Headlines at Hopkins: news releases from across
university Headlines
News by Topic: news releases organized by
subject News by Topic
News by School: news releases organized by the 
university's 9 schools & divisions News by School
Events Open to the Public (campus-wide) Events Open
to the Public
Blue Jay Sports: Hopkins Athletic Center Blue Jay Sports
Search News Site Search the Site

Contacting the News Staff: directory of
press officers Contacting
News Staff
Receive News Via Email (listservs) Receive News
Via Email
Resources for Journalists Resources for Journalists

Virtually Live@Hopkins: audio and video news Virtually
Hopkins in the News: news clips about Hopkins Hopkins in
the News

Faculty Experts: searchable resource organized
topic Faculty Experts
Faculty and Administrator Photos Faculty and
Faculty with Homepages Faculty with Homepages

JHUNIVERSE Homepage JHUniverse Homepage
Headlines at Hopkins
News Release

Office of News and Information
Johns Hopkins University
901 South Bond Street, Suite 540
Baltimore, Maryland 21231
Phone: 443-287-9960 | Fax: 443-287-9920

Saturday, January 29, 2005
CONTACT: Phil Sneiderman

RFID Chips in Car Keys and Gas Pump
Pay Tags Carry Security Risks

Thieves Could Exploit Encryption Vulnerabilities,
Computer Scientists Warn

A popular radio-frequency ID system that is used to deter car thefts and as a convenience device for the purchase of gasoline can be defeated with low-cost technology, computer scientists from The Johns Hopkins University and RSA Laboratories have determined.

Their findings, described in a new research paper, indicate that the encryption in RFID microchips in some newer car keys and wireless payment tags may not keep thieves at bay. Using a relatively inexpensive electronic device, criminals could wirelessly probe a car key tag or payment tag in close proximity, and then use the information obtained from the probe to crack the secret cryptographic key on the tag, the scientists said. By obtaining this key, lawbreakers could more easily circumvent the auto theft prevention system in that person's car or potentially charge their own gasoline purchases to the tag owner's account.

Avi Rubin (second from left) supervised a team of Johns Hopkins University computer science graduate students in research that uncovered a method that lawbreakers might use to defeat the security system in some newer car keys and gasoline purchase convenience tags. The students, from left, are Adam Stubblefield, Steve Bono and Matt Green.
Photo by Will Kirk

The researchers uncovered the vulnerability while studying the Texas Instruments Registration and Identification System, a low-power radio-frequency security system used worldwide. The researchers said that more than 150 million of these transponders are embedded in keys for newer vehicles built by at least three leading manufacturers. The transponders are also inside more than 6 million key chain tags used for wireless gasoline purchases. The computer security researchers discovered a way that tech-savvy thieves can get around the encryption safeguards in these systems.

The research paper has been posted online at: rfid-analysis.org/.

"We've found that the security measures built into these devices are inadequate," said Avi Rubin, technical director of the Johns Hopkins Information Security Institute and an author of the study. "Millions of tags that are currently in use by consumers have an encryption function that can be cracked without requiring direct contact. An attacker who cracks the secret key in an RFID tag can then bypass security measures and fool tag readers in cars or at gas stations."

"In cars as in commerce, RFID is becoming a lynchpin for security in day-to-day life," said Ari Juels, principal research scientist of RSA Laboratories. "It is important that RFID devices offer a level of security commensurate with the value of the assets they protect. Our aim is to help the industry achieve this standard."

Researchers at Johns Hopkins University and RSA Laboratories have uncovered a security vulnerability in the radio frequency identification chips used in some newer car keys and gasoline purchase convenience tags.
Photo by Will Kirk

The radio-frequency ID system studied by the research team was designed to thwart car thieves, provide fast and convenient contactless payments and safeguard wireless transactions. In vehicles, it uses a passive, unpowered transponder chip embedded in the key and a reader inside the car, connected to the fuel injection system. If the reader does not recognize the transponder, the car will not start, even if the physical key inserted in the ignition is the correct one. This innovation has greatly reduced auto theft. In the gasoline purchase system studied by the researchers, a reader inside the gas pump must recognize a small key-chain tag that is waved in front of it. Upon system approval, the transaction is then charged to the tag owner's credit card.

Security verification takes place through a procedure called a challenge/response protocol. When the key or tag is nearby, the reader transmits a random string of ones and zeroes to it. The transponder in the key or tag then processes these numbers in a specific way and sends a numeric message back to the reader for authentication.

The researchers from Johns Hopkins and RSA Laboratories were able to unravel the mathematical process used in this verification. They then purchased a commercial microchip costing less than $200 and programmed it to find the secret key for a gasoline purchase tag owned by one of the researchers. By linking 16 such chips together, the group cracked the secret key in about 15 minutes. (In this system, an owner's credit card information is not carried on the chip and is not revealed by breaking the pass's security. In addition, this system possesses other security safeguards designed to protect customers from repeated fraudulent purchases made with a contactless device. The company that markets this system has said it has no knowledge that any fraudulent purchases have ever been made with a cloned version of its device.)

To quickly break the code in the car keys and gasoline purchase tags, the computer science researchers linked 16 general purpose programmable microchips.
Photo by Will Kirk

The researchers had similar success with a chip-equipped car key. With the secret key in hand, the team was able to simulate the RFID tag and disarm the car's anti-theft system without the built-in tag present. (Keyless remote control systems to lock and unlock car doors do not use RFID chips).

The researchers alerted Texas Instruments, manufacturer of the radio frequency systems, about the security vulnerabilities they had detected and demonstrated them to Texas Instruments in the lab. The Johns Hopkins-RSA team recommended a program of distributing free metallic sheaths to cover its radio frequency devices when they are not being used. This could make it more difficult for thieves to electronically steal the secret keys in the tags when they were not in use.

The Texas Instruments system is only one of a number of RFID systems on the market. The Johns Hopkins-RSA team has also been examining another system, not produced by Texas Instruments, that uses an active, battery-powered transponder chip. The team expects to prepare a paper soon on that work.

RSA Laboratories, based in Bedford, Massachusetts, is a division of RSA Security. In addition to participating in this work, RSA Laboratories has provided an unrestricted grant to support Rubin's research. The team's research paper has been reviewed by prominent computer scientists at other institutions and will be submitted to the USENIX security conference. Authors of the paper include Johns Hopkins graduate students Steve Bono, Matt Green and Adam Stubblefield, along with RSA Laboratories researcher Michael Szydlo. The authors will not provide a detailed "recipe" in their paper that lawbreakers might easily follow to steal radio-frequency secret keys.

Color photos of the researchers and devices available; contact Phil Sneiderman.

Related Links
Johns Hopkins University Information Security Institute
Johns Hopkins Department of Computer Science

Johns Hopkins University news releases can be found on the World Wide Web at http://www.jhu.edu/news_info/news/
   Information on automatic e-mail delivery of science and medical news releases is available at the same address.

Go to Headlines@HopkinsHome Page