The Weak Link in RFID Security Systems

An informative article published by Wired shows that people are often to blame when RFID security systems—like other security systems—fail.
Published: August 2, 2006

Wired ran an excellent article on the use of radio frequency identification in car immobilization systems (see Pinch My Ride). The article says that insurance companies have so much faith in RFID immobilizers that they deny theft claims on the grounds that the car couldn’t have been stolen if the owner still has all the keys. That’s because each key is embedded with an RFID tag. When you turn the key to start the car, a reader in the steering column pings the RFID transponder in the key. If the transponder doesn’t reflect back the correct serial number, the car won’t start.

The reporter, Brad Stone, did some investigating after his own car was stolen and found that locksmiths have tools to clone RFID tags in keys so that they can create a new key when someone loses one of theirs. Of course, thieves can also use the tools to steal cars.

The reporter also reveals that some cars have a “cheat code,” which is similar to a trap door that lets IT folks get into their systems even if someone changes the password on them. Tricking someone at a car dealership into giving you the cheat code for your vehicle lets you start the car without the RFID-enabled key.

The article is entertaining and informative, but what I love about it is that it shows that over-reliance on technology is dangerous. It causes companies to get complacent about dealing with the human element of security. Sure, a criminal can go out and buy computers and high-tech equipment to crack the security algorithm on any RFID tag. Or they can figure out high-tech ways to clone or spoof tags. The media has picked up on researchers proving this is possible. But it’s far more likely that a criminal will trick someone into providing—or simply pay for—the information that enables them to hack an RFID (or other) security system. That’s what should be keeping you up at night—not the thought of a guy driving around with a Cray supercomputer in the trunk trying to decrypt your tags.