RFID Hackers Shock Popular Press

This article was originally published by RFID Update.

January 29, 2005—The mainstream media has pounced on a story about the success a Johns Hopkins University research team has had in cracking the popular RFID security system used in car keys to fight automobile theft. Referred to as “immobilizer,” the technology allows only a specially-encoded key to start its owner’s vehicle. A passive RFID tag is housed in the key, which responds to interrogations from an RFID reader within the car. If the tag doesn’t produce the correct response, the car won’t start.

Both immobilizer and ExxonMobil’s Speedpass, which the group also claims to have cracked, use chips from Texas Instruments. Roughly 150 million Toyota, Nissan, and Ford keys are equipped with the technology, which has proved very successful both commercially and as a theft deterrent.

Despite its coverage, the import of this story is dubious. In the first place, as any hacker or security consultant will tell you, no security system is full-proof; that the immobilizer is not absolutely unbreakable comes as no surprise. Second, it is not the system’s fundamental structure that is flawed. Rather, the strength of encryption that it uses is weak. This means that a relatively simple fix could remedy the system for future versions. A look at the details of the hack reveals that it’s rather involved and impractical anyway, requiring specialized equipment and very close proximity to the original key. It would be overblown to suggest that all immobilizer users are now vulnerable to car theft from petty thieves; only the most committed, persistent thieves with a particular target in mind might benefit.

The relevance of this story to the RFID industry is obvious, reminding us that if university researchers are spending time trying to discover RFID’s vulnerabilities, so too are less scrupulous factions. It is also important from a PR perspective. The rate of widespread RFID adoption will be directly correlated to the public’s comfort with it as a secure technology. Like the privacy issue, security needs to addressed by the industry not only for its own merits but also to assuage consumer concern.

Try The New York Times for more