Security

Car RFID Security System Cracked 383

jmichaelg writes "The NY Times reports that the security chip in new auto keys has been cracked. A team at Johns Hopkins has found a method to extract the 30 bit crypto key that tells your car that the physical key in the ignition switch is the correct key. Texas Instruments has sold some 150 million security chips that are stored in the car key. The devices are credited with reducing car thefts of some car models by 90%. Stealing a crypto key requires standing next to the victim and broadcasting a series of challenges to the key and capturing the responses. The team claims an iPod-sized device would suffice to steal the crypto key in under a second. They advise wrapping your keys in foil when you're not using them. TI admits the team has cracked their code but denies there's any problem."
  • Easy Access (Score:2, Informative)

    by Anonymous Coward on Saturday January 29, 2005 @02:03AM (#11511753)
  • Tinfoil hats (Score:3, Informative)

    by Anonymous Coward on Saturday January 29, 2005 @02:11AM (#11511786)
    You know, I'm starting to wonder if there was something to all those old sci-fi movies and tv shows where the characters were all wearing shiny tinfoil-like clothes. Perhaps in the future we will all be wearing stuff like that to prevent others from wirelessly stealing our keys/wallet/identity, etc.
  • Interesting point (Score:5, Informative)

    by Saint Aardvark ( 159009 ) * on Saturday January 29, 2005 @02:13AM (#11511797) Homepage Journal
    Dan Bedore, a spokesman for Ford, said the company had confidence in the technology. "No security device is foolproof," he said, but "it's a very, very effective deterrent" to drive-away theft. "Flatbed trucks are a bigger threat," he said, "and a lot lower tech."

    All you'd have to do is put a towing company logo (or something made-up and likely-looking), and who'd say anything?

    And take your time getting ready to leave, because the very worst that'll happen is that someone'll come back early and bribe you into leaving.

  • Well.... (Score:3, Informative)

    by Culexus ( 686962 ) on Saturday January 29, 2005 @02:23AM (#11511827)
    I worked as a locksmith for a while and getting those keys made is expensive to say the least. Plus you need a transponder machine to encode a key with the correct information. And they don't come cheap. Where I live it's usually over $100 to get a new transponder key made and some dealerships charge around $60-$70 to make you a new one.
  • by Anonymous Coward on Saturday January 29, 2005 @02:33AM (#11511868)
    You've never parked a $30,000 car in or around NY City, have you? Every day, dozens of cars are stolen, and either chopped or loaded onto some form of transport and shipped somewhere else. I know people that have had it happen, and one person, it's happened twice. The police can't catch them, or don't care. If you have a car that is "wanted", then it's gone. And it doesn't have to be expensive, or new. Mitsubishi mid-range SUV, several years old was one, and a Sebring convertible, 1 year old was the other. Both in the lower east side of Manhattan, but it happens everywhere. For these 2 cars, both were gone from the street during mid-day in less than 30 minutes' time.
  • For real geeks (Score:2, Informative)

    by dmitriy ( 40004 ) on Saturday January 29, 2005 @02:39AM (#11511888) Journal
    Those of us who ever tried to figure out what a certain poorly-documented register on an ASIC really does, and enjoyed it, please read on:

    http://www.rfidanalysis.org/DSTbreak.pdf [rfidanalysis.org]
  • by Anonymous Coward on Saturday January 29, 2005 @02:40AM (#11511889)
    Even with a key cloner, you have to be within a few inches of the key.

    And they point out that far more cars are stolen with a flatbed truck.

    The only risk is when someone has access to both the chip and the key, like a valet parking service.
  • Re:Quite so. (Score:5, Informative)

    by spuzzzzzzz ( 807185 ) on Saturday January 29, 2005 @02:42AM (#11511897) Homepage
    No. They need the RFID chip in addition to the physical key. So they would have to wander through the restaurant, crack the crypto key, fabricate their own and work out which car it belongs to before they could try to steal the car normally. It's just an extra layer of security on top of the normal ignition key.
  • Re:Quite so. (Score:5, Informative)

    by Mattintosh ( 758112 ) on Saturday January 29, 2005 @03:15AM (#11511990)
    Actually, all the ones for the high-end Lexuses are not only a real key, but they're a very secure U-channel design. You can't see the key's cut shape, meaning you can't sneak a picture and cut one later, and it has the RFID-style circuit in addition to that.

    Here's a pic of the u-channel design: http://image.www.rakuten.co.jp/lock/img1039136153.jpeg [rakuten.co.jp]
  • by Gordonjcp ( 186804 ) on Saturday January 29, 2005 @03:22AM (#11512015) Homepage
    self destruct the fuel pump, lock the brakes, disable the transmission, disengage the steering column and take the electrical and computer systems offline


    Sounds like bullshit to me. What does happen is that after a certain number of incorrect codes, the ignition/injection ECU will lock out, usually requiring a special tool to reset. Or, in the case of all BMWs made since 1981, a 6" piece of wire to short two pins for a few seconds.

  • Corrections: (Score:4, Informative)

    by chaboud ( 231590 ) on Saturday January 29, 2005 @03:23AM (#11512020) Homepage Journal
    First off, the key doesn't use static from the ignition. Read about this baby that swallowed a key [smh.com.au] to have that bit set straight.

    Secondly, responding to the parent of this post's parent, a neighbor of mine who owned an Integra Type R (that, it just so happens, was exactly like mine) had his car stolen in under two minutes while mall security guards watched. The monkeys smashed the window, opened up the passenger floorboard, snipped the immobilizer lead, shoved a screwdriver into the ignition, and drove off.

    The very next morning his car was found, minus its motor and expensive bits, rolled over, several times, into a lake. That he didn't have insurance at the time doesn't make the implementation details of immobilizers more or less important. Improperly implemented, these chips are about as potent as Master locks on chicken-wire fences.
  • New Prius (Score:3, Informative)

    by Soljin ( 854395 ) on Saturday January 29, 2005 @04:04AM (#11512149)
    My parents' new Prius has absolutely no ignition at all, just a "Smart Key" that automatically opens the car when it gets within a set distance. And once inside, the key remotely enables a button that you push to start the car. I don't know if it's the same chip but if you could get that code remotely it would make it very easy to steal a 2005 Prius. I mean walk up, open the car, sit and push a button.
  • Re:I knew it! (Score:3, Informative)

    by kevcol ( 3467 ) on Saturday January 29, 2005 @04:18AM (#11512196) Homepage
    I carry aluminum foil. I don't think tin foil has been a common commodity since my grandma was a little girl.

    Pedantic plagiarizing follows.

    Why is aluminum foil sometimes called tin foil?
    In 1919, the U.S. Foil Company, parent of Reynolds Metals Company was founded in Louisville, Kentucky to produce lead and tin foil. Then in 1926, the company entered the aluminum business, rolling aluminum foil for packaging. Today, Reynolds Wrap is made from 8111 alloy aluminum, at the thickest gauge specifications available in the marketplace. ReynoldsWrap® Aluminum Foil is 98.5% aluminum. The balance is primarily iron and silicon. These are added to give the strength and puncture resistance obtained only in the alloy used in ReynoldsWrap® Aluminum Foil.
  • by jmichaelg ( 148257 ) on Saturday January 29, 2005 @10:14AM (#11513006) Journal
    The key isn't being broadcast. Here's what happens:

    The chip is an RFID device which means when it gets close to the reader, the reader sees it. The reader encrypts a string of bits using a crypto key shared by the reader and car key and then broadcasts the encrypted bits. The car key sees the broadcast and decrypts the bits using the same crypto key. It then does something to the bits, i.e., add 5, divide by 8, whatever, and then re-encrypts the result. The encrypted result is broadcast back to the reader which sees the encrypted result. It decrypts the result, and compares it against its version of the result. If they match, then the car starts.

    At no time does the key get broadcast. The attacker just pretends to be the reader and sends several encrypted strings and looks at the results coming back and acts on that information. The attack succeeds because the attacker has access to huge processing power whereas the car key is relying on the power it can suck out of the rfid antenna. The disparity in available power drives what's feasible for the key to do in a short amount of time. If the key were substantially longer, the car key would take considerably longer to decrypt and encrypt which means you'd put your key in the ignition and nothing would happen while the car key was thinking. Not something most folks would tolerate. The attacker on the other hand, can take the encrypted bits coming out of the car key, and given enough samples, can just brute force the crypto key.

    I'll bet the next level of security will entail the car supplying the car key with enough power so the embedded chip can crank a bigger crypto key.
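The exchange described in the comment above, as an added worked example that is not part of the original thread and not TI's or Johns Hopkins' code: a reader sends a random challenge, the tag answers with a keyed function of it, and an attacker who can pose as the reader collects a few challenge/response pairs and then searches the key space offline. The keyed function here is a constructed SHA-256-based stand-in, not the real chip's cipher, and the key width (18 bits) is deliberately tiny so the exhaustive search finishes in about a second; the real device's key is wider, but the shape of the attack is the same, and the attacker's cost grows only as 2^(key bits) on a PC while the tag's cost per authentication stays fixed.

```python
"""Toy challenge-response immobilizer and key-recovery attack (added example).

The keyed function is a constructed stand-in, NOT the real transponder cipher.
"""
from __future__ import annotations

import hashlib
import random
import struct

# Toy parameters. KEY_BITS is kept tiny so the exhaustive search below finishes
# quickly; the point is that an attacker with a PC can afford 2**KEY_BITS
# evaluations while the passively powered tag cannot afford a much longer key.
KEY_BITS = 18
CHALLENGE_BITS = 40
RESPONSE_BITS = 24


def transponder_response(key: int, challenge: int) -> int:
    """Constructed keyed function shared by tag and reader (assumption, not DST).

    Both sides hold `key`; for a given challenge they derive the same response.
    """
    digest = hashlib.sha256(struct.pack(">QQ", key, challenge)).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << RESPONSE_BITS) - 1)


class Transponder:
    """The chip in the key: it answers any challenge it is powered up with."""

    def __init__(self, key: int) -> None:
        self.key = key

    def answer(self, challenge: int) -> int:
        return transponder_response(self.key, challenge)


class Reader:
    """The car side: sends a fresh random challenge and compares the reply."""

    def __init__(self, key: int) -> None:
        self.key = key
        self._rng = random.SystemRandom()

    def authenticate(self, tag: Transponder) -> bool:
        challenge = self._rng.getrandbits(CHALLENGE_BITS)
        return tag.answer(challenge) == transponder_response(self.key, challenge)


def harvest(tag: Transponder, count: int, seed: int) -> list[tuple[int, int]]:
    """Attacker impersonating a reader: the tag answers whatever it is asked.

    `seed` makes the chosen challenges reproducible; a real attacker would
    pick them arbitrarily. Returns the captured (challenge, response) pairs.
    """
    rng = random.Random(seed)
    pairs = []
    for _ in range(count):
        challenge = rng.getrandbits(CHALLENGE_BITS)
        pairs.append((challenge, tag.answer(challenge)))
    return pairs


def recover_key(pairs: list[tuple[int, int]]) -> int | None:
    """Offline exhaustive search for a key consistent with every captured pair.

    The first pair acts as a cheap filter; the remaining pairs rule out the
    few false positives a single RESPONSE_BITS-wide answer leaves behind.
    """
    first_c, first_r = pairs[0]
    for candidate in range(1 << KEY_BITS):
        if transponder_response(candidate, first_c) != first_r:
            continue
        if all(transponder_response(candidate, c) == r for c, r in pairs[1:]):
            return candidate
    return None


if __name__ == "__main__":
    secret = random.Random(1).getrandbits(KEY_BITS)
    victim_tag = Transponder(secret)
    captured = harvest(victim_tag, 3, seed=2)   # "stand next to the victim"
    found = recover_key(captured)               # done later, on a PC
    car = Reader(secret)
    print(f"recovered key matches secret: {found == secret}")
    print(f"cloned tag accepted by car:   {car.authenticate(Transponder(found))}")
```

Note what the attacker never needs: the key itself is never transmitted, and the reader's own challenges are never observed. Three pairs suffice because each 24-bit response cuts the candidate set by roughly 2^24, so a second pair already makes a false match over an 18-bit key space vanishingly unlikely. Doubling KEY_BITS doubles nothing for the tag (one evaluation per authentication) but squares the attacker's search, which is the trade-off the comment describes.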

  • by InvalidError ( 771317 ) on Saturday January 29, 2005 @12:25PM (#11513641)
    AES does not require beefy hardware to implement.

    AES lends itself fairly well to both ASIC/hardware and software implementations. Because we are talking about cryptographic messages most likely in the sub-kilobit size range, the amount of processing in question is fairly limited.

    I remember at least one company advertising RFID tag microcontrollers. The rest is a simple matter of balancing power and time... and since the RFID microcontroller can start processing before the key is in the ignition switch, a processing delay up to a few seconds should be acceptable, allowing the microcontroller to run its core at most likely less than 100kHz, or even less than 10kHz if the chip contains dedicated AES logic - we are talking 8-bit microcontrollers here.

    The only reason why RFID tags are the only thing we commonly see is because demand for tags far exceeds demand for everything else that could possibly be handled by RFID techniques. If demand for AES-enabled RFID microcontrollers becomes large enough, microcontroller companies will make them.

    BTW, the RFID microcontroller summary did mention that an external capacitor was necessary to smooth the power but I do not remember the rest.

    As far as size is concerned, keep in mind that typical microcontrollers contain well under a million transistors, so a microcontroller suitable for secure authentication for an ignition system should be well under 10 square millimeters on a 180nm process.
  • AES-128 in a PIC (Score:3, Informative)

    by Migraineman ( 632203 ) on Saturday January 29, 2005 @01:28PM (#11514081)
    I've implemented the 128-bit AES algorithm in a PIC16F873. Here's the Microchip page with the app note and source code. [microchip.com] The app note has performance metrics - 5273 cycles to encrypt; 6413 to decrypt (section 6, page 14.) My implementation, written from scratch, has comparable performance.

    Since the PIC is a single-cycle execution unit, clocks correlate directly to real time once you spec the operating frequency. At a 40kHz clock (=10kHz instruction execution frequency) it'll take 527 ms to encrypt one 128-bit block of data. Similarly, a 400kHz clock results in a 52.7 ms block encrypt time. A maximum of 41 bytes of RAM are required for either encode/decode operations.

    The claim that AES requires substantial hardware is bogus. AES is designed to be byte-processing friendly. It's much nicer than dealing with the bit-oriented DES and 3DES standards, especially in an 8-bit microcontroller environment.
  • To put it bluntly, you don't know what you are talking about.

    I work in the smart card industry. You can buy smart card chips that do 3DES and 2048 bit RSA for less than a dollar. You can buy a complete contactless card (what idiots here would call RFID) that has a Java operating system, does 3DES in less than 70 milliseconds and does RSA with on-card key generation for about $6, and considerably less than that in volume. These chips have specialized hardware to speed and secure the crypto operations, but any 8 bit processor with some storage can do 3DES in a reasonable amount of time.

    As for AES, it was designed to be able to be run on smart cards and there are implementations of it.

    In short, strong crypto on a keychain is feasible. I have half a dozen keyfobs on my desk right now that do it. The reason for the 30 bit key probably has more to do with export regulations involving the US and Japan than any technological problem.

  • Re:Corrections: (Score:2, Informative)

    by Helios1182 ( 629010 ) on Saturday January 29, 2005 @05:04PM (#11515396)
    A lot of them are stolen because there are so many on the road. I know the Corolla is the best selling car in history. Camrys, Civics, and Accords make up a fair amount of the cars on the road as well.
