RFID Security System Cracked

from the fun-fun-fun dept

Perhaps all of those vendors who are holding back on RFID have the right idea. Avi Rubin and some students have apparently cracked the security on a variety of RFID chips, including those used in car key chips and ExxonMobil’s Speedpass payment technology. While, in both cases, it seems unlikely that the cracks will lead to widespread theft, the weak security is worrisome. It seems like the type of thing that would have been more well thought out.



Comments on “RFID Security System Cracked”

7 Comments
Steve Mueller says:

Well Thought Out?

You’re really criticizing these keys for not being “well thought out”?

First, how many years has it been since the keys came out until somebody cracked them? With technology improving as it is, if it was over two years, it seems like the keys had a decent run.

Second, wouldn’t you agree that even a flawed system is better than none? Would you suggest auto makers go back to dumb keys now? Would you suggest people not use WEP encryption on 802.11b networks because it can be cracked?

Third, speaking of WEP, given its known security problems, why is the fact that car keys can be cracked a surprise?

Mike says:

Re: Well Thought Out?

Whoa, Steve. Calm down.

First off, where did I say we should get rid of them? Nowhere. I even said that this is unlikely to lead to a big problem. Still, when you read the details, it sounds like this *WAS NOT* very well thought out. They used a weak system, and it was known to be a weak system. That’s all I said, and I stand by it.

And, what does WEP have to do with all of this at all? However, simply saying that because WEP can be cracked car keys can be cracked seems like a total non sequitur. I’m not surprised it was cracked — I’m surprised they used such weak security, making it so easy to crack, just as I was surprised that WEP was so easily cracked. However, securing something like a car key and something like an internet connection are two totally separate things. Why are you making this connection?

If you want to jump to conclusions, go right ahead, but please don’t jump down my throat with your incorrect conclusions.

Steve Mueller says:

Calm Down?

I thought that I was calm, but let me try again and spell it out.

A little research shows that TI had introduced this system as far back as 1993 (maybe longer, but I didn’t want to waste my lunch time searching further). If it’s really just being cracked now, I’d say that’s a pretty good design. I wouldn’t call it “easy to crack” except maybe in hindsight with technology over 10 years later (which still fills the backseat of an SUV).

Also, it has lowered auto theft dramatically during that time (according to the TI page linked to above). So, pragmatically, that’s indicative of a good design, too.

Even if it did use weak encryption, as the article you linked to said, they couldn’t build much computing power into a key that draws power from the transmitter signal, so it’s quite possibly an engineering trade-off that had to be made — and one that has worked well for quite a while.

So, why do you claim that the system wasn’t well thought out? Pointing out that the system has been cracked is interesting and worth posting about. Value judgements without facts to back them up seem to me to cross the line. Without those facts, it sounds like you were the one jumping to conclusions, not me. Did you read anywhere that somebody said the system was poorly designed?

As for WEP, that was just an analogy. The people who designed WEP should have been pretty knowledgeable about security and yet they produced a system that got cracked in a much shorter time than this did. So is it a surprise that another system in a simpler package could be cracked?

Given that the simpler car key system took much longer to crack than WEP, that’s another argument that it was reasonably well thought out to begin with.

Mike says:

Re: Calm Down?

I’ll stand by the claim completely. They used weak encryption on a system that’s designed to always be transmitting. Just because no one happened to crack it earlier doesn’t really matter. This is a system that they had to know someone would try to crack eventually and using such a weak encryption system was clearly a poor choice.

My point in telling you to calm down was that you seemed to get quite upset that I was telling them to ditch this system, which I didn’t say anywhere (and which you seem to have ignored in your response). I agree that the system has done the job for now — but that doesn’t mean the right choices were made in putting it together. I can build a building that will stand for five years, and then fall down — does it mean that I made the right choice? For a system like this, that involves things like payment systems, it would seem logical that you would want to use a heftier bit of security, and the fact that they didn’t was a poor choice.

As for “crossing the line,” when did I have to get permission from you on my own values before I could write about them? What line did I cross? I gave the reasons for why I believe it’s a bad choice. You disagree. You also mis-stated what I said. So I gave an opinion you disagreed with, but you were factually incorrect. Why is it that I’ve “crossed the line,” and you’re just fine? From now on, I guess I’ll presubmit all my opinions to you to make sure I’m not crossing any imaginary lines.

Steve Mueller says:

Factually Incorrect?

They used weak encryption on a system that’s designed to always be transmitting. Just because no one happened to crack it earlier doesn’t really matter. This is a system that they had to know someone would try to crack eventually and using such a weak encryption system was clearly a poor choice.

It was not “clearly” a poor choice. It has worked for 10+ years without being cracked. Do you know for a fact that they could have produced a better system given the power and processing constraints back then? If not, you should stop claiming it was “clearly” a poor choice.

My point in telling you to calm down was that you seemed to get quite upset that I was telling them to ditch this system, which I didn’t say anywhere (and which you seem to have ignored in your response).

The reason I ignored that was because I never said that you claimed they should ditch it. If you read carefully, you’ll see that I just asked you if that’s what you thought. It was an intentionally leading question designed to elicit some response to see what your solution would be. You didn’t seem to have one, though.

Personally, if you had suggested they ditch it, I would actually agree now that it’s been cracked — if they can design a better system now given the constraints involved. But nowhere will you find that I said you said that.

I agree that the system has done the job for now — but that doesn’t mean the right choices were made in putting it together. I can build a building that will stand for five years, and then fall down — does it mean that I made the right choice?

Wow, that’s a bad analogy, but I’ll address it anyway. If the building was only supposed to be temporary (like for a movie set) and was built in a place where it was very unlikely anybody would be in it when it collapsed (the middle of a desert, the Arctic, etc.), then I would say you made the right choice. As with most things, it depends on the situation.

You like the horse-and-buggy example, so let me ask you a question. Would you criticize people who used them 10 years before the automobile was invented? I assume not, given that there was no better mode of personal transportation available. So why criticize this system that has worked for 10+ years when there was no better system available back then?

It’s good to know that these systems are becoming obsolete, which is why I have no problem with most of the article. It can serve as an early warning to people and hopefully will get the companies involved developing the next generation security device (if they weren’t doing so already).

As for “crossing the line,” when did I have to get permission from you on my own values before I could write about them? What line did I cross? I gave the reasons for why I believe it’s a bad choice. You disagree. You also mis-stated what I said. So I gave an opinion you disagreed with, but you were factually incorrect. Why is it that I’ve “crossed the line,” and you’re just fine? From now on, I guess I’ll presubmit all my opinions to you to make sure I’m not crossing any imaginary lines.

The line was criticizing something you probably know very little about. As I’ve said, unless you know for a fact (based on personal knowledge or that of experts you’ve heard from) that the system was poorly designed based on 1993 technology, you should have stopped after pointing the flaw out, IMHO. I saw nothing in the article you linked to that said the system was poorly designed back then (although there was one comment about 40-bit encryption being bad and one saying important systems weren’t designed for robust security, but those didn’t necessarily consider the other constraints of the system and didn’t say it was a bad choice at the time).

Of course, if you would like my opinion on things before you post them, I would certainly be glad to help. Your posting seems to have increased of late, and I’ve fallen behind reading them. Reviewing them would give me a chance to catch up. 🙂

Baumgrenze says:

Keyless Entry

This is re the Prius keyless entry/ignition system.

When I walk up to the car with the fob in my pocket the interior lights turn on. When I pull on the door handle, the door opens. When I push on the power switch, the car is ready to drive.

Are all 3 functions controlled by one code, or is there a separate code for each?

One code for all the functions means that someone with a similarly coded fob can see that it works as they pass my car (lights) and then open it and drive off. Three codes in one fob would be far more difficult to crack. Which did Toyota implement?
