Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Security

Mobil SpeedPass, Various Car RFID Car Keys Cracked 240

44BSD writes "Crypto-enabled RFID products, including Mobil SpeedPass and various car keys, have been defeated utterly by Avi Rubin, et. al. Details are at rfidanalysis.org. An academic paper is also available."
This discussion has been archived. No new comments can be posted.

Mobil SpeedPass, Various Car RFID Car Keys Cracked

Comments Filter:
  • by Anonymous Coward on Sunday January 30, 2005 @12:37PM (#11520435)
    Car RFID Security System Cracked [slashdot.org]

    The best part of subscribing to Slashdot is watching CmdrTaco post multiple duplicates in a row, then giving up and posting a dupe anyway. Before this story, a dupe of the Super Bowl .com ads story [slashdot.org] was set to run. I had a ready made "Duper Bowl" joke, too.

    Hey Taco, when's the last time you read your own site? Oh wait, why am I asking, you'll never see this.
  • Dupe... (Score:4, Informative)

    by daveschroeder ( 516195 ) * on Sunday January 30, 2005 @12:37PM (#11520438)
    And the NY Times story [nytimes.com] from yesterday's slashdot story [slashdot.org] on this same crack by the same team.
    • Re:Dupe... (Score:3, Interesting)

      by liquidpele ( 663430 )
      You would think they would have a "dupe finder" or something they could use to search and make sure the artical hasn't already been posted at some point... oh well.
    • Who moderated the parent OFFTOPIC? Since the article is a dupe, it eems to me a comment about it being a dupe is about as on-topic as you can get.
    • Re:Dupe... (Score:2, Interesting)

      by jswatz ( 99824 )


      Actually, the Times story, which I wrote, came out at the same time as the RFID report from Hopkins was revealed.

  • by The Ancients ( 626689 ) on Sunday January 30, 2005 @12:39PM (#11520453) Homepage
    ...and various car keys, have been defeated utterly by Avi Rubin

    Damn it. I feel so inferior. My car keys defeat me as soon as I put them down, and suddenly they're not there anymore.

    It's a conspiracy I tell you!

  • Well... (Score:3, Insightful)

    by Anonymous Coward on Sunday January 30, 2005 @12:39PM (#11520456)
    The car keys aren't such a big deal, because you'd also need the key itself for the mechanical part of the lock. The speedpass IS a big deal, because it's single-factor authentication, and people could go around charging gas to your account.
    • Re:Well... (Score:3, Interesting)

      by tomhudson ( 43916 )
      The car keys aren't such a big deal, because you'd also need the key itself for the mechanical part of the lock.
      Nope, I've started cars and trucks with nothing more than a big screwdriver and some pounding.

      Pop the lock cylinder, insert screwdriver, turn, drive away.

      Before the first time I had to do it, I could have sworn it was impossible to lose a key in 1" of fresh-fallen snow.

      • ... most modern cars will have an alarm, deadbolts and a fairly solid steering lock.

        I suspect that even with the immobiliser key fob, you would have a bit of work to do to get the car started. Bear in mind that you have to get into the car without setting the alarm off, which locks out the engine management ECU on most cars. Then, possibly with the alarm going off, you have to get the steering unlocked (tampering with the lock will usually just jam the bolt in place), reset the ECU, get the car started,
        • Re:Thing is... (Score:3, Insightful)

          Alarms are far less security than you might think. Picture an apartment complex or a college dorm parking lot. Lots of riced up civics and chunky tired jeeps with alarms that go off if you *fart* next to the car.

          After about a month of alarms going off in the dead of night, no one bats an eye at hearing one anymore.
          • I've actually sawn open the bonnet of a car and cut the battery leads, because the owner would not turn the alarm off. After hearing the damn thing right outside my house from 1am to 5am, tempers were getting frayed right throughout the building...
            • -- easier to just break a tail-light and short it out - this kills the alarm as well - the brake light circuit and interior lights are independent of the ignition in most cars, which is why your tail lights stay on if you put your foot on the brake, even if the key isn't in the ignition.
              • Re:True enough... (Score:3, Insightful)

                by |<amikaze ( 155975 ) *

                But... if the brake light isn't on... there won't be any power flowing to it.
                • Simple DC circuit. Power to one lead -always live - the other leads to your brake switch. Pushing the pedal closes the switch and completes the circuit.

                  This also explains turn-signal or running lights that go "funky" - lights that are always half-on - there's a short to ground somewhere, allowing them to light up even when the turn signal isn't operating.

              • As the other poster says, the brake light won't be on. Furthermore, if you did short out the brake light, and it *was* on, all you'd do is pop the brake light fuse, which may not affect the alarm.
                • Read my reply to the previous poster. There are lots of circuits that have one side "live" and the other side is only completed by a switch. If you drop it to ground, the circuit is complete, even when the ignition key is off.

                  You're not completing the circuit between the brake light switch and battery in cases like this - you've bypassed it (and the fuse that protects it) completely. Ask yor local car thief or cop specializing in auto theft for a demonstration.

      • Hmm, so the cars you've done this in have the same RFID security system that was mentioned in that article?
        • For those (I've been told , wink wink nudge nudge) a laptop running a DOS-baed program will work fine to do reprogramming, as well as roll back the digital mileage counter, etc (btw - a lot of auto importers/exporters have *that* program, so they can *cough cough* just make the switch between kilometers and miles ...

          ... and never believe the mileage on a used vehicle without first checking for wear and tear that doesn't match what you're looking at. And NEVER look at a car at night. You might miss some of

      • I am told that in the old days that a dinner fork was the tool of choice. Bend the two outside prongs away, and insert middle two prongs into the lock. Bingo, free car. Still works I guess, unless of course they have dual immobilizers (or a single one for that matter).
    • Actually, with cars such as the new Toyota Prius, you can open the doors and start the car (the ignition is just a button on the dashboard) if the car detects that the fob is near or in the car. There is no mechanical action involved.
      • I recall reading somewhere that the Prius uses a stronger form of the key (64 bit?). Unfortunately I can't for the life of me find the webpage I saw it on...

        Oh well, I have almost no concern my Prius will get stolen. Possibly broken-into (though I'm careful to never leave anything visible inside it), but not stolen.

        N.
        • I'm always amazed at how much faith people put in '64 bit' security. You realize that 64bit is a whopping 8 bytes (characters) don't you?

          If 64 bit is the 'stronger' version of the encryption I'm surprised that the regular version lasted as long as it did. Given a sufficent sample size and enough caffeine in my system I can occasionally crack 16 bit encryption in my head (using simple heuristic pattern matching; and it helps to know what I'm looking for.)
          • You do realize that each bit doubles the amount of possibilities? Being able to crack 16 bit encryption in your head I would hope you do. 64 bit might not be sufficient for a lot of things, but it's not just "64/16"% stronger than 16 bit encryption; the fraction you are looking for is more like "(2^64)/(2^16)".
  • by lildogie ( 54998 ) on Sunday January 30, 2005 @12:41PM (#11520469)
    Maybe some form of RFID can help the editors avoid these duplicate articles.
  • Sad. (Score:3, Insightful)

    by WindBourne ( 631190 ) on Sunday January 30, 2005 @12:41PM (#11520473) Journal
    These companies take a bunch of average coders and then ask them to create a secure program/toy/whatever. They almost certainly do not get true expert help. Then lo and behold, it gets cracked. And I am willing to bet that top ppl are surprised.

    • And I am willing to bet that top ppl are surprised.


      I'm willing to bet they aren't. The system only has a very limited key length (40 bits) and anyone with half a lick of knowledge knows that a 40 bit key is vulnerable to offline brute force cracking.

      My guess is they knew the system could be pretty esily cracked, but combined with the very short range of RFID (I believe the researchers captured the key data on the order of several inches) it wasn't considered a major vulnerability.
    • Re:Sad. (Score:3, Interesting)

      by ivan256 ( 17499 ) *
      This is not how things typically work in my experience. In fact, it's not uncommon to have professional security audits done, and entire engineering teems know exactly what the problems are. After that, though, one of two things happens. Either somebody in marketing decides that good security practices are going to put customers off the product, or somebody in management decides they're going to look bad if the product is delayed and decides not to implement the security recommendations. When all is said an
    • What makes you think these products where coded by chimps? Are you telling us that it is possible (for you perhaps?) to make crypo secure RFID products? This is simply an inappropriate use of RFID, and regardless of the quality of the engineers working one these toys, the decision to go with this misuse of technology almost certainly came from the Suits upstairs.
      • What makes you think these products where coded by chimps?

        Well, the researchers discovered that the proprietary cipher that underlies the system is pretty lousy -- it's not particularly fast, and it may have structural flaws. You don't have to be a "chimp" to construct a bad cipher, but ignoring something like AES or the many other peer-reviewed ciphers is pretty dumb.
    • If you had read the article you would know that nothing has been cracked. And certainly not utterly...

      They just brute forced it. Thats not called cracking. Windows has numbers you can enter to authorize it. We don't call it cracked when you 'brute force' your way into ONE of those numbers, we call it cracked when you can generate them at will.
  • Illegal under DMCA? (Score:3, Interesting)

    by Anonymous Coward on Sunday January 30, 2005 @12:44PM (#11520496)
    They apparently tested one of their devices at an actual Mobil station. Will the Ashcroft/Gonzales Army arrest these guys?
  • Bye-Bye Karma (Score:5, Insightful)

    by rel4x ( 783238 ) on Sunday January 30, 2005 @12:48PM (#11520524)
    I'm probably going to get modded into oblivion for saying this.... But why don't people just not read dupes? I mean, it's not really hurting you that it's there...and some of us didn't see the first one, but see the second one. It just doesn't seem worth complaining over.
    • I'm probably going to get modded into oblivion for saying this.... But why don't people just not read dupes? I mean, it's not really hurting you that it's there...and some of us didn't see the first one, but see the second one. It just doesn't seem worth complaining over.

      Part of outrage is that it makes it clear that the editors don't bother to read the very "new accumulator" the work on. I sometimes miss a day or two worth of articles, but it's not my job-- they're paid to be editors. They're the only o

    • I think it's only after someone's witty, well-thought posting get's moderated redundant that people get the bug up their nether region about redundancies of the "editors".

      It also goads future postings into becoming poorly-edited, formulaic, nonsense as long as it can be posted quickly.

      Quod erat demonstrandum ;-)
    • There's a very limited number of articles posted in a day. I've had articles rejected, where a dupe of some old article gets posted instead. Not that I'm suggesting what I have to say is interesting, exactly, but I'm sure others have had the same thing happen, others who *are* interesting. :)
    • I'm probably going to get modded into oblivion for saying this.... But why don't people just not read dupes?

      That would imply that they read the articles in the first place.

      I mean, it's not really hurting you that it's there...and some of us didn't see the first one, but see the second one. It just doesn't seem worth complaining over.

      What sucks is that it:
      1. Wastes people's time
      2. Hurts slashdot's credibility
      3. Between the constant misspellings and duplicate articles, it hurts slashdot finanacially bec
      • Between the constant misspellings and duplicate articles, it hurts slashdot... ...
        --
        Life is too short to proofread.


        Irony (n): Signing off with a sig which is in direct contrast to your main argument...
    • rel4x writes:
      "I'm probably going to get modded into oblivion for saying this.... But why don't people just not read dupes? I mean, it's not really hurting you that it's there...and some of us didn't see the first one, but see the second one. It just doesn't seem worth complaining over. "

      I don't subscribe, so this is just a guess, but dupes count against your account. IIRC, you get n number of premium posts for x number of dollars and so dupes are useless posts you get charged for.

      Again, that's just a gue
  • First author (Score:3, Interesting)

    by sunhou ( 238795 ) on Sunday January 30, 2005 @12:49PM (#11520536)
    Why does the slashdot summary say the work was done by "Avi Rubin et.al." when Rubin was the 5th out of 6 authors on the paper? Why not say Steve Bono et. al., since he was the first author?
  • "The car keys aren't such a big deal, because you'd also need the key itself for the mechanical part of the lock." Not true, one of my cars has a function called "Keyless Go", just have a credit card type device on you and the car unlocks and starts at the press of a button. I am not sure if it using RFID though. No information on that. But it is using a similar technology for sure
  • by EMIce ( 30092 ) on Sunday January 30, 2005 @12:57PM (#11520594) Homepage
    The electronic keys from Mercedes are a good example of this done right. The key has an IR transceiver at it's head that exchanges one time codes with the car when the driver begins turning it. The received code is saved for next time and can't be intercepted without getting physically between the head of the key and the transceiver inside the lock. Even then, an intercepted code would have to be used before the victim returned to his car. Who is going to do a complicated install of capture equipment into a fortified lock at location A and then follow the victim to location B to steal the car? It's just far too conspicuous.

    Mercedes overhauled security, rather than tacking on a secure by being obscure layer to the existing crackable standard - TI Immobilizer systems don't require advanced physical access, just proximity to the key at least an hour before the moment of a heist. Even worse, once the key is cracked it won't change either, so criminals can wait to strike and further avoid notice. Just wait till a tiny RFID scanner and a usable cracking program show up in the black market. A laid off engineer has too much potential to make dough with the ideas that have been released. The program could even do distributed processing on a broadcast LAN or via P2P.

    Now someone is probably going to point out that they'll be laughing when the fancy Mercedes key runs out of batteries and leaves its owner stranded, but this isn't the case. The key can receive power from the car despite not having any visible metal contacts - likely because there is a coil embedded in the plastic key that will get power inductively when the key is inserted - without any wires [slashdot.org]. It's news on slashdot, but it's been shipping since 1997, and much longer before that for other applications.

    As if that weren't it, the key doubles as an RF remote for locking/unlocking doors, popping the trunk, and a panic function. But wait there's more - the IR transciever portion of the key, when aimed at the driver door can open, close, or place anywhere in between all the side windows and sunroof at once. Great for getting into the car on a hot day or sealing up all the windows as you leave. Impressive what they they've put usably into a key, albeit oversized.

    Finally, despite using a radically different model, Mercedes cleverly applied the familiar form and usage pattern of the existing standard to bridge it with the new one - a nice touch for user comfort without any compromise to security. Well engineered indeed.
    • The electronic keys from Mercedes are a good example of this done right. The key has an IR transceiver at it's head that exchanges one time codes with the car when the driver begins turning it. The received code is saved for next time....
      confused? info is save for next time. What happens when a different key is user.
      aka What happens when person A uses car with key A, then person B uses car with Key B, is person B locked out?
      • The car does support multiple keys, so there must be a lookup table mapping physical keys to one time keys in there somewhere. So the car knows who last used the car last. It could make an interesting plot point in an episode of CSI.
    • Impressive what they they've put usably into a key, albeit oversized.

      I completely agree with everything you've written here. Their IR keys are an enormous convenience. If the batteries fail, the door locks can also be manually actuated. There is a traditional blade embedded within the key that probably contributes significantly to the "excessive size."
    • > Now someone is probably going to point out that they'll be
      > laughing when the fancy Mercedes key runs out of batteries
      > and leaves its owner stranded, but this isn't the case.

      No, they'll be laughing when the said Mercedes' security system malfunctions and the car doors continuously unlock despite the fact that the owner locked them less than two minutes before. Then the alarm goes off repeatedly. And the Tele Aid [mbusa.com] system calls the Mercedes call center who then calls the owner to ask if anything's
      • Well, from what I hear, your mistake was buying a new Mercedes. I'm about to buy an '81 300SD, a 3 liter 5-cylinder turbo diesel that by many accounts is Mercedes' finest car ever. It has an excellent engine that is reputed to run on basically anything (for example it's known to run on vegetable oil without conversion beyond a heater to keep it flowing and a filter if it's dirty) and it has all the usual appointments, power everything, yada yada. Then, you just have to accept that you're going to spend 700
      • So when something goes wrong, it manifests itself in a bizarre fashion and the dealer can't figure out how to fix it.

        And they apparently lack the common sense to pull the battery while disabling the stupid thing. Gotta love under-qualified technicians working on your expensive stuff.

    • Sounds great... But unless they can run away from flatbed trucks... They are totally useless.

      The point is this:
      If somone wants to steal your car. They are going to steal your car.

      It is fairly rare to have a car stolen for "joy riding" now a days... It is much more common for cars to be stolen for parts or to be shipped overseas.

      Either of these scenerios imply that criminals are looking for a specific model, meaning they will know how to bypass any stock security systems. Or they will just throw the $10
    • by jerryasher ( 151512 ) on Sunday January 30, 2005 @01:38PM (#11520900)
      I own a 2002 Toyota, which I bought used, and which came with ONE transponder key.

      Toyota wanted $45 for the blank. And $95 to "program the key for the car". My brother has a Mitsubishi, they wanted even more.

      It turns out that if you can obtain a blank, you can usually program your car yourself to accept the key.

      And it turns out that there is a very nice market for these key blanks on ebay. Search for transponder key and your vehicle's make and model. The going rate is about $20.00 and the key blanks usually come with all the instructions you need.

      I bought two blanks for $40, and three days and 20 minutes later I had three working keys for my Toyota saving me over $200 from what the dealer wanted.
  • by cpeikert ( 9457 ) <cpeikert.alum@mit@edu> on Sunday January 30, 2005 @01:00PM (#11520615) Homepage
    ... is that they reverse-engineered the design of the cipher using just black-box access!

    Reverse-engineering can be easy enough when you have some assembly code or a piece of hardware, but these guys figured out the internals just by looking at input/output pairs. (OK, they had a rough description of the design, but it was lacking almost all details and was even inaccurate in places.)

    That's really clever -- and really underscores the idea that "security through obscurity" tends to fail terribly. (TI probably thought that the use of a proprietary cipher provided a lot of security, so they didn't worry so much about key length. Foolish, but common, reasoning.)
    • However, it is sad that they didn't publish full details of the cipher. This goes against full disclosure principles.

      I can already hear screams of `what do you want the cipher for? Are you going to steal cars and get free gas?' No. But using this excuse, researchers can prevent me and others from implementing a faster attack, or even finding an attack of smaller complexity -- this is a Feistel cipher, so it shares some structure with DES and thus some similar attacks (linear, differential cryptanalysis) mi
      • But using this excuse, researchers can prevent me and others from implementing a faster attack, or even finding an attack of smaller complexity -- this is a Feistel cipher, so it shares some structure with DES and thus some similar attacks (linear, differential cryptanalysis) might apply.

        And you're right to say so -- in fact, the paper mentions that the cipher may have some structural weaknesses, so it's legitimate to want to know the details.

        My guess is that if you asked the authors for the full spec, y
  • Tinfoil (Score:3, Funny)

    by Anonymous Coward on Sunday January 30, 2005 @01:02PM (#11520638)
    The best line of the story: keep your keys wrapped in tinfoil just to be safe. First there were tinfoil hats - now tinfoil wrapped keys! Where will this madness end?
  • Mobil (Score:4, Informative)

    by HarveyBirdman ( 627248 ) on Sunday January 30, 2005 @01:02PM (#11520644) Journal
    I think Mobil anticipated this. They started requiring you to enter your ZIP code at the pump a few months back.
  • I'm wondering.. when the RFID chips get a signal from the reader (eg: a mobil speedpass challenge/response), the speedpass obviously has to do some computation on the limited RF energy that its been given, and then return the answer.

    I know vaguely how CPUs do these sort of calculations, but how do you HARD wire a system to do that on so little energy ?

    Do the energy requirements go up w/ keysize ? The complexity of the circuits?

    Do these things have some sort of static flash ROM ?
  • 40 bit Key? (Score:3, Interesting)

    by Deathlizard ( 115856 ) on Sunday January 30, 2005 @01:11PM (#11520713) Homepage Journal
    Seriously. Why would Mobil build and support an RFID system protected under a 40 bit key? I thought at the very least those speedpass systems had a 64 bit key.

    I know that encryption isn't that important when true physical contact is involved (such as most credit cards, which have no encryption protection but are starting to get some with smartcards) but when it comes down to something that basicially broadcasts a credit card number, you would think that mobil would be a bit more concerned about it.

    If I had a mobil speedpass I would be concerned, since a small device placed on top of a gas pump could easily passive eavesdrop on your speedpass and pass that information to would be criminals.

    The car key, although just as disturbing, isn't as important to have a strong key since it would involve way too much work to basicially steal one car. To do it you would have to somehow read the signal from the key by bumping into the person leaving the car to active scan their rfid signal, (passive eavesdropping would not work well since it only sends the signal at startup when the person's going to be driving away) Decode it, and then use it to start the car once you bypass the physical key. It would be much easier and faster to steal a car without an immobilization system then to bypass it.
    • "Seriously. Why would Mobil build and support an RFID system protected under a 40 bit key? I thought at the very least those speedpass systems had a 64 bit key."

      Because they're cheap, lazy, and blind. Like all companies.
    • This may be a stupid question, but I'm honestly curious about something. I'm also no security expert.

      Does it matter that the Speedpass isn't totally secure, if it's more secure then the other ways of paying? I mean sure, you can put some sort of reader on top of a pump and intercept Speedpass codes and break the system and steal some gas. But if you want to steal some gas, why not just fill up and drive off? Or pass a hot check? Or make a counterfeit credit card that'll pass through the card reader?
      • It's not a stupid question at all. If you read any of the recent research by Bruce Schneier, you'll find he presents this same concept under the name of "attack trees". Basically he says that if there are a set of known attacks on a system, the bad guys will go for the cheapest one that will give them success (or easiest or fastest, depending on their motives.) SpeedPass forging certainly is harder than any of the other mechanisms out there, so your common criminals are still likely to try the other mech
    • Re:40 bit Key? (Score:2, Interesting)

      by nolife ( 233813 )
      I can not comment on the decision to use a 40 bit key but I will still carry and use my SpeedPass. You can only use the device at these gas stations and for the in store purchases. Not high dollar unless you fill a few diesel trucks. A thief has to be physically present in these stores to use the cloned ID. Basically, he/she is not online in Russia somewhere ordering plasma screens. A large shopping spree would consist of the person going from gas station to gas stations buying junk food and gas. Your
  • Title. (Score:3, Funny)

    by Kickasso ( 210195 ) on Sunday January 30, 2005 @01:12PM (#11520719)
    Various Car RFID Car Keys Cracked

    This a dupe article dupe!

  • I am very interested about the techniques they barely mention that made a "black-box" implementation of the encryption! Does anyone have any information on this? I think that is the most amazing part of the article, but they go into no detail.
    • You need to read the referenced research paper for details on the algorithm. That was the most interesting part: rather than violate an end-user agreement and reverse engineer the algorithm from an .EXE, they chose instead to break it by studying the published details of the algorithm (which were not completely correct) and by testing a live device.

      The paper is the detail, the article is just the marketing.

  • Toll passes? (Score:2, Interesting)

    by Anonymous Coward
    Here's my question: Will this apply to toll road "speed passes" too? Does this mean that someone can charge up my account driving around all the tollways broadcasting my id? That could be a huge problem when we don't find that out until the bill arrives... and no verification to enter to make sure it's you (that would defeat the purpose of the speed pass). And a whole lot of time and money to go back and fix that system!


    Chris
    http://www.freeminimacs.com/?r=14620338 [freeminimacs.com]
  • by 44BSD ( 701309 )
    Hey all --

    Sorry to have submitted a dupe. I don't read the NYT, and I saw this via a somewhat esoteric web site, and when it wasn't up on today's /. already, I figured it hadn't been submitted. My bad for not reading /. yesterday ;^).

    Anyway, the obvious thing to do is see what domain names Avi and cohorts have registered recently, to see what they will obliterate next.

    If this guy hooks up with Matt "Locksmiths ph33r my 7eet sk1llz" Blaze (linkage [crypto.com]) it will be rather amusing.

    On a serious note, why don't
  • With the price of gas hovering around 2 bucks a gallon here in the midwest, all i can say is 'cool, free gas for all!'
  • The thing about this I thought was interesting is that the research was sponsored by RSA Corp. Anybody want to bet that wouldn't have happened if TI had licenced a RSA algorythm?

    I suppose it's a good thing that companies are competing in this way, rather than just slathering us all in layers of obfuscation and FUD.

10 to the minus 6th power Movie = 1 Microfilm

Working...