Slashdot Mirror


Mobil SpeedPass, Various Car RFID Car Keys Cracked

44BSD writes "Crypto-enabled RFID products, including Mobil SpeedPass and various car keys, have been defeated utterly by Avi Rubin, et al. Details are at rfidanalysis.org. An academic paper is also available."

33 of 240 comments

  1. CmdrTaco Cracked, Various Slashdot Editors Duped by Anonymous Coward · · Score: 4, Informative

    Car RFID Security System Cracked

    The best part of subscribing to Slashdot is watching CmdrTaco post multiple duplicates in a row, then giving up and posting a dupe anyway. Before this story, a dupe of the Super Bowl .com ads story was set to run. I had a ready made "Duper Bowl" joke, too.

    Hey Taco, when's the last time you read your own site? Oh wait, why am I asking, you'll never see this.

  2. Dupe... by daveschroeder · · Score: 3, Informative

    And the NY Times story from yesterday's slashdot story on this same crack by the same team.

    1. Re:Dupe... by jswatz · · Score: 2, Interesting



      Actually, the Times story, which I wrote, came out at the same time as the RFID report from Hopkins was revealed.

      --
      "speaking only for myself since 1957"
  3. I'm defeated too by The+Ancients · · Score: 3, Funny
    ...and various car keys, have been defeated utterly by Avi Rubin

    Damn it. I feel so inferior. My car keys defeat me as soon as I put them down, and suddenly they're not there anymore.

    It's a conspiracy I tell you!

  4. Well... by Anonymous Coward · · Score: 3, Insightful

    The car keys aren't such a big deal, because you'd also need the key itself for the mechanical part of the lock. The speedpass IS a big deal, because it's single-factor authentication, and people could go around charging gas to your account.

    1. Re:Well... by tomhudson · · Score: 2, Interesting
      The car keys aren't such a big deal, because you'd also need the key itself for the mechanical part of the lock.
      Nope, I've started cars and trucks with nothing more than a big screwdriver and some pounding.

      Pop the lock cylinder, insert screwdriver, turn, drive away.

      Before the first time I had to do it, I could have sworn it was impossible to lose a key in 1" of fresh-fallen snow.

    2. Re:Well... by tomhudson · · Score: 2, Interesting
      The hardest one I ever cracked was a Chevy Astro (the doors are thick, solid, etc., there's an anti-slim-jim plate in the door).

      Me: Where's the van.
      Bubba: Parked outside.
      Me: You locked it okay?
      Bubba: Yep.
      Me: Okay, where are the keys.
      Bubba: Umm ... in the van?
      Me: WTF?
      Keys in van, van running, close to quitting time, and getting dark fast.

      So, 1 big screw-driver, 2 wooden shims, 1 coat-hanger wire and some cursing later, I can turn the engine off.

      The quickest:

      Co-worker: I've locked my keys in the car. Can you break into it without scratching the paint?
      Me: Okay, give me a few minutes
      ... less than a minute later ...
      Me: Here's your keys
      Co-worker: How did you do it so fast?
      Me: Your back doors were unlocked.
      Always check for passenger door, back doors, a hatchback, trunk or sun-roof that are open ...
  5. Great use for RFID by lildogie · · Score: 2, Funny

    Maybe some form of RFID can help the editors avoid these duplicate articles.

  6. Sad. by WindBourne · · Score: 2, Insightful

    These companies take a bunch of average coders and then ask them to create a secure program/toy/whatever. They almost certainly do not get true expert help. Then lo and behold, it gets cracked. And I am willing to bet that top people are surprised.

    --
    I prefer the "u" in honour as it seems to be missing these days.
    1. Re:Sad. by tomhudson · · Score: 3, Insightful
      The real reason is because anyone with brains will ask "What's wrong with the current system?"

      Speedpasses are not there for the benefit of the consumer, any more than the uscan at the supermarket.

      There's a debatable benefit for the key bugs for your car ignition - debatable because anyone can still steal/strip your car, and it gives people a false sense of security, as well as adding another layer to "what can go wrong now"...

      Speaking of which - Pontiac anti-theft radios. Leave your headlights on overnight, and you can't get a jump-start, because you have to re-code the radio first. Try that at -30 (and no, it wasn't me).

    2. Re:Sad. by ivan256 · · Score: 2, Interesting

      This is not how things typically work in my experience. In fact, it's not uncommon to have professional security audits done, and entire engineering teams know exactly what the problems are. After that, though, one of two things happens. Either somebody in marketing decides that good security practices are going to put customers off the product, or somebody in management decides they're going to look bad if the product is delayed and decides not to implement the security recommendations. When all is said and done, the product ships with crippled security.

      It would hardly matter that SpeedPass type devices or RF car keys were cracked if you also needed a PIN to use them... But where's the convenience in that.

    3. Re:Sad. by plover · · Score: 2, Insightful
      The grandparent poster is correct, though, in that SpeedPass wasn't first designed to make your life easier: that's a byproduct of how the system works. I believe SpeedPass was first designed as a replacement for insecure, easy-to-forge credit cards. But being different, it turned into a marketing tool; something that made Mobil "more cool" than Amoco. Finally, speeding up the transaction at the pumps didn't hurt them any. But it really doesn't gain them any financial benefit except in terms of marketing.

      Replacing the existing mag stripe system is very important. Credit card theft losses today involve absolutely staggering amounts. Forging credit cards is almost child's play (or it would be if I were a child :-) There are professional crime rings that collect mag swipe data from dishonest restaurant employees, for example. And gas pumps are the perfect victim for forged cards. With no human to validate the little foil dove on the Visa card, any chunk of plastic with a mag stripe will do the trick.

      RFID was sold to Mobil as "difficult to forge." (Actually, it was probably sold as "impossible to forge", but that's sales lingo.) This is just the first public demonstration of a counter example.

      By the way, regarding time spent in lines: given a choice at Home Depot, I evaluate the lines this way: my first choice is self-checkout ONLY if no one's ahead of me; second choice, a cashier who knows what they're doing; and my dead-last choice is self-checkout waiting behind four idiots who collectively can't figure out how to put their barcodes under the lasers.

      --
      John

  8. Illegal under DMCA? by Anonymous Coward · · Score: 3, Interesting

    They apparently tested one of their devices at an actual Mobil station. Will the Ashcroft/Gonzales Army arrest these guys?

  9. Bye-Bye Karma by rel4x · · Score: 5, Insightful

    I'm probably going to get modded into oblivion for saying this.... But why don't people just not read dupes? I mean, it's not really hurting you that it's there...and some of us didn't see the first one, but see the second one. It just doesn't seem worth complaining over.

    --

    Before you mod me funny, think, perhaps I was insightfully funny?
  10. First author by sunhou · · Score: 2, Interesting

    Why does the slashdot summary say the work was done by "Avi Rubin et al." when Rubin was the 5th out of 6 authors on the paper? Why not say Steve Bono et al., since he was the first author?

  11. DON'T NEED A CAR KEY by Pipermalibu · · Score: 2, Interesting

    "The car keys aren't such a big deal, because you'd also need the key itself for the mechanical part of the lock." Not true, one of my cars has a function called "Keyless Go", just have a credit card type device on you and the car unlocks and starts at the press of a button. I am not sure if it is using RFID though. No information on that. But it is using a similar technology for sure.

  12. Mercedes electronic keys - a good design by EMIce · · Score: 5, Informative

    The electronic keys from Mercedes are a good example of this done right. The key has an IR transceiver at its head that exchanges one time codes with the car when the driver begins turning it. The received code is saved for next time and can't be intercepted without getting physically between the head of the key and the transceiver inside the lock. Even then, an intercepted code would have to be used before the victim returned to his car. Who is going to do a complicated install of capture equipment into a fortified lock at location A and then follow the victim to location B to steal the car? It's just far too conspicuous.

    Mercedes overhauled security, rather than tacking on a secure by being obscure layer to the existing crackable standard - TI Immobilizer systems don't require advanced physical access, just proximity to the key at least an hour before the moment of a heist. Even worse, once the key is cracked it won't change either, so criminals can wait to strike and further avoid notice. Just wait till a tiny RFID scanner and a usable cracking program show up in the black market. A laid off engineer has too much potential to make dough with the ideas that have been released. The program could even do distributed processing on a broadcast LAN or via P2P.

    Now someone is probably going to point out that they'll be laughing when the fancy Mercedes key runs out of batteries and leaves its owner stranded, but this isn't the case. The key can receive power from the car despite not having any visible metal contacts - likely because there is a coil embedded in the plastic key that will get power inductively when the key is inserted - without any wires. It's news on slashdot, but it's been shipping since 1997, and much longer before that for other applications.

    As if that weren't it, the key doubles as an RF remote for locking/unlocking doors, popping the trunk, and a panic function. But wait there's more - the IR transceiver portion of the key, when aimed at the driver door, can open, close, or place anywhere in between all the side windows and sunroof at once. Great for getting into the car on a hot day or sealing up all the windows as you leave. Impressive what they've put usably into a key, albeit oversized.

    Finally, despite using a radically different model, Mercedes cleverly applied the familiar form and usage pattern of the existing standard to bridge it with the new one - a nice touch for user comfort without any compromise to security. Well engineered indeed.

    1. Re:Mercedes electronic keys - a good design by EMIce · · Score: 2, Interesting

      The car does support multiple keys, so there must be a lookup table mapping physical keys to one time keys in there somewhere. So the car knows who used the car last. It could make an interesting plot point in an episode of CSI.
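The one-time-code scheme in comment 12 above, written out as a runnable sketch. This is an added example, not Mercedes' code and not anything from the paper: the key and the car share a secret, every use of the key advances a counter, the code on the air is a keyed MAC of that counter, and the car only accepts codes a short distance ahead of the last counter it saw. The MAC choice (HMAC-SHA256 truncated to 64 bits), the window size and the shared secret are all assumptions made for the demo. The scenario function plays through the cases EMIce describes: a replay of a used code, an intercepted code spent before the owner gets back, and the same intercepted code after the owner has used the key again.

```python
import hashlib
import hmac

# Constructed demo secret shared by key and car; a real system keeps it inside
# the transponder and the immobilizer, never on the air.
SHARED_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def rolling_code(secret: bytes, counter: int) -> bytes:
    """One-time code for a given press counter: keyed MAC over the counter,
    truncated to 64 bits so the frame stays short. (HMAC-SHA256 is an
    assumption for this demo, not the real system's primitive.)"""
    return hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class KeyFob:
    """Transmitter side: each use advances a counter and sends a fresh code."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        return rolling_code(self.secret, self.counter)


class CarReceiver:
    """Verifier side: remembers the highest counter it has accepted and only
    takes codes a little ahead of it, so presses the car never heard still
    work, but anything already used (or older than that) is dead."""

    def __init__(self, secret: bytes, window: int = 16) -> None:
        self.secret = secret
        self.last_counter = 0
        self.window = window

    def accept(self, code: bytes) -> bool:
        for candidate in range(self.last_counter + 1, self.last_counter + self.window + 1):
            if hmac.compare_digest(rolling_code(self.secret, candidate), code):
                self.last_counter = candidate  # window moves forward, older codes die
                return True
        return False


def rolling_code_scenario(window: int = 16) -> dict:
    """Play through the attacks discussed above and report which ones the
    receiver lets through."""
    fob = KeyFob(SHARED_SECRET)
    car = CarReceiver(SHARED_SECRET, window)
    results = {}

    # 1. Owner unlocks the car; an attacker records the frame and replays it.
    code = fob.press()
    results["owner_unlock"] = car.accept(code)
    results["replay_of_used_code"] = car.accept(code)

    # 2. Attacker intercepts a press the car never saw (owner out of range)
    #    and spends it before the owner comes back: still inside the window.
    unused = fob.press()
    results["intercepted_unused_before_owner_returns"] = car.accept(unused)

    # 3. Same trick, but the owner gets back first and uses the key again.
    #    The window moves past the intercepted counter and it is worthless.
    intercepted = fob.press()
    later = fob.press()
    results["owner_later_press"] = car.accept(later)
    results["intercepted_after_owner_returns"] = car.accept(intercepted)

    # 4. Key pressed more times than the window while out of range: the car
    #    rejects it and a resync step is needed, the usual price of a window.
    far_ahead = b""
    for _ in range(window + 1):
        far_ahead = fob.press()
    results["beyond_window"] = car.accept(far_ahead)
    return results


if __name__ == "__main__":
    for name, accepted in rolling_code_scenario().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The window is what makes case 2 work and case 3 fail: the car cannot tell an intercepted code from one it simply missed, so a stolen-but-unused code is live exactly until the owner's next use overtakes it, which is the "use it before the victim returns" condition in the comment. A fixed-code tag has no counter at all, so a single recording replays forever.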

  13. The most interesting thing about this work... by cpeikert · · Score: 4, Informative

    ... is that they reverse-engineered the design of the cipher using just black-box access!

    Reverse-engineering can be easy enough when you have some assembly code or a piece of hardware, but these guys figured out the internals just by looking at input/output pairs. (OK, they had a rough description of the design, but it was lacking almost all details and was even inaccurate in places.)

    That's really clever -- and really underscores the idea that "security through obscurity" tends to fail terribly. (TI probably thought that the use of a proprietary cipher provided a lot of security, so they didn't worry so much about key length. Foolish, but common, reasoning.)

  14. Tinfoil by Anonymous Coward · · Score: 3, Funny

    The best line of the story: keep your keys wrapped in tinfoil just to be safe. First there were tinfoil hats - now tinfoil wrapped keys! Where will this madness end?

  15. Mobil by HarveyBirdman · · Score: 3, Informative

    I think Mobil anticipated this. They started requiring you to enter your ZIP code at the pump a few months back.

    --
    --- Ban humanity.
  16. 40 bit keys and complexity by cyberfunk2 · · Score: 2, Interesting

    I'm wondering.. when the RFID chips get a signal from the reader (eg: a mobil speedpass challenge/response), the speedpass obviously has to do some computation on the limited RF energy that its been given, and then return the answer.

    I know vaguely how CPUs do these sort of calculations, but how do you HARD wire a system to do that on so little energy ?

    Do the energy requirements go up w/ keysize ? The complexity of the circuits?

    Do these things have some sort of static flash ROM ?

  17. 40 bit Key? by Deathlizard · · Score: 2, Interesting

    Seriously. Why would Mobil build and support an RFID system protected under a 40 bit key? I thought at the very least those speedpass systems had a 64 bit key.

    I know that encryption isn't that important when true physical contact is involved (such as most credit cards, which have no encryption protection but are starting to get some with smartcards) but when it comes down to something that basically broadcasts a credit card number, you would think that mobil would be a bit more concerned about it.

    If I had a mobil speedpass I would be concerned, since a small device placed on top of a gas pump could easily passive eavesdrop on your speedpass and pass that information to would be criminals.

    The car key, although just as disturbing, isn't as important to have a strong key since it would involve way too much work to basically steal one car. To do it you would have to somehow read the signal from the key by bumping into the person leaving the car to active scan their rfid signal (passive eavesdropping would not work well since it only sends the signal at startup when the person's going to be driving away), decode it, and then use it to start the car once you bypass the physical key. It would be much easier and faster to steal a car without an immobilization system than to bypass it.

    1. Re:40 bit Key? by nolife · · Score: 2, Interesting

      I can not comment on the decision to use a 40 bit key but I will still carry and use my SpeedPass. You can only use the device at these gas stations and for the in store purchases. Not high dollar unless you fill a few diesel trucks. A thief has to be physically present in these stores to use the cloned ID. Basically, he/she is not online in Russia somewhere ordering plasma screens. A large shopping spree would consist of the person going from gas station to gas station buying junk food and gas. Your credit card company and the SpeedPass system will refund any fraudulent purchases you did not make and the thief does not have your actual credit card number or any personal information about you that would be useful for anything.
      In conclusion..
      When I compare convenience to security, the SpeedPass still wins. To compare, my standard credit card if taken or even sighted, has the number written right on it with no encryption for anyone to see, including the restaurant personnel or gas station attendant inside the store who will gladly take the card and swipe it for you. They can do much more with that than my SpeedPass that is tied to that same exact credit card.

      --
      Bad boys rape our young girls but Violet gives willingly.
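The attack shape that comments 13, 16 and 17 are circling around (a challenge/response tag with a 40-bit secret, a rogue reader that harvests a couple of challenge/response pairs from the victim's tag, an exhaustive key search, and a clone that then answers the real reader) as a runnable toy. This is an added example and not the team's code or the real cipher: the keyed function here is a truncated SHA-256, chosen only to give the right input/output shape, and the 40-bit challenge and 24-bit response widths are assumptions for the toy. The demo keeps the key space small enough to search in well under a second and scales the measured rate up to show what a full 2**40 search would cost on the same machine with this (slow, pure Python) function.

```python
import hashlib
import os
import time

# Sizes for this toy. KEY_BITS mirrors the 40-bit key the thread is about; the
# challenge and response widths are assumptions chosen for the toy, not facts
# about the real transponder.
KEY_BITS = 40
CHALLENGE_BITS = 40
RESPONSE_BITS = 24


def tag_response(key: int, challenge: int) -> int:
    """Stand-in for the tag's keyed function. NOT the proprietary cipher:
    a truncated SHA-256 over (key, challenge) just gives the same shape,
    a short answer that depends on the secret and on the challenge."""
    data = key.to_bytes(5, "big") + challenge.to_bytes(5, "big")
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - RESPONSE_BITS)


def random_challenge() -> int:
    return int.from_bytes(os.urandom(5), "big") & ((1 << CHALLENGE_BITS) - 1)


class Reader:
    """A pump or an ignition: knows the enrolled key, sends a random
    challenge, and accepts whoever answers it correctly."""

    def __init__(self, enrolled_key: int) -> None:
        self._key = enrolled_key

    def challenge(self) -> int:
        return random_challenge()

    def verify(self, challenge: int, response: int) -> bool:
        return tag_response(self._key, challenge) == response


def skim_pairs(victim_key: int, count: int) -> list:
    """Attacker holding a rogue reader near the victim's tag: the tag answers
    any challenge it is given, so proximity is all that is needed."""
    pairs = []
    for _ in range(count):
        c = random_challenge()
        pairs.append((c, tag_response(victim_key, c)))
    return pairs


def recover_key(pairs: list, search_bits: int):
    """Exhaustive search over a key space of search_bits bits. One response
    of RESPONSE_BITS bits leaves about 2**(search_bits - RESPONSE_BITS)
    candidates, so survivors of the first pair are checked against the rest."""
    (c0, r0), rest = pairs[0], pairs[1:]
    for k in range(1 << search_bits):
        if tag_response(k, c0) == r0 and all(tag_response(k, c) == r for c, r in rest):
            return k
    return None


def clone_attack(victim_key: int, search_bits: int) -> dict:
    """Skim two pairs, brute-force the key over a reduced space, then answer a
    real reader's fresh challenge with the recovered key. The measured search
    rate is scaled up to estimate a full 2**KEY_BITS search on this machine."""
    pairs = skim_pairs(victim_key, 2)
    started = time.perf_counter()
    recovered = recover_key(pairs, search_bits)
    elapsed = time.perf_counter() - started
    if recovered is None:
        return {"recovered": None, "clone_accepted": False, "est_full_search_hours": None}
    candidates_tested = recovered + 1
    est_seconds = elapsed / candidates_tested * (1 << KEY_BITS)

    pump = Reader(victim_key)
    c = pump.challenge()
    accepted = pump.verify(c, tag_response(recovered, c))
    return {
        "recovered": recovered,
        "clone_accepted": accepted,
        "est_full_search_hours": est_seconds / 3600,
    }


if __name__ == "__main__":
    # 16-bit demo key so the search finishes quickly; the estimate is for 40.
    print(clone_attack(0xBEEF, search_bits=16))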
  18. Title. by Kickasso · · Score: 3, Funny
    Various Car RFID Car Keys Cracked

    This a dupe article dupe!

  19. Re:CmdrTaco Cracked, Various Slashdot Editors Dupe by springbox · · Score: 5, Insightful

    This story is similar to the car key RFID system being cracked but if you look carefully the content is actually different and provides a more technical perspective to the situation. The other one was fluff compared to this. People here need to stop being so nit-picky because I find that most of these "duplicated" articles are informative and contain interesting content that I would have not seen otherwise.

  20. Toll passes? by Anonymous Coward · · Score: 2, Interesting

    Here's my question: Will this apply to toll road "speed passes" too? Does this mean that someone can charge up my account driving around all the tollways broadcasting my id? That could be a huge problem when we don't find that out until the bill arrives... and no verification to enter to make sure it's you (that would defeat the purpose of the speed pass). And a whole lot of time and money to go back and fix that system!


    Chris
    http://www.freeminimacs.com/?r=14620338

  21. PSA: Transponder Keys for YOUR Car: $20 on Ebay by jerryasher · · Score: 4, Informative

    I own a 2002 Toyota, which I bought used, and which came with ONE transponder key.

    Toyota wanted $45 for the blank. And $95 to "program the key for the car". My brother has a Mitsubishi, they wanted even more.

    It turns out that if you can obtain a blank, you can usually program your car yourself to accept the key.

    And it turns out that there is a very nice market for these key blanks on ebay. Search for transponder key and your vehicle's make and model. The going rate is about $20.00 and the key blanks usually come with all the instructions you need.

    I bought two blanks for $40, and three days and 20 minutes later I had three working keys for my Toyota saving me over $200 from what the dealer wanted.

  22. Re:Future of security by plover · · Score: 4, Informative
    Biometrics are not security. Biometrics are only about authentication.

    Your biometric information is not secret. The police or your parents might have a copy of your fingerprints, for example. It's theoretically difficult to duplicate biometric data, but certainly not impossible: Cryptome has a copy of the research paper where researchers used $20 worth of common kitchen items to successfully fool every commercial fingerprint reader on the market.

    Assuming forgery is tougher than that, the problem really is in the "interface" -- at some point the information stops being "biometric" and has been converted by circuitry into digital data. Digital data, of course, can be sniffed, copied, and modified. That's the real weak point of the biometric systems. If you can replace real biometric data with spoofed data, the computer systems downstream aren't going to know the difference.

    --
    John
  23. Re:Thing is... by NeoSkandranon · · Score: 2, Insightful

    Alarms are far less security than you might think. Picture an apartment complex or a college dorm parking lot. Lots of riced up civics and chunky tired jeeps with alarms that go off if you *fart* next to the car.

    After about a month of alarms going off in the dead of night, no one bats an eye at hearing one anymore.

    --
    If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
  24. Re:True enough... by |<amikaze · · Score: 2, Insightful


    But... if the brake light isn't on... there won't be any power flowing to it.

  25. I don't think that would work. by Gordonjcp · · Score: 2, Informative

    As the other poster says, the brake light won't be on. Furthermore, if you did short out the brake light, and it *was* on, all you'd do is pop the brake light fuse, which may not affect the alarm.