[saag] Mobil SpeedPass and anti-theft immobilizers spoofed
Hallam-Baker, Phillip
pbaker at verisign.com
Mon Jan 31 11:20:20 EST 2005
I read in slashdot that they have a 40 bit key and a challenge/response
scheme.
Given the vintage of the system and the choice of 40 bits I would strongly
suspect that this is not a result of incompetent design, it is simply a
leftover legacy from the Louis Freeh crypto wars. If someone was going to choose
a key size at random they would have chosen a round number like 32 or 64
bits or the DES key size.
I would not have serious worries about the practical security of the system
if they had chosen 56 bits. Not a choice I would choose but acceptable.
Incidentally, folk are calling this RFID, my understanding is that the RFID
tags sold as such have no security at all. This is an RF authentication
token.
That is all water under the bridge. Understanding how we got here is all
very well. I am more interested in how we can move on. Since this is SAAG it
is worthwhile pointing out that there is a proposal in IETF already that
would provide a basis to move on.
There is a real problem upgrading from an insecure system to a secure one.
All the legacy pumps would need to be upgraded to the new spec. The only
practical way to manage that is to move to a new industry-wide standard with
at least 128 bit security that we can be confident of (I accept that we
could probably get by with less but we would never agree on any less).
The OATH authentication scheme could probably be used as a drop-in
replacement. The gas pump authentication scheme is going to require a call
back for credit authentication and so the counter auth mode works well. I
would probably do the car door lock scheme using local shared keys,
challenge response and no counter.
http://www.ietf.org/internet-drafts/draft-mraihi-oath-hmac-otp-01.txt
> -----Original Message-----
> From: saag-bounces at mit.edu [mailto:saag-bounces at mit.edu] On
> Behalf Of Russ Housley
> Sent: Sunday, January 30, 2005 2:42 PM
> To: saag at mit.edu
> Subject: [saag] Mobil SpeedPass and anti-theft immobilizers spoofed
>
>
> Does anyone have more details?
>
> = = = = = = = =
>
> Auto, Gas Security Chips Vulnerable, Study Finds
> Sat Jan 29, 2005 08:00 PM ET
>
> WASHINGTON (Reuters) - Tiny radio-transmitter chips that make
> possible high-security car keys and swipe-by gasoline passes
> can be cracked using cheap technology, U.S. computer experts
> said on Saturday.
>
> The radio-frequency ID, or RFID, system uses a relatively
> simple code that criminals can easily decipher, making it
> easier to steal a car or get a free tankful of gasoline, the
> team at Johns Hopkins University in Baltimore and RSA
> Laboratories said.
>
> "We've found that the security measures built into these
> devices are inadequate," said Avi Rubin, technical director
> of the Johns Hopkins Information Security Institute.
>
> "Millions of tags that are currently in use by consumers have
> an encryption function that can be cracked without requiring
> direct contact. An attacker who cracks the secret key in an
> RFID tag can then bypass security measures and fool tag
> readers in cars or at gas stations," Rubin said in a statement.
>
> Made by Texas Instruments (TXN.N),
> the RFID system studied for the report uses a device that
> prevents a car from starting unless both the right key and
> the correctly coded RFID chip are used.
>
> "The devices have been credited with significant reductions
> in auto theft rates, as much as 90 percent," the researchers
> wrote. They cited Texas Instruments, which had been told
> about the problem, as saying the company had received no
> reports of thefts due to the vulnerability.
>
> The fuel-purchase system uses a reader inside the gas pump
> that recognizes a key-chain tag waved nearby and
> automatically charges a designated credit card.
>
> More than 150 million of the Texas Instruments transponders
> are embedded in keys for newer vehicles built by at least
> three leading makers, and in more than 6 million key-chain
> gas tags, the researchers said.
>
> The problem is that the mathematical key used to code the
> verification system is too short, they said.
>
> They bought a commercial microchip costing less than $200 and
> programmed it to find the key for a gasoline-purchase tag.
> They linked 16 such chips together and cracked the key in
> about 15 minutes.
>
> The researchers said a metal sheath could help prevent the
> problem. Texas Instruments representatives were unavailable
> for comment.
>
> The RFID system they used is called a Digital Signature
> Transponder, and is distinct from the Electronic Product Code
> used by retailers and pharmacies for inventory control.
>
> RSA Laboratories, based in Bedford, Massachusetts, is a
> division of RSA Security (RSAS.O).
>
> _______________________________________________
> saag mailing list
> saag at mit.edu
> https://jis.mit.edu/mailman/listinfo/saag
>
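Added example (not part of the original message, and not code from the OATH draft): a sketch of the two modes the reply distinguishes, a counter-based one-time value checked by a back end on the call back, and a local challenge/response with a shared 128-bit key and no counter. The one-time value follows the HOTP computation as later published in RFC 4226; the class and function names, the look-ahead window of 3 and the use of HMAC-SHA-256 for the challenge/response are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(key, counter, digits=6):
    """One-time value as in RFC 4226: HMAC-SHA-1 over the 8-byte counter, then truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class CounterVerifier:
    """Back-end check for the counter mode (hypothetical helper, pump calls back to it)."""

    def __init__(self, key, counter=0, window=3):
        self.key, self.counter, self.window = key, counter, window

    def verify(self, candidate):
        # Look ahead a few counters: the token may have advanced without a completed call back.
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.key, c).encode(), candidate.encode()):
                self.counter = c + 1  # values at or below c are now rejected as replays
                return True
        return False


def new_challenge():
    """Fresh 128-bit challenge from the lock (local mode, no counter state to keep)."""
    return secrets.token_bytes(16)


def respond(key, challenge):
    """Token side: keyed MAC over the challenge (HMAC-SHA-256 is this example's choice)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def check_response(key, challenge, response):
    return hmac.compare_digest(respond(key, challenge), response)


if __name__ == "__main__":
    key = b"12345678901234567890"  # test secret from RFC 4226 Appendix D
    verifier = CounterVerifier(key)
    print(verifier.verify(hotp(key, 2)), verifier.verify(hotp(key, 1)))
    shared = secrets.token_bytes(16)  # constructed 128-bit shared key
    challenge = new_challenge()
    print(check_response(shared, challenge, respond(shared, challenge)))
```
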