Cryptologists at Johns Hopkins University have found a way to crack the code stored in millions of car keys. The car security system sold by Texas Instruments involves a transponder chip embedded in the key and a reader inside the car. The transponder emits radio signals, which the receiver in the car has to identify. If there is a mismatch then the car will not start irrespective of whether the key is correct or not.
The research team led by Avi Rubin, a professor of computer science at Johns Hopkins, cracked the code transmitted via radio signals on security system using cheap and easily available hardware in flat 15 minutes.
The team was also able to trick the gas station scanners that use a similar code emitted by a transmitter in the key chain of the car’s key. They used 16 commercial microchips that come for less than $200 each and used them to find the key for a petrol-purchase tag.
With this code they were able to buy gas from the gas station with the money being charged on someone else’s (one of the researcher’s) credit card.
Company spokesman Bill Allen said that the technology has been in use for seven years now and till now Texas Instruments has never had a reported incident where a car has been stolen or a gasoline-purchasing tag has been duplicated.
Sabetti, the business representative of Texas Instruments said, "I think the way in which it's presented as being inexpensive to do and quick and all the rest of that is an exaggeration. And because of that, we believe the technology still is extremely secure for the applications that it's used in."
Rubin however disagrees with the company statement as he says,
"I think the implications are that it sets us back about 10 years ago where we were with car security." He has recommended distributing free metallic sheaths to conceal the radio frequency from the devices when they are not being used.
Rubin further added that, "millions of tags that are currently in use by consumers have an encryption function that can be cracked without requiring direct contact. An attacker who cracks the secret key in an RFID tag can then bypass security measures and fool tag readers in cars or at gas stations."
Bedford, Mass.-based RSA Security Inc, funded the Johns Hopkins team.
