Saturday, July 16, 2005
With a little bit of technical acumen and a few hundred dollars, enterprising thieves can walk away with some late-model cars and gas them up for free to boot, according to research published by computer security experts at the Johns Hopkins University in Baltimore and RSA Security Inc.'s RSA Laboratories in Bedford, Mass.

In January, the researchers published the results of a technical analysis of a kind of secure radio frequency identification (RFID) technology called Digital Signature Transponder (DST) from Texas Instruments Inc., which is widely used to secure newer-generation automobiles and electronic payment systems like Exxon Mobil Corp.'s Speedpass. The work revealed serious weaknesses in the cryptographic security used to protect data sent back and forth, and shines a light on the problem of security systems that rely on aging or inadequate cryptography, according to experts.

The team of researchers included staff from Johns Hopkins' Information Security Institute such as Avi Rubin, the computer security expert who gained fame for his analysis of flawed electronic voting technology from Diebold Inc. Rubin and a team of three graduate students, along with cryptography experts from RSA, used reverse-engineering techniques and custom-designed tools to crack the cryptographic keys used to secure the systems and simulate both the RFID DST tags and readers.

The hack allowed researchers to disable a vehicle immobilizer in a 2005 Ford automobile using a specially equipped laptop computer, and purchase gas at a number of Exxon Mobil locations with a homemade Speedpass device, according to a copy of their findings posted online.