Are RFID ignition systems secure?
An RFID-equipped key could help throw off the thieves -- or not.
In 1997, Ford Motor Co. equipped the Mustang with one of the first RFID
ignition immobilizers in the U.S. car industry. Theft levels for the Mustang
immediately dropped 70 percent from just two years prior. The results were
stunning, and pretty much every other carmaker followed suit.
Today, the RFID (radio frequency identification) industry claims a 90
percent reduction in theft rates for car models equipped with RFID starters,
immobilizers and entry systems. Both automakers and insurance companies
have full faith in the devices, even going so far as to label them unbeatable.
And certainly, the technology is an impressive display of security
innovation.
RFID relies on radio-frequency signals to create a system that, for the first
several years it was in use, was indeed uncrackable. In the 1990s, many a
car thief was thwarted by the rather brilliant addition of RFID immobilizers
to regular old physical keys.
An RFID immobilizer is a chip embedded in
the top part of an ignition key. This chip sends out an encrypted string of
radio-frequency signals, basically a particular number of impulses
broadcast on various radio frequencies to create a specific code, when the
driver inserts it into the ignition-key slot. Without this code, the car either
won't start or won't activate the fuel pump. So even if someone hotwires the
car or copies an ignition key, the ignition isn't going to work because it
hasn't received the proper radio-frequency code.
If you have a car that comes with a special "valet key," the immobilizer
probably shuts down the fuel pump if the car is started without the code.
This means the car is going to run only on whatever fuel is left in the fuel
line, which will only get it a couple of blocks. Thus the valet key -- valet
parkers only have to drive a car very short distances. If they try to drive off
with your car, they won't get very far. Neither will any other potential car
thief.
Early RFID systems, both keyless entry (the key fob device with the button
you press to unlock the car) and vehicle immobilizers, used 32-bit
encryption. That means they sent a code of 32 impulses. With 32 bits in the
code, there are billions of possible combinations. In newer schemes,
including remote starters that let you start a car with the push of a button,
the codes have 40 bits, which increases the possibilities. With so many
possible codes, the system seems unbeatable.
And at first, it was.In this article, we'll see whether RFID technology can
protect a car from theft and find out how thieves are adapting to the
systems.
RFID Car Systems: Radio Protection
Radio-frequency identification tags use similar technology to RFIDs used in cars.
Cars with RFID security do have lower theft rates, and it makes sense. This
type of system makes getting in and driving off a lot more complicated.
Keyless entry and immobilizer systems work in pretty much the same way.
Let's say you have a keyless-entry fob. It's a standard radio-transponder
setup: Inside is a circuit board, a radio transmitter, a battery and an antenna.
When you get near your car, perhaps 5 feet to 10 feet (a few meters) away,
you press the button to unlock your doors. The RFID chip in the fob sends
out a code of 40 impulses broadcast on different frequencies. The
corresponding RFID chip in the car receives this code and accesses the car's
software to find out if the code is the right one. If it is, the doors unlock.
This is called an active RFID system, since pushing the button actively
sends out the code, instead of receiving it. The immobilizer chips in
ignition keys are also active. Keyless ignition, on the other hand, is a
passive RFID system. Instead of the ignition chip sending out the code, the
car sends out the code and the ignition chip receives it. Ignition systems
have no battery (or a different kind), and they have a lower-power antenna,
so they won't broadcast as far. It's an additional security measure.
On its face, the system seems impenetrable: There are billions of possible
sequences, and brute force will no longer get the car moving. Add in
rolling codes, which are becoming more common -- a system in which the
expected sequence changes slightly every time you push the button -- and
the options get closer to a trillion. But as with any security system, it's only
impenetrable until thieves figure out a way around it. Look at safes and
burglar alarms; you've got to update those frequently in order to stay ahead
of the robbers. Car RFID systems are no different.
RFID hacking is the most high-tech approach to car theft yet. Using
hardware that grabs radio frequency signals out of the air, and software that
decrypts it, thieves with time on their hands can steal an RFID-equipped
car. In 2005, researchers at Johns Hopkins University in Maryland
demonstrated how.
RFID Security: Hacking In
A thief with a laptop and a microreader can capture the transmissions sent out
by an RFID.
The fact is, people steal cars equipped with RFID security. It's especially
common in Europe , where RFID has been used in cars for longer than in
the United States . To prove the weaknesses of the system, researchers at
Johns Hopkins went about breaking in. What they found was startling.
If you equip a laptop computer with a microreader, a device that can
capture radio signals, you can capture the transmissions sent out by an
RFID immobilizer key. Positioned within a few feet of the RFID
transponder -- say, sitting next to the car owner in a restaurant -- the laptop
sends out signals that activate the chip. When the key begins broadcasting,
the reader grabs the code, and the computer begins decrypting it. Within 20
minutes, you've got the code that'll tell the car to start. (Once you have a
good database of codes stored in your laptop, the time gets much shorter.)
Pair that code with a copy of the physical key or a hotwire job, and you're
on your way. In the case of the passive ignition system, the process is
similar, but you need only stand next to the car, not the person carrying the
key.
In cars that have RFID entry and ignition, it's an all-in-one process. Break
the codes, and you can not only unlock the doors, but also start the car and
drive away. According to some security experts, this is the problem with
the system. RFID is a really great addition to a car's physical security
system, but on its own, it allows for complete access with just a single act
of decryption. For a thief with good equipment, it's a snap.
This is where the RFID, insurance and car industries object to the portrayal
of RFID systems as faulty. Sure, the Johns Hopkins researchers could break
it. They have money and hardware. Car thieves would never take the time
or spend the money to break an encrypted code.
But with the payoff of tens of thousands of dollars for a high-end car,
thieves have decided to give it a whirl. And whereas locksmiths weren't
allowed to copy RFID-equipped keys at first, annoyance on the part of car
owners who lost their keys led to a loosening of the rule. Now, both
locksmiths and regular consumers can buy kits that can capture and clone
an RFID code. The result is that people are losing their RFID-secured cars,
and insurance companies call the owners' claims fraudulent because RFID
security is uncrackable. The owners must be lying.
There are a few possible solutions to this problem that don't involve
scrapping RFID. The Johns Hopkins scientists propose several ways to
better secure the system: First, RFID makers should switch from 40-bit to
128-bit encryption; owners should wrap their fob in tinfoil when not using
them, to help block fraudulent signals from activating transmission; and
most important, carmakers should use RFID technology as an additional
security measure, not the sole one.
As with any other security system, the advice is simple: Layer up. Don't
rely on any single protection method. Instead, use several different types of
security in order to make it as complicated as possible to bypass.
