Researchers Chip Away at RFID Security

Technology researchers at Johns Hopkins University have found that radio frequency identification (RFID) technologies used for automobile locks and easy-pay gasoline systems are sorely lacking in protection, warning that opportunists could easily exploit the weakness for ill deeds.

The researchers, led by Avi Rubin, technical director of the Johns Hopkins Information Security Institute, cited poor encryption and inadequate protection from wireless hacking, which could allow access to automobiles or accounts that rely on the small, wireless-capable chips used for RFID.

The researchers claimed that the Texas Instruments (NYSE: TXN) system it cracked -- a low-power, radio frequency security system used worldwide by top car manufacturers and for more than 6 million key chain tags used to purchase gasoline -- could allow easy access to tech-savvy thieves.

"I think this sets back vehicle security about a decade," lead researcher Rubin told TechNewsWorld.

Ease of Use

The Johns Hopkins researchers said that the RFID system they studied was designed to thwart car thieves and provide fast and convenient payments via safeguarded wireless transactions. The group found, however, that the TI tags -- already in use around the world -- were susceptible to attack using mathematics and low-cost processors.

"Millions of tags that are currently in use by consumers have an encryption function that can be cracked without requiring direct contact," Rubin said in a statement. "An attacker who cracks the secret key in an RFID tag can then bypass security measures and fool tag readers in cars or at gas stations."

The researchers said that they alerted TI and demonstrated the security breach to the company, which is among a number of different RFID system makers.

The Hopkins researchers, who teamed with RSA Security (Nasdaq: RSAS) on the study, are putting other RFID systems to the test, Rubin said.

Early Disclosure

Ari Juels, RSA Laboratories principal research scientist, told TechNewsWorld the research was intended to head off more widespread distribution of the faulty RFID technology.

"Our aim is to uncover weaknesses like this in RFID devices before it becomes widespread and costly," Juels said. "This points to the importance of implementing good security from the get-go."

While the research does not indicate a general security problem with RFID, Juels said, additional research is expected to reveal more vulnerabilities.

"We are looking at other systems and there are other RFID devices in widespread use that we believe may have security weaknesses," Juels said.

Hardening RFID

RFID systems are being rapidly deployed in manufacturing and distribution, with companies such as Wal-Mart requiring the technology from suppliers.

Juels said the researchers are still assessing the parameters of the RFID weakness, indicating that factors such as wireless range and other circumstances have yet to be investigated.

Jules said Texas Instruments, for example, was on the right track by including encryption in its RFID solution, but needed to harden it further.

"In cars as in commerce, RFID is becoming a linchpin for security in day-to-day life," he said in a statement. "It is important that RFID devices offer a level of security commensurate with the value of the assets they protect."