The safety of the RFID tags embedded in car keys has been called into question by a graduate student at Johns Hopkins University.
Matthew Green is part of a team that has announced that it has cracked the security behind the “immobilizer” systems used in many modern vehicles, and created by Texas Instruments. The immobilization systems reduce car theft by only starting a vehicle when it recognizes a tiny chip in the car key. They are in use by Ford, Toyota and Nissan.
Texas Instruments executive Tony Sabetti denies that cracking the vehicles is possible, saying that they “have been fraud-free and are likely to remain fraud-free.”
However the researchers disagree. In a demonstration, the researchers were able to stand next to someone holding a valid key for just 1-2 seconds, about an hour of number crunching and then the car was completely theirs for the taking.
The implications of the Hopkins finding go beyond stealing cars.
The security technology is widely used for everything from highway tools to credit cards and inventory tracking.
Aviel D. Rubin, the professor who led the team, said his students were responsible in how they broke the news and were fulfilling a much-needed part of security: ensuring a product or technique actually is secure.
“What we find time and time again is the security is overlooked and not done right,” said Rubin, who has exposed flaws in electronic voting systems and wireless computer networks.
David Wagner, an assistant professor of computer science at the University of California, Berkeley, who reviewed a draft of a paper by the Hopkins team, called it “great research,” adding, “I see it as an early warning” for all radio frequency ID systems.
Dan Bedore, a spokesman for Ford, said the company had confidence in the technology. “No security device is foolproof,” he said, but “it´s a very, very effective deterrent” to drive-away theft. “Flatbed trucks are a bigger threat,” he said, “and a lot lower tech.”