The cryptography in RFIDs used as keys into cars has been successfully attacked by a team of cryptographers and security specialists. The system, known as the Texas Instruments DST (digital signature transponder) does a challenge-response based on a proprietary algorithm and a 40 bit key.
The team cracked open the secret algorithm by probing the device and gradually isolating it from the responses; this is called an 'oracle' attack. Then, with the algorithm bare, they were able to build a brute force 16-way key space searcher (with some optimisation) and figure out keys. Allied with a device they constructed to simulate the challenge-response, the team were then able to unlock the vehicle.
It was their own vehicle, but they also used the same techniques on SpeedPass tokens to create a device to purchase fuel at gas stations.
How plausible is this attack? Reasonable. With optimisation, car owners could be at risk. But, consider this: they are still at less risk than all the others who don't have this technology. And, it's not a 100% breach, in that there are quite severe costs left over to turn this into a real live attack. Don't expect any serious news for another year, I'd say, and it is likely that SpeedPass is the more risky area, but even then, it is not an easy attack (considering that in order to steal a tank of petrol, you have to drive past the cameras ...).
Some will say this is evidence that "things should have been done properly!" To that I say Balderdash! When this system was conceived, it is likely that it couldn't have been much stronger. More, it's done its job, for that we should thank the designers. Even better, by all reasonable analysies, it is going to continue to do its job, albeit with higher risks.
Further, we now have something of inestimable value: a data point. The system was invented, deployed and attacked. On this day, in its history, it was attacked. Up until then it was a theoretical unknown, but now we have a fairly good idea of how much it costs to attack it.
That information will be of inestimable value in designing the replacement systems. The systems people now have a baseline and can happily assess what they need for the next ten years. Without this attack, that would not have been possible, as everything would have been based on theoretical projections, which have proven to be rather shy of useful in some cases.
What will be more important is how this crack shakes up the debate on Passports with RFIDs. Already under challenge, this will cause the heads over at DHS to duck down from the rampants faster than you can say challenge-response. It will be interesting to see how that primarily political project evolves!
Posted by iang at January 30, 2005 02:43 PM | TrackBackAcceptable risk scenarios involve discovery and events. I.e. things must happen. The simple fact that things can be cracked means nothing. Are they being cracked and at what cost? It seems as though the owner of the asset under protection must make the choice.
Now take for example priceless baseball cards left in a closet safely stored away in a cardboard box owned by the young son of the house. The value is not known to the mother who throws the box out as clutter. The assumption the son made was his closet was safe and exclusive, yet his mother had a different idea.
If the owner of a car parks it with the idea that it is safe, leaving his Picasso etchings in the backseat only to return to find that the Picassos were picked, then the courts will come into play. They will ask TI and this wonderful team of developers what the risk scenario was on this damn thing that did not work.
The team can say many things but what they cannot say is the risk is or was acceptable. So the classic issue of notification to all owners of the now cracked security system is in order so they might be made aware of the shortcoming. Also a prudent reserve should be placed aside by the TI team for claims against their flawed product.
All in all the product is defective (just like Microsoft's OS) so the question is, what is the remedy to the consumer? What's in it for their pain and suffering?
I'm sure the answer is 'nothing' because crypto people should not be sued for the products they produce that cause injury. The problem is the law does not see it that way. I shall send this blog posting to an attorney right away since I'm sure there is a class action and product recall in the making. Just kidding.
Posted by: Jim at January 31, 2005 08:37 AM