Sunday, January 30, 2005

Well that didn't take long

(Via WorldNet Daily)

WARNING: GEEK ALERT!

Cryptographers unlock code of 'thiefproof' car key

Matthew Green starts his 2005 Ford Escape with a duplicate key he had made at Lowe's. Nothing unusual about that, except that the automobile industry has spent millions of dollars to keep him from being able to do it.

It took some bright grad students at Johns Hopkins 3 months to defeat the auto industry's newest "thiefproof" key.

And before the universal reply to such hacks, which is to claim that they had oodles and oodles of specialized equipment...

The researchers used several thousand dollars of off-the-shelf computer equipment to crack the code, and had to fill a back seat of Green's SUV with computers and other equipment to successfully imitate a key. But the cost of equipment could be brought down to several hundred dollars, Rubin said, and Adam Stubblefield, one of the Hopkins graduate students, said, "We think the entire attack could be done with a device the size of an iPod."

Several thousand dollars? Face it, for professional car thieves, that's simply a cost of doing business. All it will take is organized crime, which has the money to pay for design and manufacturing (and which probably knows who can do this work and how to motivate them to do it), and those little iPod-size devices will start showing up. Maybe they could call it the iSteal?

I wonder how much fun these will be for places like Walmart, who are hopping on the RFID device bandwagon with all their might. Just reprogram the little RFID tag on that new DVD to $9.98 from $19.98--what a deal! It might not even have to be that fancy--it burns out the existing RFID tag and sends out something different at the checkout. How about a big screen TV for $199.99? One might call that a steal...

And the enterprising Hopkins students have tried something similar with the Exxon Speedpass gas payment system. It worked.

As you might expect, Texas Instruments, which makes the system, pooh-poohs the idea that any of this is a problem. Speaking to the Speedpass exploit, Tony Sabetti of TI states that any improvements to the system are

... a solution to a problem that doesn't exist.

As my wife says, "Famous Last Words". Someone really needs to start reading RISKS Digest on the subject of "security through obscurity".

Helpful hint--it rarely works.
