Sound far-fetched? It's already happening.

An inexpensive electronic device can, at close range, wirelessly probe newer car-immobilizer ignition keys and wireless-payment tags. The stolen information is then used to crack the chip's secret, encoded cryptographic key, giving thieves unauthorized access to whatever the key protects.

It turns out the 40-bit encryption key used in the transponder tags is not strong enough to prevent such attacks, warn computer scientists from Johns Hopkins Univ. and RSA Laboratories, Bedford, Mass. About 150 million of the Digital Signature Transponders are embedded in ignition keys for newer vehicles. The transponders are also inside over 6 million key-chain tags that secure wireless gasoline purchases. All are based on the Texas Instruments Registration and Identification System.

Here's how DSTs work: Automotive immobilizers use a passive transponder chip in the key and a reader inside the car that connects to the fuel-injection system. Passive devices don't contain an onboard power source, but rather receive power from a reader antenna. A car will start only when the reader recognizes the transponder; a physical key that fits the ignition switch but doesn't contain the correct transponder code won't work. In the gasoline-purchase system, a reader at the gas pump must recognize a passive key-chain tag waved in front of it for the credit-card transaction to take place.

DSTs contain a secret, 40-bit cryptographic key that is field programmable by RF command. A reader signals the DST to emit a factory-set (24-bit) identifier and then to authenticate itself in a challenge-response protocol. The reader initiates the protocol by transmitting a 40-bit challenge. The DST encrypts this challenge under its key and returns a 24-bit response. It is the secrecy of the key that protects the DST against cloning and simulation.

After unraveling the mathematics involved, the group purchased an off-the-shelf, 100-MHz FPGA for less than $200 and programmed it to find the secret key for a gasoline-purchase tag. The brute-force guessing process took about 10 hr. Linking 16 of the chips together let the team crack a secret key in about 15 min. And they are already working on faster decoders. The group had similar success with a DST-equipped car ignition. With the secret key in hand, they were able to simulate the RFID tag and disarm the car's antitheft system.

A laptop computer runs the FPGAs and a 12-bit DAC board. The board can do 12-bit a/d conversions on an input signal at a rate of 1.25 MHz and generate an output signal at 1 MHz. Both the input and output channels of the DAC connect to an antenna tuned to the correct frequency range. Modulation and demodulation software routines decode and produce the analog AM signals transmitted by the TI reader as well as FM-FSK analog signals transmitted by the transponders. Using these routines, the equipment can eavesdrop on the communication protocol between a DST reader and transponder, or participate actively in a protocol by emulating either device.

There are two basic ways attackers may use the equipment to harvest signals from a target DST. The first is active scanning. Here, the attacker takes control of a reader within scanning range of the target DST. DSTs of the type found in SpeedPass refueling stations and automobile ignition keys are designed for scanning at short range, a few centimeters, though preliminary experiments have extended that range to several inches. A DST may respond to as many as eight queries/sec, making it possible to perform the requisite two scans in as little as 0.25 sec.
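To make the challenge-response exchange and the "requisite two scans" figure concrete, here is an added Python model. It is not the researchers' code and it does not contain the proprietary DST40 cipher, which the article does not describe; a truncated SHA-256 keyed hash stands in for the transponder's cipher, and the key and response widths are parameters. The Transponder, Reader and helper names are this example's own. On a toy-sized key space it shows why a single 24-bit response leaves about 2^16 of 2^40 keys still consistent, why a second challenge/response pair narrows that to one, and what the article's guessing rate would mean against the 128-bit keys recommended later in the piece.

```python
"""Toy model of a DST-style challenge-response protocol and of the key-space
arithmetic behind the article's numbers. Added example, not the researchers'
code; the keyed function below is a stand-in, not the real DST40 cipher."""

import hashlib
import os

# Sizes stated in the article for the TI DST.
DST_KEY_BITS = 40
DST_CHALLENGE_BITS = 40
DST_RESPONSE_BITS = 24


def keyed_response(key, challenge, key_bits, response_bits):
    """Model cipher: response = low `response_bits` of SHA-256(key || challenge).
    Assumption: stands in for the proprietary DST40 cipher, which is not in the article."""
    kb = key.to_bytes((key_bits + 7) // 8, "big")
    cb = challenge.to_bytes((DST_CHALLENGE_BITS + 7) // 8, "big")
    digest = hashlib.sha256(kb + cb).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << response_bits) - 1)


class Transponder:
    """Passive tag side: holds the secret key and answers each challenge with a short response."""

    def __init__(self, key, key_bits=DST_KEY_BITS, response_bits=DST_RESPONSE_BITS):
        self.key, self.key_bits, self.response_bits = key, key_bits, response_bits

    def respond(self, challenge):
        return keyed_response(self.key, challenge, self.key_bits, self.response_bits)


class Reader:
    """Reader side: issues a fresh random challenge and checks the reply against the key it expects."""

    def __init__(self, expected_key, key_bits=DST_KEY_BITS, response_bits=DST_RESPONSE_BITS):
        self.expected_key, self.key_bits, self.response_bits = expected_key, key_bits, response_bits

    def new_challenge(self):
        return int.from_bytes(os.urandom(8), "big") & ((1 << DST_CHALLENGE_BITS) - 1)

    def verify(self, challenge, response):
        return response == keyed_response(self.expected_key, challenge, self.key_bits, self.response_bits)


def authenticate(reader, tag):
    """One protocol run: reader sends a challenge, tag answers, reader verifies."""
    challenge = reader.new_challenge()
    return reader.verify(challenge, tag.respond(challenge))


def expected_survivors(key_bits, response_bits, pairs):
    """Expected number of keys still consistent with `pairs` observed challenge/response pairs.
    Each response of r bits keeps only about 1/2^r of the remaining keys."""
    return max(1, 2 ** (key_bits - pairs * response_bits))


def consistent_keys(pairs, key_bits, response_bits):
    """Exhaustive check over a TOY key space (keep key_bits small) for keys that reproduce
    every observed pair. Illustrates why two scans pin down a 40-bit key with 24-bit responses."""
    survivors = range(1 << key_bits)
    for challenge, response in pairs:
        survivors = [k for k in survivors
                     if keyed_response(k, challenge, key_bits, response_bits) == response]
    return survivors


def brute_force_hours(key_bits, keys_per_second):
    """Wall-clock hours to sweep an entire key space at a given guessing rate."""
    return (2 ** key_bits) / keys_per_second / 3600


# Guessing rate implied by the article: one FPGA covers the 2^40 keys in about 10 hr.
ONE_FPGA_RATE = 2 ** 40 / (10 * 3600)

if __name__ == "__main__":
    # A tag and reader sharing a key authenticate; a mismatched key fails.
    print("match:", authenticate(Reader(0x12345ABCDE), Transponder(0x12345ABCDE)))
    print("mismatch:", authenticate(Reader(0x12345ABCDE), Transponder(0x12345ABCDF)))
    # Article-sized analysis: survivors after one and two pairs.
    print("40/24-bit survivors after 1 pair:", expected_survivors(40, 24, 1))
    print("40/24-bit survivors after 2 pairs:", expected_survivors(40, 24, 2))
    # Toy-sized empirical version (constructed key and challenges, 16-bit key, 8-bit response).
    toy = Transponder(key=0xBEEF, key_bits=16, response_bits=8)
    pairs = [(c, toy.respond(c)) for c in (0x1234567890, 0x0A0B0C0D0E)]
    print("toy survivors after 1 pair:", len(consistent_keys(pairs[:1], 16, 8)))
    print("toy survivors after 2 pairs:", consistent_keys(pairs, 16, 8))
    # Key length is the lever: same hardware, 16 FPGAs, 128-bit key.
    print("128-bit sweep on 16 FPGAs, hours:", brute_force_hours(128, 16 * ONE_FPGA_RATE))
```

The toy run is sized so the second filtering step is visible: roughly 1/256 of the 65,536 toy keys survive the first pair, and almost always only the true key survives the second, which is the same shape as 2^16 survivors and then one for the article's 40/24-bit parameters. The last line shows why the article's remedy is key length rather than faster readers: the 128-bit sweep time is astronomically large even with the 16-FPGA rig.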

The second mode of attack, called passive eavesdropping, intercepts the communication between a legitimate reader and a target DST during a valid authentication session. In this case, the attacker need not furnish power to the DST. Effective eavesdropping range then depends on the ability to intercept the DST signal. Researchers say they haven't done experiments to determine the range at which such an attack might be mounted. But it is worth noting that purported U.S. Dept. of Homeland Security reports cite successful eavesdropping of this kind on 13.56-MHz tags at a distance of tens of feet. DSTs operate at a much lower 134-kHz frequency, so signals penetrate obstacles more effectively. This may actually facilitate eavesdropping, though larger antennas are needed for intercepting signals.

But before you panic, consider that the cryptographic challenge-response protocols of DST devices constitute only one of several layers of security in these systems. The SpeedPass network, for example, has online fraud-detection mechanisms loosely analogous to those employed for traditional credit-card transaction processing. Suspicious usage patterns may result in flagging and disabling of a SpeedPass device in the network.

Researchers acknowledge the far greater threat is to car immobilizers, a technology that has slashed auto thefts by 90% since its inception, according to some estimates. A single successful attack on an automobile immobilizer can fully compromise the vehicle. While compromise of a DST does not immediately permit theft of an automobile, it renders an automobile with an immobilizer as vulnerable to theft as an automobile without one.

How to combat RFID thieves? Use stronger 128-bit Advanced Encryption Standard (AES) keys, says the group. Some RFID devices already use 128-bit keys, though implementing them for automobiles would be complex and costly. Faraday shielding is another potential fix. When not in use, DSTs may be encased in aluminum foil or another radio-wave attenuator. This would defend against active scanning attacks, but not against passive eavesdropping. A metal shield in the form of a partial cylinder around the ignition-key slot in automobiles could limit eavesdropping range.