January 29, 2005

RFID D-fence

An article in the January 29th New York Times [subscription req'd] reveals that the RFID tag systems in car keys are not the ultimate security some may have expected.

There are some really good points in this article. When your key is only 40 bits long, it is likely that the system can be brute forced by simply building a system to test all the keys. But an important starting point was the ability to repeatedly activate the RFID tag with challenges and collect its responses, followed by the analysis that determines the actual key value. The potential ability to gather this information from a key while it continues to reside in the owner's pocket raises this from a purely research threat to one with some real world possibilities. This problem is reminiscent of the concern over reading RFID passports from a distance.

It appears likely that many of these car key systems use an encrypted transponder like the ones found towards the bottom of this Texas Instruments product page. This is important, because a potential security enhancement is buried inside this Texas Instruments application note. Although the topic of the note is testing RFID systems, it shows how to automate tests, in part by turning the RFID tag on and off on command.

There is no magic to this, though. A few turns of wire are wound around the RFID tag. The note describes why.

The ends of the wire turns are soldered to screened twisted pair cable, which is connected to a spare I/O port on the Reader. When the cable ends are connected together, the shorted loops create a Faraday cage around the transponder and the transponder will not operate, but if the ends are not connected, the transponder will function as normal.

Such a system could easily be implemented in car keys. A few turns of wire around the transponder would be connected to a normally closed switch on the side of the key. The act of squeezing the key — something you already do while starting the car — opens the connections, breaks the Faraday cage, and allows the tag to be read for that brief moment. At any other time, such as when your keys are in your pocket, the RFID tag is shielded and cannot be read.

Depending on the exact design of the key and the ignition lock on the car, it may even be possible to issue more secure keys to existing owners. This could be done without requiring significant re-engineering of the car or its security reader.

A much more subtle, yet far more dangerous aspect of their attack is mentioned only once. The article notes that they...

...had to fill a back seat of Mr. Green's S.U.V. with computers and other equipment to successfully imitate a key. But the cost of equipment could be brought down to several hundred dollars, Dr. Rubin said, and Adam Stubblefield, one of the Hopkins graduate students, said, "We think the entire attack could be done with a device the size of an iPod."

This is a reminder of that old dictum "the map is not the territory". Picking up the appropriate electronic signals at the RFID reader is no guarantee that they came from the original tag. The possibility of this type of RFID reader spoofing must be kept in mind by any implementor of an RFID system, to ensure that the cost of spoofing the system is higher than any value that can be derived from such an attack.
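The two points above, the brute-force search over a short key and the reader's inability to tell a genuine tag from a device that knows the same key, can be shown with a toy model. This is example code written for this page, not anything from the article or the Hopkins team: the transponder's real cipher is not described here, so a truncated SHA-256 over a constructed 16-bit key stands in for it, and the 40-bit and 128-bit timings use an assumed test rate.

```python
import hashlib

KEY_BITS = 16          # toy keyspace; the article's transponders use 40 bits
RESPONSE_BITS = 24     # constructed value, not taken from the article


def respond(key: int, challenge: int, key_bits: int = KEY_BITS) -> int:
    """Toy keyed challenge/response function (SHA-256, truncated).

    Stands in for the transponder's cipher, which the page does not describe.
    The only property used is that the response depends on a secret key.
    """
    data = key.to_bytes((key_bits + 7) // 8, "big") + challenge.to_bytes(5, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - RESPONSE_BITS)


def collect_pairs(key: int, challenges, key_bits: int = KEY_BITS):
    """The step the article describes: repeatedly challenge a tag and record its answers."""
    return [(c, respond(key, c, key_bits)) for c in challenges]


def recover_key(pairs, key_bits: int = KEY_BITS):
    """Exhaustive search: every candidate key consistent with all captured pairs.

    Two pairs almost always leave a single candidate; one pair can leave several
    when the keyspace is not much smaller than the response space.
    """
    return [k for k in range(1 << key_bits)
            if all(respond(k, c, key_bits) == r for c, r in pairs)]


def search_seconds(key_bits: int, keys_per_second: float) -> float:
    """Worst-case time to try every key at an assumed test rate."""
    return (1 << key_bits) / keys_per_second


def demo(key_bits: int = KEY_BITS):
    # Constructed sample values: a fixed tag key and two 40-bit challenges.
    tag_key = 0xBEEF
    captured = collect_pairs(tag_key, [0x0123456789, 0x9ABCDEF012], key_bits)
    candidates = recover_key(captured, key_bits)
    # "The map is not the territory": a device holding the recovered key answers a
    # challenge it has never seen with exactly the bits the genuine tag would send.
    fresh = 0x5555AAAA55
    indistinguishable = all(respond(k, fresh, key_bits) == respond(tag_key, fresh, key_bits)
                            for k in candidates)
    return candidates, indistinguishable


if __name__ == "__main__":
    found, same = demo()
    print("candidates:", [hex(k) for k in found], "reader fooled:", same)
    # Assumed rate of one billion trial keys per second, purely illustrative.
    print("40-bit exhaustive search: %.0f s" % search_seconds(40, 1e9))
    print("128-bit exhaustive search: %.3g s" % search_seconds(128, 1e9))
```

Scaling the 16-bit search to the article's 40 bits multiplies the work by 2^24, which at the assumed rate is still under twenty minutes; at 128 bits the same arithmetic runs to far beyond the age of the universe.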
