An article in the January 29th New York Times [subscription req'd] reveals that the RFID tag systems in car keys are not the ultimate security some may have expected.
There are some really good points in this article. When your key is only 40 bits long, the system can likely be brute forced by simply building hardware to test all 2^40 (about 1.1 trillion) keys. But an important starting point was the ability to repeatedly activate the RFID tag with chosen challenges and collect the responses, followed by the offline analysis that determines the actual key value. The potential ability to gather this information from a key while it continues to reside in the owner's pocket raises this from a purely research threat to one with some real world possibilities. This problem is reminiscent of the concern over reading RFID passports from a distance.
It appears likely that many of these car key systems use an encrypted transponder like the ones found towards the bottom of this Texas Instruments product page. This is important, because a potential security enhancement is buried inside this Texas Instruments application note. Although the topic of this note is testing RFID systems, they show how to automate tests, in part by turning the RFID tag on and off on command.
There is no magic to this, though. A few turns of wire are wound around the RFID tag. The note describes why.
The ends of the wire turns are soldered to screened twisted pair cable, which is connected to a spare I/O port on the Reader. When the cable ends are connected together, the shorted loops create a Faraday cage around the transponder and the transponder will not operate but if the ends are not connected, the transponder will function as normal.
Such a system could easily be implemented in car keys. A few turns of wire around the transponder would be connected to a normally closed switch on the side of the key. The act of squeezing the key — something you already do while starting the car — opens the switch, breaks the shorted loop, and allows the tag to be read for that brief moment. At any other time, such as when your keys are in your pocket, the RFID tag is shielded and cannot be read.
Depending on the exact design of the key and the ignition lock on the car, it may even be possible to issue more secure keys to existing owners. This could be done without requiring significant re-engineering of the car or its security reader.
A much more subtle, yet far more dangerous aspect of the researchers' attack is mentioned only once. The article mentions that they...
...had to fill a back seat of Mr. Green's S.U.V. with computers and other equipment to successfully imitate a key. But the cost of equipment could be brought down to several hundred dollars, Dr. Rubin said, and Adam Stubblefield, one of the Hopkins graduate students, said, "We think the entire attack could be done with a device the size of an iPod."
This is a reminder of that old dictum "the map is not the territory". Picking up the appropriate electronic signals at the RFID reader is no guarantee that they came from the original tag; a device that holds the recovered key and answers challenges correctly is indistinguishable to the reader from the genuine transponder. The possibility of this type of RFID reader spoofing must be kept in mind by any implementor of an RFID system, to ensure that the cost of spoofing the system is higher than any value that can be derived from such an attack.
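To make the two points above concrete (harvesting challenge/response pairs from a pocketed key and then brute forcing the key, and a cloned device that the reader cannot tell from the real tag), here is an added simulation. It is not code from the article or from the Hopkins researchers, and it does not model the transponder's real cipher: the keyed function is a stand-in (HMAC-SHA256, truncated), the key is shrunk from 40 bits to 16 so the exhaustive search finishes in well under a second, and the response is shrunk to 8 bits so that, as in the real system, one response pins down fewer bits than the key holds. The challenges and the key are constructed demo values.

```python
import hashlib
import hmac
import os

# Toy parameters. The article's transponder has a 40-bit key; that space is too
# large to sweep in an example, so key and response are shrunk while keeping the
# real system's property that a single response reveals fewer bits than the key.
KEY_BITS = 16
CHALLENGE_BITS = 40
RESPONSE_BITS = 8


def respond(key: int, challenge: int) -> int:
    """Stand-in for the tag's proprietary keyed function (assumption: truncated HMAC)."""
    key_bytes = key.to_bytes((KEY_BITS + 7) // 8, "big")
    chal_bytes = challenge.to_bytes((CHALLENGE_BITS + 7) // 8, "big")
    mac = hmac.new(key_bytes, chal_bytes, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") & ((1 << RESPONSE_BITS) - 1)


class Transponder:
    """The tag in the owner's pocket: answers whatever challenge it is sent."""

    def __init__(self, key: int) -> None:
        self._key = key

    def answer(self, challenge: int) -> int:
        return respond(self._key, challenge)


class Reader:
    """The car's reader: issues a random challenge and accepts a matching response."""

    def __init__(self, key: int) -> None:
        self._key = key

    def new_challenge(self) -> int:
        raw = int.from_bytes(os.urandom((CHALLENGE_BITS + 7) // 8), "big")
        return raw & ((1 << CHALLENGE_BITS) - 1)

    def verify(self, challenge: int, response: int) -> bool:
        return response == respond(self._key, challenge)


def harvest(tag: Transponder, challenges):
    """The attacker's own reader queries the tag with chosen challenges."""
    return [(c, tag.answer(c)) for c in challenges]


def recover_key(pairs):
    """Exhaustive search: keep every key consistent with all harvested pairs."""
    first_c, first_r = pairs[0]
    candidates = [k for k in range(1 << KEY_BITS) if respond(k, first_c) == first_r]
    for c, r in pairs[1:]:
        candidates = [k for k in candidates if respond(k, c) == r]
    return candidates


def expected_false_keys(n_pairs, key_bits=KEY_BITS, response_bits=RESPONSE_BITS):
    """Rough count of wrong keys surviving n responses: 2^(key - n*response)."""
    return 2.0 ** (key_bits - n_pairs * response_bits)


def brute_force_seconds(key_bits, trials_per_second):
    """Worst-case seconds to sweep a key space at an assumed trial rate."""
    return (2 ** key_bits) / trials_per_second


# Constructed demo values (not from the article).
TRUE_KEY = 0xBEEF
HARVEST_CHALLENGES = [0x0123456789, 0x9876543210, 0x00000ABCDE, 0xF00DCAFE01]


def demo():
    tag = Transponder(TRUE_KEY)
    pairs = harvest(tag, HARVEST_CHALLENGES)
    after_one = recover_key(pairs[:1])   # many keys fit a single response
    recovered = recover_key(pairs)       # a few responses leave only the real key
    # The "iPod-sized device": a clone loaded with the recovered key.
    clone = Transponder(recovered[0])
    car = Reader(TRUE_KEY)
    c = car.new_challenge()
    return {
        "candidates_after_one": len(after_one),
        "recovered": recovered,
        "clone_accepted": car.verify(c, clone.answer(c)),
    }


if __name__ == "__main__":
    print(demo())
    # Scaled to the article's 40-bit key and 24-bit response:
    print(expected_false_keys(1, 40, 24), "wrong keys survive one pair")
    print(expected_false_keys(2, 40, 24), "wrong keys survive two pairs")
    print(brute_force_seconds(40, 2 ** 30), "s to sweep 40 bits at 2^30 trials/s")
```

The scaled numbers are the reason two or three challenges from the pocketed key are enough: a 24-bit response against a 40-bit key leaves roughly 2^16 wrong keys after one pair and well under one after two, so the attacker's offline search needs only a couple of harvested pairs, and the clone that results answers the car's fresh challenge exactly as the real key would.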
There has been much discussion of why Apple would produce a low end flash-memory based player. As many have noted, although the iPod shuffle has Apple design fingerprints all over it, technically it doesn't offer all that much compared to competitors' offerings. The only unique technical feature is the ability to natively play iTunes-purchased tracks.
But the shuffle does have that low, low price of USD$99. And as many current iPod owners have discovered, the full iPod has a high price that can end up being paid more than once. Reports from the U.S., Canada, Britain, and Australia all show that iPods can make the wearer a snatch theft target. Those distinctive white headphones signify your membership in an exclusive club — a club that means you are carrying USD$400 worth of gear in your pocket.
That makes the iPod shuffle uniquely valuable to all existing iPod owners. Take a close look — the headphones on the shuffle are the same cool looking white ones you get on the big iPods. But tucked in that shirt or jacket pocket, the average snatch-and-grab thief will now find only a 99 dollar lump of plastic the size of a package of gum, with no display, voice recorder, or FM radio.
Voila! By reducing the value in the pockets of people wearing those distinctive headphones, Apple has reduced the value associated with mugging someone to get at that pocket. The risk is now much less likely to be worth the reward. The security of the average iPod owner is thus enhanced.
Rejoice, iPod owners! By creating the lowest priced iPod ever, Apple has lowered the price of admission to the club. Now the high end iPod owner can walk safe again, hiding in a crowd of low-priced decoys.