Category: Security

January 29, 2005

RFID D-fence

An article in the January 29th New York Times [subscription req'd] reveals that the RFID tag systems in car keys are not the ultimate security some may have expected.

There are some really good points in this article. When your key is only 40 bits long, the system can likely be brute forced simply by building hardware to test all the keys. But an important starting point was the ability to repeatedly activate the RFID tags with challenges and collect the responses, followed by the analysis needed to determine the actual key value. The potential ability to gather this information from a key while it continues to reside in the owner's pocket raises this from a purely research threat to one with some real world possibilities. This problem is reminiscent of the concern over reading RFID passports from a distance.

It appears likely that many of these car key systems use an encrypted transponder like the ones found towards the bottom of this Texas Instruments product page. This is important, because a potential security enhancement is buried inside this Texas Instruments application note. Although the topic of this note is testing RFID systems, they show how to automate tests, in part by turning the RFID tag on and off on command.

There is no magic to this, though. A few turns of wire are wound around the RFID tag. The note describes why.

The ends of the wire turns are soldered to screened twisted pair cable, which is connected to a spare I/O port on the Reader. When the cable ends are connected together, the shorted loops create a Faraday cage around the transponder and the transponder will not operate, but if the ends are not connected, the transponder will function as normal.

Such a system could easily be implemented in car keys. A few turns of wire around the transponder would be connected to a normally closed switch on the side of the key. The act of squeezing the key — something you already do while starting the car — opens the connections, breaks the Faraday cage, and allows the tag to be read for that brief moment. At any other time, such as when your keys are in your pocket, the RFID tag is shielded and cannot be read.

Depending on the exact design of the key and the ignition lock on the car, it may even be possible to issue more secure keys to existing owners. This could be done without requiring significant re-engineering of the car or its security reader.

A much more subtle, yet far more dangerous aspect of their attack is mentioned only once. The article mentions that they...

...had to fill a back seat of Mr. Green's S.U.V. with computers and other equipment to successfully imitate a key. But the cost of equipment could be brought down to several hundred dollars, Dr. Rubin said, and Adam Stubblefield, one of the Hopkins graduate students, said, "We think the entire attack could be done with a device the size of an iPod."

This is a reminder of that old dictum "the map is not the territory". Picking up the appropriate electronic signals at the RFID reader is no guarantee that they came from the original tag. The possibility of this type of RFID reader spoofing must be kept in mind by any implementor of an RFID system, to ensure that the cost of spoofing the system is higher than any value that can be derived from such an attack.

January 12, 2005

iPod shuffle: Security in Strange Places

There has been much discussion of why Apple would produce a low end flash-memory based player. As many have noted, although the iPod shuffle has Apple design fingerprints all over it, technically it doesn't offer all that much compared to competitors' offerings. The only unique technical feature is the ability to natively play iTunes-purchased tracks.

But the shuffle does have that low, low price of USD$99. And as many current iPod owners have discovered, the full iPod has a high price that can end up being paid more than once. Reports from the U.S., Canada, Britain, and Australia all show that iPods can make the wearer a snatch theft target. Those distinctive white headphones signify your membership in an exclusive club — a club that means you are carrying USD$400 worth of gear in your pocket.

That makes the iPod shuffle uniquely valuable to all existing iPod owners. Take a close look — the headphones on the shuffle are the same cool looking white ones you get on the big iPods. But tucked in that shirt or jacket pocket, the average snatch-and-grab thief will now find only a 99 dollar lump of plastic the size of a package of gum, with no display, voice recorder, or FM radio.

Voila! By reducing the value in the pockets of people wearing those distinctive headphones, Apple has reduced the value associated with mugging someone to get at that pocket. The risk is now much less likely to be worth the reward. The security of the average iPod owner is thus enhanced.

Rejoice, iPod owners! By creating the lowest priced iPod ever, Apple has lowered the price of admission to the club. Now the high end iPod owner can walk safe again, hiding in a crowd of low-priced decoys.

September 17, 2004

O-Pen-ing Your Kryptonite Lock

Freedom To Tinker is joining in the discussion on the ease of o-pen-ing Kryptonite bicycle locks that use cylindrical keys.

Apparently there is some question of how long this has been known. Reasonable proof of this being known for a while might be this Usenet message, found in Google Groups, which dates from December 1992.

Quoting from it also makes clear a second point - "... ANY lock with a cylindrical key of that style can be picked in seconds with the plastic cap from a cheap ballpoint pen..." - which still holds true. A thorough reading of the original bikeforum thread finds people reproducing this trick on many similar locks, not just those of Kryptonite. So, in that regard, Ed Felten's description of Kryptonite's claim as 'safest thing around' is a relative claim, which might still be true. Additional pointers in the bikeforum also lead out to lockpicking forums, where the idea that locks are unbreakable generates a really good chuckle.

It is worth keeping in mind that a bike lock has to satisfy other parameters besides those of security. It has to be of moderate weight, since it will be carried everywhere. It needs to be small -- some riders like small locks that they can carry in their pocket. It needs to be easy to manufacture, since bicycle locks can't really be super-expensive for most of the market. It also has to be resistant to jamming due to weather and dirt, both of which many riders encounter regularly. A "false negative" -- that is, unable to unlock your OWN jammed lock -- may be just as bad in the short term as a stolen bike.

If you read through Kryptonite's reports of street toughness, it is clear that most attacks on bicycle locks targeted the lock frame, not the actual key mechanism. Kryptonite appears to build very robust frames, but may have been a little blind to just how easy it had become to pick the cylinder-style locking mechanisms. As a reminder, we can go all the way back to the original Usenet posting, and look at the reply.

"Sure, with enough skill. Having tried my hand at picking cylinder locks, I can attest that even with the proper tools it requires skill and practice far beyond what most thieves will bother to invest. The handful of "specialists" who can do this trick I don't worry about."

This points out the real breakthrough this time. This technique is not just possible for the expert, it is relatively easy for the novice.

Although it is easy to take Kryptonite to task for not disclosing the real security level of their locks (which they may have not known), it is important to note that no bike lock company is disclosing such details. When it comes down to weighing the relative merits of which lock to buy, Kryptonite's anti-theft insurance policy is going to be a critical part of your protection.