Thursday, February 24, 2005

InfoWorld: Not-so-secure keys


SECURITY ADVISER: BOB FRANCIS
http://www.infoworld.com
Thursday, February 24, 2005

NOT-SO-SECURE KEYS

By Bob Francis

Posted February 18, 2005 3:00 PM Pacific Time

A couple of weeks ago, I used an analogy about my grandfather's wrecking yard to describe the search for better security, making the point that automobiles used to start with a mere foot pedal before the development of effective theft protection in the form of a car key.


Through a confluence of cosmic events, these two topics -- cars and security -- have once again come together.

A recent study conducted by Johns Hopkins University and RSA Laboratories found that a widely used RFID chip created by Texas Instruments (TI) and installed in a variety of car keys may be cheap and easy to hack. (You can read the report at rfid-analysis.org.)

The car key chips are included on recent models of cars made by Nissan, Toyota, and Ford. The RFID chip is also used in the ExxonMobil Speedpass, a key tag that wirelessly completes transactions at gas pumps. According to TI, almost 150 million chips are in use in the United States.

The report states it's easy to hack the chip in a car key. Thieves only need some relatively cheap equipment that can wirelessly interact with and then make a clone of the device. The clone would let them disable a car's alarm system.

They couldn't just drive away in a new Lexus, however. Getting into the car is still a problem. Apparently, after disabling the alarm, the thieves would have to resort to a good old-fashioned crowbar to crack a window. That's a lot of trouble to go through just to steal the latest Kanye West CD.

When they examined the Speedpass system, the researchers were able to unravel the mathematical process used in verification. They then purchased a commercial microchip (costing less than $200) and programmed it to find the secret key for a gasoline purchase tag owned by one of the researchers. By linking together 16 such chips, the group cracked the secret key in about 15 minutes.

That, too, is a lot of trouble, despite the price of gas. Thankfully, in the Speedpass system the owner's credit card information isn't carried on the chip and isn't revealed by breaking the pass' security.

The researchers have some advice if you're worried about the security of your Speedpass or your keys: Put aluminum foil around the device when it's not in use. Apparently aluminum foil is just enough of a barrier to block unauthorized data transfers. And you thought those guys wearing foil hats were nuts? Nope, they're just protecting their RFID chips. If only the rest of computer security were that easy.

Bob Francis is a senior writer at InfoWorld.


Copyright (C) 2005 InfoWorld Media Group, 501 Second St., San Francisco, CA 94107
