AOH :: PT-1058.HTM

One (perhaps already reported) security hole in RFIDs

One (perhaps already reported) security hole in RFIDs
One (perhaps already reported) security hole in RFIDs




-------- Original Message --------
Subject: Re: [Politech] Who's liable for "smart card" security breaches?
Date: Fri, 15 Jul 2005 23:28:12 -0700
From: Hal Murray  
To: declan@well.com 
CC: Richard M. Smith , Hal Murray 
 

Feeding >RFID crack< to google gets some interesting answers.

I don't remember seeing this mentioned in Politech (or anywhere else):

The RFID/DST scheme has been cracked.  Press Release is dated 29-Jan-2005.

http://rfidanalysis.org/ 
http://www.jhu.edu/news_info/news/home05/jan05/rfid.html 

It's used by:
   150 million vehicle immobilizer keys (including 2005 Fords)
   Exxon Mobil Speedpass
     seven million cryptographically-enabled keychain tags
     10,000 locations worldwide

That scheme uses 40 bit keys.  Obviously weak by today's standards.
But it's shipping on 2005 Fords so somebody obviously didn't do their
homework.

They used a bank of FPGAs to speed up brute force key search.
   2 weeks to find a key when running on 10 very fast PCs.
   16 FPGSs got 5 keys in well under 2 hours.
(Doesn't look critical, but probably lots of fun and a good way to get grad
students working on the project.)

The FAQ mentions lack of public scrutiny.  That seems to confirm my 
security-by-obscurity feelings for the new RFID-CC scheme.


-- 
The suespammers.org mail server is located in California.  So are all my
other mailboxes.  Please do not send unsolicited bulk e-mail or unsolicited
commercial e-mail to my suespammers.org address or any of my other 
addresses.
These are my opinions, not necessarily my employer's.  I hate spam.



_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/ 
Moderated by Declan McCullagh (http://www.mccullagh.org/) 


Make REAL money with your website!

The entire AOH site is optimized to look best in Firefox® 2.0 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.