This has been a bad week for automotive security - viruses getting into onboard computers and now this...
U.S. researchers say they cracked security system used in millions of cars
Sat Jan 29, 9:27 PM ET
BALTIMORE (AP) - U.S. university researchers said Saturday they have found a way to crack the code used in millions of car keys, a development they said could allow thieves to bypass the security systems on newer car models.
The research team at Johns Hopkins University said it discovered the "immobilizer" security system developed by Texas Instruments could be cracked using a "relatively inexpensive electronic device" that acquires information hidden in the microchips that make the system work.
The radio-frequency security system being used in more than 150 million new Fords, Toyotas and Nissans involves a transponder chip embedded in the key and a reader inside the car. If the reader does not recognize the transponder, the car will not start, even if the key inserted in the ignition is the correct one.
It's similar to the new gasoline-purchase system in which a reader inside the gas pump is able to recognize a small key-chain tag when the tag is waved in front of it. The transaction is then charged to the tag owner's credit card.
Researchers said they were able to crack that code, too.
"We stole our own car and we bought gas stealing from our own credit card," said Avi Rubin, a professor of computer science at Johns Hopkins who led the research team.
Texas Instruments was recently given demonstrations of the team's code-cracking capabilities but the company maintains its system is secure.
Tony Sabetti, a business manager with Texas Instruments, said the hardware used to crack the codes is cumbersome, expensive and not practical for common thieves.
"I think the way in which it's presented as being inexpensive to do and quick and all the rest of that is an exaggeration," Sabetti said.
"And because of that, we believe the technology still is extremely secure for the applications that it's used in."
But Rubin said the code-breaking demonstrations illustrate that developers did not pay enough attention to security.
"I think the implications are that it sets us back about 10 years ago where we were with car security," Rubin said.
In the seven years the technology has been in use, Texas Instruments has never had a reported incident where a car has been stolen or a gasoline-purchasing tag has been duplicated, company spokesman Bill Allen said.
The Johns Hopkins team, which was funded by Bedford, Mass.-based RSA Security Inc., recommended distributing free metallic sheaths to cover the radio frequency devices when they are not being used.