Cracking RFID

If RFID tags are going to be the glue that holds together the pervasive computing environment of the future, security must be a primary consideration. Several graduate students from Johns Hopkins University have completed an analysis of a widely used RFID device -- the Texas Instruments DST tag, found in ExxonMobil SpeedPass electronic payment devices, among other places -- and their findings are sobering.

The students were able to crack the tags' 40-bit encryption algorithm using commonly available hardware and software components. With this equipment, they show how an attacker could eavesdrop on an active transaction session to grab a key and, theoretically, gain access to an otherwise secure system.

The students are careful to point out that systems such as SpeedPass use elaborate anti-fraud technology, so they should still be regarded as secure. However, they suggest that RFID tags contain a stronger key, using a 128-bit algorithm.

Finally, it should be noted that the analysis was conducted with the cooperation of Texas Instruments.

Source: Boing Boing