WASHINGTON -- Security and convenience don't always go hand in hand. That may be the painful lesson for people who use an ExxonMobil Speedpass to purchase gas or keyless entry systems to get into their cars.
It may be cheap and easy to hack a widely used RFID chip created by Texas Instruments and installed in a variety of car keys, including models made by Nissan and Toyota, and Ford models from 2003, 2004, and 2005, a recent study found. That RFID chip is also used in the ExxonMobil Speedpass, a key-tag that wirelessly completes transactions at gas pumps. According to Texas Instruments, almost 150 million chips exist in car keys and key-tags throughout the country.
The study was conducted by Johns Hopkins University and RSA Laboratories, and came about simply because researchers were curious. "One of us had a Speedpass and wondered how secure it was," says Avi Rubin, professor of Computer Science at Johns Hopkins University's Information Security Institute. In the end, Rubin says, the group was surprised by what they found.
RFID Security Is Weak
With just "a few hundred dollars worth of equipment," Rubin says his team was able to wirelessly interact with car keys and payment tags at close range, and obtain enough information to crack their security system. They could then create a clone of the device, he says. This clone would allow someone to purchase gas on a victim's key-tag or disable a car's alarm system, but would not allow you to unlock a car's doors, Rubin says.
The chips tested during the study were more advanced than those that exist in older cars, Rubin says. "The one that we broke is the latest and greatest," he says, adding that older cars have weaker security systems that could be easier to hack into.
No Intention to Change
ExxonMobile acknowledges the potential security problems with the Speedpass device. "Bottom line, we are aware of it," says Don Turk, a company spokesperson. Still, the company does not have any plans to change the internal Texas Instruments chip or upgrade their current security systems at this time, he says.
"There are additional security protections for our consumers in the Speedpass system," says Turk. Unlike a credit card, a Speedpass does not store consumer data, so thieves would not have access to personal information, he says.
ExxonMobil Speedpass also guarantees that consumers will not be held liable for any fraud committed against their accounts, Turk says.
According to Texas Instruments, consumers have little cause to be concerned. The company has made upgrades to the RFID chip that the Johns Hopkins researchers tested, says Gary Silcott, an RFID spokesperson for Texas Instruments.
"We're evolving beyond that product," he says. Additionally, Silcott says, "There's a much greater security threat and a much greater instance of fraud on magnetic-stripe credit cards."
A Simple Fix?
Ultimately, Rubin and his fellow researchers say the best way to fix the problem would be for developers to "just design their future systems more securely." However, Rubin says, there is recourse for consumers who already have the devices.
"The best thing we could think of was to wrap your Speedpass in foil or metallic covering," Rubin suggests. "It's kind of a silly recommendation, but I think it would work." The foil would, of course, have to be removed before using the Speedpass at a gas pump.
Rubin says the same method would work for a car key: "If somebody can't send a signal to your key, then they won't be able to get a response back," and in turn will not be able to crack its security measures.