RFID: The Hacker’s Dream Key

This post is going to briefly discuss RFID (Radio Frequency IDentification) technology and some concerns with it being used in keys. It will start with a quick description of the functional components of RFID, move on to some examples of it being used in keys, continue with a little bit of cryptography talk, and end by arguing that RFID keys are probably a bad idea.

When speaking of RFID technology, there are two types to be aware of: active and passive (Newitz, 2006). RFID keys come in the form of passive radio frequency transmitters. They have no internal power source; instead, they rely on active RFID transceivers for wireless power. The active RFID transceiver does have an internal power source and is constantly broadcasting its presence; if the passive RFID device gets close enough to the active one, it can harvest enough energy from that field to broadcast a small message itself, which is then received by the active RFID transceiver and mapped to a function (one that unlocks a door in this case).

There have been recent television commercials advertising a company called Zipcar. This company has cars scattered all over the globe that can be rented online for an hourly or daily rate. The basic process goes something like this: First a person needs to go online and sign up for an account. Once the account is made they will get an RFID card in the mail. From there, the person can browse to the Zipcar website or open the Zipcar mobile application and schedule a time to reserve a car near them. The RFID card they received in the mail acts as the key to the car. Additionally, the mobile application allows some features such as the ability to lock and unlock the car from anywhere.

It sounds like a novel idea on the face of things, but one cannot help but worry that using an RFID card as the key is a bad idea. To be fair, it is not just Zipcar that does this. A lot of cars actually use RFID-equipped key fobs for access and ignition control. RFID keys are convenient: The doors automatically lock and unlock, push-button starts are spiffy, memory seats can automatically detect which key is being used (and presumably the driver) and position the seat perfectly, oh, and anyone can copy your key by simply bumping into you with a scanner… How about that convenience?

Sure, there is encryption, and the encryption is getting better. Symmetric schemes built on SHA-1 and 3DES are common today. The private key is known only to the sender and receiver, and every message sent is encrypted with that key. That makes messages tougher to decode, but still not impossible. The passive transmitters are limited in power, and likewise limited in their processing ability, which makes encryption with long keys difficult. According to Newitz, it usually is not hard to brute force the encryption key because of the short key length. In the case of keys, encryption doesn’t matter, though. If a person can copy and replay the encrypted message, the unlock command is still being sent. Even if a handshake takes place between the two devices, that can likely be recorded and replayed as well. The only possible solution that comes to mind is if they switch up the encryption with each message in the handshake, but that is not really feasible.
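The replay point above is easiest to see from the lock's side of the exchange. The following is an added illustration written for this post, not Zipcar's or any vendor's protocol: a toy reader that accepts a fixed credential opens again when the same recorded message is presented a second time, while a reader that issues a fresh random nonce per attempt (the "switch up with each message" idea from the paragraph) rejects the recorded answer on playback. The shared key, the `unlock` label and the use of HMAC-SHA256 are assumptions chosen for the demo.

```python
"""Toy model of an RFID lock's verifier side (added example, not vendor code).

Compares a static-token lock, which opens on a replayed message, with a
challenge-response lock that binds each answer to a single-use nonce.
"""
import hashlib
import hmac
import secrets

# Constructed shared secret; a real fob and reader would each hold a copy.
SHARED_KEY = b"constructed-demo-key-0001"


def _mac(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 stands in for whatever keyed primitive the tag uses.
    return hmac.new(key, data, hashlib.sha256).digest()


class Fob:
    """Passive tag: answers with a keyed MAC over whatever it is asked to sign."""

    def __init__(self, key: bytes):
        self._key = key

    def static_token(self) -> bytes:
        # Same bytes every time, so one recording is enough to replay.
        return _mac(self._key, b"unlock")

    def answer(self, nonce: bytes) -> bytes:
        # Answer depends on the reader's nonce, so it is only good once.
        return _mac(self._key, b"unlock" + nonce)


class StaticTokenLock:
    """Reader that compares the message against one fixed expected credential."""

    def __init__(self, key: bytes):
        self._expected = _mac(key, b"unlock")
        self.opened = 0

    def present(self, message: bytes) -> bool:
        if hmac.compare_digest(message, self._expected):
            self.opened += 1
            return True
        return False


class ChallengeResponseLock:
    """Reader that issues a fresh nonce per attempt and consumes it on use."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None
        self.opened = 0

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)  # 128 bits of fresh randomness
        return self._pending

    def present(self, response: bytes) -> bool:
        if self._pending is None:
            return False  # no open challenge, nothing to verify against
        expected = _mac(self._key, b"unlock" + self._pending)
        self._pending = None  # single use: a second presentation needs a new nonce
        if hmac.compare_digest(response, expected):
            self.opened += 1
            return True
        return False


def replay_static(key: bytes = SHARED_KEY) -> tuple:
    """Returns (genuine_attempt_ok, replayed_attempt_ok) for the static design."""
    lock, fob = StaticTokenLock(key), Fob(key)
    recorded = fob.static_token()       # what an eavesdropper would capture once
    first = lock.present(recorded)      # legitimate use
    replay = lock.present(recorded)     # same bytes again, later
    return first, replay


def replay_challenge_response(key: bytes = SHARED_KEY) -> tuple:
    """Returns (genuine_attempt_ok, replayed_attempt_ok) for the nonce design."""
    lock, fob = ChallengeResponseLock(key), Fob(key)
    recorded = fob.answer(lock.challenge())  # answer to this session's nonce
    first = lock.present(recorded)
    lock.challenge()                         # new session, new nonce
    replay = lock.present(recorded)          # old answer no longer matches
    return first, replay


if __name__ == "__main__":
    print("static token   (genuine, replay):", replay_static())
    print("challenge/resp (genuine, replay):", replay_challenge_response())
```

The nonce does not make the key any harder to brute force; it only removes the value of a recording, which is the specific weakness the paragraph describes. Whether a passive tag has the power budget to compute a fresh MAC on every attempt is the feasibility question the post raises, and this model sidesteps it.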

RFID security will surely improve, but at the present time RFID keys are probably a bad idea.

References

Newitz, Annalee. (2006). The RFID Hacking Underground. Wired. Retrieved from http://archive.wired.com/wired/archive/14.05/rfid.html?pg=1&topic=rfid&topic_set=