Outsmarting the Electronic Gatekeeper: code breakers beat security scheme of car locks, gas pumps.

A team of computer scientists has unraveled the codes of tiny radio devices that protect cars from theft and prevent fraudulent gasoline purchases. The exercise in reverse engineering by researchers at Johns Hopkins University in Baltimore and RSA Laboratories in Bedford, Mass., shows that "an attacker with modest resources--just a few hundred dollars" of off-the-shelf equipment--can crack the codes of millions of car keys and the stubby wands that trigger the pumps at ExxonMobil gas stations, the team reports in a draft article posted Jan. 28 on the Internet (www.rfid-analysis.org).

"There is a practical risk here," says team member Ari Juels of RSA, the company that created an encryption technique used throughout the Internet. The team has withheld from its article critical code-breaking details that could abet would-be hackers. The makers of products that rely on the security technology say that without those key specifics, criminals are unlikely to achieve what the Johns Hopkins-RSA team has.

"If you look at the kind of equipment and time needed by the researchers to break this, it's not what would normally be considered an attractive theft opportunity," claims J. Donald Turk of ExxonMobil in Fairfax, Va. In any case, Juels says, the new study uncovers a preventable weakness in wireless security technologies, which are becoming more prevalent. "It's very important to ensure that we get security right in wireless devices from the very start," he says.

Led by Juels and Aviel D. Rubin of Johns Hopkins, the code crackers directed their attack specifically against a type of miniature radio transmitter-receiver, or transponder, made by Texas Instruments of Dallas. Inside the head of an ignition key, the transponder must convince the vehicle's computer that it has the correct 40-bit code before fuel will flow to the engine. The transponders allow ExxonMobil customers to buy gas by merely waving the wands in front of the pumps on the company's Speedpass system.

A typical cryptographic system contains two parts: a secret number, or key, and a procedure, or cipher, for validating the key without unveiling it. The rule among cryptographers, Juels says, is to use a big key--128 bits or more. That way, not even someone with access to the most powerful computers could test every possible key. By using only 40 bits and relying on the cleverness of their cipher, the transponder designers went wrong, says Rubin.

After breaking the cipher, which was a major challenge met by trial-and-error methods and cryptographic expertise, "we just tried all possible keys," he says. "This is a warning that you can't take shortcuts on the design of these systems," comments Internet-security specialist Steven M. Bellovin of Columbia University.