Berkeley COMPSCI 161 - Security Analysis of a Cryptographically-Enabled RFID Device

This preview shows page 1-2-3-4-5 out of 15 pages.

Save
View full document
View full document
Premium Document
Do you want full access? Go Premium and unlock all 15 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 15 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 15 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 15 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 15 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 15 pages.
Access to all documents
Download any document
Ad free experience

Unformatted text preview:

Security Analysis of a Cryptographically-Enabled RFID Device

Stephen C. Bono∗, Matthew Green∗, Adam Stubblefield∗, Ari Juels†, Aviel D. Rubin∗, Michael Szydlo†

∗ Department of Computer Science; The Johns Hopkins University; 3400 N. Charles Street; Baltimore, MD 21218, USA. Email: {sbono,mgreen,astubble,rubin}@cs.jhu.edu.
† RSA Laboratories, 174 Middlesex Turnpike, MA 01739, USA. Email: {ajuels,mszydlo}@rsasecurity.com.

14th USENIX Security Symposium, USENIX Association

Abstract

We describe our success in defeating the security of an RFID device known as a Digital Signature Transponder (DST). Manufactured by Texas Instruments, DST (and variant) devices help secure millions of SpeedPass™ payment transponders and automobile ignition keys.

Our analysis of the DST involved three phases:

1. Reverse engineering: Starting from a rough published schematic, we determined the complete functional details of the cipher underpinning the challenge-response protocol in the DST. We accomplished this with only "oracle" or "black-box" access to an ordinary DST, that is, by experimental observation of responses output by the device.

2. Key cracking: The key length for the DST is only 40 bits. With an array of sixteen FPGAs operating in parallel, we can recover a DST key in under an hour using two responses to arbitrary challenges.

3. Simulation: Given the key (and serial number) of a DST, we are able to simulate its RF output so as to spoof a reader. As validation of our results, we purchased gasoline at a service station and started an automobile using simulated DST devices.

We accomplished all of these steps using inexpensive off-the-shelf equipment, and with minimal RF expertise. This suggests that an attacker with modest resources can emulate a target DST after brief short-range scanning or long-range eavesdropping across several authentication sessions. We conclude that the cryptographic protection afforded by the DST device is relatively weak.

Key words: Digital Signature Transponder (DST), immobilizer, Hellman time-space tradeoff, RFID

1 Introduction

Radio-Frequency IDentification (RFID) is a general term for small, wireless devices that emit unique identifiers upon interrogation by RFID readers. Ambitious deployment plans by Wal-mart and other large organizations over the next couple of years have prompted intense commercial and scientific interest in RFID [23]. The form of RFID device likely to see the broadest use, particularly in commercial supply chains, is known as an EPC (Electronic Product Code) tag. This is the RFID device specified in the Class 1 Generation 2 standard recently ratified by a major industry consortium known as EPCglobal [9, 19]. EPC tags are designed to be very inexpensive – and may soon be available for as little as five cents/unit in large quantities according to some projections [21, 20]. They are sometimes viewed in effect as wireless barcodes: They aim to provide identification, but not digital authentication. Indeed, a basic EPC tag lacks sufficient circuitry to implement even symmetric-key cryptographic primitives [21].

The term RFID, however, denotes not just EPC tags, but a spectrum of wireless devices of varying capabilities. More sophisticated and expensive RFID devices can offer cryptographic functionality and therefore support authentication protocols. One of the most popular of such devices is known as a Digital Signature Transponder (DST). Manufactured by Texas Instruments, DSTs are deployed in several applications that are notable for wide-scale deployment and the high costs (financial and otherwise) of a large-scale security breach. These include:

• Vehicle Immobilizers: More than 150 million vehicle immobilizer keys shipped with many current automobiles, including e.g. 2005 model Fords [7], use Texas Instruments low-frequency RFID transponders. This number includes systems with fixed-code transponders that provide no cryptographic security, as well as newer models equipped with DSTs. Immobilizers deter vehicle theft by interrogating an RFID transponder embedded in the ignition key as a condition of enabling the fuel-injection system of the vehicle. The devices have been credited with significant reductions in auto theft rates, as much as 90% [1, 8].

• Electronic Payment: DSTs are used in the ExxonMobil SpeedPass™ system, with more than seven million cryptographically-enabled keychain tags accepted at 10,000 locations worldwide [2].

A DST consists of a small microchip and antenna coil encapsulated in a plastic or glass capsule. It is a passive device, which is to say that it does not contain an on-board source of power, but rather receives its power via electromagnetic inductance from the interrogation signal transmitted by the reading device. This design choice allows for a compact design and long transponder life.

A DST contains a secret, 40-bit cryptographic key that is field-programmable via RF command. In its interaction with a reader, a DST emits a factory-set (24-bit) identifier, and then authenticates itself by engaging in a challenge-response protocol. The reader initiates the protocol by transmitting a 40-bit challenge. The DST encrypts this challenge under its key and, truncating the resulting ciphertext, returns a 24-bit response. It is thus the secrecy of the key that ultimately protects the DST against cloning and simulation.

In this paper, we describe our success in attacking the Texas Instruments DST system. We are able to recover the secret cryptographic key from a target DST device after harvesting just two challenge-response pairs. For arbitrary challenge-response pairs, we are able to recover a key in under an hour using an array of sixteen FPGAs. When the challenge-response pairs derive from pre-determined challenges, i.e., in a chosen-plaintext attack, a time-space trade-off is possible, reducing the cracking time to a matter of minutes. The full details of this chosen-response attack will appear in a future version of this work. Once we have recovered a key, we are able to use an inexpensive, commodity RF device to "clone" the target DST, that is, to simulate its radio output so as to convince a reader.

In consequence, we show how an attacker with modest resources — just a few hundred dollars worth of commodity equipment and a PC — can defeat the DST system. Such an attacker can succeed upon actively skimming a DST, that is, scanning it at short range for a fraction of a second. With additional use of an FPGA, an attacker can
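The protocol parameters above (40-bit key, 40-bit challenge, 24-bit truncated response) are what make "two challenge-response pairs" the right number. The following is an added illustration of that arithmetic, not code from the paper: the DST cipher is not given on the page, so HMAC-SHA256 is assumed as a stand-in keyed function, and the exhaustive search is run at a scaled-down 16-bit key / 8-bit response so it finishes in seconds.

```python
"""Key-space arithmetic for a truncated challenge-response protocol.

Added example, not code from the paper. The page does not give the DST
cipher, so HMAC-SHA256 (an assumption) stands in for it; only the
parameters (40-bit key, 40-bit challenge, 24-bit response) come from
the paper. The toy experiment is scaled down so it runs in seconds.
"""
import hashlib
import hmac

def expected_false_keys(key_bits, response_bits, pairs):
    """Expected number of WRONG keys still consistent with `pairs` pairs.

    A wrong key matches a truncated response with probability 2^-response_bits,
    independently per pair, so survivors ~ (2^key_bits - 1) * 2^-(response_bits*pairs).
    For the DST: one pair leaves ~2^16 candidates, two pairs leave ~2^-8.
    """
    return (2 ** key_bits - 1) * 2.0 ** (-response_bits * pairs)

def toy_response(key, challenge, key_bits, response_bits):
    """Stand-in transponder: keyed function of a 40-bit challenge, truncated."""
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    chal_bytes = challenge.to_bytes(5, "big")  # 40-bit challenge as in the DST
    digest = hmac.new(key_bytes, chal_bytes, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") & ((1 << response_bits) - 1)

def surviving_keys(pairs, key_bits, response_bits):
    """Exhaustive search of a small key space: keys consistent with every pair."""
    return [k for k in range(1 << key_bits)
            if all(toy_response(k, c, key_bits, response_bits) == r
                   for c, r in pairs)]

def simulate(true_key, challenges, key_bits=16, response_bits=8):
    """Return candidate keys after the first pair and after all pairs.

    Mirrors the paper's point: a single truncated response cannot pin down a
    key longer than the response, but a second (or further) pair almost always does.
    """
    pairs = [(c, toy_response(true_key, c, key_bits, response_bits))
             for c in challenges]
    after_one = surviving_keys(pairs[:1], key_bits, response_bits)
    after_all = surviving_keys(pairs, key_bits, response_bits)
    return after_one, after_all

if __name__ == "__main__":
    # Constructed inputs: a fixed toy key and four arbitrary 40-bit challenges.
    one, all_ = simulate(0xBEEF, [0x0123456789, 0x9876543210, 0x0F0F0F0F0F, 0x5A5A5A5A5A])
    print(len(one), "candidates after one pair;", all_, "after four")
    print("DST, one pair:", expected_false_keys(40, 24, 1), "two pairs:", expected_false_keys(40, 24, 2))
```

The same arithmetic shows the defender's levers: lengthening the response only lowers the number of pairs an observer needs, whereas lengthening the key is what makes the exhaustive search itself infeasible.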