Travel and Hospitality Mergers and Acquisitions Report - June 2014 - page 9

June 2014
Industry One on One
Question: Can you share with us a case study of a project you worked on?

Response:
Our company was born in 2005 when our founders, who were computer scientists enrolled in
the PhD program at Johns Hopkins, decided to research the Texas Instruments DST40 RFID
system. As computer scientists who liked breaking systems in order to make them stronger,
our founders were focused on this particular system because at the time it was considered
“unbreakable.” Of course, if you say that to a bunch of hacker-minded computer scientists,
they will gladly say “challenge accepted!” In addition to the interest in breaking a supposedly
unbreakable system, our founders were intrigued by the two primary use cases of the DST40: it
powers the immobilizer function of Ford Motors ignition keys, and it powers the communication
protocol of the ExxonMobil SpeedPass, a payment system tied to a consumer’s credit cards.
The ramifications of breaching either system — let alone both — would have tremendous wide
scale impact on millions of customers of these massive global enterprises. If these systems
were in fact vulnerable, we wanted to harden them before the bad guys broke them.

And so we designed a research study to investigate. After about three weeks, we had
reverse-engineered the cryptographic algorithm. With that, we could build a radio to impersonate an
authentic reader. Several weeks later, we had built a non-functioning prototype; it worked in the
lab but not in a real environment. After several more weeks of tinkering with the design we
defeated the remaining error-correcting code that was causing our prototype to fail, and thus we
had a fully functional, weaponized RFID radio.

Immediately thereafter, we invited various members of mainstream media for a demonstration
where we proved concept by starting a Ford Taurus with a completely reverse engineered key,
and then drove that Taurus to an ExxonMobil gas station, where we pumped gas with a
completely reverse engineered SpeedPass.
Ted Harrington, Independent Security Evaluators