Radio frequency identification (RFID) technology used for contactless petrol pump payments systems and high-security car keys can be cracked remotely using a cheap kit bought on the Internet.
Scientists from RSA Laboratories and Johns Hopkins University in the US have uncovered the vulnerabilities in Texas Instruments' DST tags, which are used for high security car keys, and the Speedpass contactless payments system used by ExxonMobil.
Using a device that cost $200, the team were able to remotely probe a DST tag and then use the data obtained to crack the secret cryptographic key. By obtaining this key, they were able to simulate the DST tag and over-ride the theft prevention system in a car with a basic ignition key.
The researchers were also able to extract and simulate the key from a SpeedPass token and then use the digital simulator to buy petrol multiple times in the course of a single day.
The team says it has informed Texas Instruments of the vulnerabilities. The technology firm is due to supply an RFID system for MasterCard's contactless payment system, PayPass, later this year.