There are several types of security systems on the market that use RFID transponders.
Systems with a fixed password (fixed code)
These systems are the most common. First,
when registering ignition keys, the ECU “learns” the passwords stored in each
key transponder for a given vehicle. Transponder IDs are meant here, because
the task of driver authentication in a system with a fixed password is reduced
to identifying a transponder instance; in a more advanced version, the ECU
additionally calculates checksums corresponding to the registered key labels.
The driver then inserts the key into the ignition and the transponder ID is
read and compared with IDs stored in the ECU memory.
The degree of protection here is
determined primarily by the type of transponder used. There are write-once
transponders that are supplied blank (unprogrammed); programming them is the
responsibility of the user. Available read-write tools also allow you to find
out the transponder ID when it is outside the vehicle, and then enter it into
another, empty transponder. Thus, a fixed password can be copied into a
duplicate, which will not differ in any way from the original (for example,
transponders of early VAG immobilizers).
These Read Only systems are factory-set
with passwords using a unique ID number. These systems do not allow copying.
This statement is not absolute:
apparently, what is meant here is not just any transponder, but those
developed by Texas Instruments. These transponders really cannot be duplicated
by simple means, that is, by copying the password into a rewritable Read/Write
transponder from the same company. The fact is that TI immobilizers recognize
the type of transponder, so a duplicate is identified as such and rejected
even when it carries the correct authentication ID. This
is exactly what the authors meant when they spoke of the impossibility of
copying, and it was true for about 10 years, counting from the appearance of the
first transponders.
However, it remains possible to reproduce
the data signal at radio frequency. Building a playback device for this purpose
requires considerable effort and a good knowledge of radio.
Since 2004, special Keyline tags have
been available on the market, allowing you to duplicate Texas Instruments
transponders through just such emulation. To give an idea of the technical
level of the Keyline development, it is enough to say that this device, together
with its power supply, fits into the head of a normal-sized key, and the
power supply is not intended to be replaced, i.e. it is meant to be practically
everlasting for this design.
Rolling code systems
Rolling code systems operate in the same
way as fixed code systems, with the difference that the password in the key
remains valid temporarily, usually during one ignition cycle. The transponder
used here is already rewritable, of the Read/Write type, and the immobilizer
ECU periodically programs its memory. The password changes, but in
cryptographic terms it is still a static authentication procedure, one-way
authentication.
To ensure system reliability, it is
possible to resume synchronization in the event of an error or interruption in
the transponder memory rewrite process. It is these synchronization failures
that are the weakest point of the described system.
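The rewrite-and-resynchronize cycle described above, as an added example (a model written for this page, not code from the original text or from any vendor). The class names, the read-back confirmation step and the single fallback code are assumptions, and an interrupted write is assumed to leave the old value intact.

```python
import secrets

class Transponder:
    """Read/Write key transponder holding one rolling password (model)."""
    def __init__(self, code):
        self.code = code
    def read(self):
        return self.code
    def write(self, code, interrupted=False):
        if interrupted:          # field lost mid-write: old value is kept (assumption)
            return False
        self.code = code
        return True

class Ecu:
    """Immobilizer ECU model: one expected code, plus the previous code
    kept only while the last rewrite is unconfirmed."""
    def __init__(self, code):
        self.current = code
        self.previous = None     # fallback; set only after an unconfirmed rewrite
        self.resyncs = 0         # how often the fallback had to be used

    def ignition(self, key, interrupted=False):
        presented = key.read()
        if presented == self.current:
            pass                                  # normal case
        elif self.previous is not None and presented == self.previous:
            self.resyncs += 1                     # resume synchronization
        else:
            return False                          # unknown or stale code
        # Roll the password for the next ignition cycle and confirm by read-back.
        new_code = secrets.token_hex(4)
        confirmed = key.write(new_code, interrupted) and key.read() == new_code
        self.previous = None if confirmed else presented
        self.current = new_code
        return True
```

In this model the ECU accepts two values whenever `previous` is set, which is the window a synchronization failure opens; the `resyncs` counter shows how often that happens.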
Password protected transponders
Simple mutual authentication can be
accomplished using a transponder protected by a password. The transponder will
deny access to secret data in its memory until a password is sent that
identifies the device working with the key. The length of this password greatly
affects the level of protection.
The password is usually broadcast by the
ECU in clear text and can be learned or guessed if the transponder is available
for such tests. Depending on the length of the password, the time to guess it
can vary from several minutes to several years.
A limitation of the system is its overall
response time, which may not be suitable for practical use.
Composite password-protected rolling systems
can also be robust through the use of
rewritable gated transponders. They provide a high degree of protection. Weak
points are synchronization and its failures (a typical problem with
Mercedes-Benz ML).