RFID Hacking Threat Overstated
AIM Global - Tuesday, February 15, 2005
What's the threat from hackers breaking RFID encryption for gasoline purchases and car immobilizers? It exists but it's more on the level of something that's possible rather than something that's likely to happen.
This is one of those stories that receives a lot of attention from the media -- particularly the "tech" media -- but not a lot of analysis. Herewith, the full story.
As an academic exercise, four students from Johns Hopkins University and two researchers from RSA Laboratories decided to try to crack the 40-bit encryption of the Texas Instruments RFID transponders used in the ExxonMobil Speedpass and in some car immobilizer systems.
What they found was that, by using some very sophisticated equipment (16 field-programmable gate arrays in parallel, costing a total of around $3,500 US exclusive of computer hardware and RFID equipment), they were able to crack the encryption key of TI’s DST transponder that is used in some car immobilizers and payment applications.
Using a laptop computer and RFID antenna, researchers were able to effectively "spoof" their Speedpass and purchase gas using their own Speedpass number by placing the RFID antenna close to the reader on the pump. They were also able to crack the encryption on the immobilizer of a 2005 Ford Escape but apparently did not attempt to start the vehicle using a non-enabled key and a "spoofed" code.
TI does not dispute these results. According to a statement on the TI website, "Since 1997, when the level of security in question was introduced, we've understood that a determined team of cryptographers could reverse engineer the algorithm involved. That is why several different layers of security were built into the system and we have evolved to a 128-bit encryption technology today from the 40-bit technology studied by the researchers."
It should be noted that TI does offer transponders with stronger encryption schemes and many of the immobilizer transponders it sells today no longer use the 40-bit encryption.
However, the actual threat potential exposed by the research deserves scrutiny.
First, while it's entirely possible to decrypt and "spoof" a Speedpass transponder (assuming you're a skilled cryptographer with the necessary programming and hardware configuration skills), an investment of roughly $5,000 US for all the necessary equipment in order to get free gas does not seem to offer an adequate ROI, particularly since there are security layers in the payment system analogous to those used by credit card companies to detect fraudulent purchases. So, while it's technically possible, this falls into the category of "possible but not likely."
The issue of the car immobilizer would be far more troubling except for the fact that the effective range of these transponders is a matter of a few inches -- under optimal conditions. Trying to "eavesdrop" on the communication between an immobilizer and an ignition lock is virtually impossible due to the transponder's limited range. Similarly, attempting to covertly read a key transponder from several inches away while it's in someone's pocket or purse -- on a keychain with other keys, possibly near a cell phone, change, or other metal objects that significantly reduce effective read range -- becomes, at best, theoretically possible but hardly feasible.
Thus, while the findings are indeed valid, the actual threat is negligible.