Slashdot Mirror


Cellphone Could Crack RFID Tags

diverge_s writes "Adi Shamir of RSA is at it again. This time pointing out flaws in RFID systems. From the article: 'I haven't tested all RFID tags, but we did test the biggest brand and it is totally unprotected,' Shamir said. Using this approach, 'a cellphone has all the ingredients you need to conduct an attack and compromise all the RFID tags in the vicinity.'"

14 of 138 comments

  1. Shamir by Anonymous Coward · · Score: 1, Insightful

    Remember though that Shamir (the S of RSA) was one of the first people to apply for a software patent for the RSA patent, and hasn't been shy of enforcing it. Thus, he shall be shamed and loathed by the slashdot community.

    1. Re:Shamir by ObsessiveMathsFreak · · Score: 5, Insightful

      For one thing, mathematics should never be patentable. For another, there was already Prior Art invented at GCHQ in the UK -- but because of its nature, it was kept hushed-up.

      This "prior art" did not count as it was unpublished. However the point about the mathematics is exactly correct. Shamir is one of the greatest trinity of conmen to ever plague the computer industry.

      If you ever want to know why you still don't have encrypted email, this guy is 33.33333....% of the reason.

      --
      May the Maths Be with you!
    2. Re:Shamir by p2sam · · Score: 4, Insightful

      Good bye karma, this post SUPPORTS patenting mathematics and software. Moderators, please read full post before moderating ...

      I disagree. Many non-trivial and ingenious algorithms in math ought to be as patentable as other fields. Developing an algorithm to perform a useful task, or significantly improving an existing algorithm to perform a useful task, is no different than other fields. It requires time, resources, effort, and ingenuity.

      The thing that I object to is the blanket patent period of 17 years that applies uniformly to all patents. The situation does not call for a one size fits all solution. The period of 17 years was probably decided a long time ago, and did not envision how rapidly the world had evolved. Even for other fields of engineering, 17 years may not always be the most appropriate amount of time.

      In the computing world, 17 years is WAY too long. That's the equivalent of probably 5 or 6 revolutions in technologies. If patents for mathematics and computing were limited to say 2 or 3 years, then I can fully support it.

    3. Re:Shamir by Vainglorious+Coward · · Score: 2, Insightful
      From what I understand, the RSA patent has expired now.

      I well remember the party I attended to celebrate the patent expiry, in September 2000.

      So, why haven't we seen people working on a simple to use way to do encrypted email now that they don't have to pay RSA for the patent?

      Ever used Outlook? Or Thunderbird? Those email clients (and many others) do have a simple way to encrypt (and sign) email using S/MIME. The problem never was patent restrictions, rather the difficulties associated with key management (certificate management and PKI never took off the way it was originally hoped, for a number of reasons).

      --
      My next sig will be ready soon, but subscribers can beat the rush
  2. Injected RFID tags... by Manip · · Score: 4, Insightful

    When your employer comes to you about injecting an RFID tag under your skin remember this article. It is one thing to have an ID card with a tag on it, something that can be binned and replaced in time, but what about that chip under your skin? Are they going to take it out of you or will you end up with 10 all up your arm?

  3. Not all tags. by queazocotal · · Score: 5, Insightful
    Active tags - ones with their own battery, are going to be fundamentally immune to this.

    Also, in addition to tags that have a simple 'password', that they must have before they do anything - that may be trivially vulnerable to power analysis, there are tags that do more complex things - such as for example, send the reader a random token, which it then has to encrypt with a key known to both of them.

    This can be immune to power analysis - in the simplest case, as it does not check each bit as received, but only at the end of a computation.

    And, the fact that getting the first bit correct of a hash with a given key does not help you to guess the rest.
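
Added example, not part of the original comment thread: a simplified Python model of the two designs described in the comment above, with a step count standing in for what power analysis could observe. The password, key, function names and the choice of HMAC-SHA256 as the keyed hash are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

PASSWORD = bytes.fromhex("a5c3")      # constructed 16-bit tag password
SHARED_KEY = b"constructed-demo-key"  # constructed key known to tag and reader

def bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def check_bitwise(candidate, secret=PASSWORD):
    """Weak tag: checks each bit as received and stops at the first mismatch.
    Returns (accepted, steps); steps models the externally visible work."""
    steps = 0
    for got, want in zip(bits(candidate), bits(secret)):
        steps += 1
        if got != want:
            return False, steps
    return len(candidate) == len(secret), steps

def check_at_end(candidate, secret=PASSWORD):
    """Same password, but every bit is processed and the decision comes last."""
    diff = len(candidate) ^ len(secret)
    steps = 0
    for got, want in zip(bits(candidate), bits(secret)):
        steps += 1
        diff |= got ^ want
    return diff == 0, steps

def tag_challenge():
    """Tag side: a fresh random token for each authentication attempt."""
    return os.urandom(16)

def reader_response(challenge, key=SHARED_KEY):
    """Reader side: keyed hash of the token (HMAC-SHA256 chosen for this sketch)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def tag_verify(challenge, response, key=SHARED_KEY):
    """Tag side: compute the full expected value, then compare in constant time."""
    return hmac.compare_digest(reader_response(challenge, key), response)

if __name__ == "__main__":
    for guess in ("0000", "a000", "a5c2", "a5c3"):
        g = bytes.fromhex(guess)
        print(guess, check_bitwise(g), check_at_end(g))
    c = tag_challenge()
    print(tag_verify(c, reader_response(c)), tag_verify(tag_challenge(), reader_response(c)))
```

In the bit-by-bit check the step count tracks how many leading bits of a wrong guess were correct; in the end-of-computation check it is the same for every guess, and a response computed for one token is rejected against a fresh one.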

  4. Re:Good thing by 24-bit+Voxel · · Score: 3, Insightful

    I cannot think of a use for it other than surveillance/tracking. I tried.

    I have heard people mention that it can help rescue teams find you if you are lost in the woods, or buried in a snowdrift. Sure, I guess it could. Considering that the majority of people don't have this happen to them on a regular basis, I concluded that was not its intended purpose.

    Maybe the RFID makers greased lawmakers to make more money. Could happen. Maybe we are all getting tagged so that we can be 'found' easily. Could also happen.

    I wonder why this is happening when the funds could serve the citizens better by say rebuilding New Orleans or fixing our crumbling infrastructure of roads and bridges.

    Who really knows what our gov'ts real priorities are? Certainly not I.

    It is of no consequence to me as I would microwave any RFID chips I was 'forced' to wear. "Sorry officer, I really don't know why I have a huge burn hole in my ID card, but I am a really terrific driver, let me tell ya."

    Regards,
    24BV

  5. i think the rfid juggernaut can't be stopped by circletimessquare · · Score: 4, Insightful

    but its primary uses: internal inventory tracking/ easy checkout, will be all it will be really good for

    all of the other far out uses people have imagined rfid tech will be useful for once you get past check out and out of the store- all the negative and all the positive (conspiracy theory tracking, smart fridges that know when you need more milk, etc.), won't really come to pass. not because people will suddenly care about their privacy, but because of exactly this: no one will be able to design a system that can't be gamed for some sort of illicit activity. rfid use outside of the store will be undependable simply because if rfid tags are being depended upon for any sort of proof of id in the "wild", then there is immediate and easily realized incentive to game the system

    in other words, rfid tags will only be useful in controlled environments. once out of the store, any grand schemes, good or bad, imagined with rfid tags in mind will be ruined by spoofing, masking, obfuscation, forgery, mass duplication, etc.

    this cell phone meddling is but a very preliminary indication of the kind of homegrown creative hacks and schemes people will be devising for fun and profit in the near future using rfid technology

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:i think the rfid juggernaut can't be stopped by bloodstar · · Score: 2, Insightful

      But then the question comes to mind.
      How long will it take for the Corporations to manage a media campaign to smear anyone who would spoof or obfuscate or reproduce the RFID tags and information collected? Then spend the money it takes to make any such tampering with RFID tags to be a Felony with punishment on par with Rape and Murder.

      And before anyone thinks I think corporations are 'teh evil', It's the corporation being able to legally (the ethics of it is another matter) 'purchase' legislation to enforce their business model with the power of the government's guns creating the problems.

      --
      "The bass, the rock, the mic, the treble. I like my coffee black, just like my metal" - Mindless Self Indulgence
  6. Re:Good thing by sxpert · · Score: 4, Insightful

    (...) our government wants to embed these things in our passports (...)
    (...) besides inventory tracking (...)

    See the link yet ??

    the only explanation is that your government sees its citizens as inventory, just like cattle

  7. As a mathematician ... by Bazzalisk · · Score: 4, Insightful

    I heartily disagree. If someone creates an algorithm, and patents it, do I then have to get their permission before using it to prove something in a paper? You want to give people a 2 year patent on something software related (an implementation, not an algorithm) then I can see that - but for a mathematical construct that's just silly. It would be like patenting not the steam-engine, but the concept that steam expands when heated.

    --
    James P. Barrett
    1. Re:As a mathematician ... by p2sam · · Score: 3, Insightful

      I'm talking about algorithms that perform non-trivial useful tasks. I'm NOT talking about the theorems/lemmas/etc.

      Quicksort ought to be patentable, sorting numbers should not.
      Algorithms for solving Linear Programs ought to be patentable, duals should not.
      RSA ought to be patentable, public key crypto should not.

      In order for something to be patentable, it has to perform a useful task.

      To address your point about implementation vs algorithm, in software and mathematics, the implementation is often trivial (hence not deserving of a patent). The real innovation happens in the algorithm.

      Perhaps patents are a thing of the past, but I still wish to reward innovation to inventors of complex non-trivial algorithms which advance the state of the art. And patents are the closest thing we have.

    2. Re:As a mathematician ... by Fahrenheit+450 · · Score: 2, Insightful

      Even before Napier published the first ever book of log tables, the relationship (a ** b) * (a ** c) == a ** (b + c) still held.

      And astonishingly enough, even before [insert patented physical device here] was invented, the physics that allowed it to work the way it does still held. But you think that combining Widget A and Widget B to produce Result C is somehow more patentable than combining Number A and Number B to produce Result D?

      Why? Because you can touch them?

      --
      -30-
  8. Re:RFID != Smart Card by CortoMaltese · · Score: 5, Insightful
    It is always fun to do homework with Wikipedia... Biometric passports don't use RFID tags. Period.

    My reference? I work on smart cards, including biometric passports. In this field, no one in their right mind would use RFID tags for passports, or anything requiring security. Ever.

    It is sad that the web is full of stuff about RFID security, or the lack of it, and people then make the assumption that anything contactless is RFID, and thus insecure. It is really hard to try to set the facts straight, when the correctness of your facts can be questioned with a bunch of links to FUD. (And damn, even the links you provide yourself prove to contain incorrect or misleading information! Argh.)

    I guess I should just give up. It'll give me a warm and fuzzy feeling to know I'm right, after all.