Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cellphone Could Crack RFID Tags

Posted by ScuttleMonkey on from the let-the-wardriving-begin dept.

diverge_s writes "Adi Shamir of RSA is at it again. This time pointing out flaws in RFID systems. From the article: 'I haven't tested all RFID tags, but we did test the biggest brand and it is totally unprotected,' Shamir said. Using this approach, 'a cellphone has all the ingredients you need to conduct an attack and compromise all the RFID tags in the vicinity.'"

3 of 138 comments (clear)

  1. Not all tags. by queazocotal · · Score: 5, Insightful
    Active tags - ones with their own battery, are going to be fundamentally immune to this.

    Also, in addition to tags that have a simple 'password', that they must have before they do anything - that may be trivially vulnerable to power analysis, there are tags that do more complex things - such as for example, send the reader a random token, which it then has to encrypt with a key known to both of them.

    This can be immune to power analysis - in the simplest case, as it does not check each bit as recieved, but only at the end of a computation.

    And, the fact that getting the first bit correct of a hash with a given key does not help you to guess the rest.

  2. Re:Shamir by ObsessiveMathsFreak · · Score: 5, Insightful

    For one thing, mathematics should never be patentable. For another, there was already Prior Art invented at GCHQ in the UK -- but because of its nature, it was kept hushed-up.

    This "prior art" did not count as it was unpublished. However the point about the mathematics is exactly correct. Shamir is one of the the greatest trinity of conmen to ever plauge the computer industry.

    If you ever want to know why you still don't have encrypted email, this guy is 33.33333....% of the reason.

    --
    May the Maths Be with you!
  3. Re:RFID != Smart Card by CortoMaltese · · Score: 5, Insightful
    It is always fun to do homework with Wikipedia... Biometric passports don't use RFID tags. Period.

    My reference? I work on smart cards, including biometric passports. In this field, no one in their right mind would use RFID tags for passports, or anything requiring security. Ever.

    It is sad that the web is full of stuff about RFID security, or the lack of it, and people then make the assumption that anything contactless is RFID, and thus insecure. It it really hard to try to set the facts straight, when the correctness of your facts can be questioned with a bunch of links to FUD. (And damn, even the links you provide yourself prove to contain incorrect or misleading information! Argh.)

    I guess I should just give up. It'll give me a warm and fuzzy feeling to know I'm right, after all.