Slashdot Mirror


Cellphone Could Crack RFID Tags

diverge_s writes "Adi Shamir of RSA is at it again. This time pointing out flaws in RFID systems. From the article: 'I haven't tested all RFID tags, but we did test the biggest brand and it is totally unprotected,' Shamir said. Using this approach, 'a cellphone has all the ingredients you need to conduct an attack and compromise all the RFID tags in the vicinity.'"

15 of 138 comments

  1. Good thing by agent+dero · · Score: 1, Interesting

    It's a good thing our government wants to embed these things in our passports...something we should have on us at all times when traveling outside the country...

    So wait, besides inventory tracking, why do we use RFID at all?

    --
    Error 407 - No creative sig found
  2. RFID tag reader already in many Nokia phones by Hyperkinetic · · Score: 5, Interesting

    My 6620 is capable of responding to 13.56 MHz readers and may be capable of reading tags as well. Nokia has been working with Mastercard and others to bring payment and reward systems to mobile phone users. There is little information in Google, but the API is available. Check your Nokia 'wallet' function for RFID functionality.

  3. Re:Shamir by ajs318 · · Score: 5, Interesting

    The patent should never have been awarded in the first place. For one thing, mathematics should never be patentable. For another, there was already Prior Art invented at GCHQ in the UK -- but because of its nature, it was kept hushed-up.

    The patent was never applicable in the UK nor the EU.

    --
    Je fume. Tu fumes. Nous fûmes!
  4. Re:Injected RFID tags... by ajs318 · · Score: 4, Interesting
    When your employer comes to you about injecting an RFID tag under your skin
    That would be considered non-elective surgery, which is a form of assault {at least common assault, and maybe ABH or even GBH if an allergic reaction or septicaemia develops} -- and therefore illegal. Note also that you cannot consent to assault, and just because you said it was OK the perpetrator can still be prosecuted.
    --
    Je fume. Tu fumes. Nous fûmes!
  5. A PCB for cloning RFID tags by PGillingwater · · Score: 3, Interesting

    http://cq.cx/proxmarkii.pl provides a nice article on how one Canadian guy designed a small hardware solution for cloning RFID tags. It should be very clear that RFID is NOT secure -- it's actually more likely to be insecure, in spite of the vendors who are offering tin-foil hats for their RFID cards.

    --
    Paul Gillingwater
    MBA, CISSP, CISM
  6. this thread by Anonymous Coward · · Score: 2, Interesting

    At the last DefCon...people were able to remotely read RFID tags from a distance of approximately 49 feet...I knew this was a bad thing to implement so soon.

  7. RFID cloning and power consumption attacks by throwaway18 · · Score: 4, Interesting

    That cloning device only works on cheap RFIDs that don't do cryptographic authentication. This is not the first time this has been done.
    http://www.cl.cam.ac.uk/~gh275/relay.pdf

    The method Shamir talked about is a little more interesting because the cards are leaking information about what they are doing internally. It is possible that a more detailed examination of the power consumption may reveal other detail of what the card is doing as well as when it thinks it has received a bad bit.

    Power analysis has been a known attack on smartcards for a long time. A few cards were vulnerable to an attacker looking for increased current draw just after a PIN/password attempt when the card tried to increment a count of the number of failures: cut the power when it tries to write to the fail count and you could attempt a brute force attack. I believe the most obvious way around the problem, to decrement the counter before checking the PIN and increment it after if the check passed, is patented.

    It would be interesting to see if any RFID cards have that flaw.
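
The retry-counter ordering described in the comment above, as an added C example that is not part of the original thread: a constructed model of a card whose non-volatile write can be interrupted by a power cut, comparing the order that writes only after a failed check with the order that spends a try before checking. All names (`struct card`, `nvm_write`, `verify_vulnerable`, `verify_hardened`) and the sample PIN are hypothetical, and the hardened variant restores the counter to its maximum on success.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAX_TRIES 3

/* Constructed card model: a PIN and a retry counter held in NVM. */
struct card { char pin[5]; int tries_left; bool tear_next_write; };
enum result { PIN_OK, PIN_WRONG, PIN_BLOCKED, POWER_LOST };
typedef enum result (*verify_fn)(struct card *, const char *);

/* NVM write. A power cut ("tear") loses the write and ends the session. */
static bool nvm_write(struct card *c, int value) {
    if (c->tear_next_write) { c->tear_next_write = false; return false; }
    c->tries_left = value;
    return true;
}

/* Compare all four digits without an early exit. */
static bool pin_equal(const char *a, const char *b) {
    unsigned char diff = 0;
    for (int i = 0; i < 4; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Weak order: the counter is written only after a failed compare, so the
 * write itself signals "wrong PIN" and can be cut before it commits. */
enum result verify_vulnerable(struct card *c, const char *guess) {
    if (c->tries_left == 0) return PIN_BLOCKED;
    if (pin_equal(c->pin, guess)) {
        if (c->tries_left != MAX_TRIES) nvm_write(c, MAX_TRIES);
        return PIN_OK;
    }
    if (!nvm_write(c, c->tries_left - 1)) return POWER_LOST; /* try not counted */
    return PIN_WRONG;
}

/* Hardened order: spend a try first, compare, restore only on success.
 * A cut during the first write ends the session before any compare runs. */
enum result verify_hardened(struct card *c, const char *guess) {
    if (c->tries_left == 0) return PIN_BLOCKED;
    if (!nvm_write(c, c->tries_left - 1)) return POWER_LOST;
    if (!pin_equal(c->pin, guess)) return PIN_WRONG;
    nvm_write(c, MAX_TRIES);
    return PIN_OK;
}

/* Model of the power cut: interrupt the first NVM write of every attempt
 * while trying 0000..0009; reports whether the PIN was still accepted. */
bool tearing_attack_finds_pin(verify_fn verify) {
    struct card c = { "0007", MAX_TRIES, false };
    char guess[16];
    for (int g = 0; g < 10; g++) {
        snprintf(guess, sizeof guess, "%04d", g);
        c.tear_next_write = true;
        if (verify(&c, guess) == PIN_OK) return true;
    }
    return false;
}
```

With the weak order the model accepts the eighth guess although the card allows three tries; with the hardened order every interrupted attempt ends before the PIN is compared.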

  8. Is this news? by rettridg · · Score: 2, Interesting

    Again this topic reviews the insecurities of wireless technology. We don't need a famous mathematician to tell us this. I have said it before, if data is so critically classified, don't transmit it across public air space.

    There isn't any problem with this unless the tag claims to be secure. Also, as the report says, if the tags are going to be made cheaply available, they can't necessarily promise security. No doubt the communication could include the latest security technologies, but there would be an associated cost.

    A big deal made from nothing, in my opinion.

  9. Re:RFID != Smart Card by CortoMaltese · · Score: 2, Interesting
    I've done my homework. Most folks (esp. in the US) seem to use the terms "RFID" and "contactless smart card" interchangeably, while they are totally different beasts. Scheier does that just as well, which doesn't help things. Maybe he even does it deliberately, to gain more publicity. You see, there are tons of news about RFID being broken, but when was the last time you saw that about a smart card?

    In fact, the article by The Register you refer to deals with this issue. People are worried because "The contactless chips that will be used in ID cards and passports are amazingly like RFID tags." They both work without contacts, from a distance. But that doesn't make them the same.

    I repeat again, the biometric passports and UK identity cards, etc. etc. won't be using RFID tags. They will be using contactless smart cards, which communicate according to ISO/IEC 14443.

    So I guess this boils down to terminology, really. The problem is that whenever people see "RFID broken" in the news, they freak, even though it means "RFID tags broken". Maybe you could argue that smart cards use RFID technology for contactless communication, but I think this just fuels the confusion, because then people generalize smart cards to be RFID tags, which is not the case.

  10. Re:Shamir by jonwil · · Score: 2, Interesting

    From what I understand, the RSA patent has expired now.
    So, why haven't we seen people working on a simple to use way to do encrypted email now that they don't have to pay RSA for the patent?

  11. I cannot understand just one thing... by Vitus+Wagner · · Score: 4, Interesting

    Why does he call it "compromise"? An RFID tag is just something like a license plate on your car.
    You don't call your car security compromised just because everybody non-blind in the vicinity can read your license plate with naked eyes.

    You need to have access to the police database in order to get sensitive information about the car owner using the car license plate. Nobody but criminals tries to hide their car license plate from a casual observer.

    Same for RFIDs - they just transmit some unique id, and one who wants to identify the person carrying the RFID has to get access to the right database (and identify which database holds this info first).

    I'd rather say that your security is compromised, if you cannot read what is transmitted by RFID tag in your passport or under your skin, and some unknown person with RFID scanner can.

    So, in order to stop this hype about RFIDs compromising security, they have to sell RFID scanners for a dollar on the next corner, or make it a standard feature of every cell phone (if components are really already in place) so everybody who is concerned about security can easily scan oneself and find out what kind of information is available from those tags.

    The only reason why those RFID makers don't do it is because they want to make money on scanners as well as the chips themselves.

    1. Re:I cannot understand just one thing... by throwaway18 · · Score: 2, Interesting

      I was similarly baffled. I work with DoD to develop and implement RFID solutions for transportation and asset accountability, and I've never heard of anyone trying to encrypt the data on an RFID tag.

      Sadly I am not surprised by someone who works on a government IT project not knowing what he is talking about. The card systems currently on the market for opening doors generally use challenge-response authentication.

      I'm told that the plan is for the UK RFID passports to use crypto. (and yes a contactless smartcard is an RFID.)

    2. Re:I cannot understand just one thing... by asuffield · · Score: 2, Interesting

      RFID tag is just something like license plate on your car.

      Do you walk around wearing a large plate describing, in lettering visible from a considerable distance, all the items you are carrying about your person?

      This technology could revolutionise the pickpocket industry. They don't need a complete database of all known tags. They just need to lurk down the street from the Apple store and know the code for "ipod" which is used at that particular store. Other valuable items (on the black market) that may include RFID tags are: passports, ID cards, most electronic products still in their original boxes, pharmaceuticals...

      And that's just one of the many possible uses for them. I'm sure people will find more and more creative ways to take advantage of the newly available information. Imagine if you could profile the current possessions of a customer to identify the ones likely to make a purchase, and target your salespeople to them, or even just prohibit the rest from entering.

      The possibilities for bold new patents are almost unlimited.

    3. Re:I cannot understand just one thing... by Anonymous Coward · · Score: 1, Interesting
      But let's say you managed to "crack" a tag. You got '2F0103047541A430000001F9' (yes, this is a valid construct with minimally munged data). Ok, how about someone tell me how that constitutes a breach of security.
      Because there are actually people on this planet stupid enough to use RFID tags for access control. For example, most condos and apartment buildings provide you with a key-fob that has an RFID tag in it. This is what lets you in the main door or activates the elevator. It's like garage door opener security at its lowest nadir.
  12. Define "Crack" by Philodoxx · · Score: 3, Interesting

    RFID tag encodings adhere to standards (EPC and ISO); perhaps I'm missing something but what exactly is there to crack when all the information is freely available on the internet?

    --
    Oh, a lesson in history from Mr. I'm my own grandpa.