Slashdot Mirror
Cellphone Could Crack RFID Tags
diverge_s writes "Adi Shamir of RSA is at it again. This time pointing out flaws in RFID systems. From the article: 'I haven't tested all RFID tags, but we did test the biggest brand and it is totally unprotected,' Shamir said. Using this approach, 'a cellphone has all the ingredients you need to conduct an attack and compromise all the RFID tags in the vicinity.'"
Here's the cryptographer's panel:s x
http://media.omediaweb.com/rsa2006/1_5/1_5_High.a
Prof Shamir comes on at 6:15, but I recommend watching the whole hour through.
Remember though that Shamir (the S of RSA) was one of the first people to apply for a software patent for the RSA patent, and hasn't been shy of enforcing it. Thus, he shall be shamed and loathed by the slashdot community.
It's a good thing our government wants to embed these things in our passports...something we should have on us at all times when traveling outside the country...
So wait, besides inventory tracking, why do we use RFID at all?
Error 407 - No creative sig found
When your employer comes to you about injecting an RFID tag under your skin remember this article. It is one thing to have an ID card with a tag on it, something that can be binned and replaced in time, but what about that chip under your skin? Are they going to take it out of you or will you end up with 10 all up your arm?
My 6620 is capable of responding to 13.56 MHz readers and may be capable of reading tags as well. Nokia has been working with Mastercard and others to bring payment and reward systems to mobile phone users. There is little information in Google, but the API is available. Check your Nokia 'wallet' function for RFID functionality.
Also, in addition to tags that have a simple 'password', that they must have before they do anything - that may be trivially vulnerable to power analysis, there are tags that do more complex things - such as for example, send the reader a random token, which it then has to encrypt with a key known to both of them.
This can be immune to power analysis - in the simplest case, as it does not check each bit as recieved, but only at the end of a computation.
And, the fact that getting the first bit correct of a hash with a given key does not help you to guess the rest.
Extrapolating the common reaction to this sort of 'dangers to national security', I'll be looking for a news article about how cellphones should be banned..
(Cynical, yes. Too close to the truth? Unfortunately)
Splut.
Coz eternity my friend, is a long *ing time.
I knew this was coming the second I saw the headline.
Biometric passports and most other applications that need secure tokens utilize smart cards.
RFID tags are not the same as smart cards. The difference is huge. Please do your homework.
Besides inventory tracking, we usually don't. It is just confusion and FUD.
Adi Shamir shares the patent with Rivest and Adelman. He was never an employee of RSA data security. He makes a living as a professor of computer science in Israel.
but it's primary uses: internal inventory tracking/ easy checkout, will be all it will be really good for
all of the other far out uses people have imagined rfid tech will be useful for once you get past check out and out of the store- all the negative and all the positive (conspiracy theory tracking, smart fridges that know when you need more milk, etc.), won't really come to pass. not because people will suddenly care about their privacy, but because of exactly this: no one will be able to design a system that can't be gamed for some sort of illicit activity. rfid use outside of the store will be undependable simply because if rfid tags are being depended upon for any sort of proof of id in the "wild", then there is immediate and easily realized incentive to game the system
in other words, rfid tags will only be useful in controlled environments. once out of the store, any grand schemes, good or bad, imagined with rfid tags in mind will be ruined by spoofing, masking, obfuscation, forgery, mass duplication, etc.
this cell phone meddling is but a very preliminary indication of the kind of homegrown creative hacks and schemes people will be devising for fun and profit in the near future using rfid technology
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Time for a price rollback at Walmart!
Slashdot's first reaction to VMware
http://cq.cx/proxmarkii.pl provides a nice article on how one Canadian guy designed a small hardware solution for cloning RFID tags. It should be very clear that RFID is NOT secure -- it's actually more likely to be insecure, in spite of the vendors who are offering tin-foil hats for their RFID cards.
Paul Gillingwater
MBA, CISSP, CISM
Tin Foil Hats?
Thats 20th century technology, get with the times, these days we're microwaving everything to ensure total rfid tag destruction. "microwave everything" thats the wave of the 21st century.
At the last DefCon...people were able to remotely read RFID tags from a distance of approximatly 49 feet...I knew this was a bad thing to implement so soon.
There is no need to "purchase legislation." Corporations only are going to care whether you spoof, obfuscate or reproduce RFIDs, if you use them for illegal activities. That is, if you use these techniques to scam the checkout system to steal merchandise. To spoof the system so it thinks you're buying a CD rather than a 50 inch plasma TV. They'll care, if you're a supplier using such techniques to scam the inventory system. Etc. Etc. All these activities are already illegal. On the other hand, they may try to get legislation to restrict access to common technologies used to perform these techniques. But in my mind that is little different from current laws saying you can't possess burglary tools (i.e., a crowbar, hammer, or rock).
That cloning device only works on cheap RFID's that don't do cryptographic authentication. This is not the first time this has been done.
http://www.cl.cam.ac.uk/~gh275/relay.pdf
The method Shamir talked about is a little more interesting because the cards are leaking information wbout what they are doing internally. It is possible that a more detailed examination of the power consumption may reveal other detail of what the card is doing as well as when it things it has receive a bad bit.
Power analysis has been a known attack on smartcards for a long time. A few cards were vulnerable to an attacker looking for increase current draw just after a PIN/password attempt when the card tried to increment a count of the number of failures, cut the power when it tries to write to the fail count and you could attempt a brute force attack. I believe the most obvious way around the problem, to decrement the counter before checking the PIN and increment it after if the check passed, is patented.
It would be interesting to see if any RFID cards have that flaw.
I like what one of our users said:
;-)
"To summarize:
RFID for inventory tracking ==> Good idea
RFID for security ==> Stupid idea"
Here below I copy parts a previous comment on another story (which wasn't moderated and thus, probably not read a lot):
Anyone interested in RFID could also start with the excellent wikipedia.org entry.
Of interest, Slashdot already discussed RFID production increases before. Yes, RFID can be scary, especially in a bank or in passports. Imagine, even Sun cares for RFID. MobileMag have a small article about a 100% organic matter RFID chip developed in Korea, costing only 0.5 cents.
And if RFID and geospatial tech seriously interest you, see my sig
Animoog.org
Again this topic reviews the insecurities of wireless technology. We don't need a famous mathematician to tell us this. I have said it before, if data is so critically classified, don't transmit it across public air space.
There isn't any problem with this unless the tag claims to be secure. Also, as the report says, if the tags are going to be made cheaply available, they can't necessarily promise security. No doubt the communication could include the latest security technologies, but there would be an associated cost.
A big deal made from nothing, in my opinion.
Now it will be intersting to watch what does the DMCA have to say about this if the RFID vendor files a law suit ?
Just saying...
If you have any doubt look at hos the soldiers in Iraq are being treated. They aren't getting much body armor, so some soldiers are going into debt to buy theory won body armor. The most popular brand, Dragon Skin, is BETER than what the army provides.
However, the military doesn't like their soldiers taking the initiative like that, so if you're killed in combat while wearing body armor that wasn't issued by the military, your family doesn't get your death benefits. Your wife and children don't get a red cent for your life.
There was a a case a few weeks ago where a guy was paralyzed from the waist down, and the military withheld his pay until he paid back a few grand in combat pay that they'd overpaid him because of a clerical error. You try to come up with $4k when you have two kids, no job and you just lost the use of EVERYTHING below mid waist. Unless your wife is a banker or heiress, you're screwed.
Then there's the guy who had to pay $600 for body armor that was destroyed when his arm was shredded by an enemy land mine. Seems no one wanted to own up to losing the paperwork on the body armor that was pulled from his body as medics were trying to keep him from bleeding to death.
As far as the government is concerned, the soldiers are meat, one more commodity to ship to the war zone so the military contractors can line their pockets.
"Live Free or Die." Don't like it? Then keep out of the USA
I heartily disagree. If someone creates an algorithm, and patents it, do I then have to get their permission before using it to prove something in a paper? You want to give people a 2 year patent on something software related (an implementation, not an algorithm) then I can see that - but for a mathematical construct that's just silly. It would be like patenting not the steam-engine, but the concept that steam expands when heated.
James P. Barrett
Having these rules in paper, and actually following through with them are completely different things. Remember, there are lots of governments that regularly break international law, even ones that those countries themselves created. For a (non-debate raising) US example: softwood lumber trade with Canada, both countries agreed years ago on tariff prices and terms, and because of a US complaint even changed the rules (in their favour) over a decade ago. Now they refuse to pay out the millions of dollars (that's USD mind you) that they've not paid.
Now I don't want to scare anyone away from RFID technology - I think it's the bee's knees, myself - but I just want people to remember that big government is, almost without exception, bad government.
Whoo, signature!
DesireCampbell.com
Why he calls it "compromise"? RFID tag is just something like license plate on your car.
You don't call your car security compromised just because everybody non-blind in victinity can read your license plate with naked eyes.
You need have access to police database in order to get sensitive information of car owner using car license plate. Nobody but criminals tries to hide their car license plate from casual observer.
Same for RFIDs - they just transmit some unique id, and one who wants to idenitfy person carrying RFID has to get access to right database (and indentity which database holds this info first).
I'd rather say that your security is compromised, if you cannot read what is transmitted by RFID tag in your passport or under your skin, and some unknown person with RFID scanner can.
So, in order to stop this hype about RFIDs compromising security, they have to cell RFID scanners for dollar on next corner, or make it standard feature of every cell phone (if components are really already in place) so everybody who is concerned about security can easily scan oneself and find out what kind of information is available from those tags.
Only reason why those RFID makers don't do it - is because they want to make money on scanners as well as chips theirselves.
I wondered about this when those 'blink' cards came out. Imagine scanning for credit card numbers just by standing by a door as people walk in.
RFID tag encodings adhere to standards (EPC and ISO); perhaps I'm missing something but what exact is there to crack when all the information is freely available on the internet?
Oh, a lesson in history from Mr. I'm my own grandpa.
We want the public to be able to read RFID tags, so we have at least the same access to "personal" data as others scanning us. These tags will be left in our stuff at least 10x the rate that checkout droids fail to zap current security tags, which set off store alarms all day long. RFIDs won't set off the alarms, but they'll be big "scan me" signs on our backs wherever we go.
RFIDs should contain a cryptohash to prevent their data being altered without notice. But the hash and the data must be zeroable, so we can wipe them once we own them. Or the tag must be physically removeable.
--
make install -not war
For all of the bravado posts here on /., don't forget that this audience is the same audience that is happy to run (even defend) proprietary software that leaks information about you to untrusted parties, argue that such secrecy is an important expression of freedom (confusing freedom with power), and believes in the myth of the marketplace (if your employer is oppressive, find another job). Once RFID injection becomes commonplace, you'll see this myth exposed yet again (because the poor end up switching jobs that all require RFID injection).
I wouldn't be surprised if the debate switched from "I don't want to be injected with RFID tags at all!" to "How can I maintain RFID tag portability when I switch jobs?".
Digital Citizen
"And here I was expecting some sort of tinfoil/rifd joke."
A smart card is a small computer with or without wireless. Generally has a battery or requires power.
Sure you could call anything that exchanges ID information by RF RFID. Garage door openers, RFID. Aircraft transponders, RFID. CB Radio, RFID...IIRC that's called the Humpty Dumpty Fallicy (words mean what YOU ment them to when YOU said them).
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
Replace a $$$$ digital oscilloscope with a cellphone??? Bullshit.
He's not talking about replacing a $$$$ digital osciloscope with a cellphone. He's talking about doing something with a cellphone that can also be done by a $$$$ digital osciloscope. Big difference. (You can do a LOT of stuff with the scope.)
Typical scam research claim trying to extract money from investors. Where is he from again? Ah, OK, now we all know...
This is Adi Shamir we're talking about. He can get all the investors he wants just by dropping his name and saying he found something lucrative to do.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way