Slashdot Mirror


Cellphone Could Crack RFID Tags

diverge_s writes "Adi Shamir of RSA is at it again. This time pointing out flaws in RFID systems. From the article: 'I haven't tested all RFID tags, but we did test the biggest brand and it is totally unprotected,' Shamir said. Using this approach, 'a cellphone has all the ingredients you need to conduct an attack and compromise all the RFID tags in the vicinity.'"

43 of 138 comments

  1. Link to the dude itself, dude! by Anonymous Coward · · Score: 5, Informative

    Here's the cryptographer's panel:
    http://media.omediaweb.com/rsa2006/1_5/1_5_High.asx

    Prof Shamir comes on at 6:15, but I recommend watching the whole hour through.

  2. Injected RFID tags... by Manip · · Score: 4, Insightful

    When your employer comes to you about injecting an RFID tag under your skin remember this article. It is one thing to have an ID card with a tag on it, something that can be binned and replaced in time, but what about that chip under your skin? Are they going to take it out of you or will you end up with 10 all up your arm?

    1. Re:Injected RFID tags... by scsirob · · Score: 4, Funny

      So let me get this right... If the injected RFID tag gets compromised, does that mean I'll be charged an extra bag of chips each time I pass the checkout at Gateways??

      --
      To Terminate, or not to Terminate, that's the question - SCSIROB
    2. Re:Injected RFID tags... by ajs318 · · Score: 4, Interesting
      When your employer comes to you about injecting an RFID tag under your skin
      That would be considered non-elective surgery, which is a form of assault {at least common assault, and maybe ABH or even GBH if an allergic reaction or septicaemia develops} -- and therefore illegal. Note also that you cannot consent to assault, and just because you said it was OK the perpetrator can still be prosecuted.
      --
      Je fume. Tu fumes. Nous fûmes!
    3. Re:Injected RFID tags... by Anonymous Coward · · Score: 2, Funny

      They'll just use the Dick Cheney method of implanting pellets I guess.

    4. Re:Injected RFID tags... by plumby · · Score: 4, Informative
      That would be considered non-elective surgery, which is a form of assault {at least common assault, and maybe ABH or even GBH if an allergic reaction or septicaemia develops} -- and therefore illegal. Note also that you cannot consent to assault, and just because you said it was OK the perpetrator can still be prosecuted.

      Whether you can or can't consent to assault is irrelevant, as by agreeing to have the surgery, it would become elective and there would be no assault to consent to.

    5. Re:Injected RFID tags... by kansas1051 · · Score: 4, Informative

      Note also that you cannot consent to assault, and just because you said it was OK the perpetrator can still be prosecuted.

      Your high school business law teacher who told you that didn't know what he was talking about. You can consent to a battery (unlawful touching) or an assault (reasonable apprehension of a battery). How do you think boxing, hockey, or football work? Each participant consents to being battered and assaulted (within the rules of the game) by other participants.

  3. RFID tag reader already in many Nokia phones by Hyperkinetic · · Score: 5, Interesting

    My 6620 is capable of responding to 13.56 MHz readers and may be capable of reading tags as well. Nokia has been working with Mastercard and others to bring payment and reward systems to mobile phone users. There is little information in Google, but the API is available. Check your Nokia 'wallet' function for RFID functionality.

    1. Re:RFID tag reader already in many Nokia phones by ianalis · · Score: 5, Informative

      That is the reason why I was shocked when I read the title. I know that there are Nokia phones that can read RFID and Nokia is pushing for its widespread use. Here's a useful link regarding RFID in Nokia phones: http://europe.nokia.com/nokia/0,,55737,00.html

  4. Not all tags. by queazocotal · · Score: 5, Insightful
    Active tags - ones with their own battery - are going to be fundamentally immune to this.

    Also, in addition to tags that have a simple 'password', that they must have before they do anything - that may be trivially vulnerable to power analysis, there are tags that do more complex things - such as for example, send the reader a random token, which it then has to encrypt with a key known to both of them.

    This can be immune to power analysis - in the simplest case, as it does not check each bit as received, but only at the end of a computation.

    And, the fact that getting the first bit correct of a hash with a given key does not help you to guess the rest.
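
The two tag designs contrasted in the comment above, as an added simulation (not code from the original thread): a "simple password" tag that checks bits one at a time and stops at the first mismatch, so the amount of work it does before giving up reveals how many leading bits of a guess were right, beside a challenge-response tag that issues a random token and verifies the keyed reply only at the end with a constant-time compare. The "bits processed" counter stands in for what a power trace would show; `SECRET` and `KEY` are constructed sample values, and all function names are this example's own.

```python
import hashlib
import hmac
import os

# Constructed sample secrets for the simulation (not real tag data).
SECRET = bytes.fromhex("a53c")                                # 16-bit password of the simple tag
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")     # shared key of the crypto tag


def naive_tag_check(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Bit-serial password check that stops at the first wrong bit.

    Returns (accepted, bits_processed). The second value stands in for what a
    power trace shows an observer: how long the tag kept working before it gave
    up, which equals the length of the correct prefix plus one.
    """
    bits_processed = 0
    for s_byte, g_byte in zip(secret, guess):
        for i in range(8):                                  # MSB first
            bits_processed += 1
            if ((s_byte >> (7 - i)) & 1) != ((g_byte >> (7 - i)) & 1):
                return False, bits_processed
    return len(secret) == len(guess), bits_processed


def guess_with_prefix(secret: bytes, k: int) -> bytes:
    """Build a guess that agrees with `secret` on exactly the first k bits."""
    bits = [(b >> (7 - i)) & 1 for b in secret for i in range(8)]
    bits[k] ^= 1                                            # first mismatch at position k
    for j in range(k + 1, len(bits)):
        bits[j] = 0
    out = bytearray()
    for j in range(0, len(bits), 8):
        out.append(sum(bit << (7 - i) for i, bit in enumerate(bits[j:j + 8])))
    return bytes(out)


class ChallengeResponseTag:
    """Tag that issues a random token and checks the keyed response only at the end."""

    def __init__(self, key: bytes):
        self._key = key
        self._nonce = b""

    def challenge(self) -> bytes:
        self._nonce = os.urandom(16)
        return self._nonce

    def verify(self, response: bytes) -> tuple[bool, int]:
        expected = hmac.new(self._key, self._nonce, hashlib.sha256).digest()
        # compare_digest examines every byte; there is no early exit to observe.
        ok = hmac.compare_digest(expected, response)
        return ok, len(expected) * 8                         # work done is always the same


def reader_response(key: bytes, nonce: bytes) -> bytes:
    """What a legitimate reader holding the shared key sends back."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def naive_leak_profile(secret: bytes) -> list[int]:
    """Bits processed by the naive tag for guesses with 0..n-1 correct leading bits."""
    return [naive_tag_check(secret, guess_with_prefix(secret, k))[1]
            for k in range(len(secret) * 8)]


def crypto_leak_profile(tag: ChallengeResponseTag, trials: int = 8) -> set[int]:
    """Distinct work counts observed for random wrong responses; one value means no leak."""
    seen = set()
    for _ in range(trials):
        tag.challenge()
        seen.add(tag.verify(os.urandom(32))[1])
    return seen


def handshake_outcomes(key: bytes = KEY) -> tuple[bool, int, bool, int]:
    """One legitimate and one forged exchange: (accepted, work, accepted, work)."""
    tag = ChallengeResponseTag(key)
    nonce = tag.challenge()
    good_ok, good_work = tag.verify(reader_response(key, nonce))
    bad_ok, bad_work = tag.verify(bytes(32))
    return good_ok, good_work, bad_ok, bad_work


if __name__ == "__main__":
    print("naive tag, bits processed per correct-prefix length:", naive_leak_profile(SECRET))
    print("crypto tag, work observed for wrong responses:", crypto_leak_profile(ChallengeResponseTag(KEY)))
```

For the naive tag the work count climbs one step per correct leading bit, which is exactly the per-bit signal the comment says a power trace exposes; the challenge-response tag does the same amount of work whatever is sent, and a correct first bit of a keyed hash says nothing about the rest.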

  5. Ban Cellphones! by splutty · · Score: 3, Funny

    Extrapolating the common reaction to this sort of 'dangers to national security', I'll be looking for a news article about how cellphones should be banned.

    (Cynical, yes. Too close to the truth? Unfortunately)

    Splut.

    --
    Coz eternity my friend, is a long *ing time.
  6. RFID != Smart Card by CortoMaltese · · Score: 2, Informative
    It's a good thing our government wants to embed these things in our passports

    I knew this was coming the second I saw the headline.

    Biometric passports and most other applications that need secure tokens utilize smart cards.

    RFID tags are not the same as smart cards. The difference is huge. Please do your homework.

    So wait, besides inventory tracking, why do we use RFID at all?

    Besides inventory tracking, we usually don't. It is just confusion and FUD.

    1. Re:RFID != Smart Card by agent+dero · · Score: 2

      Smart cards are a reasonable alternative, but I've played with smart card readers as well, most people just assume "it's electronic, it must be secure"

      Which means, a good amount of companies really don't. Of course the same applies for magstrips, etc.

      The problem is not just RFID centric, that wasn't the point I was making. It is the trade off of security for convenience.

      --
      Error 407 - No creative sig found
    2. Re:RFID != Smart Card by armb · · Score: 2, Informative

      > Biometric passports and most other applications that need secure tokens utilize smart cards.

      Except for the ones which really are planned to use RFIDs.

      Here's some homework for you:
      http://www.schneier.com/blog/archives/2005/08/rfid_passport_s_1.html
      http://www.theregister.co.uk/2006/01/30/burnham_rfid_evasions/
      http://catless.ncl.ac.uk/Risks/22.98.html#subj7.1
      http://catless.ncl.ac.uk/Risks/23.87.html#subj5.1

      --
      rant
    3. Re:RFID != Smart Card by peragrin · · Score: 2, Informative

      I hate to break this to you, but any card that has a contactless interface (i.e. hold the card near the reader) is an RFID setup. It should be RFRC, Radio Frequency Responder Chip, which the USA and the UK want to use in passports. Hence why they are coming with faraday cage style bags.

      A smart card still needs to be swiped. I have one in my American Express card. My roommate's new debit card has an RFRC in it as well, as he can simply place his card on a special sign and have it read it.

      --
      i thought once I was found, but it was only a dream.
    4. Re:RFID != Smart Card by CortoMaltese · · Score: 2, Interesting
      I've done my homework. Most folks (esp. in the US) seem to use the terms "RFID" and "contactless smart card" interchangeably, while they are totally different beasts. Schneier does that just as well, which doesn't help things. Maybe he even does it deliberately, to gain more publicity. You see, there are tons of news about RFID being broken, but when was the last time you saw that about a smart card?

      In fact, the article by The Register you refer to deals with this issue. People are worried because "The contactless chips that will be used in ID cards and passports are amazingly like RFID tags." They both work without contacts, from a distance. But that doesn't make them the same.

      I repeat again, the biometric passports and UK identity cards, etc. etc. won't be using RFID tags. They will be using contactless smart cards, which communicate according to ISO/IEC 14443.

      So I guess this boils down to terminology, really. The problem is that whenever people see "RFID broken" in the news, they freak, even though it means "RFID tags broken". Maybe you could argue that smart cards use RFID technology for contactless communication, but I think this just fuels the confusion, because then people generalize smart cards to be RFID tags, which is not the case.

    5. Re:RFID != Smart Card by CortoMaltese · · Score: 5, Insightful
      It is always fun to do homework with Wikipedia... Biometric passports don't use RFID tags. Period.

      My reference? I work on smart cards, including biometric passports. In this field, no one in their right mind would use RFID tags for passports, or anything requiring security. Ever.

      It is sad that the web is full of stuff about RFID security, or the lack of it, and people then make the assumption that anything contactless is RFID, and thus insecure. It is really hard to try to set the facts straight, when the correctness of your facts can be questioned with a bunch of links to FUD. (And damn, even the links you provide yourself prove to contain incorrect or misleading information! Argh.)

      I guess I should just give up. It'll give me a warm and fuzzy feeling to know I'm right, after all.

    6. Re:RFID != Smart Card by throwaway18 · · Score: 2, Informative

      I work on smart cards, including biometric passports. In this field, no one in their right mind would use RFID tags for passports, or anything requiring security. Ever.

      The problem here seems to be terminology (and clueless moderators).

      You are incorrectly assuming that "RFID" means a simple tag with no crypto.

      RFID is a generic term for any device that uses RF and identifies its presence or absence. A resonant circuit without a chip that is used to tag library books is an RFID. A contactless smartcard that uses cryptography to make it harder to clone is an RFID.

      people then make the assumption that anything contactless is RFID
      That is a correct assumption.

      and thus insecure.
      This is an incorrect assumption; however, as Shamir has shown, it is early days for RFID security.

  7. Re:Good thing by 24-bit+Voxel · · Score: 3, Insightful

    I cannot think of a use for it other than surveillance/tracking. I tried.

    I have heard people mention that it can help rescue teams find you if you are lost in the woods, or buried in a snowdrift. Sure, I guess it could. Considering that the majority of people don't have this happen to them on a regular basis, I concluded that was not its intended purpose.

    Maybe the RFID makers greased lawmakers to make more money. Could happen. Maybe we are all getting tagged so that we can be 'found' easily. Could also happen.

    I wonder why this is happening when the funds could serve the citizens better by say rebuilding New Orleans or fixing our crumbling infrastructure of roads and bridges.

    Who really knows what our gov'ts real priorities are? Certainly not I.

    It is of no consequence to me as I would microwave any RFID chips I was 'forced' to wear. "Sorry officer, I really don't know why I have a huge burn hole in my ID card, but I am a really terrific driver, let me tell ya."

    Regards,
    24BV

  8. Re:Shamir by ajs318 · · Score: 5, Interesting

    The patent should never have been awarded in the first place. For one thing, mathematics should never be patentable. For another, there was already Prior Art invented at GCHQ in the UK -- but because of its nature, it was kept hushed-up.

    The patent was never applicable in the UK nor the EU.

    --
    Je fume. Tu fumes. Nous fûmes!
  9. i think the rfid juggernaut can't be stopped by circletimessquare · · Score: 4, Insightful

    but its primary uses: internal inventory tracking/ easy checkout, will be all it will be really good for

    all of the other far out uses people have imagined rfid tech will be useful for once you get past check out and out of the store- all the negative and all the positive (conspiracy theory tracking, smart fridges that know when you need more milk, etc.), won't really come to pass. not because people will suddenly care about their privacy, but because of exactly this: no one will be able to design a system that can't be gamed for some sort of illicit activity. rfid use outside of the store will be undependable simply because if rfid tags are being depended upon for any sort of proof of id in the "wild", then there is immediate and easily realized incentive to game the system

    in other words, rfid tags will only be useful in controlled environments. once out of the store, any grand schemes, good or bad, imagined with rfid tags in mind will be ruined by spoofing, masking, obfuscation, forgery, mass duplication, etc.

    this cell phone meddling is but a very preliminary indication of the kind of homegrown creative hacks and schemes people will be devising for fun and profit in the near future using rfid technology

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:i think the rfid juggernaut can't be stopped by bloodstar · · Score: 2, Insightful

      But then the question comes to mind.
      How long will it take for the Corporations to manage a media campaign to smear anyone who would spoof or obfuscate or reproduce the RFID tags and information collected? Then spend the money it takes to make any such tampering with RFID tags to be a Felony with punishment on par with Rape and Murder.

      And before anyone thinks I think corporations are 'teh evil', it's the corporation being able to legally (the ethics of it is another matter) 'purchase' legislation to enforce their business model with the power of the government's guns that is creating the problems.

      --
      "The bass, the rock, the mic, the treble. I like my coffee black, just like my metal" - Mindless Self Indulgence
  10. Time for... by Jon+Abbott · · Score: 4, Funny

    Time for a price rollback at Walmart!

  11. Re:Good thing by sxpert · · Score: 4, Insightful

    (...) our government wants to embed these things in our passports (...)
    (...) besides inventory tracking (...)

    See the link yet ??

    the only explanation is that your government sees its citizens as inventory, just like cattle

  12. Re:Shamir by ObsessiveMathsFreak · · Score: 5, Insightful

    For one thing, mathematics should never be patentable. For another, there was already Prior Art invented at GCHQ in the UK -- but because of its nature, it was kept hushed-up.

    This "prior art" did not count as it was unpublished. However the point about the mathematics is exactly correct. Shamir is one of the greatest trinity of conmen to ever plague the computer industry.

    If you ever want to know why you still don't have encrypted email, this guy is 33.33333....% of the reason.

    --
    May the Maths Be with you!
  13. A PCB for cloning RFID tags by PGillingwater · · Score: 3, Interesting

    http://cq.cx/proxmarkii.pl provides a nice article on how one Canadian guy designed a small hardware solution for cloning RFID tags. It should be very clear that RFID is NOT secure -- it's actually more likely to be insecure, in spite of the vendors who are offering tin-foil hats for their RFID cards.

    --
    Paul Gillingwater
    MBA, CISSP, CISM
  14. this thread by Anonymous Coward · · Score: 2, Interesting

    At the last DefCon...people were able to remotely read RFID tags from a distance of approximately 49 feet...I knew this was a bad thing to implement so soon.

    1. Re:this thread by ajs318 · · Score: 2, Informative

      As I understand it, there is a serious issue with selectivity when reading RFID tags, due to the fact that they all have to use the same frequency. Passive RFID tags work by absorbing less or more energy from a radio transmitter to send zeros and ones. Real-life reading ranges are of the order of a few centimetres. Longer ranges are theoretically possible but create difficulties in practice. The "real" reader {i.e. the one which is actually supposed to be reading the tag} can't be too sensitive, lest its signal be picked up by other RFID tags {this system is meant for use in a store full of goods with RFID tags .....} and they interfere with the signal. The "parasite" reader {i.e. the one which is picking up overspill from the "real" reading process} can be much further away, but needs to be kept stationary because it is responding to really minute changes in signal strength. The "real" reader doesn't care about the RF power at all, since it can measure how much is being absorbed indirectly by measuring how much current is being drawn by the transmitter circuit {when the tag is absorbing more power, the oscillator draws more current}. The "parasite" reader will still be affected by any other "real" readers operating nearby.

      The limitations of passive tags are decreed by universal laws and won't be overcome by invention. Ironically, RFID will become less of a threat the more widely it is deployed.

      --
      Je fume. Tu fumes. Nous fûmes!
  15. RFID cloning and power consumption attacks by throwaway18 · · Score: 4, Interesting

    That cloning device only works on cheap RFIDs that don't do cryptographic authentication. This is not the first time this has been done.
    http://www.cl.cam.ac.uk/~gh275/relay.pdf

    The method Shamir talked about is a little more interesting because the cards are leaking information about what they are doing internally. It is possible that a more detailed examination of the power consumption may reveal other detail of what the card is doing as well as when it thinks it has received a bad bit.

    Power analysis has been a known attack on smartcards for a long time. A few cards were vulnerable to an attacker looking for increased current draw just after a PIN/password attempt when the card tried to increment a count of the number of failures; cut the power when it tries to write to the fail count and you could attempt a brute force attack. I believe the most obvious way around the problem, to decrement the counter before checking the PIN and increment it after if the check passed, is patented.

    It would be interesting to see if any RFID cards have that flaw.
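
The retry-counter ordering discussed in the comment above, as an added simulation (not code from the original thread or from any real card): a PIN check whose non-volatile retry counter is either written after the comparison (so a power cut between the compare and the write leaves it untouched) or charged before the comparison and refunded only on success. `PinTag`, `PowerCut` and the helper names are this example's own, and the counter is a plain attribute standing in for EEPROM.

```python
import hmac


class PowerCut(Exception):
    """Raised when the simulated attacker removes power mid-operation."""


class PinTag:
    """Card/tag with a retry counter kept in non-volatile memory (simulated).

    decrement_first=False: check the PIN, then write the counter on failure
                           (the ordering the comment above describes as flawed).
    decrement_first=True:  charge one attempt before checking, refund it after
                           a successful check (the ordering it describes as the fix).
    """

    def __init__(self, pin: str, tries: int = 3, decrement_first: bool = True):
        self._pin = pin.encode()
        self.remaining = tries              # stands in for the EEPROM retry counter
        self.decrement_first = decrement_first

    def verify(self, guess: str, cut_after_compare: bool = False) -> bool:
        if self.remaining <= 0:
            return False                    # locked out, nothing is checked
        if self.decrement_first:
            self.remaining -= 1             # committed before any comparison happens
        ok = hmac.compare_digest(self._pin, guess.encode())
        if cut_after_compare:
            raise PowerCut                  # attacker kills power right after the compare
        if self.decrement_first:
            if ok:
                self.remaining += 1         # refund only on success
        elif not ok:
            self.remaining -= 1             # the write a power cut can skip
        return ok


def attempts_before_lockout(decrement_first: bool, limit: int = 100) -> int:
    """Wrong guesses the tag still checks when power is cut after every compare."""
    tag = PinTag("1234", tries=3, decrement_first=decrement_first)
    attempts = 0
    while attempts < limit and tag.remaining > 0:
        attempts += 1
        try:
            tag.verify("0000", cut_after_compare=True)
        except PowerCut:
            pass                            # tag restarts with whatever was written
    return attempts


def normal_use() -> tuple[bool, int, bool, int]:
    """Legitimate flow on the hardened ordering: success costs nothing, failure costs one."""
    tag = PinTag("1234")
    ok1 = tag.verify("1234")
    left_after_success = tag.remaining
    ok2 = tag.verify("0000")
    return ok1, left_after_success, ok2, tag.remaining


if __name__ == "__main__":
    print("check-then-write, attempts before lockout:", attempts_before_lockout(False))
    print("decrement-first,  attempts before lockout:", attempts_before_lockout(True))
```

With the check-then-write ordering the counter never reaches zero under power cuts and the loop only stops at the artificial limit; with decrement-first the third cut still locks the card. The cost of the fix is that a power loss during a correct PIN entry costs the legitimate holder one try, since the refund write never happens.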

  16. RFID is not meant for security by Lord+Satri · · Score: 4, Informative

    I like what one of our users said:
    "To summarize:
    RFID for inventory tracking ==> Good idea
    RFID for security ==> Stupid idea
    "

    Here below I copy parts of a previous comment on another story (which wasn't moderated and thus, probably not read a lot):
    Anyone interested in RFID could also start with the excellent wikipedia.org entry.

    Of interest, Slashdot already discussed RFID production increases before. Yes, RFID can be scary, especially in a bank or in passports. Imagine, even Sun cares for RFID. MobileMag have a small article about a 100% organic matter RFID chip developed in Korea, costing only 0.5 cents.

    And if RFID and geospatial tech seriously interest you, see my sig ;-)

  17. Is this news? by rettridg · · Score: 2, Interesting

    Again this topic reviews the insecurities of wireless technology. We don't need a famous mathematician to tell us this. I have said it before, if data is so critically classified, don't transmit it across public air space.

    There isn't any problem with this unless the tag claims to be secure. Also, as the report says, if the tags are going to be made cheaply available, they can't necessarily promise security. No doubt the communication could include the latest security technologies, but there would be an associated cost.

    A big deal made from nothing, in my opinion.

  18. Re:Shamir by p2sam · · Score: 4, Insightful

    Good bye karma, this post SUPPORTS patenting mathematics and software. Moderators, please read full post before moderating ...

    I disagree. Many non-trivial and ingenious algorithms in math ought to be as patentable as other fields. Developing an algorithm to perform a useful task, or significantly improving an existing algorithm to perform a useful task, is no different than other fields. It requires time, resources, effort, and ingenuity.

    The thing that I object to is the blanket patent period of 17 years that applies uniformly to all patents. The situation does not call for a one size fits all solution. The period of 17 years was probably decided a long time ago, and did not envision how rapidly the world would evolve. Even for other fields of engineering, 17 years may not always be the most appropriate amount of time.

    In the computing world, 17 years is WAY too long. That's the equivalent of probably 5 or 6 revolutions in technologies. If patents for mathematics and computing were limited to say 2 or 3 years, then I can fully support it.

  19. Re:Shamir by jonwil · · Score: 2, Interesting

    From what I understand, the RSA patent has expired now.
    So, why haven't we seen people working on a simple to use way to do encrypted email now that they don't have to pay RSA for the patent?

  20. As a mathematician ... by Bazzalisk · · Score: 4, Insightful

    I heartily disagree. If someone creates an algorithm, and patents it, do I then have to get their permission before using it to prove something in a paper? You want to give people a 2 year patent on something software related (an implementation, not an algorithm) then I can see that - but for a mathematical construct that's just silly. It would be like patenting not the steam-engine, but the concept that steam expands when heated.

    --
    James P. Barrett
    1. Re:As a mathematician ... by p2sam · · Score: 3, Insightful

      I'm talking about algorithms that perform non-trivial useful tasks. I'm NOT talking about the theorems/lemmas/etc.

      Quicksort ought to be patentable, sorting numbers should not.
      Algorithms for solving Linear Programs ought to be patentable, duals should not.
      RSA ought to be patentable, public key crypto should not.

      In order for something to be patentable, it has to perform a useful task.

      To address your point about implementation vs algorithm, in software and mathematics, the implementation is often trivial (hence not deserving of a patent). The real innovation happens in the algorithm.

      Perhaps patents are a thing of the past, but I still wish to reward innovation to inventors of complex non-trivial algorithms which advance the state of the art. And patents are the closest thing we have.

    2. Re:As a mathematician ... by Fahrenheit+450 · · Score: 2, Insightful

      Even before Napier published the first ever book of log tables, the relationship (a ** b) * (a ** c) == a ** (b + c) still held.

      And astonishingly enough, even before [insert patented physical device here] was invented, the physics that allowed it to work the way it does still held. But you think that combining Widget A and Widget B to produce Result C is somehow more patentable than combining Number A and Number B to produce Result D?

      Why? Because you can touch them?

      --
      -30-
  21. I cannot understand just one thing... by Vitus+Wagner · · Score: 4, Interesting

    Why does he call it "compromise"? An RFID tag is just something like the license plate on your car.
    You don't call your car security compromised just because everybody non-blind in the vicinity can read your license plate with the naked eye.

    You need to have access to the police database in order to get sensitive information on a car owner using the car license plate. Nobody but criminals tries to hide their car license plate from casual observers.

    Same for RFIDs - they just transmit some unique id, and one who wants to identify the person carrying the RFID has to get access to the right database (and identify which database holds this info first).

    I'd rather say that your security is compromised, if you cannot read what is transmitted by RFID tag in your passport or under your skin, and some unknown person with RFID scanner can.

    So, in order to stop this hype about RFIDs compromising security, they have to sell RFID scanners for a dollar on the next corner, or make it a standard feature of every cell phone (if the components are really already in place) so everybody who is concerned about security can easily scan oneself and find out what kind of information is available from those tags.

    The only reason why those RFID makers don't do it is because they want to make money on scanners as well as the chips themselves.

    1. Re:I cannot understand just one thing... by $ASANY · · Score: 2, Informative
      I was similarly baffled. I work with DoD to develop and implement RFID solutions for transportation and asset accountability, and I've never heard of anyone trying to encrypt the data on an RFID tag. The DOD-64 and DOD-96 passive RFID constructs aren't encrypted, and those are the two DoD-specific constructs used in logistics. It seems like he's talking out of his posterior -- sure it's easy to "crack" the data on an RFID tag, because what is encoded there is not encrypted at all. That's by intentional design.

      In the commercial world, with Wal-Mart and Target the EPC constructs are also unencrypted. So when he talks about 'the most popular tag', I'm really wondering what he thinks that might be. Low-frequency livestock tags? 13.56 MHz access control badges? 900MHz passive Alien squiggle tags? Savi active tags? What the heck is this guy talking about, because none of these "popular" implementations encrypt the data on their tags?

      But let's say you managed to "crack" a tag. You got '2F0103047541A430000001F9' (yes, this is a valid construct with minimally munged data). Ok, how about someone tell me how that constitutes a breach of security.

    2. Re:I cannot understand just one thing... by throwaway18 · · Score: 2, Interesting

      I was similarly baffled. I work with DoD to develop and implement RFID solutions for transportation and asset accountability, and I've never heard of anyone trying to encrypt the data on an RFID tag.

      Sadly I am not surprised by someone who works on a government IT project not knowing what he is talking about. The card systems currently on the market for opening doors generally use challenge-response authentication.

      I'm told that the plan is for the UK RFID passports to use crypto. (and yes a contactless smartcard is an RFID.)

    3. Re:I cannot understand just one thing... by asuffield · · Score: 2, Interesting

      RFID tag is just something like license plate on your car.

      Do you walk around wearing a large plate describing, in lettering visible from a considerable distance, all the items you are carrying about your person?

      This technology could revolutionise the pickpocket industry. They don't need a complete database of all known tags. They just need to lurk down the street from the Apple store and know the code for "ipod" which is used at that particular store. Other valuable items (on the black market) that may include RFID tags are: passports, ID cards, most electronic products still in their original boxes, pharmaceuticals...

      And that's just one of the many possible uses for them. I'm sure people will find more and more creative ways to take advantage of the newly available information. Imagine if you could profile the current possessions of a customer to identify the ones likely to make a purchase, and target your salespeople to them, or even just prohibit the rest from entering.

      The possibilities for bold new patents are almost unlimited.

  22. Define "Crack" by Philodoxx · · Score: 3, Interesting

    RFID tag encodings adhere to standards (EPC and ISO); perhaps I'm missing something, but what exactly is there to crack when all the information is freely available on the internet?

    --
    Oh, a lesson in history from Mr. I'm my own grandpa.
  23. Re:Shamir by Vainglorious+Coward · · Score: 2, Insightful
    From what I understand, the RSA patent has expired now.

    I well remember the party I attended to celebrate the patent expiry, in September 2000

    So, why haven't we seen people working on a simple to use way to do encrypted email now that they don't have to pay RSA for the patent?

    Ever used Outlook? Or Thunderbird? Those email clients (and many others) do have a simple way to encrypt (and sign) email using S/MIME. The problem never was patent restrictions, rather the difficulties associated with key management (certificate management and PKI never took off the way it was originally hoped, for a number of reasons).

    --
    My next sig will be ready soon, but subscribers can beat the rush
  24. Re:Shamir by MadMidnightBomber · · Score: 2, Informative
    This "prior art" did not count as it was unpublished. However the point about the mathematics is exactly correct. Shamir is one of the greatest trinity of conmen to ever plague the computer industry. If you ever want to know why you still don't have encrypted email, this guy is 33.33333....% of the reason.

    Dude, 2000 called. They want their excuse back.

    The first copy of PGP was released in 1991 [1]

    The RSA patent expired in 2000. If you're in the US. I don't believe it was patented elsewhere. [2]

    I seem to remember GNU Privacy Guard working OK around 2000 [3]. Want to think of another reason why no one is encrypting email?

    --
    "It doesn't cost enough, and it makes too much sense."