Cellphone Could Crack RFID Tags
diverge_s writes "Adi Shamir of RSA is at it again. This time pointing out flaws in RFID systems. From the article: 'I haven't tested all RFID tags, but we did test the biggest brand and it is totally unprotected,' Shamir said. Using this approach, 'a cellphone has all the ingredients you need to conduct an attack and compromise all the RFID tags in the vicinity.'"
Here's the cryptographer's panel:
http://media.omediaweb.com/rsa2006/1_5/1_5_High.a
Prof Shamir comes on at 6:15, but I recommend watching the whole hour through.
When your employer comes to you about injecting an RFID tag under your skin remember this article. It is one thing to have an ID card with a tag on it, something that can be binned and replaced in time, but what about that chip under your skin? Are they going to take it out of you or will you end up with 10 all up your arm?
My 6620 is capable of responding to 13.56 MHz readers and may be capable of reading tags as well. Nokia has been working with Mastercard and others to bring payment and reward systems to mobile phone users. There is little information in Google, but the API is available. Check your Nokia 'wallet' function for RFID functionality.
Also, in addition to tags that have a simple 'password', that they must have before they do anything - that may be trivially vulnerable to power analysis, there are tags that do more complex things - such as for example, send the reader a random token, which it then has to encrypt with a key known to both of them.
This can be immune to power analysis - in the simplest case, as it does not check each bit as received, but only at the end of a computation.
And, the fact that getting the first bit correct of a hash with a given key does not help you to guess the rest.
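The contrast drawn in the comment above, as an added example that is not part of the original thread: a password tag that stops at the first wrong bit next to a tag that issues a random token and checks the reader's answer only at the end. The function and class names are hypothetical, `bits_processed` is a stand-in for what a power trace would reveal, and HMAC-SHA256 is used in place of the "encrypt with a shared key" step.

```python
import hashlib
import hmac
import secrets


def password_tag_check(stored: bytes, guess: bytes) -> tuple[bool, int]:
    """Simple 'password' tag that rejects at the first wrong bit.

    Returns (accepted, bits_processed). bits_processed stands in for what a
    power trace would show: how far the tag got before it gave up.
    """
    if len(guess) != len(stored):
        return False, 0
    for i in range(len(stored) * 8):
        shift = 7 - i % 8
        if (stored[i // 8] >> shift) & 1 != (guess[i // 8] >> shift) & 1:
            return False, i + 1          # work done depends on the secret
    return True, len(stored) * 8


def reader_response(key: bytes, nonce: bytes) -> bytes:
    """Reader proves knowledge of the shared key by MACing the tag's token."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class ChallengeResponseTag:
    def __init__(self, key: bytes):
        self._key = key
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)   # fresh random token per attempt
        return self._nonce

    def check(self, response: bytes) -> tuple[bool, int]:
        if self._nonce is None:
            return False, 0                      # no outstanding challenge
        expected = reader_response(self._key, self._nonce)
        self._nonce = None                       # a token is good for one answer
        # Whole response is compared in one pass; no per-bit early exit.
        return hmac.compare_digest(expected, response), len(expected) * 8
```

For the password tag the second value changes with the guess; for the challenge-response tag it is the same for every answer, and an old answer fails against a new token.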
The patent should never have been awarded in the first place. For one thing, mathematics should never be patentable. For another, there was already Prior Art invented at GCHQ in the UK -- but because of its nature, it was kept hushed-up.
The patent was never applicable in the UK nor the EU.
Je fume. Tu fumes. Nous fûmes!
but its primary uses: internal inventory tracking/ easy checkout, will be all it will be really good for
all of the other far out uses people have imagined rfid tech will be useful for once you get past check out and out of the store- all the negative and all the positive (conspiracy theory tracking, smart fridges that know when you need more milk, etc.), won't really come to pass. not because people will suddenly care about their privacy, but because of exactly this: no one will be able to design a system that can't be gamed for some sort of illicit activity. rfid use outside of the store will be undependable simply because if rfid tags are being depended upon for any sort of proof of id in the "wild", then there is immediate and easily realized incentive to game the system
in other words, rfid tags will only be useful in controlled environments. once out of the store, any grand schemes, good or bad, imagined with rfid tags in mind will be ruined by spoofing, masking, obfuscation, forgery, mass duplication, etc.
this cell phone meddling is but a very preliminary indication of the kind of homegrown creative hacks and schemes people will be devising for fun and profit in the near future using rfid technology
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Time for a price rollback at Walmart!
Slashdot's first reaction to VMware
(...) our government wants to embed these things in our passports (...)
(...) besides inventory tracking (...)
See the link yet ??
the only explanation is that your government sees its citizens as inventory, just like cattle
For one thing, mathematics should never be patentable. For another, there was already Prior Art invented at GCHQ in the UK -- but because of its nature, it was kept hushed-up.
This "prior art" did not count as it was unpublished. However the point about the mathematics is exactly correct. Shamir is one of the greatest trinity of conmen to ever plague the computer industry.
If you ever want to know why you still don't have encrypted email, this guy is 33.33333....% of the reason.
May the Maths Be with you!
That cloning device only works on cheap RFID's that don't do cryptographic authentication. This is not the first time this has been done.
http://www.cl.cam.ac.uk/~gh275/relay.pdf
The method Shamir talked about is a little more interesting because the cards are leaking information about what they are doing internally. It is possible that a more detailed examination of the power consumption may reveal other detail of what the card is doing as well as when it thinks it has received a bad bit.
Power analysis has been a known attack on smartcards for a long time. A few cards were vulnerable to an attacker looking for increased current draw just after a PIN/password attempt when the card tried to increment a count of the number of failures: cut the power when it tries to write to the fail count and you could attempt a brute force attack. I believe the most obvious way around the problem, to decrement the counter before checking the PIN and increment it after if the check passed, is patented.
It would be interesting to see if any RFID cards have that flaw.
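The counter ordering described in the comment above, as an added example that is not part of the original thread: a model card whose retry counter is written either after a failed check or before any check, exercised with interrupted counter writes. The `Card` class, the `PowerCut` exception and the PIN values are constructed for illustration and do not model any real card.

```python
import hmac


class PowerCut(Exception):
    """Constructed stand-in for power being removed during a counter write."""


class Card:
    MAX_TRIES = 3

    def __init__(self, pin: str, hardened: bool):
        self._pin = pin.encode()
        self.hardened = hardened
        self.tries_left = self.MAX_TRIES   # models the non-volatile counter
        self.comparisons = 0               # how many guesses were really checked

    def _write_counter(self, value: int, cut: bool = False) -> None:
        if cut:
            raise PowerCut()               # the write never lands
        self.tries_left = value

    def verify(self, guess: str, cut_on_write: bool = False) -> bool:
        if self.tries_left <= 0:
            return False                   # locked
        if self.hardened:
            # Spend the attempt first; an interrupted write means no check at all.
            self._write_counter(self.tries_left - 1, cut_on_write)
        self.comparisons += 1
        ok = hmac.compare_digest(guess.encode(), self._pin)
        if self.hardened and ok:
            self._write_counter(self.MAX_TRIES)       # refund on success
        elif not self.hardened and not ok:
            # Failure is recorded only after the check has already run.
            self._write_counter(self.tries_left - 1, cut_on_write)
        return ok


def checks_run_with_torn_writes(card: Card, guesses: list[str]) -> int:
    """Replay wrong guesses while every first counter write is interrupted."""
    for g in guesses:
        try:
            card.verify(g, cut_on_write=True)
        except PowerCut:
            pass                           # card is simply powered up again
    return card.comparisons
```

A regression test for card firmware can assert the same property: with writes interrupted, the number of PIN comparisons that actually ran must never exceed the retry limit.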
I like what one of our users said:
;-)
"To summarize:
RFID for inventory tracking ==> Good idea
RFID for security ==> Stupid idea"
Here below I copy parts of a previous comment on another story (which wasn't moderated and thus, probably not read a lot):
Anyone interested in RFID could also start with the excellent wikipedia.org entry.
Of interest, Slashdot already discussed RFID production increases before. Yes, RFID can be scary, especially in a bank or in passports. Imagine, even Sun cares for RFID. MobileMag have a small article about a 100% organic matter RFID chip developed in Korea, costing only 0.5 cents.
And if RFID and geospatial tech seriously interest you, see my sig
Animoog.org
Good bye karma, this post SUPPORTS patenting mathematics and software. Moderators, please read full post before moderating ...
I disagree. Many non-trivial and ingenious algorithms in math ought to be as patentable as other fields. Developing an algorithm to perform a useful task, or significantly improving an existing algorithm to perform a useful task, is no different than other fields. It requires time, resources, effort, and ingenuity.
The thing that I object to is the blanket patent period of 17 years that applies uniformly to all patents. The situation does not call for a one size fits all solution. The period of 17 years was probably decided a long time ago, and did not envision how rapidly the world had evolved. Even for other fields of engineering, 17 years may not always be the most appropriate amount of time.
In the computing world, 17 years is WAY too long. That's the equivalent of probably 5 or 6 revolutions in technologies. If patents for mathematics and computing were limited to say 2 or 3 years, then I can fully support it.
I heartily disagree. If someone creates an algorithm, and patents it, do I then have to get their permission before using it to prove something in a paper? You want to give people a 2 year patent on something software related (an implementation, not an algorithm) then I can see that - but for a mathematical construct that's just silly. It would be like patenting not the steam-engine, but the concept that steam expands when heated.
James P. Barrett
My reference? I work on smart cards, including biometric passports. In this field, no one in their right mind would use RFID tags for passports, or anything requiring security. Ever.
It is sad that the web is full of stuff about RFID security, or the lack of it, and people then make the assumption that anything contactless is RFID, and thus insecure. It is really hard to try to set the facts straight, when the correctness of your facts can be questioned with a bunch of links to FUD. (And damn, even the links you provide yourself prove to contain incorrect or misleading information! Argh.)
I guess I should just give up. It'll give me a warm and fuzzy feeling to know I'm right, after all.
Why does he call it "compromise"? An RFID tag is just something like the license plate on your car.
You don't call your car security compromised just because everybody non-blind in the vicinity can read your license plate with naked eyes.
You need to have access to the police database in order to get sensitive information about the car owner using the car license plate. Nobody but criminals tries to hide their car license plate from a casual observer.
Same for RFIDs - they just transmit some unique id, and one who wants to identify the person carrying the RFID has to get access to the right database (and identify which database holds this info first).
I'd rather say that your security is compromised, if you cannot read what is transmitted by the RFID tag in your passport or under your skin, and some unknown person with an RFID scanner can.
So, in order to stop this hype about RFIDs compromising security, they have to sell RFID scanners for a dollar on the next corner, or make it a standard feature of every cell phone (if components are really already in place) so everybody who is concerned about security can easily scan oneself and find out what kind of information is available from those tags.
The only reason why those RFID makers don't do it is because they want to make money on scanners as well as the chips themselves.