Slashdot Mirror


Cellphone Could Crack RFID Tags

diverge_s writes "Adi Shamir of RSA is at it again. This time pointing out flaws in RFID systems. From the article: 'I haven't tested all RFID tags, but we did test the biggest brand and it is totally unprotected,' Shamir said. Using this approach, 'a cellphone has all the ingredients you need to conduct an attack and compromise all the RFID tags in the vicinity.'"

7 of 138 comments

  1. Link to the dude itself, dude! by Anonymous Coward · · Score: 5, Informative

    Here's the cryptographer's panel:
    http://media.omediaweb.com/rsa2006/1_5/1_5_High.asx

    Prof Shamir comes on at 6:15, but I recommend watching the whole hour through.

  2. RFID tag reader already in many Nokia phones by Hyperkinetic · · Score: 5, Interesting

    My 6620 is capable of responding to 13.56 MHz readers and may be capable of reading tags as well. Nokia has been working with Mastercard and others to bring payment and reward systems to mobile phone users. There is little information in Google, but the API is available. Check your Nokia 'wallet' function for RFID functionality.

    1. Re:RFID tag reader already in many Nokia phones by ianalis · · Score: 5, Informative

      That is the reason why I was shocked when I read the title. I know that there are Nokia phones that can read RFID and Nokia is pushing for its widespread use. Here's a useful link regarding RFID in Nokia phones: http://europe.nokia.com/nokia/0,,55737,00.html

  3. Not all tags. by queazocotal · · Score: 5, Insightful

    Active tags - ones with their own battery, are going to be fundamentally immune to this.

    Also, in addition to tags that have a simple 'password', that they must have before they do anything - that may be trivially vulnerable to power analysis, there are tags that do more complex things - such as for example, send the reader a random token, which it then has to encrypt with a key known to both of them.

    This can be immune to power analysis - in the simplest case, as it does not check each bit as received, but only at the end of a computation.

    And, the fact that getting the first bit correct of a hash with a given key does not help you to guess the rest.
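
The contrast drawn in the comment above, as an added example that is not part of the original thread: a password check that stops at the first wrong byte beside a challenge-response check that compares only after the full computation. HMAC-SHA256, the sample secrets, all function names, and the use of a step count as a simplified stand-in for a power trace are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

# Constructed sample secrets, not values from any real tag.
PASSWORD = b"\x13\x37\xc0\xde"
KEY = b"constructed-shared-key"

def password_check(guess):
    """Weak tag: compares each byte as it arrives and stops at the first
    mismatch. Returns (accepted, steps); steps models the observable work."""
    steps = 0
    for g, p in zip(guess, PASSWORD):
        steps += 1
        if g != p:
            return False, steps
    return len(guess) == len(PASSWORD), steps

def new_challenge():
    """Tag side: fresh random token for every authentication attempt."""
    return os.urandom(8)

def reader_response(key, nonce):
    """Reader side: keyed hash of the tag's token (HMAC-SHA256 assumed)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def challenge_check(nonce, response):
    """Stronger tag: computes the full expected value, then compares every
    byte with no early exit, so steps does not depend on the guess."""
    expected = hmac.new(KEY, nonce, hashlib.sha256).digest()
    diff, steps = len(response) ^ len(expected), 0
    for r, e in zip(response, expected):
        steps += 1
        diff |= r ^ e
    return diff == 0, steps

def leak_profile(check, guesses):
    """Distinct step counts seen across guesses; more than one value means
    the check's work depends on how much of the secret was guessed."""
    return sorted({check(g)[1] for g in guesses})

if __name__ == "__main__":
    nonce = new_challenge()
    good = reader_response(KEY, nonce)
    print(leak_profile(password_check, [b"\x00" * 4, b"\x13" + b"\x00" * 3, PASSWORD]))
    print(leak_profile(lambda r: challenge_check(nonce, r), [bytes(32), good[:1] + bytes(31), good]))
```

The model covers only the comparison step; it says nothing about leakage from the keyed computation itself on real hardware.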

  4. Re:Shamir by ajs318 · · Score: 5, Interesting

    The patent should never have been awarded in the first place. For one thing, mathematics should never be patentable. For another, there was already Prior Art invented at GCHQ in the UK -- but because of its nature, it was kept hushed-up.

    The patent was never applicable in the UK nor the EU.

    --
    Je fume. Tu fumes. Nous fûmes!

  5. Re:Shamir by ObsessiveMathsFreak · · Score: 5, Insightful

    For one thing, mathematics should never be patentable. For another, there was already Prior Art invented at GCHQ in the UK -- but because of its nature, it was kept hushed-up.

    This "prior art" did not count as it was unpublished. However the point about the mathematics is exactly correct. Shamir is one of the greatest trinity of conmen to ever plague the computer industry.

    If you ever want to know why you still don't have encrypted email, this guy is 33.33333....% of the reason.

    --
    May the Maths Be with you!

  6. Re:RFID != Smart Card by CortoMaltese · · Score: 5, Insightful

    It is always fun to do homework with Wikipedia... Biometric passports don't use RFID tags. Period.

    My reference? I work on smart cards, including biometric passports. In this field, no one in their right mind would use RFID tags for passports, or anything requiring security. Ever.

    It is sad that the web is full of stuff about RFID security, or the lack of it, and people then make the assumption that anything contactless is RFID, and thus insecure. It is really hard to try to set the facts straight, when the correctness of your facts can be questioned with a bunch of links to FUD. (And damn, even the links you provide yourself prove to contain incorrect or misleading information! Argh.)

    I guess I should just give up. It'll give me a warm and fuzzy feeling to know I'm right, after all.