Real RFID Hacking Scenarios
kjh1 writes "Wired is running an article on RFID hacking that has potentially scary implications. Many RFID tags have no encryption and will happily transmit their information in the clear if they are active or within range of a reader. Worse yet is that they can be overwritten. Some interesting scenarios and experiments: snagging the code off of a security badge and replaying it to gain access to a secure building; vandalizing library contents by wiping or changing tags on books; changing the prices of items in a grocery or other store; and getting free gas by tweaking the ExxonMobil SpeedPass tags."
I know of at least one Lucent patent on RFID security.
I think it's common practice for most serious security badges to rely on RFID for part of the verification, but some sort of user input for the rest. I have a prox card at work (which, I assume, is an RFID-based card), but the card only activates a keypad. Without my PIN, it's useless.
From TFA:
:)
A typical passive RFID chip costs about a quarter, whereas one with encryption capabilities runs about $5. It's just not cost-effective for your average office building to invest in secure chips.
Ok, office with 200 people. You mean to tell me a lousy thousand bucks isn't worth preventing an intrusion? Some places spend that much a month on copy paper.
I'd call it cost effective considering the alternative possibilities.
Never fear, the DMCA is here to protect us from that sort of behavior. It's illegal, so I doubt criminals would even try it ;) Thanks god for big government!
http://religiousfreaks.com/
There will be those who can manipulate it. On one hand I think it's awesome that people have the technical expertise to do it. On the other hand it's scary when you want to play by the rules and be affected negatively by something of this sort.
Truth resides in every human heart, and one has to search for it there, and to be guided by truth as one sees it. But no
It is interesting reading and looks like a fun project. RFID for Makers
What is really needed for security applications that use RFID is a kind of shielded wallet, that when an RFID tag is placed inside would keep the RFID tag from being read. Preferably one that could carry multiple cards and such. When you want something to be able to read it, you open it up. When you don't, you close it.
I don't think many people carry their credit cards out in the open.
If you think education is expensive, you should try ignorance -- Derek Bok, president of Harvard
http://cq.cx/prox.pl
While they may have just realized this, everyone else has already known about it. Three years ago I attended BlackHat in Vegas and the presenters already were doing this.
They showed live examples and had very interesting stories about how they were reprogramming cheese to send RFID signals saying they were shavings products. Also, the store they were doing this in used RFID on all their products to make sure everything is shelved in the right place. They would reprogram an item on the shelf (already in the right place) to emit a signal saying it was something else. When the store came by to move the item to the correct place all they would find is the correct item. The presenters say it drove the store nuts.
Quality Hosting e3 Servers
Speedpass is encrypted, they just did a really bad job of the custom cypher they decided to use for it.
Test your net with Netalyzr
Interesting points raised in TFA. It's worth bearing in mind, though, that the average range for a passive RFID tag is only a few yards.
The Wikipedia article on RFID states "The US state of Virginia has considered putting RFID tags into driver's licenses ostensibly to make lookups faster for police officers and other government officials." Now that would be fun, if you had a cloner!
By the way, read the "Religious Reaction to RFID" part if you haven't. It's "interesting".
"They send a signal only when a reader powers them with a squirt of electrons". Definitely not. Just some radio waves (think crystal set).
The cheapest RFID chips - by and large - are not read/write. They're read-only. The Wal-Marts of the world aren't putting read/write RFID in their products. This strikes me as largely a non-issue. As far as the security-badge scenario; you'd have to be pretty close to the badge to get it to transmit. Like, close enough to have it in your hand. If the bad guy has your badge in his hand, you've already got bigger problems.
Dilbert once ran a strip in which the PHB says "Reasoning that anything I don't understand must be easy..." before assigning Dilbert a monumental task on an impossibly short deadline. This is a mental trap that's easy to fall into.
Another similar trap is "Any security technology I don't understand must be secure."
Everyone has some vague notion of how a traditional lock and key work, and how they might be circumvented.
But if there is no hole where the keyhole should be, and what IS there has some spiffy up-to-date appearance, and is "electronic" or "digital," the natural assumption is that because it clearly isn't a traditional lock and key, it must not have the traditional security vulnerabilities of a traditional lock and key... and since we aren't familiar with the new technology, we assume that "no traditional security vulnerabilities" = "no security vulnerabilities."
And, obviously, the vendor of the new system, who is likely to be in the best situation to know them, isn't likely to explain them to us.
"How to Do Nothing," kids activities, back in print!
It was up a loooong time ago with the same info about wiping library tags, reading a security manager's badge and gaining entry as a test, yadda ^ 3.
As noted in the article: "Private citizens and the government could likewise place cookies on library books to monitor who's checking them out." And how is this not being done as is? For anyone who goes into a library, records of what books you check out are kept since you have to submit your library card. Most public libraries are known/thought to share this information with government as it stands.
In response to ExxonMobil SpeedPass: "'Texas Instruments used an untested cipher.' The Johns Hopkins lab found that the code could be broken" ... That was then, this is now... The test in question was done some years back. How about verifying something now instead of crying over spilled milk? Can this be replicated now? If so, why didn't they write about it? Did they solely include this information to inject FUD into the RFID security scene?
Another noteworthy statement: "VeriChip, the only company making FDA-approved tags, boasts on its Web site that 'this "always there" identification can't be lost, stolen, or duplicated.' It sells the chips to hospitals as implantable medical ID tags and is starting to promote them as secure-access keys." Of interesting note would be that many hospitals' maternity wards have chips for newborns that are supposed to alert staff if a baby is removed. While parents may find this "useful", it does nothing if someone simply... (drum roll) cuts off the tag.
Aside from that instance of stupidity, in many instances, one need only to inject noise interference to disable many RFID tags... So instead of getting all geeky and narrowing down a band, find yourself a decent noise generator capable of jamming a frequency and just do a five finger discount on a bag of Doritos. Go for it, it's on the house and I'm sure those security personnel whose jobs were lost from companies depending on RFID will love you for it.
Infiltrated dot Net
It's really no big deal. The vast majority of RFID chips are simply read-only, because that's the bottom of the line cheapest way to go. The card is "pinged" with a radio-field, and the chip burps out its serial number. No over write. No virus attack potential. Nothing of interest... Sure you can spoof these by putting a different tag in its place - oh yay, you've done the same cleverness as peeling a price sticker from a different product.
Read/Write tags are a step up in cost. They range from 20 bytes to 256 bytes of data with a 10 digit serial number. Some brands support encrypted encoding formats. There is a trivial one byte "access key code" that prevents a Writer from writing to an RFID tag if this "access key code" byte doesn't match. It's really more of an accident prevention mechanism (so you don't accidentally overwrite an ExxonSpeedPass if it was put in a WalMart system).
Encryption of the "Writable" tags is the responsibility of the application. Since you only have 20 bytes (on the more common, cheaper tags) there isn't much you can do anyway as the number of permutations at 20! is low enough for most script-kiddies to crack. When you start getting up to 256 bytes, then sure it makes absolute sense to encrypt the contents. But, when you're at that price level, you're already considering the hardware that can encrypt at the signal level.
(Yes, I write code dealing with RFID tags)
-Mike
The only PT Boat Journal on the web: http://www.PT171.org
Remind me again how getting nearly $4/gallon gas for free from ExxonMobil and its $8.4 billion quarterly profit is scary.
Visit www.seriouslythough.com
For those who leaped before looking, this must be great news. Take for example
3 1213
or this guy. html
http://it.slashdot.org/article.pl?sid=06/02/12/00
http://www.bmezine.com/news/presenttense/20050330
Oh well.
The examples given all appeared to be illegal to me.
To have a right to do a thing is not at all the same as to be right in doing it
RFID technology has the potential to do everything its backers claim. Inventory tracking for all manner of transportation and commerce could be MUCH more efficient because it is possible to read hundreds of tagged items at once, and without having to rotate the items to expose the barcodes. Unlike a barcode, or a credit card which is basically just a magnetic barcode, easily readable with commonly available readers or even iron filings, RFIDs can be made to keep their codes secret with encryption. It has to be competently done encryption, with secure, proven algorithms and a unique encryption key for EVERY device (it would be retarded if a bank made all of its rfid credit cards, for instance, use the same key).
Credit card theft and misuse could be almost eliminated with better cards that use encryption so the code changes every time they are used. No longer would the number of your visa card suffice, every transaction would need a new code. For a business relationship, you would press a button on the card to generate a code that a particular merchant could then use repeatedly to charge the card from, and only that merchant.
Of course, every security measure can be broken. Thieves could still swipe actual cards (and they could be cancelled just as quickly like it is today, but no thief could use the card without physically possessing it). With electron microscopes and specialized equipment someone could read the codes out of memory for a card, and create duplicates, but the cost and time involved could easily be so onerous that no criminal ever did it.
I think the slashdot mentality is one of fear of the tech because if the megacorps deploying these cards screw it up, we could end up with a system far less secure than we have now. For instance, wireless internet could have been made pretty much 100% secure from the start, but instead was pathetically easy to hack and far less secure than standard cat-5 jacks with no log on.
I imagine a future walmart or best buy where you grab anything you want to buy and throw it in a mostly plastic shopping cart. You wheel it through a special detector booth enclosed on three sides, and with one big electronic beep EVERYTHING gets instantly scanned, and a total price comes. You take your credit card out of its protective foil sheath, push a physical button ON the card (or press your thumbprint to it), and put it into a little recess on the self checkout machine. You close the foil lined door, another beep follows, you open the door and the transaction is done. 15 seconds, start to finish, whether you are buying 1 item or an entire cart full. No more lines at stores that use the technology, ever. Instead of 30 clerks on the job at Walmart, there are just 4 or so "customer service representatives" to handle problems that come up. There's a roll of bags if you want to bag your own stuff, but otherwise you just push the cart right on out of the store. The guards even at best buy never bother to inspect your cart because each expensive or routinely stolen item has a deeply embedded rfid tag with a writable (WRITE ONCE) field that "knows" if it has been bought. Everything in your cart gets interrogated when you push it through the doors.
No need for a paper receipt, either - a customer id for who bought the item is on the tag for each item. When you return stuff, you don't need a receipt, either, the clerk can quickly scan all your items when returned and press one button to instantly refund your money or give you store credit with your store card.
Course, this is the real world. We can't get fcking word processing to work without any trouble at all on computers in offices because viruses, bloatware, stupid users, features creep, and constant other problems mean that the commonly used Word is MORE trouble prone than windows and DOS word perfect I used back in 1990. That's like a modern car being out performed by a model T! I can imagine this RFID stuff not working right either, or a health scare starting up due to the magneti
After the recent reports that companies like Levis were testing RFID tracking in their clothes I started searching around to see what it'd cost to get an RFID reader if I wanted to start tinkering. Although self-contained hand-held readers are still quite pricey I did find an alternative. There are companies that are selling RFID attachments for Palm and Windows CE devices. For about $200-$400 you can buy an RFID device that plugs into an SD slot. Depending on how much you want to pay you can get just a reader or a reader/writer. With a little bit of software work it probably wouldn't be very difficult at all to whip up an RFID "skimmer" that you could just stick into your pocket. Just casually walk by a security guard and steal his access card, walk around a store and reprogram prices, etc. and nobody would know it was you since you're just walking around and the device in your pocket is doing all the real work.
Unless you are spoofing the speedpass of the CEO of Exxon,
the poor schmuck whose speedpass you cloned will get the bill.
It is stealing from that person. They could notice the extra
fill-ups on the bill and try to fight Exxon about them.
I'm sure that they would win any court battle.
Feel good that you are getting "FREE GAS" and forget that
you may have robbed some poor kids of Christmas.
Why not just tattoo our personal ID info on our foreheads in radar-colored ink?
--
make install -not war
A common paper envelope provides sufficient shielding to prevent the visual reading of a credit card, and the credit card holder can visually determine the likely effectiveness of the shielding. Reading the magnetic stripe of a credit card while it is inside a paper envelope might be possible, but is not a likely threat. Simply putting a credit card in a shirt pocket is sufficient to prevent the surreptitious reading of common credit cards. A wallet that is shielded to prevent the reading of RFID tags would be much more complex than a paper envelope or shirt pocket, and the holder of the RFID cannot determine for himself the likely effectiveness of the shielding. When a user opens an RFID wallet, would he be exposing the rest of his RFID's so that they can be read?
privacy concerns? Assuming the signal was strong enough and the RFID was embedded in the product (so I can't remove it), couldn't someone drive by my house and see what sorts of things I buy? Or use them to track me with tags embedded in clothing or a watch?
I understand how they work but only know a little about RFID's integration into inventory management and the like. Are they deactivated when you check out? If not, how long would they last?
The last sentence on page 2 says: "Compare that to the hundreds of years experts estimate it would take for today's computers to break the publicly available encryption tool SHA-1, which is used to secure credit card transactions on the Internet."
This is incorrect.
SHA-1 is a digest algorithm. You give it some data, it outputs a 160-bit string that represents a fingerprint of the data. This fingerprint does not allow you to reconstruct the original input, but you can use it to verify data integrity, that data have not been tampered with. This does not protect against eavesdropping. Hacking a digest algorithm means to find, in a reasonable amount of time, two different inputs that produce the same digest.
SHA-1 is not a cipher. A cipher takes plain-text and a cipher-key in, and produces cipher-text out, which would appear to a third person without a cipher-key as a pretty random string.
I once had a signature.
The June edition contains an interesting article on RFID and its security with respect to consumers. It is a good introductory article that covers all of the main security issues. It also talks about how various people who have been influential in the government are now working for RFID companies (one being Tom Ridge, former Secretary of Homeland Security).
What was interesting to me in the same article is a reference to IBM having a 2001 patent application for tracking individual persons using the RFID constellation they create when carrying around a significant number of RFID tags. You nominate your target and profile what RFIDs they have, and then just look for that specific profile as it floats from detector to detector. This is scary stuff.
On a slightly related note, I remember seeing a comment somewhere about how teenage boys could profile the RFID constellation of hot looking women walking down the street and correlate this with the Victoria's Secret catalogue in order to pick who was wearing the hot lingerie. This is a weird but possible new behaviour that RFIDs are opening.
Of more importance, I saw recently a reference to an RFID tag that could be embedded in currency notes as an anti-counterfeiting measure. Imagine how the muggers would jump on board this if it comes true.
I am Slashdot. Are you Slashdot as well?
I mean we are already working on a device that confuses the receiver into thinking it is being worked on by a technician and shuts off but lets the pump open for inspection thus letting it pump gas and voilà free gasoline. Plus, it is easy to break into one of those pumps and add in a card reader that reads off the card number from your debit/credit card and PIN number if you use debit. Technology is amazing, is it not?
Why do I know? BECAUSE I WAS THAT MAN. Not really. I lived there during that time, in 1995.
You better watch out, there may be dogs about . .
Which is pretty scary if it's YOUR SpeedPass they're using.
Noob.
You better watch out, there may be dogs about . .
If they failed to deactivate the tag, or if you tried to steal a book, the system would sound an alarm, and Gary would be in an uproar. He might even have called the elderly Mrs. Simpson as backup. I recognized the 400Hz. tone as being a Mallory Sonalert.
Seeing as how we were already using the ASR-33 Teletypes with acoustic couplers in the Library to hack into local dial-up modem mainframes, I felt that a new hack was in order.
I had a Mallory Sonalert from a recent dumpster dive where my brother worked. I wired it and a 9v battery to a momentary switch and kept it in my coat pocket.
On occasions, I would situate myself in a library desk near the checkout. When Gary would wand a book, I would sound my alarm. Then, with a red face, he'd retrieve the book, and wand it again. I'd beep. He'd wand again. And again. Then, I'd stop before his blood pressure popped his head off.
Sometimes, I'd activate my Sonalert when Gary walked past the sensor gate. Sometimes not. I was having fun.
Why the long story? Well, just to let you know that hacking in a jovial sense can be a pantload of fun, and that you might not have to hack the internals of a system, to hack a system. That was 1977 folks - RFID (even in a crude sense) has been around for a while.
Our hacking was not malicious, it was fun. We never caused harm, and we never left tracks.
That's cool. Do you have any other links to sites that don't contain the article you're talking about?
Some interesting scenarios and experiments: snagging the code off of a security badge and replaying it to gain access to a secure building; vandalizing library contents by wiping or changing tags on books; changing the prices of items in a grocery or other store; and getting free gas by tweaking the ExxonMobil SpeedPass tags.
Interesting, though in today's climate it seems the fourth option is the only real way to make any money off of this.
No. It's not polite to slam doors in people's faces. But you could say "Sorry, I can't let you in" and just "close" the door. That guy might think you're a dick but the potential rape victims won't.
My turnips listen for the soft cry of your love
There are WORM (I think that's the acronym) write-once read-many tags which can only be written to once (by the end-user, kind of like how you can print on a piece of paper just once but you can read it many times). These are relatively hacker-proof... the only danger is reading the information. Reading information from passive tags (WORM tags usually are) requires them to be very close to the reader (or the reader to be "MORE POWERFUL THAN HULK, HULK SMASH!"), so much so that the only viable scams would be to get people with RFID cards in their wallets to sit on your scanner. ...do I see Santa Claus stealing little kids' information in the future?
A computer once beat me at chess, but it was no match for me at kick boxing.
TOP SECRET FACT: Most modern cars have tracking transponders! While you drive on highways. Wires in the road and 14 feet above, work fine and log your car movement.
: ...but the shocking link finally died in July 2004 and the new location 2005 does not have a photo of a RFID bridge underpass RFID database collector. But this 20005 link below does discuss their toll booth RFID tracking uses...
Spy transmission chips embedded in tires that can be read REMOTELY while driving.
A secret initiative exists to track all funnel-points on interstates and US borders for car tire ID transponders (RFID chips embedded in the tire).
Yup. My brother works on them (since 2001).
The us gov T.R.E.A.D. act (which passed) made it illegal to sell new passenger cars lacking untamperable RFID in the tires allowing efficient scanning of moving cars.
Your tires have a passive coil with 64 to 128 bit serial number emitter in them! (AIAG B-11 ADC v3.0). A particular frequency energizes it enough so that a receiver can read its little ROM. A ROM which in essence is your GUID for your TIRE. Multiple tires do not confuse the readers. It's almost identical to all "FastPass" "SpeedPass" technologies you see on gasoline keychain dongles and commuter windshield sticker-chips. The US gov has secretly started using these chips to track people.
It's kind of like FBI "Taggants" in fertilizer and "Taggants" in Gasoline and Bullets, and Blackpowder. But these car tire transponder Ids are meant to actively track and trace movement of your car.
Taggant chemical research papers
http://www.wws.princeton.edu/cgi-bin/byteserv.prl/ ~ota/disk3/1980/8017/801705.PDF
(remove spaces in url from slashcode if needed)
I am not making this up. Melt down a high end Firestone, or Bridgestone tire and go through the bits near the rim (sometimes at base of tread) and you will locate the transmitter (similar to 'grain of rice' pet ids and Mobile SpeedPass, but not as high tech as the tollbooth based units). Sokymat LOGI 160, and Sokymat LOGI 120 transponder buttons are just SOME of the transponders found in modern high end car tires. The AIAG B-11 Tire tracking standard is now implemented for all 3rd party transponder manufacturers [covered below].
It is for QA and to prevent fraud and "car theft", but the US Customs service uses it in Canada to detect people who swap license plates on cars when doing a transport of contraband on a mule vehicle that normally has not logged enough hours across the border. The customs service and FBI do not yet talk about this, and are starting using it soon.
Photos of tracking chips before molded deep into tires!
http://www.sokymat.com/index.php?id=94
PLEASE LOOK AT THAT LINK: It's the same shocking tire material I have been trying to tell people about since the spring of 2001 on slashdot.
a controversial dead older link was at http://www.sokymat.com/sp/applications/tireid.html
(slashdot ruins links, so you will have to remove the ASCII space it inserts usually into any of my urls to get to the shocking info and photos on the embedded LOGI 160 chips that the us Gov scans when you cross Mexican and Canadian borders.)
You never heard of it either because nobody moderates on slashdot anymore and this is probably +0 still. It has also never appeared in print before and is (or was) very secret.
California's Fastpass is being upgraded to scan ALL responding car tires in future years upcoming. I-75 may get them next in rural funnel points in Ohio.
The photo of the secret high speed overpass prototype WAS at
http://www.tadiran-telematics.com/products6.html
I think you underestimated how a read-only RFID tag can still be subject to play-back attack. You can fake the presence of an RFID. This becomes a problem when the person deploying RFID doesn't understand the consequences. For example, since perimeter security assumes that authorization is equivalent to the presence of an ID, being able to fake RFID violates this assumption and breaches security.
TFA mentions a couple of these examples, where deployment is flawed. The flaw is not in the RFID technology.
As for encryption, if the RFID always echoes back the same cipher-text, then it is still subject to play-back attack. Encrypted authentication is only useful if there is some sort of challenge-response protocol. I'm sure you know all this.
I once had a signature.
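The point made in the comment above, worked through as an added example (not code from the thread or the article): a tag that always returns the same bytes, whether a plain serial number or a fixed ciphertext, is accepted when those bytes are replayed, while a reader that issues a fresh challenge rejects a recorded response. The class names, the per-tag key and the use of HMAC-SHA256 are assumptions chosen for the sketch; real tags use their own primitives.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, data: bytes) -> bytes:
    """Keyed MAC standing in for whatever primitive a real tag implements."""
    return hmac.new(key, data, hashlib.sha256).digest()

class FixedResponseTag:
    """Tag that emits the same bytes every time it is powered."""
    def __init__(self, blob: bytes):
        self.blob = blob

    def respond(self, challenge: bytes = b"") -> bytes:
        return self.blob  # any challenge is ignored

class FixedReader:
    """Reader that treats 'presence of the enrolled bytes' as authorization."""
    def __init__(self, enrolled: bytes):
        self.enrolled = enrolled

    def accepts(self, response: bytes) -> bool:
        return hmac.compare_digest(self.enrolled, response)

class ChallengeResponseTag:
    """Tag that proves knowledge of a per-tag key over the reader's nonce."""
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self.key = uid, key

    def respond(self, challenge: bytes) -> bytes:
        return mac(self.key, challenge + self.uid)

class ChallengeReader:
    """Reader that issues a single-use random nonce per transaction."""
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self.key = uid, key
        self._pending = None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def accepts(self, response: bytes) -> bool:
        if self._pending is None:        # no outstanding challenge
            return False
        expected = mac(self.key, self._pending + self.uid)
        self._pending = None             # a nonce is never reused
        return hmac.compare_digest(expected, response)

def run_scenarios() -> dict:
    uid = bytes.fromhex("0102030405")    # constructed sample serial number
    key = secrets.token_bytes(16)        # constructed per-tag secret
    results = {}

    # 1. Plain serial number: whatever was observed once works forever.
    tag, reader = FixedResponseTag(uid), FixedReader(uid)
    observed = tag.respond()
    results["plain_id_replay_accepted"] = reader.accepts(observed)

    # 2. "Encrypted" but static: the blob is opaque, yet identical each time.
    blob = mac(key, uid)
    tag, reader = FixedResponseTag(blob), FixedReader(blob)
    observed = tag.respond()
    results["fixed_ciphertext_replay_accepted"] = reader.accepts(observed)

    # 3. Challenge-response: the genuine tag passes ...
    tag, reader = ChallengeResponseTag(uid, key), ChallengeReader(uid, key)
    observed = tag.respond(reader.new_challenge())
    results["genuine_tag_accepted"] = reader.accepts(observed)

    # ... but the recorded response fails against the next, fresh nonce,
    reader.new_challenge()
    results["old_response_replay_accepted"] = reader.accepts(observed)

    # and also fails when no challenge is outstanding at all.
    results["replay_without_challenge_accepted"] = reader.accepts(observed)
    return results

if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

A fresh nonce defeats replay of recorded responses only; it does not by itself stop a live relay, where the challenge is forwarded to the genuine tag in real time.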
At 18 you should know better.
You better watch out, there may be dogs about . .
I am a techie librarian, you can put away your pointy tinfoil hat.
Our RFID tags are write-once-only. Once we've written the tag, it can't be over/re-written. Yes this means we have to throw a tag away if someone writes the wrong thing to it.
Our tags only include the barcode of the item on the shelf. Our library catalog does not allow searching by barcode, so there is no way for an outsider to link the barcode to what the item is short of physically possessing the item.
So, maybe all those other nightmare scenarios have some credence, but I can sleep at night about our RFID implementation, and you can too.
welcome our new RFID Tag pirating overlords.
Seriously though - I hope organizations which are implementing this are seriously considering the security risks and implications. Though I fear the people trying to sell them this technology are emphasizing the cost-savings and largely ignoring the potential for abuse.
Going on means going far
Going far means returning
A lot of these problems stem from using RFID as authentication (esp. single-factor) rather than identification.
Most of the good RFID-enabled security measures I've seen essentially use the RFID as a rapid user ID. When I approach a secured door, the RFID says "this is Proteus", and a second device (PIN-pad, hand scanner, etc.) says "ok, prove it". That's much the same as a username/password pair, except cloning the RFID has a higher work-factor than guessing a user ID (e.g. it requires physical proximity and specialized hardware).
That doesn't mean RFID isn't secure. It's just that too many people are using it as magical techno-faery-dust to solve security problems, and that behavior leads to insecurity.
Of course, there are real security issues with certain RFID applications. The DoS that can result from removing/altering the tags is concerning -- makes one wonder why the RFID tag in a library book (for example) needs more data than an unalterable serial number. Can't the readers correlate that number with record in a DB?
Add to that the issue of tracking that comes with things like implantable RFID chips. Yeah, those could just be a serial number. But imagine stores putting RFID scanners in their doorways: they know the ID# of everyone who went in and out of the store, and even if they can't correlate that with your identity, the police could. Now, what if I clone your ID# and rob a store?
Again, though, that's not a problem with the RFID tech, but with an ill-conceived implementation and too much trust. The only security problem with the tech itself is the overwriting/erasing issue.
We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
My College uses these to lock and unlock ALL the doors. The "security monoculture" is a serious issue that people will have to realize, but until they do, things may get "stoled".
In addition, there was a large rally at the NH State Capitol; here is that video.
Unfortunately, our State Senate pulled some extremely underhanded parliamentary tricks to kill HB1582; all the gory details (and sound bites from the Senate) are here. The good news is, we here in the "Live Free or Die" state are still actively resisting this intrusion into our privacy!
- One of our Senators (John Sununu) has come out publicly against Real-ID
- We are still actively working to reject the funding to implement Real-ID; see this forum
- If worst comes to worst, people are pledging not to comply with Real-ID should it come into effect
We take privacy seriously here in New Hampshire, especially privacy from the gorram Government!
Part of the Second American Revolution!
The cards alone aren't the cost barrier.
It's the implementation of a contactless crypto card where it all goes to pieces.
Your -special- prox card is one card per building/office that's duplicated many times. No crypto, it just sends its unique ID to the reader when powered. The reader is programmed to accept that card code.
Now, to add a little crypto to the system means perhaps the contactless card does a little computation, or decrypts a message sent from the reader to the card, then returns it to the reader. We're talking about 1 or more seconds passing. Definitely beyond the average medium-traffic door. I haven't even gotten into personalizing the card and sending that data over yet. And then there's the reader that is still horribly expensive.
FYI, there are a number of proprietary contactless products out there:
1. Sony's Felica(sp?)
2. Mifare Some megacorp... (ISO 14443 + proprietary?)
3. HID's "prox" (many buildings use this)
The ISO standard is 14443.
The insecurity comes from the really dumb contactless cards that are essentially open, just power the card and query for its contents. This is where all the volume is and probably will be for quite some time.
If you are actually concerned, then you should probably stick with magstripe insecurity for your bankcards in the U.S.
Happy hacking!
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
not true...
New Hampshire did nothing to stop the RFIDs hidden in cars from being used by federal authorities to track and log car movements.
Refer to long detailed post regarding RFID in cars... all cars sold in New Hampshire in fact without exception.
http://slashdot.org/comments.pl?sid=186652&cid=15
For some reason no one mods anymore on slashdot so people in New Hampshire probably overlooked it unless they read at "anon whistleblower" level of 0.
I agree New Hampshire is more free than most any other state... but they do plan on tracking citizen movements... just as all gasoline sold in New Hampshire has chemical signature "taggants" added.
The kids burning churches in Georgia this year in 2006 were caught not from "luck" or "police talent" but solely because of the gasoline taggants traced back to point of purchase. Amusingly that fact was never divulged in the press. In fact disinformation regarding tire tread database was used. HA!
The truth is taggants and RFID make lots of anonymous movement difficult.
New Hampshire does not care about rights.
read http://slashdot.org/comments.pl?sid=186652&cid=15
I am so sick of hearing people/articles complaining about RFID insinuating that simply because people don't know how to utilize it properly, it is an evil idea to implement it (for security purposes)... It is pretty similar to WiFi in that people who don't really know what they are doing will put it out there with no encryption because they are stupid/careless, but the technology is there to lock it down. The RFID tags we use at my company cost ~$1.50, and have encryption capabilities. The way these cards work is the RFID reader/writer sends a signal activating the card. The card responds and you then have to provide it with the correct encryption key before it will send ANY data. In addition, the response time is (by-design) a slow .07 seconds, so to try to crack the 12 digit hex key by brute force could take up to 624 thousand years.
.07 second transaction...
(&HFFFFFFFFFFFF * .07 sec) / (60 sec/min) / (60 min/hr) / (24 hr/day) / (365 day/yr) = 624786 years
Additionally, the readers we utilize have a relatively weak signal that is only good for a few inches, so for someone to try to steal the key while it is in the air, they would have to be pretty much touching the reader and the rfid chip during that
People using unencrypted RFID are asking for trouble, but if you want to implement it securely, there are paths you can take to do so with confidence.
If RFIDs become as ubiquitous as people suggest, how about the simpler scenarios?
Let's say a store begins tracking its inventory through RFID usage. One could potentially build transmitters that make it look like someone is pushing the equivalent of a tractor trailer full of goods around in their shopping cart. If these RFIDs are used to check items as someone is going out the door, how hard would it be to dump them on someone else to disguise your own act of shoplifting?
These are rather tame examples, but I see RFID spoofing as the biggest immediate threat.
Government's view of the economy: If it moves, tax it. If it keeps moving, regulate it. If it stops moving, subsidize it.
I live in NH and there are many people here who care very much. We have been fighting and are one of the only states even trying to stop Real ID. We also tried to do something about RFID with bill HB203; however, the senate killed it as well. Don't confuse RFID with Real ID; they are two separate and important issues.
"Rebellion against tyrants is obedience to God."
http://www.emvelope.com/
http://www.walletgard.com/productinfo.html
He was complaining one night about the tests they make him take to determine rehabilitation and how they're rigged. He then went into how the questions were all subjective. Stuff like "when walking around at night do you look into people's windows" or somesuch. They were really straightforward questions and he was getting them wrong.
It was hilarious that he'd overthink it, but also sort of terrifying. THAT'S a grabber. Not some punk kid making an unfunny joke.
You better watch out, there may be dogs about . .
Because the gov't tracks when you sell your tires to your neighbor, put on snow tires, etc.
You're nuts
Welcome to the USA, where you don't pay for anything when your card is stolen. Federal Law.
The story goes that when Speedpass, or at least the patents it was based on, was originally being developed by Exxon engineers there was full intent to include encryption. Exxon, however, sold the patents off to Mobil for the startling sum of $1, and when Mobil implemented it, they cut the encryption to shave a few bucks off the per-unit.
Of course this was years and years ago so whatever encryption they had included would have been obsolete now, so I suppose the point is moot.
We should, however, assume that any mass-produced RFID technology is going to have the least amount of security possible, just enough to not alienate the majority. Considering the majority thinks that opening Internet Explorer is synonymous with starting the internet, it will be a while before we see secure RFID in any notable capacity.
That'll teach me for picking a handle after reading Alternet.org on a Friday night.
You better watch out, there may be dogs about . .
"He programmed RFDump with the ability to place cookies on RFID tags the same way Web sites put cookies on browsers to track returning customers. With this, a stalker could, say, place a cookie on his target's E-ZPass, then return to it a few days later to see which toll plazas the car had crossed (and when). Private citizens and the government could likewise place cookies on library books to monitor who's checking them out."
This makes no sense. Either he has to get access to the library/E-ZPass data (in which case no cookie is needed) or the library needs to be writing to the tag - which it doesn't do.
Can anyone invert the ignorant-reporter-transform which has been applied to this paragraph?
Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
From TFA: > "We don't expect that retailers will use RFID like this at the product level for at least 10 or 15 years." By then, Truchsess thinks, security will be worked out.
Isn't this kind of lax attitude how a number of our current security flaws have come about? Through lax attitudes at first?
Spam: Authenticating the other computer all the way back to the original computer could have helped with this.
Phreaking: Likewise. DDoS: Likewise. Need I go on?
AC's modded -6. I don't see you, I don't mod you, anything you say is lost. Don't like it? Don't be a coward.
There is a solution out there. Weird Al knew about this and proposed the idea of having Conan the Librarian manning all libraries and keeping a check on people who vandalize books by swapping tags. Hasta la vista, baby! You'll never be back.
Fortunately for my friend, he went to court and the judge laughed his ass off before dismissing the charges. I guess not everyone is so lucky.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent