Slashdot Mirror


Real RFID Hacking Scenarios

kjh1 writes "Wired is running an article on RFID hacking that has potentially scary implications. Many RFID tags have no encryption and will happily transmit their information in the clear if they are active or within range of a reader. Worse yet is that they can be overwritten. Some interesting scenarios and experiments: snagging the code off of a security badge and replaying it to gain access to a secure building; vandalizing library contents by wiping or changing tags on books; changing the prices of items in a grocery or other store; and getting free gas by tweaking the ExxonMobil SpeedPass tags."

8 of 180 comments

  1. Regarding security badges by benjjj · · Score: 5, Informative

    I think it's common practice for most serious security badges to rely on RFID for part of the verification, but some sort of user input for the rest. I have a prox card at work (which, I assume, is an RFID-based card), but the card only activates a keypad. Without my PIN, it's useless.

    1. Re:Regarding security badges by tinkertim · · Score: 4, Informative

      I'm recollecting many, many instances where I got through a door swiping a key with no pin or other authentication based on what I know.

      Ideally you authenticate on 2 out of these three:

      1 - what you know
      2 - what you have
      3 - what you are (or aren't, depending).

      Now that I think about it, most buildings I've been in that use RFID tags to open doors do not use anything but #2.

      I found this gizmo at fidgets just poking around on Google after reading TFA and feeling curious. That's the biggest one I found; the rest, once stripped of their case, would be very much like the scanner described in TFA.

      I'm sure this will become a growing problem, quickly.

  2. Make has a project in the current issue by hal9000(jr) · · Score: 5, Informative

    It is interesting reading and looks like a fun project. RFID for Makers

  3. RFID Spoofing Guide by Anonymous Coward · · Score: 5, Informative

  4. Speedpass IS encrypted... by nweaver · · Score: 3, Informative

    Speedpass is encrypted; they just did a really bad job of the custom cipher they decided to use for it.

    --
    Test your net with Netalyzr

  5. Well by ShooterNeo · · Score: 3, Informative

    RFID technology has the potential to do everything its backers claim. Inventory tracking for all manner of transportation and commerce could be MUCH more efficient because it is possible to read hundreds of tagged items at once, and without having to rotate the items to expose the barcodes. Unlike a barcode, or a credit card which is basically just a magnetic barcode, easily readable with commonly available readers or even iron filings, RFIDs can be made to keep their codes secret with encryption. It has to be competently done encryption, with secure, proven algorithms and a unique encryption key for EVERY device (it would be retarded if a bank made all of its RFID credit cards, for instance, use the same key).

    Credit card theft and misuse could be almost eliminated with better cards that use encryption so the code changes every time they are used. No longer would the number of your visa card suffice, every transaction would need a new code. For a business relationship, you would press a button on the card to generate a code that a particular merchant could then use repeatedly to charge the card from, and only that merchant.

    Of course, every security measure can be broken. Thieves could still swipe actual cards (and they could be cancelled just as quickly as they are today, but no thief could use the card without physically possessing it). With electron microscopes and specialized equipment someone could read the codes out of memory for a card and create duplicates: but the cost and time involved could easily be so onerous that no criminal ever did it.

    I think the slashdot mentality is one of fear of the tech because if the megacorps deploying these cards screw it up, we could end up with a system far less secure than we have now. For instance, wireless internet could have been made pretty much 100% secure from the start, but instead was pathetically easy to hack and far less secure than standard cat-5 jacks with no log on.

    I imagine a future Walmart or Best Buy where you grab anything you want to buy and throw it in a mostly plastic shopping cart. You wheel it through a special detector booth enclosed on three sides, and with one big electronic beep EVERYTHING gets instantly scanned, and a total price comes up. You take your credit card out of its protective foil sheath, push a physical button ON the card (or press your thumbprint to it), and put it into a little recess on the self checkout machine. You close the foil lined door, another beep follows, you open the door and the transaction is done. 15 seconds, start to finish, whether you are buying 1 item or an entire cart full. No more lines at stores that use the technology, ever. Instead of 30 clerks on the job at Walmart, there are just 4 or so "customer service representatives" to handle problems that come up. There's a roll of bags if you want to bag your own stuff, but otherwise you just push the cart right on out of the store. The guards even at Best Buy never bother to inspect your cart because each expensive or routinely stolen item has a deeply embedded RFID tag with a writable (WRITE ONCE) field that "knows" if it has been bought. Everything in your cart gets interrogated when you push it through the doors.

    No need for a paper receipt, either - a customer id for who bought the item is on the tag for each item. When you return stuff, you don't need a receipt, either, the clerk can quickly scan all your items when returned and press one button to instantly refund your money or give you store credit with your store card.

    Course, this is the real world. We can't get fcking word processing to work without any trouble at all on computers in offices because viruses, bloatware, stupid users, feature creep, and constant other problems mean that the commonly used Word is MORE trouble-prone than the Windows and DOS WordPerfect I used back in 1990. That's like a modern car being outperformed by a Model T! I can imagine this RFID stuff not working right either, or a health scare starting up due to the magneti
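The badge-replay scenario from the summary and ShooterNeo's two requirements (a unique key for every device, and a code that changes on every use) are easiest to see side by side in code. The following is an added example, not code from the Wired article or from any commenter: a static-ID reader accepts a recorded UID again, while a challenge-response reader, whose per-tag keys are derived from a master key, rejects a recorded answer presented to a fresh challenge. MASTER_KEY, the enrolled UIDs and the HMAC-SHA256 construction are assumptions made for the demonstration, not the protocol of any real badge or SpeedPass product.

```python
"""Added example: a static-ID badge reader versus a challenge-response reader.

All keys, UIDs and the MAC construction below are constructed for illustration;
they are not the protocol of any real badge or SpeedPass product.
"""
import hashlib
import hmac
import os

# Constructed master key: in a real deployment it would live in the reader's
# secure element, never on the tags.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
# Constructed UIDs of the badges enrolled for this door.
ENROLLED_UIDS = {bytes.fromhex("deadbeef01"), bytes.fromhex("deadbeef02")}


def diversify_key(master_key: bytes, uid: bytes) -> bytes:
    """Derive a unique key per tag (ShooterNeo's 'unique key for EVERY device').

    Extracting one tag's key then yields nothing usable against any other tag.
    """
    return hmac.new(master_key, b"badge-key|" + uid, hashlib.sha256).digest()


def tag_response(uid: bytes, tag_key: bytes, challenge: bytes) -> bytes:
    """What a keyed tag computes: a MAC over its UID and the reader's fresh nonce."""
    return hmac.new(tag_key, uid + challenge, hashlib.sha256).digest()


def static_reader_accepts(uid: bytes) -> bool:
    """A static-ID door: the UID sent in the clear is the entire credential."""
    return uid in ENROLLED_UIDS


def challenge_reader_accepts(uid: bytes, challenge: bytes, response: bytes) -> bool:
    """A challenge-response door recomputes the expected MAC for this challenge."""
    if uid not in ENROLLED_UIDS:
        return False
    expected = tag_response(uid, diversify_key(MASTER_KEY, uid), challenge)
    return hmac.compare_digest(expected, response)  # constant-time comparison


def legitimate_exchange(uid: bytes, challenge: bytes) -> bool:
    """The real tag answering the current challenge is accepted."""
    return challenge_reader_accepts(
        uid, challenge, tag_response(uid, diversify_key(MASTER_KEY, uid), challenge))


def replay_of_recorded_exchange(uid: bytes, first_challenge: bytes,
                                later_challenge: bytes) -> tuple:
    """Model the article's replay scenario against both door types.

    One legitimate exchange is recorded and its answer is presented later.
    Returns (static_door_opens, challenge_door_opens).
    """
    recorded = tag_response(uid, diversify_key(MASTER_KEY, uid), first_challenge)
    static_opens = static_reader_accepts(uid)                            # UID replays fine
    cr_opens = challenge_reader_accepts(uid, later_challenge, recorded)  # stale MAC
    return static_opens, cr_opens


if __name__ == "__main__":
    badge = bytes.fromhex("deadbeef01")
    c1, c2 = os.urandom(16), os.urandom(16)
    print(replay_of_recorded_exchange(badge, c1, c2))  # (True, False)
    print(replay_of_recorded_exchange(badge, c1, c1))  # (True, True): a reused nonce is replayable
```

The second call in the usage section is the caveat to watch for when evaluating a reader: the whole defence rests on the reader drawing a fresh, unpredictable challenge every time. A reader that reuses or counts its challenges is no better than the static-ID door, whatever cipher the tag carries.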

  6. factual error in TFA about SHA-1 by pikine · · Score: 4, Informative

    The last sentence on page 2 says: "Compare that to the hundreds of years experts estimate it would take for today's computers to break the publicly available encryption tool SHA-1, which is used to secure credit card transactions on the Internet."

    This is incorrect.

    SHA-1 is a digest algorithm. You give it some data, it outputs a 160-bit string that represents a fingerprint of the data. This fingerprint does not allow you to reconstruct the original input, but you can use it to verify data integrity, that data have not been tampered with. This does not protect against eavesdropping. Hacking a digest algorithm means to find, in a reasonable amount of time, two different inputs that produce the same digest.

    SHA-1 is not a cipher. A cipher takes plain-text and a cipher-key in, and produces cipher-text out, which would appear to a third person without a cipher-key as a pretty random string.

    --
    I once had a signature.
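pikine's distinction between a digest and a cipher is the one practitioners most often see blurred, so here it is in code. This is an added example, not from the comment or from the Wired article: SHA-1 is run as a digest over a constructed transaction record, showing the fixed 160-bit output, tamper detection, and the fact that the record itself still travels in the clear; a one-time pad stands in as the minimal cipher purely for contrast (it is not what credit-card transactions on the Internet use). The sample record and card number are constructed values.

```python
"""Added example: SHA-1 as a digest (integrity) beside a minimal cipher (confidentiality).

The transaction record is constructed; the one-time pad stands in for 'a cipher'
only to contrast with a digest and is not what web credit-card transactions use.
"""
import hashlib
import hmac
import os


def sha1_digest(data: bytes) -> bytes:
    """SHA-1 maps input of any length to a fixed 160-bit (20-byte) fingerprint."""
    return hashlib.sha1(data).digest()


def send_with_digest(record: bytes) -> tuple:
    """Integrity only: the record travels in the clear, accompanied by its digest."""
    return record, sha1_digest(record)


def verify_digest(record: bytes, digest: bytes) -> bool:
    """No key is involved, so anyone who sees the record can recompute the digest;
    the receiver uses that to detect tampering, an eavesdropper just reads the record."""
    return hmac.compare_digest(sha1_digest(record), digest)


def is_collision(a: bytes, b: bytes) -> bool:
    """Breaking a digest, in pikine's sense: two different inputs, one fingerprint."""
    return a != b and sha1_digest(a) == sha1_digest(b)


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Minimal cipher: XOR with a random key as long as the message (one-time pad)."""
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must match the plaintext length")
    return bytes(p ^ k for p, k in zip(plaintext, key))


otp_decrypt = otp_encrypt  # XOR is its own inverse


def demo() -> dict:
    """Run both mechanisms over a constructed transaction record."""
    card = b"4111111111111111"                  # constructed sample card number
    record = b"card=" + card + b";amount=19.99"
    sent, digest = send_with_digest(record)
    tampered = sent.replace(b"19.99", b"0.01")  # an in-transit modification
    key = os.urandom(len(record))               # fresh random pad, never reused
    ciphertext = otp_encrypt(record, key)
    return {
        "digest_bytes": len(digest),                        # 20 bytes == 160 bits
        "intact_verifies": verify_digest(sent, digest),     # True
        "tamper_detected": not verify_digest(tampered, digest),  # True
        "digest_hides_card": card not in sent,              # False: sent in the clear
        "cipher_hides_card": card not in ciphertext,        # True
        "decrypts_back": otp_decrypt(ciphertext, key) == record,  # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `digest_hides_card` entry is the point of the comment: a digest adds a 20-byte check value next to the data and changes nothing about who can read it. Confidentiality on the wire comes from a cipher and a key, which the digest never has.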

  7. New Hampshire Resists Real-ID by Plugh · · Score: 3, Informative

    There is a very active resistance to Real-ID here in New Hampshire. We came within a whisper of passing a law (HB1582) that would have explicitly rejected Real-ID; there was an incredibly passionate speech on the floor of the House of Representatives: here's the video

    In addition, there was a large rally at the NH State Capitol; here is that video.

    Unfortunately, our State Senate pulled some extremely underhanded parliamentary tricks to kill HB1582; all the gory details (and sound bites from the Senate) are here. The good news is, we here in the "Live Free or Die" state are still actively resisting this intrusion into our privacy!

    We take privacy seriously here in New Hampshire, especially privacy from the gorram Government!