Slashdot Mirror


Real RFID Hacking Scenarios

kjh1 writes "Wired is running an article on RFID hacking that has potentially scary implications. Many RFID tags have no encryption and will happily transmit their information in the clear if they are active or within range of a reader. Worse yet is that they can be overwritten. Some interesting scenarios and experiments: snagging the code off of a security badge and replaying it to gain access to a secure building; vandalizing library contents by wiping or changing tags on books; changing the prices of items in a grocery or other store; and getting free gas by tweaking the ExxonMobil SpeedPass tags."

14 of 180 comments

  1. Encrypted RFID too expensive? by tinkertim · · Score: 5, Insightful

    From TFA:

    A typical passive RFID chip costs about a quarter, whereas one with encryption capabilities runs about $5. It's just not cost-effective for your average office building to invest in secure chips.

    Ok, office with 200 people. You mean to tell me a lousy thousand bucks isn't worth preventing an intrusion? Some places spend that much a month on copy paper.

    I'd call it cost effective considering the alternative possibilities :)

    1. Re:Encrypted RFID too expensive? by Aladrin · · Score: 3, Insightful

      It costs a LOT more than $5 to hire someone. If you count the cost of the name/RFID badge in the new-hire cost, it doesn't look nearly so bad anymore, either.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    2. Re:Encrypted RFID too expensive? by Thuktun · · Score: 2, Insightful

      Why not just store *encrypted* data on it? My hard disk doesn't support encryption, but I can store encrypted files (even partitions) on it nonetheless.

      When you're talking about authentication tokens, this does absolutely ZERO to block a replay attack.

  2. With Every New Technology... by InsomniacMK5 · · Score: 3, Insightful

    There will be those who can manipulate it. On one hand I think it's awesome that people have the technical expertise to do it. On the other hand it's scary when you want to play by the rules and be affected negatively by something of this sort.

    --
    Truth resides in every human heart, and one has to search for it there, and to be guided by truth as one sees it. But no
  3. Re:Regarding security badges by Hoho19 · · Score: 4, Insightful

    My college has no keypad. You just swipe your card. That's a huge security risk. Imagine if some sexual predator got access to a dorm. That's scary!

  4. Needed: RFID lockers. by Demon-Xanth · · Score: 4, Insightful

    What is really needed for security applications that use RFID is a kind of shielded wallet, that when an RFID tag is placed inside would keep the RFID tag from being read. Preferably one that could carry multiple cards and such. When you want something to be able to read it, you open it up. When you don't, you close it.

    I don't think many people carry their credit cards out in the open.

    --
    If you think education is expensive, you should try ignorance -- Derek Bok, president of Harvard
    1. Re:Needed: RFID lockers. by qwijibo · · Score: 3, Insightful

      I dislike the idea of shielded wallets because it misses the point. If you want something to default to off without user interaction, you shouldn't be using something that is always on plus another thing that mitigates the always-on effect. Why not just make the RFID circuit default to open and make you do something like squeeze the badge to close the circuit and enable the RFID capability? Always on means always vulnerable. That gets sold based on convenience, but is it ever really a good idea?

  5. "If I don't understand it, it must be secure." by dpbsmith · · Score: 4, Insightful

    Dilbert once ran a strip in which the PHB says "Reasoning that anything I don't understand must be easy..." before assigning Dilbert a monumental task on an impossibly short deadline. This is a mental trap that's easy to fall into.

    Another similar trap is "Any security technology I don't understand must be secure."

    Everyone has some vague notion of how a traditional lock and key work, and how they might be circumvented.

    But if there is no hole where the keyhole should be, and what IS there has some spiffy up-to-date appearance, and is "electronic" or "digital," the natural assumption is that because it clearly isn't a traditional lock and key, it must not have the traditional security vulnerabilities of a traditional lock and key... and since we aren't familiar with the new technology, we assume that "no traditional security vulnerabilities" = "no security vulnerabilities."

    And, obviously, the vendor of the new system, who is likely to be in the best situation to know them, isn't likely to explain them to us.

  6. Hacking? by tehcyder · · Score: 2, Insightful

    Have we now given up on using the word hacking except in a pejorative sense?

    The examples given all appeared to be illegal to me.

    --
    To have a right to do a thing is not at all the same as to be right in doing it
  7. Re:Regarding security badges by jandrese · · Score: 3, Insightful

    Yes, because nobody in a dorm would be able to hear someone screaming for help...

    Dorm security is a joke because for the most part it's not necessary. The people who break into dorms aren't sexual predators, they're common thieves trying to make off with a laptop or two. Most of the time they have legitimate access to the dorm anyway so the front door security is useless to begin with. Lock your door when you go to bed or leave the room, that's all there is to it.

    --
    I read the internet for the articles.
  8. not so much of a fud but "heads up" by pikine · · Score: 2, Insightful

    I think you underestimated how a read-only RFID tag can still be subject to play-back attack. You can fake the presence of an RFID. This becomes a problem when the person deploying RFID doesn't understand the consequences. For example, since perimeter security assumes that authorization is equivalent to the presence of an ID, being able to fake RFID violates this assumption and breaches security.

    TFA mentions a couple of these examples, where deployment is flawed. The flaw is not in the RFID technology.

    As for encryption, if the RFID always echoes back the same cipher-text, then it is still subject to play-back attack. Encrypted authentication is only useful if there is some sort of challenge-response protocol. I'm sure you know all this.

    --
    I once had a signature.
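The distinction pikine draws here (and the one raised in the "store encrypted data on it" exchange above), as an added Python example that is not from the article or any poster: it assumes a toy tag/reader pair sharing an HMAC key and a constructed badge id. A tag that always echoes the same ciphertext is cloned by recording one read; a tag that MACs a fresh reader nonce is not.

```python
import hmac
import hashlib
import secrets

# Constructed per-badge secret shared by tag and reader (sample value, not a real key).
BADGE_ID = b"badge-0042"
BADGE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


class StaticTag:
    """Tag that answers every reader with the same fixed (encrypted/MACed) credential."""

    def __init__(self, badge_id: bytes, key: bytes) -> None:
        self.blob = hmac.new(key, badge_id, hashlib.sha256).digest()

    def respond(self, challenge: bytes) -> bytes:
        return self.blob  # challenge is ignored: the output never changes


class ChallengeTag:
    """Tag that MACs the reader's fresh nonce, binding each answer to one session."""

    def __init__(self, badge_id: bytes, key: bytes) -> None:
        self.badge_id, self.key = badge_id, key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge + self.badge_id, hashlib.sha256).digest()


class Reader:
    def __init__(self, key: bytes, challenge_response: bool) -> None:
        self.key, self.cr = key, challenge_response

    def new_challenge(self) -> bytes:
        # A static-credential reader sends nothing the tag could bind its answer to.
        return secrets.token_bytes(16) if self.cr else b""

    def verify(self, badge_id: bytes, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self.key, challenge + badge_id, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def replay_succeeds(tag, reader: Reader) -> bool:
    """Record one legitimate read, then present the captured bytes at a later read."""
    c1 = reader.new_challenge()
    captured = tag.respond(c1)             # what a sniffer within range observes
    assert reader.verify(BADGE_ID, c1, captured), "legitimate read must pass"
    c2 = reader.new_challenge()            # new session: fresh nonce (or none at all)
    return reader.verify(BADGE_ID, c2, captured)
```

With the static tag the replay verifies because the reader has nothing session-specific to compare against; with the challenge tag the captured MAC is bound to the old nonce and is rejected.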
  9. RFID used for the wrong thing by Proteus · · Score: 2, Insightful

    A lot of these problems stem from using RFID as authentication (esp. single-factor) rather than identification.

    Most of the good RFID-enabled security measures I've seen essentially use the RFID as a rapid user ID. When I approach a secured door, the RFID says "this is Proteus", and a second device (PIN-pad, hand scanner, etc.) says "ok, prove it". That's much the same as a username/password pair, except cloning the RFID has a higher work-factor than guessing a user ID (e.g. it requires physical proximity and specialized hardware).

    That doesn't mean RFID isn't secure. It's just that too many people are using it as magical techno-faery-dust to solve security problems, and that behavior leads to insecurity.

    Of course, there are real security issues with certain RFID applications. The DoS that can result from removing/altering the tags is concerning -- makes one wonder why the RFID tag in a library book (for example) needs more data than an unalterable serial number. Can't the readers correlate that number with a record in a DB?

    Add to that the issue of tracking that comes with things like implantable RFID chips. Yeah, those could just be a serial number. But imagine stores putting RFID scanners in their doorways: they know the ID# of everyone who went in and out of the store, and even if they can't correlate that with your identity, the police could. Now, what if I clone your ID# and rob a store?

    Again, though, that's not a problem with the RFID tech, but with an ill-conceived implementation and too much trust. The only security problem with the tech itself is the overwriting/erasing issue.

    --
    We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
  10. Re:Hello noobcakes by peacefinder · · Score: 2, Insightful

    "Using a laptop and a simple RFID broadcasting device, they tricked the system into letting them fill up for free."

    As in so many things on slashdot, the definition of "free" matters here. In this case, it could mean
    1) no one was charged for the fuel by ExxonMobil.
      or
    2) some other ExxonMobil customer was charged for the fuel, but the pumper was not charged.
      or
    3) the fuel was liberated. :-)

    It seems to me that #2 is by far the most likely, which is probably what the GP poster was getting at.

    As for calling it "identity theft", as the GP did, that's daft. It's just a plain run-of-the-mill theft.

    --
    With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
  11. Cookies? by Michael+Woodhams · · Score: 2, Insightful

    "He programmed RFDump with the ability to place cookies on RFID tags the same way Web sites put cookies on browsers to track returning customers. With this, a stalker could, say, place a cookie on his target's E-ZPass, then return to it a few days later to see which toll plazas the car had crossed (and when). Private citizens and the government could likewise place cookies on library books to monitor who's checking them out."

    This makes no sense. Either he has to get access to the library/E-ZPass data (in which case no cookie is needed) or the library needs to be writing to the tag - which it doesn't do.

    Can anyone invert the ignorant-reporter-transform which has been applied to this paragraph?

    --
    Four things in this world are sacred: books, children, liberty and generosity.