Slashdot Mirror

← Back to Stories (view on slashdot.org)

Real RFID Hacking Scenarios

Posted by ryuzaki0 on from the rfid-underground dept.

kjh1 writes "Wired is running an article on RFID hacking that has potentially scary implications. Many RFID tags have no encryption and will happily transmit their information in the clear if they are active or within range of a reader. Worse yet is that they can be overwritten. Some interesting scenarios and experiments: snagging the code off of a security badge and replaying it to gain access to a secure building; vandalizing library contents by wiping or changing tags on books; changing the prices of items in a grocery or other store; and getting free gas by tweaking the ExxonMobil SpeedPass tags."

8 of 180 comments (clear)

  1. Encrypted RFID too expensive? by tinkertim · · Score: 5, Insightful

    From TFA:

    A typical passive RFID chip costs about a quarter, whereas one with encryption capabilities runs about $5. It's just not cost-effective for your average office building to invest in secure chips.

    Ok, office with 200 people. You mean to tell me a lousy thousand bucks isn't worth preventing an intrusion? Some places spend that much a month on copy paper.

    I'd call it cost effective considering the alternetive possibilities :)

    1. Re:Encrypted RFID too expensive? by Aladrin · · Score: 3, Insightful

      It costs a LOT more than $5 to hire someone. If you count the cost of the name/rfid badge in the newhire cost, it doesn't look nearly so bad anymore, either.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  2. With Every New Technology... by InsomniacMK5 · · Score: 3, Insightful

    There will be those who can manipulate it. On one hand I think it's awesome that people have the technical expertise to do it. On the other hand it's scary when you want to play by the rules and be affected negatively by something of this sort.

    --
    Truth resides in every human heart, and one has to search for it there, and to be guided by truth as one sees it. But no
  3. Re:Regarding security badges by Hoho19 · · Score: 4, Insightful

    My college has no keypad. You just swipe your card. That's a huge security risk. Imagine if some sexual predator got access to a dorm. That's scary!

  4. Needed: RFID lockers. by Demon-Xanth · · Score: 4, Insightful

    What is really needed for security applications that use RFID is a kind of shielded wallet, that when an RFID tag is placed inside would keep the RFID tag from being read. Preferably one that could carry multiple cards and such. When you want something to be able to read it, you open it up. When you don't, you close it.

    I don't think many people carry thier credit cards out in the open.

    --
    If you think education is expensive, you should try ignorance -- Derek Bok, president of Harvard
    1. Re:Needed: RFID lockers. by qwijibo · · Score: 3, Insightful

      I dislike the idea of shielded wallets because it misses the point. If you want something to default to off without user interaction, you shouldn't be using something that is always on plus another thing that mitigates the always on effect. Why not just make the rfid circuit default to open and make you do something like squeeze the badge to close the circuit and enable the RFID capability? Always on means always vunerable. That gets sold based on convenience, but is it ever really a good idea?

  5. "If I don't understand it, it must be secure." by dpbsmith · · Score: 4, Insightful

    Dilbert once ran a strip in which the PHB says "Reasoning that anything I don't understand must be easy..." before assigning Dilbert a monumental task on an impossibly short deadline. This is a mental trap that's easy to fall into.

    Another similar trap is "Any security technology I don't understand must be secure."

    Everyone has some vague notion of how a traditional lock and key work, and how they might be circumvented.

    But if there is no hole where the keyhole should be, and what IS there has some spiffy up-to-date appearance, and is "electronic" or "digital," the natural assumption is that because it clearly isn't a traditional lock and key, it must not have the traditional security vulnerabilities of a traditional lock and key... and since we aren't familiar with the new technology, we assume that "no traditional security vulnerabilities" = "no security vulnerabilities."

    And, obviously, the vendor of the new system, who is likely to be in the best situation to know them, isn't likely to explain them to us.

    --

    "How to Do Nothing," kids activities, back in print!

  6. Re:Regarding security badges by jandrese · · Score: 3, Insightful

    Yes, because nobody in a dorm would be able to hear someone screaming for help...

    Dorm security is a joke because for the most part it's not necessary. The people who break into dorms aren't sexual predators, they're common thieves trying to make off with a laptop or two. Most of the time they have legitimate access to the dorm anyway so the front door security is useless to begin with. Lock your door when you go to bed or leave the room, that's all there is to it.

    --

    I read the internet for the articles.