Real RFID Hacking Scenarios
kjh1 writes "Wired is running an article on RFID hacking that has potentially scary implications. Many RFID tags have no encryption and will happily transmit their information in the clear if they are active or within range of a reader. Worse yet is that they can be overwritten. Some interesting scenarios and experiments: snagging the code off of a security badge and replaying it to gain access to a secure building; vandalizing library contents by wiping or changing tags on books; changing the prices of items in a grocery or other store; and getting free gas by tweaking the ExxonMobil SpeedPass tags."
I think it's common practice for most serious security badges to rely on RFID for part of the verification, but some sort of user input for the rest. I have a prox card at work (which, I assume, is an RFID-based card), but the card only activates a keypad. Without my PIN, it's useless.
From TFA:
:)
A typical passive RFID chip costs about a quarter, whereas one with encryption capabilities runs about $5. It's just not cost-effective for your average office building to invest in secure chips.
Ok, office with 200 people. You mean to tell me a lousy thousand bucks isn't worth preventing an intrusion? Some places spend that much a month on copy paper.
I'd call it cost-effective considering the alternative possibilities.
Never fear, the DMCA is here to protect us from that sort of behavior. It's illegal, so I doubt criminals would even try it ;) Thank god for big government!
http://religiousfreaks.com/
It is interesting reading and looks like a fun project.
RFID for Makers
What is really needed for security applications that use RFID is a kind of shielded wallet, that when an RFID tag is placed inside would keep the RFID tag from being read. Preferably one that could carry multiple cards and such. When you want something to be able to read it, you open it up. When you don't, you close it.
I don't think many people carry their credit cards out in the open.
If you think education is expensive, you should try ignorance -- Derek Bok, president of Harvard
http://cq.cx/prox.pl
While they may have just realized this, everyone else has already known about it. Three years ago I attended BlackHat in Vegas and the presenters were already doing this.
They showed live examples and had very interesting stories about how they were reprogramming cheese to send RFID signals saying it was shaving products. Also, the store they were doing this in used RFID on all their products to make sure everything is shelved in the right place. They would reprogram an item on the shelf (already in the right place) to emit a signal saying it was something else. When the store came by to move the item to the correct place, all they would find is the correct item. The presenters say it drove the store nuts.
Dilbert once ran a strip in which the PHB says "Reasoning that anything I don't understand must be easy..." before assigning Dilbert a monumental task on an impossibly short deadline. This is a mental trap that's easy to fall into.
Another similar trap is "Any security technology I don't understand must be secure."
Everyone has some vague notion of how a traditional lock and key work, and how they might be circumvented.
But if there is no hole where the keyhole should be, and what IS there has some spiffy up-to-date appearance, and is "electronic" or "digital," the natural assumption is that because it clearly isn't a traditional lock and key, it must not have the traditional security vulnerabilities of a traditional lock and key... and since we aren't familiar with the new technology, we assume that "no traditional security vulnerabilities" = "no security vulnerabilities."
And, obviously, the vendor of the new system, who is likely to be in the best situation to know them, isn't likely to explain them to us.
The last sentence on page 2 says: "Compare that to the hundreds of years experts estimate it would take for today's computers to break the publicly available encryption tool SHA-1, which is used to secure credit card transactions on the Internet."
This is incorrect.
SHA-1 is a digest algorithm. You give it some data, it outputs a 160-bit string that represents a fingerprint of the data. This fingerprint does not allow you to reconstruct the original input, but you can use it to verify data integrity, that data have not been tampered with. This does not protect against eavesdropping. Hacking a digest algorithm means to find, in a reasonable amount of time, two different inputs that produce the same digest.
SHA-1 is not a cipher. A cipher takes plain-text and a cipher-key in, and produces cipher-text out, which would appear to a third person without a cipher-key as a pretty random string.
I once had a signature.
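The digest-versus-cipher distinction drawn in the comment above, as an added worked example (not code from the article or from the commenter). It uses Python's standard hashlib and hmac modules; the message bytes are a constructed sample, and the "cipher" is a one-time-pad XOR standing in for a real cipher such as AES purely to show the plaintext + key -> ciphertext -> plaintext relation. It also adds one caveat a practitioner would want: a bare digest only proves integrity if the reference digest reached you over a trusted path, because whoever can change the data can recompute SHA-1 over it; a keyed digest (HMAC) closes that gap.

```python
import hashlib
import hmac
import secrets

# Constructed sample transaction record (not from the article).
MESSAGE = b"card=4111111111111111;amount=42.00"


def sha1_digest(data: bytes) -> str:
    """Digest: any-length input -> fixed 160-bit (20-byte) fingerprint, shown as 40 hex chars.
    One-way: the digest does not let you recover the input."""
    return hashlib.sha1(data).hexdigest()


def digest_matches(reference_digest: str, received: bytes) -> bool:
    """Integrity check: recompute SHA-1 over what was received and compare it
    with a reference digest obtained over a trusted path. Any modification to
    the data changes the digest, so a mismatch means tampering (or corruption).
    Constant-time comparison avoids leaking how many leading characters matched."""
    return hmac.compare_digest(reference_digest, sha1_digest(received))


def keyed_digest(key: bytes, data: bytes) -> str:
    """HMAC-SHA1: a digest that can only be recomputed by someone holding the key.
    This is what you want when the digest travels alongside the data it protects;
    a plain SHA-1 there can simply be recomputed by whoever altered the data."""
    return hmac.new(key, data, hashlib.sha1).hexdigest()


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Toy cipher (one-time pad): plaintext XOR key -> ciphertext.
    With a uniformly random key the ciphertext is indistinguishable from random
    bytes to anyone without the key. Stand-in for a real cipher such as AES."""
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation with the same key."""
    return otp_encrypt(ciphertext, key)


def demo() -> dict:
    """Run the contrast end to end and return the observations."""
    reference = sha1_digest(MESSAGE)
    tampered = MESSAGE.replace(b"42.00", b"4200.00")

    key = secrets.token_bytes(len(MESSAGE))
    ciphertext = otp_encrypt(MESSAGE, key)

    return {
        "digest_len_bytes": len(hashlib.sha1(MESSAGE).digest()),  # always 20
        "original_verifies": digest_matches(reference, MESSAGE),  # True
        "tampered_verifies": digest_matches(reference, tampered),  # False
        "ciphertext_differs": ciphertext != MESSAGE,               # True
        "decrypt_roundtrip": otp_decrypt(ciphertext, key) == MESSAGE,  # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note what each primitive does and does not give you: the digest detects modification of the data but hides nothing (an eavesdropper sees MESSAGE in the clear and can compute the same digest), while the cipher hides the data but by itself detects nothing (flipping a ciphertext byte flips the corresponding plaintext byte on decryption without any error). Securing a transaction on the wire needs both, which is why protocols pair a cipher with a keyed digest rather than relying on SHA-1 alone.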