Real RFID Hacking Scenarios

Posted by Zonk
from the rfid-underground dept.
kjh1 writes "Wired is running an article on RFID hacking that has potentially scary implications. Many RFID tags have no encryption and will happily transmit their information in the clear if they are active or within range of a reader. Worse yet is that they can be overwritten. Some interesting scenarios and experiments: snagging the code off of a security badge and replaying it to gain access to a secure building; vandalizing library contents by wiping or changing tags on books; changing the prices of items in a grocery or other store; and getting free gas by tweaking the ExxonMobil SpeedPass tags."
  • by benjjj (949782) on Thursday May 25, 2006 @09:48AM (#15401597)
    I think it's common practice for most serious security badges to rely on RFID for part of the verification, but some sort of user input for the rest. I have a prox card at work (which, I assume, is an RFID-based card), but the card only activates a keypad. Without my PIN, it's useless.
  • by hal9000(jr) (316943) on Thursday May 25, 2006 @09:51AM (#15401628)
    It is interesting reading and looks like a fun project. RFID for Makers [makezine.com]

  • RFID Spoofing Guide (Score:5, Informative)

    by Anonymous Coward on Thursday May 25, 2006 @09:51AM (#15401631)
  • by nweaver (113078) on Thursday May 25, 2006 @09:53AM (#15401645) Homepage
    Speedpass is encrypted, they just did a really bad job of the custom cypher they decided to use for it.
  • by ebcdic (39948) on Thursday May 25, 2006 @09:55AM (#15401668)
    "They send a signal only when a reader powers them with a squirt of electrons". Definitely not. Just some radio waves (think crystal set).
  • FUD (Score:2, Informative)

    by QuartzDuane (803077) on Thursday May 25, 2006 @09:56AM (#15401680)
    The cheapest RFID chips - by and large - are not read/write. They're read-only. The Wal-Marts of the world aren't putting read/write RFID in their products. This strikes me as largely a non-issue. As far as the security-badge scenario; you'd have to be pretty close to the badge to get it to transmit. Like, close enough to have it in your hand. If the bad guy has your badge in his hand, you've already got bigger problems.
  • by RagingChipmunk (646664) on Thursday May 25, 2006 @10:06AM (#15401768) Homepage
    It's really no big deal. The vast majority of RFID chips are simply read-only, because that's the bottom of the line cheapest way to go. The card is "pinged" with a radio-field, and the chip burps out its serial number. No over write. No virus attack potential. Nothing of interest... Sure you can spoof these by putting a different tag in its place - oh yay, you've done the same cleverness as peeling a price sticker from a different product.

    Read/Write tags are a step up in cost. They range from 20 bytes to 256 bytes of data with a 10 digit serial number. Some brands support encrypted encoding formats. There is a trivial one byte "access key code" that prevents a Writer from writing to an RFID tag if this "access key code" byte doesn't match. It's really more of an accident prevention mechanism (so you don't accidentally overwrite an ExxonSpeedPass if it was put in a WalMart system).

    Encryption of the "Writable" tags is the responsibility of the application. Since you only have 20 bytes (on the more common, cheaper tags) there isn't much you can do anyway as the number of permutations at 20! is low enough for most script-kiddies to crack. When you start getting up to 256 bytes, then sure it makes absolute sense to encrypt the contents. But, when you're at that price level, you're already considering the hardware that can encrypt at the signal level.

    (Yes, I write code dealing with RFID tags)

    -Mike

  • Well (Score:4, Informative)

    by ShooterNeo (555040) on Thursday May 25, 2006 @10:14AM (#15401836)
    RFID technology has the potential to do everything its backers claim. Inventory tracking for all manner of transportation and commerce could be MUCH more efficient because it is possible to read hundreds of tagged items at once, and without having to rotate the items to expose the barcodes. Unlike a barcode, or a credit card which is basically just a magnetic barcode, easily readable with commonly available readers or even iron filings, RFIDs can be made to keep their codes secret with encryption. It has to be competently done encryption, with secure, proven algorithms and a unique encryption key for EVERY device (it would be retarded if a bank made all of its RFID credit cards, for instance, use the same key)

    Credit card theft and misuse could be almost eliminated with better cards that use encryption so the code changes every time they are used. No longer would the number of your visa card suffice, every transaction would need a new code. For a business relationship, you would press a button on the card to generate a code that a particular merchant could then use repeatedly to charge the card from, and only that merchant.

    Of course, every security measure can be broken. Thieves could still swipe actual cards (and they could be cancelled just as quickly like it is today, but no thief could use the card without physically possessing it). With electron microscopes and specialized equipment someone could read the codes out of memory for a card, and create duplicates : but the cost and time involved could easily be so onerous that no criminal ever did it.

    I think the slashdot mentality is one of fear of the tech because if the megacorps deploying these cards screw it up, we could end up with a system far less secure than we have now. For instance, wireless internet could have been made pretty much 100% secure from the start, but instead was pathetically easy to hack and far less secure than standard cat-5 jacks with no log on.

    I imagine a future walmart or best buy where you grab anything you want to buy and throw it in a mostly plastic shopping cart. You wheel it through a special detector booth enclosed on three sides, and with one big electronic beep EVERYTHING gets instantly scanned, and a total price comes. You take your credit card out of its protective foil sheath, push a physical button ON the card (or press your thumbprint to it), and put it into a little recess on the self checkout machine. You close the foil lined door, another beep follows, you open the door and the transaction is done. 15 seconds, start to finish, whether you are buying 1 item or an entire cart full. No more lines at stores that use the technology, ever. Instead of 30 clerks on the job at Walmart, there are just 4 or so "customer service representatives" to handle problems that come up. There's a roll of bags if you want to bag your own stuff, but otherwise you just push the cart right on out of the store. The guards even at best buy never bother to inspect your cart because each expensive or routinely stolen item has a deeply embedded rfid tag with a writable (WRITE ONCE) field that "knows" if it has been bought. Everything in your cart gets interrogated when you push it through the doors.

    No need for a paper receipt, either - a customer id for who bought the item is on the tag for each item. When you return stuff, you don't need a receipt, either, the clerk can quickly scan all your items when returned and press one button to instantly refund your money or give you store credit with your store card.

    Course, this is the real world. We can't get fcking word processing to work without any trouble at all on computers in offices because viruses, bloatware, stupid users, feature creep, and constant other problems mean that the commonly used Word is MORE trouble prone than the Windows and DOS WordPerfect I used back in 1990. That's like a modern car being outperformed by a Model T! I can imagine this RFID stuff not working right either, or a health scare starting up due to the magneti
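The replay scenario in the summary (sniff a badge's code, play it back at the door) and ShooterNeo's proposal above (a code that changes on every use, with a unique key per device) are easiest to compare in a simulation. The block below is an added example, not code from the Wired article or from any poster in this thread. It models three reader designs in software: a reader that opens for any tag emitting the right static ID, a reader that challenges the badge with a fresh single-use nonce and verifies an HMAC keyed with that badge's own secret, and the shared-key mistake ShooterNeo warns about. Badge IDs, keys and nonces are all made up; the badge here is assumed to have enough logic to compute a keyed MAC, which a cheap passive prox card does not.

```python
"""Static badge ID vs. per-badge challenge-response: a constructed simulation.

Added example, not from the Wired article or any Slashdot poster. All badge
IDs, keys and nonces are invented for the demonstration.
"""
import hashlib
import hmac
import secrets


# --- Design 1: static-ID badge, the sniff-and-replay scenario ---

class StaticIdReader:
    """Opens for any transmission that carries an enrolled serial number."""

    def __init__(self, enrolled_ids):
        self.enrolled = set(enrolled_ids)

    def open_door(self, emitted_id):
        return emitted_id in self.enrolled


def static_replay_demo():
    reader = StaticIdReader({b"\x12\x34\x56\x78"})
    sniffed = b"\x12\x34\x56\x78"      # captured once as the owner walked past
    return reader.open_door(sniffed)   # the replay is indistinguishable from the badge


# --- Design 2: challenge-response with a per-badge key ---

class Badge:
    """A tag with enough logic to compute a keyed MAC (assumed, not a 125 kHz prox card)."""

    def __init__(self, badge_id, key):
        self.badge_id = badge_id
        self._key = key

    def respond(self, nonce):
        return hmac.new(self._key, self.badge_id + nonce, hashlib.sha256).digest()


class ChallengeReader:
    """Issues a single-use random nonce and verifies the badge's MAC over it."""

    def __init__(self, keys_by_id):
        self.keys = dict(keys_by_id)   # the backend holds each badge's own key
        self.outstanding = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def open_door(self, badge_id, nonce, response):
        if nonce not in self.outstanding:    # never issued, or already consumed
            return False
        self.outstanding.discard(nonce)      # each nonce answers exactly once
        key = self.keys.get(badge_id)
        if key is None:
            return False
        expected = hmac.new(key, badge_id + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def challenge_replay_demo():
    """Returns (legitimate use ok, replay of the captured triple, stale answer to a new nonce)."""
    key_a = secrets.token_bytes(16)
    badge = Badge(b"A", key_a)
    reader = ChallengeReader({b"A": key_a})
    n1 = reader.challenge()
    r1 = badge.respond(n1)
    legit = reader.open_door(b"A", n1, r1)          # eavesdropper records (A, n1, r1)
    replay_same = reader.open_door(b"A", n1, r1)    # n1 is already consumed
    n2 = reader.challenge()
    replay_stale = reader.open_door(b"A", n2, r1)   # r1 was computed over n1, not n2
    return legit, replay_same, replay_stale


def clone_with_extracted_key(shared_fleet_key):
    """Attacker dumps the key out of badge A and tries to pass as badge B."""
    if shared_fleet_key:
        k = secrets.token_bytes(16)
        keys = {b"A": k, b"B": k}                    # every badge issued with one key
    else:
        keys = {b"A": secrets.token_bytes(16), b"B": secrets.token_bytes(16)}
    reader = ChallengeReader(keys)
    leaked = keys[b"A"]                              # assume A's key leaks somehow
    forged = Badge(b"B", leaked)
    n = reader.challenge()
    return reader.open_door(b"B", n, forged.respond(n))
```

`static_replay_demo()` opens the door with nothing but the captured bytes. `challenge_replay_demo()` returns `(True, False, False)`: the owner gets in, the captured triple is rejected because its nonce has been consumed, and the captured response is useless against a fresh nonce. `clone_with_extracted_key(True)` returns `True` (one leaked key impersonates the whole fleet) while `clone_with_extracted_key(False)` returns `False` (a leaked key clones only that one badge), which is the difference ShooterNeo's "unique key for EVERY device" makes. A real reader would also bound the `outstanding` set with an expiry so a flood of unanswered challenges cannot grow it without limit.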
  • by tinkertim (918832) * on Thursday May 25, 2006 @10:16AM (#15401854) Homepage
    I'm recollecting many, many instances where I got through a door swiping a key with no pin or other authentication based on what I know.

    Ideally you authenticate on 2 out of these three:

    1 - what you know
    2 - what you have
    3 - what you are (or aren't, depending).

    Now that I think about it, most buildings I've been in that use RFID tags to open doors do not use anything but #2.

    I found this gizmo at Phidgets [phidgetsusa.com] just poking around on Google after reading TFA and feeling curious. That's the biggest one I found, the rest once stripped of their case would be very much like the scanner described in TFA.

    I'm sure this will become a growing problem, quickly.
  • Re:Over the edge (Score:3, Informative)

    by VP (32928) on Thursday May 25, 2006 @10:33AM (#15401984)
    And how is this not being done as is. For anyone who goes into a library, records of what books you check out are kept since you have to submit your library card. Most public libraries are known/thought to share this information with government as it stands.

    I don't know where you get this idea, but currently most public libraries make it a point to destroy the record of you checking out a book after you return it, just so that they don't have this information available if/when the government comes around asking for it. Here is some relevant reading material: http://www.ala.org/ala/oif/ifissues/usapatriotact.htm [ala.org]
  • by pikine (771084) on Thursday May 25, 2006 @10:36AM (#15402018) Journal
    The last sentence on page 2 says: "Compare that to the hundreds of years experts estimate it would take for today's computers to break the publicly available encryption tool SHA-1, which is used to secure credit card transactions on the Internet."

    This is incorrect.

    SHA-1 is a digest algorithm. You give it some data, it outputs a 160-bit string that represents a fingerprint of the data. This fingerprint does not allow you to reconstruct the original input, but you can use it to verify data integrity, that data have not been tampered with. This does not protect against eavesdropping. Hacking a digest algorithm means to find, in a reasonable amount of time, two different inputs that produce the same digest.

    SHA-1 is not a cipher. A cipher takes plain-text and a cipher-key in, and produces cipher-text out, which would appear to a third person without a cipher-key as a pretty random string.
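The digest-versus-cipher distinction pikine draws is worth seeing in runnable form. The block below is an added example, not code from the article or from the poster. It shows the two things a plain digest does and does not give you: any change to the input changes the SHA-1 digest (integrity), but the digest of a low-entropy value, here a 4-digit PIN, is reversed by enumerating every possible input, so it conceals nothing (no confidentiality). A keyed digest (HMAC) is the form in which a hash actually contributes to securing a transaction: only a holder of the key can produce a valid tag. The message, PIN and keys are all made up.

```python
"""Digest vs. cipher: constructed example, not code from the article or from pikine.

Sample values are invented. Demonstrates that SHA-1 detects tampering but does
not hide the input, and that an HMAC needs the key to verify.
"""
import hashlib
import hmac
import itertools


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def digest_matches(received, published_digest):
    """Integrity check: True if the received copy still hashes to the published digest."""
    return hmac.compare_digest(sha1_hex(received), published_digest)


def recover_pin_from_digest(digest_hex):
    """Reverse the unsalted SHA-1 of a 4-digit PIN with at most 10,000 guesses.

    A digest is one-way only when the input space is too large to enumerate;
    it is not encryption.
    """
    for digits in itertools.product("0123456789", repeat=4):
        guess = "".join(digits).encode()
        if sha1_hex(guess) == digest_hex:
            return guess.decode()
    return None


def keyed_digest(key, data):
    """HMAC-SHA1: producible and verifiable only by someone holding the key."""
    return hmac.new(key, data, hashlib.sha1).hexdigest()


def demo():
    """Returns (intact copy verifies, altered copy verifies, PIN recovered from its digest)."""
    msg = b"amount=42.00;merchant=corner-shop"      # constructed transaction record
    published = sha1_hex(msg)
    intact = digest_matches(msg, published)
    altered = digest_matches(b"amount=4200.00;merchant=corner-shop", published)
    pin = recover_pin_from_digest(sha1_hex(b"7391"))  # constructed PIN
    return intact, altered, pin
```

`demo()` returns `(True, False, "7391")`: the unmodified record verifies, the tampered amount does not, and the "hashed" PIN falls out of a 10,000-guess loop. One caveat a reader today should carry along: practical SHA-1 collisions were demonstrated in 2017, so SHA-1 is deprecated for signatures and certificates, though HMAC-SHA1 is not affected by collision attacks.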
  • by Anonymous Coward on Thursday May 25, 2006 @11:12AM (#15402408)
    TOP SECRET FACT: Most modern cars have tracking transponders! While you drive on highways. Wires in the road and 14 feet above, work fine and log your car movement.

    Spy transmission chips embedded in tires that can be read REMOTELY while driving.

    A secret initiative exists to track all funnel-points on interstates and US borders for car tire ID transponders (RFID chips embedded in the tire).

    Yup. My brother works on them (since 2001).

    The us gov T.R.E.A.D. act (which passed) made it illegal to sell new passenger cars lacking untamperable RFID in the tires allowing efficient scanning of moving cars.

    Your tires have a passive coil with 64 to 128 bit serial number emitter in them! (AIAG B-11 ADC v3.0) . A particular frequency energizes it enough so that a receiver can read its little ROM. A ROM which in essence is your GUID for your TIRE. Multiple tires do not confuse the readers. It's almost identical to all "FastPass" "SpeedPass" technologies you see on gasoline keychain dongles and commuter windshield sticker-chips. The US gov has secretly started using these chips to track people.

    It's kind of like FBI "Taggants" in fertilizer and "Taggants" in Gasoline and Bullets, and Blackpowder. But these car tire transponder Ids are meant to actively track and trace movement of your car.

    Taggant chemical research papers :
    http://www.wws.princeton.edu/cgi-bin/byteserv.prl/~ota/disk3/1980/8017/801705.PDF [princeton.edu]
    (remove spaces in url from slashcode if needed)

    I am not making this up. Melt down a high end Firestone, or Bridgestone tire and go through the bits near the rim (sometimes at base of tread) and you will locate the transmitter (similar to 'grain of rice' pet ids and Mobile SpeedPass, but not as high tech as the tollbooth based units). Sokymat LOGI 160, and Sokymat LOGI 120 transponder buttons are just SOME of the transponders found in modern high end car tires. The AIAG B-11 Tire tracking standard is now implemented for all 3rd party transponder manufacturers [covered below].

    It is for QA and to prevent fraud and "car theft", but the US Customs service uses it in Canada to detect people who swap license plates on cars when doing a transport of contraband on a mule vehicle that normally has not logged enough hours across the border. The customs service and FBI do not yet talk about this, and are starting to use it soon.

    Photos of tracking chips before molded deep into tires! :
    http://www.sokymat.com/index.php?id=94 [sokymat.com]

    PLEASE LOOK AT THAT LINK : It's the same shocking tire material I have been trying to tell people about since the spring of 2001 on slashdot.

    a controversial dead older link was at http://www.sokymat.com/sp/applications/tireid.html [sokymat.com]

    (slashdot ruins links, so you will have to remove the ASCII space it inserts usually into any of my urls to get to the shocking info and photos on the embedded LOGI 160 chips that the us Gov scans when you cross Mexican and Canadian borders.)

    You never heard of it either because nobody moderates on slashdot anymore and this is probably +0 still. It has also never appeared in print before and is (or was) very secret.

    Californias Fastpass is being upgraded to scan ALL responding car tires in future years upcoming. I-75 may get them next in rural funnel points in Ohio.

    The photo of the secret high speed overpass prototype WAS at :
    http://www.tadiran-telematics.com/products6.html [tadiran-telematics.com] ...but the shocking link finally died in July 2004 and the new location 2005 does not have a photo of an RFID bridge underpass RFID database collector. But this 2005 link below does discuss their toll booth RFID tracking uses...
  • Re:Subscriber only (Score:3, Informative)

    by hal9000(jr) (316943) on Thursday May 25, 2006 @11:36AM (#15402649)
    Snap! Ok, here are a few.

    RFID Door [extremetech.com]
    RFID board [phidgetsusa.com]
    Instructions on building an extended range reader [iacr.org]
  • by Plugh (27537) on Thursday May 25, 2006 @11:41AM (#15402689) Homepage
    There is a very active resistance to Real-ID here in New Hampshire. We came within a whisper of passing a law (HB1582 [generalcourt.org]) that would have explicitly rejected Real-ID; there was an incredibly passionate speech on the floor of the House of Representatives: here's the video [freestateblogs.net]

    In addition, there was a large rally at the NH State Capitol; here is that video [google.com].

    Unfortunately, our State Senate pulled some extremely underhanded parliamentary tricks to kill HB1582; all the gory details (and sound bites from the Senate) are here [freestateblogs.net]. The good news is, we here in the "Live Free or Die" state are still actively resisting this intrusion into our privacy!

    We take privacy seriously here in New Hampshire, especially privacy from the gorram Government!
  • by mikelieman (35628) on Thursday May 25, 2006 @02:10PM (#15404061) Homepage
    If the ladies were properly armed with handguns, this sort of thing wouldn't happen.