Real RFID Hacking Scenarios

Posted by Zonk
from the rfid-underground dept.
kjh1 writes "Wired is running an article on RFID hacking that has potentially scary implications. Many RFID tags have no encryption and will happily transmit their information in the clear if they are active or within range of a reader. Worse yet is that they can be overwritten. Some interesting scenarios and experiments: snagging the code off of a security badge and replaying it to gain access to a secure building; vandalizing library contents by wiping or changing tags on books; changing the prices of items in a grocery or other store; and getting free gas by tweaking the ExxonMobil SpeedPass tags."
  • by tinkertim (918832) * on Thursday May 25, 2006 @10:49AM (#15401612) Homepage
    From TFA:

    A typical passive RFID chip costs about a quarter, whereas one with encryption capabilities runs about $5. It's just not cost-effective for your average office building to invest in secure chips.

    Ok, office with 200 people. You mean to tell me a lousy thousand bucks isn't worth preventing an intrusion? Some places spend that much a month on copy paper.

    I'd call it cost effective considering the alternative possibilities :)
  • by InsomniacMK5 (975929) on Thursday May 25, 2006 @10:50AM (#15401620) Homepage
    There will be those who can manipulate it. On one hand I think it's awesome that people have the technical expertise to do it. On the other hand it's scary when you want to play by the rules and be affected negatively by something of this sort.
  • by Hoho19 (529839) on Thursday May 25, 2006 @10:51AM (#15401627)
    My college has no keypad. You just swipe your card. That's a huge security risk. Imagine if some sexual predator got access to a dorm. That's scary!
  • by Demon-Xanth (100910) on Thursday May 25, 2006 @10:51AM (#15401629)
    What is really needed for security applications that use RFID is a kind of shielded wallet, that when an RFID tag is placed inside would keep the RFID tag from being read. Preferably one that could carry multiple cards and such. When you want something to be able to read it, you open it up. When you don't, you close it.

    I don't think many people carry their credit cards out in the open.
  • by Aladrin (926209) on Thursday May 25, 2006 @10:54AM (#15401658)
    It costs a LOT more than $5 to hire someone. If you count the cost of the name/rfid badge in the newhire cost, it doesn't look nearly so bad anymore, either.
  • by dpbsmith (263124) on Thursday May 25, 2006 @10:57AM (#15401692) Homepage
    Dilbert once ran a strip in which the PHB says "Reasoning that anything I don't understand must be easy..." before assigning Dilbert a monumental task on an impossibly short deadline. This is a mental trap that's easy to fall into.

    Another similar trap is "Any security technology I don't understand must be secure."

    Everyone has some vague notion of how a traditional lock and key work, and how they might be circumvented.

    But if there is no hole where the keyhole should be, and what IS there has some spiffy up-to-date appearance, and is "electronic" or "digital," the natural assumption is that because it clearly isn't a traditional lock and key, it must not have the traditional security vulnerabilities of a traditional lock and key... and since we aren't familiar with the new technology, we assume that "no traditional security vulnerabilities" = "no security vulnerabilities."

    And, obviously, the vendor of the new system, who is likely to be in the best situation to know them, isn't likely to explain them to us.
  • Hacking? (Score:2, Insightful)

    by tehcyder (746570) on Thursday May 25, 2006 @11:10AM (#15401802) Journal
    Have we now given up on using the word hacking except in a pejorative sense?

    The examples given all appeared to be illegal to me.

  • by qwijibo (101731) on Thursday May 25, 2006 @11:31AM (#15401971)
    I dislike the idea of shielded wallets because it misses the point. If you want something to default to off without user interaction, you shouldn't be using something that is always on plus another thing that mitigates the always on effect. Why not just make the rfid circuit default to open and make you do something like squeeze the badge to close the circuit and enable the RFID capability? Always on means always vulnerable. That gets sold based on convenience, but is it ever really a good idea?
  • by jandrese (485) <kensama@vt.edu> on Thursday May 25, 2006 @11:35AM (#15402005) Homepage Journal
    Yes, because nobody in a dorm would be able to hear someone screaming for help...

    Dorm security is a joke because for the most part it's not necessary. The people who break into dorms aren't sexual predators, they're common thieves trying to make off with a laptop or two. Most of the time they have legitimate access to the dorm anyway so the front door security is useless to begin with. Lock your door when you go to bed or leave the room, that's all there is to it.
  • by Thuktun (221615) on Thursday May 25, 2006 @12:10PM (#15402383) Homepage Journal
    Why not just store *encrypted* data on it? My hard disk doesn't support encryption, but I can store encrypted files (even partitions) on it nonetheless.

    When you're talking about authentication tokens, this does absolutely ZERO to block a replay attack.
  • by pikine (771084) on Thursday May 25, 2006 @12:13PM (#15402411) Journal
    I think you underestimated how a read-only RFID tag can still be subject to play-back attack. You can fake the presence of an RFID. This becomes a problem when the person deploying RFID doesn't understand the consequences. For example, since perimeter security assumes that authorization is equivalent to the presence of an ID, being able to fake RFID violates this assumption and breaches security.

    TFA mentions a couple of these examples, where deployment is flawed. The flaw is not in the RFID technology.

    As for encryption, if the RFID always echoes back the same cipher-text, then it is still subject to play-back attack. Encrypted authentication is only useful if there is some sort of challenge-response protocol. I'm sure you know all this.
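The point pikine makes above, that a tag which always echoes the same value (plain or encrypted) can be recorded and presented again while a challenge-response exchange cannot, modelled as an added toy example in Python. This is not code from the article or from anyone in the thread; the badge ID, the shared key and the HMAC-over-nonce scheme are constructed assumptions for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed shared secret, provisioned into both the tag and the reader.
KEY = b"constructed-demo-tag-key"


class StaticTag:
    """A plain tag: it answers every reader with the same fixed identifier."""
    def __init__(self, tag_id):
        self.tag_id = tag_id

    def respond(self, challenge=None):
        return self.tag_id


class ChallengeTag:
    """A keyed tag: it answers with an HMAC over the reader's fresh nonce."""
    def __init__(self, tag_id, key):
        self.tag_id, self.key = tag_id, key

    def respond(self, challenge):
        mac = hmac.new(self.key, self.tag_id.encode() + challenge, hashlib.sha256).hexdigest()
        return (self.tag_id, mac)


def static_reader_accepts(response, allowed_ids):
    """Reader that trusts presence of a known identifier as proof of authorization."""
    return response in allowed_ids


def challenge_reader_accepts(response, allowed_keys, challenge):
    """Reader that only accepts an HMAC bound to the nonce it issued for this exchange."""
    tag_id, mac = response
    key = allowed_keys.get(tag_id)
    if key is None:
        return False
    expected = hmac.new(key, tag_id.encode() + challenge, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def replay_outcomes():
    """Record one legitimate exchange per tag, then present the recording at a later exchange."""
    allowed_ids, allowed_keys = {"BADGE-0042"}, {"BADGE-0042": KEY}
    static_tag, keyed_tag = StaticTag("BADGE-0042"), ChallengeTag("BADGE-0042", KEY)
    # Legitimate exchanges; these are what an eavesdropper near the reader would capture.
    recorded_static = static_tag.respond()
    first_nonce = secrets.token_bytes(16)
    recorded_keyed = keyed_tag.respond(first_nonce)
    # A later exchange: the challenge reader issues a new nonce, the static reader has none.
    later_nonce = secrets.token_bytes(16)
    return {
        "static_replay_accepted": static_reader_accepts(recorded_static, allowed_ids),
        "challenge_replay_accepted": challenge_reader_accepts(recorded_keyed, allowed_keys, later_nonce),
    }
```

The static reader cannot distinguish the recording from the live tag, while the challenge reader rejects it because the recorded MAC was computed over a nonce it is no longer asking for.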
  • by Proteus (1926) on Thursday May 25, 2006 @12:26PM (#15402546) Homepage Journal
    A lot of these problems stem from using RFID as authentication (esp. single-factor) rather than identification.

    Most of the good RFID-enabled security measures I've seen essentially use the RFID as a rapid user ID. When I approach a secured door, the RFID says "this is Proteus", and a second device (PIN-pad, hand scanner, etc.) says "ok, prove it". That's much the same as a username/password pair, except cloning the RFID has a higher work-factor than guessing a user ID (e.g. it requires physical proximity and specialized hardware).

    That doesn't mean RFID isn't secure. It's just that too many people are using it as magical techno-faery-dust to solve security problems, and that behavior leads to insecurity.

    Of course, there are real security issues with certain RFID applications. The DoS that can result from removing/altering the tags is concerning -- makes one wonder why the RFID tag in a library book (for example) needs more data than an unalterable serial number. Can't the readers correlate that number with record in a DB?

    Add to that the issue of tracking that comes with things like implantable RFID chips. Yeah, those could just be a serial number. But imagine stores putting RFID scanners in their doorways: they know the ID# of everyone who went in and out of the store, and even if they can't correlate that with your identity, the police could. Now, what if I clone your ID# and rob a store?

    Again, though, that's not a problem with the RFID tech, but with an ill-conceived implementation and too much trust. The only security problem with the tech itself is the overwriting/erasing issue.
  • Re:Hello noobcakes (Score:3, Insightful)

    by peacefinder (469349) * <alan.dewitt@SLAC ... com minus distro> on Thursday May 25, 2006 @04:23PM (#15404719) Journal
    "Using a laptop and a simple RFID broadcasting device, they tricked the system into letting them fill up for free."

    As in so many things on slashdot, the definition of "free" matters here. In this case, it could mean
    1) no one was charged for the fuel by ExxonMobil.
      or
    2) some other ExxonMobil customer was charged for the fuel, but the pumper was not charged.
      or
    3) the fuel was liberated. :-)

    It seems to me that #2 is by far the most likely, which is probably what the GP poster was getting at.

    As for calling it "identity theft", as the GP did, that's daft. It's just a plain run-of-the-mill theft.
  • Cookies? (Score:3, Insightful)

    by Michael Woodhams (112247) on Thursday May 25, 2006 @05:26PM (#15405284) Journal
    "He programmed RFDump with the ability to place cookies on RFID tags the same way Web sites put cookies on browsers to track returning customers. With this, a stalker could, say, place a cookie on his target's E-ZPass, then return to it a few days later to see which toll plazas the car had crossed (and when). Private citizens and the government could likewise place cookies on library books to monitor who's checking them out."

    This makes no sense. Either he has to get access to the library/E-ZPass data (in which case no cookie is needed) or the library needs to be writing to the tag - which it doesn't do.

    Can anyone invert the ignorant-reporter-transform which has been applied to this paragraph?
