Real RFID Hacking Scenarios

Posted by Zonk
from the rfid-underground dept.
kjh1 writes "Wired is running an article on RFID hacking that has potentially scary implications. Many RFID tags have no encryption and will happily transmit their information in the clear if they are active or within range of a reader. Worse yet is that they can be overwritten. Some interesting scenarios and experiments: snagging the code off of a security badge and replaying it to gain access to a secure building; vandalizing library contents by wiping or changing tags on books; changing the prices of items in a grocery or other store; and getting free gas by tweaking the ExxonMobil SpeedPass tags."
  • Nothing New (Score:5, Interesting)

    by WebHostingGuy (825421) * on Thursday May 25, 2006 @10:52AM (#15401632) Homepage Journal
    While they may have just realized this, everyone else has already known about it. Three years ago I attended BlackHat in Vegas and the presenters already were doing this.

    They showed live examples and had very interesting stories about how they were reprogramming cheese to send RFID signals saying they were shaving products. Also, the store they were doing this in used RFID on all their products to make sure everything is shelved in the right place. They would reprogram an item on the shelf (already in the right place) to emit a signal saying it was something else. When the store came by to move the item to the correct place all they would find is the correct item. The presenters say it drove the store nuts.
  • Very interesting (Score:1, Interesting)

    by goldaryn (834427) on Thursday May 25, 2006 @10:53AM (#15401647) Homepage
    Interesting points raised in TFA. It's worth bearing in mind, though, that the average range for a passive RFID tag is only a few yards.

    The Wikipedia article on RFID [wikipedia.org] states "The US state of Virginia has considered putting RFID tags into driver's licenses ostensibly to make lookups faster for police officers and other government officials." Now that would be fun, if you had a cloner!

    By the way, read the "Religious Reaction to RFID" part if you haven't. It's "interesting".
  • by Kadin2048 (468275) <slashdot@kadin.xoxy@net> on Thursday May 25, 2006 @11:13AM (#15401823) Homepage Journal
    Except the keypad is digital...

    Huh?

    I'm not sure I'm understanding what you're saying. Of course the keypad is digital. My keyboard is digital. Pretty much anything except for a mechanical combination lock is going to be "digital." (Well, even that you can argue is 'digital,' in the non-computerized sense of the term.)

    Are you saying that the keypad appears on a screen, with the numbers in a random order in the array? E.g., so that some person might get a keypad numbered [[6,2,9][5,4,7][8,1,3]] and the next person would get [[3,8,4][5,2,1][6,9,7]]?

    Seems like a system like that, which requires a touch-screen instead of a regular el-cheapo numeric keypad, would be pretty expensive to implement. If you have a small number of chokepoints where you can put them, it might work, but if you're trying to secure all the exterior doors of a large number of buildings, I could see it getting prohibitively expensive fast.

    I have seen a lot of places that use Prox-Cards as their only form of authentication for access control: for whatever reason, people seem to think they're "more secure" than swipe cards. They were actually implemented at a place that I worked a few years ago this way, and I argued against them because of the RFID interception risk, but I got shot down by the PHB's and the system vendors, who said this was 'totally impossible.' I was tempted to try and figure out how to intercept the transmission, but I never had the time to get started.

    At any rate, I don't work there anymore.
  • by Iphtashu Fitz (263795) on Thursday May 25, 2006 @11:18AM (#15401873)
    After the recent reports that companies like Levis were testing RFID tracking [mobilemag.com] in their clothes I started searching around to see what it'd cost to get an RFID reader if I wanted to start tinkering. Although self-contained hand-held readers are still quite pricey I did find an alternative. There are companies that are selling RFID attachments for Palm and Windows CE devices. For about $200-$400 you can buy an RFID device that plugs into an SD slot. Depending on how much you want to pay you can get just a reader or a reader/writer. With a little bit of software work it probably wouldn't be very difficult at all to whip up an RFID "skimmer" that you could just stick into your pocket. Just casually walk by a security guard and steal his access card, walk around a store and reprogram prices, etc. and nobody would know it was you since you're just walking around and the device in your pocket is doing all the real work.
  • by OzPeter (195038) on Thursday May 25, 2006 @11:38AM (#15402039)
    The June edition contains an interesting article on RFID and its security with respect to consumers. It is a good introductory article that covers all of the main security issues. It also talks about how various people who have been influential in the government are now working for RFID companies (one being Tom Ridge, former Secretary of Homeland Security).

    What was interesting to me in the same article is a reference to IBM having a 2001 patent application for tracking individual persons using the RFID constellation they create when carrying around a significant number of RFID tags. You nominate your target and profile what RFIDs they have, and then just look for that specific profile as it floats from detector to detector. This is scary stuff.

    On a slightly related note, I remember seeing a comment somewhere about how teenage boys could profile the RFID constellation of hot looking women walking down the street and correlate this with the Victoria's Secret catalogue in order to pick who was wearing the hot lingerie. This is a weird but possible new behaviour that RFIDs are opening.

    Of more importance, I saw recently a reference to an RFID tag that could be embedded in currency notes as an anti-counterfeiting measure. Imagine how the muggers would jump on board this if it comes true.
  • I beg to differ (Score:2, Interesting)

    by BitterAndDrunk (799378) on Thursday May 25, 2006 @11:45AM (#15402125) Homepage Journal
    All the locks in the public showers in the Cambell/Landon/Mayo dorms at Michigan State were installed because a "grabber" was hiding out in showers and . . . well. . . grabbing.

    Why do I know? BECAUSE I WAS THAT MAN. Not really. I lived there during that time, in 1995.

  • by Kadin2048 (468275) <slashdot@kadin.xoxy@net> on Thursday May 25, 2006 @12:08PM (#15402345) Homepage Journal
    I have to hand it to that guy, that's some pretty brilliant homebrew. (He even has a home-built PCB router!)

    He's right though that if you did a multilayer board that you could make the device a lot smaller; and I tend to wonder if you used an FPGA if you couldn't make it even smaller, down to around key-fob size. At any rate, he already seems to have achieved the "cigarette pack" size benchmark for a portable device, or close to it.

    From his "Security Implications" section:
    I could also exploit the fact the distance at which the cards will be powered is less than the distance at which they can be read; if another reader is exciting the card then my reader can read that card from the other side of a wall!

    This means that a sniffer concealed somewhere near a legitimate reader could intercept real transactions at a significant distance. This sort of attack is particularly good because the card repeats its id over and over as long as it is in the field, so that I could use signal processing techniques to combine multiple copies of the pattern to further improve my read range. This is easy--if I sample all 64 bits of the id then I don't have to get word-sync, and if I oversample then I don't even have to get bit-sync. Even if I capture the id with a few bit errors it is still useful; I could try the captured id, then every id with a Hamming distance of 1 from the captured id (one bit flipped), then 2, and so on. One or two bit errors would take seconds; three would take minutes.
    I think this is worth pointing out, because most people think of RFID cards as line-of-sight devices. But there's nothing stopping someone from burying a sniffer on the other side of the wall that the reader is mounted on, or maybe some distance away if they have a high-gain receive antenna and some good pre-amplification and filtering (not too hard: they're only trying to receive on one very particular frequency, so the whole setup can be tuned for that purpose).

    It's also worth noting the date on that article: October 2003. It's almost three years old at this point -- and while I'm not convinced that RFID equipment has gotten any smarter, the installed base has increased significantly. The demand for sniffing equipment is going to be pretty big, and there are a lot of grey-market factories in Asia (like the ones that make console mod-chips) that will be happy to supply the hardware.
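    The quoted "Security Implications" passage turns on one property: a prox card that answers every field with the same fixed id makes a single sniffed transaction (even one with a few bit errors) as good as the card. The following Python model is an added illustration, not code from this thread or from the article it quotes; the classes, the HMAC-based challenge-response scheme, the 16-byte nonce and the sample card id are all assumptions constructed for the example. It pairs a static-id badge with a challenge-response badge and shows that a recording of a legitimate transaction is admitted by the first reader but rejected by the second, and it counts the candidate set behind the article's "seconds / minutes" estimate for captured ids with up to three bit errors.

```python
"""Toy model: static-id proximity card vs. challenge-response card.

Added illustration, not code from the thread or the quoted article.
The protocol, key size, nonce size and card id are constructed for the example.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from math import comb


class StaticIdTag:
    """Card that emits the same 64-bit id to any field that powers it."""

    def __init__(self, card_id: int) -> None:
        self.card_id = card_id

    def respond(self, challenge: bytes = b"") -> bytes:
        # The challenge is ignored: the answer never changes, so a recording
        # of one transaction is as useful as the card itself.
        return self.card_id.to_bytes(8, "big")


class StaticIdReader:
    """Door controller that admits any enrolled id it hears."""

    def __init__(self, enrolled_ids: set[int]) -> None:
        self.enrolled = set(enrolled_ids)

    def admit(self, response: bytes) -> bool:
        return int.from_bytes(response, "big") in self.enrolled


class ChallengeResponseTag:
    """Card holding a per-card secret; its answer depends on the reader's nonce."""

    def __init__(self, card_id: int, key: bytes) -> None:
        self.card_id = card_id
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        id_bytes = self.card_id.to_bytes(8, "big")
        mac = hmac.new(self.key, challenge + id_bytes, hashlib.sha256).digest()
        return id_bytes + mac


class ChallengeResponseReader:
    """Door controller that issues a fresh random nonce for every transaction."""

    def __init__(self, keys_by_id: dict[int, bytes]) -> None:
        self.keys = dict(keys_by_id)

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def admit(self, challenge: bytes, response: bytes) -> bool:
        id_bytes, mac = response[:8], response[8:]
        key = self.keys.get(int.from_bytes(id_bytes, "big"))
        if key is None:
            return False
        expected = hmac.new(key, challenge + id_bytes, hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)


def ids_within_hamming_distance(bits: int, max_errors: int) -> int:
    """Size of the candidate set if a captured id has up to max_errors flipped
    bits: the sum of C(bits, k) for k <= max_errors. For 64 bits this is 65,
    2081 and 43745 for one, two and three errors, which is why the quoted
    article puts the search at seconds or minutes. The count is a risk figure;
    it is small only because the static id itself is the whole credential."""
    return sum(comb(bits, k) for k in range(max_errors + 1))


def run_demo() -> dict[str, bool]:
    """Record one legitimate transaction against each reader, then present the
    recording again. Returns which presentations were admitted."""
    card_id = 0x0123456789ABCDEF  # constructed sample id, not a real card

    # Static-id badge: the recording alone opens the door.
    static_tag = StaticIdTag(card_id)
    static_reader = StaticIdReader({card_id})
    recording = static_tag.respond()  # captured near the legitimate reader
    static_replay = static_reader.admit(recording)

    # Challenge-response badge: the recording answers the old nonce only.
    key = secrets.token_bytes(16)  # per-card secret, never transmitted
    cr_tag = ChallengeResponseTag(card_id, key)
    cr_reader = ChallengeResponseReader({card_id: key})
    nonce = cr_reader.challenge()
    recording = cr_tag.respond(nonce)  # captured during a real entry
    legitimate = cr_reader.admit(nonce, recording)
    replay = cr_reader.admit(cr_reader.challenge(), recording)  # fresh nonce

    return {
        "static_replay_admitted": static_replay,
        "cr_legitimate_admitted": legitimate,
        "cr_replay_admitted": replay,
    }


if __name__ == "__main__":
    print(run_demo())
    print({k: ids_within_hamming_distance(64, k) for k in range(4)})
```

    Running the block admits the replayed recording for the static-id reader and rejects it for the challenge-response reader, because the second reader's nonce changes on every transaction and the per-card key never goes over the air. The same change also removes the value of the Hamming-distance search described in the quote: with no fixed id to recover, a noisy capture of one transaction gives the eavesdropper nothing to correct toward. Real badge systems would add rate limiting on failed attempts and revocation of an enrolled id, neither of which this toy models.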
  • by Anonymous Coward on Thursday May 25, 2006 @12:50PM (#15402780)
    not true...

    New Hampshire did nothing to stop the RFIDs hidden in cars from being used by federal authorities to track and log car movements.

    Refer to long detailed post regarding RFID in cars... all cars sold in New Hampshire in fact without exception.

    http://slashdot.org/comments.pl?sid=186652&cid=15402408 [slashdot.org]

    For some reason no one mods anymore on slashdot so people in New Hampshire probably overlooked it unless they read at "anon whistleblower" level of 0.

    I agree New Hampshire is more free than most any other state... but they do plan on tracking citizen movements... just as all gasoline sold in New Hampshire has chemical signature "taggants" added.

    The kids burning churches in Georgia this year in 2006 were caught not from "luck" or "police talent" but solely because of the gasoline taggants traced back to point of purchase. Amusingly that fact was never divulged in the press. In fact disinformation regarding a tire tread database was used. HA!

    The truth is taggants and RFID make lots of anonymous movement difficult.

    New Hampshire does not care about rights.
    read http://slashdot.org/comments.pl?sid=186652&cid=15402408 [slashdot.org]

  • Re:I beg to differ (Score:4, Interesting)

    by jc42 (318812) on Thursday May 25, 2006 @02:30PM (#15403687) Homepage Journal
    Someone who cops a feel is a little different than a sexual predator at least in my mind.

    Of course, the courts may think differently than you do.

    We had a good example hereabouts (a suburb of Boston) a few years back, when there was a news story about a college student who'd had a few drinks on a Saturday night and relieved himself in an alley. Unfortunately for him, he was spotted by a cop, arrested, charged with, and convicted of indecent exposure. It was pointed out in the news stories that now he'd have to register as a sex offender anywhere he ever lived again.

    Among all the comments on the draconian nature of this, there were a few that pointed out another problem: To many of us who read the stories, the phrases "sex offender" and "sexual predator" now induce the thought "Probably another guy caught peeing in a dark alley."

    Someone once observed that a problem with unjust laws is that they bring the entire legal system into disrespect. Some of the best examples are the extreme reactions to things like this.
