

Chris Paget shows off one of the RFID cloner antennas at a 2007 security conference. Mr. Paget has since refined the design. He recently showed how easy it was to pick up RFID passport card data with a simple antenna/reader setup, and did so, picking up 2 passports in a 20 minute drive in San Francisco  (Source: Flickr)
RFID system is shown yet again to be painfully insecure

A couple of years ago, RFID was considered one of the hottest new technologies.  RFID was thought to be a great idea for digitizing shipping and making it more efficient -- many began to dream up new uses for the tracking tags.  What about putting them in credit cards, passports, or even in our bodies?  Many of these ideas were indeed implemented, and today many major credit cards, as well as U.S. passport cards (an alternative to paper passports), feature RFID chips.

However, last year, proof-of-concept attacks started to expose just how insecure RFID might be as a means of personal identification.  Hackers hitched free rides on subways, and MythBusters was set to air a special on how hackable RFID credit cards were, only to back down after criticism and hints at legal action from the credit card industry.

While new active RFID chips may provide greater security, the passive chips found in many sensitive items have been shown to be insecure.  But just how insecure are they?

That's what Chris Paget, director of research and development at Seattle-based IOActive, set out to show.  Mounting a $250 USD Motorola RFID reader and an antenna to his side window, he cruised the streets of San Francisco for 20 minutes, with a colleague who videotaped the demonstration.

He picked up the details of two U.S. passport cards.  The information could easily be used to clone the cards and create fake passports that would pass as the real thing.  He says the demonstration is just one more sign of what a bad idea it is to use RFID tags in security-sensitive areas.  He states, "I personally believe that RFID is very unsuitable for tagging people.  I don’t believe we should have any kind of identity document with RFID tags in them. My ultimate goal here would be, my dream for this research, would be to see the entire Western Hemisphere Travel Initiative be scrapped."

The Western Hemisphere Travel Initiative is the program which champions the RFID passport cards, which allow for easy travel to anywhere in the Western Hemisphere, as the name implies.  Authorities cite ‘kill codes’ (which can wipe the card’s data) and ‘lock codes’ (which prevent the tag’s data from being changed), both built into the cards, as proof of their security.

However, Mr. Paget says the cards would be easy to clone.  Even when one of these signals is sent in a radio interrogation, he elaborates, it would be easy to collect, analyze, and override, as it is in plain text.

The ease with which Mr. Paget picked up the passport info is all the more striking given that less than a million of the cards have been issued to date, meaning that likely relatively few people were driving on the streets with the cards.

While Mr. Paget is known as a ‘white hat’ ethical hacker, his latest moves could land him in legal hot water.  San Francisco at this time has not announced any plans to pursue legal action against him, though.  A constant voice of skepticism about RFID, Mr. Paget in 2007 was set to present a paper on the security failings of RFID at the Black Hat security conference in Washington, only to be forced out after legal threats by an RFID company.



Comments



Encryption?
By Spivonious on 2/4/2009 4:34:39 PM , Rating: 2
Why don't they use a private key instead of plain text? If the Customs people had the key to decrypt the RFID data in passports, then the would-be forger would also have to obtain that key. If that's not secure enough, then build in one of those auto key switchers that makes a new key every 5 minutes.




RE: Encryption?
By Yames on 2/5/2009 1:07:50 PM , Rating: 2
Even if they did, you would still be able to clone the encrypted ID. Then it would work as the original. However, this would be better than plain text to protect the information in the ID.
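The point made in the exchange above, as an added example that is not part of the original thread or article: an encrypted but static ID still validates when its ciphertext is copied, whereas a tag that answers a fresh reader challenge with a keyed MAC does not. All names, the key-derivation scheme and the toy HMAC keystream are assumptions made for illustration; the challenge-response contrast is not something the page proposes.

```python
import hashlib
import hmac
import secrets

ISSUER_KEY = secrets.token_bytes(32)  # constructed; held by issuer and readers only

def _xor(key, nonce, data):
    # One HMAC-SHA256 block as keystream (IDs <= 32 bytes); stand-in for a real cipher.
    pad = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def tag_key(tag_id):
    # Per-tag secret derived from the issuer key (assumed provisioning scheme).
    return hmac.new(ISSUER_KEY, b"tag-key|" + tag_id, hashlib.sha256).digest()

class StaticResponder:
    """Always emits the same bytes: models a genuine static tag and any copy of it."""
    def __init__(self, blob):
        self.blob = blob
    def respond(self, challenge):
        return self.blob

class ChallengeTag:
    """Keeps a secret on the tag and MACs the reader's fresh challenge with it."""
    def __init__(self, tag_id):
        self.tag_id, self.key = tag_id, tag_key(tag_id)
    def respond(self, challenge):
        return self.tag_id + hmac.new(self.key, challenge, hashlib.sha256).digest()

def accepts_static(tag, enrolled):
    blob = tag.respond(b"")
    return _xor(ISSUER_KEY, blob[:12], blob[12:]) in enrolled

def accepts_challenge(tag, enrolled):
    challenge = secrets.token_bytes(16)  # new for every read
    resp = tag.respond(challenge)
    tag_id, mac = resp[:-32], resp[-32:]
    good = hmac.new(tag_key(tag_id), challenge, hashlib.sha256).digest()
    return tag_id in enrolled and hmac.compare_digest(mac, good)

def demo():
    tid = b"CARD-0001"  # constructed sample identifier
    nonce = secrets.token_bytes(12)
    static = StaticResponder(nonce + _xor(ISSUER_KEY, nonce, tid))
    dynamic = ChallengeTag(tid)
    overheard = (static.respond(b""), dynamic.respond(secrets.token_bytes(16)))
    copy_s, copy_d = (StaticResponder(r) for r in overheard)
    return (accepts_static(static, {tid}), accepts_static(copy_s, {tid}),
            accepts_challenge(dynamic, {tid}), accepts_challenge(copy_d, {tid}))
```

`demo()` returns the reader's verdicts in the order genuine static tag, copied static tag, genuine challenge tag, replayed challenge response; only the last is rejected.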


By thenannystate on 2/4/2009 8:04:53 PM , Rating: 2
After reading about the problems that the public transit systems are having with people cloning fare cards and using up people's balance, I immediately went to my bank to ask them which RFID chip they use in the card. Of course they didn't know, so I chose to get a new card without one. Fortunately my bank offers that, but they didn't inform me that the first card I got was going to have it. It is also known in the US as paywave.




By TomZ on 2/4/2009 12:03:46 PM , Rating: 2
Paget's experiment demonstrates how effective the shield is - or isn't. It is not foolproof obviously as some users will knowingly or unknowingly not use it.

Also, shields only "attenuate" signals - they don't block them 100%. I would imagine a more sensitive receiver could read RFID passports in their shields.

Overall seems like a bad idea. They should stick with barcodes.


By tastyratz on 2/5/2009 4:42:19 PM , Rating: 2
A 3D barcode would be the most logical and safe solution, but it just isn't as "hot button cool" as RFID.

At the very least some sort of encryption should have been pursued for this very reason - the fact that it's transmitted in plain text is just utter fail.


By Chocobollz on 2/4/2009 2:59:25 PM , Rating: 2
I think that is not the right solution. If someone wants to steal a lot of RFID data, he could just do it in a place where the RFID itself will most likely be used (therefore, no protection from the sleeve), like at a country border or in an airport, for example. It is as simple as that. Then you'll be faced with 2 options: use your RFID and get your data stolen, or protect the RFID but be unable to use it as an ID card. Which one will you choose? ~_~


By Moishe on 2/5/2009 9:04:25 AM , Rating: 2
Good idea for a product except that it's not perfect and it adds an extra step. Now I have to pull my CC out of the wallet and then out of the sleeve.

They need a wallet made entirely of that material.

The best defense though is to come up with a way to encrypt the data so that even reading it is useless without a key.


By Mojo the Monkey on 2/5/2009 4:52:46 PM , Rating: 2
I have seen such wallets, I think on ThinkGeek or a similar site.
Copyright 2014 DailyTech LLC.