
Lawyers step in with the smack down

How easy is it to hack an RFID passport? Just how much knowledge is required to screw around with RFID-enabled credit cards or fare systems? The subject has received a lot of attention lately, what with Dutch and Bostonian researchers hitching free subway rides, and it appears the latest casualty in the resulting legal battle is the hit science show Mythbusters.

According to show co-host Adam Savage, speaking in a panel at hacker convention HOPE, the show’s production crew was virtually bound and gagged by a phalanx of credit card companies after they caught wind of an upcoming episode featuring the tech and just how easy it is to hack.

At the time, the episode was early in production, and it appears that at some point a researcher from the production crew contacted chipmaker Texas Instruments for assistance. TI and Mythbusters agreed to a conference call to discuss the technology involved, and upon meeting via telephone it became clear that instead of answers, the representatives from TI brought along a team of lawyers:

“I’m not sure how much of this story I’m allowed to tell,” he says nervously. “Texas Instruments comes on along with chief legal counsel for American Express, Visa, Discover, and everybody else...”

At this point, the audience lets out muted laughter. “[Our team was] way, way outgunned and they absolutely made it really clear to [show owner] Discovery that they were not going to air this episode talking about how hackable [RFID] was, and Discovery backed way down being a large corporation that depends upon the revenue of the advertisers. Now it's on Discovery's radar and they won't let us go near it.”

The funny thing, I think, is that credit card companies have had a relatively easy time as far as public scrutiny goes. While there are indeed RFID chips embedded in some credit cards, as far as I’ve seen it really isn’t too common; indeed the push towards RFID-powered plastic money hasn’t gathered nearly as much attention as, say, RFID-powered passports and subway tickets.

Hackers, many of whom aren’t the type to let something like this slide, could change that very soon.

But why credit card lawyers? Are we about to see a wave of contact-free credit cards? (Judging by those insipid Life Takes Visa commercials, I consider it highly likely.) Or perhaps they appeared on behalf of retailers – many of which use RFID for inventory tracking purposes now, championed by Wal-Mart – and wanted to stave off a criminal revolution of sorts. (As if crooks don’t already have access to this information…)

Whatever the reasons, the sheer amount of lawyers involved with the technology is a clear indication that RFID is here to stay – flawed or not.



Comments

To paraphrase Mr. Hyneman
By Chris Peredun on 9/2/2008 8:20:59 AM , Rating: 5
quote:
Whatever the reasons, the sheer amount of lawyers involved with the technology is a clear indication that RFID is here to stay – flawed or not.

"Well there's your problem!"

I predict a significant increase in the number of "How to hack RFID" videos springing up on YouTube. Despite the "Don't try this at home" disclaimer, the mention that the Mythbusters were going to take this one on and weren't allowed should gather enough attention.

And I recall it being mentioned as an aside in an earlier episode involving RFID tags (I think it was the "RFID + MRI = Explosion?" myth) that they wanted to do more experiments with RFID credit cards, passports, etc, but "we're probably on enough government watch lists already."




RE: To paraphrase Mr. Hyneman
By Bender 123 on 9/2/2008 9:50:07 AM , Rating: 5
Wouldn't the more intelligent thing for a credit card company (based on the business of selling trust over your finances...), be to box up the lawyers and call your R&D tech staff in charge of deploying RFID to work WITH these folks?

What a fantastic marketing point to say we have worked with professional hackers to make your wireless credit card the most secure device in the industry!

Stupid business people never seem to understand the risks of tech...


RE: To paraphrase Mr. Hyneman
By Flunk on 9/2/2008 11:19:14 AM , Rating: 3
It does seem completely ridiculous to bury your head in the sand and shout "la la la" when someone tries to show you how flawed your technology is. They are just opening themselves for bigger lawsuits in the future. Big business tends to be short-sighted but this is really stupid.


RE: To paraphrase Mr. Hyneman
By porkpie on 9/3/2008 11:53:15 PM , Rating: 2
I'm sure they're working on the problem internally. They just want to shut people up long enough to solve the problem.


RE: To paraphrase Mr. Hyneman
By Motoman on 9/5/2008 5:01:28 PM , Rating: 3
...$100 on the "head in sand" option rather than the "we're working on it" option.


RE: To paraphrase Mr. Hyneman
By mmntech on 9/2/2008 2:58:12 PM , Rating: 2
That costs money. lol

I think somebody needs to "accidentally" release the episode on YouTube.


By PhoenixKnight on 9/5/2008 1:29:43 PM , Rating: 2
Exactly, because we all know that paying R&D people costs a lot more than paying high-priced lawyers.


RE: To paraphrase Mr. Hyneman
By idconstruct on 9/4/2008 10:36:38 AM , Rating: 2
I would hardly call the mythbusters professional-anything... except maybe actors


RE: To paraphrase Mr. Hyneman
By TomCorelis on 9/2/2008 2:58:00 PM , Rating: 3
I agree that a Mythbuster special is a good indicator of RFID's easy hackability, but I find the lawyers to be a much better indicator of the sheer financial weight being thrown behind the tech.


RE: To paraphrase Mr. Hyneman
By maverick85wd on 9/2/2008 3:30:53 PM , Rating: 2
I don't see how train systems and the like would matter too much considering it's just transportation... but why would they still be considering it for credit cards and passports?

One thing people never seem to realize is that, no matter how secure you make it, if the incentive is there someone will find a way to manipulate the system. RFIDs are apparently no exception... and they aren't even as widely used yet as they will be, or were going to be. Obviously this system was flawed from the beginning. When I first heard about it, I assumed security features would be built in considering they were to be put in passports - I was honestly quite baffled and confused to learn they had made it as easy as it is to hack.

I can understand why these companies are so upset to find out the all wonderful technology they were planning to utilize in up and coming systems is quite vulnerable... but why try to hide it? Anyone that pays attention to the tech world already knows.


RE: To paraphrase Mr. Hyneman
By TomCorelis on 9/2/2008 4:37:11 PM , Rating: 4
Well, just because the tech world knows about this stuff doesn't mean the general populace does. My non-tech friends would be easily wooed by the concept of merely waving around your wallet to make a credit card transaction, for example. I went skiing earlier this year and the lift system at the slopes uses RFID to open its turnstiles. "That's pretty cool," they said.

This is why Mythbusters might be so important ... Mythbusters has mainstream appeal: pop science at its best. If Mythbusters says it's true, then I'd surmise that there's a good chance that the mainstream world will quickly be repeating what they say soon thereafter -- because Adam Savage says so.

Right now any of the "fears" of this "newfangled wireless card stuff" are more or less blind speculation... once you put a face, or a methodology, to that speculation, you might find public openness towards it begins to dwindle. Which, of course, goes back to the whole 'our super duper expensive rfid R&D is broken!!' response from the companies with a financial stake in it.


By maverick85wd on 9/2/2008 6:18:29 PM , Rating: 2
I can agree with all of that; what I'm saying is that their response is pretty jacked. Instead of finding a way to make it work securely or finding an alternative to the existing system, they want to hide and pretend like nothing is wrong. It's like putting money into a new material to build houses with and then finding out their new material is toxic... and then trying to keep it quiet so they can still build houses and make their money. What happens when the shit storm really hits the fan? It's another example of what happens when corporations allow themselves to be blinded to reality. Obviously a company's sole purpose is to make money and they want their investment back. I can agree, and even sympathize with that... but building a system, especially one as sensitive as a credit card system, on technology that's constantly being exploited is, in my opinion, criminal.

My point, as far as a lot of people in the tech world knowing about it, is that it's not uncommon knowledge. DailyTech isn't exactly an unpopular website and I've also seen it mentioned on Engadget and that's without looking. While your non-tech friends may be easily impressed with wireless money transfers and such (as are mine, and I'll admit I think it's a cool idea), they also have you there to tell them it's unsecure and thus not a good idea for sensitive information to be put on RFIDs.

I think you have a great point when it comes to Mythbusters. It's just too bad corporate America is being allowed to censor the findings of researchers (hackers do research!) that found a serious vulnerability. Apparently, freedom of speech only lasts until too much money is involved.


By lukasbradley on 9/2/2008 5:14:20 PM , Rating: 2
Nice reference, by the way.


Copyright 2014 DailyTech LLC.