August 10th, 2009

Fed's RFIDiocy pwnd at DefCon

Posted by Robin Harris @ 2:17 am

Categories: Infrastructure, Public policy, Security

Tags: Federal Reserve Board, RFID, Wireless And Mobility, Security, Biometrics, Robin Harris

NSA spooks gather for a colleague’s retirement party at a bar. What they don’t know is that an RFID scanner is picking them out - and a wireless Bluetooth webcam is taking their picture.

Could that really happen? It already did.

The Feds got a taste of the real world risks of RFID passports and IDs at DefCon, the annual hacker conference. According to Wired:

. . . federal agents at the conference got a scare on Friday when they were told they might have been caught in the sights of an RFID reader.

The reader, connected to a web camera, sniffed data from RFID-enabled ID cards and other documents carried by attendees in pockets and backpacks as they passed a table where the equipment was stationed in full view.

RFIDiots
The goal at DefCon was awareness, not crime. But as organized tech mobs grow it won’t be long before crime - or terrorism - exploits the gaping security holes in RFID.

Chris Paget, the researcher who demo’d drive-by scanning early this year

. . . will be releasing a $50 kit at the end of August that will make reading 125-kHz RFID chips — the kind embedded in employee access cards — trivial. It will include open source software for reading, storing and re-transmitting card data and will also include a software tool to decode the RFID encryption used in car keys for Toyota, BMW and Lexus models. This would allow an attacker to scan an unsuspecting car-owner’s key, decrypt the data and open the car.

RFID Bad Day: you get fired because a bunch of office equipment went missing after someone with your ID entered the office at 1 AM. And when you go to your car, it isn’t there.

Cloning on the fly
Adam Laurie, another researcher and author of the RFIDiot (RFID I/O tool), an open source python library, said

It takes a few milliseconds to read [a chip] and, depending on what equipment I’ve got, doing the cloning can take a minute. I could literally do it on the fly.

Mr. Paget even demo’d a wired doorframe that collects RFID data as people walk through it. Handy, eh?

The Storage Bits take
Perhaps now that federal security gurus have been pwnd the RFID threat will get some serious attention. Like, maybe this isn’t such a great idea, attention.

Maybe that will be enough to start the wheels turning, but with hundreds of millions of dollars already spent on this stupidity, I’m afraid that someone, somewhere, will have to die before citizens figure out that this is a real, increasing and unnecessary risk.

The technology for reading, hacking and cloning RFID tags will only get better. The mass production machinery behind the tags can’t keep up with the security threats.

The time to end this nonsense is now. There are perfectly usable non-RF storage technologies - like 3D barcodes - that can safely store data in hard to crack, hard to hack formats.

Comments welcome, of course.