Penetration Testing mailing list archives
RE: RFID Tags
From: James Hester <jay.hester () mci com>
Date: Tue, 11 May 2004 11:33:15 -0500
Tags have to receive the right signal to transmit the data back. If tags could be queried by any device, wireless networks (900MHz) would be flooded with 900MHz tags. Wal-Mart is going with the 915MHz tags, so that problem is unacceptable. You have to know what to send a tag to get it to respond.

The security on the tags is minimal, but you can put encryption on them. I'm experimenting with that right now. One feature some tags have in them is a password lock; if you don't have the password then it's difficult to reprogram the tag. If you try to reprogram the tag without the right password it disables the programming feature of the tag for a specified amount of time. Once the tag is disabled you can still read it from a Class I antenna, but you can't reprogram it.

The Class I tags are like solid state devices; since the chip is so small you can't store backups of data. Once the memory is written it's gone. You do have extra room on other classes of tags, but I think it's the same: there is extra memory there, but the tag id is stored in the same location.

Jay

-----Original Message-----
From: Rogan Dawes [mailto:discard () dawes za net]
Sent: Tuesday, May 11, 2004 1:42 AM
To: James Hester
Cc: tim () labmonkey co uk; pen-test () securityfocus com
Subject: Re: RFID Tags

Since the tag basically just transmits whatever is programmed into it when interrogated, I see no reason that someone should not be able to create a "programmable" RFID tag emulator, that simply broadcasts whatever that person wants it to when interrogated.

For example, picture a standard RFID chip, with basic components such as an antenna, a tiny CPU, and some memory (ROM, EPROM, EEPROM, FLASH, whatever). When the tag is interrogated, the CPU reads whatever is in the memory, and broadcasts it out. How difficult can it be to have an alternate way of programming that memory?

At this point in time, I don't think that RFID tags are using any encryption (i.e. transforming a challenge broadcast to it in some way), which means that it should be trivial to snoop on a response, or interrogate the tag yourself, and copy it into your programmable tag.

So, yes, I would say that they can be copied/faked.

I would also be inclined to believe that, once changed, it would not be possible to read what the original data was, DEPENDING on the nature of the underlying media. For instance, if you are using a WORM type of memory, that marks previously used positions as invalid, but does not overwrite them, with the right tools, you should be able to get at that previous data. I doubt that too many tags would be using this kind of scheme, but it could be worth investigating for a forensics case . . .

Regards,

Rogan

James Hester wrote:

Tim,

That depends on what tag you are going to use. The Class I tag has 96 bits of memory that can be programmed. There are some types of tags that have the ability to password protect the memory, but when you do things like that it drives the price up. The tags can be written, but I doubt you will be able to pull the original data off once it's erased since it's stored on the tag's chip.

Jay

-----Original Message-----
From: Timothy Marshall [mailto:tim () labmonkey me uk]
Sent: Monday, May 10, 2004 6:05 AM
To: pen-test () securityfocus com
Subject: RFID Tags

Hi,

Does anyone have information / experience on how secure these tags are? Can the data they store be changed in any way? Can they be copied / faked? If they are changed can the original information still be read?

Cheers

Tim
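As an added illustration (not code from anyone in this thread), here is a small Python model of the password-lock behaviour Jay describes in his reply: anyone can read the 96-bit id, a write needs the access password, a wrong password disables programming for a set period while reads keep working, and the old id is not retained after a write. The class and method names, the lockout length and the sample id and password are assumptions made for the illustration, not taken from any RFID standard.

```python
import hmac


class Class1TagModel:
    """Toy model (an assumption for this illustration, not a real RFID
    standard) of the Class I tag protection Jay describes."""

    MEMORY_BITS = 96  # Jay's figure for programmable Class I memory

    def __init__(self, tag_id: int, password: bytes, lockout_seconds: int = 60):
        if tag_id.bit_length() > self.MEMORY_BITS:
            raise ValueError("tag id does not fit in 96 bits")
        self._memory = tag_id          # the single id slot; no backup copy
        self._password = password
        self._lockout_seconds = lockout_seconds
        self._locked_until = 0.0       # time at which programming re-enables

    def read(self) -> int:
        # Reads are unauthenticated: any Class I reader gets the id back,
        # even while programming is disabled.
        return self._memory

    def programming_enabled(self, now: float) -> bool:
        return now >= self._locked_until

    def write(self, new_id: int, password: bytes, now: float) -> bool:
        """Overwrite the tag id; returns True on success.

        The previous value is not kept anywhere, matching Jay's
        "once the memory is written it's gone".
        """
        if not self.programming_enabled(now):
            return False                 # still in the lockout window
        if not hmac.compare_digest(password, self._password):
            # Wrong password: disable programming for the lockout period.
            self._locked_until = now + self._lockout_seconds
            return False
        if new_id.bit_length() > self.MEMORY_BITS:
            return False
        self._memory = new_id
        return True


if __name__ == "__main__":
    # Constructed sample values: a 96-bit id and a demo password.
    tag = Class1TagModel(0x3000_0000_0000_0000_0000_0001, b"demo-pw", 30)
    print(tag.write(0x1, b"wrong", now=0.0))       # False, and lockout starts
    print(tag.read() == 0x3000_0000_0000_0000_0000_0001)  # True: reads still work
    print(tag.write(0x1, b"demo-pw", now=10.0))    # False, still locked
    print(tag.write(0x1, b"demo-pw", now=30.0))    # True
```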