Penetration Testing mailing list archives
RE: RFID Tags
From: "Rob Shein" <shoten () starpower net>
Date: Tue, 11 May 2004 12:57:08 -0400
It seems to me that some of these attacks sound great at first, but break down when you consider how it would REALLY play out. For one, if you get on the train and inventory everyone's clothing...how do you know which shirt goes with which pants or shoes? You just have a list of clothes, all jumbled up. If you're on the cast of "Queer Eye for the Straight Guy" it's an effective thing to do, perhaps, but I don't see the point from a black hat perspective. As for credit cards, this is extremely easy to deal with. The cards themselves that have been seen so far have a very limited range, measured in inches. I can think of a wallet design that would shield the cards a bit, and thus cut that down to the point where the black hat would have to make physical contact with the wallet to be able to pull the information; at this point you're going to notice the black hat as he goes down the car rubbing up against everyone like a comically-indiscreet pickpocket. And this all assumes that all the credit cards in the wallet don't respond at the same time, on the same frequency, thus garbling the results. I don't think RFID was ever intended to be a feature of security, but rather one of convenience. Things like being able to inventory a packing crate without opening it, having a credit card without a magnetic strip to wear out, and groceries that can be scanned while still in the shopping cart...these are the benefits of RFID technology. As will all increases in functionality, there is opportunity for added insecurity, but it's not the end of the world either.
-----Original Message----- From: lsi [mailto:stuart () cyberdelix net] Sent: Tuesday, May 11, 2004 4:50 AM To: tim () labmonkey co uk Cc: pen-test () securityfocus com Subject: Re: RFID Tags I read about some theoretical attacks on RFID: - unauthorised usage: Black Hat walks onto train with rogue ID sniffer, gets IDs of all tags in the carriage - this info might be used to compute the relative value of each commuter's clothes and belongings, and their origins. If RFIDs go into drivers licenses, passports etc, then the presence of those documents will be revealed without a search. If the RFIDs go into credit cards, Black Hat will know how many, and which ones, you have. And if RFIDs go into cash, then Black Hat will know how much you're carrying. - replay attack: sniff a tag's ID, then later, play it back to the detector and impersonate that tag "Security professionals need to realize that RFID tags are dumb devices. They listen, and they respond. Currently, they don't care who sends the signal. Anything your companies' transceiver can detect, the bad guy's transceiver can detect. So don't be lulled into a false sense of security." -- http://www.securityfocus.com/columnists/169
------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
Current thread:
- RFID Tags Timothy Marshall (May 10)
- RE: RFID Tags James Hester (May 10)
- Re: RFID Tags Rogan Dawes (May 11)
- RE: RFID Tags James Hester (May 11)
- Re: RFID Tags Rogan Dawes (May 11)
- Re: RFID Tags lsi (May 11)
- RE: RFID Tags James Hester (May 11)
- RE: RFID Tags ktabic (May 12)
- RE: RFID Tags Rob Shein (May 11)
- RE: RFID Tags lsi (May 12)
- RE: RFID Tags James Hester (May 12)
- Re: RFID Tags c3rb3r (May 12)
- Re: RFID Tags c0ncept (May 16)
- RE: RFID Tags James Hester (May 11)
- RE: RFID Tags James Hester (May 10)
- <Possible follow-ups>
- RE: RFID Tags Kim.Sassaman (May 11)
- RE: RFID Tags Steven Trewick (May 12)
- RE: RFID Tags Rob Shein (May 12)
- RE: RFID Tags John (Tyler) Markowsky - Seccuris (May 12)
- RE: RFID Tags Steven Trewick (May 12)
- RE: RFID Tags Thompson, Jimi (May 16)