Penetration Testing mailing list archives
RE: RFID Tags
From: Steven Trewick <STrewick () joplings co uk>
Date: Wed, 12 May 2004 10:53:30 +0100
-----Original Message----- From: Rob Shein [mailto:shoten () starpower net]
It seems to me that some of these attacks sound great at first, but break down when you consider how it would REALLY play out
<snip>
As for credit cards, this is extremely easy to deal with. The cards themselves that have been seen so far have a very limited range, measured in inches. I can think of a wallet design that would shield the cards a bit,
Yes, one merely needs to store it under one's tin foil hat, and safety is assured :-)
and thus cut that down to the point where the black hat would have to make physical contact with the wallet to be able to pull the information; at this point you're going to notice the black hat as he goes down the car rubbing up against everyone like a comically-indiscreet pickpocket.
I was under the impression (which may well not be correct) that passive RFID tags derive their operational power supply from the radio signal transmitted by the reader. If this is the case, is it not possible to simply transmit a higher power signal, and thus boost the response from the tag to gain more range? (Obviously, this becomes the arms/armour cycle in the end if we are talking about shielding.) Or even simply build an extremely sensitive receiver and place it near where the cards will be used? (etc)
And this all assumes that all the credit cards in the wallet don't respond at the same time, on the same frequency, thus garbling the results.
If it were the case that multiple tags in close proximity responding to a probe would confuse a reader in this scenario, how would you account for the technology's ability to perform the scenario you outline below, viz inventorying a crate of goods containing tags in close proximity, which (for the sake of argument) could respond at the same time, on the same frequency?
I don't think RFID was ever intended to be a feature of security, but rather one of convenience. Things like being able to inventory a packing crate without opening it, having a credit card without a magnetic strip to wear out, and groceries that can be scanned while still in the shopping cart...these are the benefits of RFID technology. As with all increases in functionality, there is opportunity for added insecurity, but it's not the end of the world either.
I agree, even if you are capable of retrieving the information off the tag (which in most cases will likely be some kind of semi-unique item ID), it makes no sense outside of the informational context within which it is embedded. A unique ID on an RFID enabled credit card need not necessarily be the same as the card number, it could be a reference number to the CC issuer's card database, and possession of the number does not necessarily imply the ability to correctly present and (more importantly) authenticate the card during a transaction. On the other hand, if you are doing a pen test (or are a blackhat) being able to gain covert (ish) access to even a single unique identifier could be enough to get you in through someone's maze, (although obviously, it shouldn't be, but that's what you're supposed to be testing, right? :-)