Penetration Testing mailing list archives

RE: RFID Tags


From: Steven Trewick <STrewick () joplings co uk>
Date: Wed, 12 May 2004 10:53:30 +0100



-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net]
 
 
It seems to me that some of these attacks sound great at 
first, but break down when you consider how it would REALLY 
play out

<snip>


As for credit cards, this is extremely easy to deal with.  
The cards themselves that have been seen so far have a very 
limited range, measured in inches.  I can think of a wallet 
design that would shield the cards a bit,

Yes, one merely needs to store it under one's tin foil hat,
and safety is assured  :-)

and thus cut that down to the point where the black hat would 
have to make physical contact with the wallet to be able to pull 
the information; at this point you're going to notice the black hat 
as he goes down the car rubbing up against everyone like a 
comically-indiscreet pickpocket.  

I was under the impression (which may well not be correct) that
passive RFID tags derive their operational power supply from the
radio signal transmitted by the reader.  If this is the case, is
it not possible to simply transmit a higher power signal, and thus
boost the response from the tag to gain more range? (Obviously, 
this becomes the arms/armour cycle in the end if we are talking about 
shielding.) Or even simply build an extremely sensitive receiver
and place it near where the cards will be used ? (etc)

And this all assumes that all the credit cards in the wallet don't 
respond at the same time, on the same frequency, thus garbling the 
results.

If it were the case that multiple tags in close proximity responding
to a probe would confuse a reader in this scenario, how would you account 
for the technology's ability to perform the scenario you outline below,
viz inventorying a crate of goods containing tags in close proximity,
which (for the sake of argument) could respond at the same time, on 
the same frequency ?


I don't think RFID was ever intended to be a feature of security, 
but rather one of convenience.  Things like being able to inventory a 
packing crate without opening it, having a credit card without a 
magnetic strip to wear out, and groceries that can be scanned while 
still in the shopping cart...these are the benefits of RFID technology.  
As with all increases in functionality, there is opportunity for added 
insecurity, but it's not the end of the world either.


I agree, even if you are capable of retrieving the information 
off the tag (which in most cases will likely be some kind of 
semi-unique item ID), it makes no sense outside of the informational 
context within which it is embedded.

A unique ID on an RFID-enabled credit card need not necessarily 
be the same as the card number, it could be a reference number 
to the CC issuer's card database, and possession of the number does 
not necessarily imply the ability to correctly present and (more 
importantly) authenticate the card during a transaction.

On the other hand, if you are doing a pen test (or are a blackhat)
being able to gain covert (ish) access to even a single unique 
identifier could be enough to get you in through someone's maze,
(although obviously, it shouldn't be, but that's what you're supposed 
to be testing, right ? :-)

























