Re: RFID used at Olympics in Germany

[Adam Laurie <adam.laurie () thebunker net>]

Josh L. Perrymon wrote:
> Yeah.. I suppose their would be limitations on the amount of data that 
> would be on the chip..
>
> Maybe the will just use an ID number that refrences the user info in the 
> DB....
>
> Has anyone successfully performed SQL injections usinf RFID tags? I 
> looked at a few papers but know it's not widespread.
> I'm thinking about getting an IPAQ and an RFID reader/writer to play 
> around w/ this stuff.

It's certainly do-able if the target RFID reading system isn't doing the 
proper checks...  for playing, I can recommend the ACG reader - should 
work fine in a Compaq as it's a CF card:

http://www.acg.de/synformation/servlet/PageServlet/corporate/RFIDProducts/Start?show=RFID_Basics

and if you've got python, you can drive it with RFIDIOt:

  http://rfidiot.org/

BTW, if anyone's got access to these tickets I'd love to have a look at 
one...

cheers,
Adam
--
Adam Laurie                         Tel: +44 (0) 1304 814800
The Bunker Secure Hosting Ltd.      Fax: +44 (0) 1304 814899
Ash Radar Station                   http://www.thebunker.net
Marshborough Road
Sandwich                            mailto:adam () thebunker net
Kent
CT13 0PL
UNITED KINGDOM                      PGP key on keyservers

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/