more on RFID Clonable

[David Farber <dave () farber net>]

Begin forwarded message:

From: Joseph Lorenzo Hall <joehall () gmail com>
Date: July 25, 2006 2:24:05 PM EDT
To: dave () farber net
Cc: Ross Stapleton-Gray <ross () stapleton-gray com>
Subject: Re: [IP] more on RFID Clonable
Reply-To: joehall () pobox com

On 7/25/06, David Farber <dave () farber net> wrote:
> Begin forwarded message:
>
> From: Ross Stapleton-Gray <ross () stapleton-gray com>
> Date: July 25, 2006 1:02:13 PM EDT
> To: dave () farber net
> Subject: Re: [IP] RFID Clonable
>
> At 07:48 AM 7/25/2006, David Farber wrote:
> > In case anyone needed more proof that we're all living in a  
> Philip K.
> > Dick novel, a pair of hackers have recently demonstrated how human-
> > implantable
> > RFID chips from VeriChip can be easily cloned, effectively stealing
> > the
> > person's identity.
> > ...
> > For its part, VeriChip has only said they haven't yet had a chance
> > to review the evidence but still
> > insist that "it's very difficult to steal a VeriChip."
>
> Certainly literally true, if by "steal" one means, "get one's hands
> on the original, e.g., pry one out of Annalee Newitz's arm."
>
> But we should recongize that the vast majority of RFID applications
> [BUT NOT ALL djf]  don't depend on inability to clone them.  RFID
> tags in most commerce will be as unclonable as license plates, which
> anyone with a little tin, paint and shop skills could zap out copies
> of, but which nonetheless serve as a cheap means for reasonably
> reliable identification.  Think of most RFID applications as just
> like print bar codes; there have been various cases of fraud
> committed against systems employing the latter, most notably where
> thieves use bar codes for inferior goods to purchase expensive ones
> ("Bar code says that's a drill bit, and it looks like a drill
> bit...") then return the goods to pocket the difference in price.

To expand on Dave's "BUT NOT ALL" comment, there are many institutions
that are using RFID-enabled ID cards as access control keys -- a far
cry from a barcode.  For example, my University uses Prox cards to
allow access to many areas (although more sensitive areas require more
sophisticated entry keys).  This also seems to be the case at MIT and
to gain entry to many parts of the California Legislature Building in
Sacramento.

A few MIT students have done an analysis of the vulnerabilities of
their system, find it here (the MIT cards operate on AM frequencies so
they were able to build a cloner for less than $30):

MIT Proximity Card Vulnerabilities (Josh Mandel, Austin Roach, Keith  
Winstein)
<http://www.josephhall.org/tmp/mit_prox_vulns.pdf>

(The best quote from that work, IMO, is: "Don't use prox card for
monetary transactions or high-security areas. Remove from nuclear
reactor.")

I've been advocating at Berkeley for our administration to issue mylar
envelopes for our ID cards and to start educating faculty, students
and staff about how they should treat their ID card like a sensitive
document.  Unfortunately, there are many uses of our ID cards that rub
directly against this; for example, to swim at a UC Berkeley pool you
have to surrender you ID card to an attendant.  Sigh.

-Joe

--
Joseph Lorenzo Hall
PhD Student, UC Berkeley, School of Information
<http://josephhall.org/>


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/