Interesting People mailing list archives
more on RFID Clonable
From: David Farber <dave () farber net>
Date: Tue, 25 Jul 2006 14:37:38 -0400
Begin forwarded message:

From: Joseph Lorenzo Hall <joehall () gmail com>
Date: July 25, 2006 2:24:05 PM EDT
To: dave () farber net
Cc: Ross Stapleton-Gray <ross () stapleton-gray com>
Subject: Re: [IP] more on RFID Clonable
Reply-To: joehall () pobox com

On 7/25/06, David Farber <dave () farber net> wrote:

Begin forwarded message:

From: Ross Stapleton-Gray <ross () stapleton-gray com>
Date: July 25, 2006 1:02:13 PM EDT
To: dave () farber net
Subject: Re: [IP] RFID Clonable

At 07:48 AM 7/25/2006, David Farber wrote:

> In case anyone needed more proof that we're all living in a Philip K.
> Dick novel, a pair of hackers have recently demonstrated how human-implantable
> RFID chips from VeriChip can be easily cloned, effectively stealing the
> person's identity.
> ...
> For its part, VeriChip has only said they haven't yet had a chance
> to review the evidence but still
> insist that "it's very difficult to steal a VeriChip."

Certainly literally true, if by "steal" one means, "get one's hands on the original, e.g., pry one out of Annalee Newitz's arm."

But we should recognize that the vast majority of RFID applications [BUT NOT ALL djf] don't depend on inability to clone them. RFID tags in most commerce will be as unclonable as license plates, which anyone with a little tin, paint and shop skills could zap out copies of, but which nonetheless serve as a cheap means for reasonably reliable identification. Think of most RFID applications as just like print bar codes; there have been various cases of fraud committed against systems employing the latter, most notably where thieves use bar codes for inferior goods to purchase expensive ones ("Bar code says that's a drill bit, and it looks like a drill bit...") then return the goods to pocket the difference in price.

To expand on Dave's "BUT NOT ALL" comment, there are many institutions that are using RFID-enabled ID cards as access control keys -- a far cry from a barcode. For example, my University uses Prox cards to allow access to many areas (although more sensitive areas require more sophisticated entry keys). This also seems to be the case at MIT and to gain entry to many parts of the California Legislature Building in Sacramento. A few MIT students have done an analysis of the vulnerabilities of their system, find it here (the MIT cards operate on AM frequencies so they were able to build a cloner for less than $30):

MIT Proximity Card Vulnerabilities (Josh Mandel, Austin Roach, Keith Winstein)
<http://www.josephhall.org/tmp/mit_prox_vulns.pdf>

(The best quote from that work, IMO, is: "Don't use prox card for monetary transactions or high-security areas. Remove from nuclear reactor.")

I've been advocating at Berkeley for our administration to issue mylar envelopes for our ID cards and to start educating faculty, students and staff about how they should treat their ID card like a sensitive document. Unfortunately, there are many uses of our ID cards that rub directly against this; for example, to swim at a UC Berkeley pool you have to surrender your ID card to an attendant. Sigh.

-Joe

--
Joseph Lorenzo Hall
PhD Student, UC Berkeley, School of Information
<http://josephhall.org/>