Penetration Testing mailing list archives

Re: RFID Tags


From: "lsi" <stuart () cyberdelix net>
Date: Wed, 19 May 2004 02:58:43 +0100

Firstly, it's evident there's a bunch of potential attacks out there. 
In addition to unauthorised usage and replay attacks, multiple people 
have pointed out the potential for Denial of Service attacks, against 
the card, against the reader, against the user, or against the back-
end database.  Some people have also suggested attacks on data 
integrity, whereby false data is written back to the tag, in order to 
later manipulate the database which stores the altered data; others 
have suggested falsifying either the data on the tag, or the tags 
themselves, for various purposes.  

More comments inline..

Let's go back to our hypothetical commuter train for a moment.  I think
that this would be more valuable in a targeted attack than a general
fishing expedition.

Definitely.  Getting a sweep from an individual will be more useful
than pinging an entire train (bus, theater, etc.) worth of people. 
Even if you could localize the responses (not a sure thing - signal
strength, as mentioned previously, is not a sure indication of source)
the sheer volume of information returned would probably make it of
dubious value in a real-time situation. 

My one-word counter to the signal strength issue is: triangulation.  
OK, so this requires two readers and a bit of number-crunching.  But 
depending on the value of the target, this is feasible.  This 
technique would involve two transceivers pinging the tags 
simultaneously, and correlating the returned signal strength and tag 
data.  It would allow the attackers to build a 3D map of every tag in 
range.

Couple this with the Big Database of All RFIDs in the Known Universe, 
and you have a device that can instantly identify and geolocate high-
value targets, or targets matching specific criteria.

the case, is it not possible to simply transmit a higher 
power signal, and thus boost the response from the tag to 
gain more range? 

Higher power, based on what?  And what about the nearer RFIDs you cook while
trying to get enough power to the ones that are further away?  And of course
this assumes that you can get enough gain without overloading all of them
(or cooking your own gonads).

This attack is not suitable for all scenarios, as you note.  However 
it would be suitable for a targeted attack on a specific individual, 
as the distance between the attacker and the victim could be 
controlled by the attacker.  The attackers would of course wear foil 
underwear.

Some people have questioned whether it's a big deal to be able to 
recover tag data.  Some tags store more than just IDs, so it's not 
as simple as saying 'it's just a number'.  But even if it were just a 
number, just one unique number leaking from your person could be 
used to track you around the transit system.  A whole bunch of them 
would let the Watchers know what *mood* you were in!  Your particular 
combination of RFIDs would make a specific pattern on their screens; 
and they could watch it morph, day-to-day, play it back and see when 
you bought this, when you stopped wearing that.  Maybe nobody cares - 
today.  What about tomorrow?  Maybe it would suit someone to know 
where all the DVDs of Michael Moore's latest movie actually 
WENT...... Marketers could show you ads targeted at your specific 
shoe size.  Stores in competition with one another could monitor the 
spending habits of people simply walking through their doors - no 
need to make a purchase!  And if you ever did, well they could match 
all that up with your name, if you had one single leaking RFID on you 
at the time, that you also had on you when you were there previously. 
And this is only for RFIDs in shoes, jeans, etc.  The privacy 
implications for RFIDs in documents would be far worse.  An RFID in a 
driver's license would take all the fun out of matching up 
individuals with RFID combinations!

It seems to me that without authentication, these things are at best, 
useless, and at worst, an open door for criminal activity.

Stuart

---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192.168.0.2)
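The post above lists replay attacks among the threats and closes with the point that tags without authentication are "an open door". The following is an added example written for this archive page (it is not code from the poster or from any RFID product) that models both halves of that argument: a tag that answers every query with a fixed identifier can be recorded once and replayed forever, whereas a tag that answers with a keyed MAC over a fresh reader challenge cannot. The tag ID, the per-tag key, the 16-byte challenge size and the HMAC-SHA256 construction are all assumptions of the model; real low-cost tags may lack the compute for it, which is the design trade-off the thread is circling.

```python
"""Replay-resistance model for RFID tag authentication (added example).

Assumptions (not from the thread): 8-byte tag IDs, 16-byte random reader
challenges, HMAC-SHA256 as the tag's response function, and a back-end
key database indexed by tag ID. All identifiers and keys are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

ID_LEN = 8  # assumed identifier length for this model


class StaticTag:
    """Tag that answers every query with the same fixed identifier."""

    def __init__(self, tag_id: bytes) -> None:
        self.tag_id = tag_id

    def respond(self, challenge: bytes) -> bytes:
        # The challenge is ignored, so any recorded answer is valid later too.
        return self.tag_id


class AuthTag:
    """Tag holding a per-tag secret; answers with a MAC bound to the challenge."""

    def __init__(self, tag_id: bytes, key: bytes) -> None:
        self.tag_id = tag_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        mac = hmac.new(self._key, self.tag_id + challenge, hashlib.sha256).digest()
        return self.tag_id + mac


class IdOnlyReader:
    """Reader that accepts any response whose ID appears in its list."""

    def __init__(self, known_ids: set[bytes]) -> None:
        self.known_ids = known_ids

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def accepts(self, challenge: bytes, response: bytes) -> bool:
        return response[:ID_LEN] in self.known_ids


class AuthReader:
    """Reader that recomputes the expected MAC from the back-end key database."""

    def __init__(self, key_db: dict[bytes, bytes]) -> None:
        self.key_db = key_db

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def accepts(self, challenge: bytes, response: bytes) -> bool:
        tag_id, mac = response[:ID_LEN], response[ID_LEN:]
        key = self.key_db.get(tag_id)
        if key is None:
            return False  # unknown or forged identifier
        expected = hmac.new(key, tag_id + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)  # constant-time compare


def genuine_succeeds(tag, reader) -> bool:
    """A live tag answering the reader's current challenge."""
    challenge = reader.new_challenge()
    return reader.accepts(challenge, tag.respond(challenge))


def replay_succeeds(tag, reader) -> bool:
    """An eavesdropper records one exchange, then replays it to a later query."""
    challenge = reader.new_challenge()
    captured = tag.respond(challenge)
    later_challenge = reader.new_challenge()
    return reader.accepts(later_challenge, captured)


def demo() -> dict[str, bool]:
    """Run the four cases the thread cares about and return the outcomes."""
    tag_id = b"TAG-0001"  # constructed sample identifier
    key = secrets.token_bytes(32)  # constructed per-tag secret
    static_tag, id_reader = StaticTag(tag_id), IdOnlyReader({tag_id})
    auth_tag, auth_reader = AuthTag(tag_id, key), AuthReader({tag_id: key})
    wrong_key_tag = AuthTag(tag_id, secrets.token_bytes(32))
    return {
        "static_genuine": genuine_succeeds(static_tag, id_reader),
        "static_replay": replay_succeeds(static_tag, id_reader),
        "auth_genuine": genuine_succeeds(auth_tag, auth_reader),
        "auth_replay": replay_succeeds(auth_tag, auth_reader),
        "auth_wrong_key": genuine_succeeds(wrong_key_tag, auth_reader),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>16}: {'accepted' if outcome else 'rejected'}")
```

Running the script shows the static tag accepted both live and on replay, while the authenticating tag is accepted live, rejected on replay (the recorded MAC was computed over a challenge the reader will never reissue), and rejected when the tag's key does not match the back-end record. The reader's key database is the same back-end the thread worries about as a DoS and data-integrity target, so moving the trust there does not remove that exposure, it only closes the replay door.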
