Penetration Testing mailing list archives
Re: RFID Tags
From: "lsi" <stuart () cyberdelix net>
Date: Wed, 19 May 2004 02:58:43 +0100
Firstly, it's evident there's a bunch of potential attacks out there. In addition to unauthorised usage and replay attacks, multiple people have pointed out the potential for Denial of Service attacks, against the card, against the reader, against the user, or against the back-end database. Some people have also suggested attacks on data integrity, whereby false data is written back to the tag, in order to later manipulate the database which stores the altered data; others have suggested falsifying either the data on the tag, or the tags themselves, for various purposes. More comments inline...
> > Let's go back to our hypothetical commuter train for a moment. I think that this would be more valuable in a targeted attack than a general fishing expedition.
>
> Definitely. Getting a sweep from an individual will be more useful than pinging an entire train (bus, theater, etc.) worth of people. Even if you could localize the responses (not a sure thing - signal strength, as mentioned previously, is not a sure indication of source) the sheer volume of information returned would probably make it of dubious value in a real-time situation.
My one-word counter to the signal strength issue is: triangulation. OK, so this requires two readers and a bit of number-crunching. But depending on the value of the target, this is feasible. This technique would involve two transceivers pinging the tags simultaneously, and correlating the returned signal strength and tag data. It would allow the attackers to build a 3D map of every tag in range. Couple this with the Big Database of All RFIDs in the Known Universe, and you have a device that can instantly identify and geolocate high-value targets, or targets matching specific criteria.
> > the case, is it not possible to simply transmit a higher power signal, and thus boost the response from the tag to gain more range?
>
> Higher power, based on what? And what about the nearer RFIDs you cook while trying to get enough power to the ones that are further away? And of course this assumes that you can get enough gain without overloading all of them (or cooking your own gonads).
This attack is not suitable for all scenarios, as you note. However it would be suitable for a targeted attack on a specific individual, as the distance between the attacker and the victim could be controlled by the attacker. The attackers would of course wear foil underwear.

Some people have questioned whether it's a big deal to be able to recover tag data. Some tags store more than just IDs, so it's not as simple as saying 'it's just a number'. But even if it was just a number: just one unique number leaking from your person could be used to track you around the transit system. A whole bunch of them would let the Watchers know what *mood* you were in! Your particular combination of RFIDs would make a specific pattern on their screens; and they could watch it morph, day-to-day, play it back and see when you bought this, when you stopped wearing that.

Maybe nobody cares - today. What about tomorrow? Maybe it would suit someone to know where all the DVDs of Michael Moore's latest movie actually WENT...... Marketers could show you ads targeted at your specific shoe size. Stores in competition with one another could monitor the spending habits of people simply walking through their doors - no need to make a purchase! And if you ever did, well they could match all that up with your name, if you had one single leaking RFID on you at the time, that you also had on you when you were there previously.

And this is only for RFIDs in shoes, jeans, etc. The privacy implications for RFIDs in documents would be far worse. An RFID in a driver's license would take all the fun out of matching up individuals with RFID combinations!

It seems to me that without authentication, these things are at best, useless, and at worst, an open door for criminal activity.

Stuart

---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/
---
* Origin: lsi: revolution through evolution (192.168.0.2)
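The linkage argument above (one stable tag ID shared between two sightings is enough to tie them to the same person), as an added example that is not part of the original post or thread: constructed doorway-reader logs are grouped into tracks by shared tag IDs, and the same grouping is run again under the mitigation the post asks for, tags that give a passive reader no stable identifier (modelled here as a fresh random value per read). Tag names, days and the `link_sightings`/`randomise` helpers are all assumptions for illustration.

```python
"""Added example (not from the original post): how stable RFID tag IDs let a
passive observer link separate sightings of the same person, and why
per-read randomised (or reader-authenticated) identifiers break that linkage.
All sightings below are constructed sample data."""
import secrets

# Constructed reader logs: each entry is the set of tag IDs a doorway reader
# saw on one person walking through, with the day of the sighting.
SIGHTINGS = [
    ("mon", {"shoe-7f3a", "jeans-2c19", "dvd-9e01"}),
    ("tue", {"shoe-7f3a", "jeans-2c19"}),
    ("wed", {"shoe-7f3a", "jacket-b804"}),
    ("wed", {"shoe-0001", "jeans-55aa"}),   # a different person
]


def link_sightings(sightings):
    """Group sightings into 'tracks': two sightings are linked when they share
    at least one stable tag ID, transitively (mon->tue->wed via one shoe tag).
    Returns a list of sets of sighting indexes."""
    tracks = []
    for idx, (_, tags) in enumerate(sightings):
        matched = [t for t in tracks if any(tags & sightings[i][1] for i in t)]
        merged = {idx}
        for t in matched:          # merge every track this sighting touches
            merged |= t
            tracks.remove(t)
        tracks.append(merged)
    return tracks


def randomise(sightings):
    """Mitigation model: a tag that answers each unauthenticated read with a
    fresh random value leaves the observer nothing stable to correlate on."""
    return [(day, {secrets.token_hex(4) for _ in tags}) for day, tags in sightings]


if __name__ == "__main__":
    print("stable IDs:    ", link_sightings(SIGHTINGS))
    print("randomised IDs:", link_sightings(randomise(SIGHTINGS)))
```

With stable IDs the first three sightings collapse into one track on the shared shoe tag; with randomised IDs every sighting stays its own track.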