RE: RFID Tags

From: James Hester (jay.hester@mci.com)
Date: Tue May 11 2004 - 12:33:15 EDT


Tags have to receive the right signal to transmit the data back. If tags
could be queried by any device, wireless networks (900 MHz) would be flooded
with 900 MHz tags. Wal-Mart is going with the 915 MHz tags, so that problem is
unacceptable. You have to know what to send a tag to get it to respond.

The security on the tags is minimal, but you can put encryption on them.
I'm experimenting with that right now. One feature some tags have in them is
a password lock: if you don't have the password, it's difficult to
reprogram the tag. If you try to reprogram the tag without the right
password, it disables the programming feature of the tag for a specified
amount of time. Once the tag is disabled you can still read it from a Class
I antenna, but you can't reprogram it.

The Class I tags are like solid state devices, since the chip is so small
you can't store backups of data. Once the memory is written it's gone. You
do have extra room on other classes of tags, but I think it's the same,
there is extra memory there but the tag id is stored in the same location.

Jay

-----Original Message-----
From: Rogan Dawes [mailto:discard@dawes.za.net]
Sent: Tuesday, May 11, 2004 1:42 AM
To: James Hester
Cc: tim@labmonkey.co.uk; pen-test@securityfocus.com
Subject: Re: RFID Tags

Since the tag basically just transmits whatever is programmed into it
when interrogated, I see no reason that someone should not be able to
create a "programmable" RFID tag emulator, that simply broadcasts
whatever that person wants it to when interrogated.

For example, picture a standard RFID chip, with basic components such as
an antenna, a tiny CPU, and some memory (ROM, EPROM, EEPROM, FLASH,
whatever).

When the tag is interrogated, the CPU reads whatever is in the memory,
and broadcasts it out.

How difficult can it be to have an alternate way of programming that memory?

At this point in time, I don't think that RFID tags are using any
encryption (i.e. transforming a challenge broadcast to it in some way),
which means that it should be trivial to snoop on a response, or
interrogate the tag yourself, and copy it into your programmable tag.

So, yes, I would say that they can be copied/faked.

I would also be inclined to believe that, once changed, it would not be
possible to read what the original data was, DEPENDING on the nature of
the underlying media. For instance, if you are using a WORM type of
memory that marks previously used positions as invalid but does not
overwrite them, then with the right tools you should be able to get at that
previous data. I doubt that too many tags would be using this kind of
scheme, but it could be worth investigating for a forensics case . . .

Regards,

Rogan

James Hester wrote:

> Tim,
> That depends on what tag you are going to use. The Class I tag has 96 bits
> of memory that can be programmed. There are some types of tags that have the
> ability to password protect the memory, but when you do things like that it
> drives the price up. The tags can be written, but I doubt you will be able
> to pull the original data off once it's erased since it's stored on the
> tag's chip.
>
> Jay
>
> -----Original Message-----
> From: Timothy Marshall [mailto:tim@labmonkey.me.uk]
> Sent: Monday, May 10, 2004 6:05 AM
> To: pen-test@securityfocus.com
> Subject: RFID Tags
>
>
> Hi,
>
> Does anyone have information / experience on how secure these tags are? Can
> the data they store be changed in any way? Can they be copied / faked? If
> they are changed can the original information still be read?
>
> Cheers
>
> Tim
>
>
>
> ------------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> -------------------------------------------------------------------------------
>
--
Rogan Dawes
*ALL* messages to discard@dawes.za.net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
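The two behaviours argued over above, James's "you have to know what to send a tag" plus the password lock, and Rogan's "programmable tag" that replays a sniffed response, as an added, self-contained simulation. This is not code from anyone on the thread and not any vendor's or EPCglobal air interface: the `QUERY` signal, the 60-second lockout, the HMAC-based challenge transform, the key and the sample EPC value are all constructed assumptions chosen to make the point reproducible.

```python
"""Toy model of static (Class I style) tags versus challenge-response tags.

Constructed example for the pen-test thread; not a real RFID protocol.
"""
import hashlib
import hmac
import os
from typing import Optional

EPC_BYTES = 12     # 96-bit tag memory, as James describes for Class I tags
QUERY = b"QUERY"   # stand-in for "the right signal"; real air interface differs (assumption)


class StaticTag:
    """Tag that answers a correct interrogation with a fixed memory dump and
    optionally guards reprogramming with a password (constructed model)."""

    def __init__(self, epc: bytes, write_password: Optional[bytes] = None):
        if len(epc) != EPC_BYTES:
            raise ValueError("Class I style tag holds exactly 96 bits")
        self.memory = bytearray(epc)
        self.password = write_password
        self.locked_until = 0.0  # programming is refused before this time

    def interrogate(self, signal: bytes) -> Optional[bytes]:
        # Reads keep working even while programming is locked out
        return bytes(self.memory) if signal == QUERY else None

    def program(self, new_epc: bytes, password: Optional[bytes],
                now: float, lockout: float = 60.0) -> bool:
        if now < self.locked_until:
            return False
        if self.password is not None and not hmac.compare_digest(password or b"", self.password):
            self.locked_until = now + lockout  # wrong password disables programming for a while
            return False
        self.memory[:] = new_epc  # old contents are overwritten; nothing is kept
        return True


def clone_from_sniffed(response: bytes) -> StaticTag:
    """Rogan's programmable emulator: load whatever was overheard into a tag."""
    return StaticTag(response)


class ChallengeTag:
    """Tag that transforms the reader's challenge with a shared key. HMAC is
    our choice here; the thread only says 'transforming a challenge'."""

    def __init__(self, epc: bytes, key: bytes):
        self.epc, self.key = epc, key

    def interrogate(self, challenge: bytes) -> bytes:
        mac = hmac.new(self.key, challenge + self.epc, hashlib.sha256).digest()[:8]
        return self.epc + mac


class ReplayTag:
    """Emulator that only holds one recorded reply and replays it verbatim."""

    def __init__(self, recorded_reply: bytes):
        self.recorded_reply = recorded_reply

    def interrogate(self, challenge: bytes) -> bytes:
        return self.recorded_reply


def reader_authenticates(tag, key: bytes, challenge: Optional[bytes] = None) -> bool:
    """Reader side: fresh random challenge, then verify the transformed reply."""
    challenge = challenge or os.urandom(8)
    reply = tag.interrogate(challenge)
    epc, mac = reply[:EPC_BYTES], reply[EPC_BYTES:]
    expected = hmac.new(key, challenge + epc, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(mac, expected)


def run_demo() -> dict:
    epc = bytes.fromhex("30000000000000000000abcd")  # constructed sample EPC
    results = {}

    # 1. Static tag: wrong signal gets silence, but one sniffed reply is all
    #    an emulator needs to pass as the original.
    real = StaticTag(epc, write_password=b"s3cret")
    results["silent_on_wrong_signal"] = real.interrogate(b"HELLO") is None
    fake = clone_from_sniffed(real.interrogate(QUERY))
    results["clone_indistinguishable"] = fake.interrogate(QUERY) == real.interrogate(QUERY)

    # 2. Password lock: a wrong password locks programming, not reading.
    new_epc = bytes(EPC_BYTES)
    results["bad_pw_rejected"] = not real.program(new_epc, b"guess", now=0.0)
    results["good_pw_during_lockout"] = not real.program(new_epc, b"s3cret", now=10.0)
    results["still_readable"] = real.interrogate(QUERY) == epc
    results["good_pw_after_lockout"] = real.program(new_epc, b"s3cret", now=61.0)
    results["old_data_gone"] = real.interrogate(QUERY) == new_epc

    # 3. Challenge-response tag: a recorded reply fails against a fresh challenge.
    key = b"shared-tag-key"
    secure = ChallengeTag(epc, key)
    c1, c2 = b"\x01" * 8, b"\x02" * 8  # fixed challenges so the demo is repeatable
    recorded = secure.interrogate(c1)
    results["genuine_passes"] = reader_authenticates(secure, key, c2)
    results["replay_fails"] = not reader_authenticates(ReplayTag(recorded), key, c2)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The point of the third block is the distinction Rogan draws: with a static reply the cloned tag is indistinguishable from the real one by construction, whereas once the tag transforms a per-interrogation challenge, a recorded reply is only good for the challenge it was recorded against. The password lock in the second block protects the write path only; the read path, and therefore cloning, is unaffected, which matches what James describes.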


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:54 EDT