RE: RFID Tags

From: Steven Trewick (STrewick@joplings.co.uk)
Date: Wed May 12 2004 - 05:53:30 EDT


> -----Original Message-----
> From: Rob Shein [mailto:shoten@starpower.net]
 
 
> It seems to me that some of these attacks sound great at
> first, but break down when you consider how it would REALLY
> play out

<snip>

> As for credit cards, this is extremely easy to deal with.
> The cards themselves that have been seen so far have a very
> limited range, measured in inches. I can think of a wallet
> design that would shield the cards a bit,

Yes, one merely needs to store it under one's tin foil hat,
and safety is assured :-)

> and thus cut that down to the point where the black hat would
> have to make physical contact with the wallet to be able to pull
> the information; at this point you're going to notice the black hat
> as he goes down the car rubbing up against everyone like a
> comically-indiscreet pickpocket.

I was under the impression (which may well not be correct) that
passive RFID tags derive their operational power supply from the
radio signal transmitted by the reader. If this is the case, is
it not possible to simply transmit a higher power signal, and thus
boost the response from the tag to gain more range? (Obviously,
this becomes the arms/armour cycle in the end if we are talking about
shielding.) Or even simply build an extremely sensitive receiver
and place it near where the cards will be used? (etc.)

> And this all assumes that all the credit cards in the wallet don't
> respond at the same time, on the same frequency, thus garbling the
> results.

If it were the case that multiple tags in close proximity responding
to a probe would confuse a reader in this scenario, how would you account
for the technology's ability to perform the scenario you outline below,
viz. inventorying a crate of goods containing tags in close proximity,
which (for the sake of argument) could respond at the same time, on
the same frequency?

> I don't think RFID was ever intended to be a feature of security,
> but rather one of convenience. Things like being able to inventory a
> packing crate without opening it, having a credit card without a
> magnetic strip to wear out, and groceries that can be scanned while
> still in the shopping cart...these are the benefits of RFID technology.
> As with all increases in functionality, there is opportunity for added
> insecurity, but it's not the end of the world either.

I agree, even if you are capable of retrieving the information
off the tag (which in most cases will likely be some kind of
semi-unique item ID), it makes no sense outside of the informational
context within which it is embedded.

A unique ID on an RFID-enabled credit card need not necessarily
be the same as the card number, it could be a reference number
to the CC issuer's card database, and possession of the number does
not necessarily imply the ability to correctly present and (more
importantly) authenticate the card during a transaction.

On the other hand, if you are doing a pen test (or are a blackhat)
being able to gain covert (ish) access to even a single unique
identifier could be enough to get you in through someone's maze,
(although obviously, it shouldn't be, but that's what you're supposed
to be testing, right? :-)

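The crate-inventory point raised in the reply above, as an added example that is not part of the original post: a small simulation of framed slotted ALOHA, a common family of RFID anti-collision schemes. The thread names no protocol, so that choice, the tag IDs and the function name `inventory` are assumptions; the run shows the same five tags staying unreadable when they all answer in a single slot and being read one by one once the reader arbitrates, which is why reply collisions should not be counted on as a privacy control.

```python
import random

def inventory(tag_ids, frame_size=1, adapt=True, max_rounds=50, seed=2004):
    """Return (ids_read, rounds_used, collided_slots) for one inventory run."""
    rng = random.Random(seed)          # fixed seed so the run is repeatable
    pending = set(tag_ids)             # tags the reader has not yet singulated
    ids_read, collided, rounds = [], 0, 0
    while pending and rounds < max_rounds:
        rounds += 1
        # Each unread tag picks one reply slot in this frame at random.
        slots = {}
        for tag in sorted(pending):
            slots.setdefault(rng.randrange(frame_size), []).append(tag)
        round_collisions = 0
        for slot in sorted(slots):
            replies = slots[slot]
            if len(replies) == 1:      # lone reply: the reader decodes the ID
                ids_read.append(replies[0])
                pending.discard(replies[0])
            else:                      # overlapping replies: garbled slot
                round_collisions += 1
        collided += round_collisions
        # The reader widens the next frame when it saw garbled slots.
        if adapt and round_collisions:
            frame_size = min(frame_size * 2, 256)
    return ids_read, rounds, collided

# Constructed sample: five tag IDs sharing one crate (or one wallet).
TAGS = ["tag-A", "tag-B", "tag-C", "tag-D", "tag-E"]

if __name__ == "__main__":
    print("single slot, no arbitration:", inventory(TAGS, adapt=False))
    print("adaptive framed ALOHA:      ", inventory(TAGS))
```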




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:54 EDT