RFID technology has been integrated into credit cards, passports, smart cards, locks, product tracking, cars, inventory systems, and humans. Yes, even humans have embedded RFID chips into their hands, wrists and shoulders to open locks, turn on lights and pay for drinks.
Don’t get me wrong: I think RFID makes a lot of sense for identification, such as tracking packages in shipping around the country or replacing barcodes. But when we’re talking about increasing the security of a system holding sensitive data, it does little to help.
RFID tags work by responding with a unique ID and possibly a blob of data that could be sensitive, such as the contents of a passport or payment information from a credit card or SpeedPass, a technology used to quickly pay for gasoline at Exxon and Mobil stations. Before RFID, a thief would have to physically steal your sensitive item to make a copy; luckily, with this new technology the thief simply has to walk by a victim to gather much, if not all, of what they need. It’s true that some encryption is used in these schemes, but much of it is easily broken or poorly implemented. Researchers at Johns Hopkins University were able to break the encryption schemes used by more than 150 million electronic car keys and 6 million SpeedPass tags. Furthermore, after a bit of work they were able to create a program that quickly and easily allowed the students to clone a tag, then use the clone to start the engines of cars that rely on the RFID technology and to buy gas. This is all possible simply by standing next to someone in an elevator, or sitting down at lunch next to the victim.
Last month Adam Laurie, a freelance security consultant, demonstrated simple cloning techniques that could be used to read and write the information contained within common RFID tags to blank tags.
Steps to steal your money
Now let’s break down the steps needed to clone that SpeedPass you have in your pocket right now: You happen to be unlucky enough to stand next to a malicious RFID thief in an elevator. In the time it takes you to go down 20 floors, the attacker has gathered enough information to successfully crack the encryption on the SpeedPass and clone it. The attacker then stops in at a coffee shop for a couple of hours while he or she runs the cracking software on the data they just gathered. Once this has been done, they write the result onto a custom writeable RFID tag that looks identical to the legitimate SpeedPass.
This technology isn’t just in SpeedPass tags: it’s now being shipped in US and many EU passports, it’s being used in MasterCard’s PayPass, and there is certainly more to come.
Is it really that difficult to take your card out of your wallet and swipe a magnetic strip? Many times you won’t even be asked to sign. Of course there are problems with that, but at least you’ll have an idea of when your credit card may have been stolen.
What can you do to protect yourself?
Well, it turns out those crazy people talking about the tinfoil hat were actually right: wrapping RFID tags in tinfoil will render them unreadable. A number of manufacturers have started to sell RFID-blocking wallets and passport holders for exactly this reason.
Look through your credit cards and keyless entry system cards and fobs and notice how many times we use RFID and how many locations it is securing. When you think all it takes is an attacker, a cloning machine and an elevator ride it gets kind of scary, huh?
There's your Monday rant...
--Joe Basirico
For more information please see these websites:
- http://www.jhu.edu/~jhumag/0405web/wholly.html#car
- http://www.rfidiot.org/
- https://www.speedpass.com