RE: RFID Tags

From: John (Tyler) Markowsky - Seccuris (tmarkowsky@seccuris.com)
Date: Tue May 11 2004 - 15:49:06 EDT


Like Wal-Mart in 1984, RFIDs are beginning to take off because of corporate
compliance requirements set by the United States Military. As mentioned
previously by Mr. Shein, these tags will be used to identify large,
previously packaged crates in secure warehouses.

The reactive, un-powered RFIDs pose little risk of personal, private
information imposition, for 1) you need to have a powerful receiver that
cycles through a large amount of varying standards; 2) costs associated with
implementing these everywhere are high and 3) people will be able to figure
out a way to mitigate the potential transmission (take tag off and throw in
garbage).

Regards,

Tyler Markowsky
IS Risk Analyst
Seccuris

-----Original Message-----
From: Rob Shein [mailto:shoten@starpower.net]
Sent: Tuesday, May 11, 2004 11:57 AM
To: stuart@cyberdelix.net; tim@labmonkey.co.uk
Cc: pen-test@securityfocus.com
Subject: RE: RFID Tags

It seems to me that some of these attacks sound great at first, but break
down when you consider how it would REALLY play out. For one, if you get on
the train and inventory everyone's clothing...how do you know which shirt
goes with which pants or shoes? You just have a list of clothes, all
jumbled up. If you're on the cast of "Queer Eye for the Straight Guy" it's
an effective thing to do, perhaps, but I don't see the point from a black
hat perspective.

As for credit cards, this is extremely easy to deal with. The cards
themselves that have been seen so far have a very limited range, measured in
inches. I can think of a wallet design that would shield the cards a bit,
and thus cut that down to the point where the black hat would have to make
physical contact with the wallet to be able to pull the information; at this
point you're going to notice the black hat as he goes down the car rubbing
up against everyone like a comically-indiscreet pickpocket. And this all
assumes that all the credit cards in the wallet don't respond at the same
time, on the same frequency, thus garbling the results.

I don't think RFID was ever intended to be a feature of security, but rather
one of convenience. Things like being able to inventory a packing crate
without opening it, having a credit card without a magnetic strip to wear
out, and groceries that can be scanned while still in the shopping
cart...these are the benefits of RFID technology. As with all increases in
functionality, there is opportunity for added insecurity, but it's not the
end of the world either.

> -----Original Message-----
> From: lsi [mailto:stuart@cyberdelix.net]
> Sent: Tuesday, May 11, 2004 4:50 AM
> To: tim@labmonkey.co.uk
> Cc: pen-test@securityfocus.com
> Subject: Re: RFID Tags
>
>
> I read about some theoretical attacks on RFID:
>
> - unauthorised usage: Black Hat walks onto train with rogue ID
> sniffer, gets IDs of all tags in the carriage - this info might be
> used to compute the relative value of each commuter's clothes and
> belongings, and their origins. If RFIDs go into drivers licenses,
> passports etc, then the presence of those documents will be revealed
> without a search. If the RFIDs go into credit cards, Black Hat will
> know how many, and which ones, you have. And if RFIDs go into cash,
> then Black Hat will know how much you're carrying.
>
> - replay attack: sniff a tag's ID, then later, play it back to the
> detector and impersonate that tag
>
> "Security professionals need to realize that RFID tags are dumb
> devices. They listen, and they respond. Currently, they don't care
> who sends the signal. Anything your companies' transceiver can
> detect, the bad guy's transceiver can detect. So don't be lulled into
> a false sense of security." --
> http://www.securityfocus.com/columnists/169
>



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:54 EDT