RE: RFID Tags

From: Rob Shein (shoten@starpower.net)
Date: Wed May 12 2004 - 11:49:38 EDT


Some good points; comments inline.

> -----Original Message-----
> From: Steven Trewick [mailto:STrewick@joplings.co.uk]
> Sent: Wednesday, May 12, 2004 5:54 AM
> To: 'Rob Shein'; stuart@cyberdelix.net; tim@labmonkey.co.uk
> Cc: pen-test@securityfocus.com
> Subject: RE: RFID Tags

<snip>

> > and thus cut that down to the point where the black hat would
> > have to make physical contact with the wallet to be able to pull
> > the information; at this point you're going to notice the black hat
> > as he goes down the car rubbing up against everyone like a
> > comically-indiscreet pickpocket.
>
> I was under the impression, (which may well not be correct)
> that passive RFID tags derive their operational power supply
> from the radio signal transmitted by the reader. If this is
> the case, is it not possible to simply transmit a higher
> power signal, and thus boost the response from the tag to
> gain more range? (Obviously, this becomes the arms/armour
> cycle in the end if we are talking about shielding.) Or even
> simply build an extremely sensitive receiver and place it near
> where the cards will be used? (etc)

Higher power, based on what? And what about the nearer RFIDs you cook while
trying to get enough power to the ones that are further away? And of course
this assumes that you can get enough gain without overloading all of them
(or cooking your own gonads).

>
> > And this all assumes that all the credit cards in the wallet don't
> > respond at the same time, on the same frequency, thus garbling the
> > results.
>
> If it were the case that multiple tags in close proximity
> responding to a probe would confuse a reader in this
> scenario, how would you account for the technology's ability
> to perform the scenario you outline below, viz inventorying a
> crate of goods containing tags in close proximity, which (for
> the sake of argument) could respond at the same time, on the
> same frequency?
 
These are different tags than you find in a credit card. Keep in mind that
all RFID is, by definition, is something that transmits an identifier using
radio signals. As such, there are vastly different implementations, with
solutions for different problems.

 
> > I don't think RFID was ever intended to be a feature of security,
> > but rather one of convenience. Things like being able to inventory a
> > packing crate without opening it, having a credit card without a
> > magnetic strip to wear out, and groceries that can be scanned while
> > still in the shopping cart...these are the benefits of RFID technology.
> > As with all increases in functionality, there is opportunity for added
> > insecurity, but it's not the end of the world either.
>
>
> I agree, even if you are capable of retrieving the information
> off the tag (which in most cases will likely be some kind of
> semi-unique item ID), it makes no sense outside of the informational
> context within which it is embedded.
>
> A unique ID on a RFID enabled credit card need not necessarily
> be the same as the card number, it could be a reference number
> to the CC issuers card database, and possession of the number does
> not necessarily imply the ability to correctly present and (more
> importantly) authenticate the card during a transaction.
>
> On the other hand, if you are doing a pen test (or are a blackhat)
> being able to gain covert (ish) access to even a single unique
> identifier could be enough to get you in through someone's maze,
> (although obviously, it shouldn't be, but that's what you're supposed
> to be testing, right ? :-)
>




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:54 EDT