Re: RFID Tags

From: Mister Coffee (live4java@stormcenter.net)
Date: Mon May 17 2004 - 12:01:13 EDT


On Wed, May 12, 2004 at 04:43:51PM -0500, Thompson, Jimi wrote:
<snip>
>
> Let's go back to our hypothetical commuter train for a moment. I think
> that this would be more valuable in a targeted attack than a general
> fishing expedition.

Definitely. Getting a sweep from an individual will be more useful than pinging an entire train (bus, theater, etc.) worth of people. Even if you could localize the responses (not a sure thing - signal strength, as mentioned previously, is not a sure indication of source) the sheer volume of information returned would probably make it of dubious value in a real-time situation.

> Let's pretend for a moment that I'm a black hat and
> I'm looking to score. The one thing people carry with them that's the
> most valuable is data. If I've been hired by ABC Company to snoop on
> XYZ Company, all I have to do find out which train the Finance Manager,
> Senior Director John Doe, rides on. Now I walk up to him, and instead
> of bumping into everyone on the train, I just bump into John Doe. By
> doing this, I've just cloned the contents of his wallet, PDA, cell
> phone, and briefcase.

But have you? You've gotten RFID identifiers from ID'd hardware your target is carrying. That's not cloning the data that's contained on those items.

> If the business cards he's got tucked away carry
> RFID, I know who his business contacts are. His cell phone will give me
> even more data. Since cell encryption is a joke, at least in the US, I
> should be able to tap in to all the important cell numbers and monitor
> their discussions.

That would depend on how "smart" the RFID tags were on said business cards, which, while useful data, may not be meaningful. How many cards are in your wallet for people that don't really matter? And his Cell -may- give you more data, but from an RFID scan? Getting a cell phone to spill its guts remotely is a separate issue. While I haven't done much research into exploiting cell phones myself, I don't recall them being that easy to crack.

> I might even be able to remotely activate the phone
> and with the contents of his PDA, I'll have a better idea of when I want
> to listen.

And his Palm will spill its contents on a simple RFID probe? Even one equipped with Bluetooth and Wireless isn't going to spill its guts if it's not turned on. Remotely cracking a live one may certainly be possible, but again, it's not a matter of a simple RFID probe.

> I can probably find out what his credit cards are being used
> for, even if I can't charge things on them myself. I'll know where he
> shops, since his clothing and other items all have RFID. How much more
> do you want to "own" someone? Using the information that tapping his
> personal data gives me, I can expand my net to include other employees
> of XYZ Company. If he's doing anything indiscreet, I'm going to know
> about it in fairly short order and then he's really mine.
>
You can almost certainly find out what his credit cards -are-, but transaction records from an RFID probe? Admittedly, having the card numbers would give you an off-line attack, but only for the cards that responded and you could identify.

Have to admit though, that Victoria's Secret tag coming back from Mister Jones could be useful...

> I can't get end users to quit downloading on line Casino software. I'm
> certainly not going to be able to get them to purchase shielded wallets!
>
Amen! Users are often their own worst enemy.

> Why should the attack simply be to read the data? What if I replace the
> data? Or what if I just destroy the data? Or if I'm a terrorist and I
> want to hide my identity? Can I obscure the data from law enforcement
> while I'm in a crowd at say a rock concert?
>
Replacing or destroying the data depends on the capability of the RFID tags you're trying to manipulate and how much gear you can reasonably conceal. Perhaps more interesting (and not something I've seen mentioned): building an "RFID Manipulation detector" should be considerably easier than building equipment that can remotely activate, read, and localize RFID tags.

Not only is your attack easy to detect, it would be easy to defend against and jam (answering your "hide at a concert" question). While the average "Joe Normal" won't worry about it, or even be aware of it, a high ranking corporate officer with a half-way competent InfoSec team will probably be well aware of it. A directed attack would probably be against a high value target - the same target that's most likely to be defended.

Cheers,
L4J




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:54 EDT