Re: RFID Tags

From: Mister Coffee (live4java@stormcenter.net)
Date: Wed May 19 2004 - 12:01:27 EDT


On Wed, May 19, 2004 at 02:58:43AM +0100, lsi wrote:
> Firstly, it's evident there's a bunch of potential attacks out there.
>
Amen.

> In addition to unauthorised usage and replay attacks, multiple people
> have pointed out the potential for Denial of Service attacks, against
> the card, against the reader, against the user, or against the back-
> end database.
>
Agreed on all points. The fact that the technology is intended to be dirt cheap works against it being especially robust.

> Some people have also suggested attacks on data
> integrity, whereby false data is written back to the tag, in order to
> later manipulate the database which stores the altered data; others
> have suggested falsifying either the data on the tag, or the tags
> themselves, for various purposes.
>
Data manipulation of course depends on the capabilities of the individual tags. A point I know you're aware of. Creating fake tags (or simply acquiring surplus ones - imagine the fun you could have with a bunch of product tags from a competitor's store on some shop's "smart" shelves) is almost certainly possible, as should be creating a 'spoofing transponder' that will respond to an RFID query however we want it to. Depending on the range to the scanner and the relative strength of the "normal" reply, we should be able to easily overwhelm the expected signal with our own.
 
> More comments inline..
>
> > > Let's go back to our hypothetical commuter train for a moment. I think
> > > that this would be more valuable in a targeted attack than a general
> > > fishing expedition.
> >
> > Definitely. Getting a sweep from an individual will be more useful
> > than pinging an entire train (bus, theater, etc.) worth of people.
> > Even if you could localize the responses (not a sure thing - signal
> > strength, as mentioned previously, is not a sure indication of source)
> > the sheer volume of information returned would probably make it of
> > dubious value in a real-time situation.
>
> My one-word counter to the signal strength issue is: triangulation.
> OK, so this requires two readers and a bit of number-crunching. But
> depending on the value of the target, this is feasible. This
> technique would involve two transceivers pinging the tags
> simultaneously, and correlating the returned signal strength and tag
> data. It would allow the attackers to build a 3D map of every tag in
> range.
>
It's not quite that simple, but yes, having multiple receivers could localize your target. In the specific example of a crowded commuter bus/train/ferry/what have you, it becomes very difficult. However, as you point out, a high value target makes the effort worthwhile. Further, with a high value target you'd already know who you were trying to scan, and could pick your approach so localization won't be an issue.

The 3D map of all tags in range is fascinating, but I suspect there may be some issues with building usable hardware into a concealable form. We're assuming "Badguy gets onto a train to scan" situation. If I can place my equipment ON the train beforehand, my life (as the scanner) gets dramatically easier.

At least until someone brings his Pocket Pal RFID Jam-O-Matic 2000 to work.
 
> Couple this with the Big Database of All RFIDs in the Known Universe,
> and you have a device that can instantly identify and geolocate high-
> value targets, or targets matching specific criteria.
>
A bit big-brothery, but certainly conceivable. Of course, there is the search time on what will become an insanely large database. If my antagonist is portable, there are communications issues too. Plus the ongoing issue of trying to locate and sort through the huge number of signals you're bound to get in a crowd.
 
I don't put this past the Three Letter Acronym folks, but I suspect it's more resources than most potential attackers can manage.

> > > the case, is it not possible to simply transmit a higher
> > > power signal, and thus boost the response from the tag to
> > > gain more range?
>
> > Higher power, based on what? And what about the nearer RFIDs you cook while
> > trying to get enough power to the ones that are further away? And of course
> > this assumes that you can get enough gain without overloading all of them
> > (or cooking your own gonads).
>
> This attack is not suitable for all scenarios, as you note. However
> it would be suitable for a targeted attack on a specific individual,
> as the distance between the attacker and the victim could be
> controlled by the attacker. The attackers would of course wear foil
> underwear.
>
Agreed. For a targeted attack, I could simply arrange to walk along next to Mister CEO Target Guy for a block or so while he's on his way to work (we're still working from the Bus/Train scenario). Other situations would require different tactics, but most aren't especially difficult to arrange.

There are still defenses to contend with. And, the nice thing with a short range target attack, we can drop the power levels enough to make the foil shorts unnecessary.

> Some people have questioned whether it's a big deal to be able to
> recover tag data. Some tags store more than just ID's, so it's not
> as simple as saying 'it's just a number'. But even if it was just a
> number. Just one unique number leaking from your person could be
> used to track you around the transit system. A whole bunch of them
> would let the Watchers know what *mood* you were in! Your particular
> combination of RFIDs would make a specific pattern on their screens;
> and they could watch it morph, day-to-day, play it back and see when
> you bought this, when you stopped wearing that. Maybe nobody cares -
> today.
>
Again, seems a bit big-brothery, not unlike the ubiquitous retina scans in Minority Report. The resources for such a system would be impressive. The sort of things governments do, rather than professional pen-testers, amateur spooks, industrial spies, and the rest of us security geeks.

> What about tomorrow? Maybe it would suit someone to know
> where all the DVDs of Michael Moore's latest movie actually
> WENT...... Marketers could show you ads targeted at your specific
> shoesize. Stores in competition with one another could monitor the
> spending habits of people simply walking through their doors - no
> need to make a purchase! And if you ever did, well they could match
> all that up with your name, if you had one single leaking RFID on you
> at the time, that you also had on you when you were there previously.
>
I'm sure the stores would LOVE to know all that information. Which begs the question: if you, as a store, know the capability exists and that your competitors are using it, will you leave your merchandise tags "live" when they leave the store? You already have the customer information on what they bought. The tags are potentially more valuable to the competition than they are to you.

> And this is only for RFIDs in shoes, jeans, etc. The privacy
> implications for RFIDs in documents would be far worse. An RFID in a
> drivers' license would take all the fun out of matching up
> individuals with RFID combinations!
>
There are certainly privacy implications for RFID, but I don't think it's going to be as severe as some have suggested. The physics of radio itself become an issue, especially when the number of devices within range grows to the levels expected. If I'm concerned about my privacy, jamming the RFID signals will be painfully easy.
 
> It seems to me that without authentication, these things are at best,
> useless, and at worst, an open door for criminal activity.
>
I disagree. They're very useful for some of the functions they're being employed for: inventory tracking, anti-theft, etc. There are other potential benign uses for them, and some of the more "intelligent" tags show potential - if they include authentication of some form as you suggest.
 
> Stuart
>

Cheers,
L4J

ps. Can I interest anyone in a Pocket Pal RFID Jam-O-Matic 2000 franchise?



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:54 EDT