RFID security for developer dummies

Chipping away


We've been hearing about RFID for a while (see the RFID Gazette, for example, here). The technology is genuinely useful as it solves an identification problem faster than other methods.

So, a store knows what product you've brought to the checkout without having to scan the barcode, for example, and the US government wants to put RFID in passports (see Bruce Schneier here, commenting on an article in Wired) so that instead of people forming orderly queues in front of a border guard they can be mass-processed.

Credit card companies want to put RFID in your credit card - instead of the slow process of swiping your card and entering your PIN you can wave it near a reader without taking it out of your wallet.

We're looking at an explosion of the applications of RFID, and a chunk of last month's RSA Conference in Nice was dedicated to highlighting the security risks associated with this.

Identity theft is a big concern as a terrorist can alter his passport to emit an assumed identity to get past a security check point, possibly with less risk than that associated with forged paperwork. And, if a thief creates an RFID chip that emits your card details, he doesn't even need to bother to make it look like a credit card because it stays in his wallet.

Privacy is another issue: you buy something in a store that uses RFID inventory control and, all day long, anyone interested can tell what you're carrying and where you shop. Some people argue that this information isn't personal: RFID scanning a crowd may tell you that someone is carrying HIV treatments or pornographic films, but it doesn't identify the person.

Nevertheless, things might be different if the person also happens to be carrying an RFID-enabled credit card, a passport, a store fidelity card, or whatever the next piece of RFID-enabled identification is.

A less personal threat is one against the enterprise that increasingly uses RFID to streamline business processes. The technology is being applied in new areas such as supply chain management, and each new application widens the attack surface. If organised crime wants to know whether a warehouse is worth robbing, it now has a whole new way of finding out. Who knows whether there will also be ways to extort by means of "denial of RFID service" attacks? Life will certainly be easier for the industrial "espions" among us.

Efforts are under way to mitigate the security risks, and several organisations have published codes of conduct that contain good solutions for privacy protection. For example, the RFID tags on your shopping will have tear-off antennas that are removed at check out.

This means they cannot be read remotely after you've paid for the goods. The effectiveness of these protections will, of course, depend on whether and how they're implemented; clearly the stores would prefer a voluntary code of practice, but with regulation the consumer can have more confidence that corporations will do the right thing.

Regarding credit cards, it seems the motivation for this technology is to allow small payments to be processed more quickly. We've all been stuck behind someone searching for bus change and personally I'm all for anything that reduces my chances of being provoked into homicide. The designers of RFID micro payments say you'll have to wave your wallet right in front of the card reader so it's totally secure.

However, this conflates the distance at which the system is designed to work reliably with the maximum distance at which it will work if you're lucky. In other words, the card will always be readable at a couple of centimetres by normal equipment, but what is the distance it will work at for the criminal who has invested in specialist card reading equipment?

Would it be practical, for example, for someone with such equipment to walk through a crowded shopping centre, walking close to people, skimming card numbers without anyone realising? As long as the thief can get enough credit card numbers or make enough micro payments then the attack works, even if some cards can't be read.

With an RFID credit card, the attack will be invisible and we're not going to know it's happened until the end of the month when we trawl our credit card bill to pick out the bus-fare-sized payments we didn't make.

Of course, the card companies tell us this can't happen as the technology is completely safe, but security researchers sometimes discover otherwise.

On the bright side, at least there's going to be a whole new market for aluminum wallets... ®
