RFID security for developer dummies

Chipping away


We've been hearing about RFID for a while (see the RFID Gazette, for example, here). The technology is genuinely useful: a tag can be identified without contact or line of sight, and faster than a barcode can be scanned or a magnetic stripe swiped.

So, a store knows what product you've brought to the checkout without having to scan the barcode, for example, and the US government wants to put RFID in passports (see Bruce Schneier here, commenting on an article in Wired) so that instead of people forming orderly queues in front of a border guard they can be mass-processed.

Credit card companies want to put RFID in your credit card - instead of the slow process of swiping your card and entering your PIN you can wave it near a reader without taking it out of your wallet.

We're looking at an explosion of the applications of RFID, and a chunk of last month's RSA Conference in Nice was dedicated to highlighting the security risks associated with this.

Identity theft is a big concern: a terrorist could alter or clone the chip in a passport so that it emits an assumed identity at a checkpoint, possibly with less risk than forged paperwork carries. And if a thief builds a chip that emits your card details, he doesn't even need to bother making it look like a credit card, because it never leaves his wallet.

Privacy is another issue: you buy something in a store that uses RFID inventory control and, all day long, anyone interested can tell what you're carrying and where you shop. Some people argue that this information isn't personal: scanning a crowd for tags may tell you that someone is carrying HIV treatments or pornographic films, but it doesn't identify the person.

Nevertheless, things might be different if the person also happens to be carrying an RFID-enabled credit card, a passport, a store fidelity card, or whatever the next piece of RFID-enabled identification is.

A less personal threat is the one to the enterprise, which increasingly uses RFID to streamline business processes. The technology is being applied in new areas such as supply chain management, and each new application widens the attack surface. If organised crime wants to know whether a warehouse is worth robbing, it has a whole new reconnaissance channel. Who knows whether there will also be extortion by means of "denial of RFID service" attacks? Life will certainly be easier for the industrial "espions" among us.

Efforts are under way to mitigate the security risks, and several organisations have published codes of conduct containing good solutions for privacy protection. For example, the RFID tags on your shopping can have tear-off antennas that are removed at checkout.

This means they cannot be read remotely after you've paid for the goods. The effectiveness of these protections will, of course, depend on whether and how they're implemented; clearly the stores would prefer a voluntary code of practice, but with regulation the consumer can have more confidence that corporations will do the right thing.

Regarding credit cards, it seems the motivation for this technology is to let small payments be processed more quickly. We've all been stuck behind someone searching for bus change, and personally I'm all for anything that reduces my chances of being provoked into homicide. The designers of RFID micro payments say you'll have to wave your wallet right in front of the card reader, so it's totally secure.

However, this conflates the distance at which the system is designed to work reliably with the maximum distance at which it will work if you're lucky. In other words, the card will always be readable at a couple of centimetres by ordinary equipment, but at what distance will it work for the criminal who has invested in specialist reading equipment, such as a larger antenna and a more powerful reader?

Would it be practical, for example, for someone with such equipment to walk through a crowded shopping centre, brushing past people and skimming card numbers without anyone realising? As long as the thief collects enough credit card numbers or makes enough micro payments, the attack pays off, even if some cards can't be read.

With an RFID credit card, the attack will be invisible, and we're not going to know it has happened until the end of the month, when we trawl our credit card bill to pick out the bus-fare-sized payments we didn't make.

Of course, the card companies tell us this can't happen as the technology is completely safe, but security researchers sometimes discover otherwise.

On the bright side, at least there's going to be a whole new market for aluminum wallets... ®
