RFID security for developer dummies
We've been hearing about RFID for a while (see the RFID Gazette, for example, here). The technology is genuinely useful as it solves an identification problem faster than other methods.
So, a store knows what product you've brought to the checkout without having to scan the barcode, for example, and the US government wants to put RFID in passports (see Bruce Schneier here, commenting on an article in Wired) so that instead of people forming orderly queues in front of a border guard they can be mass-processed.
Credit card companies want to put RFID in your credit card - instead of the slow process of swiping your card and entering your PIN you can wave it near a reader without taking it out of your wallet.
We're looking at an explosion of the applications of RFID, and a chunk of last month's RSA Conference in Nice was dedicated to highlighting the security risks associated with this.
Identity theft is a big concern as a terrorist can alter his passport to emit an assumed identity to get past a security check point, possibly with less risk than that associated with forged paperwork. And, if a thief creates an RFID chip that emits your card details, he doesn't even need to bother to make it look like a credit card because it stays in his wallet.
Privacy is another issue: you buy something in a store that uses RFID inventory control and all day long anyone interested can tell what you're carrying and where you shop. Some people argue that this information isn't personal, as RFID scanning a crowd may tell you that someone is carrying HIV treatments or pornographic films but it doesn't identify the person.
Nevertheless, things might be different if the person also happens to be carrying an RFID-enabled credit card, a passport, a store fidelity card, or whatever the next piece of RFID-enabled identification is.
A less personal threat is one against the enterprise that increasingly uses RFID to streamline business processes. The technology is being applied in new areas such as supply chain management; and each new application increases the vulnerability of the technology to attacks. If organised crime wants to know if a warehouse is worth exploiting then they've a whole new attack vector to exploit. Who knows if there will also be ways to extort by means of "denial of RFID service" attacks? Life will certainly be easier for the industrial "espions" among us.
Efforts are under way to mitigate the security risks, and several organisations have published codes of conduct that contain good solutions for privacy protection. For example, the RFID tags on your shopping will have tear-off antennas that are removed at check out.
This means they cannot be read remotely after you've paid for the goods. The effectiveness of these protections will, of course, depend on if and how they're implemented; clearly the stores would prefer a voluntary code of practice, but with regulation the consumer can have more confidence that corporations will do the right thing.
Regarding credit cards, it seems the motivation for this technology is to allow small payments to be processed more quickly. We've all been stuck behind someone searching for bus change and personally I'm all for anything that reduces my chances of being provoked into homicide. The designers of RFID micro payments say you'll have to wave your wallet right in front of the card reader so it's totally secure.
However, this confuses the difference between the distance the system is designed to work at reliably and the maximum distance it will work at if you're lucky. In other words, the card will always be readable at a couple of centimeters by normal equipment, but what's the distance it will work at for the criminal who has invested in specialist card reading equipment?
Would it be practical, for example, for someone with such equipment to walk through a crowded shopping centre, walking close to people, skimming card numbers without anyone realising? As long as the thief can get enough credit card numbers or make enough micro payments then the attack works, even if some cards can't be read.
With an RFID credit card, the attack will be invisible and we're not going to know it's happened until the end of the month when we trawl our credit card bill to pick out the bus-fare-sized payments we didn't make.
On the bright side, at least there's going to be a whole new market for aluminum wallets... ®