RFID security for developer dummies

Chipping away

Boost IT visibility and business value

We've been hearing about RFID for a while (see the RFID Gazette, for example, here). The technology is genuinely useful as it solves an identification problem faster than other methods.

So, a store knows what product you've brought to the checkout without having to scan the barcode, for example, and the US government wants to put RFID in passports (see Bruce Schneier here, commenting on an article in Wired) so that instead of people forming orderly queues in front of a border guard they can be mass-processed.

Credit card companies want to put RFID in your credit card - instead of the slow process of swiping your card and entering your PIN you can wave it near a reader without taking it out of your wallet.

We're looking at an explosion of the applications of RFID, and a chunk of last month's RSA Conference in Nice was dedicated to highlighting the security risks associated with this.

Identity theft is a big concern as a terrorist can alter his passport to emit an assumed identity to get past a security check point, possibly with less risk than that associated with forged paperwork. And, if a thief creates an RFID chip that emits your card details, he doesn't even need to bother to make it look like a credit card because it stays in his wallet.

Privacy is another issue: you buy something in a store that uses RFID inventory control and all day long anyone interested can tell what you're carrying and where you shop. Some people argue that this information isn't personal, as RFID scanning a crowd may tell you that someone is carrying HIV treatments or pornographic films but it doesn't identify the person.

Nevertheless, things might be different if the person also happens to be carrying an RFID-enabled credit card, a passport, a store fidelity card, or whatever the next piece of RFID-enabled identification is.

A less personal threat is one against the enterprise that increasingly uses RFID to streamline business processes. The technology is being applied in new areas such as supply chain management; and each new application increases the vulnerability of the technology to attacks. If organised crime wants to know if a warehouse is worth exploiting then they've a whole new attack vector to exploit. Who knows if there will also be ways to extort by means of "denial of RFID service" attacks? Life will certainly be easier for the industrial "espions" among us.

Efforts are under way to mitigate the security risks, and several organisations have published codes of conduct that contain good solutions for privacy protection. For example, the RFID tags on your shopping will have tear-off antennas that are removed at check out.

This means they cannot be read remotely after you've paid for the goods. The effectiveness of these protections will, of course, depend on if and how they're implemented; clearly the stores would prefer a voluntary code of practice, but with regulation the consumer can have more confidence that corporations will do the right thing.

Regarding credit cards, it seems the motivation for this technology is to allow small payments to be processed more quickly. We've all been stuck behind someone searching for bus change and personally I'm all for anything that reduces my chances of being provoked into homicide. The designers of RFID micro payments say you'll have to wave your wallet right in front of the card reader so it's totally secure.

However, this confuses the difference between the distance the system is designed to work at reliably and the maximum distance it will work at if you're lucky. In other words, the card will always be readable at a couple of centimeters by normal equipment, but what's the distance it will work at for the criminal who has invested in specialist card reading equipment?

Would it be practical, for example, for someone with such equipment to walk through a crowded shopping centre, walking close to people, skimming card numbers without anyone realising? As long as the thief can get enough credit card numbers or make enough micro payments then the attack works, even if some cards can't be read.

With an RFID credit card, the attack will be invisible and we're not going to know it's happened until the end of the month when we trawl our credit card bill to pick out the bus-fare-sized payments we didn't make.

Of course, the card companies tell us this can't happen as the technology is completely safe, but security researchers sometimes discover otherwise.

On the bright side, at least there's going to be a whole new market for aluminum wallets... ®

The essential guide to IT transformation

More from The Register

next story
Munich considers dumping Linux for ... GULP ... Windows!
Give a penguinista a hug, the Outlook's not good for open source's poster child
The Return of BSOD: Does ANYONE trust Microsoft patches?
Sysadmins, you're either fighting fires or seen as incompetents now
Intel's Raspberry Pi rival Galileo can now run Windows
Behold the Internet of Things. Wintel Things
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Eat up Martha! Microsoft slings handwriting recog into OneNote on Android
Freehand input on non-Windows kit for the first time
Time to move away from Windows 7 ... whoa, whoa, who said anything about Windows 8?
Start migrating now to avoid another XPocalypse – Gartner
You'll find Yoda at the back of every IT conference
The piss always taking is he. Bastard the.
prev story


5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.