Cellphone Could Crack RFID Tags
diverge_s writes "Adi Shamir of RSA is at it again. This time pointing out flaws in RFID systems. From the article: 'I haven't tested all RFID tags, but we did test the biggest brand and it is totally unprotected,' Shamir said. Using this approach, 'a cellphone has all the ingredients you need to conduct an attack and compromise all the RFID tags in the vicinity.'"
Link to the dude itself, dude! (Score:5, Informative)
http://media.omediaweb.com/rsa2006/1_5/1_5_High.a
Prof Shamir comes on at 6:15, but I recommend watching the whole hour through.
Shamir (Score:1, Insightful)
Re:Shamir (Score:5, Interesting)
The patent was never applicable in the UK nor the EU.
Re:Shamir (Score:5, Insightful)
This "prior art" did not count as it was unpublished. However the point about the mathematics is exactly correct. Shamir is one of the greatest trinity of conmen to ever plague the computer industry.
If you ever want to know why you still don't have encrypted email, this guy is 33.33333....% of the reason.
Re:Shamir (Score:3, Interesting)
So, why haven't we seen people working on a simple to use way to do encrypted email now that they don't have to pay RSA for the patent?
Re:Shamir (Score:2, Insightful)
I well remember the party I attended to celebrate the patent expiry, in September 2000
Ever used Outlook? Or Thunderbird? Those email clients (and many others) do have a simple way to encrypt (and sign) email using S/MIME. The problem never was patent restrictions, rather the difficulties associated with key manag
Re:Shamir (Score:2)
PGP (or GPG) is a better option, you don't need to buy anything.
I want to see PGP/GPG support in email programs.
Or, at least, something that can layer on top of all major email programs and can handle PGP/GPG.
Re:Shamir (Score:2, Informative)
Dude, 2000 called. They want their excuse back.
The first copy of PGP was released in 1991 [1] [vie-privee.org]
The RSA patent expired in 2000. If you're in the US. I don't believe it was patented elsewhere. [2] [daemonnews.org]
Re:Shamir (Score:2)
Re:Shamir (Score:2)
Because unencrypted standards are firmly entrenched... thanks to RSA!
this thread (Score:2, Interesting)
Re:this thread (Score:2, Informative)
Re:Shamir (Score:5, Insightful)
I disagree. Many non-trivial and ingenious algorithms in math ought to be as patentable as other fields. Developing an algorithm to perform a useful task, or significantly improving an existing algorithm to perform a useful task, is no different than other fields. It requires time, resources, effort, and ingenuity.
The thing that I object to is the blanket patent period of 17 years that applies uniformly to all patents. The situation does not call for a one size fits all solution. The period of 17 years was probably decided a long time ago, and did not envision how rapidly the world had evolved. Even for other fields of engineering, 17 years may not always be the most appropriate amount of time.
In the computing world, 17 years is WAY too long. That's the equivalent of probably 5 or 6 revolutions in technologies. If patents for mathematics and computing were limited to say 2 or 3 years, then I can fully support it.
As a mathematician ... (Score:5, Insightful)
Re:As a mathematician ... (Score:4, Insightful)
Quicksort ought to be patentable, sorting numbers should not.
Algorithms for solving Linear Programs ought to be patentable, duals should not.
RSA ought to be patentable, public key crypto should not.
In order for something to be patentable, it has to perform a useful task.
To address your point about implementation vs algorithm, in software and mathematics, the implementation is often trivial (hence not deserving of a patent). The real innovation happens in the algorithm.
Perhaps patents are a thing of the past, but I still wish to reward innovation to inventors of complex non-trivial algorithms which advance the state of the art. And patents are the closest thing we have.
Re:As a mathematician ... (Score:1)
The idea of patenting an algori
Re:As a mathematician ... (Score:3, Insightful)
And astonishingly enough, even before [insert patented physical device here] was invented, the physics that allowed it to work the way it does still held. But you think that combining Widget A and Widget B to produce Result C is somehow more patentable than combining Number A and Number B to produce Result D?
Why? Because you can touch them?
Re:As a mathematician ... (Score:2)
And I'm guessing that the RSA patent only covered the application of Fermat's little theorem (not quite, but close enough) to cryptographic uses (encryption and signing). If you could use it for, I don't know... making perfect flapjacks, you'd have been perfectly free to do so. T
Re:As a mathematician ... (Score:2)
Re:As a mathematician ... (Score:2)
I will welcome the time when the US's power has shrunken so much that those copyright and patent agreements will be broken unilaterally.
Re:Shamir (Score:2)
The claim is that what was patented was not a mathematical algorithm. It was a cryptography system that USED a mathematical algorithm. (It's like the difference between patenting a process for building a car that happens to use a stamping press versus patenting the stamping press.)
I, too, happen to think that the patent should not have issued, because it can be argued that the cryptography
Good thing (Score:2, Interesting)
So wait, besides inventory tracking, why do we use RFID at all?
RFID != Smart Card (Score:2, Informative)
I knew this was coming the second I saw the headline.
Biometric passports and most other applications that need secure tokens utilize smart cards.
RFID [wikipedia.org] tags are not the same as smart cards [wikipedia.org]. The difference is huge. Please do your homework.
Besides inventory tracking, we usually don't. It is just confusion and FUD.
Re:RFID != Smart Card (Score:3)
Which means, a good amount of companies really don't. Of course the same applies for magstrips, etc.
The problem is not just RFID centric, that wasn't the point I was making. It is the trade off of security for convenience.
Re:RFID != Smart Card (Score:3, Informative)
Except for the ones which really are planned to use RFIDs.
Here's some homework for you:
http://www.schneier.com/blog/archives/2005/08/rfid_passport_s_1.html [schneier.com]
http://www.theregister.co.uk/2006/01/30/burnham_rfid_evasions/ [theregister.co.uk]
http://catless.ncl.ac.uk/Risks/22.98.html#subj7.1 [ncl.ac.uk]
http://catless.ncl.ac.uk/Risks/23.87.html#subj5.1 [ncl.ac.uk]
Re:RFID != Smart Card (Score:2, Interesting)
In fact, the article by The Register you refer to deals with this issue. People are worried because "The con
Re:RFID != Smart Card (Score:2)
Using your terminology where these things everyone else is calling RFIDs but you want to call contactless smart cards?
http://www.wired.com/news/technology/0,69453-1.html?tw=wn_story_page_next1 [wired.com]
http://www.theregister.co.uk/2006/01/30/dutch_biometric_passport_crack/ [theregister.co.uk]
http://hasbrouck.org/blog/archives/000434.html [hasbrouck.org]
http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/ [engadget.com]
Re:RFID != Smart Card (Score:2)
Describes attacks on contactless smartcards, a subset of RFID devices.
Re:RFID != Smart Card (Score:3, Informative)
A smart card still needs to be swiped. I have one in my american express card. My roommate's new debit card has an RFRC in it as well. As he can simply place his card on a special sign and have it read it.
Re:RFID != Smart Card (Score:1)
A smart card does not have to have contacts. It does not have to be swiped. It can be contactless, and more and more of them are these days. In fact, a single smart card chip can have both methods of communication.
Again, you may argue that it's RFID if it's contactless, but this is confusing as RFID generally refers to RFID tags,
Re:RFID != Smart Card (Score:2)
Hence why I said it should be called RFRC. Basically, an RFID chip is a radio frequency tag that transmits an ID number when activated. A smart card transmits more information. The difference between a barcode model number and a full page of "product information".
It relies on the same basic technology and thus is
Re:RFID != Smart Card (Score:2)
The funny thing is that the link you give for RFID tags contains this:
http://en.wikipedia.org/wiki/RFID#Passports [wikipedia.org]
It's always fun to do homework, right?
M.
Re:RFID != Smart Card (Score:5, Insightful)
My reference? I work on smart cards, including biometric passports. In this field, no one in their right mind would use RFID tags for passports, or anything requiring security. Ever.
It is sad that the web is full of stuff about RFID security, or the lack of it, and people then make the assumption that anything contactless is RFID, and thus insecure. It is really hard to try to set the facts straight, when the correctness of your facts can be questioned with a bunch of links to FUD. (And damn, even the links you provide yourself prove to contain incorrect or misleading information! Argh.)
I guess I should just give up. It'll give me a warm and fuzzy feeling to know I'm right, after all.
Re:RFID != Smart Card (Score:2)
--jeffk++
Re:RFID != Smart Card (Score:3, Informative)
The problem here seems to be terminology (and clueless moderators).
You are incorrectly assuming that "RFID" means a simple tag with no crypto.
RFID is a generic term for any device that uses RF and identifies its presence or absence. A resonant circuit without a chip that is used to tag library books is an RFID. A contactless smartcard that use
Re:Good thing (Score:3, Insightful)
I have heard people mention that it can help rescue teams find you if you are lost in the woods, or buried in a snowdrift. Sure, I guess it could. Considering that the majority of people don't have this happen to them on a regular basis, I concluded that was not its intended purpose.
Maybe the RFID makers greased lawmakers to make more money. Could happen. Maybe we are all getting tagged so that we can be 'found' easily. Could al
Re:Good thing (Score:1)
Upon reflection, the officer comment I made above gave me an idea. If they could see who was driving a vehicle with the RFID scanner, and have an automatic camera take pictures when you break the law while driving, what we have is an ironclad case against the driver of the car.
It could be that they are going to use it as a means of generating revenue in the form of tickets while simultaneously reducing the number of cops on the road for that task.
Sounds more plausible
Re:Good thing (Score:2)
Really the only way that it could be useful for surveillance/tracking is if there was a large number of cell phones 'looking' for the tag, and if 'they' were tracking a tag with a decent transmitting distance.
Re:Good thing (Score:5, Insightful)
(...) besides inventory tracking (...)
See the link yet ??
the only explanation is that your government sees its citizens as inventory, just like cattle
Re:Good thing (Score:1, Offtopic)
The international plutocracy controls virtually every western nation (south america being my one shining hope..). They write both the Domestic law (keeping out/keeping in their labour) and their ability to move their own capital as they see fit, unhinged in any way to the community (the labour) that built it (or operates or relies on it for survival).
I'll be honest, this is standard socialist rhetoric. But it's also true.
Re:Good thing (Score:2)
Saying that the USA has an "international monopoly on violence for the last 60 years" is ridiculous.
Sudan
Eritrea vs. Ethiopia
China vs. Tibet
India vs. Pakistan
N. Korea vs. S. Korea
Indonesian vs E.
Re:Good thing (Score:2)
Ok...you got me on this one. What does free trade have to do with illegal aliens trying to sneak into the US? If Mexicans came to the US through legal immigration channels...they'd bypass the death in the desert thing.
No one has a right to come into this country illegally. Frankly, I wish they'd put up landmines or booby traps to keep the borders secure. Everyone should have to come in through
Re:Good thing (Score:2)
That Mexico and USA allows the WEALTHY to move their capital at will is contrary to the notion of 'freedom' between the two nations. Not only does this capital move, but the wealthy do as well. The USA isn't so much a nation any more than it is a 'home based' for the international plutocratic classes. They aren't any loyal to the USA. It is absurd to think that these Internationally Privileged People could be "loyal" to the l
Re:Bad thing (Score:1)
Re:Good thing (Score:1)
We need to track the other kinds of state inventory, like "citizens" (or as Cato would say, the "talking livestock").
Because we're inventory (Score:2)
If you have any doubt look at how the soldiers in Iraq are being treated. They aren't getting much body armor, so some soldiers are going into debt to buy their own body armor. The most popular brand, Dragon Skin, is BETTER than what the army provides.
However, the military doesn't like their soldiers taking the initiative like that, so if you're killed in combat while wearing body armor that wasn't issued by the military, your family doesn't get your death benefits. Your wife and children d
Re:Because we're inventory (Score:2)
Re:Because we're inventory (Score:2)
Army Orders Soldiers to Shed Dragon Skin or Lose SGLI Death Benefits [sftt.org]
There was a case a few weeks ago where a guy was paralyzed from the waist down, and the military withheld his pay until he paid back a few grand in combat pay
Wounded Soldiers Told They Owe Money to Army [veteranstoday.com] Seems this is happening so m
Injected RFID tags... (Score:5, Insightful)
Comment removed (Score:5, Funny)
Re:Injected RFID tags... (Score:4, Interesting)
Re:Injected RFID tags... (Score:5, Informative)
Whether you can or can't consent to assault is irrelevant, as by agreeing to have the surgery, it would become elective and there would be no assault to consent to.
Re:Injected RFID tags... (Score:1)
Re:Injected RFID tags... (Score:2)
That is sanctioned physical assault...and it perfectly legal.
Re:Injected RFID tags... (Score:5, Informative)
Note also that you cannot consent to assault, and just because you said it was OK the perpetrator can still be prosecuted.
Your high school business law teacher who told you that didn't know what he was talking about. You can consent to a battery (unlawful touching) or an assault (reasonable apprehension of a battery). How do you think boxing, hockey, or football work? Each participant consents to being battered and assaulted (within the rules of the game) by other participants.
Re:Injected RFID tags... (Score:1)
In other news, Mike Tyson's opponent goes to jail.
Seriously though, as neatly as this theory fits in with the Official Slashdot Interpretation of the story, it just ain't so. There's no way
Re:Injected RFID tags... (Score:1)
Re:Injected RFID tags... (Score:1)
Assault is simply to cause fear (shouting "I'm gonna kill you")
Battery is to cause fear, coupled with physical contact (the above, plus tapping on the shoulder)
ABH is assault plus a more serious injury, EG: punching several times
GBH is ABH but with bloodshed.
so involuntary RFID injection would count as GBH, which is only 2 offences down from murder (murder=killing with intent to kill, manslaughter=killing with intent to cause GBH)
PS: Do I get an award for most TLA or other acro
Re: Injected RFID tags... (Score:2)
No, it means my boss will end up with ten up his 455.
Re:Injected RFID tags... (Score:2, Funny)
Re:Injected RFID tags... (Score:2)
Re:Injected RFID tags... (Score:2)
Will it become the norm?
You're not brave until you're tested. (Score:2)
RFID tag reader already in many Nokia phones (Score:5, Interesting)
Re:RFID tag reader already in many Nokia phones (Score:5, Informative)
Re:RFID tag reader already in many Nokia phones (Score:1)
Not all tags. (Score:5, Insightful)
Also, in addition to tags that have a simple 'password', that they must have before they do anything - that may be trivially vulnerable to power analysis, there are tags that do more complex things - such as for example, send the reader a random token, which it then has to encrypt with a key known to both of them.
This can be immune to power analysis - in the simplest case, as it does not check each bit as received, but only at the end of a computation.
And, the fact that getting the first bit correct of a hash with a given key does not help you to guess the rest.
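A simplified model of the distinction drawn in the comment above, as an added example that is not part of the original post: a tag that checks a password bit by bit as it arrives, next to a tag that sends a random token and checks the keyed response only once, at the end. The class names, the HMAC-SHA256 construction, the sample password and the `bits_processed` counter (a stand-in for the amount of work an observer of the tag could count) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def to_bits(data: bytes) -> list:
    """Return the bits of data, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


class PasswordTag:
    """Compares the password as each bit arrives and stops at the first mismatch."""

    def __init__(self, password: bytes):
        self._bits = to_bits(password)
        self.bits_processed = 0  # hypothetical observable: work done before stopping

    def unlock(self, attempt: bytes) -> bool:
        self.bits_processed = 0
        attempt_bits = to_bits(attempt)
        if len(attempt_bits) != len(self._bits):
            return False
        for got, want in zip(attempt_bits, self._bits):
            self.bits_processed += 1
            if got != want:
                return False  # early exit: work done depends on the correct prefix
        return True


class ChallengeTag:
    """Sends a random token; accepts only HMAC(key, token), checked at the end."""

    def __init__(self, key: bytes):
        self._key = key
        self._nonce = None
        self.bits_processed = 0

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def verify(self, response: bytes) -> bool:
        if self._nonce is None:
            return False  # no outstanding challenge, so a replayed response fails
        expected = hmac.new(self._key, self._nonce, hashlib.sha256).digest()
        self._nonce = None  # each token is single use
        self.bits_processed = len(expected) * 8  # whole response always consumed
        return hmac.compare_digest(expected, response)


def reader_response(key: bytes, nonce: bytes) -> bytes:
    """What a reader holding the shared key sends back."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def password_tag_trace(password: bytes) -> list:
    """Work done by PasswordTag when byte i is the first wrong byte."""
    tag = PasswordTag(password)
    trace = []
    for i in range(len(password)):
        attempt = bytearray(password)
        attempt[i] ^= 0x80  # flip the first bit of byte i
        tag.unlock(bytes(attempt))
        trace.append(tag.bits_processed)
    return trace


def challenge_tag_trace(key: bytes, positions: int = 4) -> list:
    """(accepted, work done) by ChallengeTag when byte i of the response is wrong."""
    tag = ChallengeTag(key)
    trace = []
    for i in range(positions):
        response = bytearray(reader_response(key, tag.challenge()))
        response[i] ^= 0x80
        trace.append((tag.verify(bytes(response)), tag.bits_processed))
    return trace


SAMPLE_PASSWORD = b"\xa5\x3c\x0f\x99"  # constructed sample value
```

The password tag's trace grows with the length of the correct prefix, while the challenge tag does the same amount of work for every wrong response; the model covers only the early-exit behaviour the comment describes, not other side channels.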
Re:Not all tags. (Score:1)
I'm sure they could have designed it to be, at least, much more insensitive to power analysis. I bet it just didn't occur to them to do so.
Ban Cellphones! (Score:3, Funny)
(Cynical, yes. Too close to the truth? Unfortunately)
Splut.
Re:Ban Cellphones! (Score:1)
RSA and Patents (Score:1, Offtopic)
That's the work this guy is famous for.
Um, he doesn't work for RSA (Score:1)
Re:Um, he doesn't work for RSA (Score:2)
you surely mean, an active member of the mossad
i think the rfid juggernaut can't be stopped (Score:5, Insightful)
all of the other far out uses people have imagined rfid tech will be useful for once you get past check out and out of the store- all the negative and all the positive (conspiracy theory tracking, smart fridges that know when you need more milk, etc.), won't really come to pass. not because people will suddenly care about their privacy, but because of exactly this: no one will be able to design a system that can't be gamed for some sort of illicit activity. rfid use outside of the store will be undependable simply because if rfid tags are being depended upon for any sort of proof of id in the "wild", then there is immediate and easily realized incentive to game the system
in other words, rfid tags will only be useful in controlled environments. once out of the store, any grand schemes, good or bad, imagined with rfid tags in mind will be ruined by spoofing, masking, obfuscation, forgery, mass duplication, etc.
this cell phone meddling is but a very preliminary indication of the kind of homegrown creative hacks and schemes people will be devising for fun and profit in the near future using rfid technology
Re:i think the rfid juggernaut can't be stopped (Score:3, Insightful)
But then the question comes to mind.
How long will it take for the Corporations to manage a media campaign to smear anyone who would spoof or obfuscate or reproduce the RFID tags and information collected? Then spend the money it takes to make any such tampering with RFID tags to be a Felony with punishment on par with Rape and Murder.
And before anyone thinks I think corporations are 'teh evil', It's the corporation being able to legally (the ethics of it is another matter) 'purchase' legislation to enforce
Re:i think the rfid juggernaut can't be stopped (Score:1)
Either way, corruption IS illegal. So even if legislation can be bought, it can't be done legally.
Re:i think the rfid juggernaut can't be stopped (Score:2)
It probably is already illegal... (Score:2)
Time for... (Score:5, Funny)
Re: Time for... (Score:2)
AKA "dialing for dollars".
A PCB for cloning RFID tags (Score:4, Interesting)
Tin Foil Hats? That's so 20th century (Score:1)
Tin Foil Hats?
That's 20th century technology, get with the times, these days we're microwaving everything to ensure total rfid tag destruction. "microwave everything" that's the wave of the 21st century.
RFID cloning and power consumption attacks (Score:5, Interesting)
http://www.cl.cam.ac.uk/~gh275/relay.pdf [cam.ac.uk]
The method Shamir talked about is a little more interesting because the cards are leaking information about what they are doing internally. It is possible that a more detailed examination of the power consumption may reveal other details of what the card is doing as well as when it thinks it has received a bad bit.
Power analysis has been a known attack on smartcards for a long time. A few cards were vulnerable to an attacker looking for increased current draw just after a PIN/password attempt when the card tried to increment a count of the number of failures; cut the power when it tries to write to the fail count and you could attempt a brute force attack. I believe the most obvious way around the problem, to decrement the counter before checking the PIN and increment it after if the check passed, is patented.
It would be interesting to see if any RFID cards have that flaw.
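The counter ordering described in the comment above, as an added example that is not part of the original post: a simulated card whose retry counter lives in non-volatile memory, tested with power removed at every counter write. The `Card` class, the `tear_writes` harness switch, the three-try limit and the PIN are constructed for illustration and model no real product.

```python
import hmac


class PowerCut(Exception):
    """Simulated loss of power during a non-volatile memory (NVM) write."""


class Card:
    MAX_TRIES = 3

    def __init__(self, pin: str, decrement_first: bool):
        self._pin = pin.encode()
        self.decrement_first = decrement_first
        self.tries_left = self.MAX_TRIES  # persistent budget of failed attempts
        self.tear_writes = False          # harness switch: cut power at any NVM write
        self.compared = False             # did the last call reach the PIN comparison?

    def _nvm_write(self, value: int) -> None:
        if self.tear_writes:
            raise PowerCut()              # the write never lands
        self.tries_left = value

    def verify(self, guess: str) -> bool:
        self.compared = False
        if self.tries_left == 0:
            return False                  # card is blocked
        if self.decrement_first:
            # Hardened order: spend a try before looking at the guess, so the
            # counter write happens for every attempt and reveals nothing.
            self._nvm_write(self.tries_left - 1)
            self.compared = True
            ok = hmac.compare_digest(guess.encode(), self._pin)
            if ok:
                self._nvm_write(self.MAX_TRIES)  # restore the budget on success
            return ok
        # Weak order: compare first, record the failure afterwards. The write
        # only happens for a wrong guess and can be prevented from landing.
        self.compared = True
        ok = hmac.compare_digest(guess.encode(), self._pin)
        if not ok:
            self._nvm_write(self.tries_left - 1)
        return ok


def run_guesses(card: Card, guesses: list, tear: bool) -> tuple:
    """Feed guesses to the card; return (guesses the card evaluated, tries left)."""
    card.tear_writes = tear
    evaluated = 0
    for guess in guesses:
        try:
            card.verify(guess)
        except PowerCut:
            pass  # power lost mid-call; the next attempt is a fresh power-up
        if card.compared:
            evaluated += 1
    return evaluated, card.tries_left
```

With torn writes the compare-first card evaluates every guess and never loses a try, while the decrement-first card evaluates none; without tearing both block after `MAX_TRIES` wrong guesses.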
RFID is not meant for security (Score:5, Informative)
"To summarize:
RFID for inventory tracking ==> Good idea
RFID for security ==> Stupid idea"
Here below I copy parts of a previous comment on another story (which wasn't moderated and thus, probably not read a lot):
Anyone interested in RFID could also start with the excellent wikipedia.org entry [wikipedia.org].
Of interest, Slashdot already discussed RFID production increases before [slashdot.org]. Yes, RFID can be scary, especially in a bank [com.com] or in passports [slashdot.org]. Imagine, even Sun [informationweek.com] cares for RFID. MobileMag have a small article about a 100% organic matter RFID chip developed in Korea, costing only 0.5 cents [mobilemag.com].
And if RFID and geospatial tech seriously interest you, see my sig
Is this news? (Score:2, Interesting)
There isn't any problem with this unless the tag claims to be secure. Also, as the report says, if the tags are going to be made cheaply available, they can't necessarily promise security. No doubt the communication could include the latest security technologies, but there would be an asso
What does the DMCA say about this ? (Score:2)
Re:What does the DMCA say about this ? (Score:2)
The DMCA specifically allows circumvention of security devices for the purpose of cryptography research.
Also, it is a stretch to imply that the purpose of any security mechanism in RFID is designed for the purpose of protecting someone's copyright. Hence, I think it would be hard to prosecute someone under the DMCA...
I cannot understand just one thing... (Score:5, Interesting)
You don't call your car security compromised just because everybody non-blind in vicinity can read your license plate with naked eyes.
You need to have access to police database in order to get sensitive information of car owner using car license plate. Nobody but criminals tries to hide their car license plate from casual observer.
Same for RFIDs - they just transmit some unique id, and one who wants to identify person carrying RFID has to get access to right database (and identify which database holds this info first).
I'd rather say that your security is compromised, if you cannot read what is transmitted by RFID tag in your passport or under your skin, and some unknown person with RFID scanner can.
So, in order to stop this hype about RFIDs compromising security, they have to sell RFID scanners for dollar on next corner, or make it standard feature of every cell phone (if components are really already in place) so everybody who is concerned about security can easily scan oneself and find out what kind of information is available from those tags.
Only reason why those RFID makers don't do it - is because they want to make money on scanners as well as chips themselves.
Re:I cannot understand just one thing... (Score:3, Informative)
Re:I cannot understand just one thing... (Score:2)
some other similar number (oh, where is my hardware random number generator to make a sample) is my id in the local hospital database et cetera.
Re:I cannot understand just one thing... (Score:2)
Re:I cannot understand just one thing... (Score:2)
I just have to know what this RFID is for, what kind of my personal data can be found using it and which officials are authorized to access these data.
Re:I cannot understand just one thing... (Score:2)
EPCglobal
DOD-64 and DOD-96
GID-96
SGTIN-64 and SGTIN-96
SSCC-64 and SSCC-96
SGLN-64 and SGLN-96
GRAI-64 and GRAI-96
GIAI-64 and GIAI-96
I challenge you to identify a tag encoding construct that does have a field that identifies a database.
Re:I cannot understand just one thing... (Score:1)
Re:I cannot understand just one thing... (Score:3, Interesting)
Sadly I am not surprised by someone who works on a government IT project not knowing what he is talking about. The card systems currently on the market for opening doors generally use challenge-response authentication.
I'm told that the plan is for the UK RFID passports to use crypto. (and yes a contactless smart
Re:I cannot understand just one thing... (Score:3, Interesting)
Do you walk around wearing a large plate describing, in lettering visible from a considerable distance, all the items you are carrying about your person?
This technology could revolutionise the pickpocket industry. They don't need a complete database of all known tags. They just need to lurk down the street from the Apple store and know the code for "ipod" which is used at that particular store. Other valuable items (on the black market) that may incl
Re:I cannot understand just one thing... (Score:2)
This case is what public key cryptography is for.
Credit cards ... butt scanning (Score:1)
Define "Crack" (Score:3, Interesting)
Re:Overhyped bullshit, scam to attract investors (Score:2)
He's not talking about replacing a $$$$ digital oscilloscope with a cellphone. He's talking about doing something with a cellphone that can also be done by a $$$$ digital oscilloscope. Big difference. (You can do a LOT of stuff with the scope.)
Typical scam research claim trying to extract money from investors. Where is he from again? Ah, OK, now we all know...
This is Adi Shamir we're talking about. He can get all the investors he wants just