MIT Reveals "Hack-Proof" RFID Chip (thestack.com) 53
JustAnotherOldGuy writes: A group of researchers at MIT and Texas Instruments claim that they have developed a new radio frequency identification chip that may be impossible to hack. Traditional RFID chips are vulnerable to side-channel attacks, whereby a hacker can extract a cryptographic key from the chip. The new RFID chip runs a random-number generator that creates a new secret key after each transaction. The key can then be verified with a server to ensure that it is correct. The group at MIT also incorporated protection against a power-glitch attack, an attack that would normally leave a chip vulnerable to an interruption of the power source that would in turn halt the creation of a new secret key. Texas Instruments CTO Ahmad Bahai stated, "We believe this research is an important step toward the goal of a robust, lo-cost, low-power authentication protocol for the industrial internet." The question is, how long will it be before this "hack proof" chip is hacked?
I call bullshit (Score:1)
I give it a week. Not that this will ever make it into commercial production anyway
Hack proof? (Score:4, Insightful)
How many times have we heard this over the years. To be truly hack proof it'll have to be a quantum system. Is it? Doesn't look like it.
Re:Hack proof? (Score:5, Insightful)
Hackproof, unsinkable, indestructible ... at a certain point the superlatives just become meaningless.
The be truly hack proof it needs no inputs and no outputs. It would be useless, but it would be hackproof.
Re:Hack proof? (Score:4, Funny)
You just described my senior management.
Re:Hack proof? (Score:5, Insightful)
TFA says it has its own power supply. Presumably a battery. Kinda breaks the most important feature of RFID.
Re: (Score:2)
How many times have we heard this over the years. To be truly hack proof it'll have to be a quantum system. Is it? Doesn't look like it.
The real question should be when will companies learn that using terms like "hack proof" will result in an exponentially shorter life span for their "secure" product.
At least enjoy some vetting and success in the wild before making such claims, because if you're smart you already fucking know the inevitable will happen.
Re: (Score:2)
I wish companies and organizations would stop using the term "hack proof," the same way they did with "waterproof." Like "waterproof," there is no such thing in most products. There is only "water resistant" and "hack resistant".
Re: (Score:2)
Re: (Score:2)
I wish they'd simply say: "Not hackable by all currently known methods". This is not an OTP encrypted device, it's breakable in some manner, even if the necessary capability or process is completely impractical at present.
I hope this is just journalistic bullshitting, because a researcher should know better than that.
SecureID on a chip? (Score:2)
Because that is what TFS and TFA read like. I hope there is more to this than meets the eye.
Re:SecureID on a chip? (Score:5, Interesting)
Almost.
The MIT solution, as described, appears to do away with the clock-based system that RSA uses, and instead has the server and the chip stay in lock-step as transactions occur.
What happens when the two drift out of synchronization will be the key to disrupting the technology.
If the server and chip stop talking to each other when they get out of synch, then the whole system is vulnerable to a wide scale DOS simply by corrupting the server's database of keys.
Imagine an industrial plant manager's reaction when 1000 different devices brick themselves due to a hacker's attack. If it takes a day to replace and reset everything so it all works again, that manager will rip out the technology so that his or her plant is never down that long, ever again.
On the other hand, if the server and chip and re-synchronize after a glitch, then a hacker can emulate that resynchronization process.
I wonder if a Man in the Middle attack would work where the MiM and server exchange one set of keys, while the MiM and chip exchange a second set of keys. Would either side know that it was talking to a fraudulent data source?
Re: (Score:2)
unhackable? (Score:3, Insightful)
Un-hackable? and a thousand hackers said challenge accepted.
Marketing "hack proof" (Score:3)
"The question is, how long will it be before this "hack proof" chip is hacked?"
How long you ask?
*looks at watch*
Probably not hack-proof (Score:4, Interesting)
Impossible to hack (Score:3)
Slashdotters still the same old (Score:3, Informative)
"Hack-proof" to SIDE CHANNEL attacks.
Re: (Score:2)
It seems even if Slashdot is having a new owner, the Slashdotters are still the same old. Why bothering reading and trying to understand the f... article when you can comment and brag so easily and call everything bullshit?
"Hack-proof" to SIDE CHANNEL attacks.
If there's been no shift in the fabric of the universe, your first reporting of the article should lead to you being modded informative.
There's a reason they don't say fireproof or foolproof any more. In both cases, whenever a proof is realized in the laboratory, nature evolves a greater fool.
Re: (Score:2)
Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. Albert Einstein.
Re:Slashdotters still the same old (Score:5, Informative)
resources (Score:2)
So in order to use this whizzy new technology, I must have an independent power source for the RFID chip and I need a server. Yup, that won't be too expensive for most RFID applications.
Re: (Score:2)
Wouldn't need it's own power source. Just NVRAM to keep track of how far into the PRNG sequence it's at. It doesn't use a running clock.
"may be impossible to hack." (Score:2)
may be impossible to hack
...in the same way that I may be the sexiest guy in the world.
The TImothy Website (Score:2)
Seriously, since the buyout almost all slashdot postings are by timothy who might as well be the "I APPROVE ALL STUPID STORIES ROBOT."
Timothy - I have a captcha for you.
This story is just in line with the rest of the toilet-bowl material
- hack proof RFID because... um... MIT?
- Assange passport because UN committee?
- Vendors have firewalls with holes?
Next up something about the superbowl?
Please. Spare. Us. You can't resurrect good slashdot editors. Obviously you've killed them.
The honorable thing is to co
Turtles all the way down (Score:3)
"Hackproof"?? From TFA
Traditional RFID chips are vulnerable to side-channel attacks, whereby a hacker can extract a cryptographic key from the chip. However, a hacker would need to execute a cryptographic algorithm many times to extract usable information, as each execution leaks only a small amount of information. The new RFID chip runs a random-number generator that creates a new secret key after each transaction.
So they're backing up the base crypto in the chip with a stream cipher: instead of generating random session keys with a public-key cipher, they're generating secret keys with a random-number generator (i.e. a stream cipher) and using those to generate a session key to generate a session key. Which may be even less secure, if the RNG (i.e. stream cipher) is itself insecure. Perhaps they can fix that by using another RNG to generate an initial state for the RNG which generates the key which generates the session key for the transaction.
It's stream ciphers all the way down!
Here we go again (Score:2)
Re: (Score:2)
I've got something here that's 2157% unhackable. It's called a brick.
Hack in 3, 2, 1, oh wait, I mean .... (Score:1)
... hack in rand(), rand(), rand().
I love these "hack proof" announcements (Score:2)
It's almost like they're begging people to prove them wrong.
MIT: Add an egg! And an extra egg! (Score:5, Interesting)
Let's begin with a little story. In the 1950s the Betty Crocker company introduced just-add-water 'box' cake recipes that produced cakes that were as good as and often better than peoples' 'scratch' cakes --- sometimes the recipe was better (or) the mix in the factory-sealed box stayed fresher than ingredients taken from the pantry, why does not matter. Betty Crocker cakes aced blind taste-tests and were affordable, and yet the product did not take off as expected.
A bit of research uncovered a guilty secret. In spite of what the company perceived as pure convenience, cake-making women (and the manly cake-making men of the 1950s) were secretly ashamed of the simple steps to produce a product that had been the subject of family pride. They no longer felt sufficiently empowered by the process. By the simple addition of an actual egg, enough recipe-empowerment returned to remove this psychological deterrent and cake-box sales soared.
They later refined the tactic by suggesting on the box that the product might even be improved even further by the (optional) addition of that miracle of miracles, the extra egg. Two eggs! Everyone who was anyone tossed in that extra egg. And all remnants of cake-making insecurity vanished completely and America embraced the box-cake, to become the industrial cake-making giant it is today.
((SIDE NOTE: Even though this was known to me, to come up with a citation I found it not generally discussed. I had to delve down to 'book' level to find a good reference to it [google.com]. Thanks Google. Folks who imagine that web content sufficiently represents our culture should think again.))
(DO, a deer, a female deer) So not surprisingly the good people of MIT have re-discovered that to continue the cryptographic arms race every simple hard-coded tag must become a passive device, (RE, a drop of golden sun) every passive device must become an active computing device, (MI) and every active computing device must become a self-contained machine (FA) with an autonomous power source, (SO) non-volatile memory and significant processing power. It will soon move into the next phase where even this is not sufficient because of unforeseen circumstances like new attacks on hash algorithms or implementation errors, and a robust system must also include flash-update capability, (LA) which also requires a separate and secure chain of certificate-based authentication to prevent someone from planting the original 'stoned' virus [wikipedia.org] upon RFID tags. "Your passport is now stoned. Legalize marijuana!" (TI)
Which is itself moot if someone somewhere manages to leak or crack a single private flash update key. Which brings us back to (DO).
So the discovery is actually that RFID technology is mirroring nicely the same arms race that computers and communication links everywhere are experiencing. As Bruce Schneier sagely says, "Security is a process, not a product." So be generally conservative and wary every time someone offers a new security end-product --- and remind yourself every now and then, "Why again are we even riding this Merry-Go-Round?" By all rights Schneier should be helping to roll out the gravy train that would place RFID tags everywhere. More work for him! But surprisingly often he comes out in favor of less embed-intrusive and more human-intensive approaches to security. That's why humans love him and robots don't subscribe to his Twitter feed.
In addition to taking these (seemingly necessary) small steps in the direction of embedding additional complexity, we should devote equal time to considering the possibility of small steps that roll back complexity generally, to reveal what unforeseen benefits they may have. Perhaps the powdered egg once included in box-cakes was actua
Re: (Score:2)
all I see is endless fucking words.
Oh brave new world. I've got a brevity-stalker.
Check out his or her other fine word-product [slashdot.org].
The ship of the imagination has sailed without you.
I doubt the researchers said it was "hack-proof" (Score:1)
Saying "Hackproof" on Slashdot is like... (Score:2)
Anything can be reverse engineered and thus hack-proof doesn't really exist.