Wednesday, July 5, 2006

RFID hacking

It seems inevitable that we are now entering the RFID era. Many major corporations are already setting up RFID environments for goods, services and employees. The good news is that the security and privacy aspects of the technology are being recognised in the course of development.

First the good news. A recent article from Wired News reported that IBM is introducing a retail-safe RFID chip to address privacy concerns. The chip is used in logistics management of goods and can be read at a distance of 30 feet, facilitating the tracking of movement of goods, security in the shop and automatic billing. The so-called Clipped Tag has a notched antenna that consumers can tear off, much like the end of a ketchup packet. Removing this panel drastically reduces the readable range of the device, from about 30 feet to less than 2 inches. This in effect changes the RFID chip from a long-range device to a proximity device. Consumers then do not need to worry about the identity of their goods being monitored on the street.

The Clipped Tag is meant to mitigate privacy risks by reducing the range of the device without disabling it completely. This leaves the tag intact for returns and other purposes, while ruling out the possibility of security attacks from a distance. IBM argues that the Clipped Tag may be a better option for both retailers and consumers than an industry proposal to permanently disable tags, which destroys their marketing and inventory-tracking value.

Now the bad news. Another article, also from Wired News, reveals the real face of RFID hacking. A senior officer of a software firm arranged for a hacker to stage a robbery to challenge the RFID-based security lock system. The hacker used a home-made, wallet-sized device he called a cloner, equipped with a coil antenna that fit in his palm. He walked past the officer unnoticed on a busy street and came within a few inches of the back-pocket wallet that contained the smartcard. The antenna picked up the signal of the RFID chip on the card, and the cloner recorded it. The data was then downloaded to a laptop over a USB cable for processing. The cloner was then switched from Record mode to Emit mode. The antenna was now ready to open doors in the secured office of the software firm, just as the authentic smartcard would. See this sketch from Wired News of the robbery in action. I think, for security reasons, the hacker did not wish to be photographed. He was more security-conscious than the security company.

A sea containing an unlimited number of RFID fish for easy picking is very tempting for criminals and hackers. The article reported that RFID chips are everywhere: "companies and labs use them as access keys, Prius owners use them to start their cars, and retail giants like Wal-Mart have deployed them as inventory tracking devices. Drug manufacturers like Pfizer rely on chips to track pharmaceuticals. The tags are also about to get a lot more personal: Next-generation US passports and credit cards will contain RFID, and the medical industry is exploring the use of implantable chips to manage patients. According to the RFID market analysis firm IDTechEx, the push for digital inventory tracking and personal ID systems will expand the current annual market for RFID from $2.7 billion to as much as $26 billion by 2016."

"For protection, RFID signals can be encrypted. But most commercial RFID tags don't include security, which is expensive: A typical passive RFID chip costs about a quarter, whereas one with encryption capabilities runs about $5. It's just not cost-effective for your average office building to invest in secure chips. This leaves most RFID vulnerable to cloning or - if the chip has a writable memory area, as many do - data tampering."
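Why a fixed-identifier tag can be copied by recording its signal while a tag with cryptographic capability cannot, shown as an added example that is not from the Wired article or the original post. It assumes an HMAC challenge-response scheme (the article says only "encryption capabilities"); every class name, the identifier and the key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

class StaticTag:
    """Unprotected tag: returns the same identifier to every reader."""
    def __init__(self, uid):
        self.uid = uid
    def respond(self, challenge):
        return self.uid  # the challenge is ignored

class KeyedTag:
    """Tag with crypto: proves it holds a secret key without sending it."""
    def __init__(self, uid, key):
        self.uid, self.key = uid, key
    def respond(self, challenge):
        return self.uid + hmac.new(self.key, challenge, hashlib.sha256).digest()

class Recorder:
    """Stands in for the cloner: stores one answer, then repeats it."""
    def __init__(self, tag):
        self.recorded = tag.respond(secrets.token_bytes(16))  # Record mode
    def respond(self, challenge):
        return self.recorded  # Emit mode

def static_reader_admits(device, uid):
    """Door reader that only compares the identifier it receives."""
    return hmac.compare_digest(device.respond(b""), uid)

def challenge_reader_admits(device, uid, key):
    """Door reader that sends a fresh random challenge on every attempt."""
    challenge = secrets.token_bytes(16)
    expected = uid + hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(device.respond(challenge), expected)

def run_demo():
    uid = bytes.fromhex("04a1b2c3")  # constructed sample identifier
    key = secrets.token_bytes(16)    # constructed per-card secret
    static_tag, keyed_tag = StaticTag(uid), KeyedTag(uid, key)
    return {
        "static_genuine": static_reader_admits(static_tag, uid),
        "static_replayed": static_reader_admits(Recorder(static_tag), uid),
        "keyed_genuine": challenge_reader_admits(keyed_tag, uid, key),
        "keyed_replayed": challenge_reader_admits(Recorder(keyed_tag), uid, key),
    }

if __name__ == "__main__":
    for case, admitted in run_demo().items():
        print(f"{case}: {'admitted' if admitted else 'rejected'}")
```

The recorded answer from the keyed tag was computed for an earlier challenge, so it fails against the fresh one the reader issues at the door.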

The article commented that the world of RFID is like the Internet in its early stages: nobody thought about building security features into the Internet in advance, and now we are paying for it in viruses and other attacks. We are likely to see the same situation with RFID. For the moment, I am not thinking of protecting my Octopus card, or the chip implanted in dogs, or even the tag in my shirt. However, as things develop, more personal and important information will be stored in RFID chips we carry.

