RFID is all the rage ..............
BUT...................
"Another strike for RFID security
Filed under: Security
There's been quite a bit of controversy brewing over the use of radio frequency identification (RFID) technologies of late, with security researchers isolating weak points in applications of the chips in everything from building access cards to new-fangled passports.
In most cases, people are primarily objecting to the use of RFID as a form of identification, or as an access technology, for humans -- as no one but myself seems as peeved over their utilization in industrial applications such as retail merchandising.
(For the record, I keep forgetting to snip the tags off new clothes and I'm sick of getting jabbed in the gut by their sharp edges)
Last week, a firestorm of debate on the topic was ignited at the Black Hat DC 2007 conference when access card maker HID quashed a planned presentation by researchers from IOActive that would have instructed attendees of the security conference how to build a so-called "cloning device" that purportedly would allow you to intercept people's HID card security codes -- which are not encrypted -- for the purpose of recreating their credentials.
HID officials contend that IOActive was merely trying to make a name for itself by pointing out how their proximity cards -- which are used by millions of people (including myself) and considered very basic RFID transmitters -- could be defeated, a problem they said the company has not dealt with in the real world.
Of course, if people knew of the loophole and were using it to break into offices at night and steal laptops and/or data, they probably wouldn't admit it publicly.
Now, a U.K.-based security researcher has demonstrated for journalists in that country how he can hack information on Great Britain's new passports, which use RFID chips as a secondary form of authentication. U.K. officials have maintained that the more technologically-advanced documents would help cut down on illegal immigration, a growing problem in the nation.
Even worse, in the exercise orchestrated by the U.K.'s Daily Mail newspaper and detailed in a subsequent story, an independent security consultant proved that he could not only intercept data transmitted by the passport's RFID chips -- and read the personal details of whoever they belonged to -- but that he could also skim the information from the passports while they were inside the envelopes in which they're being mailed to their holders.
In essence, the flaw makes the new passports less secure than the old ones, as before if someone wanted to try and steal your credentials -- or copy them -- they needed some form of physical access. Now someone could conceivably just stand by the mailbox and grab details of any passport that happens to be there.
Yikes.
Thankfully for those of us in the U.S., the federal government has already scrapped earlier plans to use RFID chips in such documents, at least until security of the devices can be improved. The Department of Homeland Security bagged a pilot program last year through which the technology was being used in documents given to frequent travelers across several of the nation's largest land borders, based on security and privacy concerns.
RFID advocates say that when used properly the chips can be adequately secured for such purposes. HID recommends that anyone concerned with the security of its proximity cards should upgrade to its more expensive smart cards, which promise to provide better safeguards for the data they transmit.
But to me, it sounds like it's becoming painfully clear that the tags aren't ready for primetime use in IDs, at least not for anything as sensitive as a passport.
(As for use in clothing, can't they just give them rounded edges?)
Posted by Matt Hines on March 8, 2007 09:35 AM