<<< Date Index >>>     <<< Thread Index >>>

[IP] more on RFID Clonable





Begin forwarded message:

From: Joseph Lorenzo Hall <joehall@xxxxxxxxx>
Date: July 25, 2006 2:24:05 PM EDT
To: dave@xxxxxxxxxx
Cc: Ross Stapleton-Gray <ross@xxxxxxxxxxxxxxxxxx>
Subject: Re: [IP] more on RFID Clonable
Reply-To: joehall@xxxxxxxxx

On 7/25/06, David Farber <dave@xxxxxxxxxx> wrote:


Begin forwarded message:

From: Ross Stapleton-Gray <ross@xxxxxxxxxxxxxxxxxx>
Date: July 25, 2006 1:02:13 PM EDT
To: dave@xxxxxxxxxx
Subject: Re: [IP] RFID Clonable

At 07:48 AM 7/25/2006, David Farber wrote:
> In case anyone needed more proof that we're all living in a Philip K.
> Dick novel, a pair of hackers have recently demonstrated how human-
> implantable
> RFID chips from VeriChip can be easily cloned, effectively stealing
> the
> person's identity.
> ...
> For its part, VeriChip has only said they haven't yet had a chance
> to review the evidence but still
> insist that "it's very difficult to steal a VeriChip."

Certainly literally true, if by "steal" one means, "get one's hands
on the original, e.g., pry one out of Annalee Newitz's arm."

But we should recongize that the vast majority of RFID applications
[BUT NOT ALL djf]  don't depend on inability to clone them.  RFID
tags in most commerce will be as unclonable as license plates, which
anyone with a little tin, paint and shop skills could zap out copies
of, but which nonetheless serve as a cheap means for reasonably
reliable identification.  Think of most RFID applications as just
like print bar codes; there have been various cases of fraud
committed against systems employing the latter, most notably where
thieves use bar codes for inferior goods to purchase expensive ones
("Bar code says that's a drill bit, and it looks like a drill
bit...") then return the goods to pocket the difference in price.

To expand on Dave's "BUT NOT ALL" comment, there are many institutions
that are using RFID-enabled ID cards as access control keys -- a far
cry from a barcode.  For example, my University uses Prox cards to
allow access to many areas (although more sensitive areas require more
sophisticated entry keys).  This also seems to be the case at MIT and
to gain entry to many parts of the California Legislature Building in
Sacramento.

A few MIT students have done an analysis of the vulnerabilities of
their system, find it here (the MIT cards operate on AM frequencies so
they were able to build a cloner for less than $30):

MIT Proximity Card Vulnerabilities (Josh Mandel, Austin Roach, Keith Winstein)
<http://www.josephhall.org/tmp/mit_prox_vulns.pdf>

(The best quote from that work, IMO, is: "Don't use prox card for
monetary transactions or high-security areas. Remove from nuclear
reactor.")

I've been advocating at Berkeley for our administration to issue mylar
envelopes for our ID cards and to start educating faculty, students
and staff about how they should treat their ID card like a sensitive
document.  Unfortunately, there are many uses of our ID cards that rub
directly against this; for example, to swim at a UC Berkeley pool you
have to surrender you ID card to an attendant.  Sigh.

-Joe

--
Joseph Lorenzo Hall
PhD Student, UC Berkeley, School of Information
<http://josephhall.org/>


-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/