03 August 2006

RFID Security

Wired had an interesting piece today about a demonstration at the Black Hat Convention where a hacker cloned the RFID tag inside a German "e-Passport". These passports include an RFID tag as an additional security measure and are due to be introduced by the United States in October. The US is also lobbying for international adoption of the standard. A US State Department official made the reasonable point that cloning the RFID data isn't necessarily a big deal. Nobody has yet been able to alter data on one of the tags (they are hashed to make tampering obvious to the scanning machines).

A few other, more interesting things were demonstrated, however. For instance, by cloning one passport's RFID onto a smartcard (like most current University IDs) and slipping it into the passport, the RFID reader could be fooled into reading the smartcard. In principle, this could mean that while the printed information said "Joe Terrorist" the automated reader would see "Joe Bloggs". Officials again dismissed this problem saying that they're not planning a fully automated security process, just that this provides another source of information for border agents (who would presumably compare the printed name to the RFID name and flag discrepancies).

Regardless of whether this technology will prove risky in passports, the fundamental problem with the design is evidently widespread in RFID systems: the data is unencrypted. If the data on the tags were encrypted it would raise a nearly insuperable barrier to even reading the information contained therein, let alone copying or modifying it. The article goes on to say, however, that something like 3/4 of the RFIDs they tested (hotel keycards, University cards, corporate IDs) were either unencrypted or used the factory-default key for their encryption(!).

Now I'm sure Scott is smiling smugly right now, but this illustrates an aspect of my personality that I feel ambivalent about: I'm inclined to believe by default that any system operated by a big enough organization (Oxford, a company, a hotel, the United States) will do a good job implementing basic security or will test procedures for safety and so forth. For instance, my office in Oxford is very uptight about people swiping in and out with prox cards. Since nobody ever checks the photographs on the cards, I assume they've verified the integrity of the RFID system to fill that potential gap. It just seems so obvious to me that RFID cards need to be encrypted that I can't believe that large Universities wouldn't bother or that they wouldn't reset the key. Don't they have anybody with a clue working for them?

Another example of my automatic trust is illustrated by the new low-energy x-ray machines being tested at Heathrow. You basically stand in this booth and adopt a series of funny poses (hands over your head, face sideways with legs akimbo and arms ahead and behind in a faux-running stance, etc) and they blast you with low energy x-rays which penetrate clothing but not skin. I just assume that some government body has tested this and it is safe for me to do, but some people are unwilling to accept that premise. And it's not unreasonable to be dubious: the dentist does cover you with a humungous sheet of lead when he zaps your teeth, after all.

So is this a good thing or bad? I'm happy that I'm not naturally inclined toward paranoia: I don't waste my time worrying about this stuff. On the other hand, I'm probably too accepting. Healthy scepticism, after all, drives interesting scientific research, and I never have a problem applying it in that arena. Plus, lots of "policy" decisions are made by blowhard politicians who probably have no idea how safe ionizing radiation is or that RFID tags should be encrypted. It seems crazy to me that they don't get expert advice, but it demonstrably happens all the time.

Balancing scepticism of The Man against pointless paranoia is something to keep in mind for my self improvement plan, I guess, along with being less of an arse when I'm drunk. :)

No comments: