PDA

View Full Version : Risks Of RFID ePassports And 'Blink' Credit Cards



InlineSIX24
Thu Oct 2nd, 2008, 09:35 AM
Newer style ePassports and credit cards that use the 'Blink' system or allow you hold your card up to a reader to make purchases currently have a security flaw that allows anyone that has a handheld reader and can get within a couple meters of your card to retrieve all of the information and hack into it if they have the knowledge.

I think I'll stick with the old credit cards that you have to manually swipe for now thanks..

http://blog.thc.org/index.php?/archives/4-The-Risk-of-ePassports-and-RFID.html

http://freeworld.thc.org/thc-epassport/ (http://freeworld.thc.org/thc-epassport/)

What is RFID?
http://en.wikipedia.org/wiki/RFID

rforsythe
Thu Oct 2nd, 2008, 12:27 PM
While I agree with respect to the weaknesses in the system (this is also why a national ID is not a good idea), that THC article seems bent on fear mongering. Just my $0.02.

rybo
Thu Oct 2nd, 2008, 12:47 PM
I have a CC with a "blink" type chip in it and have to say, it's more like a couple of inches, not a couple of meters for the thing to work...

rforsythe
Thu Oct 2nd, 2008, 01:01 PM
It's a couple inches for the readers you're using. It is possible to pick up that signal from an increased distance however, both actively and passively.

Filo
Thu Oct 2nd, 2008, 01:22 PM
Yeah, what Ralph said. They were testing RFIDs for timing and scoring at a recent motorcycle race. They showed me an antenna that was about 3.5 feet long that they said could read from a very big distance. I can't tell you what very big is without having to kill you. A few meters would be no problem.

BTW, the timing and scoring test went very well. An RFID sticker for your bike is about $0.40. What do transponders cost these days?

puckstr
Thu Oct 2nd, 2008, 01:36 PM
there are much greater concerns with the e-passports
http://www.wired.com/science/discoveries/news/2006/08/71521

this part makes me chring...

Two RFID researchers created a video showing how an RFID reader attached to an improvised explosive device could theoretically identify a U.S. citizen walking past the reader and set off a bomb. They haven't yet tested the theory on a real U.S. passport since the documents have yet to be distributed. The still here shows an attack using a prototype passport with RFID chip placed in the pocket of the victim. As the chip passes the reader, the reader detonates an explosive device placed in the trash can.

This sucks I wonder if my passport has one?

InlineSIX24
Thu Oct 2nd, 2008, 01:42 PM
It's a couple inches for the readers you're using. It is possible to pick up that signal from an increased distance however, both actively and passively.

This is true. We are looking into using them at my company for parts tracking. Each part has a tag on it and would pass under a ceiling-mounted scanner to let you know when it transfers out of inventory.

rforsythe
Thu Oct 2nd, 2008, 02:02 PM
Adam - I'd imagine the RFID transponder system has a range of 20-60'.

I don't have the details on the passport system so I'm not sure if they adequately encrypt anything, but I'd guess no. Even if they did, it would have to be a challenge response system, so even if you got a bullshit answer back you just need to get the same answer to identify a person, assuming you had already queried their tag at some point.

To be fair though, a passport really doesn't present any sort of new risk for some "smart IED" (which is pretty high tech considering most of these devices are built out of pipes and coffee cans and other random trash). Think about this for a sec - we all (or at least most of us) walk around with employee badges that open doors; this is a simple RFID tag, nothing more. You just need to have determined what a certain person's employee badge returns when queried, and set something up to read it. The chance for a false positive is small, and you still positively identify someone. If someone's after you enough to build something like this, they're probably going to get within range at some point to get that data without you even knowing it. If all they're after is mass-carnage of office going types, then the responses don't even matter, just that you get a certain number of unique ones.

RFID is NOT a secure system. It can be made resistant to certain attacks and some kinds of duplication of tags, for instance, but nothing about it was ever designed to keep information obscure. RFID tags were created with the idea of instantly disseminating certain information any time they were keyed up. They're incredibly stupid devices that people are using to store some amazingly sensitive stuff these days.

InlineSIX24
Thu Oct 2nd, 2008, 03:01 PM
..RFID tags were created with the idea of instantly disseminating certain information any time they were keyed up. They're incredibly stupid devices that people are using to store some amazingly sensitive stuff these days.


:lol::shock:
Such as:
http://amal.net/blog/links/2006-03-08_-_GMA_low.mp4