The big RFID shakeup
In case you have not heard by now, news reports are coming in of how Dutch security researchers have managed to successfully clone the Oyster Card used by the London Underground. For the unethical, unlimited free rides is now a possibility. Just how easy is it? With the right equipment, and some simple preparation, one can easily pick up sufficient data to clone dozens of Mifare-based cards on a couple of trips in a crowded subway.
This cloning the Oyster Card was possible as a direct result of work done independently by German researchers Karsten Nohl and Henryk Plötz, as well as by Bart Jacobs, an information security professor.
Of particular concern is that there are attempts by operators in certain countries — such as Singapore, to push their own RFID cards as a means for contactless payment. [Disclaimer: I do not know claim to know if the "ezlink" Card uses the affected Mifare technology. I do have a product brochure from HID featuring Mifare and HID's own iClass cards with a picture of the MRT train in the background through]
Less than Mifare
Before we even start to consider the immense security ramifications of the Mifare hack — up to one billion Mifare cards are estimated to be distributed worldwide, there is actually another RFID problem already in the making.
What many people are not aware of is that RFID does not automatically equate security. Many of the older RFID cards in use today does not even have an embedded chip that is able to provide the security mechanism that Mifare does. In fact, some of these cards rely on the guarantee of the manufacturer pertaining to the uniqueness of serial numbers on the RFID cards. Some of them are a trivial matter to clone by a simple read of all embedded data.
Yet what is happening is that many such cards are seeing use as access control tokens in offices, or as security tokens. What people need to understand is that these basic RFID cards are no more secure than how the magnetic strip of a credit card can be skimmed, or how a barcode can be photocopied.
Perhaps it can be argued that they are even less secure, given that it has been proven that coming near to you with a portable reader might be all that is necessary now.
Pictured below is a relatively bulky ruggedized RFID reader with a couple of RFID cards from one of my earlier DIY projects
No related posts.
I see more and more commercials for “wave to pay” schemes and I just sort of snort to myself. I know that there are smart cards that have the ability to generate and react to challenge/response from the reader, but I assume of any of these cards used it, they’d be touting how secure and easy to use they are, as opposed to how easy to use they are.
It’s scary, as a consumer and as a techie. On one hand, I don’t want my credit card stolen. On the other hand, I really don’t want my soldering iron taken away by an overreactive government who is in bed with the credit card companies.
Time to buy a boat and sail away, I think…
To me, perhaps the worrying aspect is when a non-secure technology is being re-packaged into an easy-to-sell product. Eager sales folks then take over, and more often than not, have no idea of the limitations of the technology. The result: Non-secure technology being sold to address needs even when they are clearly inadequate.
Thanks for helping us out!