Posted by Robert Green on March 15, 2007, 12:34 pm
RFID Flap Silences Security Researchers

"New research into security vulnerabilities in radio frequency identification cards made by technology giant HID Global has been pulled from the lineup at an East Coast security conference this week.

Researchers from Seattle-based security provider IOActive were planning to detail a technique they developed to clone the credentials stored on certain RFID cards made by HID. The company was expected to present the findings Wednesday at the Black Hat Federal security conference in Crystal City, Va. However, IOActive last Thursday was contacted by HID attorneys, who claimed the researchers were infringing on HID's intellectual property.

. . .

Paget said he built the cloning device mostly using information from HID's publicly filed patents and materials that anyone could purchase off of eBay for about $20."

(article continues at the WaPo site, registration required )-:

--
Bobby G.

Posted by Dave Houston on March 15, 2007, 1:21 pm

Old news (from 3 weeks ago). That RFID devices can be cloned has been known for quite some time. I and at least one other person raised the issue here a few weeks back when someone was hawking his company's RFID operated locks.

http://davehouston.net
http://tech.groups.yahoo.com/group/roZetta/
roZetta-subscribe@yahoogroups.com

Posted by Robert L Bass on March 15, 2007, 4:20 pm

> Old news (from 3 weeks ago). That RFID
> devices can be cloned has been known
> for quite some time. I and at least one
> other person raised the issue here a few
> weeks back when someone was hawking
> his company's RFID operated locks.

A few weeks back? The last post about RFID from this gentleman was about six months ago. Someone posted about his automated lock products. Mr. Houston opined that the RFID devices could easily be cloned. There was discussion about it being unlikely that the typical burglar would resort to such means. As one gentleman mentioned in that thread, most RFID tags have such a short read distance that monitoring and cloning is impractical at best.

RFID devices used in more public places might be easier to compromise, given the right hardware and know-how. But those used for single-family residential access control should be relatively safe from this sort of compromise. As another gentleman also mentioned, if it's harder to get in than throwing a rock through a window, it's [at least somewhat] secure. (brackets mine)

--
Regards,
Robert L Bass

=============================>
Bass Home Electronics
941-925-8650
4883 Fallcrest Circle
Sarasota · Florida · 34233
http://www.bassburglaralarms.com
=============================>

Posted by Bill Kearney on March 15, 2007, 10:22 pm

> RFID devices used in more public places
> might be easier to compromise, given the
> right hardware and know-how. But those
> used for single-family residential access
> control should be relatively safe from this
> sort of compromise.

What's troubling about RFID entry systems is the reduction in physical effort necessary to compromise a wide range of facilities. For example, a thief can get key blanks quite easily, but carrying enough of them to allow easy entry becomes a problem. Size, noise and likelihood of drawing suspicion make it impractical.

I'm sure there's an argument to be made about how many/few combinations are actually needed, or that there are various types of 'more secure' key blanks. That's not the point. The point is by using a programmer it becomes possible for a relatively small box to be capable of compromising literally millions of systems.

Tangentially there's the problem of notification. There's really very little in the way of effective notification streams for the residence. There's no good and consistent way to know how to notify the occupant when important things occur. There's a mish-mash of possibilities, but nothing that's very practical at this point to appeal to the non-technical individual. So if the entry system senses being polled (sorta like too many login requests) there's no process for letting the occupant know about it.

So combine the lack of feedback/notification with condensed ease of abuse and it's a big problem.

-Bill Kearney

Posted by Robert L Bass on March 15, 2007, 10:58 pm

> What's troubling about RFID entry systems
> is the reduction in physical effort necessary
> to compromise a wide range of facilities.
> For example, a thief can get key blanks quite
> easily, but carrying enough of them to allow
> easy entry becomes a problem. Size, noise
> and likelihood of drawing suspicion make it
> impractical...

There's another reason that thieves don't go around toting key blanks. They don't open anything.

> I'm sure there's an argument to be made
> about how many/few combinations are
> actually needed, or that there are various
> types of 'more secure' key blanks. That's
> not the point...

Actually, it is part of the point. Suppose a lock has six tumblers, each of which can have six positions. The thief will need to carry nearly 7,800 keys and then try them one at a time on a lock of the same make until he gets in. He'd spend almost as much time trying out keys as he would in jail after the policeman walked up. :^)

> The point is by using a programmer it
> becomes possible for a relatively small
> box to be capable of compromising
> literally millions of systems...

It's not that easy. Any decent system will initiate a lockout timer after three or four consecutive bad RFID codes. Suppose the system uses a 40-bit code. That would require trying upwards of 16,000,000,000,000 codes. With a lockout timer delaying things by as little as 30 seconds after 4 failed attempts (numbers picked at random), the thief will grow old waiting for one door to open.

> Tangentially there's the problem of
> notification. There's really very little
> in the way of effective notification streams
> for the residence. There's no good and
> consistent way to know how to notify
> the occupant when important things
> occur...

I don't understand. If we're comparing RFID to mechanical keys or codes, how is this related?

> There's a mish-mash of possibilities,
> but nothing that's very practical at this
> point to appeal to the non-technical
> individual. So if the entry system
> senses being polled (sorta like too
> many login requests) there's no process
> for letting the occupant know about it.

Perhaps in cheap systems there's no method but in many access control systems there is.

> So combine the lack of feedback/notification
> with condensed ease of abuse and it's a
> big problem.

Not really. Any access control system worth its salt will make provision for both.

--
Regards,
Robert L Bass

=============================>
Bass Home Electronics
941-925-8650
4883 Fallcrest Circle
Sarasota · Florida · 34233
http://www.bassburglaralarms.com
=============================>
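
The lockout timer and occupant notification discussed in the replies above, as an added example that is not part of the original thread. The class, its `notify` hook and the sample codes are assumptions; the 4-failure and 30-second figures are the ones used in the last post.

```python
import math


class ReaderLockout:
    """Lockout timer plus occupant notification for a credential reader."""

    def __init__(self, max_failures=4, lockout_seconds=30, notify=print):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.notify = notify          # hypothetical hook: SMS, e-mail, alarm panel
        self.failures = 0
        self.locked_until = 0.0

    def present(self, code, valid_codes, now):
        """Return 'granted', 'denied' or 'locked' for a code read at time `now`."""
        if now < self.locked_until:
            return "locked"           # every read is ignored during the window
        if code in valid_codes:
            self.failures = 0
            return "granted"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_seconds
            self.failures = 0
            self.notify(f"reader locked at t={now}: "
                        f"{self.max_failures} consecutive bad codes")
        return "denied"


def worst_case_years(bits, max_failures=4, lockout_seconds=30):
    """Years to try a whole code space, counting only the lockout delays."""
    lockouts = math.ceil(2 ** bits / max_failures)
    return lockouts * lockout_seconds / (365 * 24 * 3600)


def simulate():
    """Constructed sample: five bad reads one second apart, then a valid card."""
    alerts = []
    reader = ReaderLockout(notify=alerts.append)
    valid = {0x12345ABCDE}            # constructed 40-bit code
    results = [reader.present(bad, valid, now=t)
               for t, bad in enumerate([1, 2, 3, 4, 5])]
    results.append(reader.present(0x12345ABCDE, valid, now=10))  # still locked
    results.append(reader.present(0x12345ABCDE, valid, now=40))  # window over
    return results, alerts
```

The lockout only slows guessing: a copied valid code returns `granted` exactly as the original card does, which is the cloning case the article in the first post describes.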