RFID Flap Silences Security Researchers

"New research into security vulnerabilities in radio frequency identification cards made by technology giant HID Global has been pulled from the lineup at an East Coast security conference this week.

Researchers from Seattle-based security provider IOActive were planning to detail a technique they developed to clone the credentials stored on certain RFID cards made by HID. The company was expected to present the findings Wednesday at the Black Hat Federal security conference in Crystal City, Va. However, IOActive last Thursday was contacted by HID attorneys, who claimed the researchers were infringing on HID's intellectual property.

. . .

Paget said he built the cloning device mostly using information from HID's publicly filed patents and materials that anyone could purchase off of eBay for about $20."

(article continues at the WaPo site, registration required )-:

-- Bobby G.

Reply to
Robert Green

Old news (from 3 weeks ago). That RFID devices can be cloned has been known for quite some time. I and at least one other person raised the issue here a few weeks back when someone was hawking his company's RFID operated locks.

Reply to
Dave Houston

A few weeks back? The last post about RFID from this gentleman was about six months ago. Someone posted about his automated lock products. Mr. Houston opined that the RFID devices could easily be cloned. There was discussion about it being unlikely that the typical burglar would resort to such means.

As one gentleman mentioned in that thread, most RFID tags have such a short read distance that monitoring and cloning is impractical at best.

RFID devices used in more public places might be easier to compromise, given the right hardware and know-how. But those used for single-family residential access control should be relatively safe from this sort of compromise. As another gentleman also mentioned, if it's harder to get in than throwing a rock through a window, it's [at least somewhat] secure. (brackets mine)

Reply to
Robert L Bass

What's troubling about RFID entry systems is the reduction in physical effort necessary to compromise a wide range of facilities. For example, a thief can get key blanks quite easily, but carrying enough of them to allow easy entry becomes a problem. Size, noise and likelihood of drawing suspicion make it impractical. I'm sure there's an argument to be made about how many/few combinations are actually needed, or that there are various types of 'more secure' key blanks. That's not the point. The point is by using a programmer it becomes possible for a relatively small box to be capable of compromising literally millions of systems.

Tangentially there's the problem of notification. There's really very little in the way of effective notification streams for the residence. There's no good and consistent way to know how to notify the occupant when important things occur. There's a mish-mash of possibilities, but nothing that's very practical at this point to appeal to the non-technical individual. So if the entry system senses being polled (sorta like too many login requests) there's no process for letting the occupant know about it.

So combine the lack of feedback/notification with condensed ease of abuse and it's a big problem.

-Bill Kearney

Reply to
Bill Kearney

There's another reason that thieves don't go around toting key blanks. They don't open anything.

Actually, it is part of the point. Suppose a lock has six tumblers, each of which can have six positions. The thief will need to carry nearly 7,800 keys and then try them one at a time on a lock of the same make until he gets in. He'd spend almost as much time trying out keys as he would in jail after the policeman walked up. :^)

It's not that easy. Any decent system will initiate a lockout timer after three or four consecutive bad RFID codes. Suppose the system uses a 40-bit code. That would require trying upwards of 16,000,000,000,000 codes. With a lockout timer delaying things by as little as 30 seconds after 4 failed attempts (numbers picked at random), the thief will grow old waiting for one door to open.

I don't understand. If we're comparing RFID to mechanical keys or codes, how is this related?

Perhaps in cheap systems there's no method but in many access control systems there is.

Not really. Any access control system worth its salt will make provision for both.

Reply to
Robert L Bass

"Robert L Bass" wrote in the message news: vcadnW91BowImmfYnZ2dnUVZ snipped-for-privacy@comcast.com...

One thing that you have to understand here, Robert, is that lockout after too many bad RFID reads CANNOT be used if RFID becomes popular and most people come to have an RFID chip on them; there would be millions of bad RFID credential reads every day..... Let's say the door of a small apartment is right on a busy street like here in downtown Montreal, and let's say that the RFID reader can read from a few feet; the chance of people passing by the door having RFID on them is high, so there would be readings all day long, even worse at night when everyone comes home....

How would you like to have to wait a few minutes before coming into your own house?

Reply to
Petem

Not the blanks, duh. It's that cutting a significantly large enough quantity of them to be useful would be impractical. As opposed to the negligible difference between one RFID cloned key and a billion of them.

In a residential setting it's considerably less likely. Thus the uptake of RFID for residential settings presents an interesting target for greater abuse.

I'm not arguing one against the other; mechanical keys vs RFID. More that implementing things like RFID into a residential setting has considerably more possible problems than existing solutions effectively handle; in a *residential* setting. Thus the silencing of potential risks because of the defects in the technology IS a troubling problem. Security through obscurity is worthless.

Reply to
Bill Kearney

Cloning RFID keys isn't as easy as you might believe. Besides needing the equipment and knowledge of its use, the thief would need to gain possession of the original or at least find a way to con its rightful user into bringing the key within a few inches of the thief's scanner.

I seriously doubt it. The would-be cloner would need to get his device close enough to scan the RFID key. If I were the intended victim, I should think I'd notice him standing next to my door.

I understand your point. I disagree with you though.

On that point I agree wholeheartedly. I've tried to make that point among "security" people in the past but with limited success.

Reply to
Robert L Bass

news:N4KdnbbuWflJC2fYnZ2dnUVZ snipped-for-privacy@speakeasy.net...

Google "lock bumping" to find sites with Presidents' Day Specials on lock bumping sets and training videos :-(

Seems that most anyone can make most residential locks useless in seconds.

Breaking RFID is much more difficult and complicated (for now, for most crooks).

Obscurity is but a tool. It is not a complete solution, but it can be part of an approach.

An example: I post frequently in this newsgroup and have several web sites also at the IP address that is in every header of each of my usenet posts. Do you think that IP address is also the portal to my HA and security system? If not, does not that additional obscurity provide me with an additional level of protection compared to if my IP address were public?

Another example: Internet portal devices (routers, firewalls, etc) have vulnerabilities that depend on the specifics of the device. Does not the fact that I have never revealed specifics of my portal hardware provide me with more security than if I did?

'Course no security is perfect. If someone really wants to get to my security panel or HA system, they could 'easily' do so by ringing the doorbell and shooting me and the dogs ...

... Marc Marc_F_Hult

Reply to
Marc_F_Hult

I should have said "old hat" rather than "old news" as this was documented at an earlier Black Hat conference in August 2006 and I recall even earlier reports.

Here are a few URLs that may surprise you. The first one is the best.

Reply to
Dave Houston

In article , snipped-for-privacy@gmail.com (Petem) writes:
|
| "Robert L Bass" wrote in the message
| news: vcadnW91BowImmfYnZ2dnUVZ snipped-for-privacy@comcast.com...
| >> The point is by using a programmer it
| >> becomes possible for a relatively small
| >> box to be capable of compromising
| >> literally millions of systems...
| >

| > It's not that easy. Any decent system
| > will initiate a lockout timer after three or
| > four consecutive bad RFID codes.
| > Suppose the system uses a 40-bit code.
| > that would require trying upwards of
| > 16,000,000,000,000 codes. With a
| > lockout timer delaying things by as little
| > as 30 seconds after 4 failed attempts
| > (numbers picked at random), the thief
| > will grow old waiting for one door to open.
|
| One thing that you have to understand here Robert,its that lockout after too
| much bad RFID reading CANNOT be use
|
| if RFID become popular,and that most people come to have one RFID chip on
| them,there would be million of bad RFID credential read every days.....lets
| say a door of a small apartment is right on the street on a busy street like
| here in downtown Montreal,and lets say that RFID reader can read from a few
| feet,the chance that some people passing by the door and having RFID on them
| being high,there would be readings all day long,even worst at night when
| every one come home....
|
| how would you like to have to wait a few minute before coming in your own
| house?

I have always maintained that RFID devices which simply transmit a fixed serial number with no two-way interaction are not suitable for security. (Usually when I bring this up someone tells me that the requirements of residential security are not as stringent as those of a business. Then I ask why the lives of my family are less important than some office supplies. But I digress. :) In any case, even if you don't implement my preferred zero-knowledge-proof (and with the cost of RFID devices coming down as their available complexity increases I can't see any reason not to) a minimal handshake allows you to know that the RFID device is trying (and perhaps failing) to open *this* door. That in turn allows for a lockout.

If a manufacturer is bound and determined to minimize cost by using a one-way interaction (at least at normal read time) you can still implement a lockout by allowing some programmable bits in the RFID device which are set to a house code. Only when the house code matches and the rest of the code does not match do you start counting failed attempts for a lockout.

Finally, even if you don't do anything sophisticated with the hardware and are stuck with the above mentioned 40-bit code, you can still implement a reasonable lockout to protect against brute-force attacks. Simply count a failure when, e.g., the top 20 bits match and the lower 20 do not. (You do need to be careful not to display different behavior for a failure that is being counted for lockout purposes since an attacker could use that information to quickly probe the top 20 bits. Clearly it would be better if you had more bits to start with.)

Dan Lanciani ddl@danlan.*com

Reply to
Dan Lanciani
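The house-code lockout described in the post above, as an added example that is not code from the thread or from any vendor: a Python model of a reader that counts a failure only when the top 20 bits of a 40-bit code match an enrolled card, answers every failure identically so the house code is not leaked, and a capacity check showing how much of the code space that lockout actually paces. The card values, the 4-failure/30-second timing and the passer-by simulation are all constructed.

```python
"""Lockout policy for a fixed-code, one-way RFID reader.

Added example, not code from the thread or from any vendor. It models the
scheme described in the thread: a 40-bit card code whose top 20 bits serve
as a "house code". A failed read counts toward lockout only when the house
code matches, so cards belonging to passers-by (different house code) never
trip the lockout, while every denied read looks identical from outside.
All code values and timing constants are constructed.
"""
from dataclasses import dataclass, field

CODE_BITS = 40
HOUSE_BITS = 20
HOUSE_SHIFT = CODE_BITS - HOUSE_BITS
CODE_MASK = (1 << CODE_BITS) - 1


def house_code(code: int) -> int:
    """Top HOUSE_BITS bits of a card code."""
    return (code & CODE_MASK) >> HOUSE_SHIFT


@dataclass
class LockoutReader:
    valid_codes: set                 # codes enrolled on this door
    max_failures: int = 4            # counted failures before lockout
    lockout_seconds: float = 30.0
    window_seconds: float = 60.0     # counted failures older than this are forgotten
    _failures: list = field(default_factory=list, init=False)   # timestamps
    _locked_until: float = field(default=0.0, init=False)

    def is_locked(self, now: float) -> bool:
        return now < self._locked_until

    def counted_failures(self) -> int:
        return len(self._failures)

    def present(self, code: int, now: float) -> str:
        """Process one read at time `now`; returns 'open' or 'denied'.

        'denied' is the only failure answer: a read with the wrong house code
        and a read with the right house code but wrong low bits get the same
        response, so the reader does not reveal whether the house code matched.
        """
        if self.is_locked(now):
            # Lockout applies to valid cards too; that is the convenience cost
            # the thread discusses (30 s after 4 failures is a mild one).
            return "denied"
        if code in self.valid_codes:
            self._failures.clear()
            return "open"
        if any(house_code(code) == house_code(v) for v in self.valid_codes):
            # Right house code, wrong low bits: this one counts.
            self._failures = [t for t in self._failures if now - t < self.window_seconds]
            self._failures.append(now)
            if len(self._failures) >= self.max_failures:
                self._locked_until = now + self.lockout_seconds
                self._failures.clear()
        return "denied"


def worst_case_sweep_seconds(reads_per_second: float, max_failures: int,
                             lockout_seconds: float) -> float:
    """Defender's capacity check: time to present every 40-bit code to this reader.

    Only the 2**HOUSE_SHIFT codes sharing the house code are paced by the
    lockout; the rest are limited by the reader's read rate alone. This is the
    thread's caveat in numbers: the lockout protects HOUSE_SHIFT bits and the
    read rate protects the remaining HOUSE_BITS.
    """
    paced = 1 << HOUSE_SHIFT
    unpaced = (1 << CODE_BITS) - paced
    return unpaced / reads_per_second + paced / max_failures * lockout_seconds


def simulate_street(reader: LockoutReader, start: float, count: int) -> bool:
    """The busy-street scenario: `count` foreign cards (other house codes) are
    read one per second. Returns True if the reader is still unlocked after."""
    enrolled_houses = {house_code(v) for v in reader.valid_codes}
    for i in range(count):
        house = (0x12345 + i) % (1 << HOUSE_BITS)        # constructed foreign house codes
        if house in enrolled_houses:
            continue                                      # skip coincidental matches
        foreign = (house << HOUSE_SHIFT) | (i & ((1 << HOUSE_SHIFT) - 1))
        reader.present(foreign, start + i)
    return not reader.is_locked(start + count)


if __name__ == "__main__":
    door = LockoutReader(valid_codes={0xABCDE12345})      # constructed enrolled card
    print(simulate_street(door, 0, 500))                  # passers-by never lock it
    for i in range(1, 5):                                 # right house code, wrong low bits
        door.present(0xABCDE00000 + i, i)
    print(door.is_locked(10), door.present(0xABCDE12345, 10), door.present(0xABCDE12345, 35))
```

The uniform "denied" answer matters more than the counter itself: once a reader reacts differently to a counted failure (a longer beep, a slower reply, a log line visible to the cardholder), the house code becomes something that can be confirmed 20 bits at a time, which is exactly the shortcut the post warns against.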

Ideally, the system should employ rolling codes plus a lockout function.

Agreed. In designing security systems I always try to implement full perimeter with backup interior protection, regardless of whether the job is residential or commercial. In fact, a residential system often requires more features and flexibility than a commercial one.

Even without a 2-way "conversation" the system will always know that someone is trying to access it. RFID devices have such a short range that any signal which is reasonably close to a "request to enter" can be counted. Even a rudimentary system can easily perform a lockout after a predetermined number of failed attempts within a given time period.

True but it's actually simpler than that. Since the range is limited, any received transmission of the same protocol could be treated as an attempt.

The most secure approach is to require "something you know" plus "something you have." That would mean RFID plus a code. Alternatively, you could use RFID plus biometrics. With the cost of biometric devices dropping this isn't such a far-fetched idea for systems in the next 3-5 years. We're already supplying biometric scanners to government and industry clients. It won't be long before reasonably secure scanners are available at consumer pricing.

Reply to
Robert L Bass

In article , no-sales-spam@bassburglaralarms (Robert L Bass) writes:
| > I have always maintained that RFID devices
| > which simply transmit a fixed serial number
| > with no two-way interaction are not suitable
| > for security...
|
| Ideally, the system should employ rolling
| codes plus a lockout function.

Ideally the system should use a zero knowledge proof. Rolling codes are a clever hack to get some security in a one-way environment, but there is really no need to resort to them here.

| In fact, a
| residential system often requires more
| features and flexibility than a commercial
| one.

Absolutely. I wish more folks in the industry realized this.

| > ... a minimal handshake allows you to know
| > that the RFID device is trying (and perhaps
| > failing) to open *this* door...
|
| Even without a 2-way "conversation" the system
| will always know that someone is trying to
| access it. RFID devices have such a short
| range that any signal which is reasonably close
| to a "request to enter" can be counted. Even
| a rudimentary system can easily perform a
| lockout after a predetermined number of
| failed attempts within a given time period.

I was responding to the previous poster's unrealistic scenario of millions of RFID devices wandering past the door daily. Nevertheless...

| > If a manufacturer is bound and determined
| > to minimize cost by using a one-way
| > interaction (at least at normal read time)
| > you can still implement a lockout by allowing
| > some programmable bits in the RFID device
| > which are set to a house code...
|
| True but it's actually simpler than that. Since
| the range is limited, any received transmission
| of the same protocol could be treated as an
| attempt.

This still leaves you open to denial of service attacks. Not a big problem now, you may say (as likely thought the developers of tcp/ip about SYN floods), but why set yourself up for trouble if you don't have to? We should all take a lesson from the "broken is good enough" design philosophy perfected by the WEP committee...

Dan Lanciani ddl@danlan.*com

Reply to
Dan Lanciani

I don't get your meaning. Please elaborate.

They add another layer in front of the would-be hacker.

I know a few who do. Most believe precisely the opposite is true. A few points. Commercial systems usually only require two states -- armed and disarmed. Residential systems can be disarmed, armed "away", armed "at home awake" or armed "at home asleep." While away every sensor should be active. While at home awake perimeter sensors are on and the entry door(s) may be instant or delay armed. Motion sensors are off. While asleep everything except bedroom and perhaps certain common area motion detectors will be armed. Doors will be armed instant.

In a commercial alarm system there may or may not be a panic or holdup function, but in a home there should always be a means of summoning help.

As you alluded earlier, a commercial alarm system primarily protects "stuff" but a residential alarm primarily protects people. The emphasis is an important factor in designing the schedule of protection.

OK. We're on the same page.

Agreed. There's always a compromise between security and convenience. The safer we make the system from hacking the easier it becomes for someone to hassle us. Fortunately, a DOS attack using RFID would be more of a pain for the attacker than the attackee. This goes back to the short range of RFID cards. In order to trigger a lockout the hacker would need to be very close to the reader. A brief lockout (say 30 seconds after three or four failed attempts) will have negligible impact on authorized users but will greatly impede the individual trying to use random or sequential codes to break in.

An apt description if ever there was one. :^)

Reply to
Robert L Bass

In article , no-sales-spam@bassburglaralarms (Robert L Bass) writes:
| > Ideally the system should use a zero
| > knowledge proof...
|
| I don't get your meaning. Please elaborate.

In the abstract, a zero knowledge proof allows you to prove that you know a secret without disclosing that secret or even any (much) information that would allow someone else to appear to know the secret. There are various well-understood ways to accomplish this. It really doesn't matter which one you use (well, as long as it isn't one that has been shown to be flawed). Google the term if you want the underlying details of some of the algorithms.

| > Rolling codes are a clever hack to get
| > some security in a one-way environment, but
| > there is really no need to resort to them here.
|
| They add another layer in front of the would-be
| hacker.

A zero knowledge proof provides a superset of their functionality.

| > | True but it's actually simpler than that. Since
| > | the range is limited, any received transmission
| > | of the same protocol could be treated as an
| > | attempt.
| >

| > This still leaves you open to denial of service
| > attacks. Not a big problem now, you may say
| > (as likely thought the developers of tcp/ip about
| > SYN floods), but why set yourself up for trouble
| > if you don't have to?...
|
| Agreed. There's always a compromise between
| security and convenience.

There is no need to compromise in this case.

| The safer we make the
| system from hacking the easier it becomes for
| someone to hassle us.

No, a properly implemented zero knowledge proof system makes it both harder to hack the system and harder to hassle us. Again, this technology is well understood and used--at least where the purveyors consider real security important. As an example, the smart cards used to authorize satellite television decoder boxes have used a zero knowledge proof handshake since their inception. (In case you are concerned about computing power, available RFID cpus these days are more powerful than smart cards were back then.)

Now of course, the same companies (more or less) that recognize the critical need to prevent satellite signal piracy with appropriate crypto will tell you that residential alarm/access control can get by with the simplest fixed code systems. You can decide for yourself whether they have consumers' best interests at heart.

Dan Lanciani ddl@danlan.*com

Reply to
Dan Lanciani
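The zero-knowledge handshake the post above recommends, as an added example that is not code from the thread or from any product: a Python model of the Schnorr identification protocol between a card (prover) and a door reader (verifier), with both sides' messages, plus a check that a transcript skimmed from one session does not satisfy a fresh challenge. The group parameters p, q, g are a constructed toy (p = 2q + 1 with q = 1019) so the arithmetic stays readable; a real deployment would use a group with a roughly 256-bit q.

```python
"""Zero-knowledge identification between an RFID card and a door reader,
using the Schnorr identification protocol.

Added example, not code from the thread. Parameters are a constructed toy
group (p = 2q + 1, q = 1019); a real deployment uses a ~256-bit q. Shows
the exchange both ways (commit, challenge, response, verify) and the two
properties the thread cares about: the secret never leaves the card, and
a transcript captured from one session does not answer a fresh challenge.
"""
import secrets

P = 2039   # safe prime (constructed toy value)
Q = 1019   # (P - 1) // 2, prime order of the subgroup we work in
G = 4      # generator of the order-Q subgroup (a quadratic residue mod P)


class Card:
    """Prover. Holds long-term secret x; publishes y = g^x mod p at enrolment."""

    def __init__(self, x=None):
        self.x = x if x is not None else 1 + secrets.randbelow(Q - 1)   # 1 <= x < Q
        self.public = pow(G, self.x, P)
        self._r = None

    def commit(self) -> int:
        """Step 1: pick a fresh one-time nonce r, send t = g^r mod p."""
        self._r = 1 + secrets.randbelow(Q - 1)
        return pow(G, self._r, P)

    def respond(self, c: int) -> int:
        """Step 3: s = r + c*x mod q. The secret x is blinded by the fresh r."""
        return (self._r + c * self.x) % Q


class Reader:
    """Verifier. Knows only each enrolled card's public value y, never x."""

    def __init__(self, enrolled: dict):
        self.enrolled = enrolled          # card_id -> y

    def challenge(self) -> int:
        """Step 2: random c in [1, Q). Never reused, never chosen by the card."""
        return 1 + secrets.randbelow(Q - 1)

    def verify(self, card_id: str, t: int, c: int, s: int) -> bool:
        """Step 4: accept iff g^s == t * y^c (mod p)."""
        y = self.enrolled.get(card_id)
        if y is None or not (1 < t < P) or not (0 <= s < Q):
            return False
        return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_handshake(card: Card, reader: Reader, card_id: str):
    """One session. Returns (accepted, transcript); the transcript (t, c, s)
    is exactly what a passive listener near the door could capture."""
    t = card.commit()
    c = reader.challenge()
    s = card.respond(c)
    return reader.verify(card_id, t, c, s), (t, c, s)


def replay_captured(reader: Reader, card_id: str, transcript) -> bool:
    """Present a captured (t, s) to a fresh challenge. The reader would accept
    only if the new challenge equalled the old one, which the loop rules out
    here (and which is negligible with a 256-bit q)."""
    t, old_c, s = transcript
    c = reader.challenge()
    while c == old_c:
        c = reader.challenge()
    return reader.verify(card_id, t, c, s)


if __name__ == "__main__":
    card = Card(x=123)                                  # constructed enrolled secret
    door = Reader({"card-1": card.public})
    ok, transcript = run_handshake(card, door, "card-1")
    print(ok, replay_captured(door, "card-1", transcript))
    print(run_handshake(Card(x=77), door, "card-1")[0])  # impostor with a different x
```

Two design points worth noting against the thread's discussion: the reader stores only y, so a compromised reader or panel yields nothing that clones a card; and because the challenge is the reader's, a card that answers is demonstrably talking to *this* door, which is the condition the post gives for a lockout counter that foreign cards wandering past cannot trip.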

A brief foray into Google proved interesting. Thanks.

There's a reason for that. Increasing satellite smart card security makes it harder for people to steal from them. Increasing *your* security doesn't do as much for them.

There's more to it than that, of course. Over the last 20+/- years there has been a growing movement in the security industry away from comprehensive protection and toward quick, cheap installation. Not every alarm company follows this but the majority have come to recognize that alarm companies can make far more profits installing three, five or ten small systems than one really comprehensive one in the same time. This is because the primary profit center is the monitoring contract.

Some still do. Unfortunately, too many don't.

Reply to
Robert L Bass

The "Pay Pass" has been around for a while - now it's down to credit card size. It doesn't even have to be swiped through a reader, just passed near it. The problem with these sorts of systems is that it's probably pretty easy for some dweeb to put a second reader, hidden nearby, that also scans the card and captures the information.

There would be little chance of snatching hundreds of RFID codes from passers-by out of thin air with known technologies, AFAIK. But I also know hackers are ingenious - as evidenced by hardware like cantennas - and it may be quite possible to build a longer-than-normal range device that would allow you to set up a covert reader near a "funnel point" like a subway turnstile where 1,000's of people pass with the wallets and pocketbooks at very much the same height and distance.

You might not even need a super reader if you could locate your hijacking reader quite near a legitimate one. I can also easily see a hacker designing a very small, easy to conceal device that would record every RFID that was used in the reader that had been tapped. This is a well-known criminal technique. I read sometime back that some gang of criminals had figured out how to add a vampire tap to a plain old POTS credit card authorization machine that provided them with the card data from every card that was swiped through the reader in the restaurants they targeted.

Hackers are ingenious. I remember people making 1,000's of long distance phone calls for free way back when with the:

Maybe we'll all need some sort of pro-active technology to carry with us:

http://www.m There's also some interesting information about "blocking tags" here that "spam" readers that try to scan your wallet without the proper authentication:

More interesting to me was:

I recall reading that Wal-Mart wants to be able to track shoppers' movements throughout the store, and then use a computer system to compare it to sales. That would give them data on which sales displays were more effective than others and other information about people's shopping habits. Those narrow anti-shoplifting detectors they use now are probably close enough to be able to extract RFID data from the wallets of customers entering and leaving the store.

Look at how determined on-line vendors are to track people's every move through cookies, 0 bit GIF's and the like. Brick and mortar vendors are equally as obsessed with having that same sort of data on their customers. Eventually, all Americans will have an RFID chip inserted right after birth. It will be just like the Social Security number which was legislated never to be a national ID but became one anyway. Try getting a new doctor to even say hello to you without an SSN and a photo ID today.

Eventually, without your RFID implant you won't be allowed to board a plane, get medical treatment or perhaps even make a credit purchase. It won't be a government mandate. It will occur just the way credit and debit cards have taken over. Try to book a hotel or rent a car without a credit card. Big Business will make it so uncomfortable for the non-implants that they'll have to give up or live like monks in caves.

-- Bobby G.

Reply to
Robert Green

Perhaps, but if it's so easy to do, why is it we haven't heard of anyone doing it? Bear in mind that the 2nd reader would need to be secreted within inches of the real one. I'm not familiar with Pay Pass so I can't say what kind of range it has. However, any hidden reader would also need a source of power and a device to collect stolen data. It's likely not as easy as one might think.

OK, let's suppose someone was able to hide such a device inside the 42nd Street station. He collects data from thousands of RFID devices as people pass by. Now what? He has no idea who they are or what facility their card accesses.

The reality is that there are far easier, orders of magnitude simpler ways to break in. It's highly unlikely anyone will set up a code grabbing system in a subway station. Based on many years' experience in the security industry, I believe it's also unlikely most locations where people might rightfully use an RFID card are susceptible to installing a hidden device to steal data from the cards.

Perhaps, but that would be pretty noticeable. If I came home to use my RFID card to open the front door I'd probably want to know why there's a new black box mounted next to the real one. In a workplace environment someone would notice right away if someone started installing a strange device next to the door.

The problem is twofold. If the device is to read data as it is entered, it has to be wired in place and remain there for all to see. On the other hand, if it is to grab data all at once it must be connected to the access control panel. The readers don't store data.

Hmm. I never heard of anyone doing it.

If that is the story I think it is, they just tapped and recorded the phone lines.

Totally unrelated.

And that would help someone hack into an RFID?

Reply to
Robert L Bass

"We?" Did you poll the newsgroup? Inherit a kingdom? Develop a dual personality? Or are you just trying on the schtick of some others here who also try to sound more authoritative by implying they're somehow able to speak for the group?

It's never a good idea to point to your lack of knowledge of a subject as an indicator of anything other than your lack of knowledge of a subject. (-: While I don't have time to go over the numerous other errors in your post, I do have time to point out, again, that "skimming" is a very well-known criminal practice, whether "youse guys" (whomever they are) know about it or not. For your edification, I'll provide one of the first dozen URLs to describe card skimming:

They've got the scoop about card skimming devices and how clever they can be. The irony of a local BBB having detailed pictures and descriptions in response to your comment was just too good to pass up. (-; I think the rest of the errors in your post are due to the fact that somehow you assumed we were talking about entry RFID systems when clearly I was talking about Paypass and credit cards with RFID chips embedded in them from the very beginning of my post.

-- Bobby G.

Reply to
Robert Green

No.

Yes.

No, I didn't but I did.

Nope. I don't speak for anyone but myself (and my various personalities:)).

Hmm. Getting a bit testy, are we?

Not having time doesn't prove anything other than not having time.

Skimming devices have one flaw that so far makes them useless for RFID scanning. They don't interface with the real reader. Therefore the person who inserts a card into the false front does not get any money out of the ATM. If applied to an RFID access control reader the person using a card would not get in to work. This would result in a slew of complaints from valid users that they can't open the door. This in turn would result in someone checking and discovering the device. Any RFID cards "skimmed" would be taken out of service right away.

Sorry, I don't speak Joysey.

You can provide lots more if you like. The technique would not work well on an access control reader.

I don't deal with credit card processing. I do deal with access control systems though and that is what I was speaking of. I think I mentioned something to that effect, no?

Reply to
Robert L Bass