Posts Tagged ‘sleeve’

DN Systems has published a helpful overview of the considerable benefits that come with new ‘contactless’ technologies, and also some of the alleged associated risks for businesses keen to deploy this new technology. Firstly, it seems important to keep in mind that this is a relatively new sector, and therefore security policies are still in their infancy – so this is a shifting terrain.  Whilst companies may have given much thought to the design of their RFID enabled devices (for instance door-access control cards, RFID tags, and ID cards) – their supporting ‘back-end’ IT systems may still have possible inherent flaws.

A spokesperson for DN Systems said, “…RFID tags are always an integral part of a larger IT system and should be seen in this context. Given a compatible RFID reader device, anyone can freely read and modify data stored on these RFID tags without the legitimate owner even being aware of it. RFID auditing tools like RFDump can be used to explore the weaknesses of existing RFID infrastructures.”

Is on-tag encryption – a cause for concern?
Certain RFID tags carry something called ‘on-tag encryption’.  DN Systems argue that this approach is inherently vulnerable to unauthorised access and modification.  ‘On-tag’ encryption simply means that the code used to access the RFID device’s data is stored on the device itself.  (In this respect, it would be a little like writing down the PIN code for a new credit card somewhere on the surface of the card – duh!)

Some suggest that with the right equipment it is possible to break the encryption on such devices.  Using a software package such as ‘RFDump’, DN Systems suggest the information contained within the RFID device can be manipulated.

The ‘Mifare Classic’ chip (used in public transport systems and building access control across the globe – even today?) appears vulnerable to this sort of probing.

DN Systems have this to say on the matter, “At the Chaos Computer Congress 2007 Karsten Nohl from the University of Virginia presented the results of his research. Nohl had analyzed the Mifare chip layer by layer under an electron microscope and reverse engineered significant parts of its proprietary encryption logic revealing major design flaws showing how easy it is to break the chip’s security features. With the dollar amount of the ticket directly stored on the tag, ticketing systems based on this chip, like the Oyster Card in London or the Charlie Card in Boston, are at risk. An attacker could attempt to either clone a ticket or change its value to gain illegal access to the service provided. Similar cloning and tampering scenarios apply to other open loop applications as well, including hotel key cards, ski lift and event tickets, electronic payment systems and the electronic passport.”

But that was then – this is now…
The ‘Mifare Classic’ chip emerged way back in 1994 and has since been superseded by improved products with so-called “light-weight cryptography” solutions for the RFID element.

Today’s RFID chips contain approximately 15,000 secure ‘gates’, although DN Systems is keen to stress that “…only a fraction of these are available to implement crypto functionality, the rest is required to implement the tag’s state. Strong private key crypto systems on the other hand require at least 20,000 – 30,000 gates alone when implemented in hardware.”

What the above would appear to suggest (to this layperson at least) is that in order to deliver a 100% secure solution a designer would require more ‘gates’ than are currently available with commercially available RFID tags.  Therefore, whilst recent developments – i.e. since the ‘Mifare Classic’ –  have made our ‘contactless’ experience far more secure –  there is still further to go.

Some perceived RFID vulnerabilities
Ranked in no particular order of importance, what follows is an overview of common perceived RFID vulnerabilities:

  • RFID Cloning: Here the target RFID device (often a tag) is probed for vulnerabilities, and once compromised a duplicate is made.  This identical copy allows the perpetrator access to a secure area (e.g. a cloned door-entry pass) or the prospect of introducing non-authorised products into an operation’s supply chain.  Another tactic would be to manipulate the value of goods, via cloned item tags, when shopping.  This phenomenon has been dubbed “Cyber Shop-lifting”.
  • Malicious Code Injection: In this scenario, the aim of the perpetrator is to introduce a virus into the RFID device, which once read seeks to corrupt or crash an associated ‘back-office’ IT support system.  The main aim is to cause disruption or ‘hack’ into a secure area – such as a database.  What, you don’t believe the databases of major corporations can be ‘hacked’ – well, here’s an overview of some of the more staggering database ‘hacks’ over the last decade.
  • Man in the middle: Here the perpetrator seeks to trick users into presenting their RFID enabled device to a non-authorised reader.  The goal is to decrypt certain information during this electronic transaction that might provide useful keys for performing other attacks in due course.
  • Electronic eavesdropping / Skimming information:  This subject has already been explored at length elsewhere on this blog:
    https://contactless.wordpress.com/2011/06/11/eavesdropping-attacks-on-high-frequency-rfid-tokens/
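The ‘Malicious Code Injection’ item above comes down to the back-end system trusting whatever a tag returns. The following is an added example, not code from DN Systems or from the original article: it puts a weak back-end lookup beside a hardened one, using Python’s built-in sqlite3 module. The table layout, the hexadecimal tag ID format and all sample values are assumptions constructed for illustration.

```python
import re
import sqlite3

# Assumed tag ID format for this example: 4 to 10 bytes written as uppercase hex.
TAG_ID_RE = re.compile(r"[0-9A-F]{8,20}")

# Constructed sample of hostile tag content: text where an ID should be.
HOSTILE_PAYLOAD = "x' OR '1'='1"


def make_db():
    """Build a small in-memory item table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE items (tag_id TEXT PRIMARY KEY, name TEXT, price_pence INTEGER)"
    )
    db.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [("04A1B2C3D4", "kettle", 2499), ("04FFEE0011", "toaster", 1999)],
    )
    return db


def lookup_unsafe(db, tag_payload):
    """Weak: tag content is pasted into the SQL text, so whoever wrote the
    tag also decides what query the database runs."""
    sql = "SELECT name, price_pence FROM items WHERE tag_id = '%s'" % tag_payload
    return db.execute(sql).fetchall()


def lookup_safe(db, tag_payload):
    """Hardened: treat tag content as untrusted input. Reject anything that
    is not a well-formed ID, then pass it as a bound parameter."""
    if not isinstance(tag_payload, str) or not TAG_ID_RE.fullmatch(tag_payload):
        raise ValueError("tag payload rejected: not a well-formed tag ID")
    # The price comes from the back-end record, never from the tag itself,
    # so rewriting a tag's memory cannot change what is charged.
    return db.execute(
        "SELECT name, price_pence FROM items WHERE tag_id = ?", (tag_payload,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe lookup returned", len(lookup_unsafe(db, HOSTILE_PAYLOAD)), "rows")
    try:
        lookup_safe(db, HOSTILE_PAYLOAD)
    except ValueError as exc:
        print("safe lookup:", exc)
    print("safe lookup of a genuine ID:", lookup_safe(db, "04A1B2C3D4"))
```

Format validation and bound parameters stop hostile tag content from reaching the database as code; they do not detect a cloned tag, which presents a perfectly valid ID.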

The above vulnerabilities should not be read as proof that all RFID devices will be compromised in due course.  Nor should we fear a new crime wave at this point in time.  Rather, this article seeks to raise awareness that with any new technology come benefits and drawbacks – often in equal measures.

British-based company RFID Protect has positioned itself in this arena, as an operation that provides a range of security counter-measures for those seeking to combat some of the above issues.

To learn even more about this fascinating subject or to view the original article visit: http://www.dn-systems.de/technology/risks/

Foil linings for all new e-passports in the USA
RFID Journal recently reported that all new generation US e-passports will have a protective foil lining inside their covers. Why you may well ask? The logic is simple – the foil provides an effective barrier, or shield, that protects against unauthorised access to sensitive passport information contained within the RFID chip.  (In many European countries, including Britain, passports issued since 2006 have embedded RFID or ‘contactless’ chips containing information about the passport holder.)

With this new improvement, US passport holders would have to have their passport open all of the time for it to be traced or intercepted.

This development is clearly terrific news for American citizens!

But it’s not such a bright outlook for other countries that have been slow to adopt foil linings.  Of course for UK citizens there’s a simple – and 100% effective – solution until Britain catches up with the States and issues new generation ‘foil lined’ e-passports.  RFID Protect supplies a range of shielding products for British e-passports and is law enforcement partnered so you can be sure of an effective solution and decent customer support.  By placing your e-passport within one of RFID Protect’s shielding sleeves, wallets or holders there is no way on Earth anyone is going to scan your passport data remotely.

In fact – it’s like giving your passport its own portable firewall!

There’s an old saying – ‘when America sneezes, Britain catches a cold’.  On this occasion the UK would certainly benefit from ‘a day of fever’ in order to come out the other side feeling well again; as some will argue that the current unsatisfactory situation leaves British citizens exposed to potential RFID crime. The following link will take you to the RFID Protect webpage where you can get protected now!

http://www.rfidprotect.co.uk/products.html

http://www.rfidprotect.co.uk/

For UK residents interested in anti-skimming products, we’d suggest making contact with RFID Protect. RFID Protect is a British-based company, and one that offers a full range of RFID shielding kit, much of which can be custom manufactured to carry a client’s branding.

There’s also an added benefit; this being RFID Protect’s work with law enforcement specialists both in the UK and overseas – their shared goal being to raise awareness about RFID skimming, and help people keep their personal data secure.

For more information visit:  RFID Protect

Finally, if you’re in any doubt as to whether or not RFID skimming is a real threat, then perhaps watch the following video evidence.  In this video by UK broadcaster Channel 4 News, Thomas Cannon, of ViaForensics, demonstrates how an ‘electronic pickpocket’ can skim personal information remotely from RFID enabled bank cards using a smartphone application.

Electronic Pickpocket – YouTube Video
(Approx. 4 minutes – n.b.: opens in a new window.)