Posts Tagged ‘sleeves’

DN Systems has published a helpful overview of the considerable benefits that come with new ‘contactless’ technologies, and also some of the alleged associated risks for businesses keen to deploy this new technology. Firstly, it seems important to keep in mind that this is a relatively new sector, and therefore security policies are still in their infancy – so this is a shifting terrain.  Whilst companies may have given much thought to the design of their RFID enabled devices (for instance door-access control cards, RFID tags, and ID cards) – their supporting ‘back-end’ IT systems may still have possible inherent flaws.

A spokesperson for DN Systems said, “…RFID tags are always an integral part of a larger IT system and should be seen in this context. Given a compatible RFID reader device, anyone can freely read and modify data stored on these RFID tags without the legitimate owner even being aware of it. RFID auditing tools like RFDump can be used to explore the weaknesses of existing RFID infrastructures.”

Is on-tag encryption – a cause for concern?
Certain RFID tags carry something called ‘on-tag encryption’.  DN Systems argue that this approach is inherently vulnerable to unauthorised access and modification.  ‘On-tag’ encryption simply means that the code used to access the RFID devices’ data is stored on the device itself.  (In this respect, it would be a little like writing down the PIN code for a new credit card somewhere on the surface of the card – duh!)

Some suggest that with the right equipment it is possible to break the encryption on such devices.  Using a software package such as ‘RFDump’, DN Systems suggest the information contained within the RFID device can be manipulated.

The ‘Mifare Classic’ chip (used in public transport systems and building access control across the globe – even today?) appears vulnerable to this sort of probing.

DN Systems have this to say on the matter, “At the Chaos Computer Congress 2007 Karsten Nohl from the University of Virginia presented the results of his research. Nohl had analyzed the Mifare chip layer by layer under an electron microscope and reverse engineered significant parts of its proprietary encryption logic revealing major design flaws showing how easy it is to break the chip’s security features. With the dollar amount of the ticket directly stored on the tag, ticketing systems based on this chip, like the Oyster Card in London or the Charlie Card in Boston, are at risk. An attacker could attempt to either clone a ticket or change its value to gain illegal access to the service provided. Similar cloning and tampering scenarios apply to other open loop applications as well, including hotel key cards, ski lift and event tickets, electronic payment systems and the electronic passport.”

But that was then – this is now…
The ‘Mifare Classic’ chip emerged way back in 1994 and has since been superseded by more improved products with so-called “light-weight cryptography” solutions for the RFID element.

Today’s RFID chips contain approximately 15,000 secure ‘gates’. Although DN Systems is keen to stress that, “…only a fraction of these are available to implement crypto functionality, the rest is required to implement the tag’s state. Strong private key crypto systems on the other hand require at least 20,000 – 30,000 gates alone when implemented in hardware.”

What the above would appear to suggest (to this layperson at least) is that in order to deliver a 100% secure solution a designer would require more ‘gates’ than are currently available with commercially available RFID tags.  Therefore, whilst recent developments – i.e. since the ‘Mifare Classic’ –  have made our ‘contactless’ experience far more secure –  there is still further to go.

Some percieved RFID vulnerabilities
Ranked in no particular order of importance, what follows is an overview of common perceived RFID vulnerabilities:

  • RFID Cloning: Here the target RFID device (often a tag) is probed for vulnerabilities, and once compromised a duplicate is made.  This identical copy allows the perpetrator access to a secure area (i.e. cloned door-entry pass) or the prospect of introducing non-authorised products into an operations’ supply chain.  Another tactic would be to manipulate the value of goods, via cloned item tags, when shopping.  This phenomenon has been dubbed, “Cyber Shop-lifting”.
  • Malicious Code Injection: In this scenario, the aim of the perpetrator is to introduce a virus into the RFID device, which once read seeks to corrupt or crash an associated ‘back-office’ IT support system.  The main aim is to cause disruption or ‘hack’ into a secure area – such as a database.  What, you don’t believe the databases of major corporations can be ‘hacked’ – well, here’s an overview of some of the more staggering database ‘hacks’ over the last decade.
  • Man in the middle: Here the perpetrator seeks to trick users into presenting their RFID enabled device to a non-authorised reader.  The goal is to decrypt certain information during this electronic transaction that might provide useful keys for performing other attacks in due course.
  • Electronic eavesdropping / Skimming information:  This subject has already been explored at length elsewhere on this blog:
    https://contactless.wordpress.com/2011/06/11/eavesdropping-attacks-on-high-frequency-rfid-tokens/

The above vulnerabilities should not be read as proof that all RFID devices will be compromised in due course.  Nor should we fear a new crime wave at this point in time.  Rather, this article seeks to raise awareness that with any new technology come benefits and drawbacks – often in equal measures.

British-based company RFID Protect has positioned itself in this arena, as an operation that provides a range of security counter-measures for those seeking to combat some of the above issues.

To learn even more about this fascinating subject or to view the original article visit: http://www.dn-systems.de/technology/risks/

Nevada Attorney General warns of 'contactless' crimewave

A leading smart card shielding company in the States recently announced news that the Nevada Attorney General’s Office had issued a series of daily consumer briefings on the growing concern surrounding ‘contactless’ crime.   If this is true then things are heating up!

Warnings appear to have been linked with America’s 13th Annual National Consumer Protection Week (NCPW). During NCPW, groups across the States share consumer advice, in the hope that individuals will find better ways to protect their privacy and avoid fraud.

A spokesperson from ID Stronghold said, “Thieves can steal this information by using a frequency reader. These readers are inexpensive and easy to obtain. The thief can simply walk next to you and acquire your credit card number and expiration date without any physical contact. While these cards are in your wallet or purse they can transmit your card or passport number and in some states, your digital drivers’ license information when placed near a reader. The information almost immediately appears on a computer screen without you ever knowing about it. Apparently U.S. passports are more difficult to read than cards with RFID chips because they require a password. However, hackers with enough knowledge can see everything on the passport’s front page.”

From the above evidence there seems to be growing concern across America, (not least in Nevada), about a potential RFID crimewave. Against such a backdrop the case for consumers to protect themselves from this type of identity theft is growing stronger by the day.  And whilst it is important to also mention that the makers of RFID enabled devices still maintain that their products are 100% safe from unauthorised access, should you feel the need to buy some RFID sheilding just in case then you can learn more here…

US Department of Defense orders RFID shields

US Department of Defense orders RFID shields

It can now be reasonably argued that November 2010 will mark a significant turning point in the debate surrounding RFID or ‘contactless’ credit, debit, passport and door-access security.  For on Wednesday 29 November, 2010  Secure ID News reported the following news,

“…2.5 million radio frequency shielding sleeves (were delivered) to the Department of Defense to protect the contactless Common Access Card (CAC) from data interception. The FIPS 201-approved, shielding sleeves are distributed via RAPIDS ID offices worldwide with the issuance of new CACs.”

Furthermore, the online journal then went on to state,

“…an option to purchase an additional 1,675,000 sleeves was exercised by the Defense Department for final delivery in January 2011. This order will bring the total number of our sleeves 4.2 million. In September, an order for 200,000 rigid, RF shielding, non-metallic badge holders (was also placed).”

Of course, whilst unauthorised data interception from RFID enabled device is not commonplace – this development would strongly suggest that the potential threat of ‘skimming’ is real and growing by the day.

Original source: http://www.secureidnews.com/2010/11/29/defense-department-order-rf-shields-from-national-laminating

Here in the UK, the bio-metric passport project is now in its fourth year.  By all accounts the roll-out has proved successful, although there is a growing body of evidence that suggests the system is not entirely fool-proof; leaving a small window of opportunity for unscrupulous individuals to ‘skim’ the data contained therein.  It’s been argued that this can be done from distances up to a metre away, and what’s more – you wouldn’t feel a thing!

As someone who’s not keen to have their privacy compromised – even if this is just a ‘long shot’ – I’ve decided to put together a DIY guide to keeping your RFID enabled passport secure from skimmers. So, we’re going to use the ‘Faraday Cage’ approach of using aluminium foil to create a secure environment for our passport – rendering it inactive, whilst inside the foil.  Yes, I realise that this smacks of ‘tin hat paranoia’ – but there’s compelling evidence to suggest it works – as the signal from our passive RFID chip is effectively blocked from the reader; or ‘hacker’ as the case may be.

You will need:

2 x A3 paper
A4 size strips of aluminium foil
C5 sized envelope/s
3M spray mount
1 x scalpel
1 x newspaper
1 x ruler
1 x strong adhesive (PVA / wood glue)
1 x kettle (for streaming the C5 envelope open)

Instructions:

  • Take your kettle, fill it with about one cup of water, and heat until boiling
  • Taking great care with this next step – steam the folded seams of your C5 envelop, until the original glue relaxes and you can peal the flaps apart
  • Once all flaps are released – unfold your envelop and allow to dry
  • Once dry, place your unfolded envelop between two sheets of A3 paper (creating a sandwich) and iron the top sheet of A3, thus in doing so the C5 envelop will be flattened.
  • Remove the 2 sheets of A3 paper, take the (now flattened) envelop and place it over a sheet of aluminium foil and ensure that there’s sufficient foil to cover your envelop.  Cut to size – allowing for at least 1 cm overlap on all edges.
  • Place the aluminium foil onto a sheet of old newspaper – spray well with 3M spray mount
  • Place inside face of envelop onto the sticky side of the foil – you’re attempting to glue the foil to the inside of your envelop.
  • Place a sheet of A3 paper over the top, then rest a heavy book on top – allowing up to 24 hrs for the glue to adhere
  • Once fully dried – and using a ruler – trim all edges with a scalpel, to the original dimensions of your C5 envelop.  TAKE CARE OF FINGERS!!!
  • Finally, crease any folds again to original C5 envelop configurations.
  • Use the strong adhesive to join the folded seams together.

You should now have a C5 envelope with a foil lining inside. All you need do now is insert your RFID enabled passport and close the flap.  You can use a paper clip to keep the flap closed.

All done!

Although with hindsight, you could well be better off simply buying an RFID protected passport sleeve (for around £2.99) from one of the suppliers listed elsewhere on this site. (Click here to buy from UK-supplier RFID Protect.)

And unless you already have most of the items detailed above then it’s probably also a cheaper option – but of course less fun!

Google has finally accepted that it harvested personal data from wireless networks as its fleet of vehicles drove down residential roads taking photographs for the Street View project. And yet only a few months ago it would have screamed ‘blue murder’ if anyone intimated that this had happened. Now it transpires that millions of internet users have potentially been affected. Google’s acknowledgment of guilt is an interesting U-turn from its earlier assertion that no sensitive personal information had been taken.

Google has now confessed that its, “…vehicles had also gather(ed) information about the location of wireless networks, the devices which connect computers to the telecommunications network via radio waves.”

The Daily Telegraph newspaper reported that, “…Privacy International lodged a complaint with Scotland Yard earlier this year about Google’s Street View activities and officers are still considering whether a crime has been committed. Google is facing prosecution in France and a class action in the US, with similar lawsuits pending in other countries.”

The full story can be read at: http://www.telegraph.co.uk/

Whilst this development does not relate specifically to RFID or contactless technology as such, nonetheless it’s an excellent example of a large multi-national operation initially stating – “guys, what’s the problem – there’s nothing to worry about your wireless internet connection because we’ve ensured that it’s 100% secure” – and then a few months later we arrive at a different place – “…er, you know that technology that we told you was secure, well there’s been a slight issue with it and as a result your email, passwords and other sensitive information are now in the public domain – whoops, sorry about that…”

Therefore it could be reasonably argued that whilst today contactless credit, debit, Oyster, and Olympics 2012 RFID passes are all being sold as 100% safe – tomorrow may bring with it a somewhat different outlook…

Watch this space, and in the meantime can you afford not to protect your biometric details now?

Dutch security researchers rode the London Underground free for a day after easily using an ordinary laptop to clone the “smartcards” commuters use to pay fares, a hack that highlights a serious security flaw because similar cards provide access to thousands of government offices, hospitals and schools.

There are more than 17 million of the transit cards, called Oyster Cards, in circulation. Transport for London says the breach poses no threat to passengers and “the most anyone could gain from a rogue card is one day’s travel.” But this is about more than stealing a free fare or even cribbing any personal information that might be on the cards.

Oyster Cards feature the same Mifare chip used in security cards that provide access to thousands of secure locations. Security experts say the breach poses a threat to public safety and the cards should be replaced.

“The cryptography is simply not fit for purpose,” security consultant Adam Laurie told the Telegraph. “It’s very vulnerable and we can expect the bad guys to hack into it soon if they haven’t already.”

By Alexander Lew  Email Author| June 24, 2008

Source: http://www.wired.com/autopia/2008/06/hackers-crack-l/