#1
http://blog.washingtonpost.com/securityfix/

RFID Flap Silences Security Researchers

"New research into security vulnerabilities in radio frequency identification cards made by technology giant HID Global has been pulled from the lineup at an East Coast security conference this week.

Researchers from Seattle-based security provider IOActive were planning to detail a technique they developed to clone the credentials stored on certain RFID cards made by HID. The company was expected to present the findings Wednesday at the Black Hat Federal security conference in Crystal City, Va. However, IOActive last Thursday was contacted by HID attorneys, who claimed the researchers were infringing on HID's intellectual property.

. . .

Paget said he built the cloning device mostly using information from HID's publicly filed patents and materials that anyone could purchase off of eBay for about $20."

(article continues at the WaPo site, registration required )-:

--
Bobby G.

#2
"Robert Green" <ROBERT_GREEN1963@YAH00.COM> wrote:

>http://blog.washingtonpost.com/securityfix/
>
>RFID Flap Silences Security Researchers
>
>"New research into security vulnerabilities in radio frequency
>identification cards made by technology giant HID Global has been pulled
>from the lineup at an East Coast security conference this week.
>
>Researchers from Seattle-based security provider IOActive were planning to
>detail a technique they developed to clone the credentials stored on certain
>RFID cards made by HID. The company was expected to present the findings
>Wednesday at the Black Hat Federal security conference in Crystal City, Va.
>However, IOActive last Thursday was contacted by HID attorneys, who claimed
>the researchers were infringing on HID's intellectual property.
>
>. . .
>
>Paget said he built the cloning device mostly using information from HID's
>publicly filed patents and materials that anyone could purchase off of eBay
>for about $20."
>
>(article continues at the WaPo site, registration required )-:

Old news (from 3 weeks ago). That RFID devices can be cloned has been known for quite some time. I and at least one other person raised the issue here a few weeks back when someone was hawking his company's RFID operated locks.

http://davehouston.net
http://tech.groups.yahoo.com/group/roZetta/
roZetta-subscribe@yahoogroups.com

#3
> Old news (from 3 weeks ago). That RFID
> devices can be cloned has been known
> for quite some time. I and at least one
> other person raised the issue here a few
> weeks back when someone was hawking
> his company's RFID operated locks.

A few weeks back? The last post about RFID from this gentleman was about six months ago. Someone posted about his automated lock products. Mr. Houston opined that the RFID devices could easily be cloned. There was discussion about it being unlikely that the typical burglar would resort to such means.

As one gentleman mentioned in that thread, most RFID tags have such a short read distance that monitoring and cloning is impractical at best. RFID devices used in more public places might be easier to compromise, given the right hardware and know-how. But those used for single-family residential access control should be relatively safe from this sort of compromise.

As another gentleman also mentioned, if it's harder to get in than throwing a rock through a window, it's [at least somewhat] secure. (brackets mine)

--
Regards,
Robert L Bass
=============================>
Bass Home Electronics
941-925-8650
4883 Fallcrest Circle
Sarasota · Florida · 34233
http://www.bassburglaralarms.com
=============================>

#4
> RFID devices used in more public places
> might be easier to compromise, given the
> right hardware and know-how. But those
> used for single-family residential access
> control should be relatively safe from this
> sort of compromise.

What's troubling about RFID entry systems is the reduction in physical effort necessary to compromise a wide range of facilities. For example, a thief can get key blanks quite easily, but carrying enough of them to allow easy entry becomes a problem. Size, noise and likelihood of drawing suspicion make it impractical.

I'm sure there's an argument to be made about how many/few combinations are actually needed, or that there are various types of 'more secure' key blanks. That's not the point. The point is by using a programmer it becomes possible for a relatively small box to be capable of compromising literally millions of systems.

Tangentially there's the problem of notification. There's really very little in the way of effective notification streams for the residence. There's no good and consistent way to know how to notify the occupant when important things occur. There's a mish-mash of possibilities, but nothing that's very practical at this point to appeal to the non-technical individual. So if the entry system senses being polled (sorta like too many login requests) there's no process for letting the occupant know about it.

So combine the lack of feedback/notification with condensed ease of abuse and it's a big problem.

-Bill Kearney

#5
> What's troubling about RFID entry systems
> is the reduction in physical effort necessary
> to compromise a wide range of facilities.
> For example, a thief can get key blanks quite
> easily, but carrying enough of them to allow
> easy entry becomes a problem. Size, noise
> and likelihood of drawing suspicion make it
> impractical...

There's another reason that thieves don't go around toting key blanks. They don't open anything.

> I'm sure there's an argument to be made
> about how many/few combinations are
> actually needed, or that there are various
> types of 'more secure' key blanks. That's
> not the point...

Actually, it is part of the point. Suppose a lock has six tumblers, each of which can have six positions. The thief will need to carry nearly 7,800 keys and then try them one at a time on a lock of the same make until he gets in. He'd spend almost as much time trying out keys as he would in jail after the policeman walked up. :^)

> The point is by using a programmer it
> becomes possible for a relatively small
> box to be capable of compromising
> literally millions of systems...

It's not that easy. Any decent system will initiate a lockout timer after three or four consecutive bad RFID codes. Suppose the system uses a 40-bit code. That would require trying upwards of 16,000,000,000,000 codes. With a lockout timer delaying things by as little as 30 seconds after 4 failed attempts (numbers picked at random), the thief will grow old waiting for one door to open.

> Tangentially there's the problem of
> notification. There's really very little
> in the way of effective notification streams
> for the residence. There's no good and
> consistent way to know how to notify
> the occupant when important things
> occur...

I don't understand. If we're comparing RFID to mechanical keys or codes, how is this related?

> There's a mish-mash of possibilities,
> but nothing that's very practical at this
> point to appeal to the non-technical
> individual. So if the entry system
> senses being polled (sorta like too
> many login requests) there's no process
> for letting the occupant know about it.

Perhaps in cheap systems there's no method but in many access control systems there is.

> So combine the lack of feedback/notification
> with condensed ease of abuse and it's a
> big problem.

Not really. Any access control system worth its salt will make provision for both.

--
Regards,
Robert L Bass
=============================>
Bass Home Electronics
941-925-8650
4883 Fallcrest Circle
Sarasota · Florida · 34233
http://www.bassburglaralarms.com
=============================>

#6
"Robert L Bass" <no-sales-spam@bassburglaralarms> wrote in message news: vcadnW91BowImmfYnZ2dnUVZ_u-unZ2d@comcast.com...

>> The point is by using a programmer it
>> becomes possible for a relatively small
>> box to be capable of compromising
>> literally millions of systems...
>
> It's not that easy. Any decent system
> will initiate a lockout timer after three or
> four consecutive bad RFID codes.
> Suppose the system uses a 40-bit code.
> That would require trying upwards of
> 16,000,000,000,000 codes. With a
> lockout timer delaying things by as little
> as 30 seconds after 4 failed attempts
> (numbers picked at random), the thief
> will grow old waiting for one door to open.

One thing that you have to understand here, Robert, is that lockout after too many bad RFID readings CANNOT be used if RFID becomes popular and most people come to have an RFID chip on them; there would be millions of bad RFID credential reads every day...

Let's say the door of a small apartment is right on the street, on a busy street like here in downtown Montreal, and let's say that the RFID reader can read from a few feet. The chance that some people passing by the door have RFID on them being high, there would be readings all day long, even worse at night when everyone comes home... How would you like to have to wait a few minutes before coming into your own house?

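An added example, not part of any post in this thread: a small Python model of the lockout policy debated in posts #5 and #6, using the 40-bit code, four-attempt and 30-second figures from post #5 and a constructed stream of stray tag reads for the busy-street scenario in post #6. The `Reader` class, its field names, the `alerts` counter (standing in for the occupant notification raised in post #4) and the stray-read rates are assumptions made for illustration.

```python
from dataclasses import dataclass

SECONDS_PER_YEAR = 365.25 * 86400


@dataclass
class Reader:
    """Hypothetical door reader with a global failed-read lockout."""
    max_failures: int = 4     # bad reads before lockout (figure from post #5)
    lockout_s: float = 30.0   # lockout length in seconds (figure from post #5)
    fails: int = 0
    locked_until: float = 0.0
    alerts: int = 0           # lockouts that would be reported to the occupant

    def present(self, now, code, valid):
        """Handle one credential read; returns 'open', 'denied' or 'locked'."""
        if now < self.locked_until:
            return "locked"
        if code in valid:
            self.fails = 0
            return "open"
        self.fails += 1
        if self.fails >= self.max_failures:
            self.fails = 0
            self.locked_until = now + self.lockout_s
            self.alerts += 1
        return "denied"


def years_to_exhaust(bits, max_failures=4, lockout_s=30.0):
    """Upper bound on guessing time when each batch of failures costs one lockout."""
    # 2**40 is 1,099,511,627,776 possible codes.
    return (2 ** bits / max_failures) * lockout_s / SECONDS_PER_YEAR


def stray_read_impact(strays_per_hour, hours=1):
    """Feed evenly spaced unknown tags (constructed data) to a fresh reader.

    Returns (fraction of the period spent locked out, number of alerts).
    """
    reader = Reader()
    step = 3600 / strays_per_hour
    for i in range(int(strays_per_hour * hours)):
        reader.present(i * step, f"stray-{i}", valid={"owner-tag"})
    return reader.alerts * reader.lockout_s / (hours * 3600), reader.alerts


if __name__ == "__main__":
    print(f"40-bit code, 4 tries per 30 s: {years_to_exhaust(40):,.0f} years")
    for rate in (10, 120, 240):
        frac, alerts = stray_read_impact(rate)
        print(f"{rate:>3} stray reads/h: locked {frac:.0%} of the time, {alerts} alerts")
```

Under these assumptions exhaustive guessing takes on the order of 260,000 years, while 120 stray reads an hour leave the door locked out for a quarter of the time.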
#7
> There's another reason that thieves don't go
> around toting key blanks. They don't open
> anything.

Not the blanks, duh, that cutting a significantly large enough quantity of them to be useful would be impractical. As opposed to the negligible difference between one RFID cloned key and a billion of them.

> It's not that easy. Any decent system
> will initiate a lockout timer after three or
> four consecutive bad RFID codes.

> Perhaps in cheap systems there's no
> method but in many access control systems
> there is.

In a residential setting it's considerably less likely. Thus the uptake of RFID for residential settings presents an interesting target for greater abuse.

I'm not arguing one against the other; mechanical keys vs RFID. More that implementing things like RFID into a residential setting has considerably more possible problems than existing solutions effectively handle; in a *residential* setting.

Thus the silencing of potential risks because of the defects in the technology IS a troubling problem. Security through obscurity is worthless.

#8
"Bill Kearney" <wkearney-99@hot-mail-com> wrote in message news:N4KdnbbuWflJC2fYnZ2dnUVZ_q6vnZ2d@speakeasy.ne t...

>> There's another reason that thieves don't go
>> around toting key blanks. They don't open
>> anything.
>
> Not the blanks, duh, that cutting a significantly
> large enough quantity of them to be useful would
> be impractical. As opposed to the negligible
> difference between one RFID cloned key and
> a billion of them.

Cloning RFID keys isn't as easy as you might believe. Besides needing the equipment and knowledge of its use, the thief would need to gain possession of the original or at least find a way to con its rightful user into bringing the key within a few inches of the thief's scanner.

> In a residential setting it's considerably
> less likely. Thus the uptake of RFID for
> residential settings presents an interesting
> target for greater abuse.

I seriously doubt it. The would-be cloner would need to get his device close enough to scan the RFID key. If I were the intended victim, I should think I'd notice him standing next to my door.

> I'm not arguing one against the other;
> mechanical keys vs RFID. More that
> implementing things like RFID into a
> residential setting has considerably
> more possible problems than existing
> solutions effectively handle; in a
> *residential* setting...

I understand your point. I disagree with you though.

> Thus the silencing of potential risks
> because of the defects in the technology
> IS a troubling problem. Security through
> obscurity is worthless.

On that point I agree wholeheartedly. I've tried to make that point among "security" people in the past but with limited success.

--
Regards,
Robert L Bass
=============================>
Bass Home Electronics
941-925-8650
4883 Fallcrest Circle
Sarasota · Florida · 34233
http://www.bassburglaralarms.com
=============================>

#9
On Fri, 16 Mar 2007 10:39:01 -0400, "Robert L Bass" <no-sales-spam@bassburglaralarms> wrote in message <Lbqdnbo2xZKUMWfYnZ2dnUVZ_g-dnZ2d@comcast.com>:

>
>"Bill Kearney" <wkearney-99@hot-mail-com> wrote in message news:N4KdnbbuWflJC2fYnZ2dnUVZ_q6vnZ2d@speakeasy.ne t...
>>> There's another reason that thieves don't go
>>> around toting key blanks. They don't open
>>> anything.

>> I'm not arguing one against the other;
>> mechanical keys vs RFID. More that
>> implementing things like RFID into a
>> residential setting has considerably
>> more possible problems than existing
>> solutions effectively handle; in a
>> *residential* setting...

Google "lock bumping" to find sites with Presidents' Day Specials on lock bumping sets and training videos :-(

Seems that most anyone can make most residential locks useless in seconds. Breaking RFID is much more difficult and complicated (for now, for most crooks).

>> Thus the silencing of potential risks
>> because of the defects in the technology
>> IS a troubling problem. Security through
>> obscurity is worthless.
>
>On that point I agree wholeheartedly. I've
>tried to make that point among "security"
>people in the past but with limited success.

Obscurity is but a tool. It is not a complete solution, but it can be part of an approach.

An example: I post frequently in this newsgroup and have several web sites also at the IP address that is in every header of each of my usenet posts. Do you think that IP address is also the portal to my HA and security system? If not, does not that additional obscurity provide me with an additional level of protection compared to if my IP address were public?

Another example: Internet portal devices (routers, firewalls, etc) have vulnerabilities that depend on the specifics of the device. Does not the fact that I have never revealed specifics of my portal hardware provide me with more security than if I did?

'Course no security is perfect. If someone really wants to get to my security panel or HA system, they could 'easily' do so by ringing the doorbell and shooting me and the dogs ...

... Marc
Marc_F_Hult
www.NeuralHome.net

#10
"Robert Green" <ROBERT_GREEN1963@YAH00.COM> wrote:

>http://blog.washingtonpost.com/securityfix/
>
>RFID Flap Silences Security Researchers
>
>"New research into security vulnerabilities in radio frequency
>identification cards made by technology giant HID Global has been pulled
>from the lineup at an East Coast security conference this week.
>
>Researchers from Seattle-based security provider IOActive were planning to
>detail a technique they developed to clone the credentials stored on certain
>RFID cards made by HID. The company was expected to present the findings
>Wednesday at the Black Hat Federal security conference in Crystal City, Va.
>However, IOActive last Thursday was contacted by HID attorneys, who claimed
>the researchers were infringing on HID's intellectual property.
>
>. . .
>
>Paget said he built the cloning device mostly using information from HID's
>publicly filed patents and materials that anyone could purchase off of eBay
>for about $20."
>
>(article continues at the WaPo site, registration required )-:

I should have said "old hat" rather than "old news" as this was documented at an earlier Black Hat conference in August 2006 and I recall even earlier reports.

Here are a few URLs that may surprise you. The first one is the best.

http://www.youtube.com/watch?v=4jpRFgDPWVA
http://www.wired.com/wired/archive/14.05/rfid_pr.html
http://www.schneier.com/blog/archive...s_clone_r.html
http://www.rfidbuzz.com/news/2005/jo..._hardware.html
http://cq.cx/verichip.pl
http://blogs.reuters.com/2006/07/22/high-tech-cloning/

http://davehouston.net
http://tech.groups.yahoo.com/group/roZetta/
roZetta-subscribe@yahoogroups.com