Attending RFID World?

Contributed by Joanne C. Kelleher

Are you going to the RFID World conference in Las Vegas in September?  I am.

Please join me at the session titled “RFID Security Should Not Be an Afterthought.” I will be part of the panel discussion, along with other members of the RFID Security Alliance (look for the official announcement of this organization coming out soon).
The talk will be presented on Tuesday, September 9, 2008 from 1:00 pm — 1:50 pm in room 113 of the MGM Grand Hotel. This session is in the Transportation track, but really applies to all industries.

I will also be walking the exhibit floor. I would love to meet the people who are reading this blog, so please introduce yourself. Based on the mostly male attendees at past RFID shows, I shouldn’t be that hard to spot. I may be the only 5’6” female with short brown hair and glasses in attendance.

For more information about the RFID World conference, visit http://www.cmpegevents.com/web/rfid/home.

A Quiz on Hacking Transportation Cards

Contributed by Joanne C. Kelleher

My household is starting to think about back to school, so here is a quiz for you:

Students/researchers at ______(a)_______ hacked the ______(b)____ transportation card. These researchers planned to share results at _______(c)_________. The _____(d)______ Transportation Authority filed an injunction to prevent presentation, claiming that disclosing the details would inflict damage.

Depending on when you take this quiz the answers may vary.

The latest answers are:
(a) Massachusetts Institute of Technology (MIT)
(b) Boston’s CharlieCard
(c) DEFCON 16, an annual hackers conference in Las Vegas
(d) Massachusetts Bay Transportation Authority (MBTA)

This past weekend, the MBTA was successful in obtaining a temporary 10-day injunction against three MIT students, preventing them from giving the planned presentation at DEFCON about how they hacked the CharlieCard, which is based on the Mifare Classic card from NXP.

A copy of the presentation, which was distributed to all DEF CON attendees prior to the lawsuit, has these sections:

  • Attack physical security - with photos of unlocked doors and open turnstiles
  • Attack the Magcard – about reverse engineering the card
  • Attack the RFID – Using the reverse-engineering work done by Karsten Nohl against the Crypto-1 algorithm used on the Mifare Classic card.
  • Attack the Network

A similar injunction requested by NXP against publication of the Mifare hacking report by researchers at Radboud University in Nijmegen was denied. See www.securerf.com/RFID-Security-blog/?p=67.

The Electronic Frontier Foundation, which is representing the three MIT students, is appealing the ruling and, in the process, obtaining more press for the MIT students. If the MBTA hadn’t filed the injunction, this would have been just another hacker presentation instead of news covered by the Boston Globe, CNET, Wall Street Journal Blogs, Computerworld and the AP.

We will see what happens with the appeal and when the 10 day injunction period is over.

For an article in the MIT paper which includes links to court documents and a copy of the presentation, see http://www-tech.mit.edu/V128/N30/subway.html.

Olympic Security – Using RFID to Go For the Gold

Contributed by Joanne C. Kelleher

Back in May I wrote a post titled Olympic Tickets: RFID Security in Sports Illustrated http://www.securerf.com/RFID-Security-blog/?p=61. Now that we are getting closer to the opening ceremonies, there is more press about the security surrounding the Olympics and how RFID is being used.

Laurie Sullivan at EE Times wrote a good article titled RFID’s the ticket for secure Games.
http://www.eetimes.com/news/latest/showArticle.jhtml?articleID=209101142

ZDNet Asia covers the behind the scenes IT planning in Unfolding the Olympic IT roadmap.
http://www.zdnetasia.com/news/business/0,39044229,62044563,00.htm

United Press International Asia covers additional security issues in Securing China for the Olympics and beyond.
http://upiasiaonline.com/Security/2008/08/04/securing_china_for_the_olympics_and_beyond/9149/

The combination of these three articles provides a good insight into the massive amount of planning that went into this event. I’m looking forward to watching the Summer Games and hearing about how well these plans are executed.

Briefing on Federal RFID-Enabled Documents

Contributed by Joanne C. Kelleher

I found a briefing from The Center for Democracy and Technology (CDT) called Security and Privacy Issues Associated With Federal RFID-Enabled Documents.

The CDT is a “non-profit public policy organization dedicated to promoting the democratic potential of today’s open, decentralized global Internet. Our mission is to conceptualize, develop, and implement public policies to preserve and enhance free expression, privacy, open access, and other democratic values in the new and increasingly integrated communications medium.”

Policy Post 14.11, July 25, 2008
A Briefing On Public Policy Issues Affecting Civil Liberties Online from The Center For Democracy and Technology
Security and Privacy Issues Associated With Federal RFID-Enabled Documents
(1) U.S. Government Should Abandon RFID-Enabled Border Crossing Documents
(2) Government Moves Ahead Despite Privacy Warnings
(3) Alleged Benefits Do Not Outweigh the Privacy Risks
(4) Still Time to Change Policy and Adopt Privacy Protecting Technology
Read the full briefing at http://cdt.org/publications/policyposts/2008/11

I had never heard of The CDT before but based on the News section of their web site, they are very active in testifying before Congressional committees and developing reports, press releases and briefings.

This briefing provides some interesting insights into the history of the decision to select RFID for passport cards. Their conclusion is to “force the State Department and DHS to reconsider the choice of ‘vicinity’ RFID.”

Another option would be to encourage the State Department and DHS, along with their contractors, to incorporate recent technological developments in the RFID industry that will provide encryption and data security on the tag and protect the public’s privacy. Unfortunately for the public (as well as my company, which has such a solution), this is easier said than done.

Why Gamble with RFID?

Contributed by Joanne C. Kelleher

RFID Revolution, an RFID education and market strategy consulting firm, has introduced RFID Roulette, an Internet-based game designed to help people learn about the diverse uses of RFID technology.  http://www.rfidrevolution.com/rfid-roulette.html

On the positive side, I am glad to see that RFID Revolution is trying to educate consumers about the benefits of RFID. When you ‘spin’ their RFID Roulette wheel you are given a scenario about an RFID installation and then asked if it is real or fake. An answer is provided that gives more details. The wheel is really just a way to randomly generate your quiz questions; you don’t win or lose if the wheel stops at a certain place.

“RFID Essentials [their Internet based training tool] and RFID Roulette demonstrate that learning can be lively and even fun,” says Dr. Dan Dobkin, primary contributor to and narrator of both resources. “In fact, people learn the most when they’re so engrossed they don’t even know they’re learning! That’s why we’ve made RFID Essentials and RFID Roulette simultaneously educational and entertaining.”

But, with all of the public relations issues that the RFID industry has faced, I question why they selected that name and format. To me, roulette implies gambling, risk, chance, betting, possible loss… not terms that a firm would want to associate with a system that is part of their company infrastructure or supply chain. Using a name like “RFID Roundup,” even if they still use the spinning wheel, would have reduced those negative connotations.

OK, I freely admit that I’m not a gambler and see little entertainment value in games of chance. Maybe it comes from spending over a decade in insurance Risk Management where we analyzed statistics and tried to minimize accidents and loss. With all of the security issues that the RFID industry faces, I just don’t like the idea of promoting a product that associates RFID with risky behavior and chance.

RFID Revolution’s press release:
http://www.rfidrevolution.com/documents/RFID-Revolution_PRESSRELEASE_RFID-Roulette_7-16-2008.pdf

Missed opportunity to call for more secure Wi-Fi, Bluetooth and RFID

Contributed by Joanne C. Kelleher

CNET’s article Protecting against Wi-Fi, Bluetooth, RFID data attacks covers a July 18th session at the Last HOPE hacker conference, entitled “How do I Pwn Thee? Let me Count the Ways” (pwn is hacker speak for “own” or control), where a security expert discussed how most people are at risk and don’t even know it. The speaker, a hacker who goes by the alias “RenderMan”, explained that using a laptop, cell phone headset, building access badge, credit cards, or even a passport can make you a walking target for data thieves and other criminals.

I didn’t think that what RenderMan warned about covered anything new, so I was surprised to see that this article has been picked up by several blogs. (Or, maybe I am now too involved in this field.)

RenderMan suggests that people disable Wi-Fi when it is not in use, change default passwords, disable the Bluetooth on the phones, turn off the headsets when not in use, limit access to the data and features when communicating with other Bluetooth devices and use VPNs and firewall software. He also joked about falling really hard, with a hammer, on the RFID enabled passport to disable the chip. All of these suggestions were aimed at the end user of the technology.

Neither CNET nor RenderMan questioned why these now ubiquitous technologies were designed, released and implemented without better security features. And both missed the opportunity to call for stronger security in future products so that end users won’t have to resort to turning off their devices or using a hammer.

http://news.cnet.com/8301-1009_3-9995022-83.html

NXP Injunction Against Mifare Hacking Report is Denied

Contributed by Joanne C. Kelleher

NXP Semiconductors took researchers at Radboud University in Nijmegen to court in an attempt to stop them from publishing their controversial report on the security aspects of the Mifare Classic chip. Over one billion Mifare Classic chips are used worldwide, including in many access control keys, governmental security systems and transportation or subway pass cards such as London’s Oyster card, Boston’s CharlieCard, and the planned OV-Chipkaart in the Netherlands. NXP spokesperson Martijn van der Linden told Dutch news site Webwereld that publishing the report is ‘irresponsible’.
Details about the Mifare hack are at http://www.securerf.com/RFID-Security-blog/?p=53 and http://www.securerf.com/RFID-Security-blog/?p=46.

Last week, Karsten Nohl, a computer science graduate student who also reverse-engineered Mifare security, said, “My opinion, [on the lawsuit, is that] NXP probably made the worst possible decision by suing academic researchers. Not only do they have no legal case whatsoever, because all the results were legally obtained through reverse engineering with no help from NXP. They also take away any trust that has existed between researchers and NXP before.”

The Dutch court has just ruled against NXP’s injunction and has allowed the researchers to move forward with publishing their report.

“This requires a balancing of interests,” the court stated. “It should be considered that the publication of scientific studies carries a lot of weight in a democratic society, as does informing society about serious issues in the chip, because it allows for mitigating of the risks.”

“Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings,” the court said.

I’m glad to see that the ruling went this way. To stop researchers from publishing the results of their work that shines poorly on the decisions made by large corporations is a bad precedent.

NXP to sue researchers over Mifare chip ‘hack’
EE Times
http://eetimes.eu/germany/208803312;jsessionid=ALPCJ1REV2QVCQSNDLPCKH0CJUNN2JVN

Nohl: NXP making ‘terrible decision’
Contactless News
http://www.contactlessnews.com/news/2008/07/10/nohl-nxp-making-terrible-decision/

Dutch court OKs publishing how to hack NXP chip
Guardian
http://www.guardian.co.uk/business/feedarticle/7661637

NXP denied in court against Dutch security researchers
EE Times
http: showArticle.jhtml?articleID=”209101132