RFID Security

Contributed by Joanne C. Kelleher

CNET’s article Protecting against Wi-Fi, Bluetooth, RFID data attacks covers a July 18th session at the Last HOPE hacker conference, entitled “How do I Pwn Thee? Let me Count the Ways” (pwn is hacker speak for “own” or control), where a security expert discussed how most people are at risk and don’t even know it. The speaker, a hacker who goes by the alias “RenderMan”, explained that using a laptop, cell phone headset, building access badge, credit cards, or even a passport can make you a walking target for data thieves and other criminals.

I didn’t think that what RenderMan warned about covered anything new, so I was surprised to see that this article has been picked up by several blogs. (Or, maybe I am now too involved in this field.)

RenderMan suggests that people disable Wi-Fi when it is not in use, change default passwords, disable the Bluetooth on the phones, turn off the headsets when not in use, limit access to the data and features when communicating with other Bluetooth devices and use VPNs and firewall software. He also joked about falling really hard, with a hammer, on the RFID enabled passport to disable the chip. All of these suggestions were aimed at the end user of the technology.

Neither CNET nor RenderMan questioned why these now ubiquitous technologies were designed, released and implemented without better security features. And both missed the opportunity to call for stronger security in future products so that end users won’t have to resort to turning off their devices or using a hammer.

http://news.cnet.com/8301-1009_3-9995022-83.html

Contributed by Joanne C. Kelleher

NXP Semiconductors took researchers at Radboud University in Nijmegen to court in an attempt to stop them publishing their controversial report on the security aspects of the Mifare Classic chip. Over one billion of MiFare Classic chips are used worldwide, including in many access control keys, governmental security systems and transportation or subway passes cards such as London’s Oyster card, Boston’s CharlieCard, and the planned OV-Chipkaart in Netherlands. NXP spokesperson Martijn van der Linden told Dutch news site Webwereld that publishing the report is ‘irresponsible’.
Details about the Mifare hack are at http://www.securerf.com/RFID-Security-blog/?p=53 and http://www.securerf.com/RFID-Security-blog/?p=46.

Last week, Karston Nohl, a computer science graduate students who also reverse-engineering MiFare security said “My opinion, [on the lawsuit, is that] NXP probably made the worst possible decision by suing academic researchers. Not only do they have no legal case whatsoever, because all the results were legally obtained through reverse engineering with no help from NXP. They also take away any trust that has existed between researchers and NXP before.”

The Dutch court has just ruled against NXP’s injunction and has allowed the researchers to move forward with publishing their report.

“This requires a balancing of interests,” the court stated. “It should be considered that the publication of scientific studies carries a lot of weight in a democratic society, as does informing society about serious issues in the chip, because it allows for mitigating of the risks.”

“Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings,” the court said.

I’m glad to see that the ruling went this way. To stop researchers from publishing the results of their work that shines poorly on the decisions made by large corporations is a bad precedent.

NXP to sue researchers over Mifare chip ‘hack’
EE Times
http://eetimes.eu/germany/208803312;jsessionid=ALPCJ1REV2QVCQSNDLPCKH0CJUNN2JVN

Nohl: NXP making ‘terrible decision’
Contactless News
http://www.contactlessnews.com/news/2008/07/10/nohl-nxp-making-terrible-decision/

Dutch courts OKs publishing how to hack NXP chip
Guardian
http://www.guardian.co.uk/business/feedarticle/7661637

NXP denied in court against Dutch security researchers
EE Times
http: showArticle.jhtml?articleID=”209101132

Contributed by Joanne C. Kelleher

The July 10, 2008 issue of The New York Times had an article about the nation’s salmonella outbreak called “As Outbreak Affects 1,000, Experts See Flaws in Law.”

http://www.nytimes.com/2008/07/10/health/policy/10tomato.html?_r=1&th=&adxnnl=1&oref=slogin&emc=th&adxnnlx=1215698952-7EHBT2ulOF3rVfXSiXFHsA

The article says; Dr. David Acheson, the agency’s associate commissioner for foods, said in a telephone interview on Monday that the F.D.A. lacked authority to require full trace-back capability, adding, “It’s the industry’s responsibility to put that kind of system in place, not ours.”

This comment jumped out at me because the F.D.A. is involved with track and trace for prescription drugs and with medical devices. Why not food too?

Since 1993, the FDA has required that manufacturers of medical devices “must adopt a method of tracking devices whose failure would be reasonably likely to have serious, adverse health consequences; or which is intended to be implanted in the human body for more than one year; or are life-sustaining or life-supporting devices used outside of a device user facility.” http://www.fda.gov/cdrh/devadvice/353.html In 2006, the FDA began investigating how a unique device identification (UDI) system might help automate the collection of information about these devices in the supply chain.

The FDA Amendments Act of 2007 (FDAAA) covers standards that should be developed for “identification, validation, authentication, and tracking and tracing of prescription drugs” and the FDA recently collected comments about the technologies to be used, like RFID. See http://www.securerf.com/RFID-Security-blog/?p=30 and http://www.securerf.com/RFID-Security-blog/?p=60.

The New York Times article adds: But Dr. David A. Kessler, the F.D.A. commissioner in the Clinton and first Bush administrations, said the agency has the authority to require the industry to trace produce as it travels from “farm to table,” but has lacked “the impetus” to do so. “The technology exists to trace the entire chain of a food product,” Dr. Kessler said. “The agency needs to require the industry to put into effect mechanisms to do full trace-back. That regulation could be put in place in months, not years.”

Produce items have sickened over 1000 people in largest food-borne outbreak in the last decade and the FDA still can’t identify the cause (raw red tomatoes, jalapeño peppers or ???). How many more people need to get sick before there is enough of an impetus for the FDA to require the food industry to implement track and trace?

Contributed by Joanne C. Kelleher

Remko van der Togt, from Vrije University, in Amsterdam, led a study whose objective was “to assess and classify incidents of electromagnetic interference (EMI) by RFID on critical care equipment.” The results, which were published in the Journal of American Medical Association on June 25th, concluded that “in a controlled nonclinical setting, RFID induced potentially hazardous incidents in medical devices. Implementation of RFID in the critical care environment should require on-site EMI tests and updates of international standards.”

Remko van der Togt; Erik Jan van Lieshout; Reinout Hensbroek; E. Beinat; J. M. Binnekade; P. J. M. Bakker. Electromagnetic Interference From Radio Frequency Identification Inducing Potentially Hazardous Incidents in Critical Care Medical Equipment. JAMA, 2008;299(24):2884-2890 http://jama.ama-assn.org/cgi/content/short/299/24/2884

The media has responded to this study with headlines like:
  ‘Smart’ cards can interfere with medical equipment, study shows
  RFID may cause interference with medical equipment 
  Radio-Wave Devices May Play Havoc With Medical Equipment
  Wireless Chips: a Threat to Hospital Patients?
  Wireless chips may endanger patients in hospital
  How RFID Can Kill You
  RFID could kill you
Wow, what a change from standards should be updated and tests of EMI should be performed to you will die from RFID. And these are mainstream publications or journalists, not blogs by conspiracy theorists or RFID haters.

When researchers at the Mayo Clinic, University of Amsterdam, Britain’s Medicines and Healthcare Products Regulatory Agency and other organizations identified problems of electromagnetic interference by cell phones on hospital equipment, the headlines weren’t nearly as dire. The focus of many of the headlines was about the need to turn the phones off when in hospitals, not that the cell phones could kill you.

Cell phones can also be used to track your location, but RFID gets all of the bad press about that topic too. Is this because cell phones have become ubiquitous but the public and the media don’t understand the technology behind RFID? Headlines like this do not help.

I see the requirement to do on-site EMI tests as another RFID security issue that needs to be addressed during the RFID implementation process.

Contributed by Joanne C. Kelleher

After various efforts to crack the Mifare Classic card from NXP (see http://www.securerf.com/RFID-Security-blog/?p=46 and http://www.securerf.com/RFID-Security-blog/?p=53 ), Dutch security researchers were able to hack and clone London’s Oyster card and ride the system for free. The Oyster card is also based on the Mifare platform.

The Transport for London (TfL) has responded to claims. “We run daily tests for cloned or fraudulent cards and any found would be stopped within 24 hours of being discovered,” wrote a TfL spokesperson in an email to ZDNet.co.uk. “Therefore, the most anyone could gain from a rogue card is one day’s travel.”

The TfL response is based around the fact that they will catch anyone riding for free and that personal information is stored on a central database and thus secure. But they don’t address the Denial of Service attacks, which could have a much more disruptive effect. The DoS effectively jams up the entry gate preventing anyone else from entering the system. I suspect that riders will be much more tolerant of the possibility that a hacker may be riding for free than the realization that they can’t enter the Tube to travel to their destination.

Oyster card cloned: London’s travel card hacked by university researchers in the Netherlands
http://www.techradar.com/news/world-of-tech/oyster-card-cloned-398826

Fears for Oyster security as researchers claim crack
http://news.zdnet.co.uk/security/0,1000000189,39437719,00.htm

Contributed by Joanne C. Kelleher

Back in February I wrote about how the California Senate approved a bill to outlaw skimming of RFID tags.  See http://www.securerf.com/RFID-Security-blog/?p=42.  The bill was sent to the California State Assembly.

This update is from RFID Journal:

California RFID Bill Takes Another Legislative Step
The California’s SB 31 RFID Bill has unanimously passed the Assembly Judiciary Committee by a vote of 10-0, and re-referred it to the Assembly’s Committee on Appropriations. The bill, introduced by California State Senator Joe Simitian, makes it illegal for a person to intentionally read or attempt to read an RFID tag in another individual’s identification document without their knowledge and prior consent. The bill is particularly aimed at protecting private information that may be stored on drivers’ licenses and other forms of identification. SB 31 is one of several RFID laws the senator has introduced, which were derived from a larger bill he introduced in 2006. That bill, SB 768, passed both state legislative houses before being vetoed by California Governor Arnold Schwarzenegger (see Calif. Gov Terminates RFID ID Bill). The revamped bills include SB 31; SB 30, which calls for privacy and security safeguards on RFID-enabled, government-issued identification documents; and SB 29, which places a three-year moratorium on the use of government-issued RFID devices for the purpose of tracking, monitoring or recording the presence of students in public schools.

Original article:  http://www.rfidjournal.com/article/articleview/4157/1/1/

Contributed by Joanne C. Kelleher

I recently highlighted RFID privacy and security comments from two analysts, ABI researcher Michael Liard and Robert W. Baird & Co., and discussed how security functions can help provide privacy protection but security and privacy differ.

Key RFID Industry Concerns – Privacy Vs. Security
May 23, 2008
http://www.securerf.com/RFID-Security-blog/?p=59

RFID News, a publication of AVISIAN’s ID Technology, published an article on Friday, May 30 2008 called RFID Privacy and Security and I was glad to see this topic get more coverage. Overall, I thought it was a good article, but felt it was incomplete. For example, on the topic of RFID security threats, they said “High security RFID systems should have the ability to guard against the following categorized security and privacy threats:

• Eavesdropping
• Spoofing
• Relay Attack (also known as Cloning)”

These three types of threats, along with malicious code fall into the mimic category of threats, where readers will incorrectly accept compromised tag data as legitimate. To protect against the unauthorized gathering of data, systems should also guard against skimming and data tampering. There is also a denial of service category, which includes unauthorized killing of the tag and jamming or shielding, which makes the tag not detectable by reader systems. When implementing RFID systems, a risk assessment should be performed to identify threats from all three types of categories and determine which should be guarded against for a particular application.

RFID News also discussed RFID security methods. Most of the options they discussed would be appropriate for consumers (i.e. Faraday cages, antennas that clip off or sleep/kill commands implemented at the time of purchase) but not appropriate to protect the tags as they travel through the supply chain. During shipments the tag needs to ensure that it is only responding to authorized readers and to protect any data it is storing. If the tag is physically prevented from communicating with authorized readers then it isn’t a security method, it is a barrier.

The article summary says “As you can see, there are many challenges to creating a secure and privacy-enabling RFID solution. There are, however, a variety of technologies and mechanisms in place to assist issuers and consumers. Certainly, we are only beginning to understand the challenges and the solutions to this complex technological and societal question.” 

Certainly, more education needs to be done.

RFID Privacy and Security article from RFID News
http://www.rfidnews.org/library/2008/05/30/rfid-privacy-and-security/