RFID tags

Prompted by: InfoWorld Video | InfoWorld | RSA IOActive

While I was aware of this issue before now, the video in the article prompted me to write something. As I’m also procrastinating, it seems like a good idea to me.

RFID tags are the bits inside those cool little cards or dongles that you can wave at a reader to let you into a building. They’re widely used on campus, and I’ve also seen them used in the more modern apartment buildings for the main door. Unfortunately, these aren’t quite as secure as everyone would like to think. The video shows a compact sniffer device that can be used to record the signal that an RFID tag sends out, then replicate it at a later point, allowing whoever holds the device to impersonate you.

Obviously, this situation could easily be resolved by having a challenge-response system: both the system and the card know the card’s “password” (the number that is hard-coded into it); the reader sends out a challenge string; the card encrypts the challenge with the password and transmits the result; the reader checks the result against the expected answer; and access is either granted or denied. Simple… unfortunately, not so.

In the majority of cases, the RFID tag is passive, meaning that it does not have its own power source; it gets its power from the signal it receives from the reader. Thus, it is difficult to integrate the encryption hardware without increasing power requirements. Other methods include a rolling response (the response changes with each access) and many others. Hopefully, though, we will see one coming into mainstream usage soon, as I don’t think it will be long until these devices become readily available.
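The challenge-response exchange described above, next to a tag that always sends the same number, as an added example that is not from the original post or the video. It assumes HMAC-SHA256 as the keyed function in place of "encrypting" the challenge; the tag ID, the secret and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (not from any real card).
STATIC_TAG_ID = b"\x04\xa2\x19\x7f"
CARD_SECRET = secrets.token_bytes(16)  # the card's hard-coded "password"


def static_reader_accepts(enrolled_id, transmitted):
    """Static scheme: the reader only compares the ID the tag broadcasts."""
    return hmac.compare_digest(enrolled_id, transmitted)


def card_respond(secret, challenge):
    """Card side: keyed MAC over the reader's challenge (assumed HMAC-SHA256)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class ChallengeReader:
    """Reader side: a fresh random challenge for every access attempt."""

    def __init__(self, secret):
        self.secret = secret
        self.pending = None

    def challenge(self):
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, response):
        if self.pending is None:
            return False
        expected = card_respond(self.secret, self.pending)
        self.pending = None  # a challenge is good for one attempt only
        return hmac.compare_digest(expected, response)


def demo():
    # Static tag: the bytes recorded during one access are valid forever.
    static_replay = static_reader_accepts(STATIC_TAG_ID, STATIC_TAG_ID)
    # Challenge-response: record one legitimate exchange...
    reader = ChallengeReader(CARD_SECRET)
    recorded = card_respond(CARD_SECRET, reader.challenge())
    legit = reader.verify(recorded)
    # ...then present the recording against the next, different challenge.
    reader.challenge()
    cr_replay = reader.verify(recorded)
    return static_replay, legit, cr_replay
```

`demo()` returns whether the replayed static ID, the legitimate response and the replayed response were accepted, in that order.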