Wednesday, April 16, 2008

widespread RFID hacking a real concern

In mid-March news broke about a pair of researchers who had cracked the 48-bit encryption in one of the most widely used RFID chips in the world. These chips are used in more than 2 billion bank cards, door access cards, and transportation passes worldwide. Initially it was thought they would be secure for at least two years due to the complex nature of the hack (the researchers separated the chip into over 10,000 layers). Then new cryptographic techniques were applied and that estimate quickly dropped to minutes, and now it's a matter of seconds. With no physical access to the card. From up to 10 meters away.

So why should you care? Well, you don't know if your bank card, door access card, passport or transportation pass has one of these. One European government has deployed soldiers at certain sites that use RFID badges. That oughta tell you something. If that doesn't concern you, how does it feel knowing that someone with a laptop could be sitting in an airport, a hotel lobby, or even a coffee shop you pass by and grab all your information? Within minutes your credit and bank accounts get wiped out, or your building security card could be duplicated so it looks like you're the one who accessed the computer room, stole the backup tapes, and sold them to a competitor.

In case you're wondering why such low-level encryption was released for such high-value purposes, the chipset involved was introduced in 1994, when cracking 48-bit encryption took months. It has been superseded by chips with stronger security, but moving to them requires both the cards and the readers to be upgraded. That's an expensive proposition. The lower-security chip is an entry-level one, so it's popular from a cost perspective. I can't blame the manufacturer for offering it; I just wish it hadn't been adopted for such sensitive purposes. Library cards, sure. Shipment or inventory tracking, not a problem. Banking, building security, or personally identifiable information? What the hell are those people thinking?!

RFID is being deployed as a convenience with little thought to the security behind it. Until now it was assumed the need for special equipment was enough of an impediment. That has proven false, and I have no clue how you stop someone from stealing your identity from 30 feet away.


  1. Suddenly metal keys for door access and paper checks for accessing your bank account start to look like good ideas.

  2. I haven't gone that far yet, but I have been resistant to fully embracing RFID that might contain personally identifiable information. My bank offered me a new tap-and-go debit card and the teller seemed surprised when I said no thanks. It's a little disconcerting how willing people are to adopt technologies they know absolutely nothing about.

  3. Now you know how vulnerable your RF-Enabled cards truly are.
    Guys, we built something that is truly amazing to help protect yourself from "Wireless IDentity Theft", and it is "The Armadillo Dollar".
    I have never seen anything work like this does. We'll be filming a new discovery on how well our product works and should have it up on the web today at
    Our product works so well you can have it BEHIND your cards and the comm cycle is STILL defeated!
    Check it out. If you want one, use the code TopDog and take 20% off as an introduction.
    Thanks for spreading the word, "Code Poet"!