Last week me and my good friend Manuel Fonseca presented a session on Instituto Superior Técnico’s XVI Semana Informática. The title of the presentation was “Hacking and Securing RFID”, but it ended up being a little frustrating for us and for the audience as we stripped most of the more sensitive stuff that we originally intended to expose.
We started with a disclaimer where we explained our interest: our company has over 10 years of experience on the radio frequency space, a lot of projects out there, most of them exposed on open loop, so we have to assess the security of these projects.
Then we listed a series of RFID scenarios we use daily and corresponding threats, identified as advantages the remote identification and process automation, and concluded that these are also the same disadvantages.
We presented the threats on the personal and system level, putting them into perspective compared to low tech security, like the one used on classic door keys and document since man can write. We concluded that RFID is different because:
- reading / writing doesn’t need physical access to the resource – on a classic door key we have to access it in order to clone it; this broadens the exposed security surface
- collection and consolidation automation capability
Then we listed some typical class of attacks:
- Man in the Middle
Basically nothing new here, just a sub-set of the standard security attacks.
We finally entered the “touchy” zone, describing some tooling and hacking case-studies. Not too deep, I’m afraid…
On to the approaches: from paranoiac to relaxed, we ended up concluding that we have to quantify the security risk, the business value and the impact upon security breach, and architect security accordingly, always keeping in mind how often we have to choose from commodity or security.
Then we set for more social waters, stating that:
lower security => lower privacy => lower liberty
On to how to secure, where we’ve covered:
- architecting security
- standard cryto
- key management, chip distribution
- keys and algorithms
- security live spawn
- hardware limitations
- processing limitations
- most tags can’t carry a clock, and little context
- secure tag are costly
- on passive RFID, higher processing => lower range
- blocking tags & DoS
From the user view, we’ve defended:
- users should prefer secure items & services
- if possible, users should kill the tags
- if not, users should be able to enable / disable tag reading / writing
And we ended up concluding that RFID technology is not always mature enough to assure the best security standards, and that is an issue we have to address. If not for other reasons, because the perception of insecure RFID poses a serious risk to the adoption of this technology.