Wednesday, August 27, 2008

RFID is Useful, But is It Safe?

Posted by Carl Weinschenk on August 21, 2008 at 10:08 am

It’s good to see that the government is taking the topic of Radio Frequency Identification (RFID) security seriously. This SC Magazine piece, which notes that RFIDs are getting more attention as their use increases, says that the Federal Trade Commission will host a free workshop on the topic next month.

One example cited in the story – a paper written by three MIT students detailing how to beat the Boston subway system’s RFID-based Charlie Card fare collection system — is detailed in this Tech Radar piece.

A judge ruled that the students couldn’t be forced to withhold the paper detailing their exploit until the Massachusetts Bay Transportation Authority studied the document. The students said that they planned to delete key details and safeguard the fare system. MBTA now will try to meet with the students.

The story says that a similar situation exists in London, where the Oyster Card system has been hacked by Dutch university students. That vulnerability is discussed in this Control Engineering item. The story says that the SANS Institute reports that the Mifare RFID chip, which is the same one used by the Charlie Card, has been broken. SANS says that Mifare is used to access UK government departments, hospitals and schools. This Heise Online story explains the threat to British ePassports. The Dutch, understandably, have put their use of Mifare on hold.

This well written E-Commerce Times feature details the shortcomings of RFID security. The bottom line is that the technology is evolving rapidly and that its uses are changing drastically.

For instance, RFIDs to this point essentially have been short-distance technologies. Ways are being found to combine RFIDs with Wi-Fi and other long-distance platforms to greatly increase the distance the signals are carried. In many cases, new systems are creative combinations of several technologies. For this reason, end-to-end security is lacking.

Where there are problems, there are vendors offering solutions. Earlier this month, for instance, a British company released a system that prevents “skimming,” or reading, of wireless payment access cards. The new technology has the impressive name Quantum Tunnelling