RFID Hacked (Again)

Why anyone thinks these things are a good idea is beyond me, since they’re pretty vulnerable, but now, perhaps people are really starting to wake up to that fact.

These “smart cards” are also used as part of locks of “secure” government facilities. According to the article, the news has so spooked an EU nation that they’re posting armed guards.

I have a friend who works for the state Department of Transportation. She was telling me the other day about some of the new requirements for state IDs and driver’s licenses that are going to be implemented under some federal mandate or other that grew out of the 9/11 Commission’s recommendations. One of them is that RFID chips will be embedded in every license and ID and the state won’t do anything to prevent anyone with a reader from scanning strangers’ cards. This is still several years in the future but I’m thinking when the day comes I’ll invest in a lead wallet.

It looks like the problem isn’t with the RFID chip, it’s with the programming.

From the cited article:

So the real question is why some high-security facilities are using a bus-fare card to protect themselves.

Yeah, but RFIDs are really easy to hack and/or clone. The subject of their insecurity has come up here a number of times. I wouldn’t trust those things to protect my pron collection, much less my personal info or secure a building with them.

Because the people in charge of making the purchases of such things don’t understand the technology involved and just believe the crap the salesborgs spew at them, that’s why.

I’m going to have to go with low bidders and ignorance.

Obviously no one involved with the process was a Doper.

It’s not RFID cards in and of themselves that have been hacked. The cards are no more or less secure than what they’ve been programmed with. In the case of the Mifare cards, they appear to have been programmed to use a double ROT-13 algorithm.

Once again, it’s people taking things into their own hands and trying to create their own cryptography process, rather than using something that’s been publicly scrutinized for years like RSA, 3DES or AES.

Good point. The US Military’s CAC (Common Access Card) is looking to be a pretty well-designed smartcard with security better than what you’d need to ride a bus.