[Clips] The RFID Hacking Underground

R.A. Hettinga rah at shipwright.com
Fri May 5 11:18:02 PDT 2006


--- begin forwarded text


  Delivered-To: rah at shipwright.com
  Delivered-To: clips at philodox.com
  Date: Fri, 5 May 2006 13:49:14 -0400
  To: Philodox Clips List <clips at philodox.com>
  From: "R.A. Hettinga" <rah at shipwright.com>
  Subject: [Clips] The RFID Hacking Underground
  Reply-To: rah at philodox.com
  Sender: clips-bounces at philodox.com

  <http://www.wired.com/wired/archive/14.05/rfid_pr.html>



  Wired 14.05:


  The RFID Hacking Underground

  They can steal your smartcard, lift your passport, jack your car, even
  clone the chip in your arm. And you won't feel a thing. 5 tales from the
  RFID-hacking underground.

  By Annalee Newitz


  James Van Bokkelen is about to be robbed. A wealthy software entrepreneur,
  Van Bokkelen will be the latest victim of some punk with a laptop. But this
  won't be an email scam or bank account hack. A skinny 23-year-old named
  Jonathan Westhues plans to use a cheap, homemade USB device to swipe the
  office key out of Van Bokkelen's back pocket.

  "I just need to bump into James and get my hand within a few inches of
  him," Westhues says. We're shivering in the early spring air outside the
  offices of Sandstorm, the Internet security company Van Bokkelen runs north
  of Boston. As Van Bokkelen approaches from the parking lot, Westhues
  brushes past him. A coil of copper wire flashes briefly in Westhues' palm,
  then disappears.

  Van Bokkelen enters the building, and Westhues returns to me. "Let's see if
  I've got his keys," he says, meaning the signal from Van Bokkelen's
  smartcard badge. The card contains an RFID sensor chip, which emits a short
  burst of radio waves when activated by the reader next to Sandstorm's door.
  If the signal translates into an authorized ID number, the door unlocks.

  The coil in Westhues' hand is the antenna for the wallet-sized device he
  calls a cloner, which is currently shoved up his sleeve. The cloner can
  elicit, record, and mimic signals from smartcard RFID chips. Westhues takes
  out the device and, using a USB cable, connects it to his laptop and
  downloads the data from Van Bokkelen's card for processing. Then, satisfied
  that he has retrieved the code, Westhues switches the cloner from Record
  mode to Emit. We head to the locked door.

  "Want me to let you in?" Westhues asks. I nod.

  He waves the cloner's antenna in front of a black box attached to the wall.
  The single red LED blinks green. The lock clicks. We walk in and find Van
  Bokkelen waiting.

  "See? I just broke into your office!" Westhues says gleefully. "It's so
  simple." Van Bokkelen, who arranged the robbery "just to see how it works,"
  stares at the antenna in Westhues' hand. He knows that Westhues could have
  performed his wireless pickpocket maneuver and then returned with the
  cloner after hours. Westhues could have walked off with tens of thousands
  of dollars' worth of computer equipment - and possibly source code worth
  even more. Van Bokkelen mutters, "I always thought this might be a lousy
  security system."

  RFID chips are everywhere - companies and labs use them as access keys,
  Prius owners use them to start their cars, and retail giants like Wal-Mart
  have deployed them as inventory tracking devices. Drug manufacturers like
  Pfizer rely on chips to track pharmaceuticals. The tags are also about to
  get a lot more personal: Next-gen US passports and credit cards will
  contain RFIDs, and the medical industry is exploring the use of implantable
  chips to manage patients. According to the RFID market analysis firm
  IDTechEx, the push for digital inventory tracking and personal ID systems
  will expand the current annual market for RFIDs from $2.7 billion to as
  much as $26 billion by 2016.

  RFID technology dates back to World War II, when the British put radio
  transponders in Allied aircraft to help early radar system crews detect
  good guys from bad guys. The first chips were developed in research labs in
  the 1960s, and by the next decade the US government was using tags to
  electronically authorize trucks coming into Los Alamos National Laboratory
  and other secure facilities. Commercialized chips became widely available
  in the '80s, and RFID tags were being used to track difficult-to-manage
  property like farm animals and railroad cars. But over the last few years,
  the market for RFIDs has exploded, driven by advances in computer databases
  and declining chip prices. Now dozens of companies, from Motorola to
  Philips to Texas Instruments, manufacture the chips.

  The tags work by broadcasting a few bits of information to specialized
  electronic readers. Most commercial RFID chips are passive emitters, which
  means they have no onboard battery: They send a signal only when a reader
  powers them with a squirt of electrons. Once juiced, these chips broadcast
  their signal indiscriminately within a certain range, usually a few inches
  to a few feet. Active emitter chips with internal power can send signals
  hundreds of feet; these are used in the automatic toll-paying devices (with
  names like FasTrak and E-ZPass) that sit on car dashboards, pinging tollgates
  as autos whiz through.

  For protection, RFID signals can be encrypted. The chips that will go into
  US passports, for example, will likely be coded to make it difficult for
  unauthorized readers to retrieve their onboard information (which will
  include a person's name, age, nationality, and photo). But most commercial
  RFID tags don't include security, which is expensive: A typical passive
  RFID chip costs about a quarter, whereas one with encryption capabilities
  runs about $5. It's just not cost-effective for your average office
  building to invest in secure chips.

  This leaves most RFIDs vulnerable to cloning or - if the chip has a
  writable memory area, as many do - data tampering. Chips that track product
  shipments or expensive equipment, for example, often contain pricing and
  item information. These writable areas can be locked, but often they
  aren't, because the companies using RFIDs don't know how the chips work or
  because the data fields need to be updated frequently. Either way, these
  chips are open to hacking.

  "The world of RFID is like the Internet in its early stages," says Ari
  Juels, research manager at the high tech security firm RSA Labs. "Nobody
  thought about building security features into the Internet in advance, and
  now we're paying for it in viruses and other attacks. We're likely to see
  the same thing with RFIDs."

  David Molnar is a soft-spoken computer science graduate student who studies
  commercial uses for RFIDs at UC Berkeley. I meet him in a quiet branch of
  the Oakland Public Library, which, like many modern libraries, tracks most
  of its inventory with RFID tags glued inside the covers of its books. These
  tags, made by Libramation, contain several writable memory "pages" that
  store the books' barcodes and loan status.


  Brushing a thatch of dark hair out of his eyes, Molnar explains that about
  a year ago he discovered he could destroy the data on the books'
  passive-emitting RFID tags by wandering the aisles with an off-the-shelf
  RFID reader-writer and his laptop. "I would never actually do something
  like that, of course," Molnar reassures me in a furtive whisper, as a
  nonbookish security guard watches us.

  Our RFID-enabled checkout is indeed quite convenient. As we leave the
  library, we stop at a desk equipped with a monitor and arrange our
  selections, one at a time, face up on a metal plate. The titles instantly
  appear onscreen. We borrow four books in less than a minute without
  bothering the librarian, who is busy helping some kids with their homework.

  Molnar takes the books to his office, where he uses a commercially
  available reader about the size and heft of a box of Altoids to scan the
  data from their RFID tags. The reader feeds the data to his computer, which
  is running software that Molnar ordered from RFID-maker Tagsys. As he waves
  the reader over a book's spine, ID numbers pop up on his monitor.

  "I can definitely overwrite these tags," Molnar says. He finds an empty
  page in the RFID's memory and types "AB." When he scans the book again, we
  see the barcode with the letters "AB" next to it. (Molnar hastily erases
  the "AB," saying that he despises library vandalism.) He fumes at the
  Oakland library's failure to lock the writable area. "I could erase the
  barcodes and then lock the tags. The library would have to replace them
  all."

  Frank Mussche, Libramation's president, acknowledges that the library's
  tags were left unlocked. "That's the recommended implementation of our
  tags," he says. "It makes it easier for libraries to change the data."

  For the Oakland Public Library, vulnerability is just one more problem in a
  buggy system. "This was mostly a pilot program, and it was implemented
  poorly," says administrative librarian Jerry Garzon. "We've decided to move
  ahead without Libramation and RFIDs."

  But hundreds of libraries have deployed the tags. According to Mussche,
  Libramation has sold 5 million RFID tags in a "convenient" unlocked state.

  While it may be hard to imagine why someone other than a determined vandal
  would take the trouble to change library tags, there are other instances
  where the small hassle could be worth big bucks. Take the Future Store.
  Located in Rheinberg, Germany, the Future Store is the world's preeminent
  test bed of RFID-based retail shopping. All the items in this high tech
  supermarket have RFID price tags, which allow the store and individual
  product manufacturers - Gillette, Kraft, Procter & Gamble - to gather
  instant feedback on what's being bought. Meanwhile, shoppers can check out
  with a single flash of a reader. In July 2004, Wired hailed the store as
  the "supermarket of the future." A few months later, German security expert
  Lukas Grunwald hacked the chips.

  Grunwald cowrote a program called RFDump, which let him access and alter
  price chips using a PDA (with an RFID reader) and a PC card antenna. With
  the store's permission, he and his colleagues strolled the aisles,
  downloading information from hundreds of sensors. They then showed how
  easily they could upload one chip's data onto another. "I could download
  the price of a cheap wine into RFDump," Grunwald says, "then cut and paste
  it onto the tag of an expensive bottle." The price-switching stunt drew
  media attention, but the Future Store still didn't lock its price tags.
  "What we do in the Future Store is purely a test," says the Future Store
  spokesperson Albrecht von Truchsess. "We don't expect that retailers will
  use RFID like this at the product level for at least 10 or 15 years." By
  then, Truchsess thinks, security will be worked out.

  Today, Grunwald continues to pull even more-elaborate pranks with chips
  from the Future Store. "I was at a hotel that used smartcards, so I copied
  one and put the data into my computer," Grunwald says. "Then I used RFDump
  to upload the room key card data to the price chip on a box of cream cheese
  from the Future Store. And I opened my hotel room with the cream cheese!"

  Aside from pranks, vandalism, and thievery, Grunwald has recently
  discovered another use for RFID chips: espionage. He programmed RFDump with
  the ability to place cookies on RFID tags the same way Web sites put
  cookies on browsers to track returning customers. With this, a stalker
  could, say, place a cookie on his target's E-ZPass, then return to it a few
  days later to see which toll plazas the car had crossed (and when). Private
  citizens and the government could likewise place cookies on library books
  to monitor who's checking them out.

  In 1997, ExxonMobil equipped thousands of service stations with SpeedPass,
  which lets customers wave a small RFID device attached to a key chain in
  front of a pump to pay for gas. Seven years later, three graduate students
  - Steve Bono, Matthew Green, and Adam Stubblefield - ripped off a station
  in Baltimore. Using a laptop and a simple RFID broadcasting device, they
  tricked the system into letting them fill up for free.

  The theft was concocted by Avi Rubin's computer science lab at Johns
  Hopkins University. Rubin's lab is best known for having found massive,
  hackable flaws in the code running on Diebold's widely adopted electronic
  voting machines in 2004. Working with RSA Labs manager Juels, the group
  figured out how to crack the RFID chip in ExxonMobil's SpeedPass.

  Hacking the tag, which is made by Texas Instruments, is not as simple as
  breaking into Van Bokkelen's Sandstorm offices with a cloner. The radio
  signals in these chips, dubbed DST tags, are protected by an encryption
  cipher that only the chip and the reader can decode. Unfortunately, says
  Juels, "Texas Instruments used an untested cipher." The Johns Hopkins lab
  found that the code could be broken with what security geeks call a
  "brute-force attack," in which a special computer known as a cracker is
  used to try thousands of password combinations per second until it hits on
  the right one. Using a home-brewed cracker that cost a few hundred dollars,
  Juels and the Johns Hopkins team successfully performed a brute-force
  attack on TI's cipher in only 30 minutes. Compare that to the hundreds of
  years experts estimate it would take for today's computers to break the
  publicly available encryption tool SHA-1, which is used to secure credit
  card transactions on the Internet.


  ExxonMobil isn't the only company that uses the Texas Instruments tags. The
  chips are also commonly used in vehicle security systems. If the reader in
  the car doesn't detect the chip embedded in the rubbery end of the key
  handle, the engine won't turn over. But disable the chip and the car can be
  hot-wired like any other.

  Bill Allen, director of strategic alliances at Texas Instruments RFID
  Systems, says he met with the Johns Hopkins team and he isn't worried.
  "This research was purely academic," Allen says. Nevertheless, he adds, the
  chips the Johns Hopkins lab tested have already been phased out and
  replaced with ones that use 128-bit keys, along with stronger public
  encryption tools, such as SHA-1 and Triple DES.

  Juels is now looking into the security of the new US passports, the first
  of which were issued to diplomats this March. Frank Moss, deputy assistant
  secretary of state for passport services, claims they are virtually
  hack-proof. "We've added to the cover an anti-skimming device that prevents
  anyone from reading the chip unless the passport is open," he says. Data on
  the chip is encrypted and can't be unlocked without a key printed in
  machine-readable text on the passport itself.

  But Juels still sees problems. While he hasn't been able to work with an
  actual passport yet, he has studied the government's proposals carefully.
  "We believe the new US passport is probably vulnerable to a brute-force
  attack," he says. "The encryption keys in them will depend on passport
  numbers and birth dates. Because these have a certain degree of structure
  and guessability, we estimate that the effective key length is at most 52
  bits. A special key-cracking machine could probably break a passport key of
  this length in 10 minutes."

  I'm lying facedown on an examination table at UCLA Medical Center, my right
  arm extended at 90 degrees. Allan Pantuck, a young surgeon wearing running
  shoes with his lab coat, is inspecting an anesthetized area on the back of
  my upper arm. He holds up something that looks like a toy gun with a fat
  silver needle instead of a barrel.

  I've decided to personally test-drive what is undoubtedly the most
  controversial use of RFIDs today - an implantable tag. VeriChip, the only
  company making FDA-approved tags, boasts on its Web site that "this
  'always there' identification can't be lost, stolen, or duplicated." It
  sells the chips to hospitals as implantable medical ID tags and is starting
  to promote them as secure-access keys.

  Pantuck pierces my skin with the gun, delivering a microchip and antenna
  combo the size of a grain of long rice. For the rest of my life, a small
  region on my right arm will emit binary signals that can be converted into
  a 16-digit number. When Pantuck scans my arm with the VeriChip reader - it
  looks sort of like the wand clerks use to read barcodes in checkout lines -
  I hear a quiet beep, and its tiny red LED display shows my ID number.

  Three weeks later, I meet the smartcard-intercepting Westhues at a greasy
  spoon a few blocks from the MIT campus. He's sitting in the corner with a
  half-finished plate of onion rings, his long blond hair hanging in his face
  as he hunches over the cloner attached to his computer.

  Because the VeriChip uses a frequency close to that of many smartcards,
  Westhues is pretty sure the cloner will work on my tag. Westhues waves his
  antenna over my arm and gets some weird readings. Then he presses it
  lightly against my skin, the way a digital-age pickpocket could in an
  elevator full of people. He stares at the green waveforms that appear on
  his computer screen. "Yes, that looks like we got a good reading," he says.

  After a few seconds of fiddling, Westhues switches the cloner to Emit and
  aims its antenna at the reader. Beep! My ID number pops up on its screen.
  So much for implantable IDs being immune to theft. The whole process took
  10 minutes. "If you extended the range of this cloner by boosting its
  power, you could strap it to your leg, and somebody passing the VeriChip
  reader over your arm would pick up the ID," Westhues says. "They'd never
  know they hadn't read it from your arm." Using a clone of my tag, as it
  were, Westhues could access anything the chip was linked to, such as my
  office door or my medical records.

  John Proctor, VeriChip's director of communications, dismisses this
  problem. "VeriChip is an excellent security system, but it shouldn't be
  used as a stand-alone," he says. His recommendation: Have someone also
  check paper IDs.

  But isn't the point of an implantable chip that authentication is
  automatic? "People should know what level of security they're getting when
  they inject something into their arm," he says with a half smile.

  They should - but they don't. A few weeks after Westhues clones my chip,
  Cincinnati-based surveillance company CityWatcher announces a plan to
  implant employees with VeriChips. Sean Darks, the company's CEO, touts the
  chips as "just like a key card." Indeed.

  Contributing editor Annalee Newitz wrote about Spyware in issue 13.12.


  --
  -----------------
  R. A. Hettinga <mailto: rah at ibuc.com>
  The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
  44 Farquhar Street, Boston, MA 02131 USA
  "... however it may deserve respect for its usefulness and antiquity,
  [predicting the end of the world] has not been found agreeable to
  experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
  _______________________________________________
  Clips mailing list
  Clips at philodox.com
  http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
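The brush-past cloning of Van Bokkelen's badge and of the VeriChip, and the brute-force recovery of the SpeedPass DST key, in one added simulation. This is example code written for this page, not the article's, not Westhues' cloner and not the Johns Hopkins team's cracker; the tag classes, the reader, the HMAC-based response function, the 16-bit key size and the recorded transcript are all assumptions constructed so that it runs in well under a second.

```python
"""Static-ID replay vs. challenge-response, and a short-key brute force.
Added example: the tags, reader, HMAC-based prf and 16-bit key are model
assumptions, not the real badge, VeriChip or DST protocols."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


class StaticIdTag:
    """Answers every interrogation with the same ID: the office badge and
    the 16-digit VeriChip in the article behave this way."""

    def __init__(self, tag_id: str) -> None:
        self.tag_id = tag_id

    def respond(self, challenge: bytes) -> bytes:
        return self.tag_id.encode()          # the challenge is ignored


def prf(key: bytes, challenge: bytes) -> bytes:
    """Toy keyed response function: HMAC-SHA256 truncated to 4 bytes. It
    stands in for the tag's cipher; the key length is what matters below."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:4]


class ChallengeResponseTag:
    """Holds a secret key and answers prf(key, challenge)."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return prf(self.key, challenge)


class Reader:
    """Door reader: fresh random challenge per interrogation, answer
    compared against what the enrolled credential would say."""

    def __init__(self, enrolled) -> None:
        self.enrolled = enrolled

    def verify(self, tag) -> bool:
        challenge = secrets.token_bytes(4)
        expected = self.enrolled.respond(challenge)
        return hmac.compare_digest(tag.respond(challenge), expected)


class Cloner:
    """Record/emit device: plays reader once during the brush-past, keeps
    the transcript, then replays the stored answer at the real door."""

    def __init__(self) -> None:
        self.transcript: Optional[Tuple[bytes, bytes]] = None

    def record(self, tag) -> None:
        challenge = b"\x00\x00\x00\x00"      # a hostile reader picks any value
        self.transcript = (challenge, tag.respond(challenge))

    def respond(self, challenge: bytes) -> bytes:
        return self.transcript[1]            # same answer, whatever is asked


def brute_force_key(challenge: bytes, response: bytes, key_bits: int) -> Optional[bytes]:
    """Try every key_bits-bit key until prf(key, challenge) == response.
    Cost is 2**key_bits evaluations of prf; per the article, 30 minutes
    on a few hundred dollars of hardware for the real DST cipher."""
    nbytes = (key_bits + 7) // 8
    for candidate in range(1 << key_bits):
        key = candidate.to_bytes(nbytes, "big")
        if prf(key, challenge) == response:
            return key
    return None


def demo(key_bits: int = 16) -> dict:
    """Run the three scenarios; returns which ones opened the door."""
    results = {}
    # 1. Static-ID badge: one sniff and the clone is as good as the badge.
    badge = StaticIdTag("0123456789ABCDEF")  # constructed ID
    door = Reader(badge)
    cloner = Cloner()
    cloner.record(badge)
    results["static_clone_opens_door"] = door.verify(cloner)

    # 2. Challenge-response tag: the recorded answer is for a challenge the
    #    door will never repeat, so the replay fails.
    key = secrets.token_bytes(key_bits // 8)
    crtag = ChallengeResponseTag(key)
    crdoor = Reader(crtag)
    cloner.record(crtag)
    results["cr_replay_opens_door"] = crdoor.verify(cloner)

    # 3. ...but one transcript is enough to recover a short key offline, and
    #    a tag built from the recovered key answers any challenge.
    challenge, response = cloner.transcript
    found = brute_force_key(challenge, response, key_bits)
    results["key_recovered"] = found == key
    results["forged_tag_opens_door"] = found is not None and crdoor.verify(
        ChallengeResponseTag(found))
    return results


if __name__ == "__main__":
    print(demo())
```

demo() returns a dict so the outcomes can be checked rather than read off a print. Raising key_bits to 24 or 32 makes brute_force_key noticeably slow on one core, which is the point: the article's 30-minute crack of the DST cipher and Juels' 10-minute estimate for the passport key are both statements about how much key space an attacker has to enumerate. The article's comparison with SHA-1 is loose, since SHA-1 is a hash function rather than an encryption algorithm; what survives is that a keyed function behind a random challenge defeats Westhues' replay only while its key is too large to enumerate.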





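The writable-memory attacks described for the Oakland library tags, the Future Store price tags and Grunwald's RFID "cookies", modelled together, with the lock-bit check that would have stopped the first two. This is an added example for this page, not Libramation's, Tagsys's or RFDump's code; the memory layout (8 pages of 8 bytes, one one-way lock bit per page), the page assignments and every UID, barcode and price are assumptions constructed for the model, and real tags differ in size and in how their lock bits are laid out.

```python
"""Writable tag memory with per-page lock bits.
Added example: layout, page roles and all sample data are assumptions,
not the Libramation or Future Store tags' real memory maps."""
from dataclasses import dataclass, field
from typing import List


class TagLocked(Exception):
    """Write refused because the page's lock bit is set."""


@dataclass
class Tag:
    uid: str                                        # factory-set, read-only
    pages: List[bytes] = field(default_factory=lambda: [bytes(8)] * 8)
    locked: List[bool] = field(default_factory=lambda: [False] * 8)

    def read(self, page: int) -> bytes:
        return self.pages[page]

    def write(self, page: int, data: bytes) -> None:
        if self.locked[page]:
            raise TagLocked(f"{self.uid}: page {page} is locked")
        self.pages[page] = data.ljust(8, b"\x00")[:8]

    def lock(self, page: int) -> None:
        self.locked[page] = True                    # one-way, as on real tags


# Page roles in the model (assumptions).
PAGE_ITEM = 0      # library barcode, or the store's price field
PAGE_STATUS = 1    # loan status; must stay writable in normal operation
PAGE_SPARE = 7     # unused page where a tracking "cookie" can be parked


def provision_library_tag(uid: str, barcode: bytes, lock_item: bool) -> Tag:
    """Write barcode and loan status as vendor software would.
    lock_item=False is the 'convenient' state the article describes."""
    tag = Tag(uid)
    tag.write(PAGE_ITEM, barcode)
    tag.write(PAGE_STATUS, b"IN")
    if lock_item:
        tag.lock(PAGE_ITEM)
    return tag


def vandalize(tag: Tag) -> bool:
    """Molnar's threat: erase the barcode, then lock the page so the
    library cannot rewrite it. True if the attack went through."""
    try:
        tag.write(PAGE_ITEM, bytes(8))
    except TagLocked:
        return False
    tag.lock(PAGE_ITEM)
    return True


def copy_item_page(src: Tag, dst: Tag) -> bool:
    """Grunwald's price switch: dump one tag's item page and paste it onto
    another's. The same move carried his hotel key onto a price tag."""
    try:
        dst.write(PAGE_ITEM, src.read(PAGE_ITEM))
    except TagLocked:
        return False
    return True


def plant_cookie(tag: Tag, marker: bytes) -> bool:
    """Tracking cookie: a marker in a spare page that a later reader looks
    for to recognise the same tag again."""
    try:
        tag.write(PAGE_SPARE, marker)
    except TagLocked:
        return False
    return True


def has_cookie(tag: Tag, marker: bytes) -> bool:
    return tag.read(PAGE_SPARE) == marker.ljust(8, b"\x00")[:8]


def audit(tag: Tag, must_be_locked: List[int]) -> List[int]:
    """Provisioning check: pages that should be locked but are not."""
    return [p for p in must_be_locked if not tag.locked[p]]
```

The status page is left writable on purpose: the article's point about fields that "need to be updated frequently" is exactly that a lock bit is all-or-nothing per page, so anything the deployment must rewrite in the field stays tamperable, and a cookie parked in a spare page survives locking of the data pages. audit() belongs in the provisioning step rather than in a later sweep, since a tag that vandalize() has already locked passes it.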
More information about the cypherpunks-legacy mailing list