Sunday, March 16, 2008

The latest nightmare with RFID

A few days ago, it was reported that one-billion RFID access devices could be compromised by hackers. These devices, which use the MiFare RFID chip, are currently deployed as access devices for mass transit systems and, of far greater concern, secure government facilities.

Please note, ComputerWorld has now revised the estimate of MiFare RFID chips in use to two-billion. For the final tally, we'll have to wait until a more detailed report is published.

According to news sources, this report will be issued on Wednesday.

One person claiming to be able to hack the RFID devices is a University of Virginia student by the name of Karsten Nohl, according to ComputerWorld. Nohl claims that all he would need now is a laptop, a scanner and a "few minutes" to start duplicating cards using the chip.

The article cites a computer security consultant, Ken van Wyk of KRvW Associates, as saying at least one European country has dispatched guards to secure facilities where this chip was used in access systems.

From the ComputerWorld article by Sharon Gaudin:

"It turns out it's a pretty huge deal," said van Wyk. "There are a lot of these things floating around out there. Using it for building locks is the biggy, especially when it's used in sensitive government facilities — and I know for a fact it's being used in sensitive government facilities."

Van Wyk told Computerworld that one European country has deployed military soldiers to guard some government facilities that use the MiFare Classic chip in their smart door key cards. "Deploying guards to facilities like that is not done lightly," he added. "They recognize that they have a huge exposure. Deploying guards is expensive. They're not doing it because it's fun. They're safeguarding their systems." He declined to identify the European country.

While it probably is a good idea to be very specific about what sensitive government facilities use the card, Engadget mentioned some general places that use this particular RFID chip. They include, "London (Oyster Card), Boston, Netherlands (OV-Chipkaart), Minneapolis / St. Paul, South Korea (Upass, T-money, Mybi), Hong Kong, Beijing, Milan, Madrid (Sube-T), Australia (Smartrider), Sao Paulo (Bilhete Unico), Rio de Janeiro (RioCard), Bangkok and New Delhi."

They also put up a YouTube video showing how easily these cards could be compromised. This video was created by the Digital Security section of the Radboud Nijmegen University in the Netherlands.



Full ComputerWorld story on this by Sharon Gaudin, here.

Other posts I've written about RFID nightmares, here.

1 comment:

Anonymous said...

Sooner or later enough RFID enabled cards will be around and the technology to steal their data will be so widely circulated that we will see routine reports of people getting their data nicked. Sure, people will think you're being paranoid if you think this. However, think about email problems with spam and viruses. Looking back, would the paranoia of installing an antivirus and spam filter seem justified? If you want to protect the data on your RFID credit cards or passports, check out the RFID Shield.