RFID “Electronic Pickpocketing”

February 26, 2011

Interesting story on “electronic pickpocketing” or “skimming” as it’s sometimes called:


One solution would be if credit card designers used an approach that required the user to enable the tag like this “secure touch” technology demo video shows.

Here we see that unless touched in a certain spot, the card is unreadable. In this demo it is being read at quite a distance once activated but it’s technically an easy approach to limit the range when activated to avoid ‘snooping’.

Vodpod videos no longer available.

Hacking the Wireless Way

April 15, 2009

James Van Bokkelen is about to be robbed. A wealthy software entrepreneur, Van Bokkelen will be the latest victim of some punk with a laptop. But this won’t be an email scam or bank account hack. A skinny 23-year-old named Jonathan Westhues plans to use a cheap, homemade USB device to swipe the office key out of Van Bokkelen’s back pocket.

“I just need to bump into James and get my hand within a few inches of him,” Westhues says. We’re shivering in the early spring air outside the offices of Sandstorm, the Internet security company Van Bokkelen runs north of Boston. As Van Bokkelen approaches from the parking lot, Westhues brushes past him. A coil of copper wire flashes briefly in Westhues’ palm, then disappears.

Van Bokkelen enters the building, and Westhues returns to me. “Let’s see if I’ve got his keys,” he says, meaning the signal from Van Bokkelen’s smartcard badge. The card contains an RFID sensor chip, which emits a short burst of radio waves when activated by the reader next to Sandstorm’s door. If the signal translates into an authorized ID number, the door unlocks.

The coil in Westhues’ hand is the antenna for the wallet-sized device he calls a cloner, which is currently shoved up his sleeve. The cloner can elicit, record, and mimic signals from smartcard RFID chips. Westhues takes out the device and, using a USB cable, connects it to his laptop and downloads the data from Van Bokkelen’s card for processing. Then, satisfied that he has retrieved the code, Westhues switches the cloner from Record mode to Emit. We head to the locked door.

“Want me to let you in?” Westhues asks. I nod.

He waves the cloner’s antenna in front of a black box attached to the wall. The single red LED blinks green. The lock clicks. We walk in and find Van Bokkelen waiting.

“See? I just broke into your office!” Westhues says gleefully. “It’s so simple.” Van Bokkelen, who arranged the robbery “just to see how it works,” stares at the antenna in Westhues’ hand. He knows that Westhues could have performed his wireless pickpocket maneuver and then returned with the cloner after hours. Westhues could have walked off with tens of thousands of dollars’ worth of computer equipment – and possibly source code worth even more. Van Bokkelen mutters, “I always thought this might be a lousy security system.”

So begins the article by Annalee Newitz of Wired Magazine which highlights a concern that has existed for years and continues to grow as everything from credit cards to utility meters and medical implants go wireless.  Having the ability to hack the wireless communication not only allows for monitoring, and stealing, of data but, in many cases, to also control the device; pretty scary when the device in question is a utility meter or, worse yet, a medical implant.

Mythbusters is one of my favorite shows on Discovery Channel. I was surprised to learn that they were recently banned by lawyers from airing an episode in which they reveal how easily an RFID device can be hacked (or, more accurately, cloned). In this clip below Adam Savage of the Mythbusters TV show explains what happened when they wanted to do a show on RFID vulnerability.

The use of AES 128 bit encryption is well known to protect devices from this type of hacking and cloning but it 1. costs more than the price of a typical commercial RFID chip to implement and 2. takes longer to authenticate, requiring the user to hold the RFID-enabled device in reading range (aka “interrogation zone”) for a longer period of time.

“But if you put [128-bit] Triple DES in there, all this would take 2 to 3 seconds—and that wouldn’t be acceptable to most consumers.”says

identify consumption in more detail than a conventional meter and communicate that information via some network back to the local utility for monitoring and billing purposes. “They also have ability to reduce load, disconnect-reconnect remotely, and interface to gas & water meters.

“This means consumer could be denied gas or water based on load or even have service disconnected all via a network.”, says Jim Matteson of Consumer Watchdog.org.

Most smart meters use a wireless protocol known as Zigbee to allow communication between the meter and a reader used by utility personnel or with a transceiver typically mounted on a nearby utility pole. While many of these meters use a very secure 128 bit encryption, they may still be subject to what is known as side-channel attack. You can read more about it as well as a documented incident of RFID side channel attack here.

RSA Security Inc. is one of the leading developers of encryption and secure business communcations. In a recent whitepaper they reported…

“The implementation of cryptographic algorithms has not received attention until recently. This was partially caused by the communication gap between system engineers and cryptographers. System engineers usually lack the deep understanding of complexities related to implementing cryptographic algorithms in a secure manner. Instead they focus on meeting vendor requirements where security is typically at the bottom of the list. At the same time, cryptographers tend to focus on the mathematics of cryptography and tend to analyze an algorithm’s security in terms of mathematical proofs and algorithmic complexity.

Therefore, side-channel cryptanalysis calls for cooperation and understanding between system engineers and cryptographers. Secure algorithms are vulnerable to simple attacks not described by mathematical models. Yet, cryptographers now understand that information channels can exist in the physical world; such channels are used to apply new or already known cryptanalysis techniques on various algorithms.”

T&M Consulting can identify the vulnerability of wireless systems to attack/cloning and consult on how to cost-effectively minimize it without sacrificing performance.  One insight I can provide is that many suspected jamming or denial-of-service attacks were actually due to unintentional interference from other wireless systems. Interference analysis is becoming increasingly  important as the spectrum gets more crowded with wireless signals.