RFID Hacking and Countermeasures

By

This article was published by ComputorEdge, issue #2548, 2007-11-30, as the cover article, in both their print edition (on pages 14-15) and their website.

Beginning her morning commute, an older American woman approaches her Prius without carrying any conventional car key. A transponder in her handbag, using radio frequency identification (RFID), automatically unlocks the car's doors and later deactivates the engine immobilizer. On a toll road, she pays without even slowing down, because the toll collection system detects an RFID transponder in her car.

Arriving early at her company's building, she unlocks the main doors temporarily by waving an RFID card in front of a card reader, and does the same to gain elevator access to her project's secure floor and laboratories. Her division is creating miniature RFID chips that will allow companies to inexpensively track inventory or livestock, and libraries to track books. Her company was exploring human-embeddable RFID chips, until recent legislation discouraged that effort.

Later that day, she leaves work early to pick up her father and take him to an air show, so he can view the old bombers — one of which he flew during World War II, in missions out of England. Neither father nor daughter realizes that both of them are alive only because the bomber he flew was equipped with a radio transponder — the first use of such technology — which one night informed British radar and antiaircraft crews that his off-course bomber was Allied.

So what's not to like about RFID? The US federal government, private industry employers, and other organizations are pushing for even more use of RFID chips and readers, to better track items, to store critical health information for faster access by medical response personnel, to pack more data into bank cards and passports, and innumerable other uses. It's already a multi-billion-dollar industry.

Crazy Card Crackers

It has been said that "What a man can make, a man can break". In ages past, that maxim was applied more to safe cracking and cryptanalysis. In this age, it is more often applied to vulnerable websites and, to the great concern of privacy advocates, RFID devices.

The techniques for breaking the security of RFID devices are many and varied, but the basic principles are the same, and can be illustrated with an example. Consider the RFID "smart card" used by the woman in our earlier example for accessing her office building. A criminal who wanted the same access would use a handheld cloning device, which can both generate signals to RFID chips and record their replies.

The criminal would only need to position the cloner within inches of her access card for a few moments, such as by brushing past her. During that time, he activates the cloner's antenna, which sends a burst of radio waves to the chip in her card. The chip cannot tell a cloner from a legitimate reader: it responds exactly as it does at the office door, by transmitting her authorized ID number. Because such a card simply announces a fixed identifier and is never asked to prove anything, the cloner can record that reply and, after some data processing, play it back on demand, so that the criminal's device acts like the original card.
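The exchange described above, as an added example that is not part of the original article: a simulated door reader and card, showing why a card that merely announces a fixed ID falls to record-and-replay, and why a card that must answer a fresh challenge with a secret key does not. The tag and reader classes, the identifier width, the sample ID, the key and the access list are all constructed for this illustration.

```python
"""Added example (not from the article): a fixed-ID proximity card versus a
challenge-response card, under a record-and-replay cloner. All classes,
IDs, keys and the access list are constructed for illustration."""
import hashlib
import hmac
import os

ID_LEN = 4  # assumed width of the card identifier on the air


class StaticIdTag:
    """A basic proximity card: energise it and it emits the same ID every time."""

    def __init__(self, card_id: bytes) -> None:
        self.card_id = card_id

    def respond(self, _challenge: bytes) -> bytes:
        return self.card_id  # the reader's signal is ignored; nothing is proven


class ChallengeResponseTag:
    """A card holding a secret key; it proves possession by MACing the reader's nonce."""

    def __init__(self, card_id: bytes, key: bytes) -> None:
        self.card_id = card_id
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        mac = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return self.card_id + mac


class ClonerTag:
    """The attacker's device: plays back a reply it recorded from the victim's card."""

    def __init__(self, recorded_reply: bytes) -> None:
        self.recorded_reply = recorded_reply

    def respond(self, _challenge: bytes) -> bytes:
        return self.recorded_reply


class StaticIdReader:
    """Admits any card whose announced ID is on the access list."""

    def __init__(self, allowed_ids) -> None:
        self.allowed_ids = set(allowed_ids)

    def admit(self, tag) -> bool:
        return tag.respond(b"") in self.allowed_ids


class ChallengeResponseReader:
    """Sends a fresh random nonce and checks the MAC with the key on file for that ID."""

    def __init__(self, keys_by_id: dict) -> None:
        self.keys_by_id = keys_by_id

    def admit(self, tag) -> bool:
        challenge = os.urandom(16)  # fresh per attempt, so a recorded reply is worthless
        reply = tag.respond(challenge)
        card_id, mac = reply[:ID_LEN], reply[ID_LEN:]
        key = self.keys_by_id.get(card_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)


def skim(tag) -> bytes:
    """The cloner brushes past the victim: it energises the card and records the reply."""
    return tag.respond(os.urandom(16))  # the cloner's own signal, not a real door's


VICTIM_ID = b"\x01\x02\x03\x04"  # constructed
VICTIM_KEY = os.urandom(32)      # constructed; shared with the reader when the card was issued


def replay_against_static_card() -> bool:
    """True means the cloner was admitted, i.e. the attack worked."""
    door = StaticIdReader([VICTIM_ID])
    cloner = ClonerTag(skim(StaticIdTag(VICTIM_ID)))
    return door.admit(cloner)


def replay_against_challenge_response_card() -> bool:
    """Same attack against a card that must answer a fresh challenge."""
    door = ChallengeResponseReader({VICTIM_ID: VICTIM_KEY})
    cloner = ClonerTag(skim(ChallengeResponseTag(VICTIM_ID, VICTIM_KEY)))
    return door.admit(cloner)


def legitimate_card_still_works() -> bool:
    door = ChallengeResponseReader({VICTIM_ID: VICTIM_KEY})
    return door.admit(ChallengeResponseTag(VICTIM_ID, VICTIM_KEY))


if __name__ == "__main__":
    print("static-ID card, replayed clone admitted:", replay_against_static_card())
    print("challenge-response card, replayed clone admitted:", replay_against_challenge_response_card())
    print("challenge-response card, genuine card admitted:", legitimate_card_still_works())
```

The challenge-response card resists the replay only because the nonce changes every time and the key never leaves the card; it does nothing against an attacker who relays the live exchange between the victim's card and the door in real time, and it is only as strong as the cipher and the key management behind it.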

The security vulnerabilities inherent in RFID devices are not limited to smart cards used for controlling access to buildings. RFID chips are being embedded in more debit and credit cards every day, despite the misgivings of those relatively few recipients who are aware of how easily the cards can be compromised. Banks and other financial institutions will typically reassure inquiring customers that the personal information on those cards is completely secure, using encryption. But there have been repeated instances of criminals and researchers defeating those security measures.

Passport to Lost Identity Land

The governments of the United States, Germany, the UK, and other countries are at various stages of rolling out RFID-enabled passports, often referred to as "e-passports". Government officials claim that the new passports, whose chip contents are digitally signed by the issuing country, will make forged passports much easier to detect, and thus improve border security. The chips already in service, as well as those planned, generally contain the holder's name, nationality, date of birth, photograph, and other distinguishing information.

Yet shortly after the introduction of e-passports, and even while more governments piled onto this bandwagon, security analysts were demonstrating how easy it is to defeat these new identification documents. For instance, in August 2006, Wired News reported that German computer security consultant Lukas Grunwald had successfully cloned the chip of a new German e-passport, using information publicly posted on the Web, an RFID reader ordered through the mail, freely available software, and a blank passport page embedded with an RFID tag. Such a clone passes the signature check because the signature covers the data stored on the chip rather than the chip itself, so a bit-for-bit copy carries a valid signature. He also showed that e-passport data can be cloned even onto building access cards.

The problem is not limited to German passports, since the e-passports of all UN member states are meant to comply with standards developed in 2003 by the International Civil Aviation Organization (ICAO), a UN agency. The UK Identity and Passport Service has issued millions of such passports to British citizens, many of whom are probably unaware that the e-passports contain their biometrics and other personal data, or that the "advanced digital encryption technique" said to protect these documents is ICAO's Basic Access Control, whose key is derived from the passport number, date of birth and expiry date printed in the passport's own machine-readable zone. These supposedly safe documents had already been cracked in public demonstrations by the time this article was written.
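To make concrete why the e-passport's "encryption" protects so little, here is an added example (not from the article) that derives the Basic Access Control keys exactly as ICAO Doc 9303 specifies: SHA-1 over the document number, birth date and expiry date with their check digits, then two parity-adjusted 3DES keys from that seed. Every input is printed on the passport's data page, so anyone who has seen or photographed it can compute the keys, and anyone who knows only the birth date and roughly when the passport was issued has a small space left to guess. The sample MRZ fields are the worked-example values from ICAO Doc 9303; the function names are this example's own.

```python
"""Added example (not from the article): ICAO 9303 Basic Access Control key
derivation from the machine-readable zone. Sample fields are the ICAO
Doc 9303 worked-example values; nothing here is secret."""
import hashlib


def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: weight each character 7,3,1,7,3,1,...;
    digits count as their value, A-Z as 10-35, the filler '<' as 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch == "<":
            value = 0
        elif ch.isdigit():
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * (7, 3, 1)[i % 3]
    return total % 10


def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """Document number (padded to 9 with '<'), birth date and expiry date
    (YYMMDD), each followed by its check digit: the 24-char BAC key input."""
    doc_number = doc_number.ljust(9, "<")
    return "".join(f"{f}{mrz_check_digit(f)}" for f in (doc_number, birth_date, expiry_date))


def parse_mrz_information(info: str) -> tuple:
    """Inverse of mrz_information(); rejects a string whose check digits are
    wrong. When the MRZ comes from a photograph, a failing check digit means
    a misread character rather than a bad guess."""
    if len(info) != 24:
        raise ValueError("MRZ information must be 24 characters")
    fields = (info[0:9], info[10:16], info[17:23])
    checks = (info[9], info[16], info[23])
    for field, check in zip(fields, checks):
        if str(mrz_check_digit(field)) != check:
            raise ValueError(f"check digit mismatch for field {field!r}")
    return fields


def mrz_information_is_valid(info: str) -> bool:
    try:
        parse_mrz_information(info)
        return True
    except ValueError:
        return False


def adjust_des_parity(key: bytes) -> bytes:
    """Force odd parity on every byte, as 9303 requires for 3DES keys."""
    out = bytearray()
    for b in key:
        ones_in_top7 = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones_in_top7 % 2 else 1))
    return bytes(out)


def has_odd_parity(key: bytes) -> bool:
    return all(bin(b).count("1") % 2 == 1 for b in key)


def bac_key_seed(doc_number: str, birth_date: str, expiry_date: str) -> bytes:
    """Kseed = first 16 bytes of SHA-1 over the MRZ information."""
    info = mrz_information(doc_number, birth_date, expiry_date).encode("ascii")
    return hashlib.sha1(info).digest()[:16]


def derive_bac_keys(doc_number: str, birth_date: str, expiry_date: str) -> tuple:
    """Kenc and Kmac per 9303: SHA-1(Kseed || counter)[:16] with counter 1 and 2,
    then DES parity adjustment."""
    seed = bac_key_seed(doc_number, birth_date, expiry_date)
    k_enc = adjust_des_parity(hashlib.sha1(seed + b"\x00\x00\x00\x01").digest()[:16])
    k_mac = adjust_des_parity(hashlib.sha1(seed + b"\x00\x00\x00\x02").digest()[:16])
    return k_enc, k_mac


if __name__ == "__main__":
    # ICAO Doc 9303 worked-example passport: number L898902C, born 1969-08-06, expires 1994-06-23
    print("MRZ information:", mrz_information("L898902C", "690806", "940623"))
    k_enc, k_mac = derive_bac_keys("L898902C", "690806", "940623")
    print("Kenc:", k_enc.hex())
    print("Kmac:", k_mac.hex())
```

Nothing in this derivation is secret: the check digits are computable by anyone, and the three fields are the same ones a border officer reads off the data page. An attacker who cannot see the page still has only the document number to guess once the birth date and approximate issue date are known, which is why these keys have been recovered by brute force against recorded sessions.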

Chips Fried, Not Baked

Short of joining an Amish or other low-tech community, what can the concerned citizen do about this widespread, and often mandatory, use of RFID? Many people are choosing countermeasures to disable, or at least shield, the RFID chips in the cards and e-passports that they are given.

Those seeking the more drastic measure of permanently incapacitating the unwanted RFID chips in their lives will fry the card in a microwave for a few seconds, or bang the chip with a hammer until it is crippled. A less destructive approach is to wrap the card in a conductive material that blocks the reader's radio field, so that the chip is neither powered up nor heard for as long as it stays wrapped. Some people have chosen tinfoil (and no, not taken from proverbial tinfoil hats), while others have purchased metal mesh bags specifically designed and marketed for this purpose.

The most certain form of security would be to simply not use RFID-enabled devices. When banks or other financial institutions push customers to accept RFID cards, more people are refusing, and threatening to close their accounts if necessary. In most cases, the financial institutions back down, in order not to lose business. Unless RFID chip makers and smart card distributors make them more secure, we may reach the point where the smartest way to keep one's information safe is to never use a "smart card".

Copyright © 2007 Michael J. Ross. All rights reserved.