
Re: [Full-disclosure] Sniffing RFID ID's ( Physical Security )



My post was based more on *existing* RFID implementations used for physical
security access cards.

I know that non-contact cards such as RFID Credit Cards use encryption and so
on...  But are still vulnerable to non-authorized transactions.. I mean..
there is no green button you push to authorize the transaction.

But I just don't believe that the RFID access-card I use to access client
premises uses any type of encryption or only communicates with specific
readers.

*IF* this is the case then an attacker should have no problems powering the
card and making a "copy" of the contents.

JP
PacketFocus
www.packetfocus.com
josh.perrymon@xxxxxxxxxxxxxxx

On 6/27/06, mikeiscool <michaelslists@xxxxxxxxx> wrote:

On 6/27/06, Valdis.Kletnieks@xxxxxx <Valdis.Kletnieks@xxxxxx> wrote:
> On Tue, 27 Jun 2006 14:24:35 +1000, mikeiscool said:
> > eh?
> >
> > surely a RFID would only communicate its private token with a trusted
> > (i.e. keyed) source.
> >
> > like a smartcard ...
>
> Well.. Yeah.  That *would* make sense.
>
> Unfortunately, some beancounter would likely realize they can shave $0.02 per
> card by doing it the easy way, or that they can save $40K by hiring a
> bonehead designer rather than a clued crypto geek.
>
> If all software was actually designed and implemented to the "Surely it would"
> standard, most of the people on this list, both black and white hats, would
> be unemployed.  Fortunately for our collective ability to cover our rent checks,
> almost all software has "Surely they *didn't*" flaws in it....

hang on,

does that make me a clued crypto geek? i better ask for a raise ...

but anyway; the op was asking for suggestions; my suggestion is to do
what i said. if someone is trying to make rfids secure; why not follow
the smartcard format?

-- mic

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/