Sunday, October 29, 2006

RFID Credit Cards Hacked

Video of an RFID credit card being copied:

A New York Times Article ( States:

"In tests on 20 cards from Visa, MasterCard and American Express, the researchers here found that the cardholder’s name and other data was being transmitted without encryption and in plain text. They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150.

They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50.

And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. “Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?” Mr. Heydt-Benjamin, a graduate student, asked. "

RFID Skimming Toolkit

RFIDIOt is an open source python library for exploring RFID devices.

"This program will exchange crypto keys with the passport and read and display the contents therein, including the facial image and the personal data printed in the passport."

Wednesday, October 11, 2006

RFID Payment Card Vulnerabilities Technical Report Released

Sunday, October 08, 2006

Passport Hacking Roundup - US, UK, DE, NL

Passports issued by the following 4 governments have been shown to be vulnerable to attack. The articles describe demonstrations of attackers copying and maliciously reading the information stored on ePassports.

United States (08/03/2006),71521-0.html

United Kingdom (08/07/2006),,1838754,00.html

Germany (08/04/2006)

Netherlands (07/28/2005)

RFID Tags Shown to Trigger Viruses

RFID tags can be used to trigger SQL Injection Attacks. These attacks are possible because RFID tags contain strings of text which systems assume are safe. Often, input validation is not performed on data coming from RFID tags. This lack of validation results in the ability for an attacker to perform the injection attack.

A Computer Business Review article suggests:
"RFID software should not implicitly trust the data it pulls off RFID tags. It should be subject to the same security check as any potentially untrustworthy user input."

Vetoed: Identity Information Protection Act

Senator Simitian’s proposed Identity Information Protection Act was vetoed on Oct 2nd 2006.

The act imposed security standards on RFID devices.

An RFID Journal Article Reports:
"The security rules called for the incorporation of tamper-resistant authentication tools to prevent duplication, forgery or cloning of the ID. Mutual authentication between the interrogator and tag embedded in the ID would have been required if any personally identifiable information—such as an individual's picture, Social Security number or name—were transmitted between the tag and reader. The IDs would have also needed to employ encryption or some other method of making such information unreadable or unusable by an unauthorized person, as well as offer an on/off switch or similar means of giving the ID holder direct control over any data transmission."

Saturday, October 07, 2006

RFID Security Blog Begins

The purpose of this blog is to provide a platform for presenting RFID vulnerabilities, attack scenarios involving RFID devices and privacy intrusions resulting from the use of RFID. News articles related to the topic will be referenced and commented on.