Full Disclosure mailing list archives
Re: Sniffing RFID ID's ( Physical Security )
From: "Josh L. Perrymon" <joshuaperrymon () gmail com>
Date: Tue, 27 Jun 2006 15:31:12 +1000
My post was based more on *existing* RFID implementations used for physical security access cards.

I know that non-contact cards such as RFID Credit Cards use encryption and so on... but are still vulnerable to non-authorized transactions.. I mean.. there is no green button you push to authorize the transaction.

But I just don't believe that the RFID access-card I use to access client premises uses any type of encryption or only communicates with specific readers.

*IF* this is the case then an attacker should have no problems powering the card and making a "copy" of the contents.

JP
PacketFocus
www.packetfocus.com
josh.perrymon () packetfocus com

On 6/27/06, mikeiscool <michaelslists () gmail com> wrote:
On 6/27/06, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
> On Tue, 27 Jun 2006 14:24:35 +1000, mikeiscool said:
> > eh?
> >
> > surely a RFID would only communicate its private token with a trusted
> > (i.e. keyed) source.
> >
> > like a smartcard ...
>
> Well.. Yeah. That *would* make sense.
>
> Unfortunately, some beancounter would likely realize they can shave $0.02 per
> card by doing it the easy way, or that they can save $40K by hiring a
> bonehead designer rather than a clued crypto geek.
>
> If all software was actually designed and implemented to the "Surely it would"
> standard, most of the people on this list, both black and white hats, would
> be unemployed. Fortunately for our collective ability to cover our rent checks,
> almost all software has "Surely they *didn't*" flaws in it....

hang on, does that make me a clued crypto geek? i better ask for a raise ...

but anyway; the op was asking for suggestions; my suggestion is to do what i said. if someone is trying to make rfids secure; why not follow the smartcard format?

-- mic
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
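An added illustration, not part of the original message or thread and not any real card's protocol: it contrasts a card that returns a static identifier to whatever powers it with one that, as the quoted reply suggests, releases its token only to a reader proving knowledge of a shared key. The class names, the HMAC-SHA256 construction, and the sample key and badge identifier are constructed assumptions.

```python
import hashlib
import hmac
import os

def mac(key, label, *parts):
    # Nonces are fixed-length (16 bytes), so plain concatenation is unambiguous.
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

class StaticCard:
    """Returns the same identifier to anything that powers it."""
    def __init__(self, card_id):
        self.card_id = card_id
    def read(self):
        return self.card_id

class KeyedCard:
    """Releases its identifier only after the reader proves it holds the key."""
    def __init__(self, card_id, key):
        self.card_id, self.key, self.nonce = card_id, key, None
    def challenge(self):
        self.nonce = os.urandom(16)           # fresh per session
        return self.nonce
    def respond(self, reader_nonce, reader_proof):
        nonce, self.nonce = self.nonce, None  # each challenge is single-use
        if nonce is None:
            return None
        expected = mac(self.key, b"reader", nonce, reader_nonce)
        if not hmac.compare_digest(expected, reader_proof):
            return None                       # unkeyed reader learns nothing
        proof = mac(self.key, b"card", reader_nonce, nonce, self.card_id)
        return self.card_id, proof

class Reader:
    def __init__(self, key):
        self.key = key
    def authenticate(self, card):
        card_nonce, reader_nonce = card.challenge(), os.urandom(16)
        reply = card.respond(reader_nonce, mac(self.key, b"reader", card_nonce, reader_nonce))
        if reply is None:
            return None
        card_id, proof = reply
        expected = mac(self.key, b"card", reader_nonce, card_nonce, card_id)
        # The proof is bound to this session's reader nonce, so an old reply fails here.
        return card_id if hmac.compare_digest(proof, expected) else None

KEY = b"\x11" * 32        # constructed sample key
BADGE = b"badge-0001"     # constructed sample identifier
```

In this sketch the identifier still crosses the air in the clear once the reader has authenticated; what the exchange prevents is release to an unkeyed reader and acceptance of a recorded reply.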
