Security Now 278
Topic: Tag Me With RFID
Recorded: December 8, 2010
Published: December 8, 2010
Windows 7 SP1 reaches RC level, Google Chrome v8.0 released, What is SHIELD?, How to keep track of people using RFID tags, and more.
News & Errata
9:10 - 9:20
- Quiet week: no security updates
9:21 - 12:50
- Still Waiting On: New Local Privilege Escalation 0-Day Kernel Vulnerability: 32 & 64 bit XP, Vista, Win7 & Win2008/SP2
12:51 - 16:23
- Google's Chrome Browser v8.0 released (v8.0.552.215)
- Built-in PDF viewer with Sandboxing technology.
- Coming Soon: a Sandboxed Adobe Flash Player (it's in the dev channel code)
- Also fixes 13 security vulnerabilities.
16:24 - 18:20
- Windows 7 SP1 @ RC level
18:21 - 25:40
- FTC beginning to stir in the online-privacy world
- Some form of "Do Not Track" mechanism similar to the national "Do Not Call" registry?
- Microsoft's IE9 may have some sort of feature.
25:41 - 28:33
- Open Source ProFTPD source code tampered with
- 0-day vulnerability in ProFTPD used to access master source
- New command: "HELP ACIDBITCHEZ" gives a root command shell
- Users who downloaded it between November 28th and Dec 1st are at risk
28:34 - 34:14
- Ransomware making a comeback - with newer "better" technology
- Carried in infected PDF files
- Uses RSA-1024 and AES-256 crypto to encrypt and lock up user's information... then demands payment of up to $120 to recover data.
34:15 - 37:25
- SHIELD - "Securing Human Intelligence and Enforcing Lawful Dissemination"
- Amend the Espionage Act, adding a prohibition on publishing of human intelligence.
- Leaking the information is already a criminal offense, so the proposed legislation is taking aim directly at publishers.
37:26 - 42:11
- Blackberry/RIM & India
- RIM is again saying/explaining that they cannot provide access to the content of encrypted Blackberry communications of companies using the BES - Blackberry Enterprise Servers - since Blackberry doesn't have the keys.
- India is, therefore, going to the individual companies to see about obtaining the required credentials.
42:12 - 48:20 Doug White (Unknown)
SpinRite fixed a broken drive
49:50 - 59:10 & 01:00:43 - 01:25:18
- Coolness and convenience if there’s minimal down-side.
- Hobbyists are doing this now:
Yeah, the cosmetic surgeon gave me an injection to numb the area, cut a 3mm hole in my skin, lifted it a bit using medical scissors to separate it from the underlying tissue, then gently pushed the glass tag into the hole and seated it at least 2mm deeper into the hole by gently pushing on it with a medical instrument of some kind. The important thing is to get it between the dermis layer and the underlying tissues, and not to go deeper than just under the skin... otherwise migration could be an issue, and you will likely have a much more difficult time removing it.
- "Philips Hitag S 2048"
- 2 x 12mm Glass RFID Tag - $10
- Biological / Medical
- Mice got cancer, but apparently that's what mice do.
- Medical researchers don't see anything preventing safe human implantation.
- Implant migration / non-migration coatings make removal more difficult
- MRI scans? (Mythbusters busted that one)
- Low “RF” field concern since there’s no RF.
- The technology is magnetic loop induction in the 100 kHz-150 kHz region.
- "VeriChip" - FDA-approved human-implantable RFID
- 16-digit fixed ID
- The trouble with any fixed-ID tag
I can copy a proximity card at least as easily as I can take an impression of a key. This means that it's not a very good idea to reuse visitor cards without changing the id (and that it doesn't really matter whether you get the physical card back from the guy you just fired).
More insidiously, it's quite practical to read someone's card without removing it from their wallet. A bit of deliberate clumsiness, a reader up my sleeve, and I would have little trouble cloning anyone's card. I could also exploit the fact the distance at which the cards will be powered is less than the distance at which they can be read; if another reader is exciting the card then my reader can read that card from the other side of a wall!
This means that a sniffer concealed somewhere near a legitimate reader could intercept real transactions at a significant distance. This sort of attack is particularly good because the card repeats its id over and over as long as it is in the field, so that I could use signal processing techniques to combine multiple copies of the pattern to further improve my read range.
- Using Crypto to solve the security side
- Chip contains a secret
- No crypto: Secret is just blurted out
- Private key:
- (Symmetric) Secret
- Used to drive a 1-way (hash) or 2-way (encryption) function
- Secret is shared ONLY with trusted authenticators
- Benefit: low computational cost
- Trouble: leakage of secret allows cloning
- Public Key:
- (Asymmetric) Secret and Non-Secret
- Also used to "sign" a "challenge"
- The public key can be shared, even published, and no one can clone the chip, since the secret key cannot be determined from the matching public key
- Benefit: nothing to keep secret
- Trouble: higher mathematical computational cost
- Requirements before it makes sense (even to me!)
- Proven biological safety.
- Physically fixed, non-migrating.
- "Non migration coatings" can make implants more difficult to remove.
- A single settled standard (no Betamax/VHS or HD/BluRay)
- Fully Clone-Proof to offer true authentication
- Either private or public key crypto to support a challenge/response protocol.
- Key length needs to be long enough to prevent brute-force attacks
- Several current solutions are only 32-bits
- REAL industry-standard crypto, not something home-grown
- "Speedpass" used a 40-bit cipher designed by Texas Instruments engineers -- it was weak and soon hacked.
- Open standards: the Texas Instruments & Philips solutions are proprietary
- Rewritable secret
- Rewritable is a LOT better than re-implantable!
- Could thus simulate being turned off.
- Operating Distance - a mixed blessing
- Short distance is inherently more secure, but might be less convenient
- Distance is not measured, it's based upon power and sensitivity, thus can't be relied upon.
- Legislation exists in several states to prohibit employers from requiring employees to have RFID chips implanted. (Voluntary implantation is okay.)
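The fixed-ID weakness and the symmetric challenge/response requirement from the notes above, as an added example that is not from the show or its notes. The class names, the HMAC-SHA256 construction and the sample ID are assumptions chosen for illustration, and only the shared-secret variant is modeled.

```python
import hashlib
import hmac
import secrets

class FixedIdTag:
    """No crypto: the tag blurts out the same ID every time it is powered."""
    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id
    def respond(self, challenge: bytes) -> bytes:
        return self.tag_id  # the challenge is ignored

class SymmetricTag:
    """Tag holds a shared secret and answers HMAC-SHA256(secret, challenge)."""
    def __init__(self, secret: bytes):
        self._secret = secret
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

class ReplayDevice:
    """Stands in for a sniffer: it can only repeat a response it recorded."""
    def __init__(self, recorded: bytes):
        self.recorded = recorded
    def respond(self, challenge: bytes) -> bytes:
        return self.recorded

def fixed_id_reader(tag, enrolled_id: bytes) -> bool:
    return hmac.compare_digest(tag.respond(b""), enrolled_id)

def challenge_reader(tag, secret: bytes) -> bool:
    challenge = secrets.token_bytes(16)  # fresh nonce for every transaction
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(tag.respond(challenge), expected)

def demo() -> dict:
    tag_id = bytes.fromhex("0011223344556677")  # constructed sample ID
    secret = secrets.token_bytes(16)            # constructed 128-bit secret
    real = SymmetricTag(secret)
    sniffed = real.respond(secrets.token_bytes(16))  # one overheard exchange
    return {
        "fixed_id_replay_accepted": fixed_id_reader(ReplayDevice(tag_id), tag_id),
        "genuine_tag_accepted": challenge_reader(real, secret),
        "replay_accepted": challenge_reader(ReplayDevice(sniffed), secret),
        "leaked_secret_clone_accepted": challenge_reader(SymmetricTag(secret), secret),
    }

if __name__ == "__main__":
    print(demo())
```

The last entry reflects the "leakage of secret allows cloning" point: a fresh challenge defeats a recorded response, but not a copy of the secret itself.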
- Sync #9
- ad times: 0:44-0:55 and 7:09-9:10
- CarbPro #2
- ad times: 0:56-1:09 and 48:27-49:44
- G2A #6
- ad times: 1:11-1:24 and 59:13-1:00:41
- Edited by: Tony