The RFID Menace?

Or perhaps The Clone Wars:

[Patrick Riley,] a graduate student at UC Berkeley who just completed a Fulbright study on e-passport use in Germany...says the data encrypted US version can be hacked and counterfeited.

"There is technology out there that can also identify information on the passport," says Riley.

Because the passport is so new, we could not find one for this story to verify Riley's claim. But we wanted to know how easy it would be to clone my own building security badge.

"It's relatively simple to clone the cards," says Chris Paget, Director of Research for IOActive, a computer security company in Seattle. Paget and his engineers were able to create a portable RFID reader from off the shelf parts purchased at a local electronics store.

"We spend a hundred bucks on some random components and just built it. It's really that simple to do," Paget said. The reader was connected to a laptop that was running software IOActive wrote specifically for this project. The reader and laptop were placed inside a regular computer bag.

Outside, on a busy street corner, Paget was able to read my building security badge that was in my pocket as I stood on a street corner. The reader was only six inches away, but on a busy street I would have never thought twice about a guy with a laptop bag next to me. It took just a matter of seconds.

To raise awareness of the risks of RFID tags on people, we took our test one step further. We rigged up a homemade reader to a make believe bus stop bench. Engineers from IOActive programmed a laptop connected to detonate a smoke bomb only when the reader recognized my unique badge number, a number they had grabbed on the street corner.

"That's kind of scary," says Ted Ispen of IOActive. The idea of the test was to simulate a targeted attack on one single person who had their RFID number copied.

Ted's RFID enabled security badge was similar to mine and made by the same company. When he sat on the bench, the reader picked up and recorded his unique ID number, but did not trigger the smoke bomb.

When I sat down, the reader recognized my number and the laptop triggered the simulated bomb. If a couple of smart tech guys could pull this off with off the shelf parts, who else could do this?

It's kind of old news for those of us who keep up with security and technology, but now it's hitting the mainstream awareness. For more on RFID, check out Dave Johnston's podcasts...

Published Friday, November 10, 2006 7:37 AM by ntodd