by Annalee Newitz
from Wired Website

They can steal your smartcard, lift your passport, jack your car, even clone the chip in your arm. And you won't feel a thing. 5 tales from the RFID-hacking underground.

Contributing editor Annalee Newitz (annalee@techsploitation.com) wrote about Spyware in issue 13.12.

James Van Bokkelen is about to be robbed. A wealthy software entrepreneur, Van Bokkelen will be the latest victim of some punk with a laptop. But this won't be an email scam or bank account hack. A skinny 23-year-old named Jonathan Westhues plans to use a cheap, homemade USB device to swipe the office key out of Van Bokkelen's back pocket. "I just need to bump into James and get my hand within a few inches of him," Westhues says.

We're shivering in the early spring air outside the offices of Sandstorm, the Internet security company Van Bokkelen runs north of Boston. As Van Bokkelen approaches from the parking lot, Westhues brushes past him. A coil of copper wire flashes briefly in Westhues' palm, then disappears.

Van Bokkelen enters the building, and Westhues returns to me. "Let's see if I've got his keys," he says, meaning the signal from Van Bokkelen's smartcard badge. The card contains an RFID (Radio Frequency Identification) chip, which emits a short burst of radio waves when activated by the reader next to Sandstorm's door. If the signal translates into an authorized ID number, the door unlocks.

The coil in Westhues' hand is the antenna for the wallet-sized device he calls a cloner, which is currently shoved up his sleeve. The cloner can elicit, record, and mimic signals from smartcard RFID chips. Westhues takes out the device and, using a USB cable, connects it to his laptop and downloads the data from Van Bokkelen's card for processing. Then, satisfied that he has retrieved the code, Westhues switches the cloner from Record mode to Emit.

We head to the locked door. "Want me to let you in?" Westhues asks. I nod.

He waves the cloner's antenna in front of a black box attached to the wall. The single red LED blinks green. The lock clicks. We walk in and find Van Bokkelen waiting. "See? I just broke into your office!" Westhues says gleefully. "It's so simple." Van Bokkelen, who arranged the robbery "just to see how it works," stares at the antenna in Westhues' hand.

He knows that Westhues could have performed his wireless pickpocket maneuver and then returned with the cloner after hours. Westhues could have walked off with tens of thousands of dollars' worth of computer equipment - and possibly source code worth even more.

Van Bokkelen mutters, "I always thought this might be a lousy security system."

RFID chips are everywhere - companies and labs use them as access keys, Prius owners use them to start their cars, and retail giants like Wal-Mart have deployed them as inventory tracking devices. Drug manufacturers like Pfizer rely on chips to track pharmaceuticals. The tags are also about to get a lot more personal: Next-gen US passports and credit cards will contain RFIDs, and the medical industry is exploring the use of implantable chips to manage patients.

According to the RFID market analysis firm IDTechEx, the push for digital inventory tracking and personal ID systems will expand the current annual market for RFIDs from $2.7 billion to as much as $26 billion by 2016.

RFID technology dates back to World War II, when the British put radio transponders in Allied aircraft to help early radar crews tell friendly planes from enemy ones. The first chips were developed in research labs in the 1960s, and by the next decade the US government was using tags to electronically authorize trucks coming into Los Alamos National Laboratory and other secure facilities.

Commercialized chips became widely available in the '80s, and RFID tags were being used to track difficult-to-manage property like farm animals and railroad cars. But over the last few years, the market for RFIDs has exploded, driven by advances in computer databases and declining chip prices. Now dozens of companies, from Motorola to Philips to Texas Instruments, manufacture the chips.

The tags work by broadcasting a few bits of information to specialized electronic readers. Most commercial RFID chips are passive emitters, which means they have no onboard battery: They send a signal only when a reader powers them with a burst of radio energy. Once powered, these chips broadcast their signal indiscriminately within a certain range, usually a few inches to a few feet. Active emitter chips with internal power can send signals hundreds of feet; these are used in the automatic toll-paying devices (with names like FasTrak and E-ZPass) that sit on car dashboards, pinging tollgates as autos whiz through.

For protection, RFID signals can be encrypted. The chips that will go into US passports, for example, will likely be coded to make it difficult for unauthorized readers to retrieve their onboard information (which will include a person's name, age, nationality, and photo). But most commercial RFID tags don't include security, which is expensive: A typical passive RFID chip costs about a quarter, whereas one with encryption capabilities runs about $5. It's just not cost-effective for your average office building to invest in secure chips.

This leaves most RFIDs vulnerable to cloning or - if the chip has a writable memory area, as many do - data tampering. Chips that track product shipments or expensive equipment, for example, often contain pricing and item information. These writable areas can be locked, but often they aren't, because the companies using RFIDs don't know how the chips work or because the data fields need to be updated frequently.
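To make the lock-bit point concrete, here is a small simulation, added for this edit and not code from the article or from any tag vendor it names: a tag whose memory is split into writable pages with a one-way lock bit per page, provisioned the way a library might (barcode page, loan-status page), with a check that reports pages holding data that are still writable. Page count, page size, the page layout and the permanent-lock rule are assumptions.

```python
from dataclasses import dataclass, field

PAGE_COUNT = 8   # assumed number of user-memory pages
PAGE_SIZE = 4    # assumed bytes per page
EMPTY = b"\x00" * PAGE_SIZE


@dataclass
class Tag:
    """Simulated passive tag: writable pages plus a one-way lock bit per page."""
    pages: list = field(default_factory=lambda: [EMPTY] * PAGE_COUNT)
    locked: list = field(default_factory=lambda: [False] * PAGE_COUNT)

    def read(self, page: int) -> bytes:
        return self.pages[page]

    def write(self, page: int, data: bytes) -> bool:
        """Write one page; refused (returns False) once the page is locked."""
        if self.locked[page]:
            return False
        self.pages[page] = data.ljust(PAGE_SIZE, b"\x00")[:PAGE_SIZE]
        return True

    def lock(self, page: int) -> None:
        """Set the lock bit; on real tags this is irreversible, and it is here too."""
        self.locked[page] = True


BARCODE_PAGE, STATUS_PAGE, SPARE_PAGE = 0, 1, 2  # assumed page layout


def provision(barcode: bytes, lock_barcode: bool) -> Tag:
    """Library-side setup: store the barcode and mark the book as in. A hardened
    deployment locks the barcode page; loan status must stay writable."""
    tag = Tag()
    tag.write(BARCODE_PAGE, barcode)
    tag.write(STATUS_PAGE, b"IN")
    if lock_barcode:
        tag.lock(BARCODE_PAGE)
    return tag


def audit_unlocked_data(tag: Tag) -> list:
    """Defender's check: pages that hold data but can still be rewritten."""
    return [i for i, (page, is_locked) in enumerate(zip(tag.pages, tag.locked))
            if page != EMPTY and not is_locked]


def overwrite_attempt(tag: Tag) -> dict:
    """The article's demonstration: write to a spare page, then try to wipe the
    barcode. Returns which writes the tag accepted."""
    return {"spare": tag.write(SPARE_PAGE, b"AB"),
            "barcode": tag.write(BARCODE_PAGE, EMPTY)}


if __name__ == "__main__":
    for lock_barcode in (False, True):
        tag = provision(b"1234", lock_barcode)
        print(lock_barcode, overwrite_attempt(tag), audit_unlocked_data(tag))
```

With the barcode page unlocked both writes succeed and the barcode is gone; with it locked the spare-page write still succeeds (the audit flags it) but the barcode survives.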
			
			  
			
Either way, these chips are open to hacking. "The world of RFID is like the Internet in its early stages," says Ari Juels, research manager at the high tech security firm RSA Labs. "Nobody thought about building security features into the Internet in advance, and now we're paying for it in viruses and other attacks. We're likely to see the same thing with RFIDs."

David Molnar is a soft-spoken computer science graduate student who studies commercial uses for RFIDs at UC Berkeley. I meet him in a quiet branch of the Oakland Public Library, which, like many modern libraries, tracks most of its inventory with RFID tags glued inside the covers of its books. These tags, made by Libramation, contain several writable memory "pages" that store the books' barcodes and loan status.

Brushing a thatch of dark hair out of his eyes, Molnar explains that about a year ago he discovered he could destroy the data on the books' passive-emitting RFID tags by wandering the aisles with an off-the-shelf RFID reader-writer and his laptop. "I would never actually do something like that, of course," Molnar reassures me in a furtive whisper, as a non-bookish security guard watches us.

Our RFID-enabled checkout is indeed quite convenient. As we leave the library, we stop at a desk equipped with a monitor and arrange our selections, one at a time, face up on a metal plate. The titles instantly appear onscreen. We borrow four books in less than a minute without bothering the librarian, who is busy helping some kids with their homework.

Molnar takes the books to his office, where he uses a commercially available reader about the size and heft of a box of Altoids to scan the data from their RFID tags. The reader feeds the data to his computer, which is running software that Molnar ordered from RFID-maker Tagsys.

As he waves the reader over a book's spine, ID numbers pop up on his monitor. "I can definitely overwrite these tags," Molnar says. He finds an empty page in the RFID's memory and types "AB." When he scans the book again, we see the barcode with the letters "AB" next to it. (Molnar hastily erases the "AB," saying that he despises library vandalism.)

He fumes at the Oakland library's failure to lock the writable area. "I could erase the barcodes and then lock the tags. The library would have to replace them all."

Frank Mussche, Libramation's president, acknowledges that the library's tags were left unlocked. "That's the recommended implementation of our tags," he says. "It makes it easier for libraries to change the data."

For the Oakland Public Library, vulnerability is just one more problem in a buggy system. "This was mostly a pilot program, and it was implemented poorly," says administrative librarian Jerry Garzon. "We've decided to move ahead without Libramation and RFIDs."

But hundreds of libraries have deployed the tags. According to Mussche, Libramation has sold 5 million RFID tags in a "convenient" unlocked state.

While it may be hard to imagine why someone other than a determined vandal would take the trouble to change library tags, there are other instances where the small hassle could be worth big bucks. Take the Future Store. Located in Rheinberg, Germany, the Future Store is the world's preeminent test bed of RFID-based retail shopping.

All the items in this high tech supermarket have RFID price tags, which allow the store and individual product manufacturers - Gillette, Kraft, Procter & Gamble - to gather instant feedback on what's being bought. Meanwhile, shoppers can check out with a single flash of a reader. In July 2004, Wired hailed the store as the "supermarket of the future." A few months later, German security expert Lukas Grunwald hacked the chips.

Grunwald co-wrote a program called RFDump, which let him access and alter price chips using a PDA (with an RFID reader) and a PC card antenna. With the store's permission, he and his colleagues strolled the aisles, downloading information from hundreds of sensors.

They then showed how easily they could upload one chip's data onto another. "I could download the price of a cheap wine into RFDump," Grunwald says, "then cut and paste it onto the tag of an expensive bottle."

The price-switching stunt drew media attention, but the Future Store still didn't lock its price tags. "What we do in the Future Store is purely a test," says Future Store spokesperson Albrecht von Truchsess. "We don't expect that retailers will use RFID like this at the product level for at least 10 or 15 years."

By then, Truchsess thinks, security will be worked out.

Today, Grunwald continues to pull even more elaborate pranks with chips from the Future Store. "I was at a hotel that used smartcards, so I copied one and put the data into my computer," Grunwald says. "Then I used RFDump to upload the room key card data to the price chip on a box of cream cheese from the Future Store. And I opened my hotel room with the cream cheese!"

Aside from pranks, vandalism, and thievery, Grunwald has recently discovered another use for RFID chips: espionage. He programmed RFDump with the ability to place cookies on RFID tags the same way Web sites put cookies on browsers to track returning customers. With this, a stalker could, say, place a cookie on his target's E-ZPass, then return to it a few days later to see which toll plazas the car had crossed (and when). Private citizens and the government could likewise place cookies on library books to monitor who's checking them out.

In 1997, ExxonMobil equipped thousands of service stations with SpeedPass, which lets customers wave a small RFID device attached to a key chain in front of a pump to pay for gas. Seven years later, three graduate students - Steve Bono, Matthew Green, and Adam Stubblefield - ripped off a station in Baltimore. Using a laptop and a simple RFID broadcasting device, they tricked the system into letting them fill up for free.

The theft was concocted by Avi Rubin's computer science lab at Johns Hopkins University. Rubin's lab is best known for having found massive, hackable flaws in the code running on Diebold's widely adopted electronic voting machines in 2004. Working with RSA Labs manager Juels, the group figured out how to crack the RFID chip in ExxonMobil's SpeedPass.

Hacking the tag, which is made by Texas Instruments, is not as simple as breaking into Van Bokkelen's Sandstorm offices with a cloner. The radio signals in these chips, dubbed DST tags, are protected by an encryption cipher that only the chip and the reader can decode. Unfortunately, says Juels, "Texas Instruments used an untested cipher."

The Johns Hopkins lab found that the code could be broken with what security geeks call a "brute-force attack," in which a special computer known as a cracker is used to try thousands of password combinations per second until it hits on the right one.

Using a home-brewed cracker that cost a few hundred dollars, Juels and the Johns Hopkins team successfully performed a brute-force attack on TI's cipher in only 30 minutes. Compare that to the hundreds of years experts estimate it would take for today's computers to break the publicly available encryption tool SHA-1, which is used to secure credit card transactions on the Internet.

ExxonMobil isn't the only company that uses the Texas Instruments tags. The chips are also commonly used in vehicle security systems. If the reader in the car doesn't detect the chip embedded in the rubbery end of the key handle, the engine won't turn over. But disable the chip and the car can be hot-wired like any other.

Bill Allen, director of strategic alliances at Texas Instruments RFID Systems, says he met with the Johns Hopkins team and he isn't worried. "This research was purely academic," Allen says. Nevertheless, he adds, the chips the Johns Hopkins lab tested have already been phased out and replaced with ones that use 128-bit keys, along with stronger public encryption tools, such as SHA-1 and Triple DES.

Juels is now looking into the security of the new US passports, the first of which were issued to diplomats this March. Frank Moss, deputy assistant secretary of state for passport services, claims they are virtually hack-proof. "We've added to the cover an anti-skimming device that prevents anyone from reading the chip unless the passport is open," he says.

Data on the chip is encrypted and can't be unlocked without a key printed in machine-readable text on the passport itself.

But Juels still sees problems. While he hasn't been able to work with an actual passport yet, he has studied the government's proposals carefully. "We believe the new US passport is probably vulnerable to a brute-force attack," he says. "The encryption keys in them will depend on passport numbers and birth dates. Because these have a certain degree of structure and guessability, we estimate that the effective key length is at most 52 bits. A special key-cracking machine could probably break a passport key of this length in 10 minutes."

I'm lying facedown on an examination table at UCLA Medical Center, my right arm extended at 90 degrees. Allan Pantuck, a young surgeon wearing running shoes with his lab coat, is inspecting an anesthetized area on the back of my upper arm. He holds up something that looks like a toy gun with a fat silver needle instead of a barrel.

I've decided to personally test-drive what is undoubtedly the most controversial use of RFID today - an implantable tag. VeriChip, the only company making FDA-approved tags, boasts on its Web site that "this 'always there' identification can't be lost, stolen, or duplicated." It sells the chips to hospitals as implantable medical ID tags and is starting to promote them as secure-access keys.

Pantuck pierces my skin with the gun, delivering a microchip and antenna combo the size of a grain of long rice. For the rest of my life, a small region on my right arm will emit binary signals that can be converted into a 16-digit number. When Pantuck scans my arm with the VeriChip reader - it looks sort of like the wand clerks use to read barcodes in checkout lines - I hear a quiet beep, and its tiny red LED display shows my ID number.

Three weeks later, I meet the smartcard-intercepting Westhues at a greasy spoon a few blocks from the MIT campus. He's sitting in the corner with a half-finished plate of onion rings, his long blond hair hanging in his face as he hunches over the cloner attached to his computer.

Because the VeriChip uses a frequency close to that of many smartcards, Westhues is pretty sure the cloner will work on my tag. Westhues waves his antenna over my arm and gets some weird readings. Then he presses it lightly against my skin, the way a digital-age pickpocket could in an elevator full of people.

He stares at the green waveforms that appear on his computer screen. "Yes, that looks like we got a good reading," he says.

After a few seconds of fiddling, Westhues switches the cloner to Emit and aims its antenna at the reader. Beep! My ID number pops up on its screen. So much for implantable IDs being immune to theft. The whole process took 10 minutes. "If you extended the range of this cloner by boosting its power, you could strap it to your leg, and somebody passing the VeriChip reader over your arm would pick up the ID," Westhues says. "They'd never know they hadn't read it from your arm."

Using a clone of my tag, as it were, Westhues could access anything the chip was linked to, such as my office door or my medical records.

John Proctor, VeriChip's director of communications, dismisses this problem. "VeriChip is an excellent security system, but it shouldn't be used as a stand-alone," he says.

His recommendation: Have someone also check paper IDs.

But isn't the point of an implantable chip that authentication is automatic? "People should know what level of security they're getting when they inject something into their arm," he says with a half smile.

They should - but they don't.

A few weeks after Westhues clones my chip, Cincinnati-based surveillance company CityWatcher announces a plan to implant employees with VeriChips. Sean Darks, the company's CEO, touts the chips as "just like a key card."

Indeed.