They can steal your smartcard, lift your passport, jack your car, even clone the chip in your arm. And you won't feel a thing. 5 tales from the RFID-hacking underground.
By Annalee Newitz (annalee@techsploitation.com)
The RFID Hacking Underground
http://www.wired.com/wired/archive/14.05/rfid_pr.html
James Van Bokkelen is about to be robbed. A wealthy software entrepreneur, Van Bokkelen will be the latest victim of some punk with a laptop. But this won't be an email scam or bank account hack. A skinny 23-year-old named Jonathan Westhues plans to use a cheap, homemade USB device to swipe the office key out of Van Bokkelen's back pocket.
"I just need to bump into James and get my hand within a few inches of him," Westhues says. We're shivering in the early spring air outside the offices of Sandstorm, the Internet security company Van Bokkelen runs north of Boston. As Van Bokkelen approaches from the parking lot, Westhues brushes past him. A coil of copper wire flashes briefly in Westhues' palm, then disappears.
Van Bokkelen enters the building, and Westhues returns to me. "Let's see if I've got his keys," he says, meaning the signal from Van Bokkelen's smartcard badge. The card contains an RFID sensor chip, which emits a short burst of radio waves when activated by the reader next to Sandstorm's door. If the signal translates into an authorized ID number, the door unlocks.
The coil in Westhues' hand is the antenna for the wallet-sized device he calls a cloner, which is currently shoved up his sleeve. The cloner can elicit, record, and mimic signals from smartcard RFID chips. Westhues takes out the device and, using a USB cable, connects it to his laptop and downloads the data from Van Bokkelen's card for processing. Then, satisfied that he has retrieved the code, Westhues switches the cloner from Record mode to Emit. We head to the locked door.
"Want me to let you in?" Westhues asks. I nod.
He waves the cloner's antenna in front of a black box attached to the wall. The single red LED blinks green. The lock clicks. We walk in and find Van Bokkelen waiting.
"See? I just broke into your office!" Westhues says gleefully. "It's so simple."
Van Bokkelen, who arranged the robbery "just to see how it works," stares at the antenna in Westhues' hand. He knows that Westhues could have performed his wireless pickpocket maneuver and then returned with the cloner after hours. Westhues could have walked off with tens of thousands of dollars' worth of computer equipment - and possibly source code worth even more. Van Bokkelen mutters, "I always thought this might be a lousy security system."
RFID chips are everywhere - companies and labs use them as access keys, Prius owners use them to start their cars, and retail giants like Wal-Mart have deployed them as inventory tracking devices. Drug manufacturers like Pfizer rely on chips to track pharmaceuticals. The tags are also about to get a lot more personal: Next-gen US passports and credit cards will contain RFIDs, and the medical industry is exploring the use of implantable chips to manage patients. According to the RFID market analysis firm IDTechEx, the push for digital inventory tracking and personal ID systems will expand the current annual market for RFIDs from $2.7 billion to as much as $26 billion by 2016.
RFID technology dates back to World War II, when the British put radio transponders in Allied aircraft to help early radar system crews tell good guys from bad guys. The first chips were developed in research labs in the 1960s, and by the next decade the US government was using tags to electronically authorize trucks coming into Los Alamos National Laboratory and other secure facilities. Commercialized chips became widely available in the '80s, and RFID tags were being used to track difficult-to-manage property like farm animals and railroad cars. But over the last few years, the market for RFIDs has exploded, driven by advances in computer databases and declining chip prices. Now dozens of companies, from Motorola to Philips to Texas Instruments, manufacture the chips.
The tags work by broadcasting a few bits of information to specialized electronic readers. Most commercial RFID chips are passive emitters, which means they have no onboard battery: They send a signal only when a reader powers them with a squirt of electrons. Once juiced, these chips broadcast their signal indiscriminately within a certain range, usually a few inches to a few feet. Active emitter chips with internal power can send signals hundreds of feet; these are used in the automatic toll-paying devices (with names like FasTrak and E-ZPass) that sit on car dashboards, pinging tollgates as autos whiz through.
For protection, RFID signals can be encrypted. The chips that will go into US passports, for example, will likely be coded to make it difficult for unauthorized readers to retrieve their onboard information (which will include a person's name, age, nationality, and photo). But most commercial RFID tags don't include security, which is expensive: A typical passive RFID chip costs about a quarter, whereas one with encryption capabilities runs about $5. It's just not cost-effective for your average office building to invest in secure chips.
This leaves most RFIDs vulnerable to cloning or - if the chip has a writable memory area, as many do - data tampering. Chips that track product shipments or expensive equipment, for example, often contain pricing and item information. These writable areas can be locked, but often they aren't, because the companies using RFIDs don't know how the chips work or because the data fields need to be updated frequently. Either way, these chips are open to hacking.
"The world of RFID is like the Internet in its early stages," says Ari Juels, research manager at the high tech security firm RSA Labs. "Nobody thought about building security features into the Internet in advance, and now we're paying for it in viruses and other attacks. We're likely to see the same thing with RFIDs."
David Molnar is a soft-spoken computer science graduate student who studies commercial uses for RFIDs at UC Berkeley. I meet him in a quiet branch of the Oakland Public Library, which, like many modern libraries, tracks most of its inventory with RFID tags glued inside the covers of its books. These tags, made by Libramation, contain several writable memory "pages" that store the books' barcodes and loan status.
Brushing a thatch of dark hair out of his eyes, Molnar explains that about a year ago he discovered he could destroy the data on the books' passive-emitting RFID tags by wandering the aisles with an off-the-shelf RFID reader-writer and his laptop. "I would never actually do something like that, of course," Molnar reassures me in a furtive whisper, as a nonbookish security guard watches us.
Our RFID-enabled checkout is indeed quite convenient. As we leave the library, we stop at a desk equipped with a monitor and arrange our selections, one at a time, face up on a metal plate. The titles instantly appear onscreen. We borrow four books in less than a minute without bothering the librarian, who is busy helping some kids with their homework.
Molnar takes the books to his office, where he uses a commercially available reader about the size and heft of a box of Altoids to scan the data from their RFID tags. The reader feeds the data to his computer, which is running software that Molnar ordered from RFID-maker Tagsys. As he waves the reader over a book's spine, ID numbers pop up on his monitor.
"I can definitely overwrite these tags," Molnar says. He finds an empty page in the RFID's memory and types "AB." When he scans the book again, we see the barcode with the letters "AB" next to it. (Molnar hastily erases the "AB," saying that he despises library vandalism.) He fumes at the Oakland library's failure to lock the writable area. "I could erase the barcodes and then lock the tags. The library would have to replace them all."
Frank Mussche, Libramation's president, acknowledges that the library's tags were left unlocked. "That's the recommended implementation of our tags," he says. "It makes it easier for libraries to change the data."
For the Oakland Public Library, vulnerability is just one more problem in a buggy system. "This was mostly a pilot program, and it was implemented poorly," says administrative librarian Jerry Garzon. "We've decided to move ahead without Libramation and RFIDs."
But hundreds of libraries have deployed the tags. According to Mussche, Libramation has sold 5 million RFID tags in a "convenient" unlocked state.
While it may be hard to imagine why someone other than a determined vandal would take the trouble to change library tags, there are other instances where the small hassle could be worth big bucks. Take the Future Store. Located in Rheinberg, Germany, the Future Store is the world's preeminent test bed of RFID-based retail shopping. All the items in this high tech supermarket have RFID price tags, which allow the store and individual product manufacturers - Gillette, Kraft, Procter & Gamble - to gather instant feedback on what's being bought. Meanwhile, shoppers can check out with a single flash of a reader. In July 2004, Wired hailed the store as the "supermarket of the future." A few months later, German security expert Lukas Grunwald hacked the chips.
Grunwald cowrote a program called RFDump, which let him access and alter price chips using a PDA (with an RFID reader) and a PC card antenna. With the store's permission, he and his colleagues strolled the aisles, downloading information from hundreds of sensors. They then showed how easily they could upload one chip's data onto another. "I could download the price of a cheap wine into RFDump," Grunwald says, "then cut and paste it onto the tag of an expensive bottle." The price-switching stunt drew media attention, but the Future Store still didn't lock its price tags. "What we do in the Future Store is purely a test," says the Future Store spokesperson Albrecht von Truchsess. "We don't expect that retailers will use RFID like this at the product level for at least 10 or 15 years." By then, Truchsess thinks, security will be worked out.
Today, Grunwald continues to pull even more-elaborate pranks with chips from the Future Store. "I was at a hotel that used smartcards, so I copied one and put the data into my computer," Grunwald says. "Then I used RFDump to upload the room key card data to the price chip on a box of cream cheese from the Future Store. And I opened my hotel room with the cream cheese!"
Aside from pranks, vandalism, and thievery, Grunwald has recently discovered another use for RFID chips: espionage. He programmed RFDump with the ability to place cookies on RFID tags the same way Web sites put cookies on browsers to track returning customers. With this, a stalker could, say, place a cookie on his target's E-ZPass, then return to it a few days later to see which toll plazas the car had crossed (and when). Private citizens and the government could likewise place cookies on library books to monitor who's checking them out.
In 1997, ExxonMobil equipped thousands of service stations with SpeedPass, which lets customers wave a small RFID device attached to a key chain in front of a pump to pay for gas. Seven years later, three graduate students - Steve Bono, Matthew Green, and Adam Stubblefield - ripped off a station in Baltimore. Using a laptop and a simple RFID broadcasting device, they tricked the system into letting them fill up for free.
The theft was concocted by Avi Rubin's computer science lab at Johns Hopkins University. Rubin's lab is best known for having found massive, hackable flaws in the code running on Diebold's widely adopted electronic voting machines in 2004. Working with RSA Labs manager Juels, the group figured out how to crack the RFID chip in ExxonMobil's SpeedPass.
Hacking the tag, which is made by Texas Instruments, is not as simple as breaking into Van Bokkelen's Sandstorm offices with a cloner. The radio signals in these chips, dubbed DST tags, are protected by an encryption cipher that only the chip and the reader can decode. Unfortunately, says Juels, "Texas Instruments used an untested cipher." The Johns Hopkins lab found that the code could be broken with what security geeks call a "brute-force attack," in which a special computer known as a cracker is used to try thousands of password combinations per second until it hits on the right one. Using a home-brewed cracker that cost a few hundred dollars, Juels and the Johns Hopkins team successfully performed a brute-force attack on TI's cipher in only 30 minutes. Compare that to the hundreds of years experts estimate it would take for today's computers to break the publicly available encryption tool SHA-1, which is used to secure credit card transactions on the Internet.
ExxonMobil isn't the only company that uses the Texas Instruments tags. The chips are also commonly used in vehicle security systems. If the reader in the car doesn't detect the chip embedded in the rubbery end of the key handle, the engine won't turn over. But disable the chip and the car can be hot-wired like any other.
Bill Allen, director of strategic alliances at Texas Instruments RFID Systems, says he met with the Johns Hopkins team and he isn't worried. "This research was purely academic," Allen says. Nevertheless, he adds, the chips the Johns Hopkins lab tested have already been phased out and replaced with ones that use 128-bit keys, along with stronger public encryption tools, such as SHA-1 and Triple DES.
Juels is now looking into the security of the new US passports, the first of which were issued to diplomats this March. Frank Moss, deputy assistant secretary of state for passport services, claims they are virtually hack-proof. "We've added to the cover an anti-skimming device that prevents anyone from reading the chip unless the passport is open," he says. Data on the chip is encrypted and can't be unlocked without a key printed in machine-readable text on the passport itself.
But Juels still sees problems. While he hasn't been able to work with an actual passport yet, he has studied the government's proposals carefully. "We believe the new US passport is probably vulnerable to a brute-force attack," he says. "The encryption keys in them will depend on passport numbers and birth dates. Because these have a certain degree of structure and guessability, we estimate that the effective key length is at most 52 bits. A special key-cracking machine could probably break a passport key of this length in 10 minutes."
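Juels' argument is that a key derived from guessable fields is only as strong as the number of field combinations an attacker has to try. The added example below (written for this page, not Juels' or the State Department's code) turns that reasoning into a defender's check: it computes the effective key length from the sizes of the candidate spaces and the guess rate a cracker would need for a figure like "52 bits in 10 minutes". The field widths are constructed assumptions for illustration; the article gives none.

```python
import math

# Constructed candidate-space sizes for the fields Juels says the key depends on.
# These widths are ASSUMPTIONS for illustration, not figures from the article:
# a 9-digit passport number and a date of birth somewhere in a 100-year window.
FIELDS_WORST_CASE = {
    "passport_number": 10 ** 9,
    "birth_date": 100 * 365,
}
# The same fields once "structure and guessability" are exploited: the number is
# assumed to lie in a block of 10 million issued around a known date, and the
# holder's age is assumed known to within 10 years (again, constructed values).
FIELDS_GUESSABLE = {
    "passport_number": 10 ** 7,
    "birth_date": 10 * 365,
}


def effective_key_bits(fields):
    """Effective key length: log2 of how many distinct keys an attacker must
    try when the key is derived deterministically from the given fields."""
    candidates = 1
    for size in fields.values():
        candidates *= size
    return math.log2(candidates)


def expected_crack_seconds(key_bits, guesses_per_second):
    """Expected search time: on average half the key space is visited."""
    return 2 ** (key_bits - 1) / guesses_per_second


def guess_rate_for(key_bits, seconds):
    """Guess rate a cracker would need to search half the space in `seconds`;
    use it to sanity-check a claim like "52 bits in 10 minutes"."""
    return 2 ** (key_bits - 1) / seconds


def is_key_derivation_adequate(fields, guesses_per_second, budget_seconds):
    """Defender's check: does a key derived from these fields hold out against
    a brute-force search at the given rate for longer than the budget?"""
    bits = effective_key_bits(fields)
    return expected_crack_seconds(bits, guesses_per_second) > budget_seconds


if __name__ == "__main__":
    for name, fields in (("worst case", FIELDS_WORST_CASE),
                         ("guessable", FIELDS_GUESSABLE)):
        print(f"{name}: {effective_key_bits(fields):.1f} effective bits")
    # Guess rate implied by the article's figure of 52 bits in 10 minutes.
    print(f"52 bits in 10 min needs {guess_rate_for(52, 600):.2e} guesses/s")
```

With the constructed widths the worst case comes to about 45 bits and the guessable case to about 35, both below the 52-bit upper bound Juels quotes; the point of the check is that the real figure depends on how the fields are actually issued, not on the nominal digit count.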
I'm lying facedown on an examination table at UCLA Medical Center, my right arm extended at 90 degrees. Allan Pantuck, a young surgeon wearing running shoes with his lab coat, is inspecting an anesthetized area on the back of my upper arm. He holds up something that looks like a toy gun with a fat silver needle instead of a barrel.
I've decided to personally test-drive what is undoubtedly the most controversial use of RFIDs today - an implantable tag. VeriChip, the only company making FDA-approved tags, boasts on its Web site that "this 'always there' identification can't be lost, stolen, or duplicated." It sells the chips to hospitals as implantable medical ID tags and is starting to promote them as secure-access keys.
Pantuck pierces my skin with the gun, delivering a microchip and antenna combo the size of a grain of long rice. For the rest of my life, a small region on my right arm will emit binary signals that can be converted into a 16-digit number.
When
Tuesday, 05/09/06