RFID: Coming to a Town Near You

Ian Kilpatrick, Wick-Hill
Ian Kilpatrick, Wick-Hill
Karsten Nohl
Karsten Nohl
Nick Miles, Evidian
Nick Miles, Evidian

After several years of apparent stagnation, RFID (radio-frequency identification) security looks set to become a hot topic this summer, largely thanks to a number of news-worthy developments in the fledgling industry.

Back in late February this year, a University of Virginia graduate student and two fellow hackers announced they had cracked the MiFare RFID crypto system that is used in a number of contactless (RFID) card systems.

Twenty-six-year-old Karsten Nohl and his two German partners startled the previously placid world of RFID by revealing they had dismantled the chip and mapped out its secret security algorithm. After running their decoded algorithm through a high-powered desktop PC, the trio claim they cracked the encryption within a few hours.

At the time, NXP, the company that developed the MiFare technology, claimed Nohl’s research had only partially mapped the algorithm, but media interviews with the University of Virginia graduate have since revealed the extent of his research.

As part of their research, Nohl and his colleagues stripped down several MiFare cards and examined the micro-circuitry using a microscope and OpenPCD, an open source RFID reader application. They took multiple pictures of the millimeter-square chipset, layer by layer.
By stripping the chip down and analyzing many of the gates and how they interacted, Nohl and his team learnt that there were around 70 different types of gates which made up the total of around 10 000 on the chip.

Using this approach allowed the team to reverse engineer the chipset and decode the 16-bit random number generator at the heart of the cryptographic process. From there, they managed to persuade the random number generator to ‘generate’ the same number in each transaction. Thus, they claim, the crypto process was effectively cracked.

Fast-forward to July and NXP - a Philips spin-off based in the Netherlands - has taken an injunction out against the University of Nijmegen, which plans on publishing an in-depth study into Nohl’s research at the European Symposium on Research in Computer Security (ESORICS) event in Malaga this October.

A preliminary legal ruling from the Dutch courts was expected as this issue of Infosecurity went to press, but a media statement from the University said that the study will simply allow other researchers to learn from NXP’s mistakes and that NXP had previously been sent a draft of the study.

RFID at the Heart

“The company should really be working with the researchers on how to improve the security, rather than seeking to gag them,”
Nick Miles, Evidian

According to Nick Miles, a technical manager with single sign-on specialist Evidian, whose range of single sign-on technologies - including AccessMaster and PortalXpert - make extensive use of RFID technology, NXP’s legal action is not the best way to solve the fact that the MiFare system may have been compromised.

“The company should really be working with the researchers on how to improve the security, rather than seeking to gag them,” he said, adding that, despite this very specific card technology hack, single sign-on remains an excellent means of restricting access to data via desktop and notebook computers.

Single sign-on, he said, means different things to different people, although RFID technology is generally still at the heart of the many different systems on the market.

Other uses of RFID technology, he said, can be used to track people and company assets as they move around. “A company could use RFID technology to alert them if a computer notebook or expensive IT component leaves a section of the building, and security can be alerted. Similarly, the technology can also be used to wirelessly locate an asset that is in transit. It’s a flexible system,” he said.

According to Miles, there are two types of RFID technology in today’s marketplace - active and passive.

Passive technology is relatively short range, but is useful in smart card payment systems, says Miles.

“Active RFID, on the other hand, has many more applications, since the card has a signal generator and a degree of intelligence on board. On top of that, the cost of a simple active RFID technology system has fallen to the same level as a passive system, so unless your needs are very specific, active technology is now the way to go,” he said.

Evidian’s Miles insisted that single sign-on technology is a fast-growing market, but RFID security is not always about security issues.

“RFID technology is also being used by the military to locate staff and assets in, for example, Iraq. If you’re in a military command situation, you’re going to want to know when an asset - an armored transport, for example - has left or arrived back at base, and who went out in the unit. RFID technology can tell you that information, and highly accurately,” he said.

“And when you start to mesh RFID security and single sign-on technology in with tracking systems like GPS (Global Positioning System) and mobile data (3G/GSM/GPRS) you start to have a constantly updated picture of who and what is deployed in the real world. It’s this meshing of different technology that we see as the most useful aspect of this security technology,” he added.

Safety First

“Most businesses we encounter are more interested in helping to prevent information leaking out, rather than preventing electronic theft of data, although that’s still a concern for most firms,”
Ian Kilpatrick, Wick-Hill

Deployment of a system within Washington DC’s Department of Corrections is a good example of real world deployment.

Gabi Daniely, vice president of marketing and product strategy for AeroScout, said the company’s Active RFID tags use the standard Wi-Fi network already setup to track equipment while performing a variety of wireless solutions.

AeroScout recently announced its Wi-Fi compatible technology will combine with Alanco Technologies TSI PRISM system to provide a 2.4 GHz Wi-Fi compatible inmate tracking system at the Washington DC Department of Corrections that tracks and monitors more than 2 000 inmates.

The Alanco/AeroScout system is intended to increase safety and improve inmate accountability.

The company’s hardware and software solution includes detecting tags, monitoring, readers and an application that stores the data.

“In the prison, we are using the solution to track inmates and provide specialized tags for the uncooperative wearer,” Daniely said. “Within hospitals, RFID systems are used in preventive maintenance, to manage temperature monitoring and in the trauma and mental wards where a screen can pop up with the patient’s location, so you would know where to go if a patient leaves the ward unattended.”

Ian Kilpatrick, chairman of IT security systems integrator Wick-Hill is another evangelist of RFID and says the bulk of his firm’s focus centers on helping to prevent data leakage using the technology.

“Most businesses we encounter are more interested in helping to prevent information leaking out, rather than preventing electronic theft of data, although that’s still a concern for most firms,” he explained.

Single sign-on technology, driven by RFID cards, is growing in popularity in office environments because of this, he said, adding that valuable assets such as PC hard drives can also be integrated into a RFID-driven single sign-on system to help prevent them going walkabout.

“What we’re seeing is that RFID technology is starting to be used at heart of a growing number of physical and electronic security systems,” he said, adding that, because of this, many users of the technology are often unaware they are actually using RFID chipsets as part of their security.

What’s hot on Infosecurity Magazine?