Mohammad Reza Sohizadeh Abyaneh has found that RFID chips aren’t totally safe. (Photo: Dag Hellestad)

Identification chips are vulnerable to attacks

Radio Frequency Identification (RFID) chips can identify people, animals and objects from a distance of several metres but the technology is susceptible to misuse and hacking.

This article is more than ten years old and may contain outdated information.

They are used in key or access cards, electronic travel cards and ID cards to make life easier. Unfortunately some of them can be used to make our lives a little riskier.

RFID is a technology for automatic and wireless identification of an object, animal or person – without any physical or even visual contact with the RFID reader.

This is because RFID chips are designed to be read by radio waves.

These chips are also used in the new biometric or E-passports, and many pet owners equip their animals with the chips so they can be returned if they get lost or run away.

Simple, practical – and unsafe?

“RFID chips often contain essential information. This can be a problem when the chips are read surreptitiously and this data is misused,” says Mohammad Reza Sohizadeh Abyaneh.

He has studied the security systems intended to prevent such misuse in his PhD thesis Security Analysis of Lightweight Schemes for RFID Systems.

“Security systems are out there. The problem is whether they’re actually secure. My thesis is about ways of analysing the security of such systems,” he explains.

Cheapest isn’t best

Sohizadeh has analysed the security of some of the simplest and cheapest RFID chips, or tags. These cheap chips have limited capacity to implement several types of security measures, for instance encryption.

Low-cost tags were designed to replace barcodes and are primarily made for identifying commodities in stores and warehouses. But according to Sohizadeh, these are also found in travel cards and even in certain ID cards.

He analysed the security of these systems by simulating an attack on their security solutions. The results do little to allay fears.

“I discovered that all the solutions I studied lacked security and were vulnerable to attack,” he says.

Lightweight cryptography

Manufacturers of RFID systems have tried to maintain security by using so-called lightweight cryptography protocols. In theory, these protocols should provide a high level of security even with the limited capacity of low-cost tags.

Unfortunately, they often sacrifice security for an even easier solution, according to Sohizadeh.

“The designers of these security systems have claimed that they meet standards and their security solutions can readily withstand attacks. I’ve shown that this isn’t so and some types of attacks can successfully penetrate these solutions.” 

Simulated attacks – real threat

Although Sohizadeh has only worked with simulated attacks, he maintains that the security threats are real enough. Although a bona fide hacking attack requires a solid understanding of the systems, as well as certain electronic devices, it’s completely feasible for someone with villainous intentions to crack the systems and read RFID chips illegally.

“If you’re sufficiently motivated, this isn’t hard or expensive to do. All you need is a laptop and some electronic gadgets,” says the researcher.

This sort of unauthorised reading of RFID chips isn’t just a security breach; it also threatens basic privacy protection. As the technology becomes ubiquitous, illegal scanning can reveal a whole lot about a person.

A miscreant could scan various cards to get hold of personal information. He could for instance find out which key cards and ID cards his victim is carrying and how and where he or she travels. Because common chips can be read from up to ten metres away, it’s no problem keeping RFID carriers under surveillance.

Crucial need for security evaluation

Fortunately, debit cards and electronic passports use more expensive and safer RFID chips. You have to get considerably closer to read these and they’re much harder to hack into than cheaper types. But they aren’t fool-proof.

Sohizadeh thinks a thorough and conscious security evaluation and analysis is now needed to make RFID systems safer. But users or consumers can do their bit to protect their chips from unauthorised scanning.

“Products are available that shield RFID chips from illegal reading,” says Sohizadeh, who practices what he preaches.

He walks around with his plastic in an RFID-proof wallet, for safety’s sake.

Read the Norwegian version of this article at forskning.no

Translated by: Glenn Ostling
