Arthur C. Clarke once proclaimed that "any sufficiently advanced technology is indistinguishable from magic." Even as a Computer Science student, I find myself identifying with this idea. Because I have studied mostly the software side, I tend to think of hardware as a vaguely magical black box. When dealing with magic, things are supposed to "just work," and we don't question why because it is all mysterious. The problem with this thinking is that even if a technology works, it might not work well or have been implemented correctly, especially when it comes to security.
RFID is a magical technology in this sense: it is common enough that people know the name, but not well enough understood that they know how it works. If you are unfamiliar with it, RFID is the chip inside some credit cards that forms the basis of "tap and go" payment. RFID tags are also found in many transit cards, such as the CharlieCard (Boston) and the SmarTrip (D.C.). A tag can store information (like how much money is on your card), and it communicates with a reader over radio waves. The radio link is why a card can usually be read through your wallet but not once you wrap it in aluminum foil. At Princeton, our student IDs ("Prox" cards) have RFID tags inside them, and students use them to get into buildings; they add an extra layer of building security.
Because Princeton's building security rests on our Prox cards, I wanted to know how secure they were. I used an off-the-shelf RFID reader (an Omnikey CardMan 5321, around $100) and open-source software (RFIDIOt, free) to see what I could get out of the RFID cards I had: a Princeton Prox card, a CharlieCard, and a Princeton Public Library card. Luckily (or unluckily for me), the Princeton Prox card turned out to be an HID iCLASS card, which my literature study suggested was one of the more secure cards on the market. HID claims to have built physical anti-cloning (card-copying) countermeasures into the card.
However, I discovered that hotlisting attacks were entirely possible against all three cards I had. Hotlisting is an attack that tracks an individual through a unique identifier (UID): a serial number unique to that card, which the card reports to any reader that polls it, before any authentication of the reader takes place. Each of my cards returned a UID to my unauthorized reader, and since the number is unique, it links directly to that card. Because each card is tied to one person, I could then track individuals, provided I had a point of reference where I could both confirm someone's identity and read the UID off their card. Reading a card's tag is very unobtrusive, especially where cards are in constant use: all it takes is brushing up against someone's wallet, and I have the number. So to follow a person's movements, I would only need to place a handful of readers in key locations and obtain that person's UID once. Since I could read the UID of every card I tested, and considering how common RFID cards are, I believe that most people are trackable this way. RFID tags are also turning up in items other than cards, such as library books and EZ Pass and related electronic toll transponders. As more cards add RFID tags, this will become a bigger issue: whenever you carry your card, you can be followed.
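To make the attack concrete, here is an added example (my own illustration, not code from the project or from RFIDIOt) that simulates the hotlisting step. It assumes a handful of covert readers that each log the UID they see along with a timestamp and a location, and one "point of reference" where the attacker has matched a UID to a name. Every log line, location name, UID and person in it is constructed for the example. It also goes one step beyond the text by showing the countermeasure: if a card answered each poll with a fresh random UID instead of a fixed serial, the same logs would no longer link up into a trail.

```python
import random
import re
from collections import defaultdict
from datetime import datetime

# Constructed reader log: what a few covert readers might record over one day.
# Reader names and UIDs are invented for this example.
READER_LOG = """\
2013-03-04T08:12:03 reader=Frist uid=04A2B3C4D5E6F7
2013-03-04T08:12:40 reader=Frist uid=0411223344AABB
2013-03-04T09:01:15 reader=Firestone uid=04A2B3C4D5E6F7
2013-03-04T12:30:02 reader=Dillon uid=0411223344AABB
2013-03-04T12:31:50 reader=Dillon uid=04A2B3C4D5E6F7
2013-03-04T17:45:21 reader=Forbes uid=04A2B3C4D5E6F7
"""

# Constructed "point of reference": the attacker once read this UID while
# confirming the holder's identity (e.g. at a sign-in desk).
REFERENCE = {"04A2B3C4D5E6F7": "Alice"}

LINE_RE = re.compile(r"^(?P<ts>\S+) reader=(?P<reader>\S+) uid=(?P<uid>[0-9A-Fa-f]+)$")


def parse_log(text):
    """Turn raw reader lines into sorted (timestamp, reader, uid) tuples.
    Lines that do not match the expected format are skipped rather than
    crashing the correlation."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["reader"], m["uid"].upper()))
    return sorted(events)


def build_trails(events):
    """Group sightings by UID. A static UID is all the attacker needs: every
    sighting of the same number is the same card, hence the same person."""
    trails = defaultdict(list)
    for ts, reader, uid in events:
        trails[uid].append((ts, reader))
    return dict(trails)


def attribute(trails, reference):
    """Attach names to trails using the point-of-reference mapping uid -> name.
    Trails for UIDs never matched to a person stay anonymous (and are dropped)."""
    return {reference[uid]: trail for uid, trail in trails.items() if uid in reference}


def locations_for(name, log_text=READER_LOG, reference=REFERENCE):
    """Convenience: the ordered list of readers that saw the named person's card."""
    trails = build_trails(parse_log(log_text))
    return [reader for _, reader in attribute(trails, reference).get(name, [])]


def largest_trail(events):
    """Length of the longest per-UID trail; 1 means nothing could be linked."""
    return max(len(t) for t in build_trails(events).values())


def randomised_uid_log(events, seed=0):
    """Simulate a card that answers every poll with a fresh random UID.
    ISO 14443-3 marks a random single-size UID with a leading 0x08 byte;
    a real card would use its hardware RNG, the seed here is only so the
    example is reproducible. Same readers, same times, but no linkable number."""
    rng = random.Random(seed)
    return [(ts, reader, "08%06X" % rng.getrandbits(24)) for ts, reader, _ in events]


if __name__ == "__main__":
    print("Alice was seen at:", locations_for("Alice"))
    static = parse_log(READER_LOG)
    print("longest trail with static UIDs :", largest_trail(static))
    print("longest trail with random UIDs :", largest_trail(randomised_uid_log(static)))
```

The design point is that nothing in the correlation depends on breaking the card: the trail is built purely from the identifier the card volunteers during anti-collision. That is also why the random-UID variant defeats it, and why an RFID-blocking sleeve (which prevents the poll from reaching the card at all) is the practical defence for cards that cannot be configured that way.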
This was one of two research projects I completed during my junior year at Princeton. Here is my other project on hidden metadata in Microsoft Word Documents.


Do these actually work? -> http://www.thinkgeek.com/gadgets/security/8cdd/
I don't know about this specific model, but RFID-blocking wallets usually work, since they just physically block the communication between a card and a reader.