Karsten Nohl Speaks on RFID Security at UW Security Lunch

By Evan Welbourne at 11:38 pm on March 31, 2008

Karsten Nohl spoke today at Prof. Yoshi Kohno’s weekly UW Security group lunch. The topic of the talk was “The (Im)possibility of Hardware Obfuscation”. In the talk, Karsten described the impracticality of hardware obfuscation techniques with a focus on the recent OV-chipkaart hack in which he played a key role. He also emphasized that it was quite feasible to reverse engineer Mifare Classic and similar hardware with a small budget and readily available tools (e.g. polishing paper, a microscope, Matlab).

Also in attendance were Starbug (Jan Krissler) from the CCC in Berlin and 3ric Johanson, a Seattle-area security professional, RFID hacker, and member of Shmoo. The presentation and discussion were great! A video of a similar talk which Karsten gave at Google can be found on his homepage: http://www.cs.virginia.edu/~kn5f/

Filed under: RFID Security and Privacy

Washington Gov. Gregoire Signs RFID Bills into Law

By Evan Welbourne at 8:43 am on March 30, 2008

Last week Washington State Governor Christine Gregoire signed into law two bills that affect RFID in Washington State. The first is House Bill 2729, “addressing the reading and handling of certain identification documents”, which was proposed by Rep. Deborah Eddy (D-Kirkland). HB 2729, which Prof. Balazinska testified in support of, makes it a felony and a violation of the Consumer Protection Act (with a few exceptions) for a party to read an Enhanced Driver’s License’s RFID tag without consent. It also protects the documentation and information provided upon applying for an EDL from public disclosure.

The second bill is House Bill 1031, “changing provisions concerning electronic devices”, which was proposed by Rep. Jeff Morris (D-Mt. Vernon). The bill was originally introduced in early 2007 as an “Electronic Bill of Rights” which would give consumers “the power to know who is collecting information and what has been collected”, as Morris explained it in late 2006. A series of revisions since that time have shifted the bill’s focus from regulating RFID technology to regulating the behavior of those seeking to abuse it. This shift is highly significant from both a public policy and an RFID industry perspective. More information on the bill can be found in an RFID Journal blog entry and on the bill’s information page.

Filed under: RFID Security and Privacy, RFID legislation