The Guardian reports that London’s Oyster transit card may have been hacked by a group of Security researchers at Radboud University in Holland.  The hack allows an attacker to clone the Oyster card’s RFID chip after cracking its encryption in just a few seconds.  This is the latest in a series of Mifare smartcard hacks which have compromised European transit card systems in the last year.

It’s interesting to note that the authorities are not considering the hack to be a serious threat.  London Transport has claimed not only that they can detect fraudulent use within 24 hours using checks in software (a level of security often ignored by hardware hackers), but that a criminal could gain at most about £3 per cloned card.  As such, the incentive to clone Oyster cards probably isn’t that great.  One point which the article does not highlight and which is perhaps more concerning from a privacy standpoint, however, is that London Transport collects and can process data on 38 million journeys per week to identify individual instances of fraudulent use (and who knows what else?).

Today’s talks covered a variety of topics, from effective and efficient strategies for managing RFID data in the supply chain, to a framework for security in interoperable RFID networks, to probabilistic RFID data cleaning and even RFID in mobile E-commerce.

One interesting talk on “Interoperable Internet Scale Security Framework for RFID Networks” was given by Tingting Mao at the MIT AUTO-ID lab. This work describes a framework whereby businesses can define policies for sharing EPC data and the associated business events. A key feature of this system is that it uses authentication and authorization based on an aggregation of business rules, enterprise information, and RFID tag information. In another talk, Antti Sirkka from TietoEnator discussed “Modelling Traceability in the Forestry Wood Supply Chain”. This work aims to use RFID to improve information on processes in the forestry wood production system – a pressing problem given the equivalent of Є5 billion of wood raw material going to waste in Europe.

There were also great talks and discussion from panelists Yanlei Diao (University of Massachusetts, Amherst) and Fusheng Wang (Siemens Corporate Research).

Slides from the talks will eventually be posted online at: http://rfid.cs.washington.edu/rfdm08/

Karsten Nohl spoke today at Prof. Yoshi Kohno’s weekly UW Security group lunch. The topic of the talk was “The (Im)possibility of Hardware Obfuscation”. In the talk, Karsten described the impracticality of hardware obfuscation techniques with a focus on the recent OV-chipkaart hack in which he played a key role. He also emphasized that it was quite feasible to reverse engineer Mifare Classic and similar hardware with a small budget and readily available tools (e.g. polishing paper, a microscope, Matlab).

Also in attendance were Starbug (Jan Krissler) from the CCC in Berlin and 3ric Johanson, a Seattle-area security professional, RFID hacker, and member of Shmoo. The presentation and discussion were great! A video of a similar talk which Karsten gave at Google can be found on his homepage: http://www.cs.virginia.edu/~kn5f/

Last week Washington State Governor Christine Gregoire signed into law two bills that affect RFID in Washington State. The first is House Bill 2729, “addressing the reading and handling of certain identification documents”, which was proposed by Rep. Deborah Eddy (D-Kirkland). HB 2729, which Prof. Balazinska testified in support of, makes it a felony and a violation of the Consumer Protection Act (with a few exceptions) for a party to read an Enhanced Driver’s License’s RFID tag without consent. It also protects the documentation and information provided upon applying for an EDL from public disclosure.

The second bill is House Bill 1031, “changing provisions concerning electronic devices”, which was proposed by Rep. Jeff Morris (D-Mt. Vernon). The bill was originally introduced in early 2007 as an “Electronic Bill of Rights” which would give consumers “the power to know who is collecting information and what has been collected”, as Morris explained it in late 2006. A series of revisions since that time have shifted the bill’s focus from regulating RFID technology to regulating the behavior of those seeking to abuse it. This shift is highly significant from both a public policy and an RFID industry perspective. More information on the bill can be found in an RFID Journal blog entry and on the Bill’s information page.

Prof. Magdalena Balazinska testified at a public hearing today in the Washington State House Committee on Technology, Energy & Communications. The hearing was on House Bill 2729, which addresses “the reading and handling of certain identification documents” and is sponsored by Rep. Deborah Eddy among others. This is an especially timely bill in that it addresses privacy concerns raised by emerging public RFID systems such as the U.S. Passport Card, the Enhanced Driver’s License (EDL), and the new Puget Sound area transit pass, the ORCA card. The bill essentially limits the reading of RFID licenses and identicards as well as the use of the information contained on them. From the bill:

“[...] Washington state recognizes the importance of protecting the confidentiality and privacy of an individual’s personal information contained in drivers’ licenses and identicards.”

“[...] A nongovernmental entity may only electronically read an individual’s driver’s license or identicard to verify the authenticity of the document or verify the individual’s age or identity. [...] When a nongovernmental entity electronically reads a driver’s license or identicard for one of the purposes permitted in (a) of this subsection, and except as otherwise permitted in subsection (3) of this section, the entity may not store, sell, or share personal information collected from the driver’s license or identicard without written consent of the individual.”

Magda provided expert testimony on the privacy risks of such systems. Using examples from our research in the RFID Ecosystem project, Magda described how the lack of security features…
(Read complete post >>)

I was fortunate to participate in the RFID CUSP workshop at Johns Hopkins University last week. The goal of the workshop was to bring together a broad cross-section of the RFID community in an effort to shape research agendas in service of pressing, real-world problems.

About half the speakers had government and/or industry backgrounds; the rest were RFID researchers. Among the government speakers was Hugo Teufel III, the CPO of the U.S. Department of Homeland Security, who spoke about his office’s work on authoring Privacy Impact Assessments for RFID-related issues such as WHTI and the EDL; he also said that he or someone from his office will go anywhere to speak on matters of privacy and homeland security (good to keep in mind!). Randy Vanderhoof of the Smart Card Alliance also gave an interesting presentation on his organization’s work with privacy – this included a note on their strong opposition to the use of EPC Gen 2 technology for WHTI.

The research portion of the program included presentations from Ari Juels and Ravi Pappu on practical key management techniques for crypto in real-world RFID applications. Christof Paar reviewed some lightweight crypto techniques which his group had developed for RFID, while Melanie Rieback and Karsten Nohl…
(Read complete post >>)