I've worked with several RFID implementations, and all of the (silicon-based) solutions have decent encryption to prevent "capture" of IDs or other data. Usually a shared-key system -- not unbreakable, of course, but pretty difficult to intercept on the sly.
You do not need to decrypt a signal that you can repeat. i.e. I can say "Bonjour" without knowing a lick of French, or even the literal meaning of that phrase.
IF this is really strong encryption, and is well done, it could help to prevent a lot of the misuses of RFIDs. It doesn't stop them, of course, but makes them harder.
News flash, most people who have enough money to shop at Prada on a regular basis are not like wannabe middle-class 20-somethings that dress flashy with logos blinging like mad.
Messing with their system (Score:5, Interesting)
Re:Messing with their system (Score:5, Interesting)
Would be fun to see tons of snooty sales people running up to a guy dressed like a bum...
Re:Messing with their system (Score:5, Informative)
S
Re:Messing with their system (Score:2)
Re:Messing with their system (Score:3, Interesting)
What's the key management? If one of the reader units is removed from the store, how hard is it to use it to get a valid key that can read all other Prada RFID tags?
How hard is it to break into the readers that the store's using? Can you have the floor people direct people to random items?
If the tags themselves are hard to game, can someone game the rest of the system?
-Peter
Re:Messing with their system (Score:4, Insightful)
Now, if there was some kind of challenge-response going on, it would be much harder to deal with, although not impossible, given enough "captures".
Re:Messing with their system (Score:2)
I can say "Bonjour" without knowing a lick of French, or even the literal meaning of that phrase.
Bad analogy, sort of, eh. If you speak a native language, you can tell aboot from where a speaker originates. Some interlopers can fake it for a little while, but further ecoutage always betrays them. Unless they are really good spies.
Re:Messing with their system (Score:3, Funny)
You're Canadian?
Re:Messing with their system (Score:2)
I'd go so far as to say eastern Canadian, but I wouldn't bet much more than lunch money on him being a maritimer.
Re:Messing with their system (Score:2)
I'm a transplanted Caper with Canadian Cajun roots. Good thing you didn't bet real money.
Re:Messing with their system (Score:2)
If encrypted RFID systems don't include any nonce in the request, repeated in the response, then a replay attack is possible. You don't have to break the encryption at that point, just record and retransmit.
Humans tend to repeat their mistakes, so i
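The nonce point made in the comment above, as an added example that is not part of the thread: a reader that sends no fresh challenge accepts a recorded tag response, while a reader that binds each response to a random nonce rejects it. The key, tag ID, class names and the use of HMAC-SHA256 as a stand-in for the tag's cryptography are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-demo-shared-key"   # constructed sample value
TAG_ID = b"TAG-0001"                   # constructed sample value


class Tag:
    """Hypothetical tag: authenticates (challenge || id) under the shared key."""

    def __init__(self, key, tag_id):
        self._key, self.tag_id = key, tag_id

    def respond(self, challenge):
        return hmac.new(self._key, challenge + self.tag_id, hashlib.sha256).digest()


class Reader:
    """Hypothetical reader. With use_nonce=False the challenge is empty,
    so the tag's answer is the same bytes in every session."""

    def __init__(self, key, use_nonce):
        self._key, self._use_nonce = key, use_nonce

    def new_challenge(self):
        # 16 random bytes per session: a repeat is not a practical concern.
        return secrets.token_bytes(16) if self._use_nonce else b""

    def verify(self, tag_id, challenge, response):
        expected = hmac.new(self._key, challenge + tag_id, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def replay_accepted(use_nonce):
    """Return (legitimate_ok, replay_ok) for one recorded-then-replayed exchange."""
    reader, tag = Reader(KEY, use_nonce), Tag(KEY, TAG_ID)

    # Session 1: the genuine tag answers; these bytes are what a listener records.
    c1 = reader.new_challenge()
    recorded = tag.respond(c1)
    legitimate_ok = reader.verify(tag.tag_id, c1, recorded)

    # Session 2: the reader issues a new challenge; the recording is sent back
    # unchanged, with no knowledge of the key.
    c2 = reader.new_challenge()
    replay_ok = reader.verify(tag.tag_id, c2, recorded)
    return legitimate_ok, replay_ok


if __name__ == "__main__":
    print("no nonce   :", replay_accepted(False))
    print("with nonce :", replay_accepted(True))
```
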
Re:Messing with their system (Score:1)
It's been a couple years, but I'm certain it had a challenge-response authentication system to prevent simulation. I am not a security expert, I just remember reading the specs while studying the API.
I also remember a story told by the owner of the company about a sales pitch he gave once. A nearby amusement park used an insecure RFID technology to sell access to
Re:Messing with their system (Score:2)
If the tags in my clothes will only talk in a useful way to authorized readers, then you can't just put a generic reader in the lamp post and discover everyone that walks by.
However, all that is needed to get the lamppost reader to track people is to have the keys, or have some way to get the RFID to talk in a consistent way. For example, alwa
Re:Messing with their system (Score:5, Informative)
Bullshit.
Proximity cards based on ISO14443 have encryption, but very limited reading range due to the larger power consumption of the chip. Popular types of vicinity (up to about 1 m reading range) cards such as I*Code, Tag-it, ISO 15693 use no encryption at all. I designed low-level firmware for a reader to read these, so I should know...
Re:Messing with their system (Score:2)
I work for a luxury department store and the people that spend the most wear labels you've probably never heard of. They also dress more conservatively (i.e. like bums) when they shop because they are not out to impress sales staff.