
Why the Mythbusters won't do RFID (2008) - moe
http://www.youtube.com/watch?v=X034R3yzDhw
======
donohoe
Actually Adam did a hasty follow-up to this when the video came out to say
something to the effect of 'Hmmm, I may have embellished the story - and um
that didn't happen' (BTW, that's me doing some heavy paraphrasing, not a
quote)

Here's the link:

<http://news.cnet.com/8301-13772_3-10031601-52.html>

September 3, 2008 10:59 AM PDT

'MythBusters' co-host backpedals on RFID kerfuffle

~~~
epochwolf
Wonderful. Which account do we believe now?

~~~
rpledge
This was discussed on No Agenda recently as an example of why corporate
advertising is bad for media that does this kind of work (although Mythbusters
rarely broaches subjects that run against corporate culture).

It seems odd Adam would have made up his original account, but only he knows
the real story at this point.

~~~
keltecp11
Found this:
[http://www.youtube.com/watch?v=vmajlKJlT3U&feature=relat...](http://www.youtube.com/watch?v=vmajlKJlT3U&feature=related)

~~~
houseabsolute
I don't really understand the problem to be honest. Maybe someone can explain
it to me.

Sure it's mildly inconvenient if your CC number gets stolen. But the CC
company is the one that foots the bill. In that sense, they are the ones with
the best incentive to keep the number secure. If fraudulent transactions
instigated by RFID-scanning thieves ever get to the point where it is a
serious concern, I am certain that the companies will act in their own best
interest to curb the behavior. In the meantime, who cares if they lose some
money?

~~~
fhars
If they can convince the judges that the cards cannot be skimmed, then the
very existence of a record of a transaction with a skimmed RFID is legal proof
that you did in fact authorize that transaction with your authentic card.
There is absolutely no risk for the card issuer involved.

It is like it was with debit card PINs here in Germany, the banks convinced
the judges that the cards are absolutely secure so that any fraud was in fact
to blame on the card holder who either didn't protect his PIN or was actively
trying to defraud the bank.

~~~
VMG
[citation needed] (out of personal interest)

~~~
fhars
Here is a citation (in German legalese, sorry for that):
<http://www.jurpc.de/rechtspr/20000026.htm>

~~~
VMG
Even though I am German, thanks for the warning ;)

------
jackfoxy
This is just begging for a little unaffiliated team to do a professional
investigation along with a good amateur video producer.

~~~
angstrom
...and decent legal counsel.

~~~
impeachgod
What if they're outside North America or Western Europe? Some place with
weaker laws?

~~~
petsos
Personally I would call weaker the laws that don't allow you to produce a
video like this.

------
mcs
Well Adam has stated in at least one interview that he reads Hacker News
regularly so maybe we'll have a nice anonymous reply :)

~~~
mixmax
I was curious about the validity of your statement so I did a little digging.
It's true, he even mentions that he reads it on a daily basis.

Source: <http://www.youtube.com/watch?v=J8jqea8R-bE>

_[edit]_ if you don't want to watch the whole 3 part video:
<http://www.youtube.com/watch?v=fFcVaFhKd_4#t=08m32s>

~~~
invisible
You could use (also on HN front page) <http://speakertext.com> for linking to
that. Just thought it was a neat instance!

------
guelo
Can someone that knows about this stuff explain exactly what it is the CC
companies don't want us to know?

~~~
furyg3
I'm guessing it's:

a) RFID is readable from further away than they'd like you to think.

b) You don't know when your RFID card is being read.

c) Points a and b make tracking you really easy... for anyone to do.

d) The only thing that _should_ (ideally) be stored on any RFID chip is a
unique number... not any history (recent transactions), personal data
(name/phone/picture), or payment system (think public transport) where the
actual info about how much money is on the card is stored on the card
itself... but that's exactly the type of information which is stored on these
cards.

e) Nearly all encryption mechanisms are shoddy, either because they're poorly
implemented open standards, or developed in-house by the vendor (security
through obscurity). Cards that make use of real encryption would be (are?)
expensive to make.

Here in the Netherlands the entire public transit system is being switched to
an RFID-based system, and even to a non-security expert (me) it's clear that
the system is based on an insecure premise (d), and would be very vulnerable
to unknown scanning by someone wishing to track you from a decent distance
(a-b-c).

I was interested in the security of this system, and found this video
([http://events.ccc.de/congress/2007/Fahrplan/events/2378.en.h...](http://events.ccc.de/congress/2007/Fahrplan/events/2378.en.html))
of some hackers who did an amazing job tearing it to shreds. They're pretty
adamant that nobody is doing adequate encryption on RFID cards. If you're
interested in this at all it's an amazing hack, involving dissolving the cards
layer by layer to see the code.

~~~
Groxx
a) it's a radio signal. However low power it is, it gets transmitted _huge_
distances while still being detectable (especially if you capture it multiple
times to read through noise). I'd love to take a massive dish (say, 20 foot
diameter) & see how many can be captured from _inside_ a neighboring building.

b) I have yet to hear of a single RFID card which has a _switch_ on it to
address this. It's a _big_ security problem. I saw one hobbyist hook up an
OLED pixel, but that's it.

e) I've heard of a couple, _very_ expensive, challenge-response and public-key
RFID systems. _That_ is acceptable for authentication, but I've _never_ heard
of them actually being used, and one or two were only proofs-of-concept, IIRC.
Many (I'd say easily _most_ in use, from what I gather) simply transmit a
unique ID, that never changes, which is used to perform X, which is
ridiculously insecure.

~~~
pyre

> I'd love to take a massive dish (say, 20 foot
> diameter) & see how many can be captured from
> inside a neighboring building.

Are you talking about active or passive RFID? I was under the impression that
most RFID in use is passive. In that case, you'd have to transmit something to
get a response, unless you're talking about camping out in an area where lots
of cards are going to be activated by various things other than yourself (e.g.
entrance to the transit system). But even then the transmitting power of the
RFID chip is proportional (?) to the power used to activate it, so something
that only expects to read it from 2 feet away isn't going to blast it with
enough power to be reliably read from 100 feet away, unless I'm
misunderstanding how people do those long distance RFID reading records...

~~~
fragmede
So say a 5-foot range. Find a group of employees out for lunch together and I
walk past the table with a backpack on. Hardly suspicious, and I've probably
got most of their building access cards.

~~~
pyre
I was responding to someone talking about a 20-foot dish though.
That's not something you stuff in a backpack. I was commenting on his desire
to listen with a huge dish at a distance.

------
michaelaiello
I'm the founder of a company that sells RFID blocking wallets and passport
cases <http://www.difrwear.com>. I met with Adam briefly back in 2008 at HOPE
when he gave this talk and gave him one of our wallets.

I ended up quite disappointed they couldn't air the show. Would have brought a
lot of awareness to the issue. It is really easy to copy RFID credit cards...
all you need to do is go buy a point of sale terminal from eBay, poke the
little speaker that beeps when it reads a card with a needle and then plug it
into a laptop and you've got a skimmer.....

~~~
kaib
I totally want to buy one of your wallets but you are currently out of stock
on everything except the garish pink ones..

------
etm117
Johns Hopkins University researchers did a video where they got the RFID code
from one of those gasoline auto-passes that you put on your keychain. It was a
video where they sit next to someone with the RFID pass in their pocket, scan
it with their laptop and then use the code at a gas station. I am at work and
the link is blocked, but I do believe this here is the video and information.
<http://rfidanalysis.org/>

~~~
adulau
The link is now squatted but still available on archive.org:

[http://web.archive.org/web/20061109232923/http://www.rfidana...](http://web.archive.org/web/20061109232923/http://www.rfidanalysis.org/)

------
pedalpete
Thankfully with a community named 'HackerNews' hopefully somebody here will be
inspired to look into it deeper and see if they can do the show that networks
can't do.

What's required to figure out how to hack these chips which are clearly
readily available?

~~~
bff
This is actually an active research area so a Google Scholar search can turn
up interesting stuff from various security conferences. Here's a summary of
what I've read and heard about:

If a chip has unencrypted personal data stored on it an attacker can easily
gain access to it by stealing the device. If encryption is used throughout the
chip then side channel attacks can usually break the encryption. This requires
something like an oscilloscope, some resistors, and a soldering iron. The
danger of this attack to a consumer depends upon what's stored on the RFID
chip since the consumer will notice if someone has stolen their device and
will have it disabled in short order.

To clone a tag that doesn't use encryption, for instance a tag that just sends
an ID, you'd need a reader to query the tags and some device to copy the
responses. This is probably the easiest attack but the reader, which needs to
transmit a strong radio pulse and then listen for a response, either needs to
be very large or in very close proximity and you could protect a card in your
wallet by surrounding it in a metal mesh (which forms a faraday cage) so it's
not clear how dangerous this could be in the wild.

If the communication channel is encrypted then an attacker could listen to the
query and response from a legitimate reader and RFID tag and could then
replicate the legitimate response later. However, if there is any timestamp or
counter involved this won't work.
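
To make concrete what bff's last paragraph describes (and what furyg3's items d and e and Groxx's item e are getting at), here is an added example, not code from anyone in this thread or from any card vendor: a Python simulation of two tag/reader protocols. The first tag answers every query with a fixed identifier, so a single observed exchange authenticates as well as the genuine tag does forever after. The second tag holds only a UID and a secret key and answers a fresh random reader challenge with an HMAC over its UID and that challenge, so a recorded answer is rejected on the next attempt. TAG_UID, TAG_KEY and the message formats are constructed values; HMAC-SHA256 is my choice for illustration and is not a claim about any specific card product.

```python
"""Simulation of a static-ID tag versus a challenge-response tag.

Constructed example: TAG_UID and TAG_KEY are made-up values, and the classes
model protocol messages only (no radio, no real card hardware).
"""
import hashlib
import hmac
import secrets

TAG_UID = bytes.fromhex("a1b2c3d4")            # constructed tag identifier
TAG_KEY = bytes.fromhex("00" * 15 + "42")      # constructed per-tag secret, known to tag and reader DB only


class StaticIdTag:
    """Tag that answers every query with the same fixed identifier (the common case in the thread)."""

    def __init__(self, uid):
        self.uid = uid

    def respond(self, query):
        return self.uid


class ReplayedFrame:
    """Whatever was observed in one earlier exchange, played back verbatim.

    Models the scenario bff describes: one query/answer pair was recorded
    once; this object simply returns that recorded answer to any query.
    """

    def __init__(self, frame):
        self.frame = frame

    def respond(self, query):
        return self.frame


class StaticIdReader:
    """Reader that accepts any tag whose identifier is on its allow-list."""

    def __init__(self, allowed_uids):
        self.allowed_uids = set(allowed_uids)

    def authenticate(self, tag):
        return tag.respond(b"WAKEUP") in self.allowed_uids


class ChallengeResponseTag:
    """Tag holding only a UID and a secret key; the key itself is never transmitted."""

    def __init__(self, uid, key):
        self.uid = uid
        self._key = key

    def respond(self, challenge):
        mac = hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()
        return self.uid, mac


class ChallengeResponseReader:
    """Reader that issues a fresh random challenge on every authentication attempt."""

    def __init__(self, keys_by_uid):
        self.keys_by_uid = dict(keys_by_uid)

    def authenticate(self, tag):
        challenge = secrets.token_bytes(16)        # fresh per attempt, so an old answer never matches
        response = tag.respond(challenge)
        if not (isinstance(response, tuple) and len(response) == 2):
            return False                           # malformed frame
        uid, mac = response
        key = self.keys_by_uid.get(uid)
        if key is None:
            return False                           # unknown tag
        expected = hmac.new(key, uid + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)  # constant-time comparison


def static_id_replay_succeeds():
    """A recorded static ID authenticates exactly as the genuine tag does."""
    reader = StaticIdReader([TAG_UID])
    genuine = StaticIdTag(TAG_UID)
    observed = genuine.respond(b"WAKEUP")          # one eavesdropped exchange
    return reader.authenticate(genuine) and reader.authenticate(ReplayedFrame(observed))


def challenge_response_replay_fails():
    """A recorded challenge/response pair is useless against a new challenge."""
    reader = ChallengeResponseReader({TAG_UID: TAG_KEY})
    genuine = ChallengeResponseTag(TAG_UID, TAG_KEY)
    observed = genuine.respond(secrets.token_bytes(16))  # one eavesdropped exchange
    return reader.authenticate(genuine) and not reader.authenticate(ReplayedFrame(observed))


def wrong_key_is_rejected():
    """A tag with the right UID but a different key does not authenticate."""
    reader = ChallengeResponseReader({TAG_UID: TAG_KEY})
    return not reader.authenticate(ChallengeResponseTag(TAG_UID, b"not-the-key"))


if __name__ == "__main__":
    print("static ID, replay accepted:        ", static_id_replay_succeeds())
    print("challenge-response, replay refused:", challenge_response_replay_fails())
    print("challenge-response, wrong key:     ", wrong_key_is_rejected())
```

The design point on the reader side is that the secret lives in the reader's key database and on the tag, never in the frame: what crosses the air is only the UID and a MAC bound to this reader's challenge, and the card needs to carry no balance, history or personal data (furyg3's item d). A monotonic counter or timestamp in place of the random challenge gives the same replay resistance, provided the reader refuses any value it has already accepted.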

------
jonah
Primarily about sniping Bluetooth, but some basic discussion on reading RFID
tags at a distance in the comments on this thread:
[http://www.schneier.com/blog/archives/2005/04/bluetooth_snip...](http://www.schneier.com/blog/archives/2005/04/bluetooth_snipe.html)

------
vegasbrianc
Let HN users create our own RFID MythBusters?

------
motters
Ok, so how hackable/trackable is RFID?

------
bch
Site is 404-ing currently...

