Steven Bellovin wrote:
On Jan 13, 2010, at 1:45 PM, Barry Shein wrote:
There seem to be a lot of misconceptions about RFID tags. I'm hardly an expert but I do know this much:
RFID tags are generic, you don't put data into them unique to your application.
Not true, the simplest rfid tags are energized and play back whatever string is embedded, passive tags, however, plenty of device that fall under the moniker rfid are at a minimum field programmable. Moreover when you get beyond passive tags, the devices can be found with full on java stacks, challenge response system, fips certified crypto engines, flash for stored value etc.
Part of the original (or at least early) context for this thread was recovery of default passwords. If the password is F(ser#), it's only learnable if you know both F() and ser#. The vendor knows F() -- who knows ser#? If it's in an RFID tag, or is DBlookup(tag#,vendor_db), being able to read this admittedly-arbitrary number may indeed be a threat.
--Steve Bellovin, http://www.cs.columbia.edu/~smb