Thursday, October 16, 2008

Should we take cheap-as-chips RFID on trust?

The Guardian asks whether we should take the new generation of cheap RFID chips on trust:

RFID began appearing in passports, US payment cards and the UK's Oyster cards, used to make payments on London's Tubes and buses, in 2005. Many papers published in 2005 and 2006 highlight flaws in the chips' implementation. A 2005 RFID Journal paper from Johns Hopkins University and RSA Laboratories exposed weaknesses in the cryptography implemented in the Texas Instruments chip used in automobile keys and the "Speedpass" keyfob contactless payment device used in petrol stations. In 2006, Ross Anderson, author of Security Engineering, outlined the chips' vulnerability to "man-in-the-middle" attacks. More recently, the cipher used in Oyster cards has been broken and researchers have bypassed the public key infrastructure needed to manage the cryptographic keys for RFID passports.

Another problem: data stored on today's chip and pin cards is not encrypted.

Read more at - 'Should we take cheap-as-chips RFID on trust?'


No comments: