Interview

RSA researcher Ari Juels: RFID tags may be easily hacked

Neil Roiter
How might RFID be compromised, and in what cases would it be worth an attacker's while?
If we're talking about what may be the most prevalent form of RFID, the wireless bar code, the interest in attacking the tags may be motivated by interest in attacking supply chains. And that can be for economic gain, out of interest in disrupting commercial operations, or even done with political motivation. The technology's still in its nascence, so we don't understand all the modalities of attack. But these are the reasons, in principle, people might attack these devices.

What are the defenses against such attacks? These devices are very limited by their low power.
What makes research in RFID security so interesting is precisely the fact that RFID tags can't do very much. For instance, the barcode-type ID tags I've described are meant to be extremely cheap, and that's why their capabilities are so austere.

But, in fact, it's possible to shoehorn in capabilities for which these tags were not explicitly designed. For example, in RSA Labs, we proposed techniques to commandeer access control features on the tags -- those are an optional security mechanism -- and even the privacy feature on the tags, what's called the "kill" function, a self-destruct feature that's meant to protect consumer privacy. We've shown ways the tags can be commandeered for authentication. So, what's really required is a very flexible mindset; the constrained capabilities of RFID tags pose a design challenge to security architects. That's not intractable.

Multifactor authentication has been a tough sell outside of specific environments. It's expensive, hard to manage; users, especially consumers, don't like to use it. Can you talk about RSA's research and the Wireless Access Research Project (WARP), which uses mobile phones for strong authentication?
The idea behind WARP is that users already have a device that can serve to authenticate them very nicely—the mobile phone. They have properties that make them particularly well-suited to convenient authentication. For example, mobile phones are increasingly equipped with Wi-Fi capabilities. What we've done in the WARP project is enable users to transmit a token code via Wi-Fi to their PCs. It eliminates the need to transcribe digits from a one-time passcode token to a keyboard. It's great from the standpoint of security, because if you don't have to type the token code in, the code can be as long as you like. That opens up the possibility of transmitting full-blown cryptographic keys.


What current research projects get you excited?
We've been spending a lot of time on a project called HAIL (High Availability and Integrity Layer). Cloud storage posed some very knotty security problems. The one that we've focused on, in particular, is the problem of enabling a user to determine that a file or archive stored in the cloud is actually still there. You have no idea what physical platform your data resides on. You don't know what the quality of administration is; you don't know how reliable the platform is from a standpoint of degradation or vulnerability. We were able to achieve a kind of challenge-response protocol to receive a cryptographic assurance that the file was actually there.

And, you're a novelist now. Tell us a little about Tetraktys.
My objective was to turn the usual formula of authorship on its head. Generally, novels about cryptography are written by people who just dip their toes into the subject of cryptography. I thought it would be interesting to write a novel as a scientist; rather, to dip my toes into the writing and use the immersion in cryptography as a platform to write the novel.
