Rfid Unplugged presented at ShmooCon 2009

by 3ric Johanson,

Tags: Security Access Testing

Summary : Video
RFID system usage is increasing in the transit, access control, and payment sectors, with little to no foresight into effective security. This presentation will cover potential threat and attack models from the business, integrator, and consumer perspective. Beginning with an overview of the systems in place today, we will review specific vulnerabilities - many with demos - and offer potential mitigations. Security implemented in current RFID systems is very reminiscent of early wavelan or SIM technology. This talk will review classes of attacks in detail, including OTA sniffing, MITM, reply attacks, backend wire interception, duplication, data tampering, Denial of Service, escalation of privilege, etc. In addition, the real-world impacts of the cracked NXP-mifare-crypto1 system will be reviewed. Paypass vulnerabilities will also be demonstrated.
3ric Johanson has been breaking things for many years. A Shmoo Group member, he's been involved with several successful projects, including Shmoocon, Hackerbot Labs (A Seattle-based hacker space), vend-o-rand and rainbowtables. By day, he is a security consultant specializing in penetration testing and application assessments; By night, he has been spotted wearing his "so sue me already" t-shirt while drinking over-caffeinated coffees. Some of his recent public work has included "International Domain Name" vulnerabilities. His hobbies include building and breaking things in a secret underground lair in Seattle.