Schneier on Security
A blog covering security and security technology.
« Secret Military Technology |
| DNA Matching and the Birthday Paradox »
September 10, 2008
Mythbusters Episode on RFID Security Nixed
Seems that the idea was killed by lawyers under pressure from the credit card industry. Or maybe not; the person who started this rumor has retracted his comments. Or maybe those same lawyers made him retract his comments.
Don't they know that security by gag order never works, except temporarily?
Posted on September 10, 2008 at 2:34 PM
• 24 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Here's the retraction: http://news.cnet.com/...
A pity they don't have the urban legends expert on the show anymore, as this makes a great teachable moment about how they spread.
I suppose you could think that maybe Mythbusters is staging all this for a segment to talk about exactly that...
I find it beyond belief that the technical aspects of the show are too great for Mythbusters to overcome, so somebody must be squelching this. Who? Given the current state of affairs with the US government, any of several TLAs come to mind.
Yeah, well those in glass houses should probably grow many plants as the glass will trap the heat while allowing incoming sunlight.
The fact that Adam Savage was *not* on the call that this information supposedly came from is the main reason I didn't spread the story around.
After reading the redaction, it seems like I was right to take it with a grain of salt.
Plus, it's Adam Savage. If Jamie had said it, I would have taken it much more seriously.
I agree that this is a great example of how urban legends can gain traction and that they need the creepy urban legend lady back every once and a while.
Given that Adam was not present during the call I am willing to accept he may have gotten the details wrong, but the fact remains that the show's production company was somehow pressured into not running the story on RFID insecurity. The corrected version of the report has only one lawyer present during the conference call, but even a single lawyer can exert a lot of pressure.
just wait until they will want to get the rfid chips implanted in humans. first to the immigrants, then slowly to everyone...
RFID implants are already underway (or attempts at least). They are starting with the homeless, who can hardly object when they will be offered warmth and a meal.
Where can I get an RFID implant? I'd like to find one that speaks a protocol that low-cost readers can understand.
I found a company selling sterile animal-implantable tags for ~$10 each in disposable syringe applicators, but none of the hobbyist-priced readers were compatible.
I suppose I'm actually looking for the opposite of the normal application, at least for my own implant desire. I want lots of small cheap readers; I don't mind if a tag for me is expensive.
@Gopi: building a reader isn't very difficult, if you have some experience with basic electronics and microcontrollers. The ISO something animal tags work at only ~125kHz, which makes decoding fairly easy. There are some IC's that will do all the hard work for you, but you can also do the decoding is software with a few external parts for the transmitter/receiver circuit.
There are quite a few projects available on the net, just make sure you get the right frequency and modulation type.
It would be great if the vast and terrible set of problems with RFID implementation was made very public on a popular science show. I hope they get this worked out. The world should be more aware of RFID.
Well, Mythbusters is still out to make money and to do that they need big explosions and to DISprove something a LOT of people believe in order to generate buzz. How may people believe RFID is safe? Probably not enough to keep their ratings up.
The rfid thing came up during the Q&A session following a presentation Adam Savage made to a geek conference called "HOPE" Here's the video of the part of the Q&A session where he answers the question about doing rfid testing on Mythbusters.
He says that it was "Linda and Tory" who were the ones that were on the call. He also says that Tory "still gets a little white" when recounting the experience of that call.
@Gopi: you might want to take a look @ http://rfidguardian.org
It can do lots of things, including "plain" tag-reading. Version 4 will come out pretty soon and will be a pre-built device with nifty things like an LCD screen.
If you don't mind DIY'ing you can get all the designs & software from previous versions on the website (its all open source). They will work fine for your purposes.
Put it this way: If the idea of testing RFIDs was not killed by the lawyers -- why wouldn't the mythbusters test it?
1) It's too technical? And boring? ...really?
2) They have better things to put on the show? Why would they make the call in the first place, then?
When hearing about this rumor, I always thought that the issues with RFID would be too much over the head of the average viewer. What's the myth to prove or disprove? A device that blinks green when it should be blinking red? And it doesn't even go boom.
They could have tested if you could set an explosive to go off when detecting a passport from a given country based on characteristics of the RFID chip/EM field? Goes boom, and also gets you the fear viewers. Even if they busted the myth, the advertising is scary and fear sells (plus, for fun they'd detonate the explosives afterwards like they always do). Contactless credit card reading/fraud is another easy idea. There's lots of ways they could have gotten watchers. I don't see why they would avoid the topic completely unless serious pressure was applied.
RFID as a subject matter might sound technically obtuse to the average joe, but all it takes is a fairly simple collage showing the accepted uses all over the world....and then show what nifty stuff you could do to tinker with it.
Not all MythBusters episodes involve dramatic visual stunts, though pissing on the electrified train rails is a personal favorite. Sheesh, we could talk about RFID technology for physical access to restricted spaces, personal identification, monetary exchanges, commerce....the scenarios one could think of to make something initially "too-techie" more palpable and visually appealing (aside from cops & men-in-black coming to take you away) should be easy to imagine.
However, I think Bob may have hit it on the head - it's a program designed to prove/disprove "common-knowledge" or urban myths & earn ratings to make money. What I've heard about this premise is interesting and important, but may simply be a break from format that might be controversial enough to impact some bottom lines.
... so is the use of RFID for contactless payments such as Mastercard's payPass as secure (better, hopefully) than chip and PIN?
And what about the likelihood of 'brushpast' reading of cards? Could this be used to obtain low-value goods (eg if a PIN is not required for less than £10-20)? Or to derive valid track-2 magstripe information for use in conjunction with a PIN (eg shoulder-surf for the PIN then interrogate the RFID card for information to fake the track-2)?
Background: I understand payPass payments are acquired as magstripe payments, so it should be possible to reconstruct a real magstripe from information from the RFID response (after decryption, I would hope)
So the retraction has it that the conference call was attended not by multiple corporate lawyers from major CC companies, but one corporate lawyers and a bunch of other officials; the decision to pull the story was made not by Discovery Channel, but by its production company; and the reason the show was pulled was not direct legal threats, but reasons "so bizarre and convoluted that no one would believe me."
How is this a "retraction"? Of course as Savage was just passing along hearsay, it is not surprising that he should get many details wrong. But in that case, we would expect his network endorsed retraction to say something like "no external party in any way influenced the decision not to go ahead with this show." But it says nothing of the sort. It addresses all the peripheral issues he got wrong (helping marvelously to damage Savage's credibility), but leaves the core issue hanging.
I say again, how is this a "retraction"?
Personally, I'm more inclined to believe the off the cuff comments than the subsequent retraction, which was no doubt carefully polished by the PR department and lawyers.
There are countless examples that have been on this blog of legal pressure being applied to to try to prevent security flaws in technologies from being publicized.
One might hope that in designing the RFID versions of credit cards, they would have created a public key based setup where the chip would be "active" (c.f. chip and pin, GSM) and would digitally sign each individual transaction with a unique id to prevent cloning, replay, etc.
However, convenience always trumps security, and from what I can discern from a brief online search, most of these devices are just a passive copy of the data that would be on the magnetic stripe of a conventional card, thus the risk of passers by reading them is very real. Sigh.
I don't think this is security by gag order, I think it's pure PR. The credit card companies know that the card is insecure, don't care, and don't want people to know so they can still sell them on it.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.