Contributed by Joanne Kelleher
Over the past week, there have been two presentations about hacking RFID, followed by silence from the RFID industry.
Computer security expert Lukas Grunwald cloned and manipulated the content of a German RFID passport, then used the hacked e-Passport to crash the machine needed to read it. Grunwald discussed the vulnerability at the DefCon 15 hacker convention.
Dave Bullock, a random code hacker wrote in his eecue blog about Adam Laurie.s presentation at Black Hat 2007. Laurie showed how to clone an RFID chip using the same form factor and discussed the security on passports.
I wasn.t surprised that Grunwald and Laurie were able to accomplish these hacks. What I found interesting was how I learned about them and the types of media that have covered or not covered their stories.
Every day I get email newsletters from a variety of RFID industry publications and associations. So far, none of them have included any comment about these two hacks. Are they hoping that if they don’t cover the stories then customers and the public won’t hear about these security breaches?
Both of these articles appeared in my Google Alert for content related to RFID security. Google Alert is a service that sends email updates of the latest relevant Google results (web, news, etc.) based on your choice of query or topic.
Laurie’s hack appeared in an article in The Guardian (UK) and in several blogs. Grunwald’s hack also appeared in several blogs and in mainstream media such as CNN Money, ABC News, Computerworld, New Zealand and Yahoo! Tech.
As Lewis Parks wrote about in his RFID Privacy in Perspective contribution last winter (https://veridify.com/RFID-Security-blog/?p=13), the RFID industry is not doing itself any favors. Rather than addressing the issue directly both through security technologies and a direct dialogue with the public they continue to keep their heads down and hope no one looks their way. This can not go on much longer.