October 8th, 2017
Attacks on Smart Cards, RFIDs and Embedded Systems
Prof. Keith Mayes
Royal Holloway University of London
10-11:00am Tuesday, 10 October 2017, ITE 325, UMBC
Smart Cards and RFIDs exist with a range of capabilities and are used in their billions throughout the world. The simpler devices have poor security; however, for many years, high-end smart cards have successfully been used in a range of systems such as banking, passports, mobile communication, satellite TV etc. Fundamental to their success is a specialist design to offer remarkable resistance to a wide range of attacks, including physical, side-channel and fault. This talk describes a range of known attacks and the countermeasures that are employed to defeat them.
Prof. Keith Mayes is the Head of the School of Mathematics and Information Security at Royal Holloway University of London. He received his BSc (Hons) in Electronic Engineering in 1983 from the University of Bath, and his PhD degree in Digital Image Processing in 1987. He is an active researcher/author with 100+ publications in numerous conferences, books and journals. His interests include the design of secure protocols, communications architectures and security tokens as well as associated attacks/countermeasures. He is a Fellow of the Institution of Engineering and Technology, a Founder Associate Member of the Institute of Information Security Professionals, a Member of the Licensing Executives Society and a member of the editorial board of the Journal of Theoretical and Applied Electronic Commerce Research (JTAER).
November 15th, 2010
As TechCrunch and others report, Google’s Eric Schmidt announced that the next version of Android (Gingerbread 2.3) will support near field communication. What?
Wikipedia explains that NFC refers to RFID and RFID-like technology commonly used for contactless smart cards, mobile ticketing, and mobile payment systems.
“Near Field Communication or NFC, is a short-range high frequency wireless communication technology which enables the exchange of data between devices over about a 10 centimeter (around 4 inches) distance.”
The next iPhone is rumored to have something similar.
Support for NFC in popular smart phones could unleash lots of interesting applications, many of which have already been explored in research prototypes in labs around the world. One interesting possibility is that this could be used to allow Android devices to share RDF queries and data with other devices.
October 5th, 2010
Fastcompany has an article, Credit Cards Will Go Electronic, Then Disappear Into iPhone 5, predicting the merger of RFID-enabled credit cards and smart phones.
“Nokia plans to add antennas and RFID communications chips into its phones soon, and Apple has been patenting the heck out of the idea, but both companies were probably going to rely on an in-phone antenna loop. It seems increasingly certain Apple is going to bring RFID into common usage with the iPhone for 2011 (the iPhone 5) because there’s a new patent that shows just how far Apple has gone with design thinking for RFID. The patent shows how an RFID loop, powerful enough to act as both RFID tag or a tag-reader, can actually be built right into the complex layered circuitry of the iPhone (or iPod Touch) screen. We know Apple is fond of highly-polished design and integration, and this innovation is no exception. The screen has to be exposed by its very nature, which is good for RFID purposes — the wireless signal is unobstructed by other bulk in the smartphone, and it frees up Apple to do what it likes with the rest of the phone’s design.”
Maybe building RFID into smart phones will finally unleash the potential the technology offers for cool, people-oriented applications, as opposed to boring inventory management tasks. However, I don’t like the idea of not being able to use my credit card because my phone ran out of power.
August 30th, 2008
The September 2008 Scientific American is a special issue on The Future of Privacy. The issue has a good range of articles that all look like they are well worth reading and touch on all of the themes in our new MURI project on assured information sharing.
- Privacy in an Age of Terabytes and Terror. Peter Brown. Introduction to SciAm’s issue on Privacy. Our jittery state since 9/11, coupled with the Internet revolution, is shifting the boundaries between public interest and “the right to be let alone.”
- Data Fusion: The Ups and Downs of All-Encompassing Digital Profiles. Simson L. Garfinkel. Mashing everyone’s personal data, from credit card bills to cell phone logs, into one all-encompassing digital dossier is the stuff of an Orwellian nightmare. But it is not as easy as most people assume.
- Do Social Networks Bring the End of Privacy? Daniel J. Solove. Young people share the most intimate details of personal life on social-networking Web sites, such as MySpace and Facebook, portending a realignment of the public and the private.
- How Loss of Privacy May Mean Loss of Security. Esther Dyson. Many issues posing as questions of privacy can turn out to be matters of security, health policy, insurance or self-presentation. It is useful to clarify those issues before focusing on privacy itself.
- Cryptography: How to Keep Your Secrets Safe. Anna Lysyanskaya. A versatile assortment of computational techniques can protect the privacy of your information and online activities to essentially any degree and nuance you desire.
- Internet Eavesdropping: A Brave New World of Wiretapping. Whitfield Diffie and Susan Landau. As telephone conversations have moved to the Internet, so have those who want to listen in. But the technology needed to do so would entail a dangerous expansion of the government’s surveillance powers.
- How RFID Tags Could Be Used to Track Unsuspecting People. Katherine Albrecht. A privacy activist argues that the devices pose new security risks to those who carry them, often unwittingly.
- Beyond Fingerprinting: Is Biometrics the Best Bet for Fighting Identity Theft? Anil K. Jain and Sharath Pankanti. Security systems based on anatomical and behavioral characteristics may offer the best defense against identity theft.
- Digital Surveillance: Tools of the Spy Trade. Steven Ashley. Night-vision cameras, biometric sensors and other gadgets already give snoops access to private spaces. Coming soon: palm-size “bug-bots”.
- Tougher Laws Needed to Protect Your Genetic Privacy. Mark A. Rothstein. In spite of recent legislation, tougher laws are needed to prevent insurers and employers from discriminating on the basis of genetic tests.
- Industry Roundtable: Experts Discuss Improving Online Security. Experts from Sun, Adobe, Microsoft and McAfee discuss how to protect against more numerous and sophisticated attacks by hackers; security professionals call for upgraded technology, along with more attention to human and legal factors.
January 1st, 2008
Today’s Washington Post has a story, Electronic Passports Raise Privacy Issues, on the new passport card that’s part of the DOS/DHS Western Hemisphere Travel Initiative. The program is controversial since the cards use “vicinity read” radio frequency identification (RFID) technology that can be read from a distance of 20 or even 40 feet. This is in contrast to the ‘proximity read’ RFID tags in new US passports that require that the reader be within inches. The cards will be available to US citizens to speed their processing as they cross the borders in North America.
“The goal of the passport card, an alternative to the traditional passport, is to reduce the wait at land and sea border checkpoints by using an electronic device that can simultaneously read multiple cards’ radio frequency identification (RFID) signals from a distance, checking travelers against terrorist and criminal watchlists while they wait. “As people are approaching a port of inspection, they can show the card to the reader, and by the time they get to the inspector, all the information will have been verified and they can be waved on through,” said Ann Barrett, deputy assistant secretary of state for passport services, commenting on the final rule on passport cards published yesterday in the Federal Register.” src
As described in the ruling published in the Federal Register, the Government feels that privacy concerns have been addressed.
“The government said that to protect the data against copying or theft, the chip will contain a unique identifying number linked to information in a secure government database but not to names, Social Security numbers or other personal information. It will also come with a protective sleeve to guard against hackers trying to skim data wirelessly, Barrett said.” src
Of course, if you carry the card in your purse or wallet, your movements can still be tracked by the unique ID on the card. There are also security concerns since the tag’s ID may be cloned.
“Randy Vanderhoof, executive director of the Smart Card Alliance, represents technology firms that make another kind of RFID chip, one that can only be read up close, and he is critical of the passport card’s technology. It offers no way to check whether the card is valid or a duplicate, he said, so a hacker could alter the number on the chip using the same techniques used in cloning. “Because there’s no security in the numbering system, a person who obtains a passport card and is later placed on a watchlist could easily alter the number on the passport card to someone else’s who’s not on the watchlist,” Vanderhoof said.” src
November 27th, 2005
Here is what a smart doorknob can do.
“When you approach the door and you’re carrying groceries, it opens and lets you in. This doorknob is so smart, it can let the dog out but it won’t let six dogs come back in.
It will take FedEx packages and automatically sign for you when you’re not there. If you’re standing by the door, and a phone call comes in, the doorknob can tell you that ‘you’ve got a phone call from your son that I think you should take.”
This smart doorknob is part of a MIT research project called “Internet of Things” (see IHT). An interesting thing about this system is that it relies on the extensive usage of RFID tags. When it comes to RFID technology, some people are very worried, and some others are very excited.
November 17th, 2005
The Internet of Things is the seventh in the series of “ITU Internet Reports” published since 1997 by the UN’s International Telecommunication Union. The report will be available in mid-November and include chapters on enabling technologies, the shaping of the market, emerging challenges and implications for the developing world, as well as comprehensive statistical tables covering over 200 economies. Here’s an AP story about today’s announcement at the World Summit on the Information Society in Tunis.
Machines and objects to overtake humans on the Internet: ITU, AP, Nov 17
Machines will take over from humans as the biggest users of the Internet in a brave new world of electronic sensors, smart homes, and tags that track users’ movements and habits, the UN’s telecommunications agency predicted.
In a report entitled “Internet of Things”, the International Telecommunication Union (ITU) outlined the expected next stage in the technological revolution where humans, electronic devices, inanimate objects and databases are linked by a radically transformed Internet.
“It would seem that science fiction is slowly turning into science fact in an ‘Internet of Things’ based on ubiquitous network connectivity,” the report said Thursday, saying objects would take on human characteristics thanks to technological innovation.
August 13th, 2005
This new automatic door from Japan creates a minimal opening for an object to pass through. The door is composed of a series of strips which open when activated by the infrared sensors on their edges. It’s said that the door also can identify people (RFID?) for security. Such doors can help manage energy loss in a room, garage or freezer and protect a space from unwanted dust, pollen, bugs, and germs. Plus, they are cooler than the doors on Star Trek. See this video.
Here’s a marketing tip: get the door to occasionally say “Gee, you’ve lost weight, haven’t you?” and it will sell like hotcakes.
July 31st, 2005
The U.S. Department of Homeland Security will install radio frequency technology at five border posts with Canada and Mexico to track foreigners driving in and out of North America beginning this coming Thursday. As people pass through the security check once, they will be given an index card sized document containing the chip. The document is to be placed on the car’s dashboard so that a person’s personal information can be read as they approach a border crossing. The mandatory program will apply to all foreigners with U.S. visas–including those from the 27 countries whose citizens don’t need visas for short U.S. visits–who cross into the United States at those points. Canadians and Mexicans, who fall under special immigration rules, are exempt from needing the chip. (Link)
I found these quotes, from (Link), to be misleading:
Kimberly Weissman, spokeswoman for the US-VISIT program at the U.S. Department of Homeland Security told The Whig-Standard yesterday that the new devices can’t be tracked outside the border crossing area. “It has a range of 10 to 15 metres,” she said. “The UHF frequency that we’ve chosen makes it impossible to locate a specific person.”
She must have meant that (1) while the tags were in the border crossing area they couldn’t be read from outside the area; (2) the tags are not designed for localization. Such misstatements, which I assume were due to carelessness, can come back to haunt.
July 20th, 2005
President Bush’s first Health and Human Services Secretary, Tommy Thompson, former Governor of Wisconsin, is getting an RFID implant. Thompson has joined the board of Applied Digital, which owns VeriChip, the company that specializes in subcutaneous RFID tags for humans and pets. Thompson will get chipped to help promote the concepts behind the technology. If all of Applied Digital’s board members are required to get chipped it should make taking attendance at future board meetings much easier. (Link, spotted on Boing Boing)