Thursday, January 18, 2018
Home Tags Near Field Communication

Tag: Near Field Communication

Flannel rag again shown to be essential kit for freeloaders RSA 2016 Security analyst Jerry Gamblin has turned a hotel towel into a pass for RSA's San Francisco conference. Gamblin says hotel towels often include RFID chips for inventory control and that hitchhackers can use a Proxmark to easily copy and paste the unique identification number stored in their RSA entry pass' NFC chip and embed it in another device. It means anyone can clone a US$2000 pass to the sold-out conference to enter sessions and the exhibition floor. "Near field communication wasn't written in general to be used in this manner - it was meant to be used in scanners in supermarkets or whatever," Gamblin (@jgamblin) told Vulture South "I could put my RSA tag onto a blank MiFare card that I have here with me and could scan it such that I can access everywhere. Jerry Gamblin. "Never leave home without your towel." Gamblin says he is not attempting to 'show up' RSA and won't be scanning in with his towel even though it is possible. But other conference hitchhackers could easily do so. There is no vulnerability within the MIFARE Ultralight C and Gamblin says it is the choice of technology that leaves it open to abuse. He will update his guide to cloning cards at the conclusion of the conference. Image: Jerry Gamblin. ® Sponsored: Speed up incident response with actionable forensic analytics
It's a "dream come true" for identity thieves and a "civil liberties nightmare."
The FIDO Alliance adds Bluetooth and near-field communications to security specifications first defined in December 2014. In December 2014, the FIDO (Fast Identity Online) Alliance issued the 1.0 version of its U2F (Universal Second Factor) security specifications to enable two-factor authentication. The U2F 1.0 specification is now being expanded to support the wireless Bluetooth and near-field communications (NFC) protocols. What U2F provides is a second-factor authentication mechanism that can be used to supplement a username and password to provide more secure access to a site or online service. With the initial rollout of U2F, USB-based devices were the primary technology mechanism. USB keys, including those from security vendor Yubico, can be used for U2F to enable secure authentication. As to why Bluetooth and NFC are being added now to U2F, Sam Srinivas, FIDO Alliance vice president and co-chair of the FIDO U2F Technology Working Group, said FIDO is being pragmatic and incremental in its approach to standardization. "We wanted to get the core USB transport, which is very appropriate for desktop use cases, shaken out and into the market," Srinivas told eWEEK. "We also wanted to make sure the higher crypto layer of the protocol was working well in the field before expanding to other transports—this higher crypto layer is the same regardless of the physical transport." Srinivas added that the need to make sure everything was working properly is why FIDO consciously decided to defer working on other transports, though conceptually it is just the same crypto running over a different underlying physical connection. "As soon as we successfully launched FIDO U2F with just the USB transport, we brought the focus back on to the work we were doing on the wireless transports which are most relevant to mobile [Bluetooth and NFC], and what we are announcing now is the completed work," he said. With the U2F specification additions for Bluetooth and NFC, new forms of FIDO-compliant devices can now be built and deployed. For example, FIDO U2F can now be used to enable a key fob or even a credit card-sized device to be used as a second-factor authentication mechanism. From a device certification perspective, Srinivas said that FIDO will certify Bluetooth and NFC the same as it has certified USB devices. The certification involves a standard test driver that exercises a device through all of the expected operations for that particular transport (NFC, Bluetooth etc.). He added that after a device passes the test, it is then subject to an operational test where it must perform actual log-ins against a reference test server (i.e., full stack test, not just the transport). Finally, there is an interoperability test where a device must perform log-ins against multiple vendor server implementations. "We expect to announce the certification program details at a later date, after people have had a chance to make prototype implementations," Srinivas said. "Again, here we are following the same model we established with USB in terms of how we sequence the various events." While USB is a universal standard with little variation, Bluetooth implementations can vary across different mobile vendors. However, as to the variations of Bluetooth stacks, many of the FIDO member companies have deep Bluetooth experience, and considerations about stack variations were brought into the design by various member companies that fleshed out the transport protocol design, he said. Looking beyond Bluetooth and NFC, Srinivas said FIDO is considering SIM cards and secure memory cards acting as FIDO U2F devices, or more precisely as repositories of FIDO U2F keys. "The user would be able to move a SIM or a secure memory card from one phone to another, and their FIDO U2F keys would move to the new phone," he said. Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.
NEWS ANALYSIS: Information gleaned from the Mobile Pwn2own event—what was and what wasn't exploited—could help improve mobile security in the future. The annual Mobile Pwn2own competition, sponsored by Hewlett-Packard's Zero-Day Initiative (ZDI) and held in Tokyo on Nov. 12 and 13, yielded some surprising results. The mobile version of the Pwn2own hacking challenge offers security researchers cash and prizes for successfully exploiting mobile devices. In the 2013 event, researchers exploited Android and iOS devices alike. On the first day of the 2014 event, all the targets that were attacked were exploited. The exploited devices included a Samsung Galaxy S5, which was actually attacked twice, with two different exploits demonstrated against the phone's near-field communication (NFC) capabilities. Samsung wasn't the only vendor that had its NFC technology exploited; researchers were also able to exploit the NFC features on an LG Nexus 5. Both the Samsung Galaxy S5 and the LG Nexus 5 are Android-powered devices. In addition to NFC, mobile Web browsers were also a prime target at Mobile Pwn2own 2014. Researchers took aim at the Amazon Fire Phone's Web browser and were able to exploit it successfully. Additionally, an Apple Phone 5S was successfully exploited via its included Safari Web browser. While Apple's iOS and Google Android-based phones were attacked and exploited on the first day of the event, there was a mobile device operating system that was attacked but not actually fully exploited on the second day of the event. Surprisingly, the unhacked mobile device was the Lumia 1520 Windows Phone. According to an HP blog post on the event, researcher Nico Joly was able to exfiltrate the cookie database from the Windows Phone; however, the operating system sandbox held, and he was unable to gain full control of the system. That's interesting for a number of reasons. For one, it means that Windows Phone was able to successfully withstand the scrutiny of some of the world's best security researchers, while Android and iOS was not. It's also interesting that it was the sandbox that prevented the full exploit. An operating system sandbox is intended to control access and limit risk from attacks or rogue application processes. The fact that the Windows Phone sandbox held back the full exploit could be an indicator of the technology's strength. Then again, it could just have been a question of time, as the Mobile Pwn2own event is a live event and that can be a real pressure cooker for any researcher. At the 2013 event, researchers from Keen Team were able to partially exploit iOS, but were not able to bypass the Apple sandbox. In 2014, the Apple sandbox did not hold back researchers from exploiting an iPhone 5S. If history is a guide, perhaps, we will see a research team come back in 2015 that is able to bypass the Windows phone sandbox. Also of note is the emphasis overall on NFC-related exploits. The fact that not one, but two different Android phone vendors were exploited via NFC is a cause for concern, especially in an era when NFC is increasingly being considered as a payment technology. Although it is somewhat worrisome that both iOS and Android mobile devices can be exploited, there is a silver lining to the Mobile Pwn2own event.The good news with Mobile Pwn2own is that the vulnerabilities demonstrated by the security researchers are not likely to be exploited in the wild any time soon. HP buys the vulnerabilities from the researchers and then keeps them private, responsibly disclosing them to the affected vendors so they can fixed before any harm is done. Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.  
As throngs of shoppers prepare to descend on shopping malls and retail stores during the holiday period, it's important to remember to be safe with your wallet.

In the modern world, keeping safe is now evolving from just keeping an eye on your purchases and your physical wallet to being aware of unseen digital risks too. I recently saw a wallet in a retail store that included a feature I had never before seen: radio frequency identification (RFID) protection. On the side of the wallet's box was a description of what this RFID protection is all about: "This item is made with a special lining that acts as a protective shield for ID and credit cards. It can help to prevent hackers from accessing the information contained on the microchip." Modern passports and credit cards now have RFID chips in them that are used for identification and payment.

At the Black Hat USA security event this past summer, there was an interesting presentation on RFID hacking that demonstrated how easy it is to exploit RFID-enabled cards.

At the time, Francis Brown, managing partner at security firm Bishop Fox, told eWEEK that one of the only ways to be protected against RFID hacking is by using an RFID sleeve that can keep information safe, simply by placing the RFID card into the sleeve, blocking any potential signal theft activities. Brown's presentation was specifically about RFID badges that are used by many companies for secure access to facilities, but the same basic idea likely holds true for credit cards and passports too. I also saw famed security researcher Charlie Miller talk about RFID and Near Field Communications (NFC) hacking at Black Hat USA this past summer. In a humorous presentation, Miller played a video where he tried to steal information from unsuspecting associates by literally bumping into them—as a ploy to steal their information over RFID and NFC. This is the modern world we now live in, so instead of the regular pickpockets that we used to have to be vigilant against who would physically lift the wallets out of our pockets, there is now potentially a new breed of digital pickpocket. To be fair, actually bumping into someone with some kind of device that somehow can steal information from a credit card is not a simple or easy task. I also strongly suspect that normal pickpocket attacks vastly outnumber any type of risk that RFID presents to payment cards. That said, there is a risk. Whether or not that risk is truly material or is simply just theoretical is subject to debate, but it's still there. So if you're wondering what I did after I saw that RFID wallet, here's the answer: I bought it.

As it turns out, I needed a new wallet anyway, and it's no more expensive to buy a wallet with RFID protection than it is to buy one without it. Time will tell whether or not the risk of RFID credit card hacking is real or not, but if the cost for protecting against it is so low, why not get RFID protection and eliminate the risk altogether? Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.
Dual-factor authentication can work by combining smartphones and PCs, but that approach needs to be updated for the mobile era.

An new IBM technique combines near-field communications and smartphones. Diego Ortiz-Yepes of IBM Research in Zurich describ...
After winning court cases which confirmed it had the right to tag children with RFID, a Texas school has abandoned the scheme in favour of spying on them with cameras. Northside, in San Antonio, has come up with an alternate technology to the problem of ensuring an accurate headcount instead. The scheme attracted much public interest when one kid, Andrea Hernandez, decided the RFID tags were the Mark of the Beast and refused to wear one. When she lost in court she transferred to another school to avoid the IDs. The court pointed out that the bible clearly stated that the mark of the beast had to be on the forehand or hand and was used for the buying and selling of goods. According to Chron, Northside Independent School District spokesman Pascual Gonzalez said the microchip-ID program turned out not to be worth the trouble. It was supposed to increase attendance by allowing staff to locate students who were on campus but didn't show up for roll call. But spying on the movement of kids did not increase attendance and school staff found themselves wasting a lot of time trying to physically track down the missing students based on their RFID locators. The district never acknowledged that the chips posed legitimate privacy concerns and still claims that if you are a student at school, there is no privacy. Apparently Plan B is the British Solution which is to install hundreds of HD CCTV cameras and follow kids around the school with them.