Re: RFID Flap Silences Security Researchers

["Robert L Bass" <no-sales-spam@bassburglaralarms>]

> What's troubling about RFID entry systems
> is the reduction in physical effort necessary
> to compromise a wide range of facilities.
> For example, a thief can get key blanks quite
> easily, but carrying enough of them to allow
> easy entry becomes problem.  Size, noise
> and likelihood of drawing suspicion make it
> impractical...

There's another reason that thieves don't go
around toting key blanks.  They don't open
anything.

> I'm sure there's an argument to be made
> about how many/few combinations are
> actually needed, or that there are various
> types of 'more secure' key blanks.  That's
> not the point...

Actually, it is part of the point.  Suppose a
lock has six tumblers, each of which can
have six positions.  The thief will need to
carry nearly 7,800 keys and then try them
one at a time on a lock of the same make
until he gets in.  He'd spend almost as
much time trying out keys as he would in
jail after the policeman walked up.  :^)

> The point is by using a programmer it
> becomes possible for a relatively small
> box to be capable of compromising
> literally millions of systems...

It's not that easy.  Any decent system
will initiate a lockout timer after three or
four consecutive bad RFID codes.
Suppose the system uses a 40-bit code.
that would require trying upwards of
16,000,000,000,000 codes.  With a
lockout timer delaying things by as little
as 30 seconds after 4 failed attempts
(numbers picked at random), the thief
will grow old waiting for one door to open.

> Tangentally there's the problem of
> notification.  There's really very little
> in the way of effective notifcation streams
> for the residence.  There's no good and
> consistent way to know how to notify
> the occupant when important things
> occur...

I don't understand.  If we're comparing
RFID to mechanical keys or codes, how
is this related?

> There's a mish-mash of possibilities,
> but nothing that's very practical at this
> point to appeal to the non-technical
> individual.  So if the entry system
> senses being polled (sorta like too
> many login requests) there's no process
> for letting the occupant know about it.

Perhaps in cheap systems there's no
method but in many access control systems
there is.

> So combine the lack of feedback/notification
> with condensed ease of abuse and it's a
> big problem.

Not really.  Any access control system worth
its salt will make provision for both.

--

Regards,
Robert L Bass

=============================>
Bass Home Electronics
941-925-8650
4883 Fallcrest Circle
Sarasota · Florida · 34233
http://www.bassburglaralarms.com
=============================>