
Re: RFID Flap Silences Security Researchers



> I have always maintained that RFID devices
> which simply transmit a fixed serial number
> with no two-way interaction are not suitable
> for security...

Ideally, the system should employ rolling
codes plus a lockout function.

> (Usually when I bring this up someone tells
> me that the requirements of residential
> security are not as stringent as those of a
> business.

Agreed.  In designing security systems I
always try to implement full perimeter with
backup interior protection, regardless if the
job is residential or commercial.  In fact, a
residential system often requires more
features and flexibility than a commercial
one.

> ... a minimal handshake allows you to know
> that the RFID device is trying (and perhaps
> failing) to open *this* door...

Even without a 2-way "conversation" the system
will always know that someone is trying to
access it.  RFID devices have such a short
range that any signal which is reasonably close
to a "request to enter" can be counted.  Even
a rudimentary system can easily perform a
lockout after a predetermined number of
failed attempts within a given time period.

> If a manufacturer is bound and determined
> to minimize cost by using a one-way
> interaction (at least at normal read time)
> you can still implement a lockout by allowing
> some programmable bits in the RFID device
> which are set to a house code...

True but it's actually simpler than that.  Since
the range is limited, any received transmission
of the same protocol could be treated as an
attempt.

> Finally, even if you don't do anything
> sophisticated with the hardware and are
> stuck with the above mentioned 40-bit
> code, you can still implement a reasonable
> lockout to protect against brute-force attacks.
> Simply count a failure when, e.g., the top 20
> bits match and the lower 20 do not.  (You
> do need to be careful not to display different
> behavior for a failure that is being counted
> for lockout purposes since an attacker could
> use that information to quickly probe the top
> 20 bits.  Clearly it would be better if you had
> more bits to start with.)

The most secure approach is to require
"something you know" plus "something you
have."  That would mean RFID plus a code.
Alternatively, you could use RFID plus biometrics.
With the cost of biometric devices dropping
this isn't such a far-fetched idea for systems
in the next 3-5 years.  We're already supplying
biometric scanners to government and industry
clients.  It won't be long before reasonably
secure scanners are available at consumer
pricing.

--

Regards,
Robert L Bass

=============================>
Bass Home Electronics
941-925-8650
4883 Fallcrest Circle
Sarasota · Florida · 34233
http://www.bassburglaralarms.com
=============================>
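
The lockout discussed in this message, as an added example that is not part of the original post: a reader that counts every non-matching read as a failed attempt inside a sliding time window and gives the same response to every refusal. The class name, the thresholds and the sample tag value are hypothetical and constructed for illustration.

```python
import hmac
from collections import deque

MASK40 = (1 << 40) - 1  # the thread's 40-bit fixed code


class ReaderLockout:
    """Hypothetical one-way reader: every non-matching read counts as an attempt."""

    def __init__(self, enrolled, max_failures=5, window_s=60.0, lockout_s=300.0):
        self.enrolled = [(c & MASK40).to_bytes(5, "big") for c in enrolled]
        self.max_failures = max_failures  # constructed thresholds, tune per site
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.failures = deque()           # timestamps of recent failed reads
        self.locked_until = 0.0

    def _enrolled(self, code):
        # Check all enrolled codes with a constant-time compare and no early
        # exit, so timing does not reveal how much of a code matched.
        raw = (code & MASK40).to_bytes(5, "big")
        hit = False
        for known in self.enrolled:
            hit |= hmac.compare_digest(raw, known)
        return hit

    def present(self, code, now):
        """Return True to release the door. Every refusal looks the same."""
        if now < self.locked_until:
            return False                  # locked out: valid tags refused too
        if self._enrolled(code):
            return True                   # success does not reset the counter
        while self.failures and now - self.failures[0] > self.window_s:
            self.failures.popleft()       # forget failures outside the window
        self.failures.append(now)
        if len(self.failures) >= self.max_failures:
            self.locked_until = now + self.lockout_s
            self.failures.clear()
        return False


def demo():
    # Constructed reads: (seconds, code). 0x12345ABCDE is a made-up enrolled tag.
    reader = ReaderLockout([0x12345ABCDE], max_failures=3)
    reads = [(0, 0x12345ABCDE), (1, 1), (2, 2), (3, 3), (4, 0x12345ABCDE), (303, 0x12345ABCDE)]
    return [reader.present(code, t) for t, code in reads]


if __name__ == "__main__":
    print(demo())
```

Because a valid tag is also refused while the lockout is active, the thresholds trade brute-force resistance against the chance of locking out a legitimate user.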



