Physical Security Hacking

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Physical Security Hacking

Post by DNR »

This tutorial comes from my education in Security Administration, crime lab, and work experience.
There are a few elite computer hackers that will agree with me: your computer network is only as secure as the room or building it is in. Who cares if you have all of your servers patched and your own IDS system, when all an attacker has to do is pull the fire alarm to discharge the _water_ sprinkler system.

Attacking networks is almost as fun as those days you lit off firecrackers in school with cigarette timers.
At hacking conventions, you can bet that your wake-up call system, cable/network/phone lines, even electronic door locks will be compromised; compromising physical security was just another fun drunken hack.

I will break this tutorial on physical security into sections. Unfortunately I don't think I will include photographs of techniques; I'll try to be descriptive.

Let's start this off with the useless, typical legal disclaimer. Breaking and entering is a _crime_, usually a felony. Breaking just means you opened a door or window - without permission or rights - you do not have to actually 'break' anything. Entering is simply the act of walking into a vehicle or building you do not have permission or rights to; the door or window can be open, but you are still guilty of criminal trespass/entry.
Committing illegal entry with tools or weapons will add 5 more years to your sentence. Committing another felony while committing the act of illegal entry will automatically double your prison time.
You are learning illegal entry so you can learn to secure your own home from people that will abuse these skills of illegal entry.

This tutorial will assume the building is one of two types, residential and commercial. At this time you would have already determined that the building has no electronic security, at least not one that will contact outside authority.

One of the newest threats to conducting an illegal entry is cameras. It is easy to set up video surveillance with equipment from Radio Shack.
When you consider a building for physical attack, you have to approach the building in ranges, using shadows or cover; use binoculars to scan for video cameras before you get in their range of clarity. Many security cameras are of poor resolution and in black and white. But color cameras, telephoto lenses, high res, and human-operator controlled ones are serious threats. At night, invisible IR lighting will get your picture as if it was daylight, so smile. 8O
Once the building or entry point has been cleared of cameras, you then observe the weak points of entry, doors and windows. Doors and windows were designed for allowing access to the building, hence are inherently failure points. Locks are not meant to keep people out, only to slow down an illegal entry if the person is determined enough. Also, people sometimes spend so much money on a strong lock but didn't consider the door hinges or the material the door/door frame is made of. Since windows are not usually under the threat of forcible entry, like kicking in a door, their locks are flimsier. Most window locks are simple mechanical devices; all it takes is simple observation to determine what tool you'll need.

As with any 'hack' you always try to pick the leet-o techniques that leave little trace of your attack/intrusion.
You can attack the building's glass, but it is evidentiary and, with tempered glass, very messy.

You can also conduct a 'daylight' intrusion while the building is open to the public or employees. Entering most office/education/factories is possible; I have even 'procured' army manuals from an armory - it was open for family day and I happened to drive by with my friends in the car, we walked into their buildings like 'family' :lol: No one questioned us as we left with armfuls of books. Sorry, didn't see any M-4s laying around. :-99
Entering the building while it is full of employees can make any other actions impossible and you might have to be very quick about this. The idea is to set up the building for illegal entry later. You will use techniques like simply duct-taping a door lock, or unlocking a window. Covert entry during operating hours is helpful for determining electronic defenses and even prepping those for illegal entry (tape over motion sensors with aluminum foil) (you can also 'short' entry sensors that are exposed above the doors - the electronic security system would arm, either thinking the door is always closed, or bypass it as a failed sensor.)
Again, beware of cameras. I would trespass in many college computer labs for internet access, and even library computer labs; they all had cameras. You have seen video on TV of people breaking into party stores caught on video; the same can happen in office buildings. Most of the time, the video tape will be reused and evidence of your trespass will be erased. Since watching security video tape end-to-end is not only boring but impossible, they only watch the video tape if something happened and perhaps with a known time frame of occurrence. At Best Buy, they run their video security systems at night using regular VCRs; the problem is that the VCR uses up the tape by, say, 4am..
:-99 you didn't hear it here 8-[
Most video security systems use a set of seven tapes, one for each day. So if you do a covert entry and get caught on camera, you have to hope that seven days later, they are taping over your image.
Remote video can be transmitted to a VCR or even a computer hard drive elsewhere via telephone line or computer connection.
It is now possible to detect cameras and even binocular optics up to 1200 yards away.
$99 USD optics detector
http://www.shomer-tec.com/site/product. ... D767C5F04C

OK, got to break here. :-k I will write more later; feel free to write your own experience/study of physical security.

DNR



Ok, barring the chance of entering the building while it is unlocked, you now have to make entry while it is unlocked, also unoccupied. Of note, entering a building like a home while it is occupied is a more serious crime than if it was unoccupied. Most burglars want to break into your home while you are not there because of this fact.

The door is frequently chosen for illegal entry because it is obvious and easy to enter. If the door appears to be heavily secured, check windows. I have entered factories via windows left open because of poor ventilation, and people were too lazy to close them.

When you examine the door, you right away look at the door swing: does it open outward or inward, as those attacks are different. If the door opens outward, that means you can consider attacking the door hinges vs the door locks. The different door swing also means the locking mechanism works differently; the outward opening door has its door lock latch sloped inside. Picture this: if the door opens inward to the room, the door lock can be slipped with a credit card or thin piece of metal - that's because the lock is sloped outside.
You cannot use a credit card/flat metal to slip the lock if it opens outward.
It has to be a hook type tool, picture a hooked knife blade or even coat hanger bent into a hook.
(again, if the door opens towards you, it swings out, if the door swings away from you, it opens in-ward <is that a #@%& word?>)
You also count the locks. A doorknob lock is the easiest, because you can slip a hook or flat metal between the door and door frame to control the latch. You want to coax it out of the hole in the doorframe. Sometimes the gap between the door and doorframe is so bad you can even try to yank the door.
The more locks you have on the door, the more you might want to consider other routes of entry. Lock picking is possible, but better locks have more pins and even double sided pins.

http://www.lysator.liu.se/mit-guide/mit-guide.html


Real pros use an electronic lock pick, but they can be restricted and are certainly considered burglary tools if you get pulled over with one in your car.

DNR
Last edited by DNR on 23 Jan 2009, 21:37, edited 1 time in total.


Physical Security Hacking, continued

Post by DNR »

Because new locks have more pins (those fit in the notches on your key) and closer tolerances than old locks, lockpicking is for the movies.
I think at best I could pick a 7 pin lock. All I used was a dental pick and a piece of spring steel.

Think outside the box, and come with the right tools.

When I was younger my friends and I lived in 'punk' houses, he ran one and I ran one; basically it's young punks (m/f) that share a house by dividing up rooms. You would occasionally get a renter that ain't got rent.
Now, every room was locked by their own personal locks. This room had a hasp and combo lock, so what do you do?
All it took was a circular saw with a regular blade, not on the door! But on the chrome hook of the padlock. It cut through it in a shower of sparks, but it was off in 5 seconds. Wear eye protection. When you hold people's stuff for ransom (rent+utilities share) people pay up :twisted:

I even got to check out a report where burglars used road flares lined inside a metal garbage can to cut a round hole through the 3/8 thick break-resistant acrylic window of a business. It worked.

Other people have removed the door frame from the building, by prybars or even a motor vehicle.

You can fashion your own 'SWAT' tools, the battering ram, the hydraulic jack to spread the door frames, etc. The idea is to come prepared.
Any lock can be defeated, you just need the right tool. The hydraulic jack is used inside the door frame, to expand the frame and allow the lock to slip out. If done correctly on a wood frame/large gap door, you might not leave a mark :wink:

Windows can be a means of entry, but can be harder to exit the building quickly/safely. Newer commercial buildings may not have windows that open, as proper heating/AC controls are more efficient.
Windows are made of several types of material: glass - in plate, tempered, double/triple pane - and plastics - mainly acrylic or polycarbonate.
The difference between the two types of plastic is important: polycarbonate is not only very break resistant, but bullet resistant. It is expensive and has a greyish tint.
Polycarbonate peels rather than cracking like acrylic.
Acrylic is preferred not only because it's cheaper than polycarbonate, but because it has no tint.
Both have different flame properties, and as I said, acrylic can be chipped away, while polycarbonate has to be peeled away.

If the building is older, they might have upgraded the windows to plastics, but they still have the old wood/fiberglass window frames - just remove the 'glass' from the window frame genius :wink:

Tempered glass as you know is the kind that is heat treated so it will break into many little pieces rather than long sharp, knife-like pieces.

Tempered glass can also bend before breaking; you could bounce a cinder block off a side window of a car and it won't break. The key is putting the window under pressure before trying to break it. Not to get complex, but to keep it simple - just do this -
Don't use a large rock to break tempered glass; you need to focus the force into one tiny area of the glass. You can toss a simple nail punch tool at the window like a dart; when it hits the glass with the tip, it breaks the glass and the tool will sail right through. Large tempered glass windows will likely collapse, while the regular/auto sized windows will remain in place, albeit cloudy because of all the cracks.
All you need to do is wear gloves and push it down, but try not to get the glass in your hair, clothes, or embedded in your shoes - it's an old cop trick to shine a flashlight on you to spot glass fragments. :?

As far as window security, if windows do not open, there will not be any magnetic or pin switches to worry about. The days of metallic tape that rips when the glass breaks, and glass mounted sensors are over, as they use motion sensors installed in the room.

Another tut can cover alarm systems, but this building in mind has none.

Try to be clever and not leave any trace of your trespass, there should be plenty of flimsy doors or windows to try, rather than blowing out a window.

Crazy shit like shooting off a lock, or door locks, just watch Mythbusters. If done incorrectly, it's just noise and more work.

If you take the time to examine door locks and even their installation manuals, you can see they are pretty much the same design, just stronger or weaker. You might have the screws that hold the door knob assembly facing you :lol: If you came prepared with even an SOG tool, you can just disassemble the knob, and then manipulate the latch inside.
Reassemble the knob before you leave, and no one would know..

Lacking access to the screws, you have to do some damage. Cheap doorknob locks can be broken with a pipe wrench, just apply and twist open. If your SOG tool does not come with a pipe wrench, you can try peeling back the plate behind the knob. Just like learning code to hack, you need to play with locks to learn to crack them. They are simple mechanical devices, unlike something like a computer :wink:

By the way, this article assumed you wanted to try something other than kicking the door open. You could kick the door open if you want, but you'll do some damage, maybe even to yourself. If you insist on kicking the door, the proper way is to face _away_ from the door, with your back to the doorframe; this has a lot of power in the back kick, you won't hurt yourself, and if someone shoots at the door from the inside, they won't hit you.

More tuts later..

DNR

computathug
Administrator
Posts: 2693
Joined: 29 Mar 2007, 16:00
Location: UK

Post by computathug »

I for one am quite enjoying having you back at the forum. I enjoy reading posts where people put time and effort in and can make people think wider or bigger than they have been doing. I must say though I could take up being a burglar with this LMAO. Just add a few extras like always wear gloves. Don't wear the surgical type gloves or gloves that can lose fibres. Petrol station gloves are the best as these aren't traceable. Also remember they can trace footprints from shoes and trainers etc, so get rid and burn them after.

I also like how you included both residential and commercial and also the fact that if someone is on the premises at the time, this becomes aggravated burglary.... a serious crime that holds quite a lengthy sentence.

Anyway, nice post matey and I look forward to reading your future posts 8)


never leave home without protection

Post by DNR »

Sidenote, I'll try to continue with the Physical Security Tut later today, it's my day off. :wink:

C-Thug, well my preference IS rubber gloves, esp. surgical flesh colored. Since they match skin tone, at a distance, it looks like you are not wearing gloves. Surgical grade is best as they are stronger than regular latex gloves. Now, as a crime lab tech, it is possible to recover fingerprints inside the glove, so make sure you dispose of the gloves elsewhere and destroy them, you can just pour gasoline on them - they'll melt. If you are going to be doing some deconstruction work, like tearing down a wall or window - then mechanic's gloves are good - just make sure that you discard them, along with the shoes and clothes you wore.

I might also suggest going to a salvation army/flea market and buying old shoes, they can be sizes too small or too big. Wear them to the crime scene and then discard them.

Remember that stores like Wal-Mart have security cameras. Many criminals have been caught buying tools and gloves even just a few blocks away from the crime scene or where they live. Detectives actually visit nearby stores to check out video tape - transactions can be stamped to the videotape - meaning that they can look up your video by querying the computer for when/what register a CC was used or when someone bought item #007 ball-peen hammer. The same #007 ball-peen hammer you left at the #@$% crime scene.

Of course smaller stores may not have this technology, or even video cameras; just hope you don't run into the old lady with a photographic memory. :lol:

Flea markets are ideal - esp. outdoor displays, cash only, no receipt, etc.
I bought my hooligan tool here. :P

Again, this thread is meant as an informational post. Security specialists and the police already know this stuff, so you might as well know too.

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.


Physical Security Tut; Camouflage and social engineering

Post by DNR »

This section will assume you are entering a commercial building or home while it is open.
The tactics have already been used by others and myself included. This also comes from work experience in security in these settings. This can be an office building, hospital, military armory.

Rule number one: People look for what does not belong there.
This is based on the tunnel vision that people have when they are at their work place; they are too busy to see everything going on, so they only have their 'radar' set for things unusual or out of place. If you are dressed like everyone else and behaving like everyone else, you will blur into the background.

Why bother trying to figure out how to sneak past a security desk by the elevators, when you can do what everyone else does, just walk up to the desk and sign in! :wink: By quickly scanning the sign-in book you can see how everyone else signs in, and copy it. Unless you are trying to get into a real high security facility like Los Alamos labs, the low-paid officer won't even glance at you twice as he gives you a visitor badge :lol:

As you might profile a person on a computer, by watching their behavior, you can also apply this tactic to real life situations. Everyday, everywhere, everybody is following a routine of daily behavior.

Let's use the medications room on my hospital unit as an example. The medications room has a five-digit punch code lock on it. It is a solid door, and it is in a heavy traffic area, right by the nurses station even.
If you wanted to gain entry to this room, you would observe the behavior associated with that room - who gets in, how they get in, how often they access the room. You would try to spot the weak link in their process; for example, let's start with the lock itself. The lock itself has only 5 digits, the number one starting at the top, and ending with the number five on the bottom. The touch-pad is plainly visible to anyone within 15 feet of the door; it is in a heavy traffic area - an area where even visitors can stand nearby. Since you know the numbers are arranged top-to-bottom, you are just trying to spy people's hand movements as they punch in the code. If you can observe this from several different views, you'll get the code numbers. The next thing is trying to blend in as you access the room; you need a person that is not known to the locals, like the people working at the nurse station - so dressing as a nurse would be a bad idea, capice? I observed the room for several days and noticed that they have a transporter that is usually new, and did not interact with the nursing staff. They were nobodies that were completely ignored by the local staff. The scrubs worn by the transporter can be bought at a Wal-Mart. The next observation would be the timing of that transporter's visits; it was found that the timing was random. I would only have to make sure the transporter is on rounds elsewhere.

The same observations and tactics can apply to other scenarios/locations.
The best damn thing I ever got for my spy kit was a brown UPS uniform; you can go anywhere with one, including a courthouse.

The key to any 'attack' is observing your 'enemy'. No one is smart to go up against a person or building with no info to prepare for. Learning how to conduct surveillance is important. You learn how to install sniffers on a network, so learn how to sniff people elsewhere.

I liked my job as security; it gave me access and keys to anywhere in the facility. I have been in high rise residentials, hotels, factories as big as TRW, and even a bank's wire-transfer server farm. Going to hackercons is cool too; hackers will go to any length to invade every locked closet, one of them will have the PBX, network equipment there.

Keys:
There are several entry devices you may need to get into some doorways, I have worked with several.

The keys, refer to the part about lockpicking.
Your only other hope is to find a set of keys left in a custodian's/security closet.
Keycards; these have to be swiped to open a door, usually the data is on a magnetic strip, but newer ones are working by RFID. Some are so cool you can be 10 feet away from a door for it to RFID you and open it.
One hack that is discussed is trying to chirp an RFID from an authorized user, and then playing it back to the door - to fake the RFID. RFID hacks are very possible as the technology is new.
Those creditcard keyfobs like Speedpass, and other creditcards you wave over a CC transaction device, can emit RFID if you get close enough to their wallet.

Doorlocks with touch keypads - you can use a dye that can only be seen under UV light/black light, mark the entire keypad with the dye, the numbers used will be rubbed off. Then you need to determine the order the number is used, most mechanical touchpad locks will _not_ lock you out after failed attempts. You might have to hit the '* or #' on the keypad to reset though.

Video cameras can be used to observe buildings, doors, and ATM keypads even. By observing usual items that people are used to seeing around the building, door, or keypad - you can make a hidden camera built into the device. The police have even made a power transformer that can be installed on the telephone pole outside your house - with a controllable color video camera inside. I have built one into tissue boxes, pop cans, a brochure box. For Best Buy, I installed a remote camera in a product box to cover an area that shady employees knew was a 'dead' area from the regular surveillance cameras. Gee, we caught two employees that weekend.. :lol: Pin-hole cameras are cheap nowadays, and run off 9 volt batteries. The wifi system you'll need to transmit your camera to a VCR is cheap also. I think I could put one together now for about $45USD, VCR not included.
You can also conduct surveillance by sitting in a vehicle, hiding in brush, or from your own house. I don't need to discuss those basics, like not running the vehicle, esp. in cold weather, bringing something to piss in, not getting caught transitioning into woods while wearing woodland camo.

Oh, I guess rule number two is "don't stand out". Dress as the locals do, if they are wearing shop clothes, you do too. If they wear business suits, you do too. I also like non-descript vehicles, colors that don't stand out, a model that fits in business or neighborhood. Nothing better than someone complaining to a cop about a 'white, four-door sedan', rather than "Cherry red, two-door with 20" wirerims" :lol:

The idea of this thread is to expand your thinking in situational awareness, and use this for your defense.

At least you learned today not to trust someone just because they are dressed alike, or wearing a utility worker/public worker uniform.
The hardest part of social engineering a building intrusion, is the identification - so always ask to see their ID.

DNR


Physical Security : Outdoor lighting

Post by DNR »

Outdoor lighting for security is basic: you try to eliminate shadows where burglars can pull up a vehicle and get to work on a door or window.
Outdoor lighting assumes that someone will be watching, either a neighbor or a camera.
Outdoor lighting, since it is used at night, either runs on a timer or a photocell. The timer will be located inside the building if the light is installed on it or very close by. If the light is on a timer but located at a distance from the building (like a lit sign), the timer box may be installed on it or nearby; this is due to ease of construction and installation.
Photocell switches are usually contained on the light itself, they can also be called 'electric eyes'. As light darkens or brightens, the photocell controls a switch for the light.

I fooled a photocell switch by making a little kit out of a 9-volt battery and an LED (light-emitting diode for you noobs); it made the photocell think it was daylight and shut off the annoying light :wink: By the same principle, you should be able to aim a laser beam at a photocell to fool it into thinking it's daylight.

Timers located inside buildings are usually accessible by the custodian, so look for custodian closets. Timers on the outside of the building can easily be broken into, but they only control that specific light.

Lights can be broken out, newer lights have break resistant shields. The air rifle will always break them, while rocks from a sling shot won't. BTW, use ball bearings in the slingshot and it will! :lol:

Lights are also vulnerable because they need power; instead of attacking the light on a pole, you can access the wire panel on many poles, even with an SOG tool.
For noobs, the SOG tool is a multitool like a swiss army knife :roll:


Beware of high tech lighting like IR; IR just requires a special lens to use invisible IR lighting. It can illuminate a doorway or an entire front yard. IR light can be detected with IR detector/lenses - that's why snipers do not use IR light systems - the bad guy can easily see the IR beam too!

Other generation night vision uses existing light and is too expensive, and perhaps not as high quality for commercial/security use.

Motion controlled lights work by light beams, radio/radar, and ultrasonic/radar. The light beam is like a gate opener when a vehicle breaks a beam of light in the driveway. The radio frequency is indoor/outdoor type - this will set off your police radar detector because it's the same freq. The ultrasonic one is common indoors because they work best in small areas with little interference. Either radio freq or ultrasound waves rely on the radar picking up the return signal of the bounced radio freq/ultrasound waves. Anything blocking or interrupting the expected signal return sets off the alarm.
You can defeat motion sensors if you block it from detecting motion. The ideal case would be you'd tape over the sensor _before_ the system is activated. Now, Mythbusters - a TV show, did prove that you can use a shield and slowly move it in place, if done slow enough, the motion sensor will not see a dramatic change in the signal return. The weakness is to prevent the damn motion sensor from going off when a plant farts or the room temperature changes.

Enough on lights?
:-k
DNR
Last edited by DNR on 05 Oct 2007, 09:46, edited 1 time in total.

Oppconsulting
Fame ! Where are the chicks?!
Posts: 205
Joined: 05 Aug 2007, 16:00
Location: Wheres Waldo

Post by Oppconsulting »

I really don't believe in encouraging crime or bad behavior, but whatever, you guys do what you want and live the lives you want. I use many tactics from alarm response jobs and working hand in hand with the police and others that are pretty damn close to fool proof because of how hidden and unexpected they are, so I will never make lists of them all or all my knowledge for anyone or criminals to use, but that's me and my own personal preference. Say or disbelieve all you want, but we had a 100% rate with the buildings using these systems, but not all had them or enough of them, so whatever, have fun.
“As usual, there is a great woman behind every idiot.”
― John Lennon
“One thing you can't hide - is when you're crippled inside.”
― John Lennon


Real-time monitoring

Post by DNR »

When I worked at a bank's international wire-transfer building, I also had monitors showing video from remote locations - usually nearby banks' lobby and vault areas. This ran off an old 386 PC; it would refresh every 5 seconds, black and white. For network security, I have always said there is nothing better than real-time monitoring of networks. Real-time monitoring has a person watching monitors of several locations, to catch anything unusual and quickly report to supervisors or police. This takes care of the lag in the alarm type security and is a bit more fool-proof against false alarms, because the security officer would be watching the crime take place, rather than calling the building owner first, then police, over what might be a faulty sensor. This security used to be only for banks, but now any building with a telco/internet commo can be set up to send video images to a security office for a low monthly fee.
Pin-hole cameras are now pretty cheap, and high-res color ones are the best. Thieves can't 'worry' about cameras if they don't see any. This might be a good idea to prevent shop keepers from being beaten or killed over a video tape.


Physical Security, chapter RFID

Post by DNR »

System for biometric security using a FOB
http://www.patentgenius.com/patent/7303120.html

System and method for payment using radio frequency identification in contact and contactless transactions
US Patent Issued on July 3, 2007
http://www.patentstorm.us/patents/7239226/fulltext.html

--
https://www.speedpass.com/forms/frmTermsOfUse.aspx

You may not copy, modify, rent, sell, distribute or transfer any part of the software or information contained in the Speedpass Device. You may not reverse engineer, decompile, decrypt, extract, or disassemble the software or information contained in the Speedpass Device nor attempt in any other manner to obtain the source code, including any algorithms contained therein, of such software. You agree not to extract any information or concepts from the Speedpass Device, nor to assist anyone else in such an effort. You agree that any breach of this Agreement will result in irreparable and continuing injury to Exxon Mobil Corporation and therefore in addition to all other remedies available, any breach or threatened breach of this Agreement may be prohibited by restraining order and/or injunction and that Exxon Mobil Corporation shall also be entitled to recover its attorneys’ fees and to seek any other equitable remedy available at the time

---
RFID: Speedpass Hacked (video)
http://nosheep.net/story/rfid-speedpass-hacked/

Johns Hopkins professor Avi Rubin and his graduate students were able to quickly find a way to reproduce an existing Speedpass token. They built a small device that attaches to a laptop, which can then swipe Mobil Speedpass codes just by casually walking by someone who has one in their pocket.

----
Attack on a Cryptographic RFID Device
http://www.rfidjournal.com/article/articleview/1415

The Digital Signature Transponder (DST), as TI calls this tag, helps secure millions of automobiles against theft and millions of payment transactions in Speedpass tokens against fraud. The JHU-RSA team consisted of six academic and industrial researchers, of which I was one.

The mechanism for digital security in the DST is an encryption algorithm, also known as a cipher. Every DST contains a secret, cryptographic key that it shares with trusted RFID readers. For example, a DST-equipped automobile ignition key shares a cryptographic key with an RFID reader in the automobile. (To clarify: The ignition key is physical, of course. The cryptographic key is digital, i.e., a secret string of bits.) To authenticate a DST--that is, to verify that an ignition key is legitimate--the reader in an automobile transmits a random string of bits to the DST in the ignition key. The DST encrypts this bit-string using its secret, cryptographic key and transmits a portion of the result as its response to the reader. Because the reader possesses the secret key too, it can verify the correctness of the response. In this way, the automobile distinguishes a valid ignition key from a bogus one.



The Texas Instruments DST encryption algorithm is secret and proprietary. One scientific result of the JHU-RSA team was a successful reverse-engineering (unraveling) of the DST encryption algorithm. We did not accomplish this by examining the internal workings of a DST. Rather, we obtained a rough schematic of the cipher from a published Texas Instruments presentation, and purchased several DST tags. Using a normal TI RFID reader, we interrogated the DSTs in a carefully devised, mathematically structured way.

Having reverse-engineered the cipher, we demonstrated that the 40-bit length of its cryptographic keys is inadequate--not just vulnerable to brute-force attack, as the cryptographic community knows, but inadequate in the face of practical attacks against the DST system. We implemented a system of attack that operates in three phases against a target DST:

1. “Skimming”: We use an RFID reader in our possession to establish brief radio contact with the DST. The reader interrogates the DST twice over the course of a fraction of second.

2. Key cracking: Employing the “skimmed” data, we use a specially programmed hardware “key cracker” to recover the unique cryptographic key of the DST. With a few hundred dollars worth of equipment, this takes about 10 hours on average. We are working on a software system that uses standard cryptographic techniques to crack a key in minutes.

3. Simulation: We program a hardware device with the cryptographic key recovered from the DST. This device can then impersonate the original DST; while our device is dissimilar in shape and size to a DST, it is digitally indistinguishable.

Loosely speaking, we demonstrated the digital cloning of DSTs. We believe that an attacker with the right expertise could manufacture a self-contained apparatus about the size of Apple iPod that implements all three phases of the attack. Such a device might cost as little as several hundred dollars.

Anyone capable of the attack we have demonstrated can effectively roll back automobile security by 10 years, contravening a mechanism that has been responsible, by some accounts, for a 90 percent reduction in automobile theft. Alternatively, such an attacker could charge gasoline purchases to a victim’s Speedpass account. We have not created a weakness in the DST: We have uncovered one with serious implications.

To validate the correctness and practical implications of our research, we purchased gasoline using a device that simulated a Speedpass tag that belonged to us. We likewise started an automobile in our possession with an ignition key that lacked its companion DST. Of course, in a real attack, additional security mechanisms like the fraud-protection mechanisms of the Speedpass network and the mechanical steering-column lock system in automobiles would pose additional impediments.

Setting aside the technical legwork to create the system, the difficulty of our attack (and thus debate about its impact) hinges on the difficulty of skimming. Using one of TI’s standard RFID antennas, we have achieved an experimental skimming range of several inches. An attacker that brushes up near a victim’s pocket or a parking valet handling a victim’s car keys could easily skim a DST. In contrast to picking a pocket, an attacker can perpetrate skimming with relative ease and impunity.

We believe that longer skimming ranges--perhaps 1 or 2 feet--are possible, but have not yet tried to achieve these. A special form of skimming is possible in which an attacker eavesdrops on communications between a legitimate reader and DST. This type of attack could be viable at a distance of tens of feet or more. We have not yet experimented with such attacks.

--------

How To Cheat At Deploying And Securing RFID
http://www.en-genius.net/site/zones/des ... ook_040708
----
http://www.spychips.com/
http://www.nocards.org/AutoID/overview.shtml
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
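The challenge-response mechanism quoted above from the RFID Journal article, modelled as an added Python example. This is not DNR's code, not the researchers' code, and not the real DST cipher: HMAC-SHA256 stands in for TI's proprietary algorithm, and the 5-byte challenge and 3-byte truncated response are illustrative assumptions. It shows the two things a defender should take from the article: fresh random challenges stop a recorded response from being replayed, but the protocol is only as strong as the key behind it, so the last function converts the article's "about 10 hours on average" into the per-second trial rate a 40-bit key demands, for comparison with a 128-bit key.

```python
"""Toy model of reader/transponder challenge-response authentication.

Constructed example: HMAC-SHA256 stands in for the proprietary TI cipher,
which is not on the page. Key length, challenge length and the truncated
response length are parameters so the 40-bit case can be compared with
modern sizes.
"""
import hashlib
import hmac
import secrets


class Transponder:
    """Tag side: holds the shared secret key and answers challenges."""

    def __init__(self, key: bytes, response_bytes: int = 3):
        self._key = key
        self._response_bytes = response_bytes   # assumed truncation length

    def respond(self, challenge: bytes) -> bytes:
        # Key the challenge under the shared secret and return only a
        # portion of the result, as the article describes the DST doing.
        full = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return full[: self._response_bytes]


class Reader:
    """Reader side: shares the key and checks the tag's answer."""

    def __init__(self, key: bytes, response_bytes: int = 3):
        # The reader recomputes the expected answer with its own copy of the key.
        self._model = Transponder(key, response_bytes)

    def new_challenge(self, nbytes: int = 5) -> bytes:
        # A fresh random challenge per authentication attempt.
        return secrets.token_bytes(nbytes)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        expected = self._model.respond(challenge)
        # Constant-time comparison so the verifier leaks nothing about the key.
        return hmac.compare_digest(expected, response)


def authenticate(reader: Reader, tag: Transponder) -> bool:
    """One full exchange: reader challenges, tag responds, reader verifies."""
    challenge = reader.new_challenge()
    response = tag.respond(challenge)
    return reader.verify(challenge, response)


def replay_attempt(reader: Reader, recorded_challenge: bytes,
                   recorded_response: bytes) -> bool:
    """Replay a previously observed response against a fresh challenge.

    With random challenges this is expected to fail: the recorded answer
    only matches the challenge it was computed for.
    """
    fresh = reader.new_challenge()
    if fresh == recorded_challenge:      # astronomically unlikely collision
        fresh = reader.new_challenge()
    return reader.verify(fresh, recorded_response)


def keyspace(bits: int) -> int:
    """Number of possible keys of the given length."""
    return 1 << bits


def keys_per_second_for_average_crack(bits: int, seconds: float) -> float:
    """Trial rate needed to find a random key, on average, in `seconds`.

    On average half the keyspace must be tried before the right key turns up.
    """
    return keyspace(bits) / 2 / seconds


if __name__ == "__main__":
    key = secrets.token_bytes(5)          # a 40-bit key, the size the article criticises
    reader, tag = Reader(key), Transponder(key)
    print("genuine tag accepted:   ", authenticate(reader, tag))
    c = reader.new_challenge()
    r = tag.respond(c)
    print("replayed answer accepted:", replay_attempt(reader, c, r))
    print("40-bit keyspace:        ", f"{keyspace(40):,}")
    print("keys/s to average 10 h: ", f"{keys_per_second_for_average_crack(40, 10 * 3600):,.0f}")
    print("128-bit keyspace is 2^88 times larger:",
          keyspace(128) // keyspace(40) == 1 << 88)
```

The point of `replay_attempt` is that challenge-response already defeats the simplest attack, recording and replaying a good answer; what the article describes is the harder step of recovering the key itself, which the protocol cannot prevent once the key is short enough to enumerate. `keys_per_second_for_average_crack(40, 36000)` works out to roughly 15 million trials per second, a rate well within reach of modest hardware, while a 128-bit key multiplies the work by 2^88.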
