The more pertinent matter is that it took this long for RFID exploits to start catching the public eye. RFID is the least secure communication protocol that could be used for locks. At the very least we should have NFC be the standard.
Someone with the intent and know-how to crack RFID readers could put together a hardware tool to do so. Does the Flipper Zero provide such a tool? Yeah. Does the responsibility of following ethics fall with the user? Debatable, but I think absolutely yes.
If one carries around a lockpicking set and learns how to use it, they can go right ahead, correct? We accept the fact that people exist that can pick locks and yet 80% of states allow possession and use of lockpicking tools in a legal manner.
It's not just that RFID isn't very secure, it's that a lot of locks are using the worst possible implementations. Just checking the ID of the RFID chip against a whitelist is an astonishingly common method. Not only does that make access cards easy to clone and provide no cryptographic security at all; if you bulk buy access cards you often get sequentially numbered cards ...
OTOH I can use my credit card to open my door - and this is even advertised as a feature by the manufacturer!
RFID just means radio frequency identification. It does not imply any particular standard. NFC can be a type of RFID system. Even saying NFC doesn't necessarily imply any particular system of protection; basic NFC has no real protection out of the box and would require the higher-level protocols to actually provide any kind of encryption or relay protection or the like. An NFC-based system of RFID can also be incredibly insecure.
Saying "RFID is insecure, use NFC" is like saying "radio is insecure, use WiFi." NFC is a subset of the concept of RFID, much the same way WiFi is a subset of digital radio protocols.
In my opinion it's clear that NFC is indeed designed with a higher focus on security than general RFID applications. In fact it emphasizes secure data exchange by design. Yes, it is a subset of RFID technology operating at 13.56 MHz. Because NFC enables encrypted communication over very short distances (typically less than 4 cm), it is more challenging for unauthorized interception to happen. Also NFC supports two-way communication, which allows for more dynamic and secure interactions between devices, such as payment systems or secure access controls.
RFID, while versatile and utilized across a range of applications from inventory management to access control, does not inherently prioritize security to the same extent. Its broader application spectrum means that specific security measures can vary significantly based on the use case and the design of the RFID system. For example, passive RFID tags, which are widely used due to their cost-effectiveness and simplicity, can be read from distances up to several meters, potentially exposing them to unauthorized scans. Active RFID tags offer longer read ranges and can incorporate additional security features, but their cost and complexity limit their use to specific applications.
Therefore, when comparing the security aspects directly, NFC's design principles inherently prioritize secure exchanges, leveraging close proximity communication and encryption standards that are well-suited for transactions and sensitive data exchanges. This focus on security, combined with the technology's adaptability for consumer use (e.g., smartphones for payments), underscores NFC's advantage in scenarios where security is paramount.
Most hotels use non-NFC RFID and on top of that most use passive tags. So it is certainly an inherent security flaw of hotel door locks. Unfortunately non-meatspace security is also drastically in need of choosing more effective already existing measures.
RFID is just a bidirectional link between the reader and the card. The security depends on what you send over that link. RFID in itself doesn't imply security or insecurity.
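The two points made above (a reader that only compares the chip's serial number against a whitelist, with sequentially numbered cards from a bulk order, and the observation that security depends on what crosses the link, not on the link itself) can be shown side by side. The following is an added example written for this page, not code from any commenter or from any real lock vendor: the radio link is modelled as a plain function call, the card UIDs, per-card keys and the attacker's "cloned card" are all constructed for the demo, and the challenge-response scheme is a generic HMAC construction, not a model of any specific card family's authentication.

```python
"""Two access-control readers sharing the same (simulated) radio link.

Reader A asks the card for its serial number and compares it to an allow-list.
Reader B sends a random nonce and expects an HMAC over it computed with a
secret that was only ever written to genuine cards.

Everything here (UIDs, keys, command names) is constructed for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class GenuineCard:
    uid: bytes   # 4-byte serial, readable by anyone who can power the chip
    key: bytes   # per-card secret, assumed never to leave the chip

    def respond(self, command: bytes) -> bytes:
        if command == b"GET_UID":
            return self.uid
        if command.startswith(b"AUTH:"):
            nonce = command[len(b"AUTH:"):]
            # Response is bound to the reader's nonce and to this card's UID
            return hmac.new(self.key, self.uid + nonce, hashlib.sha256).digest()
        return b""


class ClonedCard:
    """What a cheap emulator holds after watching one GET_UID exchange."""

    def __init__(self, uid: bytes):
        self.uid = uid

    def respond(self, command: bytes) -> bytes:
        if command == b"GET_UID":
            return self.uid
        # No key material: a cloned card can only answer with garbage
        return os.urandom(32)


def uid_whitelist_reader(card, allowed_uids: set) -> bool:
    """Reader A: the 'check the ID against a whitelist' implementation."""
    return card.respond(b"GET_UID") in allowed_uids


def challenge_response_reader(card, key_db: dict) -> bool:
    """Reader B: same link, but the card must prove it holds the key."""
    uid = card.respond(b"GET_UID")
    key = key_db.get(uid)
    if key is None:
        return False
    nonce = os.urandom(16)
    expected = hmac.new(key, uid + nonce, hashlib.sha256).digest()
    answer = card.respond(b"AUTH:" + nonce)
    return hmac.compare_digest(answer, expected)


def neighbouring_uids(seen_uid: bytes, span: int = 3) -> list:
    """Sequentially numbered batch: one observed UID suggests its neighbours."""
    n = int.from_bytes(seen_uid, "big")
    return [(n + d).to_bytes(4, "big") for d in range(-span, span + 1) if d != 0]


def demo() -> dict:
    # Constructed batch of five sequentially numbered cards, as from a bulk order
    batch = [GenuineCard((0x10000000 + i).to_bytes(4, "big"), os.urandom(16))
             for i in range(5)]
    allowed = {c.uid for c in batch}
    key_db = {c.uid: c.key for c in batch}

    victim = batch[2]
    clone = ClonedCard(victim.respond(b"GET_UID"))       # sniffed the UID once
    guessed = [ClonedCard(u) for u in neighbouring_uids(victim.uid, 2)]

    return {
        "genuine_on_whitelist": uid_whitelist_reader(victim, allowed),
        "clone_on_whitelist": uid_whitelist_reader(clone, allowed),
        "guessed_neighbours_on_whitelist":
            sum(uid_whitelist_reader(g, allowed) for g in guessed),
        "genuine_on_challenge": challenge_response_reader(victim, key_db),
        "clone_on_challenge": challenge_response_reader(clone, key_db),
        "guessed_neighbours_on_challenge":
            sum(challenge_response_reader(g, key_db) for g in guessed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Against the whitelist reader the clone opens the door and, because the batch is numbered consecutively, so do all four guessed neighbours of the one UID the attacker saw. Against the challenge-response reader the same clone and the same guesses all fail, over exactly the same link. Note what this does not fix: a relay that forwards the reader's nonce to a genuine card held elsewhere still succeeds, which is why proximity or timing bounds are a separate concern from authentication.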
Feels like a very US-specific mentality. Back in the UK carrying lockpicking tools outside your home without good reason is "going equipped" and a crime in itself, and that's generally supported.
US lockpicking enthusiasts tend to know their states' laws (see e.g. https://www.toool.us/lockpicking-laws.php)
In general it's probably okay to bring your picks somewhere in most parts of the country if you're a hobbyist.
In general it's a bad idea to carry picks if you're doing anything that a prosecutor could construe as breaking into a building to steal things. This is an area to be particularly aware of for urban exploration, where trespassing is bad but burglary with burglarious tools is like felony bad.
The UK is notoriously prohibitive of things that could be used in crimes; I mean, we're talking about a country where a screwdriver is potentially an "offensive weapon" if carried without a "legitimate purpose".
However, that is a fairly extreme case, and most countries don't have such laws on the books (or if they do, what's illegal is "possession with intent").
I don't have a formed opinion on available lockpicking kits other than if you make them contraband they will still be available in different ways and that measure will have the opposite effect.
But a lockpicking kit has one purpose: picking locks. A Flipper Zero type device has plenty of legitimate, legal, personal uses in an IoT equipped home.
The Flipper Zero being banned will lead to a flood of copies, not to mention black market OEM versions.
As long as we are talking about specific markets, I have a couple of stories.
In the United States, postal services have access to clusters of mailboxes and some common areas where the mail carrier can leave mail and parcels, which can be entryways or some kind of storage rooms, for example, so that the owners can pick them up when they get home. These rooms are locked with padlocks made by several local companies. Once a key is inserted and turned in the lock, it can only be retrieved by turning it in the opposite direction to the default position, but even then they manage to forget them in the locks.
A customer from the USA came to us and asked us to combine this padlock with an intercom system we are developing to signal the administrator that the letter carrier came, opened/closed the lock or forgot the key in it. Nobody wants to switch to RFID, of course, or else the employees of the lock manufacturing company will have nothing to eat, so we had to enlarge the intercom vertically in order to build into it a lock whose transom will close a group of contacts on the panel, letting us know that something is going on. On the edge, lmao.
https://imgur.com/a/63GoaTB
In the UK, mailmen are treated very differently - the intercoms have a special button on the intercom which, when pressed, will open the door so that the mailman can enter and drop off the mail without having to carry keys or RFID identifiers. Normally this button is set for some working hours, for example from 9 to 5 and of course anyone can press it and get into the premises.