Comment by vel0city
2 years ago
RFID just means radio frequency identification. It does not imply any particular standard. NFC can be a type of RFID system. Even saying NFC isn't necessarily implying any particular system of protection, basic NFC has no real protection out of the box and would require the higher-level protocols to actually provide any kind of encryption or relay protection or the like. An NFC-based system of RFID can also be incredibly insecure.
Saying "RFID is insecure, use NFC" is like saying "radio is insecure, use WiFi." NFC is a subset of the concept of RFID, much the same way WiFi is a subset of digital radio protocols.
In my opinion it's clear that NFC is indeed designed with a higher focus on security than general RFID applications. In fact it emphasizes secure data exchange by design. Yes it is a subset of RFID technology operating at 13.56 MHz. Because NFC enables encrypted communication over very short distances (typically less than 4 cm), it is more challenging for unauthorized interception to happen. Also NFC supports two-way communication, which allows for more dynamic and secure interactions between devices, such as payment systems or secure access controls.
RFID, while versatile and utilized across a range of applications from inventory management to access control, does not inherently prioritize security to the same extent. Its broader application spectrum means that specific security measures can vary significantly based on the use case and the design of the RFID system. For example, passive RFID tags, which are widely used due to their cost-effectiveness and simplicity, can be read from distances up to several meters, potentially exposing them to unauthorized scans. Active RFID tags offer longer read ranges and can incorporate additional security features, but their cost and complexity limit their use to specific applications.
Therefore, when comparing the security aspects directly, NFC's design principles inherently prioritize secure exchanges, leveraging close proximity communication and encryption standards that are well-suited for transactions and sensitive data exchanges. This focus on security, combined with the technology's adaptability for consumer use (e.g., smartphones for payments), underscores NFC's advantage in scenarios where security is paramount.
Most hotels use non-NFC RFID and on top of that most use passive tags. So it is certainly an inherent security flaw of hotel door locks. Unfortunately non-meatspace security is also drastically in need of choosing more effective already existing measures.
You keep suggesting NFC has a lot of security concepts baked in, but it's not really true. The base standards of NFC provide no encryption concepts. It provides no protection against sniffing. It provides no authentication. It provides no relay protection. The only "security" you get is it's designed for near communication, but you can absolutely read and write NFC tags from a distance with the right hardware.
Base NFC has almost no security and relies on protocols on top to be secure. For example, Amibos use NFC and are trivially duplicated with cheap writable NFC tags. Contactless credit cards aren't secure because they do NFC, they're secure because NFC allows for an EMV transaction, it's the EMV handshake that handles all the security.
Once again, suggesting NFC just has a lot of security by default is acting like WiFi is always secure. But even worse, because at least WiFi standards have encryption and what not built in and optional, NFC doesn't even provide that.
And then you point out passive tags as if that's a thing that makes RFID less secure (ignoring NFC used for identification is RFID) but then I guess don't realize NFC allows for passive tags as well. I don't need to change batteries on my Amibos or the NFC stickers I put on the Wi-Fi info around the house.
You could build a key card system with NFC that has the same or worse system as older key card platforms. It being NFC gives you absolutely no additional benefit.
I think both our views are valid within their contexts, with the key difference being the distinction between NFC's base capabilities and the security measures actually implemented in NFC applications (where often upper layer protocols like in credit cards, are doing the heavy lifting for security). Since this discussion centers around real world incidence, you're right to point out that NFC does not inherently mean the application will be secure.
I actually will also correct myself about saying that NFC is shorter range than RFID. Both HF and LF have about the same range. UHF has a range on the order of 10m but is almost never if at all used for high volume applications like hotel door locks. I do however disagree with your rejection of the colloquial usage of RFID to exclude NFC. In everyday conversation, I believe it is understood that NFC is a subset.
1 reply →