Elvis Takes Off

The other day I mentioned that it’s possible to clone a RFID passport, a massive security risk that the government seemingly doesn’t care to much about. It’s no longer really a proof of concept. Elvis now has an accepted RFID passport. That’s right. Mr. dead in 1977 Elvis Aaron Presley. The hack was done in Amsterdam, but you can bet it will be done elsewhere as time progresses.

How To Hack A RFID Card

Boing Boing TV has a great video on how to hack a RFID credit card for a mere $8. I’ve said it more than once that I don’t trust it yet. This is why. You just removed the best security feature on the card (the ability to keep it and it’s information out of view).

As a commenter noted, the Nokia 6131 NFC includes the following from their tech specs:

  • Explore mobile weather and news by touching your phone to radio frequency identification (RFID) tags

That’s right, a built in RFID reader. Just needs software for this particular task. I’m sure that won’t take too long.

Pacemaker Firewall

If you have a pacemaker or a defibrillator you may want to consider getting a firewall at some point in the future. They could potentially be “hacked“:

But hackers could transmit the same radio signals — causing a defibrillator to shock or shut down, or divulge a patient’s medical information — without needing a programmer, researchers found in a laboratory test of one model from Medtronic.

I’m surprised there’s no authentication at all on these things. Considering it’s implanted, it should at least require it’s own serial number to be sent back to it to suggest the sender is authorized (presumably because they have the serial number of the implanted device). By not responding to commands for 10 minutes after 3 wrong guesses, it would take a long time to hack. That’s pretty basic, and not foolproof (what about a mistyped serial number during an emergency?), but a start.

False Alarm, Go Back To Bed

The other night I was reading about this new security flaw, and for some reason I couldn’t figure out why it was a security flaw. Why couldn’t you just download Firefox and open the file yourself? I presumed I was just tired, and went to bed.

Ends up I wasn’t the only one who didn’t think it was a vulnerability. Mike Shaver has more info on it. If someone wanted to get that information, they don’t need to get people to visit a hacked server. They can just download Firefox and open the file itself. No big deal.

Theoretically a custom enterprise build made by a company for use on it’s network could be modified, but I doubt it. Even if it was, it wouldn’t really contain anything very useful.

Always take things posted on a tech site with a grain of salt, unless they are confirmed by multiple experts. Slashdot ran the story a little premature.