Jefferson's Wheel

Randolph Yu Yao is joining our research group and the NSF RFID project. He’s a PhD student in Computer Engineering and will be working on something related to security and privacy for RFID systems that integrates cryptographic requirement with circuit-level designs.

His brief bio is below. Please join me in welcoming Randolph to the group!

I was born in a small city in southeast of China, and traveled from south to north during my high school, undergraduate, half-graduate study. I’m very happy to travel to the other half of the planet for my PhD study here in the end.

I was an EE major and love to deal with various aspects of embedded system. I’ve worked on the RoboCup, which forms a robot team to play “football”; the Mobile Satellite Communication Vehicle, which essentially control the attitude of antenna in dynamic circumstance; the Multi-Agent Cooperation via wireless communication etc. I didn’t realize before that the security issues of the embedded system are very challenge problems and becomes a bottleneck for their ubiquitous deployments, no matter for sensor networks or RFID. My ultimate goal is to enable these smart embedded systems acceptable by common people and put into daily service without concern about the security and reliability in the face of expanding network connection.

I also like sports such as swimming, traveling, exploration, basketball, hiking but no running which I think too boring. I enjoy the weather, the blue sky and fresh air here.

Technology Review has an article surveying the state of RFID security: RFID’s Security Problem, Technology Review, January/February 2009. It focuses on security and privacy issues related to RFID-enabled passports and driver’s licenses.

Excerpt: (bolding is mine)

Meanwhile, although experts say that some RFID technologies are quite secure, a University of Virginia security researcher’s analysis of the NXP Mifare Classic (see Hack, November/December 2008), an RFID chip used in fare cards for the public-­transit systems of ­Boston, London, and other cities, has shown that the security of smart cards can’t be taken for granted. “I think we are in the growing-pains phase,” says Johns Hopkins University computer science professor Avi Rubin, a security and privacy researcher. “This happens with a lot of technologies when they are first developed.”

…
As long as the remaining problems are ignored, though, it’s unlikely that the technology will become good enough to protect international borders without compromising the privacy of thousands or millions of people. Tadayoshi Kohno, for one, says that at this point, he is not convinced that RFID even offers security advantages over the old IDs. Technology used on this scale, and for purposes this important, should be clearly better than what it’s replacing: the U.S. experience with electronic voting systems shows what can happen when it’s not. If officials continue to advocate band-aids such as privacy sleeves rather than working to address the full extent of critics’ concerns, they will ultimately undermine the very technology that they hope to promote. While new ID technology seems likely to stay, it could become a fiasco if officials don’t pay attention to the work of hackers and security researchers. These people try to expose weaknesses before they can be exploited maliciously. It’s much less painful to swallow the news from them than to wait until a problem becomes embarrassing–or devastating.

The list of papers accepted to the 2009 IEEE Symposium on Security and Privacy (Oakland Conference) is now posted here:
http://oakland09.cs.virginia.edu/papers.html.

Twenty-six papers were accepted (from over 250 submissions).

The symposium will be held 17-20 May 2009 at the Claremont Resort in Oakland, CA. Hope to see you there!

As for our common defense, we reject as false the choice between our safety and our ideals.

And so, to all other peoples and governments who are watching today, from the grandest capitals to the small village where my father was born: know that America is a friend of each nation and every man, woman and child who seeks a future of peace and dignity, and we are ready to lead once more.

President Barack Obama, Inaugural Address, 20 January 2009

Jonathan McCune successfully defended his PhD thesis at Carnegie Mellon University last week. Jon (sorry, that’s “Dr. McCune”) was an undergraduate researcher in our group from 2001-2003, when he worked on agent-based software (for our RoboCup team) and adaptable sensor network security, before joining CMU’s PhD program in 2003. Dr. McCune’s recent research has focused on leveraging trusted hardware to build secure systems.

Congratulations Dr. McCune!

The Daily Progress has an rather odd article juxtaposing our RFID research with a donation from Bob Barker (“Price is Right” host) to the law school to fund animal rights research: Barker’s gift to found animal law program; Science Foundation funds chip research. Perhaps we can combine projects to work on preserving pet privacy when implanting RFID tags in animals.

…
“Animal law is a growing area that is in much discussion,” Riley said. “It is a good way even for a student who has no interest in practicing animal law to enlarge their interest and to understand different ways the law works.”

A recent of example is Leona Helmsley’s will, Riley said.

When the hotelier, dubbed the “queen of mean,” died at 87 in August 2007, she spurred a legal debate by leaving behind a $12 million trust for the care of her dog.

Riley said a group of students at UVa have shown interest in animal law.

Elsewhere at UVa, the National Science Foundation’s grant will enable a team of engineers to create a more secure design for RFID chips, which are commonly found in remote car-locking systems and touchless debit cards.

These tiny chips, which send information over short distances using weak radio waves, are an increasingly popular way to monitor potentially sensitive information.

UVa researchers have been working to create a stronger encryption scheme that would keep information on RFID chips secure while keeping costs low.

[Added: 14 Jan] NetworkWorld has also picked up this story: NSF gives University of Virginia researchers a million good reasons to improve RFID security, privacy, by Alpha Doggs, NetworkWorld, 14 Jan 2009.

UVa Today has an article about our (myself, abhi shelat, John Lach, and Ben Calhoun) recent NSF Cybertrust grant on RFID security and privacy: U.Va. Team Receives $1 Million Grant To Improve RFID Security, by Brevy Cannon, 9 January 2009.

Some excerpts:

To address the problematic use of custom cryptography, the U.Va. research team will develop an encryption scheme that is relatively strong — providing some measure of privacy and security — but that can be implemented at almost zero cost by repurposing the meager hardware resources already available on common RFID tags. Providing a solution that adds virtually no cost is crucial, because these RFIDs are made by the billions, at such low costs (5 cents or less apiece) that there is no margin for any added expense.

…

The team is breaking new ground by using a holistic design approach that considers how all the various levels of the design — the hardware, the encryption algorithm and how it is used — work together, mindful of how an attacker will target the single weakest link in the design.

…

The research team hopes their research will forestall that possibility, enabling RFIDs to be used in countless ingenious applications not yet dreamt of, without sacrificing privacy and security in a Faustian bargain.

I’m organizing a workshop next week on the “Science of Security”, co-sponsored by the National Science Foundation, IARPA, and the National Security Agency.

The goal of the workshop is to gather a group of about 40 leading scientists and researchers in a diverse range of areas to identify scientific questions regarding computer security, and to stimulate new work toward defining and answering those questions.

For more information, see the workshop website: http://sos.cs.virginia.edu.

This is a guest post by Sarah Scrafford (see below for details). It describes the AntiVirus XP 2008 malware, which is interesting because of the amount of information revealed about its financial success. Another article that provides some more details about this is in the New York Times: Antiviral ‘Scareware’ Just One More Intruder which provides some interesting financial details.

An important anniversary related to computer security recently went by without much publicity – the release of the first ever malicious program to spread widely on the Internet. The year was 1988, the date November 2, and the creator the worm, Robert Tappan Morris, then a student at the Cornell University, unleashed his creation on the Internet and succeeded in disabling 10 percent of all the machines that were online at the time. Although this was a criminal activity and Morris was convicted later of computer fraud, the incident proved to be the launching pad for the intensive research being done in the area of computer security today.

And so the antivirus, antispam and antispyware software packages made their appearance, each one more sophisticated and capable of detecting newer malware than its predecessors, and a whole new industry was born. Today, Morris holds a respectable position as associate professor of computer science at the prestigious MIT, but new and more innovative crooks are still continuing in his footsteps. Rather than write malware to disable systems, deny service or steal information, the conmen have hit upon a novel and almost foolproof method to make users part with their money – by preying on the insecurities (pun intended).

Being fully aware of the mad scramble for antivirus and other security software, a group based in Russia is offering a free application, the Antivirus XP 2008, which they claim to be an antivirus software package. Once the unsuspecting user downloads it to their system, they’re constantly bombarded with security alerts that scare them into thinking their computers are veritable hotspots for viruses and Trojans to hang out. Antivirus XP 2008 recommends a paid upgrade to be able to quarantine or clean these viruses, and this is how the conmen make their money. Another stroke of genius on their part was to rename the software Antivirus XP 2009, and sell it to users as a new and improved version of itself.

The best part of this scam, according to Joe Stewart, director of SecureWorks Inc. which was responsible for bringing this shady operation to light, is that the kingpin has set up a phony company through which affiliates can market the fake antivirus software – true viral marketing in every sense of the word. If you’re aghast at what you’ve read so far, hold on, there’s worse to come. The crooks are making as much as $5 million a year by just scaring people into parting with their money. And if they’re ever caught, they have a slim excuse to cling to – that they’re not aware of the relative uselessness of their program.

It’s all in a day’s work for them; if not this scam, then something else. But for you and me, the legitimate and regular computer users, this should be a wakeup call to be more diligent and choosy in picking a security suite for our systems.

This article is contributed by Sarah Scrafford, who regularly writes on the topic of on line universities. She invites your questions, comments and freelancing job inquiries at her email address: [email protected].

The full details of the Crypto-1 cipher (initially exposed back in December) have now been released.

They are published in Appendix A of Henryk Plötz’s thesis report: Mifare Classic – Eine Analyse der Implementierung. The thesis is in German, but the algorithm is published as a C program (by Karsten Nohl, Henryk Plötz and Sean O’Neil), so should be understandable to non-German code readers.

Also yesterday, the paper, Dismantling MIFARE Classic, by Flavio D. Garcia, Gerhard de Koning Gans, Ruben Muijrers, Peter van Rossum, Roel Verdult, Ronny Wichers Schreur, and Bart Jacobs of Radboud University Nijmegen, The Netherlands, appeared at ESORICS 2008. This is the paper that was the subject of NXP’s failed lawsuit.

The publication of these details remove any remaining doubts about the insecurity of the Mifare Classic.

News articles:

D-Day for RFID-based transit card systems, c|net News, 6 October 2008.

“Combining these two pieces of information, attacks can now be implemented by anyone,” RFID researcher Karsten Nohl told CNET News. “All it takes is a $100 (card) reader and a little software.”
…
Security systems like the Mifare Classic that are not peer reviewed are not as trustworthy as systems that can be openly analyzed by researchers looking for flaws, Johanson and Nohl said.

“Developing your own proprietary security mechanisms and not getting public scrutiny on it does not work,” Nohl said.

Boffins (finally) publish hack for world’s most popular smartcard, The Register, 6 October 2008.

Two research papers published Monday have finally made it official: The world’s most widely deployed radio frequency identification (RFID) smartcard – used to control access to transportation systems, military installations, and other restricted areas – can be cracked in a matter of minutes using inexpensive tools.

The two documents combined mean that virtually anyone with the time and determination can carry out the attacks, said Karsten Nohl, a PhD candidate at the University of Virginia and one of the cryptographers who first warned of the weakness in December.

“Now the weakness that we and others have been talking about for months can be verified independently by really anybody,” he said. “The flip side is that everybody can now attack Mifare-based security systems.”

Over the past six months, many organizations that rely on the Mifare Classic have upgraded their systems, but Nohl said he is personally aware of a “handful” of systems used by government agencies or large multinational companies that have been unable to make the necessary changes because of the logistical challenges of issuing new badges to employees.

“One hopes that just based on the announcement, most operators of critical security systems have adopted other technologies besides Mifare,” Nohl said.

Update: (10 Oct) Another article from the CBC: Security flaw in smart cards poses risk for transit, building access, CBC News, 10 October, 2008.