MIT students create and circulate open source, covert RFID rings to subvert campus tracking system


#1

Originally published at: https://boingboing.net/2018/04/11/academic-freedom.html


#2

So…a private security firm thought they could make a system proof against MIT students?


#3

Seriously, you issue a challenge like that at a school like that? :slight_smile:

I’m surprised it took them more than a few weeks to crack it.


#4

One of those weeks must have been Spring Break, or midterms, or something…


#5

The technical system is long cracked, just subverting it is becoming increasingly popular the more obnoxious its rules become.



#6

I don’t get it. RFID is cool and all, but what are they doing that’s subversive? They can use their ring instead of their card which a neckless blart-alike will spot and bust them for. Or they can be someone else, the principal say, which could get ugly in all sorts of ways. That’s subversive, just, but how useful is it?


#7

“A couple years ago” MIT installed long-vulnerable 125kHz “Prox” credential technology for their physical access control system. This is negligence on the part of their security contractor - the system should have been upgraded to much more secure credential tech by now, which would permit “cardholders” to bump their phones, for example, but would also preclude attempts to clone the credentials.

https://www.schneier.com/blog/archives/2007/02/cloning_rfid_ch_1.html
https://threatpost.com/long-range-rfid-hacking-tool-to-be-released-at-black-hat/101448/


#8

Nothing at all - I give them credit for creativity. They are just presenting their EncodedID and Facility Code (that’s what’s mashed together in the RFID) in a different way.

They could have just as easily melted the plastic from their existing card in a bath of acetone, coiled up the antenna and crammed it into a different format… but then they’d not have their ID card for all its other purposes beyond access control.


#9

Many rings to rule them,
Many rings to find them,
Many rings to bring them all and in the darkness bind them.


#10

In the land of MIT, where the engineers lie.


#11

You guys are assuming they are using their own codes, and not a rotating assortment of other people’s codes. You can’t defeat the tracking if you use your own ID code, but you can if you and your friends all cycle through each others’ codes randomly.

Naw, you just have a dummy card in hand, tap it on the reader at the same time you tap your ring. Any vaguely card-shaped item will do.


#12

Mordor Institute of Technology


#NeedsMoreLikes (formerly known as "All the Likes")
#13

Somewhat off topic, but I bet BB would know:

I lose things a lot. Is there any sort of locatable wedding band thing I could get and then find later if I lose it? Looking at the NFC/RFID rings that exist, I can’t see any details on locator stuff for them.


#14

The guards at my campus see the student’s ID picture on a monitor when the card is swiped.


#15

read up on RFID:


Its not quite the tech you need.

There is other tech available that uses wifi, mobile towers, or Bluetooth, but those can’t fit into a ring yet.


#16

Thanks! This is pretty great; I had misread about Tile and thought it was RFID based. I know RFID is generally low-distance, but thought there was some new tech there. My misunderstanding.


#17

For me the bigger question is why MIT is so interested in the location of the people who pay them for a service.


#18

Can you just get a pile of cheap duplicate wedding rings from a pawnshop or Ebay? You know, - lose one, shrug, grab another from the bathroom cabinet and go on with your day.


#19

I would, but for my wife the physical object itself is very important; We just simply have different levels of attachment to physical goods and for her the wedding ring is a very important symbol, and I respect that.

The problem is I do woodworking so I can’t just ‘never take it off’. Wearing rings around power tools is a huge problem.


#20

Ah! Yes, I’m also a woodworker, but I chose to get rid of the spouse, too!

Your problem has spurred the ‘Bad Idea Factory’ in my head into overdrive. Get a nice (maybe in low-carat gold - 12K is the strongest) short necklace with a 12K carabiner (any goldsmith will enjoy the challenge), and you can take the ring off and clip it to the necklace until you’re headed back to the wife.

…OR have the ‘good ring’ reserved for special occasions, and wear disposable ones EXCEPT when you’re actually holding a power tool.