MIT students create and circulate open source, covert RFID rings to subvert campus tracking system

Never said I was a good one.

Somewhat related: a biohacker in Sydney implanted their public transport card’s RFID tag into their skin and was fined for fare evasion, despite it working and having a positive balance.

Yeah that 1000 dollar fine is unfair. The card was there, just inside his hand. If he was avoiding payment, fair enough but this was a paying customer.

Not really usefully, no. RFID/NFC devices are reasonably compact and require no internal power source because they harvest energy emittted by the reader to power up long enough to respond. With appropriate modifications to transmitter and power levels this can be at a distance greater than the “trust us, you can basically only read those things on contact!” claims would suggest; but it’s still not a long distance.

Bluetooth/zigbee/ANT/etc. give you ranges that might actually help; but then you need to find a way to sneak a battery (and a means to charge it or change it on occasion) into the device, which doesn’t do something like a piece of jewelry much good.

It wouldn’t be completely useless: a tag could be used to ensure that non-metallic objects have a signature that you could use a scanner wand to sweep under the couch for, and reduce the uncertainty of metal detector readings by giving items unique IDs(this is pretty much the use case for RFID in warehousing and logistics, barcodes are substantially cheaper; but with RFID you can scan a box full of stuff without opening it as long as it isn’t too large).

Because the range is tepid(and tags themselves don’t have any location information unless you specifically burn some geographic coordinates into them, adding GPS so that they know where they are would really blow the power, size, and budget budgets) nobody really sells ‘locators’ based on the tech: the ‘reader’ options are the closest thing to locators that exist(barring some probably-not-spec-or-FCC-compliant attempts to boost range slightly).

It’s the only thing they have to do, stare at the giant monitor in front of them. When a group of people walk in the door together, the guard will ask that each person swipes their ID.

Yes, this is the promise but in practice it is very tricky to get working. You are still dealing with low power EMF, both powering the chips and extracting data. Structure (like the containers the tags are in) can shield the signals. Race conditions mean that your reader can only interrogate a certain number of tags in a period of time. The orientation of the box matters a lot, as does its motion.

I worked for a company which did this and there was a lot of fiddling required to get every application working correctly.

From an institutional perspective keys have one substantial drawback: you have no way of knowing how many copies exist and no (realistic) way to get people to return them. Since you can’t ‘revoke’ a metal key you end up either changing a lot of locks or putting up with the fact that you have very little sense of who or can’t make it through a given door unless you change the locks after every other-than-amicable departure.

The temptation to use the oh so readily available authentication logs for creepy surveillance is a serious downside; but being able to just remove a card from the database and call it a day beats calling the locksmith (and in some cases the people behind the rollout do want that delicious data; or to tie it in with payment for r meals and vending machines and copiers, or both).

There are also some University facilities that do tend to need greater security: bio or medical research that involves animals can paint a target on your back; and it’s not like Lincoln Labs stopped doing sensitive fed work after they wrapped up their initial air defense and radar research.

Dorms and common areas are a bigger problem because, obviously, you subject basically everyone to the security measures; but given how bad “oh, the expelled for rape guy? nah, we made sure that he returned a copy of his dorm key, we don’t know hoe he made it back in” goes, admin can be jumpy enough to do it anyway (though, given how easy it tends to be to circumvent widely deployed access control (since people get fed up with it and quickly start politely holding doors for one another, plus lost cards that aren’t reported and the like, only really works well with a more manageable number of people who understand and accept the objective of the security measures) that one is heavier on theater than utility).

I’m not sure if this motivated MIT; but when I was in college there was the other, deeply umsecret but hard to get anyone in authority to admit to, motive provided by the fact that the university was busily attempting to expand into neighboring areas of rather high poverty and crime(you adjust to sleeping through the more or less nightly sound of cop sirens going in and ambulance sirens heading back out toward the hospital on campus; plus medical helicopter traffic).

Concerned parents tended to be pretty fretful about the ‘use students as the shock troopers of gentrification’ strategy; so it was very visible which parts of campus were considered to already be pacified(greens/quads, minimal obstacles, buildings with entrances on all sides) and which parts were expansion (fences, entrances only on sides facing the core campus, ‘blue light’ police call kiosk things, and so on)

RFID can also tell you who is in the building at any given time. So in an emergency, you can identify the areas where there might be people requiring assistance.

A former employer of mine introduced the electronic gates which are normally used on public transport. You needed cards to get in or out but you could jump the gate in an extreme emergency. They had a secure environment, but with ~300 employees, finished each day with about five discrepancies.

A major purpose of the access control system I previously worked on was to keep track of the number of people in every area, for safety reasons. Venues are licensed to have a certain number of people in each volume and access control records become important if there is an accident.

But useless, probably. If @vonbobo and a friend swap IDs for a day and simply do not look directly at the guard they’ll find out that most guards don’t have the superhuman resistance to tedium that’s required for such systems to work. If the guard says “this picture doesn’t look like you” just laugh brightly and say “I know! Everybody says that! I look like an old black guy in that picture, isn’t it amazing? And they won’t give me a new one, either!” or whatever. They’ll let you in.

It’s the same thing as signatures on credit card bills. In theory, your waitstaff is comparing your signature to the card. In reality, you can write anything you want, 99.999% of the time. Because humans.

Credit card signatures: It depends on the store. If the store is in a high-crime area, they’ll ask for your driver’s license and actually match you to the card. For a $5 purchase.

Also, if you’re selling very high-end merch, you get the special VIP treatment. We take you into the hidden ‘VIP’ room where you can sit at a table, a salesman pours you a beer, we all stand around and chat with you - while another salesman runs into the back room and runs a quickie credit check on you.

My brother is a slumlord. Immediately after the 2008 crash, he was loading up on empty houses. The houses weren’t ‘just vacated mere days ago’ by a hard-working proletariat, they usually had just come out of probate and were being dumped by out-of-state heirs, OR the family had been riding out the foreclosure process for almost 2 years. Either way, the first thing we had to do was mow the weeds and change the locks. We had a Rubbermaid tub filled with doorknobs and deadbolts, and we tried to re-use them when possible, but frequently the original set had been installed so poorly (non-standard hole placement), we had to replace the door, too. That was 35 houses, so about 70 exterior doors. Multiply that by an ENTIRE CAMPUS…that’s a lot of knobs and keys.

Again, not advocating for it. Just understanding it.

I agree. Security should only be on secured areas.

‘Dude’ was not meant as an insult nor a gender specific term. I’m just from the mid-80’s and that’s how I talk.

Sorry if I offended you.

Out of curiosity if we were sitting around somewhere (bar, coffeehouse, breakroom, etc) with a small group of people and I wanted to express surprise in a humorous manner at something you said, how would you fill in the blank? “____! What is wrong with you?”

(related questions: Generally speaking, when and where did you grow up?)

Chillax…I thought it was funny because the thread was veering dangerously close to the cliche of “Women.They’re not like us. Am I right?”

Oh, that blank would of course be filled in with ‘Dude’. Like the F-bomb, it’s too flexible to NOT use as a noun, adjective, etc. DUDE! (warning), DUDE! (congratulations), DUDE! (astonishment)

I didn’t pick it up from growing up east of Denver (w-a-y east), I’m sure I got it from my college days in Tucson.

My favorite catchall expression of warning/congrats/astonishment that you’d regularly hear in my high school halls in mid-michigan during 1986…

“Yo, Man! Duuuude!”

That sounds like a more formal greeting - like the difference between contractions and typing two separate words.

I dont believe it was intended to be fool proof, but rather an evolution of an already hacked system. RFID by itself? That’s a terrible investment.
RFID plus guard eliminates the low level breaches like a propped door, buddy swiping, etc.
Now, since you already have the guard there with a computer (used to communicate badge issues, activate guest badges, etc), the system might as well show him the picture that corresponds to the badge that was just swiped and attempt to eliminate even more low levelers.

I’m not saying its fool proof, but in my experience the guards do glare at the screen and the swipers.

Good points all! I have repeatedly tried to get my current employers to put a guard at the door simply to prevent tailgaters and buddy swiping, which are a recurring problem here.

One of the more regrettable incidents in my aerospace career was unintentionally getting a security guard fired. I was in a hurry and needed to get into a highly secure area, and, well, the guy recognized me as having had the requisite clearance a month or two previously. I still feel guilty.

Never thought you were. In case of Europe, there’s mostly no security involved, that’s my point. We just adopted it because … well, I don’t know, actually.