RFID: Radio Frequency Blog

Insights on RFID technology and markets from Peter Winer, Big Chief Partners, Inc.

 



Last update: 6/14/2004; 8:44:33 AM.

 


  Tuesday, May 18, 2004

How not to clone an RFID card

Thanks to Scott Loftesness on Payments News for pointing to Simson Garfinkel's post on the MIT Technology Review Blog.

Garfinkel in turn points to an article that presumes to show how you can build your own reader and clone Pro-X proximity cards.

The article extensively describes how author/engineer Jonathan Westhues measured the resonant frequencies and the resulting signal interchange that could be conducted with a Pro-X card from Motorola.  He was then able to build a reader that could discover the serial number of the card.

He could have saved himself a bunch of time by just buying a reader rather than building one.

In his summary, Westhues states, "All these attacks can be stopped with a challenge/response scheme.  I've seen brochures for cards and readers that do this;  I guess it's not just a marketing gimmick."

That's just the point.  Pro-X cards have challenge/response built in.  This security feature will prevent unauthorized readers from obtaining any sensitive information stored on the card.  True, a hacker can build (or buy) a reader that can read the unique card ID.  Also true, all the other content on the card is protected by sophisticated security.

To me, you must duplicate the challenge/response keys and the secured data before you have cloned a Pro-X card.  In my opinion, Westhues's recipe falls far short.

By pointing to this as an effective cloning scheme, Loftesness and Garfinkel do their readers no service and they fan unjustified consumer fear.  If someone has actually breached Pro-X security, that would be news.
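The distinction drawn above, between reading a card's ID and cloning a card that answers a challenge, as an added example that is not from the original post or from Westhues's article. It assumes a generic HMAC-SHA256 challenge/response with a shared key; the page does not describe the Pro-X protocol, and the class names, key size and sample ID are constructed for illustration.

```python
import hashlib
import hmac
import secrets

class Card:
    """Constructed model: a public ID plus a secret key that never leaves the card."""
    def __init__(self, card_id: bytes, key: bytes):
        self.card_id = card_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class ReplayDevice:
    """Emulator holding only what an unauthorized reader could observe over the air."""
    def __init__(self, card_id: bytes, recorded_response: bytes):
        self.card_id = card_id
        self._recorded = recorded_response

    def respond(self, challenge: bytes) -> bytes:
        return self._recorded  # no key, so it can only repeat an old answer

class Reader:
    def __init__(self, enrolled: dict):
        self.enrolled = enrolled  # card_id -> shared key (assumed key model)

    def accept_id_only(self, token) -> bool:
        # Weak check: trusts whatever ID is presented.
        return token.card_id in self.enrolled

    def accept_challenge_response(self, token) -> bool:
        key = self.enrolled.get(token.card_id)
        if key is None:
            return False
        challenge = secrets.token_bytes(16)  # fresh nonce for every read
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, token.respond(challenge))

def demo() -> dict:
    key = secrets.token_bytes(32)
    card = Card(b"\x00\x12\x34\x56", key)  # constructed sample ID
    reader = Reader({card.card_id: key})
    # The replay device knows the ID and one response to an earlier challenge.
    replay = ReplayDevice(card.card_id, card.respond(secrets.token_bytes(16)))
    return {
        "card_id_only": reader.accept_id_only(card),
        "card_challenge_response": reader.accept_challenge_response(card),
        "replay_id_only": reader.accept_id_only(replay),
        "replay_challenge_response": reader.accept_challenge_response(replay),
    }
```

A reader that checks only the ID accepts the replay device, while the reader that issues a fresh challenge rejects it, because the recorded response does not match the new nonce.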


3:45:00 AM

© Copyright 2004 Peter Winer.