Steve Wozniak's latest toy: an RFID cloner that can impersonate door access cards from secure card vendor HID. Cool!

As the co-founder of Apple, admitted gadget freak and tinkerer who helped create the Apple I and II, before becoming an evangelist for the uncertain new sport of Segway Polo, Steve Wozniak, we can presume, has his choice of cool new tech toys to play with. So when InfoWorld heard that Woz was to be the recipient of a prototype RFID spoofer by Chris Paget, director of R&D at IOActive, and that Paget was demo-ing the device in a booth on the floor of the RSA Conference last week, how could we resist?

The spoofer (video demonstration here) is one of two Paget created using what he described as around $50 in electronics. The other one — yeah, that’s right — it’s a gift for Woz, who sits on IOActive’s advisory board.

The device, though just a proof of concept, is even cooler than it looks. At RSA, Paget demonstrated how it can be used to read the security codes transmitted by RFID proximity or “prox” cards manufactured by HID, one of the largest makers of secure cards.

If that name sounds familiar, it should. HID has an estimated 300 million cards in circulation, so you’ve probably seen the company’s logo on the door reader at your building and on the back of the contact-less door access card you’re wearing around your neck like a dog tag. You might have also seen some coverage of this announcement last week that HID’s new Crescendo series smart cards will support Microsoft Identity Lifecycle Manager 2007 (ILM 2007) and the Windows Smart Card Framework.

“As organizations realize that user names and passwords may not be strong enough to maintain their required level of logical access security, the use of proximity cards in conjunction with ILM 2007 will be an ideal solution to increase security by employing strong, multi-factor authentication technology,” HID says.

Unfortunately, after HID customers find out that at least some of those secure cards send access codes in the clear to the reader devices, and that those codes can be passively read, stored and re-used by a simple device like Paget’s, they might just want to go back to user names and passwords, not to mention deadbolt locks and keys.

In the demonstration, Paget holds a HID card under the spoofer, pushes a button to grab the security codes off the card, and then another to store them on the device. He then holds the spoofer over a HID reader, presses another button to “play back” the codes, and bam — the HID reader detects the code. In the demo, the codes were simply displayed on a computer screen. In a real deployment, a door would open, giving the RFID hacker access to a building or data center or…you name it.

Just as a test, I gave Paget my own HID door card for IDG’s 2nd Street headquarters in San Francisco, and the device read the card with no problem and displayed the secure access codes on the screen. Creepy!

As Paget describes it, HID’s secure cards aren’t insecure in and of themselves, just poorly designed. Paget was particularly critical of HID’s decision to have complete access codes transferred between card and reader, rather than, say, some kind of shared secret that would allow valid cards to identify themselves to the reader, but leave sensitive information secured.

The cloner could be used surreptitiously to grab data directly from RFID door cards, say by bumping up against a building employee, Paget said. And, with minor tweaking, the spoofer could be changed to work with any number of RFID cards, not just HIDs. And creating devices like this will get a lot easier next week, after Paget gives a live demonstration of the spoofer at Black Hat Federal in DC and releases blueprints for creating your own RFID clone device.

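
Paget's design criticism, shown as an added example (not code from the article, Paget or HID): a reader that accepts a fixed code sent in the clear, beside one that checks a shared-secret challenge-response. The HMAC-SHA256 scheme, the class names and the sample values are assumptions for illustration, not HID's or any vendor's protocol.

```python
import hashlib
import hmac
import secrets

class StaticReader:
    """Reader that accepts any transmission equal to an enrolled code."""
    def __init__(self, enrolled):
        self.enrolled = set(enrolled)

    def authenticate(self, transmitted: bytes) -> bool:
        return transmitted in self.enrolled

class ChallengeCard:
    """Hypothetical card that proves key possession without sending the key."""
    def __init__(self, card_id: bytes, key: bytes):
        self.card_id, self._key = card_id, key

    def respond(self, challenge: bytes):
        return self.card_id, hmac.new(self._key, challenge, hashlib.sha256).digest()

class ChallengeReader:
    def __init__(self, keys: dict):
        self.keys, self._pending = dict(keys), None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)  # fresh nonce per attempt
        return self._pending

    def authenticate(self, card_id: bytes, response: bytes) -> bool:
        challenge, self._pending = self._pending, None  # nonce is single-use
        key = self.keys.get(card_id)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    code = b"CONSTRUCTED-ACCESS-CODE"        # constructed sample value
    static = StaticReader([code])
    recorded_code = code                     # what a passive listener hears
    static_replay = static.authenticate(recorded_code)
    key = secrets.token_bytes(32)            # shared secret, never transmitted
    card = ChallengeCard(b"card-1", key)
    reader = ChallengeReader({b"card-1": key})
    recorded = card.respond(reader.new_challenge())
    legit = reader.authenticate(*recorded)   # genuine card, current nonce
    reader.new_challenge()                   # next attempt gets a new nonce
    replay = reader.authenticate(*recorded)  # old response no longer verifies
    return static_replay, legit, replay
```

`demo()` returns whether the recorded static code is accepted on replay, whether the genuine challenge-response card is accepted, and whether its recorded response is accepted against a later challenge.
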
Now that RFID has started popping up on next generation credit cards from Citibank and others, it won’t be long before criminals figure out that RFID is their ticket to easy street, and before the hoopla over multifactor access dissolves into a discussion of that old adage about a chain only being as strong as its weakest link.

So what’s Steve Wozniak playing with these days? You’re looking at it!