[Jair2K4] is using his unique RFID tag address as an online password. We’d bet that if you went far enough to get an implant in your hand you’d continually search for a reason to use it. Wanting to do more than just start his car with a wave of the hand, he built an interface module out of an Arduino and a Parallax RFID reader. Using a program called AAC Keys on Windows 7 he emulates a keyboard using the input from the Arduino. When it comes time to login he types his username and parks the cursor in the password box. By holding the RFID implant next the reader, the ID is dumped as the password, along with a newline (might be a carriage return, we’re not certain) character which submits the login. Take a look for yourself after the break.
On the one hand, nobody will be able to steal his tag as easily as they could steal one that is on a key ring. But we know RFID is rather notorious for a false sense of security. As long as you’re not using it for state secrets we think it’s a nice solution.
Update: After reading the comments on this feature, [Jair2K4] made some changes to his code. It now reads the tag and verifies it with stored data, then spits out whatever password you wish (making it easy to change passwords from time-to-time). He also added servo control to the sketch.
33 thoughts on “Embedded RFID For Online Passwords”
Yeah, this is a cool way to more easily enter your password, but it’s still just a text password, and anyone that figures it out can login without the RFID tag (just type it in normally). Its not the same as a real hardware key, since it just enters text.
When a software keylogger steals your RFID key as it sends it as keystrokes, it’ll be quite a pain taking it out of your skin to reset. It also violates the principle of “never use the same password twice.”
I did the same thing about 6 months ago with my usb rfid reader and a keyboard wedge emulator program because im planning to get an rfid implant one of these days. Same result, no microcontroller. Sure didnt think it was worthy of hackaday though or i’d have submitted it myself.
If you got the rfid implant in your wrist, could a somewhat-fashionable metal bracelet over it protect it, like the special passport wallets?
Couldn’t someone just hide a RFID scanner in something like a desk, use it to retrieve his tag address and then either try the tag address as password on different sites (i.e. Guild Wars, RFIDtoys forums) or just spoof the tag to steal his car? I think, he should at least come up with some random algorithm to calculate a different password from stuff like ID, username, pagename, and so on. That way it would at least be a little more secure (different passwords on different sites, password is not simply the ID). As well it might be safer to write this as a firefox plugin. Then could be inserted into the POST/GET data instead of being converted into keypresses. This should make it a little harder for other software to intercept it.
he did it on windows, cool. So after the next 0-day exploit, or one visit to an infected site, his OS will be trashed!
interesting idea, I suppose you could do the same with a modified CueCat, http://en.wikipedia.org/wiki/CueCat – grab some random barcodes and use them for your online passwords, or print out your own custom barcodes using a barcode font for a more definable password.
for those who wants to implant RFID tags, think twice.
This is going to evolve with higher capacity longer range higher security…
So be prepared to change it often, or you will soon look like having a floppy disc in your finger when others use 64GB usb keys.
Always love it when I make hack a day :)
@matt. Great suggestion. They should have added that I did this as a demo. I will be modifying my sketch to serial print in a password when it reads my tag so that when I scan in, the tag only makes it as far as my arduino. The output can be whatever. That should cover me.
@24601: two words: chainmail glove. It would act as a Faraday cage. I don’t think we can bring back the single glove look. Only MJ can do that.
@ anyone who is thinking ‘mark of the beast’…. No. Just no.
what you need is an interactive ZKT (zero-knowledge table) type of password query. This is one form of security used on satellite smart cards. This way, you can’t be a MIM and just copy the value , like you could with this hack. I don’t know all the details of the ZKT, look it up on wikipedia, but basically you can do RSA-like authentication and prove you know the password without revealing your password directly.
I’ve seen fingerprint reader and face recognition hardware with software that will log you into windows and enter your passwords on websites for you. They don’t work by acting like keyboards, which seems to be how all these rfid auth hacks work. I was wondering if there’s a library or free software out there to get something like that working. I looked a bit without any luck. Anyone?
I am sorry but this is a pointless hack. This is nothing more than preferring convenience over security. You can easily follow the same concept with either using a mindless password like “password” or utilizing the well known sticky notes.
If this was two factor authentication system that required an RFID tag and a password, it would’ve been cool, otherwise why not just go buy yourself a fingerprint reader and use that for logging in, that way at least you don’t have to get an RFID chip implanted.
Ungly monkey logging into his guild wars account with his h4x0r3d device.
I always thought people like this plays that crappy game. Thats even more ridiculous playing it on that small 13″ eePC :D
Ah and music also 0/10.
I foresee the next mouse mod on here to be a hidden RFID scanner inside the mouse to read such chips.
But for convenience an RFID logger could probably just be placed under the desk under the keyboard to ensure hand/wrist interaction. It would probably just feel like tape stuck to the underside as the antennas can be embedded in paper and the logger module elsewhere out of reach under there…
@Erik: Mmmm. i like that idea. The only problem is that if you used your mouse with the same hand you had chipped, it would constantly be sending code and carriage returns over and over. Since i’m chipped in my left hand and i use my mouse with my right… that sounds like a nifty idea… I’m going to think on that.
As for the keyboard, Amal Graafstra of RFID toys has already done that.
@Concino: You are missing the point. I got chipped for my own reasons. This is just a little project i was working on and decided to share my results. It’s not a polished product… just something in the works.
@anyone wanting to post garbage: Why is it that people always have to immediately jump to the negative when they post? How about something like, “wow, that’s different! Yay you for being creative!”
Take it for what it is, an informative website showcasing something someone else has done. If you have a helpful or constructive suggestion, like the other commenters on here, then by all means, let us know! But don’t waste anyone’s time just to say ‘Durr, that’s stupid.’
@jair2k4 Because, even though their input is completely worthless, they’re still entitled to their opinion. Stuff like this helps when determining whether or not a product would be readily accepted for a particular demographic;
say, 16 year old angst-ridden teenagers. ;)
Frankly I don’t see the current worth of this demo other than convenience (as stated), or getting ‘chipped’. Introducing unnecessary technology into my body that would rapidly become obsolete? Why bother. Still, handy for rapid access of secured information, even if you risk MIM attacks. Just know your login environment.
Akoi, I agree completely. I know the risks involved. The thing is.. where I live… there’s almost zero chance of anyone having a clue what the tech is or what it can do. As for the technology itself becoming obsolete… That’s something i considered. The readers themselves.. especially the one i used for my ignition system will work for all kinds of applications. I will be able to interface them with all sorts of hardware for years (if not decades) to come. All to suit my own needs of course.
My only concern was the availability of the hardware… which is why i stocked up.
Now… concerning angsty teenagers… well.. if we can convince them to chip themselves instead of turning to more damaging methods of bodily modification, then some day they may actually want to learn about the objects residing in their bodies. Which may just make productive members of society out of them somehow.. lawl.
“Introducing unnecessary technology into my body that would rapidly become obsolete? Why bother”
i completely agree with that statement, for my RFID tag i will wait until the government makes it mandatory. If i can buy,drive and get other services without it i wont get one implanted
As long as we’re blowing off security, why don’t you just build the tag into a phycon? Then the computer could authenticate you based on whether or not your My Little Pony is on the desk or across the room.
(Incidentally, this makes good *secondary* security if you’re subtle about it!)
The Government doesn’t need an RFID to know you’re in your Mom’s basement.
>we know RFID is rather notorious for a false sense of security
I was thinking about this. I want to go in the what if world.
What if there was a way for the tag to passively check a signal before it transmits its data. That way no one would know you had an rfid tag unless they know the right “password” to activate it.
So type in username name, click/tab to password box, and scan. That seems like more work than just typing, since your hands don’t have to leave the cardboard.
Cool idea, cool implementation, but impractical and I’d argue is worsens the security of the computer:
1- Someone can copy and spoof the RFID. Once RFID is powered its signal can be read from a lot farther than the power up distance
2- It means the RFID signal/number whatever is basically the password for your password vault (unless you’re actually using one password across everything, that would be even worse). This means somewhere on your computer you have a list of all your passwords stored.
So instead of different passwords for different websites, you’ve got one ‘code’ that can unlock all your private online data (and your car)
@Jair2k4 re: chainmaille glove… interesting idea, considering I’m a mailler :)
Use something like the MasterPass addon for firefox, it takes a master password (rfid code) and hashes it with the site the password is to be used on to create a unique password for each different site.
Aren’t those implants glass? So a sufficient shock to the hand would crack it? Don’t get in any barfights
@24601 That’s cool, def more secure, but that’s still using a master password that is beamed unencrypted every time it’s used.
@tim Regardless of how sensitive or powerful your reader is, the tag is only going to transmit so much power. You would not be able to read it from more than 3 inches away at max.
@grenadier The force it would take to smash a glass capsule that small delivered to your hand, and the minute pieces of glass in your hand would be the least of your worries.
Using windows yes it could be hacked, with hidden rfid readers, yes it could be sniffed. If someone is going to go through all the trouble of stealing an rfid tag ID, cloning it, and using it to break into something, you would think they would want something worth stealing. Windows can be cracked in seconds without its password, and i seriously doubt anyone wants his netbook or his email account. When i was working on my rfid reader, i could only find wedge programs for windows and i know nothing of programming so that was the end of its usefulness. However, if his shows as a generic HID, then it could theoretically be used on any device that supports a keyboard. If the government wanted to know where you were, they would know, regardless of whether you had an rfid implant.
What does this achieve?
Three factor security requires something you know, something you have, and something you are. Non of these require an implanted chip and, since RFID hacks are commonplace, you have to balance the convenience of just waving your hand against the inconvenience of periodically having your chip dug out of your body because it is either compromised or obsolete.
Also, you would be wise to ponder on this:
It tells of a lucky man who owned a Mercedes CLK with a fingerprint scanner. The car couldn’t be started without the owners fingerprint, so the thieves who stole it chopped off his finger. Make mine key-operated, thanks.
How far up your arm is your RFID chip implanted? I hope it isn’t near your shoulder…
Well i have 2 easy arguments for you Bacchus. 1. my implant chip is reprogrammable, i can handle it being obsolete because that makes it harder to duplicate, albeit more expensive for me. 2. If the rfid chip under your skin is the ONLY means of unlocking your door/computer/whatever, you are a freakin idiot.
Would you always have a backup system with you? If you do, then what’s the point of the chip? Are violent criminals open to reason when they’re committing a crime?
Consider bank security. Modern safes and similar are pretty much impossible to compromise within a reasonable time frame. This has put bank staff and their families at risk from the kind of people who’re prepared to use brutal methods of persuasion. A trick that’s been used several times in the UK is to simply douse someone in petrol (UKese for gasoline) and hold a cigarette lighter near them. Apparently most people find this “argument” compelling.
OK, you plainly aren’t talking about securing anything valuable with this technique, which begs the question of why anyone might go to these lengths in the first place. In short, it’s the old principle of always carrying “mugger money.” Property can be replaced – Body parts and lives cannot.
Are you really sure you haven’t created a solution that will just exacerbate the problem, however cool it may at first seem?
Quite a valid argument, i indeed do not always carry a backup system. However in the case of my car, i would have an external keypad that functions the same as the chip. I agree with you in that security both helps and hurts, and theres really no good way around that. I would assume that one would take these factors into account when making a modification of this sort though. If not, thats not good…
IF you use the rfid’s available for pets… they’re passive and only readable up to one foot, typically a couple of centimeters. Very unlikely to be found. And IF it were implanted in the wrist, a bracelet could easily be worn to prevent transmitting. RFID chips with encryption are available too, but I doubt implant size.
IF the rfid reader was attached to a wireless usb hub and hidden in the wall(away from the comp), nobody would know what the wireless usb dongle was used for or that rfid is the method of access if they were to find the chip.
IF the rfid was used for full-disk-encryption, one could implement a very strong 64 character password(+1 security +1 accessibility). And IF there was a way to disable the keyboard(perhaps port control with no usb driver support for keyboards), while still allowing password input from the chip(+1 security). Granted the chip could fail or break, leaving you without access.
IF the chip were reprogramable, one could change the password periodically and use it for multiple applications, also eliminating the need for upgrades.
“Installation” is fairly painless, although I think removal would be kinda painful.
A lot of IF’s, obviously it would be best just to remember a 64 character password. It all depends on how secret agent you want to get.
how to know the default password of rfid
Please be kind and respectful to help make the comments section excellent. (Comment Policy)