[Abbenay] Using an AVR as an RFID tag + rant + project

Sat Jan 23 11:43:11 CST 2010

OMG.

A programmable chip and a resistor is all it takes to make a tag!

http://micah.navi.cx/2008/09/using-an-avr-as-an-rfid-tag/

There is source code for making EM4102 tags. That is the most common tag in
the world as far as I know. It has no encryption and basicly transmits a
number sequence when there is a reader sending radio waves to it.

It is used for many things, for example in almost every residential access
control card system, in booking systems, some library cards, hotels, baggage
claim systems, rental etcetera. I'd say that residential access control is
the most common use, for booking washing machines, to open doors to storage
spaces, bike parking and so on. That tag type is not used in subway or bus
ticketing systems.

The wholesale of tags to landlords in Sweden is more or less monopolized by
a company called Aptus. I believe that a majority of companies owning
residential real-estate have been investing heavily in these insecure
systems to save money and increase profits by eliminating the need of people
working on location with maintenance. As an added bonus, you can also
surveil and track residents. I'm still puzzled by the decision process
behind these expensive orders.

Didn't anyone check if the new system was secure before wasting soo much
money on basicly removing all locks everywhere? I am writing an a feature
article for a large Swedish magazine on these matters. I'm also a bit
worried about being tracked - even though I haven't even done anything!
What's up with that? In order to expose this, I've done lots of research (in
public sources mind you), so that I can make statements that are based on
actual facts.

It's also a very interesting technology, which unfortunately only seems to
be used for tracking people and making things unsecure and generally
dangerous for everyone. :) I have a RFID reader and a few EM4102 tags but
would like to test if methods like the one mentioned in the article (there
are several others) actually works. It has to be tested. (Responsibly.) It
would be quite a scandal if it did and if it was easy to do. I can imagine a
few people in positions of authority who might have to reconsider such
irresponsible deals in the future. We'll see.

If you are interested in helping out with this research, write on the list,
write directly to me or talk to me at a meet. I'm currently not on a
deadline.

// Simulacra

PS. I realize this kind if enquiry is a bit sensitive but think I've been
clear enough about the purpose (journalistic) and limits of this research.
On this matter the Swedish law is very firm - it is illegal to surveil
journalists in order to acquire information about the identity of someone
who has provided information for these purposes. It's also illegal for
journalists to expose people to the authorities. This goes if you are
requesting to remain anynomous. (Which I will assume if anyone is interested
in discussing this unless one chooses not to be anynomous.) This is
regulated in Grundlagen i 1 kap. 1 § 3 st tryckfrihetsförordningen
(TF)<https://lagen.nu/1949:105#K1P1S3>which actually is an interesting
read. Read it.