Articles / Rethinking Contactless for Cyber

on 13 Jul 2017

I recently had a furnace repairman at my home asking to use the sink to wash his hands. He complained about having to log into the office with “this damn thing” (it was an iPad). I also remember my plumber showing me his iPhone and the thing looked like it had been dropped from a helicopter in Vietnam. Both guys were fine using technology, but they don’t sit in clean offices: They have their hands in pipes and toilets.

Now I know that mobile devices have been designed for harsh conditions: I’ve seen a hundred demos, and these products are great for many situations. But in my estimation, there are times when pen, paper, and clipboard are not only fine, but preferred. It was with this general background in mind that I hopped onto a call with principals of RF IDeas, a smart card reader firm run by an old friend and colleague, David Cottingham.

In case you're new to smart cards, here is a simplified overview: The primary functional characteristics of smart cards are proximity and contactless operation, meaning that the protocol between cards and readers is physically intimate. You’ve swiped badges at work, so you know what this is about. Low frequency readers operate at 125 kHz, and high frequency devices operate at 13.56 MHz. There are ultra-high frequency options.

David and his team at RF IDeas had asked me to provide a security once-over for their products, which is something I offer gratis for old friends. (When you are raised Italian, this results in a terrible business model.) Nevertheless, I listened carefully and could barely find much to complain about, other than some recent Black Hat card and reader hacks, most addressed in the higher frequency band (and yes, I know not all of them).

What I was particularly struck with, however, was a threat analysis drawing I sketched for contactless cards. When presented with any technology for threat investigation, I’ve developed the habit of drawing where that technology exists in the spectrum (ahem) of similar technologies. So, I compared the security of network connections between Alice and Bob using WAN, LAN, WiFi, Bluetooth, Zigbee, and contactless protocols. 

I found that in the higher frequency, contactless cards and readers include encryption, authentication, and relatively simple software. If you follow my column, then you know that I preach repeatedly that simple things are always more secure. So, I kept adding plus marks in the column next to contactless cards and readers – and damn if I wasn’t surprised at the good scores I was assigning to an old, familiar technology.

Maybe you think of contactless as just another network technology, but I never have. Accordingly, I am now of the fresh opinion that contactless cards and readers will not go the way of the Woolworth cash register. Rather, I now believe that the rugged nature of this technology (your dog can eat a card and it will still work), combined with the logistics of Alice and Bob close together, make it a good option for many future apps.

My aha moment was no surprise for the RF IDeas team. They explained that their technology was expected to play a fundamental role in securing the systems, apps, and environments that will power Internet of Things, industrial control, connected cars, and smart robotics. They expect RF IDeas to play a central role in these environments, because contactless cards and readers have so many logistic and ergonomic advantages.

Here’s a fun question: If I told you of a mature wireless security technology with few protocol vulnerabilities that would play a central role protecting IoT, OT, and connected cars, what would you say? What would you bet on such a technology? What would you be willing support financially? Well, contactless and proximity cards exhibit all these characteristics, including relatively low cost to implement and use.

Look, we all know that modern authentication is virtualizing onto your mobile, and that high tech, contextual, biometric, cloud-connected apps will be the primary means for validating identities moving forward. But the simple contactless smart card might carry more of the security load than any of us might have been expecting. For me, such a renewed role for a trusted technology is good news.

Let me know what you think.