Tuesday, September 2, 2008

RFID (in)security

Boy, go on a trip, and miss all the good security news. Chris Byrne has a post on RFID, with a great video of Adam Savage from MythBusters talking about how they weren't allowed to air an episode about how easy it is to get past RFID security.

I won't add anything to Chris' post (other than that my Google-fu reports 1.2 million hits for "RFID Hack"), except this:
It's not just bad, it's worse than you can possibly imagine.
Not only is it trivially easy to read the data off credit cards (and passports, for crying out loud), it's trivially easy to change the data. People have figured out how to make RFID viruses, so by, say, sending a package via FedEx, you have your code on a bunch of FedEx's RFID machines, replicating itself onto every package going through the system.

Just as in the last two posts, security isn't an afterthought, it isn't thought of at all.

Reckless deployment of a poorly designed system that makes it child's play to steal or change personal data? Check.

Legal threats used to try to stop publication of said lousy security system? Check.

Legal threats used to try to keep you from protecting yourself by disabling the RFID chip? Check.

Boy, I can't wait for socialized medicine.

Today's posts have totally harshed my mellow. Go read Chris' post, and check out the RFID shielding wallet and passport folio.

UPDATE 5 September 2008 12:12: Looks like Adam is backing off of this claim. You might say that this myth is busted.

1 comment:

EDGE said...

"Boy, I can't wait for socialized medicine."

Yah...me neither.