Saturday, July 30, 2011

Gunsmithing a Chiappa revolver

Tam and some other folks are talking about Chiappa and their RFID chipped handguns.  People are exercised by the PR FAIL of the response to people's shock that their trust might be violated this way - pretty interesting marketing plan to address that loss of trust, if you ask me.

But I remembered the 2006 Black Hat Briefings (probably the premier computer security conference), where I listened to some folks talk about how you can make malware that spreads from RFID chip to RFID chip via the reader.

"Hmmm," I said to myself, "I wonder what you could do to give the hypothetical Officer Friendly an interesting day when he scans your heater?"  And since this scanning can be done from some distance away as you lawfully carry your piece, the opportunities for fun and games are probably legion.

Note that IANAL, but it's hard to see how you could be prosecuted under existing anti-hacking laws.  After all, the sum total of what you would have done is simply to put data on your own property.  You never accessed any computing device owned by anyone else.  They accessed yours.

Of course, I only use my Powers for Good, but the Black Hat presentation gets interesting around slide 18, and particularly interesting around slide 23.  Given that the RFID reading system and its backend database are administered by incompetents, it's very likely that a RFID payload delivering a SQL Injection attack could wipe out the entire database of scanned guns.

I mean, if I want to set the serial number of my Chiappa handgun to foo'); DROP TABLE Handguns;--, well that's just me practicing my, err, gunsmithing skillz.
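The defect the post is pointing at is a reader backend that splices tag data straight into SQL text. As an added illustration (not the post's code, and not Chiappa's or any real reader software), here is that pattern beside its fix: the serial number, the table name Handguns and the payload string come from the post; the database schema, the allowlist pattern and the sqlite3 setup are assumptions constructed for the demo.

```python
import re
import sqlite3

# Constructed sample tag contents: the post's payload and a placeholder clean serial.
MALICIOUS_SERIAL = "foo'); DROP TABLE Handguns;--"
CLEAN_SERIAL = "CH-000123"

# Assumed allowlist for what a serial number may look like (letters, digits, dashes).
SERIAL_PATTERN = re.compile(r"^[A-Z0-9-]{4,24}$")


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Handguns (serial TEXT)")
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def record_scan_unsafe(conn, serial):
    # The defect: tag data is formatted into the SQL string, so whatever the tag
    # carries is parsed as SQL. executescript() runs every statement it finds,
    # which is what lets the trailing DROP TABLE execute.
    conn.executescript("INSERT INTO Handguns (serial) VALUES ('%s');" % serial)


def record_scan_safe(conn, serial):
    # The fix: a bound parameter is sent as a value, never parsed as SQL, so the
    # payload is stored verbatim as an (odd-looking) serial number.
    conn.execute("INSERT INTO Handguns (serial) VALUES (?)", (serial,))
    conn.commit()


def looks_like_serial(serial):
    # Defence in depth: reject tag contents that cannot be a serial before they
    # reach any query or report at all.
    return SERIAL_PATTERN.match(serial) is not None


def demo():
    unsafe, safe = new_db(), new_db()
    for serial in (CLEAN_SERIAL, MALICIOUS_SERIAL):
        record_scan_unsafe(unsafe, serial)
        record_scan_safe(safe, serial)
    return {
        "unsafe_table_survives": table_exists(unsafe, "Handguns"),
        "safe_table_survives": table_exists(safe, "Handguns"),
        "safe_rows": [r[0] for r in safe.execute("SELECT serial FROM Handguns ORDER BY rowid")],
        "rejected": [s for s in (CLEAN_SERIAL, MALICIOUS_SERIAL) if not looks_like_serial(s)],
    }
```

Running demo() shows the concatenated version losing the whole table on the second scan while the parameterized version keeps it and records the payload as plain text.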

Like I said, I only use my Powers for Good.  But it's astonishing how the world is filled with people who think they're smarter than everyone else, and that they understand everything worth knowing about something, and how their Cunning Plan could never, ever, bite them in the butt.

Note to Chiappa: if you scan guns returned for service (almost a dead certainty), your p*ssed off customers could do this to you.  A little humility is perhaps called for, when your shorts are down around your ankles, security-wise.

14 comments:

TJIC said...

GENIUS!

Graybeard said...

Yeah, what TJIC said.

We mortals are lucky that you white hat guys are out there, but the hair on the back of my neck hasn't settled down from the post you did a few months ago about "the good guys should just admit we lost, the security war is over".

ajdshootist said...

Like it!

Stranger said...

While I spent most of my "trade" life making multi-kilowatt (35 KV @ 10 Amperes per device in one case) electronic apparatus work as intended, often when the designer seemingly did not, RFID chips did not escape my attention.

Essentially, they operate on the 13.56 MHz Medical, Scientific, and Industrial band. The presence of a sufficiently strong RF pulse causes the RFID chip to squeal a response. The intensity of the response depends on the size of the chip's antenna and the distance from that antenna.

Not to quote Kraus or Douglas to any great extent, but the efficiency of the tiny antennas in the tiny chips is dreadful. The squeal is a few microvolts at a centimeter.

Giving a practical range for the tiny chips of a few inches, and for the combined customs/bill of lading size RFID responders of 100 meters or so. But it would be hard to stuff a bill of lading into a handgun.

Since the Italian Government, actually the Customs Service, requires such devices on all exports I cannot fault Chiappa, Beretta, Benelli, Tanfoglio, or the rest of the IT arms industry for including a chip in each gun shipped.

But given the limited range of RFID chips suitable for inclusion inside handguns, I cannot say I am much troubled by it either.

And, if it comes to that, I am sure someone could and would clone the commercial chip programmers. A million chips programmed "Winchester 73 s/n 100001" would be interesting.

Stranger

Old NFO said...

Meh... lousy gun, lousy PR, WHY should I buy one??? Re the RFIDs, you 'can' do some interesting things with them... and at more than a few inches too :-)

DirtCrashr said...

I'd buy one just to implement the melt-down plan since they already got a reputation for needing service-work.

amish - no I'm not.

TOTWTYTR said...

Or, "How to destroy your company's reputation in one email."

The RFID powerpoint was scary, even if some of it is above my head. Once again people fail to see that it's not the implement, it's the intent that is the problem.

Just as with firearms.

DaddyBear said...

I'd like to laugh at that, but I'm too busy writing it down.

Tam said...

Damn, and here I was just going to look for the guy with the reader and hit him in the kneecap with a lead pipe...

Ruth said...

Damn, now I want one so I can play around with their minds.....

@Stranger: the problem isn't really the RFID chip itself, they're easy enough to disable if nothing else, the problem is the PR response.

@Graybeard: I coulda told you that and I'm just the lucky average Joe (Jane?) who gets to fix all her friends' computers, not a professional in the field!

jetaz said...

Remind me not to get on Borepatch's bad side.

Teke said...

I remember seeing the post where someone put a banner on the back of their car with a drop table for the stupid license plate OCR scanner on the red light camera. This is even more ingenious.

Here we sit worried about Faraday cage wallets to protect our credit cards when all we really need is a custom programmed RFID tag with the correct frequency response. I wonder if there is a command that can be issued over RFID to brick an iPhone since they are the most prevalent one used for this with something like the Square Up scanner.

Rivrdog said...

Hmmmm...Blackhat doesn't like being quoted. That link brings up what looks to be the correct site, but it is a blank page, not the .pdf it purports to be.

je1777 said...

I say go for it. Big Brother doesn't need to be scanning our guns anyway.