Thinking about security

  • I think it's important to consider the security of NFC when thinking about potential applications. While the ring has been designed to thwart attempted reading from a distance, there is little that can be done to prevent someone from reading the tag if it gets within proximity of their reader. So what does this mean for users? It means we should be very thoughtful about what type of data we store on our ring. I would really like to see this kind of technology take off; I think it's super cool and oh so slick. For me, being able to unlock my phone just by picking it up is awesome! It solves some problems for me. But lots of people talk about using it for doors or to store a master password of some sort, and I'm just not sure that's a great idea yet. Or is it? Maybe I'm just paranoid and I should take my tin foil hat off.

    Admittedly, at this point, one would probably have to be targeted for an attack rather than just randomly selected. As and when the popularity of wearable NFC tags (or whatever comes next) increases, these could be extended to general "fishing" expeditions. Anyway, consider the ability for someone to sneak an NFC reader (or at least just the antenna) into something you come into contact with, something you would pick up without giving it a second thought: a computer mouse, a camera, a stuffed toy, their gloved hand, all sorts of things. Or perhaps they pass you their phone (loaded with a silent NFC logging app) under the guise of showing you a photo or asking for help with some problem they just can't figure out. The reader activates your private tag and your data is copied, leaving you none the wiser.

    I think the analogy being used, that the ring is like a key and the security of the data it contains lies in the physical security of the ring, is solid. To copy someone's house key, all you really need is a good photo of it and to know which door it fits. Similarly, to copy someone's ring, all you need to do is get your reader close to it and know what the data is used for. What concerns me is that these rings are on our hands. We go through our days touching countless objects, not thinking about the possibility of there being an NFC skimming antenna in one of them. It's only a matter of time until someone exploits this weakness; it's been done with traditional RFID tags for a long time.

    I'm not really sure where I'm going with this; it's just an open discussion I'd like to hear other people's opinions on. Knowing that it is possible (even if it is unlikely) for someone to copy your private information, how willing are you to put your data on the chip? What kind of data are you willing to put there?

  • Good kick-off to this sort of discussion.
    I guess, as you have mentioned, it's impossible to be foolproof. However, there are several things you could do to make it harder.
    I was thinking that every time you unlock your phone with the ring, an app could automatically rewrite the code on the ring so that the unlock code changes constantly. This could also work, I imagine, with a suitable house lock: every time you unlock your phone, a new door code is rewritten to your ring, and either through some algorithm or through communication directly from your phone to the lock (data from phone to wifi lock, sort of thing) the new code could change.

    A few good points have been brought up on Kickstarter already; it would be good to see the discussion carry on.

  • Regarding security:

    Rolling challenge/response code stored in the ring
    Since it is not a static datastore, we can update the data in it whenever we like. An oversimplified sequence:
    1. Door NFC sensor reads two values from the ring's private tag:
       a. a consistent ID number that doesn't change (so it's not just any NFC tag)
       b. a "doorkey" response value
    2. Sensor checks a database via wifi to confirm the doorkey code for this specific ring ID is valid
    3. Values match, door unlocks
    4. Door sensor creates a new code, which is written to the ring before it leaves the sensor
    5. On successful write, sensor updates the central database
    Additional thoughts, if someone duplicates the ring's private tag:
    A. If they hurry and get home before you, they'll get in. After which:
       1. Your smartphone gets a notification of successful access, but it turns into an alarm when it detects you're not at home, whether by GPS or by not being in range of wireless devices (home wifi or maybe the home stereo's Bluetooth).
       2. Ignoring the alarm, you'll know there's an issue, since your own ring won't get you into your house.
       3. A smartphone app will let you reset the challenge code on the database (meaning a one-time access where only the ID portion is required).
       4. As soon as you're in, your ring now has the right code and the duplicate is invalid.
    B. If you get home first, your ring works fine, gets updated with a new code, and the duplicate won't work at all.
    C. Depending on the technology within the NFC private tag (and I don't know enough about NFC to know if this is feasible), perhaps at step 1a also check a read-only record containing the manufacturer's product code, verifying the tag is actually an NFC Ring and not just a random tag someone wrote NDEF records to.

    Sensor placement
    While a completely clean door without anything on it would be cool, the technology isn't ready, in my opinion. It needs more proving, and maybe something like a credit card's "secure element" and various private/public key stuff can help prevent the simple duplication of the data read from the ring by any other sensor. Once that's fixed, though, I totally want to embed the sensor in the door (or even the wall next to it), paint over it and have it simply look like you're pushing on the door to open it (when in fact you're unlocking it with your open palm just before you push).

    A second ring?
    Put two hands on the door to open it? A bit painful, but obviously a bit harder to duplicate both rings' private tags at the same time. Even more complicated if you combine it with #1 above.

    Supporting proximity verification
    Depending on the technology in the door sensor, it could also detect that the Bluetooth device on your phone is in range. A bit risky, since your phone might have a flat battery or be lost. Other items could be used, like the car's Bluetooth being in range, or even your credit card; although the latter can't be "used" by non-payment devices, it can still be detected as an NFC tag. I don't know if the readable data would be considered unique, though. These could all be fallback methods if there's a problem, kind of like a 100-point ID check in the event of not being able to get in using other methods.

    Protect the ring
    Another idea I had was a small metal cover on the ring, one that either flips open or rotates around to expose the private tag.
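
    The rolling challenge/response sequence above, and the point made later in the thread that a copy of the written data onto another tag ends up with a different tag ID, can be walked through in a simulation. The following is an added example and is not code from the NFC Ring project or from any poster in this thread. It assumes a hypothetical tag model (a read-only 7-byte UID plus a small rewritable user area), a hypothetical door controller with a local record of UID to expected doorkey, and constructed UIDs; the "doorkey" size and the reset mechanism are assumptions, not anything the ring specifies.

```python
"""Simulated rolling-code door controller for an NFC ring.

Added example: not code from the NFC Ring project or from the forum posters.
Assumed (hypothetical) tag model: a read-only 7-byte UID plus a small
rewritable user area, matching the post's "ring ID" and "doorkey" values.
"""
import hmac
import secrets
from dataclasses import dataclass, field

DOORKEY_BYTES = 16  # assumed size of the rolling "doorkey" value


@dataclass
class Tag:
    """Minimal NFC tag: fixed UID, rewritable payload, and a write counter
    (real tags have finite write endurance, a concern raised in the thread)."""
    uid: bytes
    payload: bytes = b""
    writes: int = 0

    def read(self) -> tuple[bytes, bytes]:
        return self.uid, self.payload

    def write(self, data: bytes) -> None:
        self.payload = data
        self.writes += 1


def skim_to_blank_tag(victim: Tag) -> Tag:
    """What a skimming reader normally yields: the payload copied onto a
    blank tag that carries its own factory UID."""
    return Tag(uid=secrets.token_bytes(7), payload=victim.payload)


def skim_to_emulator(victim: Tag) -> Tag:
    """Stronger attacker: a UID-changeable card or phone emulator replays
    both the UID and the payload."""
    return Tag(uid=victim.uid, payload=victim.payload)


@dataclass
class DoorController:
    """Steps 1-5 of the post: read UID + doorkey, check the record, unlock,
    roll a fresh code onto the ring, then commit the new code."""
    db: dict = field(default_factory=dict)             # UID -> expected doorkey
    uid_only_once: set = field(default_factory=set)    # owner-triggered reset
    log: list = field(default_factory=list)

    def enroll(self, tag: Tag) -> None:
        self._roll(tag)

    def _roll(self, tag: Tag) -> None:
        new_key = secrets.token_bytes(DOORKEY_BYTES)
        tag.write(new_key)          # step 4: write before the ring leaves the field
        self.db[tag.uid] = new_key  # step 5: commit only after a successful write

    def present(self, tag: Tag) -> bool:
        uid, doorkey = tag.read()
        if uid not in self.db:
            self.log.append(("unknown-uid", uid.hex()))
            return False
        if uid in self.uid_only_once:
            self.uid_only_once.discard(uid)  # one-time, ID-only entry after reset
        elif not hmac.compare_digest(doorkey, self.db[uid]):
            self.log.append(("stale-or-bad-doorkey", uid.hex()))
            return False
        self._roll(tag)
        self.log.append(("unlocked", uid.hex()))
        return True

    def reset_from_phone(self, uid: bytes) -> None:
        """Owner's app clears the challenge: next presentation needs only the UID."""
        self.uid_only_once.add(uid)


def run_scenarios() -> dict:
    """Constructed walkthrough of the post's 'someone duplicates the tag' cases."""
    door = DoorController()
    ring = Tag(uid=bytes.fromhex("04a1b2c3d4e5f6"))  # constructed UID
    door.enroll(ring)
    results = {}

    # A plain copy onto a blank tag fails the UID check: the ID is not writable.
    results["blank_copy_rejected"] = not door.present(skim_to_blank_tag(ring))

    # Case A: an emulator with the skimmed UID + doorkey gets home first.
    emu = skim_to_emulator(ring)
    results["emulator_first_unlocks"] = door.present(emu)
    # The code rolled onto the emulator, so the real ring now carries a stale key.
    results["owner_locked_out"] = not door.present(ring)
    # Owner resets via the app, gets in with UID only, and the code rolls again.
    door.reset_from_phone(ring.uid)
    results["owner_reset_unlocks"] = door.present(ring)
    results["emulator_now_invalid"] = not door.present(emu)

    # Case B: owner gets home first; rolling makes an earlier copy useless.
    stale_copy = skim_to_emulator(ring)
    results["owner_first_unlocks"] = door.present(ring)
    results["earlier_copy_invalid"] = not door.present(stale_copy)
    results["writes_consumed"] = ring.writes == 3  # enroll + two successful rolls
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

    Two things the walkthrough makes concrete: the UID check only stops a copy onto an ordinary blank tag, not a UID-emulating device, and every successful unlock costs one write on the ring, which is the endurance cost the next post asks about.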

  • Community Helper

    With the idea of the rolling code stored in the ring and updated on a per-unlock basis, I'm curious as to how often you are able to write to the ring before it fails. It's been a while since I last played with programmable storage, but most devices have a finite limit to the number of writes before you start encountering issues or failure.

    I already have a reasonable home security system, motion detectors, cameras and cloud storage for 'events', so even if someone does bypass the door lock I'll know, and know who, so that doesn't faze me overly much. I'll be looking at adding to that kludge for front door unlocking and a timed one-minute entry event to monitor who is doing the entering. I'm more interested in using one ring as an entry device for the ease-of-use factor, and rolling codes on it will make it more difficult to use the same ring to enter and start my car if the house door reprograms it.

    I think the only real fallback method for security at home is to record events inside the property. A real thief would no doubt bypass the door lock entirely one way or another, and the attraction of the ring is always going to be ease of use rather than outright security. Just my opinion; I'm open to thoughts on the subject.

  • Interesting ideas, but Lokki is right about the updated-key issue: you can only unlock one thing with the device. If you unlocked your door and it rewrote the variable key portion, then your phone wouldn't know what to expect (for example), unless they used the Internet of Things and a central database, which increases power drain, the probability of the system being hacked, etc.

    If a device can just be read by proximity (even if it is very close proximity), then having it as the only mechanism for a master password isn't great, but having it as part of two-factor authentication is probably reasonable. I'm planning to use my ring for 2FA on my phone with a fallback to a really long password, because that way I get convenience when I have the ring (NFC and short password) but anyone breaking into my phone has to either brute-force a long password or have cloned my ring as well as stealing my phone and then break a password.

    At work we have mag-stripe cards or NFC passes to get into different buildings. For some buildings it is enough to just swipe, but for others you need swipe and PIN. Unless those passes do extra crypto (i.e. they're not just passive NFC), then all you need is a clone of the card and you can get into some places. The mag-stripe cards definitely won't do anything but give up data, and many organisations will use those without concern (although they do need swiping rather than just proximity to clone, I believe).

  • Community Helper

    DanielAC, the backup is an interesting idea.
    In my case I'll be wearing two rings and will simply use the second ring to gain entry and then re-program the system minus the lost ring.
    The Samsung EZON range also allows pin entry, after which you could reset the unit and manually re-enter codes and remaining access devices minus the lost one.
    A similar thing could be implemented with a home built system.
    Personally I'd angle away from the backup card route, if only because the attraction of the ring is that I can walk outside at a moment's notice without having to remember to pick up keys/wallet/etc. and still get back inside with no hassle whatsoever.
    The three rings that I've pledged for, two of which I'll wear, will all be programmed differently, but all will be entered into the various reader mechanisms I'm looking to have in place, so all will allow access and a lost one won't necessarily be a huge trouble unless I'm storing bitcoin wallet details or similar.

    The current design of the rings allows self-programming and therefore the vendor doesn't need to be involved for anything more than the supply of a new/replacement ring.
    As I understand it, the NFC tags embedded in the ring will consist of a unique identifier and then whatever information the end user programs in.
    This is far preferable in my eyes to a solution that comes pre-programmed and is unchangeable, it gives a lot more leeway in usage. For instance you can program in a vcard on the public side of a ring and then program your access points to recognise that ring id+vcard as your unique entry ID.
    The tag identifier being different should also stop people from cloning the entire device (unless I'm completely off the beaten path here), because a surreptitious read would give ring id+vcard; programming it into a different device would then end up with tag id+ring id+vcard or tag id+vcard and should therefore not work in your access point.

    So if the last paragraph is correct and not just a wrong assumption on my part, then the only real remaining security concern for normal use is what you actually put in the writable area of the ring and how personal or privileged that information is. Security-conscious people can go crazy with randomly generated keys that reference things known only to them, or the average user can put their name and phone number or a random phrase. There'll probably be someone out there who puts in their credit card number plus CCV or PIN, but they're hopefully few and far between.

  • This is some great discussion, and I hadn't considered the limitations that a finite number of reliable "write" actions can present to consumers.

    My suggestion here is this: along with each ring, include an inexpensive NFC-enabled card. The card should look like something quite innocuous (library card, discount card, etc.). Instruct the consumer that if he intends to use the ring for security/authentication, he should place identical digital keys/signatures on both the ring and the card.

    The purpose of the card would be to act as a failsafe in the event the user loses his ring or it malfunctions. This gives the user the ability to either quickly replace the ring, or enter into one's house/system and disable the NFC authentication requirement just long enough to get a replacement.

    The card should stay on one's person at all times, much like a credit card in an NFC-shielded card holder or wallet. If successful, this should also serve to greatly reduce the burden on the vendor to answer calls for "what do I do now?" should the ring be lost or malfunctions.

    I would also strongly advise the vendor to shop around and see if some kind of partnership can be struck between themselves and some major digital certificate companies to design and market a consumer-level PKI solution for the ring. Symantec owns Verisign, as just one example. I'm not sure, but can SSL certificate technology be adapted to verify the identity of a ring-bearer just as much as a web server can have its identity authenticated to a web client? If so, it's worth noting that GoDaddy has been pioneering a lot of the low-cost SSL certificate services for consumers at about $60/yr.

    PS. -- Note to admins. I have some contacts with organizers of one nationally-known US-based conference held annually on the theme of web communications technology, and may be submitting a proposal to speak on personal security in 2014. Let me know if I might assist in helping market this in my own circles.