Friday, October 3, 2008

California RFID Law = FAIL

I've been looking for something good to give the "FAIL" to and here it is:

From Wired Threat Level:

"California followed Washington State's footsteps this week to become the second U.S. state outlawing so-called Radio Frequency Identification Device skimming.

Skimmers can easily pilfer information from non-encrypted RFID tags that are growing commonplace. California's bill was adopted and signed by Gov. Arnold Schwarzenegger this week after a demonstration showed that personal information skimmed from entry-card badges from statehouse workers allowed hackers access to secured areas of government offices.

Still, California's measure (.pdf) and the one Washington State adopted in March, don't mandate any RFID encryption. So the vulnerabilities of the Golden State statehouse's entry system remains."

All I can say is wow (or fail). The only people this is going to hurt are the security consultants trying to find and fix insecure RFID applications for customers. It is much akin to banning guns so only the bad guys have them. Non-technicians making technical policy FTW!

1 comment:

Morgan Storey said...

This is exactly the same as any law that doesn't have proper enforcement. You aren't allowed to hack either, but it happens; spam is illegal too. Security can be done through policy, but it is better to do stuff like: tags used to enter sensitive areas must use challenge-response and encryption, at a minimum say a SHA-1 hash.