[Full-disclosure] RFID used at Olympics in Germany
Adam Laurie
adam.laurie at thebunker.net
Thu Jun 1 10:08:01 BST 2006
Josh L. Perrymon wrote:
> Yeah.. I suppose their would be limitations on the amount of data that
> would be on the chip..
>
> Maybe the will just use an ID number that refrences the user info in the
> DB....
>
> Has anyone successfully performed SQL injections usinf RFID tags? I
> looked at a few papers but know it's not widespread.
> I'm thinking about getting an IPAQ and an RFID reader/writer to play
> around w/ this stuff.
It's certainly do-able if the target RFID reading system isn't doing the
proper checks... for playing, I can recommend the ACG reader - should
work fine in a Compaq as it's a CF card:
http://www.acg.de/synformation/servlet/PageServlet/corporate/RFIDProducts/Start?show=RFID_Basics
and if you've got python, you can drive it with RFIDIOt:
http://rfidiot.org/
BTW, if anyone's got access to these tickets I'd love to have a look at
one...
cheers,
Adam
--
Adam Laurie Tel: +44 (0) 1304 814800
The Bunker Secure Hosting Ltd. Fax: +44 (0) 1304 814899
Ash Radar Station http://www.thebunker.net
Marshborough Road
Sandwich mailto:adam at thebunker.net
Kent
CT13 0PL
UNITED KINGDOM PGP key on keyservers
Full-Disclosure is hosted and sponsored by Secunia.