Saturday, October 18, 2014

Attack of the Cloned Magic Bands - Are They Safe?

Can Magic Bands Be Cloned?
Your new Magic Bands are exciting! You can personalize them by color and accessories, and they are so convenient and easy to use!  

These geeky editions to your Disney vacation utilize the latest technology in Radio Frequency Identification (RFID) chips. This chip is embedded in your bracelet and will contain your fastpass+ selections, your dining selections and your resort information.  When you check in to your resort, you can even add the option for charging privileges to your band!

All sounds great doesn't it?   But, what is exactly is a RFID chip, is Disney keeping my data safe and what happens if my band gets Cloned!?
Radio Frequency IDentification

Well, first the techy-side, what is a RFID chip?

A RFID chip is a microchip much like one in your smartphone.  A computer simply implants data on the chip; and the data just sits and waits to be read. 

A RFID Reader is programed to recognize only certain chips.  The Reader identifies the chip as “belonging” to his group.  The chip and reader then communicate back and forth usually through electromagnetic energy.
Sometimes the Reader just records the information and sometimes it lets the holder of the chip perform a task such as buying merchandise at a Disney Store or riding Star Tours.
Now, is it safe to wear?  Will it hurt me?

RFID technology is used in many common everyday applications from clothing tags, to library books, to baggage handling and pet IDs.
Currently, the Food and Drug Administration (FDA) is not aware of any health concerns related RFID chips.  There could be a potential for the electromagnetic interference to degrade medical equipment such as pacemakers and defibrillators.  But currently, there aren't any issues posted on their website.


As with any medical concern, keep your physician in the loop on any issues that you might have.

Next, is my data secure?

With the increase in identify theft, having my data secure is a priority.  So, let's look at three important features:

First, the band and receiver are operating at a 2.4 GHZ frequency which wasn't designed for streaming data.  This prevents the most common wireless interception attacks.

Two, the band contains an encoded number or authentication factor that identifies you and the band to the Disney servers.  No personal information is exchanged, only the encoded number. 

Three, all monetary transactions require a Personal Identification Number (PIN) that you enter secretly at your resort check-in.  As long as you don't reveal this PIN to anyone, your magic band transactions are safe.  So, basic identify safety applies:  don't write your PIN number down and don't announce it where others can hear. 

Can the bands be cloned?

A vulnerability does exist that allows the RFID to be cloned.  However, it isn't an easy feat to do and requires specialized equipment to capture the code and write it to a fake band.  The cost of the equipment to clone a band would outweigh the cost of a park ticket.  

The RFID reader at the entrance of the parks registers each Magic Band as you enter.  So, if an attacker, who had your cloned band, entered before you, your band would not work.  The next step would be to ask a Cast Member about deactivating the band, which thereby removes the authentication code from the network and "kills" the band.  

Bottom line, You are the weakest link in the Magic Band participation:  remember to include your doctor if you are concerned about your health, report a lost band or stolen band to a Cast Member immediately, and remember to keep your PIN private.  

The Magic Bands provide a seamless experience to your Disney Adventure; relax, wear your bands, put on some sunscreen and enjoy your day at the park!  

------------
I am a Certified Information Systems Security Professional (CISSP) and currently serve as an Information Assurance Officer (IAO) for a major corporation.  If you have any other questions on RFID technology or other technology questions about Disney, please let me know!  You may contact me at kesselrunner77@gmail.com

No comments:

Post a Comment