Disney’s RFID "Magic Band" arrives on the FCC

Ava83

New Member
That's assuming the card was used in two different places within a short enough period of time that the person could not have gotten from one to the other. Yes, they could look for unusual patterns, but the question is will they be concerned enough about this happening to bother doing that.

I think liability/image issues require them to be concerned.

If the bracelets transmit and "Fred's" bracelet is showing up in two locations there would be cause for alarm. I don't understand how a travel time comes into play? With a clone it would show two locations.
 

danlb_2000

Premium Member
I think liability/image issues require them to be concerned.

If the bracelets transmit and "Fred's" bracelet is showing up in two locations there would be cause for alarm. I don't understand how a travel time comes into play? With a clone it would show two locations.

It depends on how granular their tracking is going to be. If they are only going to track at certain key points, for example when entering and exiting attractions, then duplicate checking gets a little harder. Also, if the payment function uses the passive RFID which requires very close proximity then the person doing the cloning could just clone that part to use for charges.

It would be nice to think Disney would put safeguards in place for things like this, but there has been an endless list of cases where companies have been hacked using very simple well-known exploits that you would think they would have protected against.
 

Ava83

New Member
It depends on how granular their tracking is going to be. If they are only going to track at certain key points, for example when entering and exiting attractions, then duplicate checking gets a little harder. Also, if the payment function uses the passive RFID which requires very close proximity then the person doing the cloning could just clone that part to use for charges.

It would be nice to think Disney would put safeguards in place for things like this, but there has been an endless list of cases where companies have been hacked using very simple well-known exploits that you would think they would have protected against.

Neither of us knows enough about this product to know what it will be in the end, do we? What all of its capabilities really are.
 

Rob562

Well-Known Member
It depends on how granular their tracking is going to be. If they are only going to track at certain key points, for example when entering and exiting attractions, then duplicate checking gets a little harder. Also, if the payment function uses the passive RFID which requires very close proximity then the person doing the cloning could just clone that part to use for charges.

It would be nice to think Disney would put safeguards in place for things like this, but there has been an endless list of cases where companies have been hacked using very simple well-known exploits that you would think they would have protected against.

What would *really* be interesting would be if Disney created a system that required *both* active and passive. (Or at least used the active system as a double-check). To use the band to pay for a purchase at the register, you need to wave it near the reader so the passive RFID tag can be read. But if the system cross-checked to make sure that the band's *active* RFID tag was also within proximity to the cash register, it would be a double-check.

While a hacker could conceivably clone one system, it's doubtful that they could accurately clone *both* of them at the same time.

An alternative would be that if an active or passive RFID tag was read by the system at the same time or within a timeframe that physically couldn't happen (within Animal Kingdom and Epcot within 5 minutes of each other) the system could flag that tag as being suspect, and bar any additional transactions from it.

-Rob
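An added sketch of the impossible-travel check described in this post (not part of the original thread and not Disney's code); the read events, band IDs, reader names and minimum travel times are constructed assumptions. It compares each read with the band's previous accepted read, so it still works when bands are only read at a few key points.

```python
from datetime import datetime

# Assumed minimum minutes needed to get between two parks (constructed values).
MIN_TRAVEL_MIN = {frozenset({"Animal Kingdom", "Epcot"}): 15}
DEFAULT_MIN_TRAVEL = 10

# Constructed read events: (ISO timestamp, band ID, park, reader).
SAMPLE_READS = [
    ("2013-03-01T10:00:00", "BAND-A", "Epcot", "gate-3"),
    ("2013-03-01T10:02:00", "BAND-B", "Epcot", "pos-17"),
    ("2013-03-01T10:04:00", "BAND-A", "Animal Kingdom", "pos-42"),
    ("2013-03-01T10:05:00", "BAND-A", "Animal Kingdom", "pos-42"),
    ("2013-03-01T11:30:00", "BAND-B", "Animal Kingdom", "gate-1"),
]


def find_suspect_bands(reads):
    """Flag bands read in two parks sooner than anyone could travel between
    them, and list every read refused from the moment a band is flagged."""
    last_seen = {}  # band -> (time, park) of the last accepted read
    suspect = {}    # band -> (park, other park) that triggered the flag
    refused = []    # (timestamp, band, reader) of reads to bar
    for ts, band, park, reader in sorted(reads):
        when = datetime.fromisoformat(ts)
        prev = last_seen.get(band)
        if band not in suspect and prev and prev[1] != park:
            limit = MIN_TRAVEL_MIN.get(frozenset({prev[1], park}), DEFAULT_MIN_TRAVEL)
            if (when - prev[0]).total_seconds() < limit * 60:
                suspect[band] = (prev[1], park)
        if band in suspect:
            refused.append((ts, band, reader))
        else:
            last_seen[band] = (when, park)
    return suspect, refused


if __name__ == "__main__":
    suspect, refused = find_suspect_bands(SAMPLE_READS)
    print("suspect bands:", suspect)
    print("refused reads:", refused)
```

The check cannot tell which of the two conflicting reads came from the genuine band, which is why it bars the ID rather than one reader.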
 

bhg469

Well-Known Member
I heard exactly that. There will be both active and passive systems in use for exactly what you've said. An example is NFC which is built into most new phones these days. NFC is really RFID but extremely close range. If I want to send a picture or a video to my wife's phone or if I want to use my Google wallet to make a purchase I have to literally touch my phone to the reader otherwise the chip in my phone doesn't "Wake up". This will not work if someone was to try to read my device through my clothing.
 

George

Liker of Things
Premium Member
I suppose we're all paying a price for my sarcasm. You see years ago I filled out a guest survey and said that the ability to get fps months in advance and soda pop appts. at Columbia Harbour House would really complete my trip. *sigh*
 

Cosmic Commando

Well-Known Member
What would *really* be interesting would be if Disney created a system that required *both* active and passive. (Or at least used the active system as a double-check). To use the band to pay for a purchase at the register, you need to wave it near the reader so the passive RFID tag can be read. But if the system cross-checked to make sure that the band's *active* RFID tag was also within proximity to the cash register, it would be a double-check.

While a hacker could conceivably clone one system, it's doubtful that they could accurately clone *both* of them at the same time.

An alternative would be that if an active or passive RFID tag was read by the system at the same time or within a timeframe that physically couldn't happen (within Animal Kingdom and Epcot within 5 minutes of each other) the system could flag that tag as being suspect, and bar any additional transactions from it.

-Rob
That does sound like an interesting idea. Hopefully they have something at least that clever up their sleeves.

At Disneyland, APs have to have their photo taken by any Photopass CM. The photo shows up basically instantaneously when the barcode is scanned at the entrance turnstiles... super easy way for Disney to check and see if the AP holder is actually the person in front of them (forgive me if they also do this at WDW). If DL can do that for every entrance turnstile, $1.5B should be able to get us this tech at every RFID-enabled POS terminal on property. Yeah, there is a burden there getting everyone's picture, but as long as the CM is paying attention it should be foolproof. Even if someone spoofed your wristband, they would need to get into Disney's database and successfully replace the picture with their own. Not impossible per se, but a completely different level of hacking. Doing it at check-in would probably add about 20 seconds per person with charging privileges to the check-in time... worth it IMO. I really hope they roll this out.
 

ExtinctJenn

Well-Known Member
I was wondering the same thing once I saw that you can customize it in some way. My assumption is it's a "life of stay" thing and it's only going to work for the trip it's associated with. I can see it becoming a nightmare to keep up with bands from 2013 in 2015 (if they haven't changed it all again by then) etc. etc. The technology will probably change again or whatever.
 

DisneyCane

Well-Known Member
For all the ultra paranoid people here is something that illustrates how the RFID tag ID will be transmitted to the system. I don't have specifications for exactly what they did on these bands but it is the process used to keep cell phones from being cloned by intercepting IDs over the air.

The wristband will probably have 2 ID numbers. One will be a "serial number" the other a random generated number. When the band is activated the first time the system will read the serial number and the hidden random generated number or more likely will provide the hidden random number to the band. The system will store the random number and associate it with the "serial number".

When the band is read (including by somebody trying to clone it) the steps are something like this:

1) System says hello wristband what is your serial number
2) Wristband responds with serial number
3) System says OK wristband here is a random number I just came up with. Use this random number and your internal random number to run the formula you have stored inside of you and tell me the answer
4) Wristband responds with the result of the calculation, the random number is NEVER transmitted
5) System runs the same calculation internally and compares the results
6) If the results match the transaction continues, if not it doesn't

The algorithms used for the secret number calculation are designed so that even if somebody gets the random number that the system generates for verification (at the transaction time) and the result of the calculation it will take weeks for a supercomputer to crack the code and figure out the stored random number.

All credit card and personal info are stored in the secure network, not on the RFID tag.
 

danlb_2000

Premium Member
For all the ultra paranoid people here is something that illustrates how the RFID tag ID will be transmitted to the system. I don't have specifications for exactly what they did on these bands but it is the process used to keep cell phones from being cloned by intercepting IDs over the air.

The wristband will probably have 2 ID numbers. One will be a "serial number" the other a random generated number. When the band is activated the first time the system will read the serial number and the hidden random generated number or more likely will provide the hidden random number to the band. The system will store the random number and associate it with the "serial number".

When the band is read (including by somebody trying to clone it) the steps are something like this:

1) System says hello wristband what is your serial number
2) Wristband responds with serial number
3) System says OK wristband here is a random number I just came up with. Use this random number and your internal random number to run the formula you have stored inside of you and tell me the answer
4) Wristband responds with the result of the calculation, the random number is NEVER transmitted
5) System runs the same calculation internally and compares the results
6) If the results match the transaction continues, if not it doesn't

The algorithms used for the secret number calculation are designed so that even if somebody gets the random number that the system generates for verification (at the transaction time) and the result of the calculation it will take weeks for a supercomputer to crack the code and figure out the stored random number.

All credit card and personal info are stored in the secure network, not on the RFID tag.

This all assumes Disney chooses to implement it this way. What you are describing requires active RFID, which the bands have, but they also have passive RFID which doesn't provide this sort of protection.
 

flynnibus

Premium Member
This all assumes Disney chooses to implement it this way. What you are describing requires active RFID, which the bands have, but they also have passive RFID which doesn't provide this sort of protection.

The FCC filing only describes having the active radio (the 'beacon'); it doesn't describe if the system has an intelligent RFID tag or just a fixed ID. The 'passive UHF/HF RFID' described in the FCC filing only corresponds to the idea that the tag is not locally powered - it does not dictate if it can do challenge/response. This type of scenario DisneyCane described is independent of if the card has local power or active radios. Your smartchip enabled credit card is an example of a non-powered, but intelligent 'tag' similar to an RFID tag.

What DisneyCane is describing is the classic challenge/response system to prevent sending the secret out over the wire. The system adds protection against replay attacks by varying what the challenge sent is (the random portion) and making it time sensitive. This is how you prevent cloning a card itself.

In addition, you can have data encryption of what is on the card itself. The problem with videos you see about copying credit cards, etc is because they didn't just detect and read the card.. but because they had the actual reader and in turn the algorithms used to decrypt the data stored on the card.

Disney's model could use any of these, a combination of these, or none(!) - there really is no way to tell from the FCC filing. All we know is Disney has said there is no personal data stored on the band itself.. so it's likely a simple 'ID' tag.. or a tag with anti-cloning challenge/response ability. My bet is on the latter.
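An added sketch of the challenge/response exchange DisneyCane lists step by step and of the replay protection described in this post (not part of the original thread and not Disney's implementation). HMAC-SHA256 stands in for the unspecified "formula", and the class names, serial number and 5-second validity window are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 5.0  # seconds a challenge stays valid (assumed value)


class Band:
    """Tag side: a serial number plus a secret that never leaves the band."""
    def __init__(self, serial, secret):
        self.serial = serial
        self._secret = secret

    def respond(self, challenge):
        # Step 4: only the keyed digest goes over the air, never the secret.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Backend:
    """System side: stores serial -> secret and the outstanding challenges."""
    def __init__(self):
        self._secrets = {}
        self._pending = {}  # serial -> (challenge, time issued)

    def enroll(self, serial):
        # Activation: the system generates the hidden number for the band.
        secret = secrets.token_bytes(32)
        self._secrets[serial] = secret
        return Band(serial, secret)

    def challenge(self, serial, now=None):
        # Step 3: a fresh random challenge per read, so old answers are useless.
        nonce = secrets.token_bytes(16)
        self._pending[serial] = (nonce, time.monotonic() if now is None else now)
        return nonce

    def verify(self, serial, response, now=None):
        # Steps 5-6: recompute, compare in constant time, burn the challenge.
        now = time.monotonic() if now is None else now
        nonce, issued = self._pending.pop(serial, (None, 0.0))
        secret = self._secrets.get(serial)
        if nonce is None or secret is None or now - issued > CHALLENGE_TTL:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    backend = Backend()
    band = backend.enroll("SN-0001")  # constructed serial number
    old = band.respond(backend.challenge("SN-0001"))
    print("genuine read accepted:", backend.verify("SN-0001", old))
    backend.challenge("SN-0001")  # new read, new challenge
    print("replayed answer accepted:", backend.verify("SN-0001", old))
```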
 

flynnibus

Premium Member
All credit card and personal info are stored in the secure network, not on the RFID tag.

Yup - you described the classic challenge/response system. But when it comes to many Credit Cards.. they do store the card info in the response unfortunately because the reader is the one that decodes the response and then carries on similar to a traditional transaction (as if it read it from the mag strip). That's why simply having a merchant reader has allowed people to 'read' other people's credit card info without actually querying the banks.

But a system like Disney won't save info like that on the card, and will use either an ID, or challenge/response like you described to validate or encrypt the ID. Since the system was designed from the start with purchasing in mind, I have to believe they would NOT have selected a simple ID response tag and gone with something with anti-cloning methods.
 

danlb_2000

Premium Member
The FCC filing only describes having the active radio (the 'beacon'); it doesn't describe if the system has an intelligent RFID tag or just a fixed ID. The 'passive UHF/HF RFID' described in the FCC filing only corresponds to the idea that the tag is not locally powered - it does not dictate if it can do challenge/response. This type of scenario DisneyCane described is independent of if the card has local power or active radios. Your smartchip enabled credit card is an example of a non-powered, but intelligent 'tag' similar to an RFID tag.

What DisneyCane is describing is the classic challenge/response system to prevent sending the secret out over the wire. The system adds protection against replay attacks by varying what the challenge sent is (the random portion) and making it time sensitive. This is how you prevent cloning a card itself.

In addition, you can have data encryption of what is on the card itself. The problem with videos you see about copying credit cards, etc is because they didn't just detect and read the card.. but because they had the actual reader and in turn the algorithms used to decrypt the data stored on the card.

Disney's model could use any of these, a combination of these, or none(!) - there really is no way to tell from the FCC filing. All we know is Disney has said there is no personal data stored on the band itself.. so it's likely a simple 'ID' tag.. or a tag with anti-cloning challenge/response ability. My bet is on the latter.

You are correct, I was under the mistaken assumption that doing this sort of challenge/response protocol required active RFID, but I see now that this is not the case.
 

flynnibus

Premium Member
You are correct, I was under the mistaken assumption that doing this sort of challenge/response protocol required active RFID, but I see now that this is not the case.

I still think the 'beacon' part is the part most responsible for all of the tracking. I call it a beacon because it sounds like it will just broadcast an ID all the time (or when triggered to be active) and you can use passive readers to listen for the beacons and determine proximity based on that. Then just leave the RFID system to payment/ID systems rather than actively blasting large areas to try to detect the tags. Leave RFID scanning to when you need precision - use the beacon for monitoring of volumes of people.

People could in theory clone the beacon.. but for what gain? Simply to confuse Disney? Invalid or cloned IDs could be flagged, and then the user associated with that ID would be flagged to have their band swapped out next time they hit a transaction and the cloned ID would just be blackholed.

I'm trying to find references on the challenge/response stuff.. to be sure it's not limited only to ICC (smartchip) systems.
 

danlb_2000

Premium Member
I still think the 'beacon' part is the part most responsible for all of the tracking. I call it a beacon because it sounds like it will just broadcast an ID all the time (or when triggered to be active) and you can use passive readers to listen for the beacons and determine proximity based on that. Then just leave the RFID system to payment/ID systems rather than actively blasting large areas to try to detect the tags. Leave RFID scanning to when you need precision - use the beacon for monitoring of volumes of people.

People could in theory clone the beacon.. but for what gain? Simply to confuse Disney? Invalid or cloned IDs could be flagged, and then the user associated with that ID would be flagged to have their band swapped out next time they hit a transaction and the cloned ID would just be blackholed.

I'm trying to find references on the challenge/response stuff.. to be sure it's not limited only to ICC (smartchip) systems.

I would agree the beacon is for tracking. The FCC application says:

"The radio of the device, Model MB-R1G1, is a wrist worn arm band that transmits a 2.4 GHz signal to an indoor wireless infrastructure. The PCB assembly is potted in plastic and completely overmolded with thermal plastic polyurethane. The band has no on off switch and is powered with a non-replaceable coin cell. The PCB assembly also includes a passive UHF RFID tag radio and a passive HF RFID tag radio."

This leads me to believe that the 2.4 GHz signal is the beacon and is the powered part just giving it the range needed for tracking. The UHF and HF RFID are generally shorter range.
 

Justinj2

Member
Are these only for resort guests or are they the new walk up ticket as well?
Walt Disney Resort Guests & Passholders will get a Magic Band for free. Anyone else will have to purchase one or just receive an RFID ticket media card that offers the same advantages of the system.
 
