RandomPrincess
Keep Moving Forward
I just thought of a question I'm not sure has been answered yet. My son will be 2.5 years on our trip - if we had Magic Bands would he get one? I'm assuming yes since he got a KTTW card when he was a baby.
-
Welcome to the WDWMAGIC.COM Forums!
Please take a look around, and feel free to sign up and join the community.
My Magic + details ...
- Thread starter WDW1974
- Start date
luv
Well-Known Member
I'm thinking the stand-by waits for SSE will increase, as will Haunted Mansion and all the rides that didn't have FP before.
They're actually going to create longer stand-by waits to make the FP look like a better deal. Come to think of it, they jacked up the cost of food to make the dining plans look like a better deal, so I don't see why I should be surprised.
ford91exploder
Resident Curmudgeon
Back in my college days I helped develop a early form of RFID which we used to track the behavior of Norway Rats in the Tokyo subway. We were catching rats and surgically implanting the tracking chips which were little glass pills at the time. My thought then was they will be implanting these capsules in people someday so I've had a LONG time to think about the social ramifications of RFID.
Biggest problem with RFID is that most people think (and Disney site says) that these RFID devices are secure because you need to tap them on the reader. This is NOT true as the video notes and while the long range reader is not small it is small enough that one can have one near (or even in rooms) collect all the nearby RFID data and then use it to break into rooms and grab the loose goodies and other stuff commonly left around.
What I really would like to see is TRUTH from Disney, the RFID readers made your room less secure when you were not occupying it because your 'key' can be copied from a distance unlike the old magstripe system where you needed physical possession of the key to copy.
1023
Provocateur, Rancanteur, Plaisanter, du Jour
This is odd...
I just made a similar point on the "RapidFill" mug thread. Any NFC equipped phone can "bump" a mug and clone the RFID. With the right apps, you have a mug refill button. The same is true for the key cards and the like in your wallet. The trick in these systems are the back end query systems. Once you have a clone though, only NGE can save you. (That last bit was for humorous effect, although biometrics tied to RFID would be hard to overcome.)
*1023*
P.S. Of course the bad guy would need your room number.
Nubs70
Well-Known Member
So I can bring my 5 year old Disney mug, my Samsung SIII, and and get free soda for life?
1023
Provocateur, Rancanteur, Plaisanter, du Jour
If you possess the technical skills to upgrade your firmware to something like JellyBean, your S3 has a working NFC/S-Beam feature, can combine the correct apps, "bump" some unsuspecting guest's mug, and be super sneaky with your phone curiously near your mug during the whole event of dispensing soda....Possibly.... The fact that your artwork may not be current could be a dead give away that you are scamming and would probably sink your ship. Not to mention, it would make me sad that I sent someone over to the "dark side" or enabled an evil do-er that read my posts to increase everyone's financial misery.
so....
Nah, can't be done. NGE would prevent this on all levels.
*1023*
YankeeMouse
Well-Known Member
Are you people lawyers?
KingStefan
Well-Known Member
You make a very good point about the room being less secure, and I agree with you there. Unless there is something I don't understand. The first time I saw a video of how it works, I was a little surprised.
However, the issue is *not* the ability to read RFID ultra-long-range. That doesn't really buy you anything that you can't already do some other way. All you really need is to be able to get within a few feet of someone, which is really easy to do. Although I haven't researched it, I suspect that you can do that with something you can put in your pocket.
Anything else I can think of is either not useful or practical or both.
For example in his presentation (some of the slides he skipped in the video) Paget talks about surveilling from across a parking lot at a high-end store and reading the RFID tag of a customer exiting the store, then discovering somehow that he bought something expensive and stealing it. You could easily do this by just following him into the store and watching what he buys, and it would be a lot less suspicious than sitting out in a parking lot with a big antenna pointed at the store entrance.
But yes, I want Disney to explain why they think RFID tag is as secure as mag-stripe pass keys (because I think it is not), especially in light of the fact that they want you to enter a PIN to buy something, and check biometrics to enter a park. Apparently keeping someone from entering a park illegally is more important to them than someone entering your room illegally.
lazyboy97o
Well-Known Member
Part of the massive expense behind the MyMagic+ program is upgrading outdated infrastructure throughout Walt Disney World. Just due its sheer size, can Disney keep pace with advances in technology? Today you may need a big antenna to pick the RFID information from people's cards and MagicBands, but what about tomorrow?
KingStefan
Well-Known Member
OK, did some thinking, and some research, and I've changed my opinion *slightly*.
I still think RFID is less secure than mag-stripe. However, it's not as bad as I've been thinking. The reason being with the latest technology RFID, if properly implemented, the ID is "disguised" or "cover coded". This is done using a device specific, 32-bit "password". Not as good as encryption, but it is something.
It means, among other things, that you cannot read the ID with an illegal reader and clone the device (with the intention of using it to open a room, for example) without knowing the password, which is kept secret on the back-end (Disney) network.
So the only way to get enough data to enter a room illegally with a clone (without breaking into the back-end network data base) would be with a side-channel attack. That means eavesdropping on a "real" transaction, then analyzing the data to infer the password. This is certainly possible, but not so easy.
There are several reasons it is difficult. First, it would require eavesdropping on very weak signals both from the "real" reader and the RFID device. Offhand, I don't think you can do this with today's technology from more than a few inches, or feet at most anyway, and it would have to be during the transaction (that is, while you were opening the door, for example). Second, inferring the password is not so easy, and would require some sophistication, and some significant computer power, so could probably not be done in near real-time. That's not really an issue if you're staying in the room for a few days - the intruder could analyze the data and come back another time. It just makes it a little less accessible to the average thief than buying a cloner on the internet and making a clone tag right there in the parking lot.
Of course I can think of examples where a device is planted near a door (on the top door sill, for example) and can implement a side-channel attack on the door-open transaction - maybe even several - then be retrieved later, analyzed, and a clone made. But still, not as bad as I originally thought.
So I feel a little better anyway. I just wish that Disney would come out with a bit more detailed explanation than saying, "it's perfectly secure - trust us".
KingStefan
Well-Known Member
Last edited:
KingStefan
Well-Known Member
maxairmike
Well-Known Member
I wanted to skip right to this point because, really, isn't this exactly what is happening with card skimmers right now using a different medium and placement strategy? Given how slim and almost invisible skimmers have gotten, I've got to think this could be a real concern down the line a short way for RFID tech, and it wouldn't require anything to be as close as a mag-stripe skimmer. Interesting to note that Florida has been a bit of a hotbed for skimming activity as well.
KingStefan
Well-Known Member
That is basically true. But mag-stripe skimmers are relatively simple technology compared to a Gen-2 side-channel attacker.
Industry's hope, as I understand it, is for the Gen-3 standard to come out before practical side-channel attack devices are realizable. Industry does fully admit that side-channel attack is the biggest vulnerability today.
The hope is that Gen 3 will allow for features such as stronger encryption and authentication, and that the cost will not significantly increase, implementers like Disney will take advantage of those features (as they may be optional depending on the cost involved - implementers using them for pallet control in a secure area may not want to spend extra to implement those features and continue to use Gen-2 compliant devices, for example, especially if they are buying 10s of thousands or 100s of thousands of devices).
In any case, if those features are implemented properly, it would render side-channel attacks virtually impossible. Devices now are in the order of magnitude of $1 in quantity.
[correction: I slipped a decimal point - they are about $0.10, not $1 - maybe less]
If [it's ten times as much] to implement better encryption and authentication, I'm hoping that Disney would spring for an upgrade. They are bottom-liners, to be sure, but $1 per family per resort stay to get more security sure won't break the bank.
And they really need that extra security - not because there is so much of a chance that rooms will be broken into - there is not - but because they need more than anything else for the consumer to have confidence and trust in the system. If there is not a general perception that they are safe and secure (regardless of the true level of threat), it will be disastrous.
Last edited:
KingStefan
Well-Known Member
Of course it just occurred to me that Disney might already be implementing stronger encryption and authentication methods with their RFID implementation. There is no restriction in Gen-2 about going beyond what is required. I wonder how we can find out?
[edit] Of course, I'm pretty sure they have enhanced features, because IIRC I heard someone talk on these boards about battery life. And long-range sensing, and self-forming networks. That doesn't correlate with the use of plain-vanilla Gen-2s by themselves. [/edit]
[edit] Of course, I'm pretty sure they have enhanced features, because IIRC I heard someone talk on these boards about battery life. And long-range sensing, and self-forming networks. That doesn't correlate with the use of plain-vanilla Gen-2s by themselves. [/edit]
Last edited:
flynnibus
Premium Member
The battery life is to tied to the active part of the band.. the band has both RFID and a 2.4GHz transmitter
1023
Provocateur, Rancanteur, Plaisanter, du Jour
Through the wonders of science and technology, I bring you the ramblings of an evil genius from somewhere in his secret lair.
"2.4Ghz transmitter paired with RFID? I wonder if a evil super geek could sample enough keys too ...hmmm....or perhaps sample the traffic to break down 32 bit encryption....hmmmm.... and you say they ship these to me and I can keep them afterward? hmmmmmm"
Meanwhile..... we join our heroes, out to enjoy some NGE fun... when suddenly....
"2.4Ghz transmitter paired with RFID? I wonder if a evil super geek could sample enough keys too ...hmmm....or perhaps sample the traffic to break down 32 bit encryption....hmmmm.... and you say they ship these to me and I can keep them afterward? hmmmmmm"
Meanwhile..... we join our heroes, out to enjoy some NGE fun... when suddenly....
flynnibus
Premium Member
The 2.4GHz radio has been referred to as Bluetooth a few times, but I have yet to see anything explicitly validating it as Bluetooth, or some variant of 802.11, or just some proprietary beacon/radio.
RSoxNo1
Well-Known Member
Yes, best case scenario it's a $1.5-3 billion infrastructure improvement that will result in 0 additional trips being booked. Infrastructure is important, but guests are brought to Disney World because of the rides.