What probably happened with Mythbusters and RFID

People seem to be upset at the potential censorship Mythbusters’ Adam Savage described when he said industry lawyers prevented him from creating an episode about security problems with RFID.  Now new accounts are being released both by TI and Adam indicating the situation wasn’t so coercive.

According to a TI spokesperson, this all began when:

“To move the process along, Texas Instruments coordinated a conversation with Smart Card Alliance (SCA) who invited MasterCard and Visa, on contactless payments to help MythBusters get the right information.”

And, instead of an army of credit card company lawyers, TI claims that:

“Of the handful of people on the call, there were mostly product managers and only one contactless payment company’s legal counsel member.”

Since I’ve developed for smart cards before and attended an SCA event, I can give more background information on the players involved.  I doubt anything sinister happened, and Mythbusters’ status as an outsider probably contributed to the misunderstanding.

There may be hundreds of different types of system covered by the name “RFID”, so when Mythbusters contacted TI, it’s likely they hadn’t identified exactly what they wanted to talk about.  Given the references to “contactless payment” in TI’s statement, they’re probably talking about ISO 14443 contactless smart cards.  However, there are numerous other implementations of “contactless payment”, for example, the proprietary (and broken) SpeedPass system.

Once they had narrowed down the discussion, it still would not have been clear which payment application Mythbusters would examine.  This is because ISO 14443 merely specifies the communication protocol and modulation, not how to talk to an application to perform credits, debits, etc.  This is probably what the spokesperson was referring to when he said:

“Some of the information that was needed to pursue the program required further support from the contactless payment companies as they construct their own proprietary systems for security to protect their customers.”

The most common application standard is EMV.  It describes a standard between readers and cards to perform payment transactions on top of the underlying wire protocol, whether it is contactless or not.  There are other payment applications supported on a single card.  EMV does describe cryptographic security (encryption and signatures) to authenticate the transactions, say, to prevent unauthorized debits.

But there may be more here when the spokesperson said “proprietary systems for security”.  Depending on the direction Mythbusters took, he could also be talking about attempts to prevent side-channel (DPA) or physical attacks (glitching, probing).  Those are usually very specific to a given implemenation of a device.  It would be interesting to see if Mythbusters was really that skilled to consider attempting those kinds of attacks.

The other interesting thing to note is the presence of product managers on the call.  Most of the time, a product manager can’t answer really technical questions about protocols, interfacing, etc.  Their job is a marketing role — to explain the features of the product in the most appealing light.  A product manager wouldn’t know how to help someone attack their system (nor would they want to), however they would be good at extolling the many great security features their product has.

So while Mythbusters was probably not threatened by the industry, they were definitely being provided a very RFID-positive perspective.  That’s obvious and what any company would do in the same situation.

The biggest question that remains is what exactly did Mythbusters hope to show?  Did they have some outside expert lined up to do the actual work?  If not, why did they start by asking the parties least motivated to help them?

[Update: I think the episode Mythbusters did air about RFID is this one.  They test that an implantable RFID chip does not heat up or explode when present during an MRI.  At the end, they hint that they might investigate payment systems (a quite different type of RFID), but dismiss that plan.]