
RFID Under Attack Again

RFID hacking isn't rocket science, but the risk depends on proper use, deployment

Hacking some RFID-based technology is so frighteningly simple that it has even surprised the researchers who have recently demonstrated things like how it's possible to clone RFID cards, or to insert malware that dupes an unsuspecting -- and apparently, relatively unsophisticated -- card reader into unlocking the building for an intruder. (See Black Hat Cancels RFID Demo, HID, IOActive Butt Heads Again, and New RFID Attack Opens the Door.)

Take indie researcher Adam Laurie, who demonstrated at Black Hat Europe in Amsterdam late last month how he reprogrammed RFID tags and could duplicate a legitimate user's building cardkey. He wrote code based on his RFIDIOt tools and has released the source code. "I can take an existing door tag and reprogram it to believe it's a different one, and I can also make cards pretend to be another manufacturer's card."

And it didn't take much effort, says Laurie, who recently cracked one of the U.K.'s new biometric passports. "I didn't have to do much reverse-engineering: I just read the [RFID] manufacturers' data sheets."

Chris Paget, director of R&D for IOActive, says it's "remarkably easy" to clone RFID cards. But until recently, few researchers have paid any attention to it. "Most computer geeks see the word 'radio' and think it's some kind of voodoo," says Paget, whose company is still at a silent standoff with HID Global after the RFID vendor threatened legal action over cloning research he was to present at Black Hat D.C. "It has gaping vulnerability holes that go unnoticed."

Any electronics hobbyist could clone an RFID badge, he says. "With the clone I built, I could replicate this with a $20 part. A Furby is more complicated."

The stakes have gotten higher with RFID security, though, as personal information increasingly becomes part of the equation. The bottom line is that RFID, or more accurately, RF, is merely a transport technology. "It's a way of communicating with a contactless card," Paget explains. "And you can use it in a secure or insecure way, depending on what you do with it."

Laurie says it's often used improperly and without the necessary security layers. "The main weakness is that it's been used inappropriately. An RFID token is not an authentication token," he says. "In addition, you need to authenticate to prove you are who you say you are. Having a PIN should be the very least you should have to operate one of these."

Part of the problem is that while RFID is simple, it's also misunderstood. Kathleen Carroll, director of government relations for RFID vendor HID Global, says there's a difference between RFID badges and smart cards, the second generation of RF-based cards that come with encryption and authentication. Smart cards, like e-passports, can only be read from within three to four inches away, she says, plus they come with the encryption and authentication layers.

It's the older, 125-kHz cards that have been cloned by hackers, she says. HID, which sells cards in this category called Prox, also offers next-generation 13.56 MHz iClass smart cards with encryption and mutual authentication, she says. "But that's not to say the systems in place today are not secure. You can make them more secure," she says, by keeping these Prox cards hidden and not out in the open, or ensuring security cameras and/or security guards augment them.
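
The distinction Laurie and Carroll draw above, between a card that merely transmits a fixed ID number and one that carries a key, performs mutual authentication, and is backed by a PIN, can be made concrete with a small reader-side simulation. This is an added example, not code from the article, from HID, or from any of the researchers quoted; the UID, key, PIN and enrollment record are constructed, and the HMAC challenge-response layout is a generic illustration of the idea, not the actual iClass or e-passport protocol.

```python
"""Simulated door-reader policies: ID-only versus keyed mutual authentication plus PIN.

Constructed illustration (not the article's or any vendor's code). All UIDs, keys,
salts and PINs below are made up for the demonstration.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def mac(key: bytes, msg: bytes) -> bytes:
    """Keyed tag used for both directions of the challenge-response."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def pin_hash(pin: str, salt: bytes) -> bytes:
    """PINs are stored hashed; the reader never keeps them in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


# Constructed enrollment record (assumption: the access-control backend stores one per card).
ALICE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
ALICE_SALT = b"constructed-salt"
ENROLLED = {
    "1A2B3C4D": {"holder": "alice", "key": ALICE_KEY,
                 "pin_salt": ALICE_SALT, "pin_hash": pin_hash("4821", ALICE_SALT)},
}


class Card:
    """Simulated contactless card. key=None models a UID-only card: nothing on it is secret."""

    def __init__(self, uid: str, key: Optional[bytes] = None):
        self.uid = uid
        self._key = key
        self._nonce: Optional[bytes] = None

    def begin(self) -> bytes:
        """The card contributes its own nonce, so a recorded exchange cannot be replayed to it."""
        self._nonce = secrets.token_bytes(8)
        return self._nonce

    def respond(self, reader_nonce: bytes, reader_proof: bytes) -> Optional[bytes]:
        """Answer only after the reader proves it holds the key (the 'mutual' in mutual auth)."""
        if self._key is None or self._nonce is None:
            return None
        transcript = reader_nonce + self._nonce
        if not hmac.compare_digest(reader_proof, mac(self._key, b"reader|" + transcript)):
            return None  # untrusted reader: the card stays silent
        return mac(self._key, b"card|" + transcript)


def id_only_reader(card: Card) -> Optional[str]:
    """Weak policy: the UID travels in the clear and is the only thing checked."""
    record = ENROLLED.get(card.uid)
    return record["holder"] if record else None


def keyed_reader(card: Card, pin: str) -> Optional[str]:
    """Hardened policy: fresh nonces, keyed proof in both directions, then a PIN."""
    record = ENROLLED.get(card.uid)
    if record is None:
        return None
    card_nonce = card.begin()
    reader_nonce = secrets.token_bytes(8)
    transcript = reader_nonce + card_nonce
    response = card.respond(reader_nonce, mac(record["key"], b"reader|" + transcript))
    expected = mac(record["key"], b"card|" + transcript)
    if response is None or not hmac.compare_digest(response, expected):
        return None  # card could not prove it holds the key
    if not hmac.compare_digest(pin_hash(pin, record["pin_salt"]), record["pin_hash"]):
        return None  # second factor failed
    return record["holder"]


if __name__ == "__main__":
    genuine = Card("1A2B3C4D", ALICE_KEY)
    uid_only = Card("1A2B3C4D")  # same ID number, no key: what a sniffed UID alone buys
    for name, card in (("genuine", genuine), ("uid-only", uid_only)):
        print(f"{name:9s} id-only reader: {id_only_reader(card)!s:6s} "
              f"keyed reader: {keyed_reader(card, '4821')}")
```

The ID-only reader cannot distinguish the two cards, which is exactly Laurie's point that an RFID token by itself is not an authentication token; the keyed reader rejects the UID-only card because it cannot answer a fresh challenge, and rejects a genuine card presented with the wrong PIN.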

"99.9 percent of access control systems don't have personal information on the card. The only information being transmitted between the card and reader is a unique ID number, and that's no risk to privacy," she says. "HID absolutely would not suggest using that technology if you are going to have personal information on a card."

Still, the very real threat of hacking these first-generation and more pervasive cards is creepy, and unnerving. Laurie says he can discreetly "sniff" a badge while walking just inches from someone with their card exposed, or in their pocket. "I now know your ID and can program my tag to have that ID number."

And imagine the consequences of someone using a duplicate version of your RFID card to commit a crime, and it getting traced back to you. Laurie is testifying in an upcoming trial in the U.K. where a storekeeper stands accused of burglary. "He's accused of letting himself in on a Sunday and emptying the safe. The only evidence against him is his RFID keyfob opened the door," says Laurie, an expert witness who will discuss the possibility of cloning the tag.

Being falsely accused of a crime because your card was used -- or a clone of it was, that is -- is one of the real dangers of RFID hacking, he says.

Newer RFID technology isn't untouchable, either. Aside from Laurie's hack of the U.K. e-passports, IOActive's Paget says even the VeriChip locator technology, including the implantable chips, can be cloned. "And lots of passports can be broken because the encryption in them is pretty weak."

Carroll contends it's more likely you'd get piggybacked than hacked, however. Piggybacking is good old social engineering, where an intruder just follows behind you when you swipe your way into the building, or asks you to hold the door for him. "Going out and buying a reader or building one is easy for a techie to do, but not for the average person or criminal element," she says. "The risk is more that someone would piggyback or steal a card."

She says the user side of the problem is obvious each time she commutes on the Metro subway in Washington, D.C. "I see people all the time on the Metro with their ID badges clearly visible -- most have a picture, name, and their place of employment," Carroll says. "If you're going to worry about security and privacy and being tracked, put that card away. It amazes me how little people think about what they have in full view."

— Kelly Jackson Higgins, Senior Editor, Dark Reading
