Hacking some RFID-based technology is so frighteningly simple that it has even surprised the researchers who have recently demonstrated things like how it's possible to clone RFID cards, or to insert malware that dupes an unsuspecting -- and apparently, relatively unsophisticated -- card reader into unlocking the building for an intruder. (See Black Hat Cancels RFID Demo, HID, IOActive Butt Heads Again, and New RFID Attack Opens the Door.)
Take indie researcher Adam Laurie, who demonstrated at Black Hat Europe in Amsterdam late last month how he reprogrammed RFID tags and could duplicate a legitimate user's building cardkey. He wrote code based on his RFIDIOt tools and has released the source code. "I can take an existing door tag and reprogram it to believe it's a different one, and I can also make cards pretend to be another manufacturer's card."
And it didn't take much effort, says Laurie, who recently cracked one of the U.K.'s new biometric passports. "I didn't have to do much reverse-engineering: I just read the [RFID] manufacturers' data sheets."
Chris Paget, director of R&D for IOActive, says it's "remarkably easy" to clone RFID cards. But until recently, few researchers have paid any attention to it. "Most computer geeks see the word 'radio' and think it's some kind of voodoo," says Paget, whose company is still at a silent standoff with HID Global after the RFID vendor threatened legal action over cloning research he was to present at Black Hat D.C. "It has gaping vulnerability holes that go unnoticed."
Any electronics hobbyist could clone an RFID badge, he says. "With the clone I built, I could replicate this with a $20 part. A Furby is more complicated."
The stakes have gotten higher with RFID security, though, as personal information increasingly becomes part of the equation. The bottom line is that RFID, or more accurately, RF, is merely a transport technology. "It's a way of communicating with a contactless card," Paget explains. "And you can use it in a secure or insecure way, depending on what you do with it."
Laurie says it's often used improperly and without the necessary security layers. "The main weakness is that it's been used inappropriately. An RFID token is not an authentication token," he says. "In addition, you need to authenticate to prove you are who you say you are. Having a PIN should be the very least you should have to operate one of these."
Part of the problem is that while RFID is simple, it's also misunderstood. Kathleen Carroll, director of government relations for RFID vendor HID Global, says there's a difference between RFID badges and smart cards, the second generation of RF-based cards that come with encryption and authentication. Smart cards, like e-passports, can only be read from within three- to four-inches away, she says, plus they come with the encryption and authentication layers.
It's the older, 125-kHz cards that have been cloned by hackers, she says. HID, which sells cards in this category called Prox, also offers next-generation 13.56 mHz iClass smart cards with encryption and mutual authentication, she says. "But that's not to say the systems in place today are not secure. You can make them more secure," she says, by keeping these Prox cards hidden and not out in the open, or ensuring security cameras and/or security guards augment them.
"99.9 percent of access control systems don't have personal information on the card. The only information being transmitted between the card and reader is a unique ID number, and that's no risk to privacy," she says. "HID absolutely would not suggest using that technology if you are going to have personal information on a card."
Still, the very real threat of hacking these first-generation and more pervasive cards is creepy, and unnerving. Laurie says he can discretely "sniff" a badge while walking just inches from someone with their card exposed, or in their pocket. "I now know your ID and can program my tag to have that ID number."
And imagine the consequences of someone using a duplicate version of your RFID card to commit a crime, and it getting traced back to you. Laurie is testifying in an upcoming trial in the U.K. where a storekeeper stands accused of burglary. "He's accused of letting himself in on a Sunday and emptying the safe. The only evidence against him is his RFID keyfob opened the door," says Laurie, an expert witness who will discuss the possibility of cloning the tag.
Being falsely accused of a crime because your card was used -- or a clone of it was, that is -- is one of the real dangers of RFID hacking, he says.
Newer RFID technology isn't untouchable, either. Aside from Laurie's hack of the U.K. e-passports, IOActive's Paget says even the VeriChip locater technology, including the implantable chips, can be cloned. "And lots of passports can be broken because the encryption in them is pretty weak."
Carroll contends it's more likely you'd get piggybacked than hacked, however. Piggybacking is good old social networking, where an intruder just follows behind you when you swipe your way into the building, or asks you to hold the door for him. "Going out and buying a reader or building one is easy for a techie to do, but not for the average person or criminal element," she says. "The risk is more that someone would piggyback or steal a card."
She says the user side of the problem is obvious each time she commutes on the Metro subway in Washington, D.C. "I see people all the time on the Metro with their ID badges clearly visible -- most have a picture, name, and their place of employment," Carroll says. "If you're going to worry about security and privacy and being tracked, put that card away. It amazes me how little people think about what they have in full view."
Kelly Jackson Higgins, Senior Editor, Dark Reading