RFID Under Attack Again

RFID hacking isn't rocket science, but the risk depends on proper use, deployment

Hacking some RFID-based technology is so frighteningly simple that it has even surprised the researchers who have recently demonstrated things like how it's possible to clone RFID cards, or to insert malware that dupes an unsuspecting -- and apparently, relatively unsophisticated -- card reader into unlocking the building for an intruder. (See Black Hat Cancels RFID Demo, HID, IOActive Butt Heads Again, and New RFID Attack Opens the Door.)

Take indie researcher Adam Laurie, who demonstrated at Black Hat Europe in Amsterdam late last month how he reprogrammed RFID tags and could duplicate a legitimate user's building cardkey. He wrote code based on his RFIDIOt tools and has released the source code. "I can take an existing door tag and reprogram it to believe it's a different one, and I can also make cards pretend to be another manufacturer's card."

And it didn't take much effort, says Laurie, who recently cracked one of the U.K.'s new biometric passports. "I didn't have to do much reverse-engineering: I just read the [RFID] manufacturers' data sheets."

Chris Paget, director of R&D for IOActive, says it's "remarkably easy" to clone RFID cards. But until recently, few researchers have paid any attention to it. "Most computer geeks see the word 'radio' and think it's some kind of voodoo," says Paget, whose company is still at a silent standoff with HID Global after the RFID vendor threatened legal action over cloning research he was to present at Black Hat D.C. "It has gaping vulnerability holes that go unnoticed."

Any electronics hobbyist could clone an RFID badge, he says. "With the clone I built, I could replicate this with a $20 part. A Furby is more complicated."

The stakes have gotten higher with RFID security, though, as personal information increasingly becomes part of the equation. The bottom line is that RFID, or more accurately, RF, is merely a transport technology. "It's a way of communicating with a contactless card," Paget explains. "And you can use it in a secure or insecure way, depending on what you do with it."

Laurie says it's often used improperly and without the necessary security layers. "The main weakness is that it's been used inappropriately. An RFID token is not an authentication token," he says. "In addition, you need to authenticate to prove you are who you say you are. Having a PIN should be the very least you should have to operate one of these."

Part of the problem is that while RFID is simple, it's also misunderstood. Kathleen Carroll, director of government relations for RFID vendor HID Global, says there's a difference between RFID badges and smart cards, the second generation of RF-based cards that come with encryption and authentication. Smart cards, like e-passports, can only be read from within three to four inches away, she says, plus they come with the encryption and authentication layers.

It's the older, 125-kHz cards that have been cloned by hackers, she says. HID, which sells cards in this category called Prox, also offers next-generation 13.56-MHz iClass smart cards with encryption and mutual authentication, she says. "But that's not to say the systems in place today are not secure. You can make them more secure," she says, by keeping these Prox cards hidden and not out in the open, or ensuring security cameras and/or security guards augment them.

"99.9 percent of access control systems don't have personal information on the card. The only information being transmitted between the card and reader is a unique ID number, and that's no risk to privacy," she says. "HID absolutely would not suggest using that technology if you are going to have personal information on a card."
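To make the distinction concrete, here is a small simulation (added for this article; it is not HID's, Laurie's or Paget's code and models no vendor's real protocol) of the two reader designs being described: a reader that trusts whatever unique ID a card announces, and a reader that challenges the card with a fresh nonce, expects a keyed response and then asks for a PIN. The card records, key, UID and PIN are constructed sample values.

```python
import hashlib
import hmac
import os
import secrets

# Reader-side enrollment records (constructed sample data, not from any real system).
CARD_DB = {
    "0x1F3A9C": {
        "key": bytes.fromhex("00112233445566778899aabbccddeeff"),
        "pin": "4821",
    },
}


class GenuineCard:
    """A card that holds a per-card secret key which never leaves the chip."""

    def __init__(self, uid, key):
        self.uid = uid
        self._key = key

    def respond(self, challenge):
        # Keyed response to the reader's nonce: proves possession of the key.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class SniffedUidClone:
    """A tag programmed with a UID only, i.e. what cloning a 125-kHz badge yields."""

    def __init__(self, uid):
        self.uid = uid

    def respond(self, challenge):
        # No key was ever exposed over the air, so the clone can only guess.
        return secrets.token_bytes(32)


def uid_only_reader(card):
    """Prox-style policy: the announced ID alone opens the door."""
    return card.uid in CARD_DB


def authenticated_reader(card, pin_entered):
    """Challenge-response plus PIN: the UID is an index, not a credential."""
    rec = CARD_DB.get(card.uid)
    if rec is None:
        return False
    challenge = os.urandom(16)  # fresh per attempt, so replays do not help
    expected = hmac.new(rec["key"], challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(card.respond(challenge), expected):
        return False
    return hmac.compare_digest(pin_entered.encode(), rec["pin"].encode())
```

A card whose UID was copied passes `uid_only_reader` exactly like the original, while `authenticated_reader` rejects it even with the correct PIN, because the key never crossed the air interface.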

Still, the very real threat of hacking these first-generation and more pervasive cards is creepy and unnerving. Laurie says he can discreetly "sniff" a badge while walking just inches from someone with their card exposed, or in their pocket. "I now know your ID and can program my tag to have that ID number."

And imagine the consequences of someone using a duplicate version of your RFID card to commit a crime, and it getting traced back to you. Laurie is testifying in an upcoming trial in the U.K. where a storekeeper stands accused of burglary. "He's accused of letting himself in on a Sunday and emptying the safe. The only evidence against him is his RFID keyfob opened the door," says Laurie, an expert witness who will discuss the possibility of cloning the tag.

Being falsely accused of a crime because your card was used -- or a clone of it was, that is -- is one of the real dangers of RFID hacking, he says.

Newer RFID technology isn't untouchable, either. Aside from Laurie's hack of the U.K. e-passports, IOActive's Paget says even the VeriChip locator technology, including the implantable chips, can be cloned. "And lots of passports can be broken because the encryption in them is pretty weak."

Carroll contends it's more likely you'd get piggybacked than hacked, however. Piggybacking is good old social engineering, where an intruder just follows behind you when you swipe your way into the building, or asks you to hold the door for him. "Going out and buying a reader or building one is easy for a techie to do, but not for the average person or criminal element," she says. "The risk is more that someone would piggyback or steal a card."

She says the user side of the problem is obvious each time she commutes on the Metro subway in Washington, D.C. "I see people all the time on the Metro with their ID badges clearly visible -- most have a picture, name, and their place of employment," Carroll says. "If you're going to worry about security and privacy and being tracked, put that card away. It amazes me how little people think about what they have in full view."

— Kelly Jackson Higgins, Senior Editor, Dark Reading
