Thursday, June 29, 2006

Packet Focus Security Research

RFID Access Card Vulnerabilities

Ok... so now I feel like I know a little more about RFID and how it works. I have been reading a lot of research lately about the hardware involved and some limitations.

Notes about RFID:
Each RFID tag has a unique UID burned into it and locked at manufacture, much like the hardware (MAC) address of a network card.

Most proximity and access-control cards do not use encryption; the reader identifies the card by its UID alone.

The cards are powered by the reader's field when within operating range. The range varies from vendor to vendor but is generally short.

The reader and the card talk to each other using a protocol defined in the relevant ISO standards and vendor documentation.

ISO makes you pay for the documents. Donations? :)

Encryption and key infrastructure can be used in more recent implementations.

Anti-collision mechanisms have been implemented to handle multiple cards present in the reader's field at once.

Secure installations would use encryption and additional factors such as biometrics.


Theory:
Almost every proximity or access card is vulnerable to "session replay". This also applies to hundreds of other types of ID cards used at grocery stores, libraries, and elsewhere...

Readers themselves may be vulnerable to exploits that compromise the reader and grant access. This is much easier than cloning or session replay.

More to come:

Contact: Joshua Perrymon
PacketFocus
www.packetfocus.com
josh.perrymon@packetfocus.com

Monday, June 26, 2006

A lot has been going on lately... Work has been very busy, as well as personal life ;)
Learning to surf in Australia on my time off...

Eweek contacted us about RFID security at the Olympics and the World Cup. Nothing big here... Each ticket has an embedded RFID chip with a unique ID.
When people walk into the stadium the ticket is scanned and the ID is associated with the personal info provided when buying the tickets initially.
I don't have problems with RFID when it's used effectively (US DoD for example: inventory management).

But when using RFID for identification there are certain implied risks. This shouldn't be a problem for ticket IDs as long as the ID is unique and doesn't provide an attacker with the ability to identify ticket-holder information. The risk I see with this is input validation on the RFID scanners as the ticket holders walk through. In theory a SQL injection could be burned to an RFID chip and parsed by the backend database upon scanning. This would be a one-shot attempt, and it would be hard to gain outside / backdoor access with one shot.

However, RFID systems such as the one mentioned above should ensure that proper input validation is performed on all RFID-sourced input, and this should be integrated into the SDLC.
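The two points above (treat the tag payload as untrusted input, and refuse a ticket ID that has already been scanned) can be shown in a small backend. The code below is an added example written for this page, not code from PacketFocus or from any real ticketing system; the in-memory SQLite table, the sample UIDs and the 4/7/10-byte UID length rule (taken from ISO/IEC 14443) are assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed rule for this example: ISO/IEC 14443 UIDs are 4, 7 or 10 bytes,
# so a well-formed scan is 8, 14 or 20 hex characters. Anything else is
# rejected before it gets anywhere near the database.
UID_PATTERN = re.compile(r"^(?:[0-9A-F]{8}|[0-9A-F]{14}|[0-9A-F]{20})$")


def normalise_uid(raw: bytes) -> str:
    """Validate a raw scanner payload and return a canonical upper-case hex UID.

    Raises ValueError for anything that is not a well-formed UID, which is the
    right outcome for a tag that carries arbitrary text instead of an ID.
    """
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("UID payload is not ASCII") from None
    text = text.strip().upper()
    if not UID_PATTERN.match(text):
        raise ValueError("UID payload is not a 4/7/10-byte hex identifier")
    return text


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory ticket table standing in for the real backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tickets (uid TEXT PRIMARY KEY, holder TEXT, used INTEGER)"
    )
    conn.executemany(
        "INSERT INTO tickets VALUES (?, ?, 0)",
        [("04A1B2C3", "holder-1"), ("04DEADBEEF1234", "holder-2")],
    )
    conn.commit()
    return conn


def admit(conn: sqlite3.Connection, raw_scan: bytes) -> str:
    """Turnstile decision for one scan.

    Returns 'admit', 'already-used', 'unknown' or 'rejected'. The UID is bound
    as a query parameter and never concatenated into SQL, and the first-use
    flag is flipped in the same statement that checks it, so a second scan of
    the same ID (a replayed or cloned ticket) is refused.
    """
    try:
        uid = normalise_uid(raw_scan)
    except ValueError:
        return "rejected"
    cur = conn.execute(
        "UPDATE tickets SET used = 1 WHERE uid = ? AND used = 0", (uid,)
    )
    if cur.rowcount == 1:
        conn.commit()
        return "admit"
    row = conn.execute("SELECT used FROM tickets WHERE uid = ?", (uid,)).fetchone()
    if row is None:
        return "unknown"
    return "already-used"


if __name__ == "__main__":
    db = build_demo_db()
    for scan in (b"04a1b2c3", b"04A1B2C3", b"FFFFFFFF", b"04A1B2C3' OR 1=1"):
        print(scan, "->", admit(db, scan))
```

The format check is what keeps the scanner from acting as an unfiltered path into the database: a payload that is not a plausible UID never reaches a query, and the parameterised statement means even a well-formed UID cannot change the query's structure.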

The REAL risk:

The risk I see with RFID is mainly when it is used for physical access cards. It's trivial to sit outside a large downtown corporation and sniff RFID IDs. These can then be burned to a generic ID card and used to access the building.

This is mostly theory but should easily be reproduced with commercial tools.
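Because a UID-only card can be copied, the access-control backend is the place to notice a copy in use. One standard mitigation is anti-passback: a UID that is already "inside" must not badge in again until it has badged out. The following is an added example written for this page (not PacketFocus code or any vendor's product) that runs that rule over a constructed access log; the reader names, UIDs, timestamps and log format are all invented for the demonstration.

```python
from datetime import datetime

# Constructed access-control events: timestamp, reader, uid, direction.
# 04A1B2C3 badges in at the lobby, then "badges in" again at the annex
# without ever having badged out, which is what a cloned card looks like.
SAMPLE_LOG = """\
2006-06-29T08:01:10 lobby-in   04A1B2C3 in
2006-06-29T08:02:05 lobby-in   04DEADBEEF1234 in
2006-06-29T08:30:44 annex-in   04A1B2C3 in
2006-06-29T12:15:00 lobby-out  04DEADBEEF1234 out
2006-06-29T12:16:30 lobby-in   04DEADBEEF1234 in
2006-06-29T17:05:00 lobby-out  04A1B2C3 out
"""


def parse_log(text: str) -> list[tuple[datetime, str, str, str]]:
    """Parse whitespace-separated log lines into (timestamp, reader, uid, direction)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, reader, uid, direction = line.split()
        events.append((datetime.fromisoformat(ts), reader, uid.upper(), direction))
    return events


def find_anomalies(events) -> list[tuple[str, str, datetime]]:
    """Anti-passback check.

    Tracks which UIDs currently have an unmatched 'in' event. A UID that
    badges in again while still inside is reported as (uid, reason, time);
    a normal in/out/in sequence produces no alert.
    """
    inside: dict[str, tuple[str, datetime]] = {}
    alerts = []
    for ts, reader, uid, direction in sorted(events):
        if direction == "in":
            if uid in inside:
                prev_reader, prev_ts = inside[uid]
                alerts.append(
                    (uid, f"badged in at {reader} while still inside via {prev_reader} at {prev_ts:%H:%M:%S}", ts)
                )
            inside[uid] = (reader, ts)
        elif direction == "out":
            inside.pop(uid, None)
    return alerts


if __name__ == "__main__":
    for uid, reason, when in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{when:%Y-%m-%d %H:%M:%S} ALERT {uid}: {reason}")
```

The rule does not tell you which of the two presentations was the genuine card, only that the same UID is being used in two places at once; that is the point at which a guard or an alert, rather than the reader, decides what happens next.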

Josh Perrymon
CEO
PacketFocus
www.packetfocus.com
josh.perrymon@packetfocus.com