Thursday, June 29, 2006

Packet Focus Security Research

RFID Access Card Vulnerabilities

Ok... so now I feel like I know a little more about RFID and how it works. I have been reading a lot of research lately about the hardware involved and some limitations.

Notes about RFID:
Each RFID tag has a unique UID burned and locked into the card. This is like the UID for network cards.

Most proximity and access control cards do not use encryption and are mostly identified by the UID.

The cards are powered by the readers when within operating range. The range varies from vendor to vendor but is generally short.

The reader and card use a protocol to talk to each other. This is defined in the ISO standards and vendor docs.

ISO makes you pay for the documents. Donations? :)

Encryption and Key infrastructure can be used in recent implementations.

Collision protection has been implemented to assist when multiple cards are in the energy field.

Secure installations would use encryption and other methods like biometrics.


Theory:
Almost every proximity or access card is vulnerable to "session replay". This also applies to hundreds of other types of ID cards used at grocery stores, libraries, and others...

Readers may be vulnerable to exploits used to compromise the box and allow access. This is much easier than cloning or session replay.
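The replay claim above can be shown with a small software model, added here as an example and not part of the original post: a reader that trusts the static UID accepts a recorded reply, while a reader that issues a fresh challenge does not. The UID, key, class names and the use of HMAC-SHA256 are all assumptions made for illustration, not any vendor's protocol.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (not from any real card or vendor).
CARD_UID = bytes.fromhex("04a1b2c3d4e5f6")
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

class UidOnlyReader:
    """Weak design from the notes: access is granted on the static UID alone."""
    def __init__(self, allowed_uids):
        self.allowed = set(allowed_uids)
    def authenticate(self, respond):
        # The query never changes, so a valid reply never changes either.
        return respond(b"REQUEST_UID") in self.allowed

class ChallengeResponseReader:
    """Stronger design: fresh nonce per session, keyed response from the card."""
    def __init__(self, keys_by_uid):
        self.keys = dict(keys_by_uid)
    def authenticate(self, respond):
        nonce = secrets.token_bytes(16)
        reply = respond(nonce)
        uid, tag = reply[:-32], reply[-32:]
        key = self.keys.get(uid)
        if key is None:
            return False
        expected = hmac.new(key, nonce + uid, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)

def uid_card(_query):
    return CARD_UID

def keyed_card(nonce):
    return CARD_UID + hmac.new(CARD_KEY, nonce + CARD_UID, hashlib.sha256).digest()

def replay_succeeds(reader, card):
    """True if a reply recorded in one session is accepted in a later one."""
    log = []
    def tapped(query):            # passive observer of the air interface
        reply = card(query)
        log.append(reply)
        return reply
    if not reader.authenticate(tapped):   # legitimate session must pass
        raise RuntimeError("genuine card was rejected")
    captured = log[0]
    return reader.authenticate(lambda _q: captured)

if __name__ == "__main__":
    print("UID-only:", replay_succeeds(UidOnlyReader([CARD_UID]), uid_card))
    print("challenge-response:",
          replay_succeeds(ChallengeResponseReader({CARD_UID: CARD_KEY}), keyed_card))
```

When reviewing an installation, the property to check is whether the card's reply depends on something the reader chose for that session.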

More to come:

Contact: Joshua Perrymon
PacketFocus
www.packetfocus.com
josh.perrymon@packetfocus.com
