30 Minutes of RFID - Analysis, Applications and Attacks

Transcript

  • 1. 30 Minutes of RFID - Analysis, Applications and Attacks. Presented by Dan Cornforth
  • 2.
    • What is RFID
    • How does the technology work
    • Identify some of the forces behind progress to date
    • Who is using RFID currently & for what
    • What might RFID be useful for & by whom
    • Some potential weaknesses, attack vectors and fixes
    Overview
  • 3.
    • Smartcode EPC passive RFID tag
    What is RFID
  • 4.
    • Radio Frequency Identification
    • Typical RFID infrastructure
    What is RFID
  • 5.
    • Types of tag
      • Passive
      • Active
    • The air interface (operating frequency)
      • LF 125 kHz
      • HF 6.78 MHz, 13.56 MHz, 27.125 MHz, 40.680 MHz
      • UHF 433.920 MHz, 869 MHz, 915 MHz
      • Microwave 2.45 GHz, 5.8 GHz, 24.125 GHz
    • Communication modes
      • Full duplex
      • Half duplex
      • Variant half duplex
    • Coupling
      • Backscatter
    RFID Characteristics & Differentiators
  • 6.
    • ISO 14443
      • Defines 2 card types (A & B)
      • Modulation methods
      • Coding schemes
      • Protocol initiation procedures
    • ISO 15693
      • Defines vicinity cards
    • Emergence of the EPC (Gen2) standards
      • Electronic Product Code
    • No single global body for RFID governance and standards… yet
    Governing Specifications
  • 7.
    • Transmit standard serial ID
      • UNIQUE
      • VeriChip
      • Most animal tags
      • HID Prox II
    • Requires a password authentication prior to ID transmission
      • Q5
      • Titan
      • EM4469
    • Challenge response, PKI and encrypted transmission of ID
      • DST (40 bit key)
      • MiFare
      • HiTag (48 bit key)
      • SmartMX (128 bit AES, 4096 bit asymmetric key)
    Security Features of Common Tags
  • 8.
    • Perceived speed, security and simplicity of the cashless society
      • The Hong Kong Octopus Card
      • Estimated 63% time saving – Amex (ExpressPay)
    • Asset, warehouse and stock management traditionally seen as drivers
    • US TREAD Act 2004 (Transportation Recall Enhancement, Accountability and Documentation)
    • Wal-Mart, FDA and US DoD mandates
    • Keyless entry
      • Centralised access management
      • Key duplication perceived as more difficult ~ device dependent
    • EPCglobal network
    • Ever decreasing size and price of the hardware
    Influences & Drivers
  • 9.
    • Payments
      • Amex Bluecard products & ExpressPay
      • Mastercard PayPass
    • Public transport & ticketing
      • The Hong Kong Octopus card
      • London Transport's Oyster card
      • Many more throughout Europe, US and Asia
    • Industrial automation
      • Stock and asset management through the supply chain
    • Electronic immobilisation
    • Physical access control
    • ePassport
    • Animal identification
    • Various medical applications
    Current Applications
  • 10. Current Applications
  • 11.
    • A potentially limitless marketing resource (e.g. tagged clothing items that may be tracked throughout a shopping mall)
      • What are the shopping behaviour patterns of our customers?
      • What else did they buy, and from whom?
      • Was our store their first choice for the product they bought?
      • Where did they eat?
      • Who are they shopping with?
      • Which family member(s) appear to be driving the shopping experience?
      • OK, this may appear a little far-fetched, but it is technically feasible
    • EPCglobal network
    • Potential applications appear to be limited only by
      • Privacy legislation
      • Public perception
      • Implementers' imagination
    Future & Potential Applications
  • 12.
    • Tag destruction & read prevention
    • The kill command
    • The RFID “virus”
    • Device cloning & replay attacks
    • The relay attack
    • Attacking weak crypto
    • Side channel attacks (power analysis)
    Attack Vectors
  • 13.
    • Nothing particularly sophisticated or glamorous here
    • Home-made strong electromagnetic field generator
      • The “RFID-Zapper”
      • Not FCC compliant
      • https://events.ccc.de/congress/2005/wiki/RFID-Zapper(EN)
    • Foil & duct tape RFID shielded wallet for the privacy enthusiast
      • http://www.rpi-polymath.com/ducttape/RFIDWallet.php
    Tag Destruction & Read Prevention
  • 14. Physical Read Prevention
  • 15. Physical Read Prevention
  • 16.
    • Primarily a privacy and anti-counterfeiting mechanism
    • Technical implementation left to device manufacturer
    • Achieved via
      • Blowing an embedded fuse following issue of the correct “kill” string
      • Setting a “killed” value in memory, disabling the protocol state machine
    • Logical layout of tag memory as per the EPC Class 0 & 1 Gen1 standards
    The Kill Command
  • 17.
    • Nothing particularly notable or new to see here
    • This is a PoC attack
      • Bad data written to tag
      • Middleware supporting the RFID infrastructure reads the bad data from the tag without sanitising the input
      • The potential for SQL injection attack against a backend database exists
    • Not strictly an RFID specific attack
    • Not an ideal SQL injection scenario
    • Knowledge of the backend database structure and product is a prerequisite
    The RFID “virus”
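The injection path this slide describes, shown as an added example rather than code from the presentation: a constructed in-memory inventory database stands in for the backend, and two versions of the middleware lookup sit side by side, the vulnerable one that pastes whatever the reader returned into the SQL text, and a hardened one that first validates the read against the expected 96-bit EPC format and then binds it as a query parameter. The schema, the sample EPCs and the bad-data payload are all constructed for the demo.

```python
import re
import sqlite3

# A 96-bit EPC is exactly 24 hex digits. The hardened middleware accepts nothing else as a tag ID.
EPC_RE = re.compile(r"\A[0-9A-Fa-f]{24}\Z")

# Constructed sample EPCs for the demo inventory (not real product codes).
EPC_A = "3034" + "0" * 19 + "A"
EPC_B = "3034" + "0" * 19 + "B"
# Constructed example of the "bad data" the slide describes: tag memory holding
# SQL fragments instead of an identifier.
BAD_TAG_PAYLOAD = "' OR '1'='1"


def build_inventory() -> sqlite3.Connection:
    """In-memory stand-in for the backend database behind the RFID middleware."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (epc TEXT PRIMARY KEY, description TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?)",
        [(EPC_A, "pallet 10, widgets"), (EPC_B, "pallet 11, gadgets")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, tag_data: str):
    """Vulnerable middleware: the bytes read from the tag become part of the SQL text,
    so a crafted payload changes the query instead of being compared as a value."""
    sql = f"SELECT epc, description FROM items WHERE epc = '{tag_data}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, tag_data: str):
    """Hardened middleware: validate the read against the expected ID format first,
    then bind it as a parameter so the database never parses tag bytes as SQL."""
    if not EPC_RE.match(tag_data):
        raise ValueError("tag payload is not a well-formed 96-bit EPC")
    return conn.execute(
        "SELECT epc, description FROM items WHERE epc = ?", (tag_data.upper(),)
    ).fetchall()


def safe_rejects(conn: sqlite3.Connection, tag_data: str) -> bool:
    """True when the hardened path refuses the payload before it reaches the database."""
    try:
        lookup_safe(conn, tag_data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_inventory()
    print("good tag, unsafe path:", lookup_unsafe(db, EPC_A))
    print("bad tag, unsafe path :", lookup_unsafe(db, BAD_TAG_PAYLOAD))  # every row comes back
    print("bad tag, safe path rejected:", safe_rejects(db, BAD_TAG_PAYLOAD))
```

Both controls matter: the format check stops anything that is not an EPC at the edge of the system (and is what the slide's "sanitising the input" amounts to), while the bound parameter means that even a payload which happens to be 24 hex digits can only ever be compared as a value. Neither depends on knowing which database product sits behind the middleware.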
  • 18.
    • Effective against ID-only and symmetric devices
    • Reprogram another tag to emulate another device's ID
      • Certain models of HiTag can be programmed to emulate other devices' serial numbers
    • Reproduction and replay of the tag transmission
      • http://cq.cx/verichip.pl
      • Off the shelf parts
      • 125 kHz & 13.56 MHz
      • Sniff, behave as a reader and behave as a device
      • The USRP (Universal Software Radio Peripheral)
      • http://ettus.com
    Device Cloning & Replay
  • 19. Device Cloning & Replay
  • 20.
    • Effective against challenge-response devices, both cryptographically and non-cryptographically sound
    • For those who have read Ross Anderson's “Security Engineering”, think “MiG in the middle” attack
    • The scenario
      • An RFID-enabled point of sale for goods or services
      • Using a contactless smartcard
      • Employing a cryptographically sound communication channel between the device and the reader
    • How the attack works
      • At the checkout the POS issues a challenge to the card in customer A's wallet, which is waved before the reader
      • Our customer relays this challenge via an RFID proxy to another cardholder's wallet elsewhere (cardholder B)
      • Cardholder B's card responds to the valid proxied challenge
      • The response from B's card is relayed to A's card in answer to A's purchase at the POS
    • The hardware for this attack cost the Cambridge-based researchers approximately $250
    The Relay Attack
  • 21.
    • Texas Instruments DST (Digital Signal Transponder)
      • Basis for the SpeedPass payments system primarily used at petrol stations in the US
      • Uses a proprietary, undisclosed 40-bit algorithm
    • The attack involved three distinct stages
      • Reverse engineering of the algorithm
      • Brute force key cracking
      • Tag simulation
    Attacking Weak Encryption
  • 22. Attacking Weak Encryption
  • 23.
    • What is it?
      • Side channel cryptanalysis attack against the chip
      • Generally aimed at the implementation rather than the algorithm
      • Correlates changes in the chip's power consumption with operations inside the cryptosystem
      • Requires logic analysis equipment
    • Goals
      • Extraction of cryptographic key material
    • Peter Gutmann quote:
      • “You simply cannot make a credit-card form factor device robust, capable, or secure.”
    Power Analysis Attacks
  • 24.
    • Ensure real cryptography is used
      • AES & friends ~ good
      • Snake-oil “infinity-bit” proprietary algorithm ~ bad
    • Greater device tamper resistance
      • Helps place side-channel attacks beyond the reach of a moderately funded attacker
      • Equates to a more expensive device
    • Pressure device manufacturers to develop & implement a distance bounding protocol within high-security devices
      • Equates to a more expensive device
    • Ensure appropriate device selection and testing from project outset
      • Recalling devices issued to a nation's dairy herd or to passport holders may prove costly
    Mitigation
  • 25.
    • RFID Handbook: Fundamentals and Applications in Contactless Smartcards & Identification, Klaus Finkenzeller
    • Python library for exploring RFID devices: http://rfidiot.org
    • Practical Relay Attacks Against ISO 14443 Proximity Cards, Gerhard Hancke & Dr Markus Kuhn
    • Low Cost Attacks on Tamper Resistant Devices, Ross Anderson & Markus Kuhn
    • A New Approach to Hardware Security Analysis in Semiconductors, Sergei Skorobogatov
    • RFID Essentials, O'Reilly
    • Texas Instruments DST attack: http://www.jhu.edu/news_info/news/home05/jan05/rfid.html
    • RFID relay attacks: http://www.cl.cam.ac.uk/~gh275/relay.pdf
    • RFID virus: http://www.rfidvirus.org/papers/percom.06.pdf
    • Smartdust: http://en.wikipedia.org/wiki/smartdust
    References & Resources
  • 26. Questions
    • http://www.security-assessment.com
    • [email_address]
