RFID Access Control Insecurity


  1. RFID Access Control Insecurity
     Albert Hui, GCFA, CISA
     albert.hui@gmail.com
  2. RFID is Everywhere
     Copyright © 2007 Albert Hui
     Image from Wikipedia
  3. How RFID Works
     - Inductive Coupling
     - Backscatter Coupling
  4. RFID Tags / Cards / Transponders
     Trossen Robotics EM4102 Tag Kit
  5. Ampoule Implant
     Image from VeriChip
     Image from New York Times story “High Tech, Under the Skin”
  6. RFID Implant Application
     No more forgetting your keys!
     Totally worth it.
     Image from Amal Graafstra’s flickr.
  7. A Matter of Frequencies
     Tradeoffs among:
     - cost (antenna length)
     - read distance
     - resilience to interference
  8. UHFID – Supply Chain Tracking
     Pros:
     - very low cost tags (US$0.05 ea. in volumes of 100 mil)
     - long range (typical 20’ between 2 antennas)
     - anti-collision (for simultaneous tag reads)
     Cons:
     - serious interference from liquids and human body
  9. 2.4GHz – Toll Payment System
     Pros:
     - very long range (typically 30’)
     Cons:
     - transponders are battery powered, hence have a lifespan (typically 5 years)
     - transponders are very expensive
  10. 2.4GHz – Singapore ERP
     Image from Wikipedia
     Traffic demand management system from Mitsubishi.
  11. LowFID
     Pros:
     - signal less prone to metal/liquid interference
     Cons:
     - high tag cost (due to longer copper antenna coil)
  12. LowFID – Animal Tracking
     Myriad proprietary standards; a reader may not even recognize the existence of an incompatible chip.
     If your lost pet ends up in a shelter without a reader that can read your chip, God bless you.
     Compatibility info here.
  13. LowFID – Access Control
     - “EM cards” (EM4102 / Unique)
     - HID ProxCard
     - Hitag 1/2/S
     - Q5
     - TI-RFID 64bit / 1088bit
     - ...
  14. 8.2MHz – EAS (Anti-Theft)
     - 1-bit tag (absent / present)
     - Detachable / deactivatable.
  15. HighFID
     Pros:
     - low cost because antennas can be printed on labels / substrate
     Cons:
     - serious interference from metals
  16. HighFID – Access Control
     - ISO 14443A
     - Mifare
     - ICAO passport
     - LEGIC
     - ISO 14443B
     - HID iCLASS
     - Calypso
     - ISO 15693 (“vicinity cards”)
  17. Compromising RFID-Based Security Systems
     RFID Attacks
  18. #1: Defeating EAS
     - Jamming
     - Shielding: bag lined with 30 layers of aluminum foil (Faraday cage)
     - Detaching: most tags are detached with a strong magnet
     - Deactivating: strong magnet
  19. #2: Skimming
     HF tags have been proven skimmable from a distance of up to 25cm [KIRS06].
  20. Defense Against Skimming
     One word: Metal coating.
  21. How a Simple RFID Door Lock Works
     DooRFID from RFID Toys
  22. “Unique ID”-Based Systems
     Security premise: tag has unique ID
  23. #3: Cloning Attack
     Custom-built RFID tag emulator.
     Better yet, Q5 tags have EM4102 emulation built-in!
     IAIK DemoTag
  24. Cloning Attack with Q5 Demo
  25. #4: Relay Attack
     G.P. Hancke, “Practical Attacks on Proximity Identification Systems”, Proc. IEEE Symposium on Security and Privacy, May 2006.
  26. #5: Cryptanalysis
     - ExxonMobil’s Speedpass payment system has been compromised [BON05].
       Weakness lies in TI’s flawed proprietary cipher.
     - Mifare Classic has been compromised [KON08].
       Weakness lies in NXP’s flawed proprietary cipher.
  27. A Few Take-Homes:
     - Do not use an RFID access control system that relies solely on the uniqueness of the card ID.
     - Use RFID access control that uses modern, mathematically proven crypto, e.g. Mifare DESFire.
     - Do not leave your access cards behind or lend them to other people.
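
The contrast behind slide 22 and the first two take-homes, as an added example that is not part of the original deck: a reader that trusts the transmitted ID alone accepts any copy of that ID, while a reader that verifies a keyed response to a fresh challenge rejects both a copied ID and a recorded response. HMAC-SHA256 is a stand-in assumption here, not the DESFire protocol, and all class names and values are constructed.

```python
import hashlib
import hmac
import os

class StaticIdReader:
    """Grants access on the transmitted ID alone (the "unique ID" premise)."""
    def __init__(self, allowed_ids):
        self.allowed_ids = set(allowed_ids)

    def authorize(self, transmitted_id: bytes) -> bool:
        # Any device that sends these bytes is indistinguishable from the card.
        return transmitted_id in self.allowed_ids

class KeyedCard:
    """Hypothetical card holding a secret key that never leaves the card."""
    def __init__(self, card_id: bytes, key: bytes):
        self.card_id, self._key = card_id, key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge + self.card_id, hashlib.sha256).digest()

class ChallengeResponseReader:
    """Checks a keyed response to a fresh random challenge."""
    def __init__(self, card_keys):
        self.card_keys = dict(card_keys)

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def authorize(self, card_id: bytes, challenge: bytes, response: bytes) -> bool:
        key = self.card_keys.get(card_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge + card_id, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def compare_readers():
    card_id, key = bytes.fromhex("0a1b2c3d4e"), os.urandom(32)  # constructed values
    card = KeyedCard(card_id, key)
    static = StaticIdReader([card_id])
    keyed = ChallengeResponseReader({card_id: key})
    first = keyed.new_challenge()
    recorded = card.respond(first)    # response observed during an earlier visit
    fresh = keyed.new_challenge()     # the next visit gets a different challenge
    return {
        "static_accepts_copied_id": static.authorize(bytes(card_id)),
        "keyed_accepts_genuine_card": keyed.authorize(card_id, fresh, card.respond(fresh)),
        "keyed_accepts_recorded_response": keyed.authorize(card_id, fresh, recorded),
        "keyed_accepts_id_without_key": keyed.authorize(card_id, fresh, bytes(32)),
    }
```

Challenge-response stops a copied ID or a recorded response; it does not by itself address the relay attack on slide 25, where the live challenge is forwarded to the genuine card.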
