1. RFID Access Control Insecurity Albert Hui, GCFA, CISA albert.hui@gmail.com

2. RFID is Everywhere Copyright © 2007 Albert Hui Image from Wikipedia

3. How RFID Works Copyright © 2007 Albert Hui Inductive Coupling Backscatter Coupling

4. RFID Tags / Cards / Transponders Copyright © 2007 Albert Hui Trossen Robotics EM4102 Tag Kit

5. Ampoule Implant Copyright © 2007 Albert Hui Image from VeriChip Image from New York Times story “High Tech, Under the Skin”

6. RFID Implant Application Copyright © 2007 Albert Hui No more forgetting your keys! Totally worth it. Image from AmalGraafstra’sflickr.

7. A Matter of Frequencies Tradeoffs among: cost (antenna length) read distance resilience to interference Copyright © 2007 Albert Hui

8. UHFID – Supply Chain Tracking Pros: very low cost tags (US$0.05 ea. in volumes of 100 mil) long range (typical 20’ between 2 antennas) anti-collision (for simultaneous tag reads) Cons: serious interference from liquids and human body Copyright © 2007 Albert Hui

9. 2.4GHz – Toll Payment System Pros: very long range (typically 30’) Cons: transponders are battery powered, hence have a lifespan (typically 5 years) transponders are very expensive Copyright © 2007 Albert Hui

10. 2.4GHz – Singapore ERP Image from Wikipedia Traffic demand management system from Mitsubishi. Copyright © 2007 Albert Hui

11. LowFID Pros: signal less prone to metal/liquid interference Cons: high tag cost (due to longer copper antenna coil) Copyright © 2007 Albert Hui

12. LowFID – Animal Tracking Myriad proprietary standards, a reader may not even recognize existence of an incompatible chip. If your lost pet end up in a shelter without reader that can read your chip, God bless you. Compatibility info here. Copyright © 2007 Albert Hui

13. LowFID – Access Control “EM cards” (EM4102 / Unique) HID ProxCard Hitag 1/2/S Q5 TI-RFID 64bit / 1088bit ... Copyright © 2007 Albert Hui

14. 8.2MHz – EAS (Anti-Theft) 1-bit tag (absent / present) Detachable / deactivatable. Copyright © 2007 Albert Hui

15. HighFID Pros: low cost because antennas can be printed on labels / substrate Cons: serious interference from metals Copyright © 2007 Albert Hui

16. HighFID – Access Control ISO 14443A Mifare ICAO passport LEGIC ISO 14443B HID iCLASS Calypso ISO 15693 (“vicinity cards”) Copyright © 2007 Albert Hui

17. Compromising RFID-Based Security Systems Copyright © 2007 Albert Hui RFID Attacks

18. #1: Defeating EAS Jamming Shielding bag lined with 30 layers of aluminum foil (Faraday cage) Detaching most tags are detached with strong magnet Deactivating strong magnet Copyright © 2007 Albert Hui

19. #2: Skimming HF tags are proved skimmable from a distance up to 25cm [KIRS06]. Copyright © 2007 Albert Hui

20. Defense Against Skimming One word: Metal coating. Copyright © 2007 Albert Hui

21. How Simple RFID Door Lock Works Copyright © 2007 Albert Hui DooRFID from RFID Toys

22. “Unique ID”-Based Systems Security premise: tag has unique ID Copyright © 2007 Albert Hui

23. #3: Cloning Attack Custom-built RFID tag emulator. Better yet, Q5 tags has EM4102 emulation built-in! Copyright © 2007 Albert Hui IAIK DemoTag

24. Cloning Attack with Q5 Demo Copyright © 2007 Albert Hui

25. #4: Relay Attack G.P. Hancke, “Practical Attacks on Proximity Identification Systems”, Proc. IEEE Symposium on Security and Privacy, May 2006. Copyright © 2007 Albert Hui

26. #5: Cryptanalysis Exxon Mobile’s SpeedPass payment system has been compromised [BON05]. Weakness lies in TI’s flawed proprietary cipher. Mifare Classic has been compromised [KON08]. Weakness lies in NXP’s flawed proprietary cipher. Copyright © 2007 Albert Hui

27. A Few Take-Homes: Do not use an RFID access control that relies solely on the uniqueness of the card ID. Use RFID access control that use modern, mathematically proven crypto, e.g. MifareDESfire. Do not leave your access cards behind or lend them to other people. Copyright © 2007 Albert Hui