Getting Attuned to RFID Vulnerabilities

Here we go again; a different technology, but a similar story. RFID (radio frequency identification) has reached a point of large popularity. It is being used today everywhere from tracking library books, retail items and military inventory to personal identification and security access cards. It is also found in remote automobile access, toll payment transponders, basic smart cards and cell phones. The U.S. government is now using a combination of RFID and smart card technology in the E-Passport.

A little while ago you may recall an article I did on the art of key bumping — a method of opening locks that for years had been kept buried in the secret archives of locksmiths and their apprentices. With the possession of about a dozen of these master bump keys and a little bit of training, anyone can easily open more than 80 percent of all the standard (and even some high security) door locks in the United States.

When this knowledge was kept in the guarded hands of the locksmith trade it never became a major problem. Then along came the Internet and media channels such as Google and YouTube. Suddenly, making and acquiring these bump keys became commonplace and inexpensive, with hours of detailed “how-to” tutorials, seminars and demo videos available free of charge via download. I have since heard that law enforcement agencies have seen increases in this technique and that it has become a problem, especially as it produces minimal forensic evidence. The good news is that new locks have come on the market to counter this simple intrusion methodology.

I have recently noticed a similar, yet somewhat more sophisticated, pattern of technology compromise associated with RFID. When I say recently, it has actually been emerging for a couple of years. However, I believe some of this compromising knowledge and technology has reached a point where everyone in the security trade should be alerted to the latest dangers.

Methods Of Attack

Attacks on the information carried by RFID cards are a concern both for the theft of personal information and for the theft of the system information used in security and access control. Below are the five basic RFID security scenarios.

Tracking — This is a concern when abused by enthusiastic retailers, corporations or governments. With today’s sophisticated RFID chips, vendors in some cases are being required by large merchants to embed RFID tags in clothing, shoes and accessories such as belts for the purpose of tracking inventory and shoplifting. This data could be cross-referenced with other databases and/or personal RFID cards to allow for extensive tracking of personnel, location and habits.

Skimming — A method that ranges from the simple “bump-and-run” attack, reading a card in close proximity to a wallet or purse, to the extended ranges of reading RFID smart cards and transponders at up to 50 meters. Even information that is considered encrypted can often be hacked with minimal technology and some determination. Many current methods of attack are demonstrated by both amateurs and professionals at events such as the DEFCON conference each summer in Las Vegas.

Even hobbyist attacks have been successful and are often displayed as how-to videos on Web sites such as YouTube. Check out videos at

Eavesdropping — In this method the information exchanged between a legitimate RFID device and a reader is recorded via a receiving antenna. This information, again, can be recorded covertly through walls and at a considerable distance.

Replay and relay — Many RFID-type smart cards have encryption security that makes them more difficult to directly skim or clone. Cards with hash-type encryption will only talk to readers for which they are designed and will typically ignore all other devices. This is where the art of relaying comes in. This method involves a middleman who, in close proximity to an unknown “mark” who possesses an RFID card (e.g. someone sitting in a mall bookstore), remotely relays the smart card data session to an accomplice in a nearby location, who completes a monetary transaction by relaying the card’s responses to a legitimate reader. Since both the legitimate card of the unsuspecting cardholder and the legitimate reader are properly communicating and decoding, the transaction will take place, encryption and all.

Security Industry Response

How does the security industry in general respond to these observations and security concerns from the public? It varies from “no position” to “we have taken some measures.”

I see the security industry now going through the same period of denial the locksmith industry went through when key bumping was widely and publicly introduced. The vendors finally responded to the scrutiny and modified their products to give the customer a choice to counter those compromise methods.

Some RFID access system vendors have put out basic position statements with reference to RFID hacking methods. GE has publicly stated that some of its systems use proprietary and encrypted communications. This was in response to methods publicly disclosed at a DEFCON conference on how to build a $10 device called the Gecko that would compromise Wiegand readers. Other manufacturers, such as HID, were recently upset by a planned disclosure at last year’s Black Hat DC conference in which RFID-compromising technology was to be shown by IoActive.

I am constantly reminded by the proliferation of information on the Internet that the public is much more knowledgeable about what our security technology does. Young, smart technology-savvy people enjoy the challenge of finding often simple methods to compromise technology that we for years took for granted. Security associations and vendors should take on this challenge and capitalize in a way to make our systems better and more reliable.

Remember, we have the terrorist element that may be a little more determined about using this public information than we would like. We should not ignore it as it will not go away.


About the Author

Bob is currently a Security Sales & Integration "Tech Talk" columnist and a contributing technical writer. Bob installed his first DIY home intercom system at the age of 13, and formally started his technology career as a Navy communication electronics technician during the Vietnam War. He then attended the Milwaukee School of Engineering and went on to complete a Security Management program at Milwaukee Area Technical College. Since 1976, Bob has served in a variety of technical, training and project management positions with organizations such as ADT, Rollins, National Guardian, Lockheed Martin, American Alarm Supply, Sonitrol and Ingersoll Rand. Early in his career, Bob started and operated his own alarm dealership. He has also served as treasurer of the Wisconsin Burglar and Fire Alarm Association and on Security Industry Association (SIA) standards committees. Bob also provides media and training consulting to the security industry.