Radio frequency ID security

2011-03-09


Contact-free cards and authentication tokens have become common. These are the sort of things that you put close to a reader on the wall in order to open a door or perform a similar function. People use them to get into parking garages and offices, and even credit cards now allow you to pay without swiping or inserting your card. Of course, all this creates new security risks. All of these cards can be read at a moderately long distance with inexpensive hardware, which is one reason why it is a bit crazy that these chips are being put into passports. Furthermore, cloning these radio frequency identification (RFID) tags is often quite easy.

Your standard RFID tag is just a little chip with an antenna. When it receives a signal on a particular frequency, it chirps out its name. The card reader says: “Any RFID tags out there?” and the tag says: “12345678abc” or whatever string it contains. The string is transmitted in clear text, and it is always the same. Anyone with a device that can program RFID tags can easily copy it. These sorts of tags exist all over the place. An office tower might have a database listing the code inside the RFID tags used by each employee. The access system would then check the database each time someone used a card, to make sure the number was on the list.

This system can easily be attacked. Just stand outside a building with an appropriate antenna and recording equipment and you can capture the code from each person’s tag as they go in. You can then copy whichever you like to make your own access card.

More sophisticated tags use a challenge-response authentication protocol. That means they take an input value, perform a mathematical operation on it, and generate a response which they transmit. For instance, an absurdly simple rule would be something like ‘multiply input by two’. Then, the reader would say: “3” and any card that replied “6” would be accepted as valid. These tags tend to require a battery to run their computing hardware, so they are relatively rare.

This is harder to attack. You need to figure out what the rule is, and they are often cryptographic. That being said, the cryptography used is often either proprietary (which usually means ‘bad’) or out of date. With access to a few tags and some knowledge, it may well still be possible to reverse-engineer the algorithm being used and clone tags.

In addition, this kind of system can be attacked in real time, using a man-in-the-middle attack. Suppose I am in line at the grocery store, about to pay. I take out a dummy wireless credit card, while I have an antenna concealed in my jacket sleeve. The clerk’s RFID reader sends a challenge request, which my antenna picks up. I then re-broadcast that request with more power, so that all the tags nearby chirp up. Suddenly, everyone in line who has a wireless card is offering to pay for my groceries. I re-broadcast one of those responses back to the clerk’s card reader and suddenly have free groceries. I suspect something similar would work with the more high-security access cards used by some offices.
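As an added example (not part of the original post), the sketch below contrasts the fixed-string database check with a challenge-response check. HMAC-SHA256 stands in for the tag's rule as an assumption, and all class and function names are hypothetical. It shows that a recorded response fails against a fresh challenge, while a response forwarded live looks identical to the reader.

```python
import hashlib
import hmac
import secrets

KEY = secrets.token_bytes(32)  # constructed secret shared by tag and reader

def static_reader_accepts(response, allowed_ids):
    """Database check from the text: is the chirped string on the list?"""
    return response in allowed_ids

class HmacTag:
    """Hypothetical tag: answers HMAC-SHA256(key, challenge)."""
    def __init__(self, key):
        self._key = key
    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class ChallengeReader:
    """Issues a fresh random challenge per attempt and uses it once."""
    def __init__(self, key):
        self._key = key
        self._pending = None
    def new_challenge(self):
        self._pending = secrets.token_bytes(16)
        return self._pending
    def verify(self, response):
        challenge, self._pending = self._pending, None  # single use
        if challenge is None:
            return False
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def static_id_replay_accepted():
    allowed = {"12345678abc"}               # sample string from the text
    overheard = "12345678abc"               # one observation is enough
    return static_reader_accepts(overheard, allowed)

def recorded_response_accepted():
    tag, reader = HmacTag(KEY), ChallengeReader(KEY)
    recorded = tag.respond(reader.new_challenge())
    first = reader.verify(recorded)         # genuine attempt
    reader.new_challenge()                  # later attempt, new challenge
    return first, reader.verify(recorded)   # old response no longer fits

def forwarded_response_accepted():
    tag, reader = HmacTag(KEY), ChallengeReader(KEY)
    # The reader sees only bytes; it cannot tell who carried them.
    return reader.verify(tag.respond(reader.new_challenge()))
```
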

Not all cloning is necessarily malicious. Phones are increasingly sophisticated radio transmitters and receivers. They can transmit voice calls on various frequencies, as well as access WiFi networks and interface with Bluetooth devices. Somebody should make a phone that can transmit and receive on the common frequencies used by RFID cards. Software could then be used to record the contents of a person’s existing cards. Instead of carrying one fob for your car, one card for work, one embedded in your transit pass, and a credit card, you could just program the functionality of all those RFID tags into one device.

Of course, doing such a thing would reveal how easy it is to copy RFID cards in the first place. That’s all it would be doing, however – making it obvious. Anybody who is malicious and capable can already copy these cards, though consumers often assume that they are secure (like they assume their cell phone calls cannot easily be intercepted by moderately resourceful crackers). By revealing how insecure most wireless authentication technologies are, this cell phone software could play an important role in raising awareness, and maybe even lead people to pressure politicians to get rid of those stupid wireless passports.

I mean really, does that have any non-evil uses at all? A passport clerk can easily scan a barcode or swipe a magnetic strip. Making them readable at a distance only helps spies and criminals. How easy would it be to build a bomb and connect it to a machine that constantly scans the vicinity for wireless-equipped passports? You could program it to explode when more than a set number of nationals of any country you dislike are within a particular distance. Alternatively, criminals could take advantage of chatty radio passports to identify promising targets for mugging.


EK March 9, 2011 at 4:54 pm

I had no idea that’s how these work. This seems like a situation where convenience is trumping common sense.

Milan March 16, 2011 at 11:09 pm
. February 3, 2012 at 11:01 am

“[Security researcher Kristin] Paget aimed to indisputably prove what hackers have long known and the payment card industry has repeatedly downplayed and denied: That RFID-enabled credit card data can be easily, cheaply, and undetectably stolen and used for fraudulent transactions. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer’s credit card onstage and obtained the card’s number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer’s money with the counterfeit card she’d just created. (She also handed the volunteer a twenty dollar bill, essentially selling the bill on stage for $15 to avoid any charges of illegal fraud.) … A stealthy attacker in a crowded public place could easily scan hundreds of cards through wallets or purses.”

. July 3, 2012 at 3:53 pm

“An Android application capable of siphoning credit card data from contactless bank cards has appeared on the Google Play store. The app was developed by a security penetration tester for research purposes and will steal card numbers and expiry dates, along with transactions and merchant IDs. It requires a near field device capable phone, or accessory.”

http://it.slashdot.org/story/12/06/21/1232228/android-app-lets-you-steal-contactless-credit-card-data

Peggy March 9, 2013 at 8:46 pm

MasterCard sent me one of their new contact free payment cards. Is it safe to use? As you are an expert in this field, please email me.
