Full Disclosure mailing list archives

Re: Sniffing RFID ID's ( Physical Security )


From: Andre Gagne <gagne.andre () gmail com>
Date: Tue, 27 Jun 2006 13:56:57 -0700

Josh L. Perrymon wrote:
I'm just looking to validate if this is the case.
Are most RFID access control cards susceptible to interception? I can see the security features built into something like RFID Credit Cards.. but I'm betting this is not the case with RFID access cards.

Obviously, I can't validate this until I get a RFID reader/writer.

If this is the case then it's a global problem. Not only for accessing a building illegally-- but this is a form of stealing a user's identity. A lot of companies use the backend data from the card readers to trend workers in/out time and areas accessed. blah blah blah.

Plus, I'd like to try this on my next on-site hack.


JP
PacketFocus.com

On 6/27/06, *mikeiscool* <michaelslists () gmail com> wrote:

    On 6/27/06, Josh L. Perrymon <joshuaperrymon () gmail com> wrote:
    > My post was based more on *existing* RFID implementations used
    > for physical security access cards.
    >
    > I know that non-contact cards such as RFID Credit Cards use
    > encryption so on... But are still vulnerable to non-authorized
    > transactions.. I mean.. there is no green button you push to
    > authorize the transaction.
    >
    > But I just don't believe that the RFID access-card I use to
    > access client premises use any type of encryption or only
    > communicate with specific readers.
    >
    > IF* this is the case then an attacker should have no problems
    > powering the card and making a "copy" of the contents.

    so what's your question then? how your card works? or how to make
    it secure?


    > JP
    > PacketFocus
    >
    > www.packetfocus.com
    > josh.perrymon () packetfocus com

    -- mic
    CMLRA, Mirios


------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
There are a few different RFID companies that each have a unique form of authentication based on top of existing standards. For example, at the place I'm working we use these cards from HID. The standards they run off of are pretty interesting, but it seems to me that if you could gain enough data on a specific person's card then you could replicate them. Unfortunately there are a few problems.

1) You said you are worried that someone sitting downstairs in the coffee shop could skim the transmissions? The range is only about 4-5 cm or so; I think someone's going to notice you running around shoving a radio antenna near their waist. The amount of power that a skimmer would have to generate to get the data from a distance would be enough to seriously damage the person holding it. I could be wrong on this though: Ilan Kirschenbaum and Avishai Wool from Tel Aviv University are presenting a paper at this year's USENIX Security Symposium in which they talk about building a low-cost, high-range skimmer.

2) Encryption on top of the authentication. The chips themselves could be using a public key infrastructure, just as Mike commented. You would then have to be able to mimic a card reader and know its private keys.

It's still possible though (as anything is), but you would have to do more elaborate attacks, such as tapping the communication between the reader and the database, or re-engineering the reader itself to do whatever you want.

As for the idea of requiring an additional PIN number, I consider this to be a bad idea. If you're going to require the PIN, then why not put a biometric/code lock on the doors? To elaborate, I ask that we remember the three levels of security: it's about who you are, what you have, and what you know. Requiring a PIN on top of this is stronger, but it completely defeats the usability of the system. Having to remember and punch in a PIN every time is only going to increase the cognitive burden of the user, which is one thing that these systems are very good at avoiding. It all gets back to the policy of the companies that are using these systems. A good policy will lead to a more trustworthy system.

I am not an expert so I could be entirely off base :P  Cheers
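
The contrast Andre draws above, between a card whose transmitted contents can simply be copied and one with a cryptographic check layered on top, as an added toy simulation. This is not code from the thread and not any vendor's real card protocol; the HMAC challenge-response scheme, the 4-byte card ids, the key and the reader's key table are all constructed assumptions.

```python
import hmac, hashlib, secrets

# Toy access-control simulation (constructed; not any vendor's real protocol).
# StaticCard answers every reader with the same fixed payload; ChallengeCard
# answers a fresh reader nonce with an HMAC over it. The "sniffer" records
# what the card emitted in one legitimate exchange and replays it later.

class StaticCard:
    def __init__(self, card_id: bytes):
        self.card_id = card_id
    def respond(self, challenge: bytes) -> bytes:
        return self.card_id  # challenge ignored: the answer never changes

class ChallengeCard:
    def __init__(self, card_id: bytes, key: bytes):
        self.card_id, self.key = card_id, key
    def respond(self, challenge: bytes) -> bytes:
        tag = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return self.card_id + tag  # answer is bound to this challenge

class Reader:
    """Door reader; `keys` maps 4-byte card id -> shared key (None = static)."""
    def __init__(self, keys: dict):
        self.keys = keys
    def challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh nonce for every attempt
    def verify(self, challenge: bytes, response: bytes) -> bool:
        card_id, tag = response[:4], response[4:]
        if card_id not in self.keys:
            return False
        key = self.keys[card_id]
        if key is None:  # static card: the identifier alone is the credential
            return True
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

def replay_succeeds(card, reader: Reader) -> bool:
    """Record one legitimate exchange, then replay the captured response to a
    later challenge. Returns True if the door would open for the replay."""
    c1 = reader.challenge()
    captured = card.respond(c1)  # what a nearby sniffer would observe
    assert reader.verify(c1, captured)  # the genuine exchange is accepted
    c2 = reader.challenge()  # later attempt: the reader picks a new nonce
    return reader.verify(c2, captured)

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
READER = Reader({b"\x00\x00\x01\x02": None, b"\x00\x00\x01\x03": KEY})
STATIC = StaticCard(b"\x00\x00\x01\x02")
CRYPTO = ChallengeCard(b"\x00\x00\x01\x03", KEY)
print(replay_succeeds(STATIC, READER), replay_succeeds(CRYPTO, READER))  # True False
```

The static card's captured payload is accepted again because the reader has nothing to tie it to a particular attempt; the challenge-response card's captured answer is rejected because the reader's next nonce differs and only the card holding the key can answer it.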
