Saturday, February 06, 2010

Question: What about RFID security?

A good colleague of mine asked me if i could write something about RFID security. Sure! :-)

First of all; I'm not an expert on RFID, so if any readers of this blogpost should disagree, please tell me asap at per - at - thorsheim DOT net. Thanks! :-)

First of all, there are *many* sources on RFID, and security surrounding the technology, its use for various purposes, and of course the vulnerabilities that are known in the technology. Reading a little bit of the Wikipedia article on RFID is of course recommended (...), but the very short version:

1. It's used "everywhere", from tracking cows to payment cards, asset tracking in warehouses to identification of YOU in your new passport. You have probably also used it at some places to get physical access by just holding the card close to a proximity reader, or paid for your lunch in the canteen. Summarized; even if you don't think you are using it, you probably do.

2. An important feature of RFID is the contactless operation. Instead of a magnetic stripe that you will have to swipe through a reader, or a chipcard which must be inserted into a reader, RFID is radio frequency based. This reduces wear & tear to the equipment, reducing cost. Just as important is making it easier to use while increasing the throughput; instead of one person after another swiping a magstripe card through a reader, many RFID "tags" can pass by a proximity reader very quickly.

Lets move on to the insecurities of RFID. I'm not going to explain all the possible excellent uses of RFID, I'll leave that to those selling such systems. Again the Wikipedia article has lots of useful links on many subjects related to RFID.

One of the people who really has done some amazing work in RFID is Adam Laurie. On one of his sites,, you will find tools that he has developed in order to "play around" with various RFID standards and associated  tools. One of the many things Adam has demonstrated through his work is the successful "cloning" of a person with an implanted RFID tag in his body, thus successfully unlocking his computer using the cloned tag. More serious stuff like the possibility of cloning passport information etc is also described on his page. The encryption used initially by RFID tags in British passports was cracked in less than 48 hours... A word of warning though, his web page looks a little "under construction", and it is definitely NOT for the non-technical among us to understand! :-) (Sorry Adam!)

Obviously a key issue on RFID insecurity is the simple fact that it is contactless, it uses various radio frequencies. In December a TV show named "Tiger Team" aired for the first time on CourtTV. The show got cancelled after just 2 episodes, with CourtTV saying it was just a special airing, and was not supposed to be a running TV show. In the second show they demonstrated how they used RFID reading equipment to clone the access card from the "target" by following after a person in order to read and clone the RFID tag. This way they got physical access to a building, since the access system didn't require any other authentication (pin, password, username..) in order to allow access through a door.

There are also (of course) those who claim that the radio frequencies  used by RFID (and other systems as well) are dangerous to people, recommending all of us to protect ourselves. Personally i recommend the "Heavy Duty Faraday Canopy" from EMF... :-D

On a side note on emissions; there are discussions on how long distances an attacker might be able to read off your RFID tag. This reminds me of another similar topic: that of  TEMPEST.The easy way to describe this is the remote wireless reading of emanations from your screen and electronic equipment and assembling this back into sound, an image or even live video. You can see some example videos here (Tempest using radio) and an article with images here about video snooping. However the exact details on the capabilities of Tempest are classified information. As you see what this is really about, you might imagine the risk...

What is the risk with RFID then?
I don't want to scare anyone from using RFID. First of all, there's a HUGE difference between random and targeted attacks. If somebody wants to attack YOU, they will succeed, sooner or later. Becoming the victim of a random attack is of course not something you want to happen, but i hardly doubt that your current use of RFID would be the point of entry today. There are just too many other ways of easily obtaining illegal access, be it physical or logical.

I've said it before, I'll say it again: If somebody can break into a firewall, they are probably quite skilled (unless the firewall is configured by a complete idiot). However there's no point in breaking into a firewall, it doesn't contain any information that you can gain any direct value from, it's just a stepping stone for further access towards something useful. Why attack the hardest point?

The same thing applies to the use of RFID. I would say that illegally reading and cloning RFID tags today requires a lot of time & patience, a bit of money and a bit of luck, where luck is based on bad configurations, such as allowing access form the "outside" using an RFID tag, into a building without any monitoring of the entrance. A simple access system for a building could blindly let people in and out using RFID. A bit smarter would be to disallow access IN for somebody who is already registered to be on the inside, and vice versa. Many people tend to forget about simple risk analysis (probability, consequences) when faced with technically advanced possibilities - and vulnerabilities.

I hope this works as an answer from me on your question about RFID.

No comments:

Post a Comment

All comments will be moderated, primarily for spam. You are welcome to disagree with my posts of course.