Re: [Full-disclosure] Sniffing RFID ID's ( Physical Security )
From: Andre Gagne (gagne.andregmail.com)
Date: Tue Jun 27 2006 - 15:56:57 CDT
Josh L. Perrymon wrote:
> I'm just looking to validate if this is the case.
> Are most RFID access control cards susceptible to interception? I can
> see the security features built into something like RFID Credit
> Cards.. but I'm betting this is not the case with RFID access cards.
> Obviously, I can't validate this until I get an RFID reader/writer.
> If this is the case then it's a global problem. Not only for accessing
> a building illegally-- but this is a form of stealing a user's
> identity. A lot of companies use the backend data from the card
> readers to trend workers' in/out time and areas accessed. blah blah blah.
> Plus, I'd like to try this on my next on-site hack.
> On 6/27/06, *mikeiscool* < michaelslistsgmail.com
> <mailto:michaelslistsgmail.com>> wrote:
> On 6/27/06, Josh L. Perrymon < joshuaperrymongmail.com
> <mailto:joshuaperrymongmail.com>> wrote:
> > My post was based more on *existing* RFID implementations used
> > for physical security access cards.
> > I know that non-contact cards such as RFID Credit Cards use
> > encryption so on... But are still vulnerable to non-authorized
> > transactions.. I mean.. there is no green button you push to
> > authorize the transaction.
> > But I just don't believe that the RFID access-card I use to
> > access client premises use any type of encryption or only
> > communicate with readers.
> > IF* this is the case then an attacker should have no problems
> > powering the card and making a "copy" of the contents.
> so what's your question then? how your card works? or how to make
> it secure?
> > JP
> > PacketFocus
> > www.packetfocus.com <http://www.packetfocus.com>
> > josh.perrymonpacketfocus.com <mailto:josh.perrymonpacketfocus.com>
> -- mic
> CMLRA, Mirios
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
There are a few different RFID companies that each have a unique form of
authentication based on top of existing standards. For example, at the
place I'm working we use these cards from HID. The standards they run
off of are pretty interesting, but it seems to me that if you could gain
enough data on a specific person's card then you could replicate them.
Unfortunately there are a few problems.

1) You said you are worried that someone sitting downstairs in the coffee
shop could skim the transmissions? The range is only about 4-5 cm or
so; I think someone's going to notice you running around shoving a radio
antenna near their waist. The amount of power that a skimmer would have
to generate to get the data from a distance would be enough to seriously
damage the person holding it. I could be wrong on this though: Ilan
Kirschenbaum and Avishai Wool from Tel Aviv University are presenting
a paper at this year's USENIX Security Symposium in which they talk
about building a low-cost, high-range skimmer.

2) Encryption on top of the authentication. The chips themselves could
be using a public key infrastructure just as Mike commented. You would
then have to be able to mimic a card reader and know its private keys.
It's still possible though (as anything is), but you would have to do more
elaborate attacks, such as tapping the communication between the reader
and the database, or re-engineer the reader itself to do whatever you want.

As for the idea of requiring an additional PIN number, I consider this to
be a bad idea. If you're going to require the PIN then why not put a
biometric/code lock on the doors? To elaborate, I ask that we remember
the three levels of security: it's about who you are, what you have, and
what you know. Requiring a PIN on top of this is stronger but it
completely defeats the usability of the system. Having to remember and
punch in a PIN every time is only going to increase the cognitive
burden on the user, which is one thing that these systems are very good
at avoiding. It all gets back to the policy of the companies that are
using these systems. A good policy will lead to a more trustworthy system.

I am not an expert so I could be entirely off base :P Cheers