Transcript Slide 1

30 Minutes of RFID
Analysis, Applications and Attacks
Presented By Dan Cornforth
Copyright Security-Assessment.com 2006
Overview
• What is RFID
• How does the technology work
• Identify some of the forces behind progress to date
• Who is using RFID currently & for what
• What might RFID be useful for & by whom
• Some potential weaknesses, attack vectors and fixes
What is RFID
Smartcode EPC passive RFID tag
What is RFID
• Radio Frequency Identification
• Typical RFID infrastructure
RFID Characteristics & Differentiators
• Types of tag
– Passive
– Active
• The air interface (operating frequency)
– LF: 125 kHz
– HF: 6.78 MHz, 13.56 MHz, 27.125 MHz, 40.680 MHz
– UHF: 433.920 MHz, 869 MHz, 915 MHz
– Microwave: 2.45 GHz, 5.8 GHz, 24.125 GHz
• Communication modes
– Full duplex
– Half duplex
– Variant half duplex
• Coupling
– Backscatter
Governing Specifications
• ISO 14443
– Defines 2 card types (A & B)
– Modulation methods
– Coding schemes
– Protocol initiation procedures
• ISO 15693
– Defines vicinity cards
• Emergence of the EPC (Gen2) standards
– Electronic Product Code
• No single global body for RFID governance and standards… yet
Security Features of Common Tags
• Transmit a standard serial ID
– UNIQUE
– VeriChip
– Most animal tags
– HID Prox II
• Require password authentication prior to ID transmission
– Q5
– Titan
– EM4469
• Challenge response, PKI and encrypted transmission of ID
– DST (40 bit key)
– MiFare
– HiTag (48 bit key)
– SmartMX (128 bit AES, 4096 bit asymmetric key)
Influences & Drivers
• Perceived speed, security and simplicity of the cashless society
– The Hong Kong Octopus Card
– Estimated 63% time saving – Amex (ExpressPay)
• Asset, warehouse and stock management traditionally seen as drivers
• US TREAD Act 2004 (Trans, Recall, Enhance, Acc, Doc)
• Wal-Mart, FDA and US DoD mandates
• Keyless entry
– Centralised access management
– Key duplication perceived more difficult ~ dependent
• EPCglobal network
• Ever-decreasing size and price of the hardware
Current Applications
• Payments
– Amex Bluecard products & ExpressPay
– Mastercard PayPass
• Public transport & ticketing
– The Hong Kong Octopus card
– London Transport's Oyster card
– Many more throughout Europe, US and Asia
• Industrial automation
– Stock and asset management through the supply chain
• Electronic immobilisation
• Physical access control
• ePassport
• Animal identification
• Various medical applications
Future & Potential Applications
• A potentially limitless marketing resource (e.g. tagged clothing items that may be tracked throughout a shopping mall)
– What are the shopping behaviour patterns of our customers?
– What else did they buy, and from whom?
– Was our store their first choice for the product they bought?
– Where did they eat?
– Who are they shopping with?
– Which family member(s) appear to be driving the shopping experience?
– OK, this may appear a little far-fetched, but it is technically feasible
• EPCglobal network
• Potential applications appear to be limited only by
– Privacy legislation
– Public perception
– Implementers' imagination
Attack Vectors
• Tag destruction & read prevention
• The kill command
• The RFID “virus”
• Device cloning & replay attacks
• The relay attack
• Attacking weak crypto
• Side channel attacks (power analysis)
Tag Destruction & Read Prevention
• Nothing particularly sophisticated or glamorous here
• Home-made strong electromagnetic field generator
– The “RFID-Zapper”
– Non FCC compliant
– https://events.ccc.de/congress/2005/wiki/RFID-Zapper(EN)
• Foil & duct tape RFID-shielded wallet for the privacy enthusiast
– http://www.rpi-polymath.com/ducttape/RFIDWallet.php
Physical Read Prevention
The Kill Command
• Primarily a privacy and anti-counterfeiting mechanism
• Technical implementation left to the device manufacturer
• Achieved via
– Blowing an embedded fuse, following issue of the correct “kill” string
– Setting a “killed” value in memory, disabling the protocol state machine
• Logical layout of tag memory as per the EPC Class 0 & 1 Gen1 standards
The RFID “virus”
• Nothing particularly notable or new to see here
• This is a PoC attack
– Bad data written to tag
– Middleware supporting the RFID infrastructure reads the bad data from the tag without sanitising the input
– The potential for a SQL injection attack against a backend database exists
• Not strictly an RFID-specific attack
• Not an ideal SQL injection scenario
• Knowledge of the backend database construct and product is a prerequisite
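The unsanitised middleware read described above, as an added Python example that is not from the original deck or the RFID virus paper: a trusting lookup that splices tag data straight into SQL, beside the same lookup with an EPC format check and a parameterised query. The inventory table, the EPC values and both tag payloads are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed inventory table standing in for the backend database the
# slide describes; the epc column holds the tag serial as a hex string.
def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE inventory (epc TEXT PRIMARY KEY, item TEXT)")
    db.executemany("INSERT INTO inventory VALUES (?, ?)",
                   [("30000000000000000000000a", "pallet A"),
                    ("30000000000000000000000b", "pallet B")])
    return db

# Constructed tag payloads: a genuine 96-bit EPC, and the slide's "bad data"
# (a quote plus a tautology) written to a tag in place of an EPC.
GOOD_TAG_DATA = "30000000000000000000000a"
BAD_TAG_DATA = "x' OR '1'='1"

def lookup_vulnerable(db: sqlite3.Connection, tag_data: str) -> list:
    """Middleware that trusts the tag: the payload is spliced into the SQL."""
    sql = f"SELECT item FROM inventory WHERE epc = '{tag_data}'"
    return [row[0] for row in db.execute(sql)]

# A 96-bit EPC serialises to exactly 24 hex digits; anything else is not
# a tag serial and never reaches the database.
EPC96_RE = re.compile(r"\A[0-9a-fA-F]{24}\Z")

def lookup_hardened(db: sqlite3.Connection, tag_data: str) -> list:
    """Same lookup with input validation and a parameterised query."""
    if not EPC96_RE.match(tag_data):
        raise ValueError("tag payload is not a 96-bit EPC")
    rows = db.execute("SELECT item FROM inventory WHERE epc = ?", (tag_data,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, bad tag:", lookup_vulnerable(db, BAD_TAG_DATA))
    print("hardened, good tag:", lookup_hardened(db, GOOD_TAG_DATA))
```

The tautology turns the WHERE clause into a match on every row, which is exactly the kind of result a middleware layer would then trust and act on.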
Device Cloning & Replay
• Effective against ID-only and symmetric devices
• Reprogram another tag to emulate another device's ID
– Certain models of HiTag can be programmed to emulate other devices' serial numbers
• Reproduction and replay of the tag transmission
– http://cq.cx/verichip.pl
– Off-the-shelf parts
– 125 kHz & 13.56 MHz
– Sniff, behave as a reader and behave as a device
– The USRP (Universal Software Radio Peripheral): http://ettus.com
The Relay Attack
• Effective against challenge-response devices, whether cryptographically sound or not
• For those who have read Ross Anderson's “Security Engineering”, think “MiG in the middle” attack
• The scenario
– An RFID-enabled point of sale for goods or services
– Using a contactless smartcard
– Employing a cryptographically sound communication channel between the device and the reader
• How the attack works
– At the checkout the POS issues a challenge to the card in customer A's wallet, which is waved before the reader
– Our customer relays this challenge via an RFID proxy to another cardholder's wallet elsewhere (Cardholder B)
– Cardholder B's card responds to the valid proxied challenge
– The response from B's card is relayed to A's card in answer to A's purchase at the POS
• The hardware for this attack cost the Cambridge-based researchers approximately $250
Attacking Weak Encryption
• Texas Instruments DST (Digital Signal Transponder)
– Basis for the SpeedPass payments system primarily used at petrol stations in the US
– Uses a proprietary 40 bit undisclosed algorithm
• The attack involved three distinct stages
– Reverse engineering of the algorithm
– Brute force key cracking
– Tag simulation
Power Analysis Attacks
• What is it?
– Side channel cryptanalysis attack against the chip
– Generally aimed at the implementation rather than the algorithm
– Correlates changes in the chip's power consumption with operations within the cryptosystem
– Requires logic analysis equipment
• Goals
– Extraction of cryptographic key material
• Peter Gutmann quote:
“You simply cannot make a credit-card form factor device robust, capable, or secure.”
Mitigation
• Ensure real cryptography is used
– AES & friends ~ good
– Snake oil infinity bit proprietary algorithm ~ bad
• Greater device tamper resistance
– Helps place side channel attacks outside the realms of a moderately funded attacker
– Equates to a more expensive device
• Pressure device manufacturers for the development & implementation of a distance bounding protocol within high security devices
– Equates to a more expensive device
• Ensure appropriate device selection and testing from project outset
– Recalling devices issued to a nation's dairy herd or passport holders may prove costly
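The relay scenario from the earlier slide and the distance bounding mitigation above, as an added Python simulation that is not part of the original deck: the POS reader verifies a challenge-response MAC, which a relayed answer passes, and then also bounds the round-trip time, which the relay fails. The shared key, the HMAC used in place of the card's real scheme, the 5 ms budget and the 50 ms proxy delay are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional

# Constructed demo key shared by the POS reader and the genuine card
# (assumption: an HMAC stands in for whatever MAC the real card computes).
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Constructed round-trip budget. A real distance-bounding protocol derives
# this from signal propagation over the intended reading distance, far
# tighter than 5 ms; here it only needs to separate local from relayed.
MAX_ROUND_TRIP_S = 0.005
RELAY_DELAY_S = 0.05  # simulated proxy latency between the two wallets

def card_respond(key: bytes, challenge: bytes) -> bytes:
    """Card side of the challenge/response: an 8-byte MAC over the challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:8]

def honest_card(challenge: bytes) -> bytes:
    """Customer A's genuine card, held at the reader."""
    return card_respond(CARD_KEY, challenge)

def relayed_card(challenge: bytes) -> bytes:
    """Cardholder B's card reached via the proxy: valid answer, slower trip."""
    time.sleep(RELAY_DELAY_S)
    return card_respond(CARD_KEY, challenge)

def cloned_card(challenge: bytes) -> bytes:
    """A clone that copied the ID but not the key: fails the MAC check."""
    return card_respond(b"wrong key", challenge)

def pos_transaction(card: Callable[[bytes], bytes], key: bytes,
                    max_rtt: Optional[float] = MAX_ROUND_TRIP_S) -> str:
    """Reader side: fresh challenge, verify the MAC, then bound the round trip.
    max_rtt=None models a reader that does no distance bounding at all."""
    challenge = secrets.token_bytes(8)
    start = time.perf_counter()
    response = card(challenge)
    rtt = time.perf_counter() - start
    if not hmac.compare_digest(response, card_respond(key, challenge)):
        return "rejected: bad response"
    if max_rtt is not None and rtt > max_rtt:
        return "rejected: round trip too slow (possible relay)"
    return "accepted"

if __name__ == "__main__":
    for card in (honest_card, cloned_card, relayed_card):
        print(card.__name__, pos_transaction(card, CARD_KEY))
```

Calling pos_transaction(relayed_card, CARD_KEY, max_rtt=None) shows why sound cryptography alone does not stop the relay: the proxied response is accepted.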
References & Resources
• Fundamentals and Applications in Contactless Smartcards & Identification – Klaus Finkenzeller
• Python library for exploring RFID devices – http://rfidiot.org
• Practical Relay Attacks Against ISO 14443 Proximity Cards – Gerhard Hancke & Dr Markus Kuhn
• Low Cost Attacks on Tamper Resistant Devices – Ross Anderson & Markus Kuhn
• A New Approach to Hardware Security Analysis in Semiconductors – Sergei Skorobogatov
• RFID Essentials – O'Reilly
• Texas Instruments DST attack – http://www.jhu.edu/news_info/news/home05/jan05/rfid.html
• RFID relay attacks – http://www.cl.cam.ac.uk/~gh275/relay.pdf
• RFID virus – http://www.rfidvirus.org/papers/percom.06.pdf
• Smartdust – http://en.wikipedia.org/wiki/smartdust
Questions
http://www.security-assessment.com
[email protected]