Post on 29-Jun-2018


The Cure For InSecure RFID Applications

Guidelines for the IT Professional

Michael McCartney

Chairman, RFID Security Alliance

your logo here

RFID Security Alliance

• We are a resource for the RFID industry, driving market education and discussion about security and privacy issues surrounding the use of RFID technologies, solutions and applications.

• 120 companies globally; 200+ members on LinkedIn

• Sources for slides come from members, specifically Lukas Grunwald (NeoCatena Networks, Inc., http://www.neocatena.com) and Karsten Nohl

• www.RFIDSA.com

• http://rfidsa.blogspot.com/

RFID-Security An Issue?

• 2009, August 6th, at the same time as the annual Defcon hacker convention: Twitter Falls Victim to Hacker

• 2010, March 28th: Christopher Scott of Miami was sentenced Monday to three years of supervised release after pleading guilty in September 2008 to conspiracy, unauthorized access to computer systems, access device fraud and identity theft.

• Scott's expertise was hacking wireless networks

The SoupNazi-$200M-4.3 Cards

• Authorities said Albert Gonzalez and two foreign co-defendants would drive past retailers with a laptop computer, tapping into those with vulnerable wireless Internet signals. They would then install "sniffer programs" that picked off credit and debit card numbers as they moved through a retailer's computers before trying to sell the numbers overseas.

• He became a Secret Service informant after he was first arrested for hacking in 2003.

• Even as he helped the government nail other hackers, prosecutors said, he kept breaking into retailers' computer systems, amassing $2.8 million he used to buy a Miami condo, a car, Rolex watches and a Tiffany ring for his girlfriend.

RFID Security By Obscurity

All RFID Systems Are Insecure

• Why? It is not because the technology is poor; rather, it is the way design decisions are made

• All proprietary systems lack public reviews (Mifare)

• Reliance on obscurity leads to major breaks (Legic)

• Time-to-market often trumps security concerns (EPC)

• Even when designing security, prepare for failure

• The weakest point of the most secure systems is the storage of secret keys, "security by obscurity"

• New public-key cryptography can strengthen security

See http://www.instructables.com/id/Stupid-Simple-Arduino-LF-RFID-Tag-Spoofer/

In-Security Can Be Exploited

1. Man in the Middle

2. Cloning

3. Data Manipulation

4. Scanning

5. Code Injection

6. Denial of Service

7. RFID Malware

8. NFC Vulnerabilities

9. Physical Tag Security

Man-in-the-Middle

• Sniffing of communication between transponder and reader

– Faking the communication between peers

– Obtain UID, user data and meta data

– Basis for subsequent attacks

– Replay / relay attacks to fool access control systems

Cloning

• Duplication of tag data to create identical copies of RFID tags that will be accepted by an RFID application as valid

– Gain illegal access to restricted area

– Inject counterfeit products into digital supply chain

– Change price tags at Point of Sale (Cyber Shop Lifting)

Manipulation of Data

Scanning

• Passive Scanning

– Attacker sniffs the communication with his own antenna

– Energy for the tag is provided by legitimate reader

– Obtain user-data and meta-data

• Active Scanning

– Emulating legitimate reader for unauthorized read/write operations

– Attacker uses own reader / antenna environment

– Energy for the tag is provided by attacker


Code Injection

• Insertion of executable code fragments into tag data

– SQL injection

– Shell-Code

– String format attack

– Buffer overrun

• Attack edge servers, middleware and back-ends via manipulated data structures

• Non-spreading attack (compare Malware Injection)

Denial-of-Service (DoS)

• Jamming of RFID frequencies

– Use “out-of-the-box” police jammer (broadband jamming transmitter)

• Attack against anti-collision (RSA attack)

– Prevent reading of any tags

• Shut down

– Production

– Sales

– Access

RFID Malware

Basic Threat Model

1. The infected RFID tag first feeds the tag reader with malicious data.

2. The malicious data are used to exploit the vulnerabilities of the RFID middleware or database system.

3. If the middleware or database is successfully compromised, the malware can be spread by updating tag values with malicious data during regular tag updating.

4. They can also infect other enterprise systems when they retrieve the malicious data from the database.

Basic Threat Solution
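
The following is an added example, not taken from the original slides: it shows step 2 of the threat model (and the SQL injection item on the Code Injection slide) from the middleware's side, with a weak ingest routine beside a hardened one. The table layout, the `trusted` column, the tag formats and the sample reads are all assumptions constructed for illustration.

```python
import re
import sqlite3

# Constructed sample tag reads (UID hex, user-data field). The second one
# carries SQL metacharacters in its user data, as in step 1 of the threat model.
SAMPLE_READS = [
    ("04A1B2C3D4E5F6", "PALLET-0042"),
    ("04FFEE11223344", "x', 1) --"),
]

UID_RE = re.compile(r"[0-9A-F]{8,20}")          # assumed UID format: 4-10 bytes, hex
DATA_RE = re.compile(r"[A-Za-z0-9 ._-]{1,32}")  # assumed user-data alphabet and length


def new_db():
    # Hypothetical back-end table; 'trusted' is set only by staff, never by a tag.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reads (uid TEXT, data TEXT, trusted INTEGER)")
    return db


def ingest_unsafe(db, uid, data):
    # Weak pattern: tag bytes are pasted into the SQL text, so the tag
    # controls the statement itself, not just the stored value.
    db.execute(f"INSERT INTO reads VALUES ('{uid}', '{data}', 0)")


def ingest_hardened(db, uid, data):
    # 1) Reject anything outside the expected tag format before it travels
    #    further (a real system would also log and quarantine the read).
    if not UID_RE.fullmatch(uid) or not DATA_RE.fullmatch(data):
        return False
    # 2) Bind values as parameters so they can never become SQL syntax.
    db.execute("INSERT INTO reads VALUES (?, ?, 0)", (uid, data))
    return True


def run(ingest):
    # Feed all sample reads through one ingest routine and return
    # (per-read results, rows that ended up in the table).
    db = new_db()
    results = [ingest(db, uid, data) for uid, data in SAMPLE_READS]
    rows = db.execute("SELECT uid, data, trusted FROM reads ORDER BY rowid").fetchall()
    return results, rows


if __name__ == "__main__":
    print("unsafe  :", run(ingest_unsafe)[1])
    print("hardened:", run(ingest_hardened))
```

With the unsafe routine the second tag sets its own `trusted` flag; with the hardened routine that read is rejected and only the well-formed row is stored. The same validation belongs on the write-back path of step 3, so that values from the database are checked again before being written to tags.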

NFC-How Not to Proceed

Jonathan Main, Chair of NFC Technical Committee:

“NFC Forum's role is not to define the [security] requirements [because] a mandatory 'one-size fits-all' approach…is not viable.

Many applications use smart card security specified in other consortia. On top of these many security measures, users [can] set their own security parameters and preferences.”

• 14.443 and other RFID frequencies need to be secured from the tag to the reader

Press for a standardized approach; secret codes and yesterday’s security paradigms lead to proprietary systems, i.e. Mifare, Legic etc.

The time to fix the roof is before it rains

• What to do now?

– Assess where you are

– Take immediate corrective actions

– Learn from others

• We need a minimum RFID Security Standard

Questions?


Thank You

RFID Security Alliance

www.RFIDSA.com

http://rfidsa.blogspot.com/

http://www.linkedin.com/groups?gid=62849

Twitter: RFIDSecurity

Michael McCartney

Principal

QLM Consulting

[email protected]

415 331 9292

www.qlmconsulting.com