Full Disclosure mailing list archives

Re: Sniffing RFID ID's ( Physical Security )


From: Hugo Fortier <hfortier () recon cx>
Date: Tue, 27 Jun 2006 17:37:03 -0400

> There are a few different RFID companies that each have a unique form of authentication built on top of existing standards. For example, at the place I'm working we use these cards from HID. The standards they run off of are pretty interesting, but it seems to me that if you could gain enough data on a specific person's card then you could replicate it. Unfortunately there are a few problems.
>
> 1) You said you are worried that someone sitting downstairs in the coffee shop could skim the transmissions? The range is only about 4-5 cm or so; I think someone's going to notice you running around shoving a radio antenna near their waist. The amount of power that a skimmer would have to generate to get the data from a distance would be enough to seriously damage the person holding it. I could be wrong on this though: Ilan Kirschenbaum and Avishai Wool from Tel Aviv University are presenting a paper at this year's USENIX Security Symposium in which they talk about building a low-cost, high-range skimmer.
What limits the range of HID cards is the fact that the card is powered by the reader; while the card is powered, the signal it sends can be read from a greater range. So when you actually use the card with the legitimate reader, someone sniffing the signal wouldn't need to be at 4-5 cm...

Also, you don't need to show your antenna; you could easily hide it in a bag. I believe an elevator would be the best spot to go fishing for proximity cards...

In my opinion a good trick to protect yourself from people trying to power your HID card is to put 2 RFID cards next to each other. If they get powered, both cards' signals will combine and cause a conflict. I base this on the fact that if you present 2 HID cards at the same time to a HID reader, access will not be granted. There might be some way to isolate the two signals, so don't take this for granted.

> 2) Encryption on top of the authentication. The chips themselves could be using a public key infrastructure just as Mike commented. You would then have to be able to mimic a card reader and know its private keys.

While what you say is true, from my experience the most commonly installed system is the HID ProxCard II and it's vulnerable to sniffing and re-injection. Note that HID also has a smart-card-based system, but I have no experience with it and I have never seen it in production.

Jonathan Westhues did a very good presentation on RFID last year at Recon; you can get the slides and video there: http://2005.recon.cx/recon2005/papers/Jonathan_Westhues/

Hugo
recon.cx
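The replay weakness Hugo describes comes down to the credential being a fixed bit pattern with no challenge or nonce: whatever the reader demodulates from the card is the whole secret. The example below is added here and is not code from the original post, from Hugo, or from HID. It works at the Wiegand layer, i.e. the 26-bit credential (the common H10301 "standard 26-bit" layout: even parity bit, 8-bit facility code, 16-bit card number, odd parity bit) that a Prox reader emits after demodulation, not the raw 125 kHz FSK/Manchester air signal. The facility code and card number used are constructed values, not a real card.

```python
# Added example, not code from the original post or from HID.
# Works at the Wiegand layer: the 26-bit credential a HID Prox reader
# emits after demodulating the card (the H10301 "standard 26-bit" layout),
# not the raw 125 kHz FSK/Manchester air signal. All card values below
# are constructed for illustration.

H10301_LEN = 26


def _bits(s: str) -> list[int]:
    if len(s) != H10301_LEN or set(s) - {"0", "1"}:
        raise ValueError("expected a 26-character string of 0/1")
    return [int(c) for c in s]


def decode_h10301(frame: str) -> dict:
    """Split a 26-bit frame into facility code, card number and parity checks.

    Layout (bit 0 first on the wire):
      bit 0      even parity over bits 0..12
      bits 1-8   facility code (8 bits)
      bits 9-24  card number (16 bits)
      bit 25     odd parity over bits 13..25
    """
    b = _bits(frame)
    lead, data, trail = b[0], b[1:25], b[25]
    facility = int("".join(map(str, data[:8])), 2)
    card = int("".join(map(str, data[8:])), 2)
    even_ok = (lead + sum(data[:12])) % 2 == 0   # bits 0..12
    odd_ok = (sum(data[12:]) + trail) % 2 == 1   # bits 13..25
    return {
        "facility_code": facility,
        "card_number": card,
        "parity_ok": even_ok and odd_ok,
    }


def encode_h10301(facility: int, card: int) -> str:
    """Build the frame a card (or a cloner) would present for this credential."""
    if not 0 <= facility <= 0xFF or not 0 <= card <= 0xFFFF:
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    data = [int(c) for c in f"{facility:08b}{card:016b}"]
    lead = sum(data[:12]) % 2            # makes bits 0..12 even
    trail = 1 - sum(data[12:]) % 2       # makes bits 13..25 odd
    return "".join(map(str, [lead, *data, trail]))


def replay_frame(captured: str) -> str:
    """What a sniffer has to emit to impersonate the card.

    The credential carries no nonce or challenge, so the frame to replay is
    exactly the captured one; decoding and re-encoding it changes nothing.
    """
    d = decode_h10301(captured)
    if not d["parity_ok"]:
        raise ValueError("captured frame fails parity; re-capture it")
    return encode_h10301(d["facility_code"], d["card_number"])


if __name__ == "__main__":
    # Constructed credential: facility 10, card 1234.
    frame = encode_h10301(10, 1234)
    print(frame, decode_h10301(frame))
    assert replay_frame(frame) == frame
    # One flipped bit: a corrupted capture is caught by parity.
    bad = frame[:5] + ("1" if frame[5] == "0" else "0") + frame[6:]
    print(decode_h10301(bad)["parity_ok"])
```

The parity check is the only integrity a sniffer has to satisfy, and it is computed from the public bits, so a clean capture is immediately replayable; a frame that fails parity is a bad capture, not a defence. The smart-card-based HID system Hugo mentions but has not seen deployed is where a challenge-response would change this picture.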

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/