Re: [Full-disclosure] Sniffing RFID ID's ( Physical Security )
- To: Andre Gagne <gagne.andre@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Sniffing RFID ID's ( Physical Security )
- From: Hugo Fortier <hfortier@xxxxxxxx>
- Date: Tue, 27 Jun 2006 17:37:03 -0400
> There are a few different RFID companies that each have a unique
> form of authentication built on top of existing standards. For
> example, at the place I'm working we use these cards from HID. The
> standards they run off of are pretty interesting, but it seems to me
> that if you could gain enough data on a specific person's card then
> you could replicate them. Unfortunately there are a few problems.
> 1) You said you are worried that someone sitting downstairs in the
> coffee shop could skim the transmissions? The range is only about
> 4-5 cm or so; I think someone's going to notice you running around
> shoving a radio antenna near their waist. The amount of power that
> a skimmer would have to generate to get the data from a distance
> would be enough to seriously damage the person holding it. I could
> be wrong on this though: Ilan Kirschenbaum and Avishai Wool from
> Tel Aviv University are presenting a paper at this year's USENIX
> Security Symposium in which they talk about building a low-cost,
> high-range skimmer.
What limits the range of HID cards is the fact that the card is powered by
the reader; while the card is powered, the signal it sends can be read
from a bigger range. So when you actually use the card with the
legitimate reader, someone sniffing the signal wouldn't need to be at
4-5 cm...
Also you don't need to show your antenna, you could easily hide it
in a bag. I believe an elevator would be the best spot to go fish for
proximity cards...
In my opinion a good trick to protect yourself from people trying to
power your HID card is to put 2 RFID cards next to each other. If
they get powered, both cards' signals will combine and cause a conflict.
For this I base myself on the fact that if you present 2 HID cards at the
same time to a HID reader, access will not be granted; there might be
some way to isolate the two signals, so don't take this for granted.
> 2) Encryption on top of the authentication. The chips themselves
> could be using a public key infrastructure just as Mike commented.
> You would then have to be able to mimic a card reader and know its
> private keys.
While what you say is true, from my experience the most commonly
installed system is the HID Prox card II and it's vulnerable to
sniffing and reinjection. Note that HID also has a Smart Card based
system, but I have no experience with it and I have never seen it in
production.
Jonathan Westhues did a very good presentation on RFID last year at
Recon; you can get the slides and video there:
http://2005.recon.cx/recon2005/papers/Jonathan_Westhues/
Hugo
recon.cx
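Since a sniffed-and-replayed Prox II credential is indistinguishable from the real card at the reader, one practical detection on the access-control side is to flag a card ID presented at two physically separate readers closer together in time than a person could walk between them. The example below is added here and is not code from the thread; the log format, reader names and minimum travel times are constructed assumptions for the demonstration.

```python
"""Flag a proximity-card ID used at two readers faster than a person could
walk between them, one symptom of a cloned or replayed credential."""
from datetime import datetime

# Constructed assumption: minimum plausible walking time (seconds) between
# each pair of readers, taken from the building layout.
MIN_TRAVEL_SECONDS = {
    frozenset({"lobby", "elevator-5"}): 60,
    frozenset({"lobby", "server-room"}): 180,
    frozenset({"elevator-5", "server-room"}): 120,
}

# Constructed sample log: the holder badges through the lobby and reaches the
# fifth floor; 25 s later "their" card is read in the lobby again.
SAMPLE_LOG = """\
2006-06-27T17:30:02 reader=lobby card=0x1A2B3C result=granted
2006-06-27T17:31:20 reader=elevator-5 card=0x1A2B3C result=granted
2006-06-27T17:31:45 reader=lobby card=0x1A2B3C result=granted
2006-06-27T17:34:00 reader=server-room card=0x99AA11 result=granted
"""


def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into (datetime, reader, card)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["reader"], kv["card"]


def find_implausible_presentations(log_text):
    """Return (card, previous_reader, reader, seconds_between) for every read
    that follows the same card's previous read at a different reader sooner
    than MIN_TRAVEL_SECONDS allows."""
    last_seen = {}  # card -> (timestamp, reader) of its most recent read
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, reader, card = parse_line(line)
        if card in last_seen:
            prev_ts, prev_reader = last_seen[card]
            limit = MIN_TRAVEL_SECONDS.get(frozenset({prev_reader, reader}))
            gap = (ts - prev_ts).total_seconds()
            if prev_reader != reader and limit is not None and gap < limit:
                alerts.append((card, prev_reader, reader, gap))
        last_seen[card] = (ts, reader)
    return alerts


if __name__ == "__main__":
    for card, a, b, gap in find_implausible_presentations(SAMPLE_LOG):
        print(f"ALERT: {card} read at {b} only {gap:.0f}s after {a}")
```

The first two reads are 78 s apart and pass; the third is flagged because the lobby and the fifth-floor reader are 60 s apart at best.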
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/