[Full-disclosure] RFID Attack theory

I have read more since the initial post in regards to RFID hacking.

"Session replay" would probably be the best approach if you wanted to clone
the contents of an RFID proximity card, access card, and so on: basically
anything that uses static data on the card for identification. I have been
informed that each RFID chip/card has a UID burned in, similar to MACs on
network cards, so it's easier to replay this than to locate a blank card
and burn the data.

So most of the research has been done here already, which brings me to the
work done by www.rfidvirus.org.
They have some really good ideas about attacking the middleware using SQL
injections, SSL includes, and buffer overflows on the reader-to-middleware
interface. Some really good stuff.

What about attacking the reader itself and not the middleware? You
wouldn't have to worry about "cloning" or "session replay" at this point.
ISO defines the protocol used to communicate from the reader to the
card, then from the reader to the middleware, and so on. What if you attacked
the reader and exploited it directly, before even going through the middleware
to the app logic?

I'm thinking that the middleware will send some type of confirmation to open
a door, for instance. So if you could reproduce this by exploiting the
communication between the card and the reader, you could open the door.

My thinking was more along the lines of when certain types of authentication
or encryption are used: if you could exploit the communication protocol
itself, then you could bypass the proposed layers of security.

JP
www.packetfocus.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
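The replay property JP describes above (a card that answers every poll with the same static UID can be cloned by recording one exchange), as an added example that is not part of the original post or of any real RFID product. It is a constructed toy model in Python with no real air-interface framing: the `StaticIdCard`, `ChallengeResponseCard`, `ReplayDevice` and both reader classes, the 4-byte `UID` and the per-card `KEY` are all assumptions made for the illustration. It goes one step beyond the post by also showing the caveat a practitioner wants: a challenge-response reader whose nonce does not change is just as replayable as a static-data one.

```python
"""Toy model of RFID replay (constructed example, not real card or reader code):
a card that answers with static data is clonable from one recorded exchange;
a card that keys its answer to a fresh reader nonce is not, unless the reader
reuses the nonce."""
import hashlib
import hmac
import os


class StaticIdCard:
    """Assumed behaviour of a static-data proximity card: the answer is a constant."""

    def __init__(self, uid: bytes) -> None:
        self.uid = uid

    def respond(self, challenge: bytes) -> bytes:
        return self.uid  # the reader's challenge, if any, is ignored


class ChallengeResponseCard:
    """Hypothetical card that returns its UID plus an HMAC over the reader's nonce."""

    def __init__(self, uid: bytes, key: bytes) -> None:
        self.uid, self.key = uid, key

    def respond(self, challenge: bytes) -> bytes:
        return self.uid + hmac.new(self.key, challenge, hashlib.sha256).digest()


class ReplayDevice:
    """Attacker hardware: records one card answer, then presents it to any reader.
    It holds no key, so it cannot compute an answer to a nonce it has not seen."""

    def __init__(self) -> None:
        self.recorded = b""

    def skim(self, card, challenge: bytes = b"") -> None:
        self.recorded = card.respond(challenge)  # sniffed or skimmed exchange

    def respond(self, challenge: bytes) -> bytes:
        return self.recorded


class StaticIdReader:
    """Reader that admits any card whose static answer is on its allow-list."""

    def __init__(self, allowed_uids: set) -> None:
        self.allowed = allowed_uids

    def admit(self, card) -> bool:
        return card.respond(b"") in self.allowed


class ChallengeResponseReader:
    """Reader that sends a nonce and checks the HMAC with the card's enrolled key.
    `rng` is injectable so the nonce-reuse failure mode can be shown."""

    def __init__(self, keys: dict, rng=os.urandom) -> None:
        self.keys, self.rng = keys, rng

    def admit(self, card) -> bool:
        nonce = self.rng(16)
        answer = card.respond(nonce)
        uid, tag = answer[:4], answer[4:]
        key = self.keys.get(uid)
        if key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)


# Constructed sample credentials (not real card data).
UID = bytes.fromhex("0a1b2c3d")
KEY = b"per-card-secret-key-example"


def replay_against_static_reader() -> bool:
    """Static data: one recorded answer opens the door on every later poll."""
    clone = ReplayDevice()
    clone.skim(StaticIdCard(UID))
    return StaticIdReader({UID}).admit(clone)


def replay_against_challenge_reader() -> bool:
    """Fresh nonce per poll: the recorded answer was computed over a different nonce."""
    clone = ReplayDevice()
    clone.skim(ChallengeResponseCard(UID, KEY), os.urandom(16))
    return ChallengeResponseReader({UID: KEY}).admit(clone)


def genuine_card_against_challenge_reader() -> bool:
    """Sanity check: the real card, holding the key, is still admitted."""
    return ChallengeResponseReader({UID: KEY}).admit(ChallengeResponseCard(UID, KEY))


def replay_against_reader_with_fixed_nonce() -> bool:
    """Caveat: a reader whose 'nonce' never changes is replayable like a static one."""
    fixed = lambda n: bytes(n)  # broken RNG: all-zero nonce every time
    clone = ReplayDevice()
    clone.skim(ChallengeResponseCard(UID, KEY), fixed(16))  # observed in one real exchange
    return ChallengeResponseReader({UID: KEY}, rng=fixed).admit(clone)


if __name__ == "__main__":
    print("static reader accepts replay:", replay_against_static_reader())
    print("challenge reader accepts replay:", replay_against_challenge_reader())
    print("challenge reader accepts genuine card:", genuine_card_against_challenge_reader())
    print("fixed-nonce reader accepts replay:", replay_against_reader_with_fixed_nonce())
```

The model deliberately keeps the attacker device keyless: whether replay works then depends only on whether the reader's side of the exchange varies between polls, which is the property JP's post turns on.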