DN Systems has published a helpful overview of the considerable benefits that come with new ‘contactless’ technologies, and also some of the alleged associated risks for businesses keen to deploy this new technology. Firstly, it seems important to keep in mind that this is a relatively new sector, and therefore security policies are still in their infancy – so this is a shifting terrain. Whilst companies may have given much thought to the design of their RFID enabled devices (for instance door-access control cards, RFID tags, and ID cards) – their supporting ‘back-end’ IT systems may still have possible inherent flaws.
A spokesperson for DN Systems said, “…RFID tags are always an integral part of a larger IT system and should be seen in this context. Given a compatible RFID reader device, anyone can freely read and modify data stored on these RFID tags without the legitimate owner even being aware of it. RFID auditing tools like RFDump can be used to explore the weaknesses of existing RFID infrastructures.”
Is on-tag encryption – a cause for concern?
Certain RFID tags carry something called ‘on-tag encryption’. DN Systems argue that this approach is inherently vulnerable to unauthorised access and modification. ‘On-tag’ encryption simply means that the code used to access the RFID devices’ data is stored on the device itself. (In this respect, it would be a little like writing down the PIN code for a new credit card somewhere on the surface of the card – duh!)
Some suggest that with the right equipment it is possible to break the encryption on such devices. Using a software package such as ‘RFDump’, DN Systems suggest the information contained within the RFID device can be manipulated.
The ‘Mifare Classic’ chip (used in public transport systems and building access control across the globe – even today?) appears vulnerable to this sort of probing.
DN Systems have this to say on the matter, “At the Chaos Computer Congress 2007 Karsten Nohl from the University of Virginia presented the results of his research. Nohl had analyzed the Mifare chip layer by layer under an electron microscope and reverse engineered significant parts of its proprietary encryption logic revealing major design flaws showing how easy it is to break the chip’s security features. With the dollar amount of the ticket directly stored on the tag, ticketing systems based on this chip, like the Oyster Card in London or the Charlie Card in Boston, are at risk. An attacker could attempt to either clone a ticket or change its value to gain illegal access to the service provided. Similar cloning and tampering scenarios apply to other open loop applications as well, including hotel key cards, ski lift and event tickets, electronic payment systems and the electronic passport.”
But that was then – this is now…
The ‘Mifare Classic’ chip emerged way back in 1994 and has since been superseded by more improved products with so-called “light-weight cryptography” solutions for the RFID element.
Today’s RFID chips contain approximately 15,000 secure ‘gates’. Although DN Systems is keen to stress that, “…only a fraction of these are available to implement crypto functionality, the rest is required to implement the tag’s state. Strong private key crypto systems on the other hand require at least 20,000 – 30,000 gates alone when implemented in hardware.”
What the above would appear to suggest (to this layperson at least) is that in order to deliver a 100% secure solution a designer would require more ‘gates’ than are currently available with commercially available RFID tags. Therefore, whilst recent developments – i.e. since the ‘Mifare Classic’ – have made our ‘contactless’ experience far more secure – there is still further to go.
Some percieved RFID vulnerabilities
Ranked in no particular order of importance, what follows is an overview of common perceived RFID vulnerabilities:
- RFID Cloning: Here the target RFID device (often a tag) is probed for vulnerabilities, and once compromised a duplicate is made. This identical copy allows the perpetrator access to a secure area (i.e. cloned door-entry pass) or the prospect of introducing non-authorised products into an operations’ supply chain. Another tactic would be to manipulate the value of goods, via cloned item tags, when shopping. This phenomenon has been dubbed, “Cyber Shop-lifting”.
- Malicious Code Injection: In this scenario, the aim of the perpetrator is to introduce a virus into the RFID device, which once read seeks to corrupt or crash an associated ‘back-office’ IT support system. The main aim is to cause disruption or ‘hack’ into a secure area – such as a database. What, you don’t believe the databases of major corporations can be ‘hacked’ – well, here’s an overview of some of the more staggering database ‘hacks’ over the last decade.
- Man in the middle: Here the perpetrator seeks to trick users into presenting their RFID enabled device to a non-authorised reader. The goal is to decrypt certain information during this electronic transaction that might provide useful keys for performing other attacks in due course.
- Electronic eavesdropping / Skimming information: This subject has already been explored at length elsewhere on this blog:
The above vulnerabilities should not be read as proof that all RFID devices will be compromised in due course. Nor should we fear a new crime wave at this point in time. Rather, this article seeks to raise awareness that with any new technology come benefits and drawbacks – often in equal measures.
To learn even more about this fascinating subject or to view the original article visit: http://www.dn-systems.de/technology/risks/