RFID Information Can Be Stolen from Three Feet Away
Security consultant Fran Brown has created a hacking tool that can capture data from RFID badges from up to three feet away—a worrying development considering that up to 80 percent of US companies that use RFID access control systems still employ the vulnerable technology hacked by Brown.
What is RFID?
Radio frequency identification, or RFID for short, is used in a wide variety of everyday applications from the tracking of animals and humans to motorway toll collection and contactless payment systems. While some people may not know much about RFID, the chances are they have more than likely used it at one stage or another without even knowing it. If your dog has a microchip implant or you use an ID card to gain access to work then, whether you knew it or not, you have used RFID technology.
RFID uses radio waves to transfer data in order to automatically identify objects, or people or animals associated with those objects. An RFID system consists of at least one tag and one reader and there are several variations of both but one of the most common types of tags, and the type that is discussed in this blog and Brown’s research, is the 125KHz tag. Readers are two-way radio transmitter-receivers that send a signal to the tag and read the response. The tag contains a radio frequency transmitter and receiver that receives the signal from the reader and responds by sending back whatever information is stored on it, such as a unique code for accessing a secure building for example. Tags are very small and can be placed inside ID cards, passports, DVD or CD cases, or even just under the skin.
Long-range hacking tool
125KHz tags are some of the most common and need to be placed in close proximity, 10cm or less, to the reader in order to receive and send a signal. In order to skim and then clone one of these cards, a malicious actor would need to either have access to the card or be extremely close to it which makes it a difficult thing to do. However, Brown has managed to modify an RFID reader so that it can read RFID tag data from a relatively long distance—up to three feet. What this basically means is that anyone with one of these readers could place it in a pocket and take a walk around a company car park for instance, collecting data from workers’ ID badges as they walk by. The badges could then be cloned and the attacker would have the same access as the owner of the cloned badge.
The customization of the RFID reader was done by creating a small printed circuit board that can be inserted into most commercial readers. The stolen tag information is stored on a micro SD card. The code Brown wrote, as well as all the details of the hack tool and customization will be made available after this year’s Black Hat security conference in Las Vegas, where Brown will present his research.
While this idea has been around for some time, Brown says that his method “is the difference between a practical and impractical attack.” Past research has consisted of theories and ideas with little if any actual working tools. He also states that, in tests, his tool has a hundred percent success rate.
125KHz tags are considered out of date these days and have no security guarding the information they contain. The data sent is not encrypted so once it is received by an attacker, all they have to do is clone a new tag. While there are newer options available that encrypt the data stored on the tag and also secure the communication between the tag and reader or use challenge response authentication methods, organizations are slow to migrate to the new technology. This may be due to cost and/or organizations not being aware of the security risks associated with 125KHz tags.
Brown says that his long-range RFID reader is “targeted toward the Fortune 500 security professional” but that “[a]s with any penetration testing tool, this […] can be turned malicious.”
Given this development, organizations using RFID access control solutions may want to look again at their existing systems and think about upgrading or introducing additional access control measures such as biometrics