So far, it seems that the known attacks on RFID devices can generally be sorted into three broad categories:

  • cloning an RFID tag,
  • unauthorised modification of an RFID tag,
  • using an RFID tag to mount an attack on an RFID back end application,
  • attempting a blunt denial of service.

Continuing the biological virus analogy, an RFID tag can act as a carrier affected by a dormant infection, and the RFID protocol and radio waves can act as a transmission medium (say, like a fine mist of water that carries an airborne biological virus). In turn, an RFID reader is the port of entry for the infection and a computer connected to an affected RFID reader is thus susceptible to system infection.

If the traffic between the RFID reader and the tag is not encrypted, cloning a tag is, in most cases, a fairly straightforward procedure. An analogy can be made to a voice-activated security system: recording the genuine request-response exchange would generally allow imitating the response any time the request for that response is made. In the case of an RFID system, a device constructively similar to an RFID reader but more sensitive, with multiband capabilities and the ability to record and analyze recorded sessions, is placed close to an RFID tag during the exchange. The radio session is recorded, demodulated and stored for post-processing. Once the response of the RFID tag is isolated, it can be played back to the reader, effectively retransmitting an exact copy of the response from a legitimate tag. The cloning is complete. Similarly, interrogating a tag with a previously recorded, largely known original reader request could activate the tag and allow its response to be recorded away from the original reader. This allows cloning to occur simply by placing the session recording device within operating proximity of the tag.

Would such a recording device be readily available to the general public? The answer is yes. The architecture of an RFID recorder would generally be based on a Software Defined Radio (SDR). This type of radio device was originally proposed for use by the military in the late 1980s and early 1990s and then made its way to the public sector for use in cell phones and in medical and measuring equipment. The SDR samples the RF signal directly into the digital domain, allowing all post-processing, including demodulation, decoding, and any signal transformations, to be done in software. This configuration is extremely flexible and allows the use of different protocols, encoding, decoding and modulation schemes. This is possible because all the necessary processing is done in the supporting software, leaving the hardware modules unchanged.

Advances in Very Large Scale Integrated (VLSI) chipsets and high frequency electronics have made SDR solutions affordable. A number of designs have been created and made available for reproduction by anyone generally versed in electronics. One such device has been designed specifically for RFID security studies by Jonathan Westhues (http://cq.cx/proxmark3.pl) and is referred to by numerous RFID hacking communities. Another SDR implementation (http://hpsdr.org/), which is not specifically tailored to RFID needs but is extremely flexible since it can cover bands beyond the 13 MHz HF band (possibly including the 433 MHz, 865-956 MHz and 2.45 GHz bands), is the collaborative work of several individuals and is currently being actively developed and supported.

Is it possible to modify an RFID tag with some arbitrary information? Yes, it is. Acting as an RFID reader and following a defined protocol, an SDR device can relatively easily modify the information stored on a tag. It is also possible for an SDR device acting as a tag to simply present the desired information to an RFID reader. This last method even works for tags which cannot be written to - the tag is simulated by the SDR device and the actual tag is not even needed. Several successful proofs of concept have already been reported.

Some RFID system configurations can loosely be looked at as web-based user-input processing systems. An RFID reader could be compared to a web page which requires some user input, and the tag corresponds to the actual information provided by a user. Such a system may be susceptible to vulnerabilities targeting various layers of the back end software. For instance, the application responsible for acquiring or processing the user's input, the database engine, or the decision-making application layer could be susceptible. Most notably, it seems that some database engine vulnerabilities found to affect web-based input systems could be directly applied and exploited, thus affecting an RFID system as well. Most of the time the back end appears to be similar, if not exactly the same, for both of these system configurations.

There is also the possibility of crafting an attack where an exploit would allow the execution of malicious code stored on a tag. This could lead to an attacker gaining control of the back end infrastructure and possibly to the retrieval, loss or modification of sensitive information and costly downtime. It is also possible for such an attack to propagate itself, either through previously unaffected tags or by any other conventional means (such as mass mailing, shared drives or other removable media). Some basic proofs of concept have already been circulated on the web, and while they are still in their infancy and only work in a controlled lab environment, the development of such techniques might pose a real threat in the future.

Because of physical restrictions on the number of tags which can be placed in the proximity of an RFID reader, most RFID systems are generally not robust enough to defend against input overloads. Although certain algorithms exist for processing multiple tags placed in the proximity of the reader, such as walking a tree of tag IDs or a randomized poll for a bounced tag request, there are still a number of ways to disrupt an RFID service through RF interference. Creating interference on the carrier frequency of a reader will generally disrupt the radio frequency communication, affecting the quality of the modulated signal. Such an effect can be observed on a conventional radio when trying to tune to a weaker station which happens to share a carrier frequency with a more powerful station. Also, because the automatic gain control of a radio receiver is aimed at protecting its input circuits from signal overloads, the sensitivity of the receiver will be tuned down to accommodate the stronger signal, thus masking the weaker signal out.

In the case of encrypted RFID tags most of the attacks are not as trivial and require cryptanalysis in order to retrieve the key and the session's data. Making this viable could require substantial computing power. Because of the cost restrictions associated with tags, which affect their computational abilities, the key length is kept low, usually in the vicinity of 40 bits, and the encryption algorithm is generally kept obscure in the hope of thwarting cryptanalysis. But using obscure encryption algorithms unfortunately works to the advantage of an attacker most of the time. Unknown or specifically tailored encryption algorithms are unlikely to have been tested by the broader cryptanalyst community. Often, when these algorithms are later exposed, they are discovered to be weak or to contain flaws which can be exploited.

It appears that in most of these scenarios the security aspect of RFID designs is still a tradeoff between the cost of implementation or replacement and the probability of attacks carried out on any particular RFID solution. A practice which may be acceptable today might become very costly in terms of downtime and data loss once RFID solutions become widely adopted by industries and economically lucrative to attackers.
 
There are certain steps which might be taken to fortify RFID security.

  • Keep RFID tags RF shielded or disabled until actual use with the reader, essentially limiting exposure of the tag to the possibility of cloning or a cipher attack.
  • Use proven encryption algorithms. It is viable in the long run, despite the cost, to have all access control tags encrypted using proven encryption algorithms with larger keys (DES, RSA and so forth). While it might keep you at a door for a bit longer during the authentication process, it is definitely worth it considering the potential toll of a security breach.
  • Use a testing platform utilizing the SDR devices mentioned above to assess different configurations and possible security issues associated with an RFID solution - why wait until someone else uncovers and possibly uses a vulnerability in your design?
  • Provide robust input validation. This is the first and very important line of defense against vulnerabilities.
  • If security is paramount, combine RFID solutions with other means of access control, for instance biometric.
  • Have an RF SDR scanner listening in on the tag-reader exchange and validating the data and protocol against its internal database. A database of known attacks against such a configuration can act as an RFID intrusion detection system and possibly block malicious tags.
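The input-validation and scanner-side checks above, and the earlier comparison of a tag to untrusted web input, as an added example that is not part of the original article: a back-end lookup that splices tag data straight into SQL next to a hardened version that validates the tag-ID format and binds the value, plus a small monitor over decoded exchanges. The 24-hex-digit tag-ID format, the badge table and the sample exchanges are all assumptions constructed for this illustration.

```python
"""Added example: treat RFID tag data as untrusted input to the back end.
The tag-ID format, table layout and sample data are constructed assumptions."""
import re
import sqlite3

# Assumed tag-ID format: a 96-bit identifier rendered as 24 uppercase hex digits.
TAG_ID_RE = re.compile(r"^[0-9A-F]{24}$")


def is_valid_tag_id(tag_id: str) -> bool:
    """First line of defense: reject anything not matching the expected format."""
    return TAG_ID_RE.fullmatch(tag_id) is not None


def setup_db() -> sqlite3.Connection:
    """Constructed access-control table holding a single authorised badge."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE badges (tag_id TEXT PRIMARY KEY, holder TEXT)")
    conn.execute("INSERT INTO badges VALUES ('E2000017221101441890A0F2', 'alice')")
    return conn


def naive_lookup(conn: sqlite3.Connection, tag_id: str):
    """Tag bytes spliced into the query: the tag is the 'user input' here,
    so any SQL syntax carried on the tag becomes part of the statement."""
    row = conn.execute(
        f"SELECT holder FROM badges WHERE tag_id = '{tag_id}'").fetchone()
    return row[0] if row else None


def hardened_lookup(conn: sqlite3.Connection, tag_id: str):
    """Validate the format, then bind the value so it can only ever be data."""
    if not is_valid_tag_id(tag_id):
        return None
    row = conn.execute(
        "SELECT holder FROM badges WHERE tag_id = ?", (tag_id,)).fetchone()
    return row[0] if row else None


def monitor(exchanges):
    """Scanner-side check over decoded tag responses: return every exchange
    whose tag payload does not conform to the expected format."""
    return [e for e in exchanges if not is_valid_tag_id(e["tag"])]


# Constructed decoded exchanges; the second carries a malformed tag payload.
SAMPLE_EXCHANGES = [
    {"reader": "door-1", "tag": "E2000017221101441890A0F2"},
    {"reader": "door-1", "tag": "x' OR '1'='1"},
]
```

Running `naive_lookup` on the malformed sample returns the authorised holder while `hardened_lookup` returns nothing, and `monitor` flags that same exchange for the intrusion-detection side.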

While the technology may be relatively novel, its adoption by various industries should be considered with security in mind.
 
--Oleg Petrovsky