Dan Kaminsky's Blog

This post was written in reaction to this Slashdot story about Gilette’s agreement to purchase half a billion RFID tags from the eminently fascinating and quite well named Alien Technology. I’d probably be rather annoyed at the name of the company if I hadn’t watched their video regarding Fluidic Self Assembly…but lets just say they earned the name. Building LCD screens, a pixel at a time. Whoa.

Interesting. I just started doing some preliminary research on the security of RFID badge readers, based off of hazy memories that somebody had shown they were absolutely trivial to capture and replay.

Haven’t been able to find that paper yet, but I can tell you what I’ve seen ain’t great. Here’s the story:

RFID stands for Radio Frequency Identification, and is essentially a Tesla-esque hack to allow contactless, bidirectional storage of small amounts of data on trivial circuits powered by the reader infrastructure itself. It’s most commonly deployed nowadays as a replacement for magnetic-swipe oriented systems, as the lack of an exposed data surface and the absence of contact during scanning make RFID astonishingly reliable. The functionality is quite compelling, as Gilette’s mass purchase shows — what if you never needed to do inventory? What if you could just have a few sensors throughout your warehouse do a “mass ping” and acquire from the mass of replies precisely what needs to be restocked?

And it would only take a few sensors, too. Badge readers may only provide a few inches range, but there was a pretty big fuss a while back about RFID becoming functional at nine meters. At that point, you’re quite a bit beyond the forklift knowing precisely what it’s carrying. It’s pretty clear that Gilette will make its $50M back within a year.

Oddly enough, Inventory Tracking is much, much better use of RFID than as a badging technology, even though the latter remains much more common than the former. Badging, like all trust management systems, attempts to differentiate the few who are trusted from the many that aren’t.

The problem is, the many that aren’t trusted aren’t trusted for a reason — they’ll spy, they’ll steal, they’ll break stuff. Against that backdrop, mounting an attack against the security system isn’t particularly unimaginable — and here’s where things get problematic.

You see, RFID tags make 802.11 look like Alcatraz.

Passive RFID systems are powered by the outside world — the evil demon of Cartesian yore is handing over the battery. Given a cooperative RF field, the chip spews the same bits, over and over and over again.

When an employee is standing in front of the legitimate badge reader, this is a good thing. When an employee is sitting on the subway on his way to work and some guy walks by with a power source and 13.56Mhz sniffer in his briefcase…well, I guarantee you that briefcase ain’t going to beep “Thank you for your access credentials, I’ll be you now.” All the attacker needs to do is forge a standard plastic badge and covertly trigger a transmitter when approaching the door — there’s no way for anyone to know the badge wasn’t the source of the RFID transmissions!

Just because your badge reader only works from a few inches away doesn’t mean anyone’s reader will. If all I need to do to get access to your entire corporate infrastructure is sit in the lobby “waiting for someone” as your CEO strolls by, you don’t actually have a security system. You just have doors 🙂

Now, I’ve got my suspicions of whether magnetic strips can be read at a distance, but to be honest, I’m more than willing to concede that it’s a longshot at best (and a hilariously laughable descent into paranoia at worst). But RFID is not the kind of technology people should be carrying around with them at all times, assuming that as long as they still have their card, they still have the value the card represents.

To be fair, it’s an extraordinarily difficult problem for TI et al to solve: The chips are necessarily trivial — they’re *powered* by the sensors, for crying out loud. Not only is it nearly impossible to build any kind of cryptosystem into a chip that small and weak, but the system itself would remain utterly defenseless against electrical skullduggery: Manipulating a chip’s power source is one of the definitive ways of divining its cryptographic secrets, as Satellite TV hackers have been pointing out for quite some time.

Security hasn’t been left completely unaddressed by the RFID industry; they’re well aware of the problems and have attempted some manuevers to compensate. As mentioned, some RFID systems can be both read and written to. This would be perfect for creating a “universal badge” that could spoof any identity without even a separate transmission system that could be examined and recognized. So what some companies have done is create a 64 bit region that cannot be modified and remains unique to the badge itself. So you use those 64 bits as a badge identifier that authenticates the rest of the data, and trust that your vendor will never release a badge that either a) repeats identifiers (unlikely, 2^64 is a very large number) or b) can have its identifier changed.

Of course, they can’t do anything about c) somebody hacks together their own badge that doesn’t play by the same arbitrary restrictions.

Now, I could get up and say “Oh my god! You just can’t do this, it’s horrifyingly insecure, just use IPSec/SSH er wait wrong wireless technology…”

But that wouldn’t be useful. Maybe this might be:

There are some techniques that can minimize the exposure from insecure RFID badge authentication systems. Exploiting the Read/Write capacity is moderately elegant and requires only a badging infrastructure that supports RW. Essentially, every time somebody attempts to enter the secure facility and provides a valid bitstream from their badge, upload a new unique bitstream and verify the badge accepted it. This reduces the window of opportunity for an attacker and significantly increases their risk of discovery, since now the bits they steal today will stop working the moment the legitimate employee uses their badge next. Furthermore, if the attacker does manage to get to a badge reader before the employee returns for another update cycle, he has two major problems: First, his equipment must be minorly more complex, because it must inform the system that it has completed updating its internal RAM with the new (possibly cryptographically signed) bitstream. This is only a minor deterrent; having the equipment to spoof the badge reader means you likely have the equipment to read from one too. Second, and more importantly, because the interloper cannot control the bitstream submitted by the reader and expected upon next examination, the legitimate card will possess an out-of-date bitstream, allowing Security to discover the unauthorized entry.

That works OK. Not great — especially if badge access translates into an ability to hack the central authentication server to accept whatever bits the legitimate card originally had — but OK. Really, once the attacker gets access to the card’s bitstream, it’s game over.

So, lets prevent that. RFID may be contactless but that doesn’t mean the badges themselves are — they’re attached to a living, breathing, thinking human being. One with fingers. Fingers that, for the last hundred thousand years or so, have had the ability to pinch two things together, like contacts inside a card. “Pinch here to activate badge”, if you will. Just embed a cheap “squeeze sensor” into the card such that two contacts need to be forced together for the card to respond to the RF power source. It’s cheap, it’s easy, and it can be designed to fail towards functionality or security (i.e. the contacts either can’t be separated or can’t be attached).

I did see some mention of work to embed cryptographic constructs into Passive RFID systems; one paper pointed out that hash algorithms can be made using very little silicon, so having the card read some value from the badge reader and return a that value hashed with a shared secret can be a valid solution. As I pointed out earlier, these things are *so* vulnerable to power assult that any shared secret inside of them wouldn’t last for long. (It’s the kind of thing where you run some data through and you look at which gates are glowing — thus you see which memory blocks are 1 and which are 0.) But this type of analysis usually requires physical access to the security card much greater than simply walking past the mark, so there’s a definite win. Plus the system is inherently immune to replay attack because the output of the card is dependant upon the particular input of a given badge reading. Excellent — if it works(and the hash is cryptographically secure, not CRC-32!).

Of course, this is all mildly off topic. Gilette’s security posture is vastly different; they’re more worried about five finger discounts and overly optimistic projections than they are about a rogue batch of razor blades sneaking in the back door! But since we’re only a precious little amount of time away from the definitive displays of RFID remote compromise, I thought it worthwhile to go into some depth about the security concerns of RFID.

I quickly added the following addendum:

Small update.

Alien is using 915mhz/2.45ghz. I assumed they were using the tech described here:

13.56 MHz Frequently Asked Questions [ti.com]

There’s no shortage of equipment that can capture and transmit on these frequencies; cordless phones do analog work in this domain all the time. But, again — Alien is not trying to do badging, they’re trying to do inventory control.

Very, very different problems. Worst case scenario is that a competitor drives by your facility and gets the same realtime updates of your inventory that you do.

The post brought on several interesting replies; the thread is worth reading. Notably, one anonymous
poster described how to build a low power, surprisingly high security system provided relatively
large amounts of storage. (NOTE: I didn’t write the following.

The chips are necessarily trivial — they’re *powered* by the sensors, for crying out loud. Not only is it nearly impossible to build any kind of cryptosystem into a chip that small and weak

I’m not an electrical engineer, but it seems like without using too much power (and I believe power is the only significant limiting factor for some applications), you could throw a shift register (for decoding serial data) and a ROM onto the RFID chip. You fill the ROM with random data, and you have the scanner transmit an address. Then look up the address and transmit the data you find there. Basically, it’s a single-use password. As I understand it, you can build a ROM without any transistors at all, and thus presumably with very low power consumption. (Power consumption not proportional to the capacity of the ROM, that is.)

Obviously, it would be possible to eventually uncover the contents of the ROM just by pinging it wirelessly, but that would take quite a while if the ROM contains a few megabits of random data. Especially if build in a delay that only allows one scan response every minute. (You could pull that off not with a clock but with some kind of hardware-based delay, like a capacitor.)

Still, you might say, someone might spend 20 minutes next to you on the train and discover 10% of the ROM’s contents, and then they’d have an 0.1 (10%) probability of being able to use your ID to gain access to something. If this not good enough, then have the scanner transmit 15 random addresses in a row and require 15 correct responses from the ROM. If you know 10% of the ROM’s contents, your chances of getting all 20 right are 0.1 ^ 15, or about 0.0000000000001%. Seems safe enough to me. Even if you have 50% of the contents of the ROM, your chances are still only about 0.003%. For extra added protection, it might be feasible to have the device track which random data has/hasn’t been broadcast so that the device is eventually “used up”.

He’s right — and the use of a capacitor is an amusing “poor man’s lockout”. But it does require
a decent amount of storage capacity.
“Ellbee” describes the standard method by which the industry trades unavailable storage capacity
for difficult but feasible computational power:

Protecting against replay attack will become easy as the technology improves. The standard technique is to bury a “secret” (serial number) on the RFID tag, then use a series of yes/no challenges which the tag has to answer correctly using its secret until the reader is convinced of the tag’s authenticity – the more questions asked, the more sure the reader is. The “secret” is never transmitted.

This requires slightly more complicated circuitry on the tag, but nothing out of the realm of near-future possibility.

There’s quite a bit of cryptography that operates like Ellbee describes; certainly it could be
pressed into service. Above is a reference to some of the ways that Zero Knowledge systems work;
the protocol is chatty but leaks very little to no information about the secret. An alternative
approach allows for offline attacks that shouldn’t be relevant in this context: CHAP. The reader
provides a random value called a nonce; the card hashes the nonce with the secret and broadcasts
the combined hash. It’s open to offline attack, which is a problem when this technique (used in CHAP)
is meant to secure passwords — the limited capacity of the human mind to recall complex entropy
amongst arbitrary characters means that offline brute force attacks become reasonable, even
trivial. Badges, however, can trivially remember the 16 to 20 bytes needed to obviate the offline
brute force.

There’s a major push to deploy RFID’s as a replacement for UPC barcodes, referred to as ePC.
Barcodes save supermarkets dump trucks of cash; there’s a real attempt to move beyond even the need
to scan an item via Line of Sight. Alien’s working on different tech, but here’s what’s being suggested:

The Auto-ID system that Alien Technology is (ed: NOT) implementing supports 96 bits of data, apparently read only. They are attempting to deploy the next generation of UPC Barcodes, something they’re calling ePC. Some good information about the tech can be found here:

Introduction to Auto-ID.

The 13.56mhz spec that appears to be used for badge reading supports 2048 bits, with 64 being read-only. It’s irrelevant to encrypt this data, not because the space is small (encryption does not necessarily expand the size of your data) but because you don’t need to understand what you’re replaying in order to replay it.

I walk next to you on a train, spit out power, sniff some bits, and spit out the bits when I’m nearby your badge reader. Poof. I win.

Again, I need to emphasize that while this use of RFID — inventory control — does have some creepy personal and corporate privacy issues, it’s nothing at all like the situation with badges.

There is the Legitimate Counterfeit issue, though. Large US currency now contains a magnetic strip to authenticate its validity. People were talking about using that strip to detect whether or not a bill was real. Well, there’s a problem — the strip is almost invisible to the naked eye, but can be easily removed without rendering the actual bill in any way, shape, or form visibly molested. So you’ve got this disturbing corner case where an attacker can strip the value from a twenty, attach it to a counterfeit bill, and still have a completely legitimate looking original on his hands. So, end result has been that as far as I know nobody uses the strip as a final arbiter of whether currency is real or not.

The equivalent problem with ePC is that you can tell when a UPC has been rendered inoperable, because it’s just a visual series of stripes on paper. We’re good at seeing stripes — we’re *not* good, however, at seeing RF bitstreams. At the end of the day, people are buying goods, not codes — but the issue of the two being separated can be problematic.

It was pointed out that the strip is not magnetic, merely plastic w/ UV reflectance. My mistake.