Radio-Frequency Identification Exploitation
Max “RIVAL”
www.siteofmax.com
[email protected]
Abstract

The aim of this paper is to discuss the principles behind Passive Radio-Frequency Identification and the principles behind its exploitation, as well as the practical methods that can be used to exploit RFID.

1. Introduction

RFID is everywhere. Most buildings that require people to authenticate themselves use Radio-Frequency Identification to do so. Many modern debit cards use it for quick and easy checkout at shops. Even travel cards and many passports use it. You would expect a large amount of consideration to go into the security of such an authentication method; however, this is not the case. As you can imagine, RFID is of interest to hackers for this exact reason, and although many people are aware of the security risks associated with it, very few vendors have designed a secure method of using RFID for authentication without the risk of a hacker eavesdropping on or spoofing another individual's data. Once you understand exactly how RFID works, you will understand why it is so simple to exploit and use to an attacker's advantage.

2. Principles of Passive RFID

RFID, as the name suggests, uses radio waves to transmit data. There are two parts to a Passive RFID system: a tag and a reader. Passive RFID tags, unlike active RFID tags, do not have their own power source, such as a battery. In fact, they remain completely powerless until they come within proximity of a source of power such as an active RFID reader. RFID tags contain two parts: the antenna and the RFID chip. Active RFID readers emit electromagnetic waves which are picked up by the RFID tag's antenna. The tag's antenna uses the energy collected from the wave to power the chip. When the chip receives power, it modulates a radio-frequency signal with the data contained within the RFID chip. The signal is picked up by the reader and the information is checked for validity. Most of the time, this is done through an internet database or a local database synchronized from an external source. Below is a diagram of this system.

[Figure: Tag -(Tag Data)-> RFID Reader -(Tag Data)-> Database; Access returned]

Above: RFID Diagram

3. Principles of RFID Exploitation

Exploiting RFID is not too far from how RFID normally works. The concept is simple: all we need to do is read the tag's data. To read the data we need an RFID reader. A long-range RFID reader can be built with an Arduino Pro Micro 5V or bought pre-built. Once this is done, it is possible to use an RFID writer to write to your own RFID tag and create a tag clone. This is known as a Replay Attack. However, there are things to consider when doing this:

• If the target's tag has both read and write capabilities, then protection via a token may be a possibility. An example is where a person's tag is read by the reader, the token sent is then changed, and the current token is overwritten on the tag.
• Some tags also have a built-in method that allows them to be shut down if the manufacturer or owner wishes.
• Remember that a lot of the time, data sent from the tag is actually secured via RSA encryption or a rolling code.

For a full view of RFID exploitation, we can't just look at the RFID tag itself; we have to look at the
reader. RFID readers have been known to suffer from denial-of-service vulnerabilities and even buffer overflow vulnerabilities that can be used to execute code on the system connected to the RFID reader.

Denial-of-service attacks can be easy to execute. The aim of a DoS attack on an RFID system is usually to disrupt service to a target or a group of targets [1]. A simple example of an RFID attack is to attach a non-working RFID tag's chip to the side of an RFID reader, thus permanently creating an error. This means that when a working RFID tag comes within proximity of the reader, the non-working chip is still causing the reader to think that something is wrong. This is also known as RFID collision.

The main vulnerabilities that we will cover in this paper will not be to do with disrupting service, but instead with exploiting the computer behind the RFID reader.

4. RFID Website Exploitation

Some RFID tags contain URLs to user pages that are checked via a web browser on the computer instead of directly via a database. The web browser used to view the URL result may be vulnerable to browser exploits or code injection. For example, getting the browser to go to a web page containing exploit code could be as simple as setting the tag's data to <script>document.location='http://exploit/';</script>

Other RFID tags contain data that is used as input to a web page. For example, the URL where the user's tag data, or in this case their user key, is input could be something such as http://site/check.php?usr=user_key, which could be vulnerable to XSS. The XSS vulnerability could be used to attack the RFID reader's machine via client-side JavaScript injection. Remember that SSI may also be used to exploit a server from the web interface by executing shell commands.

5. RFID SQL Injection

Databases are the main method of checking whether the user data is correct or not. Of course, because of this, SQL injection could be a problem. The problem arises because the input is not properly sanitized. For example, SELECT id FROM users WHERE key=%user_key% could cause an error if the tag's data was edited from mark20 to mark20' because the apostrophe means the final query would be SELECT id FROM users WHERE key='mark20''. This alone would produce an error; however, changing the string to mark'; would allow you to insert your own code after the previous query in order to access the database however you choose.

6. Buffer Overflows

Buffer overflows are the single biggest problem when it comes to operating system exploitation. They occur when more data is read than expected. In this case the problem is that the program that interacts between the RFID reader and the software has a buffer for a very limited amount of data. This size is usually determined by information written on the tag. However, the data that will be read could exceed this amount and thus result in a buffer overflow. If we know how much data is required to fill the buffer, we can append additional data that can allow us to execute code on the target machine. For example, once we have filled up the buffer on the tag, we can append the return address as the address +4 in order to jump to the data held on the stack (that we want to execute from). Next we can push the address of the command we want the system to execute onto the stack and then call the system function to execute it. Following this should be the command data with an appended null byte (the address of this is the address that you push onto the stack). Remember that the bytes on the tag will generally be in reverse order due to the little-endian architecture.

7. RFID Malware

Malware is the most common threat to computer users. However, when the item that is infected is something such as a bank database, it becomes a much bigger problem. RFID malware is possible because of the databases the readers are connected to. This in itself links in with what we learned in the SQL injection section. SQL injection isn't just used to get information on another user but can be used for executing commands from the reader's computer. Buffer overflows, as mentioned before, can do this; however, you may only have database access. The EXEC command comes in handy for this use. An example of executing shell commands from the database would be EXEC xp_cmdshell 'dir'; which will create a listing of files on the computer. Knowing this, you can assume that it is now possible to use other tools on that computer, for example creating a new user on the system and connecting to it via Remote Desktop Connection. If the computer running the database is using Linux, it is also possible to execute the wget
command in order to download a file from an external file server.

8. Countermeasures against attackers

1. Data Locking – Data locking works by the tag not sending its real data until the reader provides the correct hash associated with the tag. Simply, the tag first sends out a hash that is detected by the reader. The reader obtains the hash and compares it to a database of hashes and keys. A key is then sent back from the reader to the tag, and if the associated key is correct, the tag sends its real data out. This works because anybody scanning for RFID tag data will only receive the tag's hash, and when the tag does not receive a response back containing a correct key, the data is not sent out [2].

[Figure: Tag <-(Tag Hash / Tag Key / Tag Data)-> RFID Reader <-(Tag Hash / Tag Key / Tag Data)-> Database]

Above: Data Locking Diagram

2. Singulation (Selective Blocker) – Singulation protocols are used to combat the RFID collisions mentioned earlier that can cause denial-of-service problems. A common protocol for singulation is the Silent Tree Walking Protocol [3]. Instead of the database being stored in tables and rows, it is stored as a tree of 1s and 0s. The tag's data is read bit by bit by the RFID reader and the computer system behind it traverses the tree. When multiple tags are within range, the RFID reader queries all the tags about the next bit in the pattern. For example, there may be two tags that start with 0. The reader may ask which tag starts with 01 and one of the tags may respond. A problem with this method is that the RFID reader can leak a considerable amount of information on the tag; however, a researcher at MIT has produced a modified form of the silent tree walking protocol that solves this problem.

[Figure: binary tree with root branches 0 and 1 and leaves 00, 01, 10, 11]

Above: Tree-Walking Diagram

3. Encryption – As mentioned before, encryption is the most obvious way to secure data between the tag and the reader. This can be done well with an asymmetric or symmetric key algorithm. For example, the tag sends the reader its unique ID. The reader then sends a random number to the tag, encrypted with the tag's unique encryption key. The tag then decrypts it with the other key (asymmetric) or the same key (symmetric) and then sends it back to the reader. The reader then checks that the decrypted number is the original number and allows the tag's ID to be authenticated. The reason this works is that if an attacker were to intercept the tag's ID, they would not be able to use it without obtaining the tag's private key, and the only way for an attacker to do that would be to physically obtain the tag and disassemble it in order to read the area of memory the private key is stored in.

9. Conclusion

In this paper we have shown that Radio-Frequency Identification can be a larger security risk than most corporations and individuals realize. Even methods of protection such as data locking can still allow direct access to the database, meaning that SQL injection and remote command execution are definitely still a possibility. Not only can these vulnerabilities be a problem for the systems behind the RFID readers, but they are also a risk for the users who have their private information stored within that database. The most important point in this paper is that RFID exploitation has been shown to be a broad subject, and one that we have only just touched upon. Hopefully, in time, RFID vulnerabilities will become an obsolete problem for users and companies.

10. References

[1] MohammadHassan Habibi, Mahmud Gardeshi, Mahdi R. Alaghband, “Practical Attacks on a RFID Authentication Protocol Conforming to EPC C-1 G-2 Standard”, International Journal of UbiComp (IJU), January 2011, pp. 1-3.

[2] Vaibhaw Dixit, Harsh K. Verma, Akhil K. Singh, “Comparison of various Security Protocols in RFID”, International Journal of Computer Applications (0975 - 8887), June 2011, pp. 3-4.

[3] Smart Border Alliance, “RFID Security and Private White Paper”, pp. 8.
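Added example for section 5, RFID SQL Injection (this code is not part of the original paper). It reproduces the users/id/key lookup the section describes in two forms: the query built by splicing the tag data into the SQL text, and the same lookup with a bound parameter. The in-memory SQLite database, the user id 7 and the key allow-list are constructed for the example; the tag values mark20 and mark20' come from the paper. The allow-list check also covers section 4, where the same tag data ends up in a URL such as check.php?usr=... and in a web page.

```python
import re
import sqlite3

# Constructed sample database: the users table from section 5, holding one
# legitimate user whose tag carries the key "mark20". The id value 7 is made up.
def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, key TEXT NOT NULL)")
    conn.execute("INSERT INTO users (id, key) VALUES (7, 'mark20')")
    conn.commit()
    return conn

def lookup_vulnerable(conn, user_key):
    """Builds the query the way section 5 describes: key=%user_key% spliced into
    the SQL text. The tag data is trusted verbatim, so a quote in it changes the
    structure of the query instead of being part of the value."""
    sql = "SELECT id FROM users WHERE key='%s'" % user_key
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def lookup_parameterized(conn, user_key):
    """Same lookup with a bound parameter: the driver passes the tag data as a
    value, never as SQL text, so mark20' is simply a key that matches nobody."""
    row = conn.execute("SELECT id FROM users WHERE key=?", (user_key,)).fetchone()
    return row[0] if row else None

# Hypothetical allow-list for what a tag key may look like; adjust to the real key format.
KEY_FORMAT = re.compile(r"^[A-Za-z0-9]{1,32}$")

def is_well_formed_key(user_key):
    """Defence in depth for sections 4 and 5: reject tag data that is not a plain
    key before it reaches a query, a URL parameter, or an HTML page."""
    return KEY_FORMAT.match(user_key) is not None

def probe(fn, conn, user_key):
    """Run a lookup and report either the id found or the error class raised."""
    try:
        return ("ok", fn(conn, user_key))
    except Exception as exc:
        return ("error", type(exc).__name__)

if __name__ == "__main__":
    db = build_sample_db()
    for key in ("mark20", "mark20'", "mark';"):
        print(repr(key), is_well_formed_key(key),
              probe(lookup_vulnerable, db, key), probe(lookup_parameterized, db, key))
```

With the tag data mark20' the spliced query fails exactly as the paper says it would (the driver reports an unrecognized token), while the parameterized query runs and simply finds no user. The allow-list rejects both modified tag values before any query is built.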
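Added example for section 6, Buffer Overflows (not part of the original paper). The section says the buffer size is usually taken from information written on the tag and that the data read can exceed it. This parser shows the check that prevents that on the reader side: the declared length (stored little-endian, as the section notes) is compared with both the fixed buffer and the bytes actually present before anything is copied. The frame layout, the 16-byte buffer size and the sample frames are all constructed for the example.

```python
import struct

# Hypothetical size of the fixed buffer the reader-side program copies tag data into.
BUFFER_SIZE = 16

def parse_tag_frame(frame):
    """Parse a constructed tag frame: a 2-byte little-endian payload length followed
    by the payload. The declared length is validated against the fixed buffer and
    against the bytes actually present, so an oversized claim is rejected instead
    of being copied past the end of the buffer."""
    if len(frame) < 2:
        raise ValueError("frame too short to hold a length field")
    (declared,) = struct.unpack("<H", frame[:2])   # little-endian, as stored on the tag
    payload = frame[2:]
    if declared > BUFFER_SIZE:
        raise ValueError("declared length %d exceeds %d-byte buffer" % (declared, BUFFER_SIZE))
    if declared > len(payload):
        raise ValueError("declared length %d but only %d payload bytes present"
                         % (declared, len(payload)))
    return payload[:declared]

def accept_frame(frame):
    """Return the payload, or None when the frame is rejected."""
    try:
        return parse_tag_frame(frame)
    except ValueError:
        return None

if __name__ == "__main__":
    good = b"\x06\x00" + b"mark20"          # declares 6 bytes and carries 6
    oversized = b"\x40\x00" + b"A" * 64     # declares 64 bytes: more than the buffer holds
    lying = b"\x08\x00" + b"abc"            # declares 8 bytes but carries only 3
    for frame in (good, oversized, lying):
        print(accept_frame(frame))
```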
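Added example for section 8, countermeasure 2 (Singulation), not part of the original paper or of the cited protocol specification. It simulates plain binary tree walking over a set of tags in range: the reader broadcasts a prefix, descends only into subtrees where some tag answers, and singles a tag out when it reaches a full ID. The query log shows the leak the section refers to: a listener who hears only the reader's side still learns every full-length prefix the reader asked about. The tag IDs are constructed 4-bit values.

```python
def tree_walk(tag_ids, id_bits, query_log=None):
    """Binary tree walking over a set of tag IDs given as fixed-width bit strings.
    The reader asks "does any tag in range have prefix p?" and descends only into
    subtrees that answer; a tag is singulated when its full ID is reached.
    Every prefix the reader broadcasts is appended to query_log when one is given."""
    def any_tag_with_prefix(prefix):
        # Simulated broadcast query: every tag whose ID starts with prefix replies.
        return any(t.startswith(prefix) for t in tag_ids)

    found = []

    def walk(prefix):
        if query_log is not None:
            query_log.append(prefix)
        if not any_tag_with_prefix(prefix):
            return                      # empty subtree, nothing to single out
        if len(prefix) == id_bits:
            found.append(prefix)        # a complete ID: this tag is singulated
            return
        walk(prefix + "0")
        walk(prefix + "1")

    walk("")
    return sorted(found)

def ids_visible_in_log(query_log, id_bits):
    """What a listener who hears only the reader's (much stronger) signal learns:
    every full-length prefix the reader asked about is a candidate tag ID."""
    return sorted(p for p in query_log if len(p) == id_bits)

if __name__ == "__main__":
    log = []
    print(tree_walk({"0010", "0110", "1101"}, 4, log))   # constructed tag IDs
    print(len(log), "queries:", log)
    print("leaked to a listener:", ids_visible_in_log(log, 4))
```

With three tags the reader needs 19 broadcasts, never enters the empty 10 subtree, and in doing so announces the full IDs of all three tags to anyone within range of the reader. This is the property the silent tree walking variant cited in the section is designed to remove.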
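Added example for section 8, countermeasure 3 (Encryption), and for the clone and replay concerns of section 3; it is not part of the original paper. The paper describes a challenge-response exchange: the tag sends its ID, the reader sends a random number protected with the tag's key, the tag transforms it and sends it back, and the reader checks the result. This simulation keeps that exchange but swaps in HMAC-SHA256 over the ID and the random challenge as the keyed function, which is available in the Python standard library. The tag ID, the 32-byte key and the key database are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed key database: the reader's table of tag IDs and their secret keys.
TAG_KEYS = {b"TAG-0001": b"\x11" * 32}

class Tag:
    """A tag holding a secret key it never transmits; it only answers challenges."""
    def __init__(self, uid, key):
        self.uid = uid
        self._key = key

    def respond(self, challenge):
        # Swapped-in keyed function: HMAC-SHA256 over (uid, challenge) stands in for
        # the paper's "decrypt the random number with the tag's key and send it back".
        return hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()

class Reader:
    """Issues a fresh random challenge per session and checks the answer with the key on file."""
    def __init__(self, key_db):
        self._keys = key_db
        self._pending = None

    def challenge(self):
        self._pending = secrets.token_bytes(16)   # fresh nonce: a recorded answer cannot be reused
        return self._pending

    def verify(self, uid, response):
        key = self._keys.get(uid)
        nonce, self._pending = self._pending, None   # each challenge is single use
        if key is None or nonce is None:
            return False
        expected = hmac.new(key, uid + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def authenticate(reader, tag):
    """Full exchange: tag presents its ID, reader challenges, tag answers, reader verifies."""
    return reader.verify(tag.uid, tag.respond(reader.challenge()))

def run_demo():
    reader = Reader(TAG_KEYS)
    genuine = Tag(b"TAG-0001", TAG_KEYS[b"TAG-0001"])
    clone = Tag(b"TAG-0001", b"\x00" * 32)          # copied the ID (section 3) but not the key
    # A listener records one complete exchange of the genuine tag.
    recorded_challenge = reader.challenge()
    recorded_response = genuine.respond(recorded_challenge)
    reader.verify(genuine.uid, recorded_response)
    # Replaying the recorded response against a new challenge fails.
    reader.challenge()
    replay_ok = reader.verify(genuine.uid, recorded_response)
    return {
        "genuine": authenticate(reader, genuine),
        "clone_without_key": authenticate(reader, clone),
        "replayed_response": replay_ok,
        "unknown_id": authenticate(reader, Tag(b"TAG-9999", b"\x11" * 32)),
    }

if __name__ == "__main__":
    for case, result in run_demo().items():
        print("%-20s %s" % (case, "accepted" if result else "rejected"))
```

Only the genuine tag is accepted. A clone that copied the ID over the air fails because the key never leaves the tag, and a recorded response fails because the reader never reuses a challenge, which is the property that defeats the replay attack of section 3.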