
Understanding RFID Technology and Its Security Implications

Author: Riscure Team

In this article, our team delves into the intricacies of RFID technology, highlighting its various applications while uncovering potential security implications that may be present within these systems.

Radio Frequency Identification (RFID) is a radio-based tag technology used across industries. It has many applications in daily life, including, but not limited to:
  • Contactless payments
  • Casino chips with embedded tags
  • Luggage tracking
  • Point-of-sale solutions
  • Intelligent transportation systems
  • Access control
  • Animal identification
  • Tracking goods in supply chains across aerospace, defense, manufacturing, consumer packaged goods and pharmaceuticals
For a basic understanding, let's subdivide RFID into low-frequency (LF, 125 kHz) and high-frequency (HF, 13.56 MHz). Longer-range tracking applications such as luggage and supply-chain tags mostly use a third band, UHF (860 to 960 MHz), which is outside the scope of this article.
  • High-frequency devices face the deepest scrutiny from the security community because they are used for security-critical applications, like making payments. They typically support cryptographic operations and authentication, work over a short distance (a few centimetres), and use more complex protocols than low-frequency devices.
  • Low-frequency devices are typically used for less security-critical applications, like legacy access-control badges and animal identification. Many LF tags simply transmit a fixed identifier whenever a reader powers them, with no authentication at all, which is what makes them easy to clone.
Common Attack Scenarios

Common attack scenarios against RFID devices are cloning, traffic sniffing and manipulation, reverse engineering, data manipulation, denial of service, fault injection, and side channel analysis. So, how does one execute these attacks? 

The list of ready-made security assessment tools that can execute these attacks is so long that we recommend checking out a recent discussion of them from SAINTCON 2023. While tools like the Proxmark and Chameleon have been known to penetration testers, developers, and hobbyists for years, newer tools like the Flipper Zero have been featured heavily on social media. This has led to public concern about their availability and ease of use, including a proposal to ban them in Canada.

How RFID Works

Let's explore a little more about how RFID works. A common architecture consists of the RFID device (the tag), a reader it interacts with, and a backend that the reader communicates with. Tags receive power in different ways depending on their application. An active tag, such as a tracker, carries its own battery and can transmit continuously. A passive tag is powered by the reader's field and only operates, and only consumes power, while it is being read. An attacker can step into any of these roles depending on their goals, impersonating the tag, the reader, or a backend service.

Security Implications

Imagine a scenario in which you want to access a building you aren't authorized to enter. Access control is based on a badge system using low-frequency RFID badges: whenever a reader powers a badge, the badge transmits its identifier, and the door reader unlocks if that identifier is on its list. If you can identify someone with a badge and find a situation in which you can get close to them, you can carry a concealed rogue reader that powers their badge and records its identifier, exactly as the door's reader would. Writing that identifier to a blank tag, or replaying the recorded signal with a tool like the Proxmark, then makes the door reader behave as if the legitimate badge were presented. You can use the capture yourself, or send it to a collaborator who presents it at the door. Because the badge sends the same fixed data every time, a recording is enough; this is a replay (or cloning) attack. If the badge instead answered a challenge from the reader, a recording would be useless, but the collaborator could still forward the door reader's live challenge to you, standing next to the badge holder, and send the badge's answer back in real time: that is a relay attack. In either case, impersonating the reader and the RFID device are combined to gain access to a locked facility.
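The exchange described above, as an added example that is not part of the original article: a Python simulation of a fixed-ID 125 kHz badge beside a challenge-response tag. The EM4100 frame layout used for the fixed-ID badge (nine header bits, ten rows of four data bits plus even parity, four column-parity bits and a stop bit) is a real LF format; the tag and reader classes, the 40-bit ID, the key and the HMAC-based response are constructed for the demonstration and do not describe any particular product.

```python
"""Simulated 125 kHz badge exchanges: fixed-ID replay vs. challenge-response.

Added illustration, not code from the Riscure article. The EM4100 frame layout
is a real LF format; the tag/reader classes, the ID, the key and the
HMAC-based response are constructed for this demo.
"""
import hashlib
import hmac
import os


def em4100_encode(tag_id: int) -> str:
    """Build the 64-bit EM4100 frame for a 40-bit ID as a '0'/'1' string."""
    assert 0 <= tag_id < (1 << 40), "EM4100 IDs are 40 bits"
    nibbles = [(tag_id >> (4 * (9 - i))) & 0xF for i in range(10)]
    bits = "1" * 9                                       # header: nine 1s
    for n in nibbles:
        row = f"{n:04b}"
        bits += row + str(row.count("1") % 2)            # even row parity
    for c in range(4):                                   # even column parity
        bits += str(sum((n >> (3 - c)) & 1 for n in nibbles) % 2)
    return bits + "0"                                    # stop bit


def em4100_decode(bits: str) -> int:
    """Parse a frame, verifying header, row/column parity and stop bit."""
    if len(bits) != 64 or bits[:9] != "1" * 9 or bits[63] != "0":
        raise ValueError("bad header or stop bit")
    nibbles = []
    for r in range(10):
        start = 9 + 5 * r
        row = bits[start:start + 4]
        if int(bits[start + 4]) != row.count("1") % 2:
            raise ValueError(f"row {r} parity error")
        nibbles.append(int(row, 2))
    for c in range(4):
        if int(bits[59 + c]) != sum((n >> (3 - c)) & 1 for n in nibbles) % 2:
            raise ValueError(f"column {c} parity error")
    return int("".join(f"{n:04b}" for n in nibbles), 2)


class FixedIdReader:
    """Door reader that unlocks for any intact frame carrying an enrolled ID."""

    def __init__(self, enrolled):
        self.enrolled = set(enrolled)

    def present(self, frame: str) -> bool:
        try:
            return em4100_decode(frame) in self.enrolled
        except ValueError:
            return False


def fixed_id_attack(victim_id: int) -> bool:
    """Rogue reader powers the badge, records the frame, replays it at the door."""
    door = FixedIdReader([victim_id])
    captured = em4100_encode(victim_id)   # exactly what the badge radiates
    return door.present(captured)         # True: the recording is the credential


class ChallengeResponseTag:
    """Tag that proves key knowledge by answering a reader nonce (constructed)."""

    def __init__(self, key: bytes):
        self._key = key

    def answer(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()[:8]


class ChallengeResponseReader:
    """Reader that sends a fresh random nonce and checks the tag's answer."""

    def __init__(self, key: bytes):
        self._key = key

    def authenticate(self, respond) -> bool:
        nonce = os.urandom(8)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()[:8]
        return hmac.compare_digest(respond(nonce), expected)


def replay_attack(key: bytes) -> bool:
    """Replay a previously recorded answer: fails, the nonce is never reused."""
    tag, door = ChallengeResponseTag(key), ChallengeResponseReader(key)
    recorded = tag.answer(os.urandom(8))       # sniffed from an earlier exchange
    return door.authenticate(lambda nonce: recorded)


def relay_attack(key: bytes) -> bool:
    """Forward the live nonce to the real tag: succeeds, the tag is genuine."""
    tag, door = ChallengeResponseTag(key), ChallengeResponseReader(key)
    return door.authenticate(lambda nonce: tag.answer(nonce))
```

The parity bits in the EM4100 frame catch transmission errors, not attackers: a rogue reader records a valid frame and the door accepts it unchanged. Challenge-response stops that replay, but the relay function shows why it does not stop an attacker who can reach the genuine tag in real time; only distance bounding or the holder's vigilance helps there.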

Another RFID attack combines denial of service with cloning. Consider a thief who wants to steal a personal item fitted with an active RFID tracking tag. Because the tag draws power from a built-in battery, it keeps transmitting wherever the item goes, so the attacker will look for ways to cut its power, remove it, or jam its signal. If the tag cannot be removed, the attacker can still buy time to get away: read the tag with a rogue reader, write the same data to a second tag, leave that clone in place so the tracking backend keeps seeing the tag it expects, and put the item in a Faraday bag so the original falls silent.

RFID has become a useful tracking technology in many industries, and one of its newer applications is, perhaps surprisingly, in the gambling industry. Embedding a tag in each casino chip lets the establishment verify every chip it handles against its own records, which makes counterfeiting far harder. The key is not simply putting RFID into the chips; it's designing the whole architecture, from chip to reader to backend, to resist attacks on the hardware. With authentication between tag and reader and properly protected keys, the casino can ensure that only chips it issued are accepted, rather than anything that merely carries a copied identifier, and so keep RFID effective at preventing counterfeiting.

Attacks on high-frequency devices like smart cards can be more complicated because these devices have faced far more scrutiny. Take the common scenario of paying for an item and removing your card before the transaction completes. Usually this simply aborts the transaction: nothing was charged and the card's data wasn't altered. But an insecure implementation can be vulnerable to a type of fault injection known as a tear-off attack. Under the hood, a transaction both reads data from the card and writes data to it, and because the card is powered by the reader's field, pulling it away at the right moment cuts power in the middle of a write. If the card updates its memory in place, the value being written (a purse balance, a counter) or critical security parameters stored alongside it can be left half-written, and an attacker can choose that moment deliberately. Properly designed cards make every update transactional, so that it either completes or rolls back. For details about the potential of this attack, check out this in-depth blog post on tear-off attacks.
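The difference between an in-place update and a transactional one, as an added example that is not from the Riscure article or from any card operating system: a Python model of a card EEPROM that can lose power after any byte, a purse that overwrites its balance in place, and a purse that commits each update into one of two journaled slots. The EEPROM model, slot layout, byte order, commit marker and balances are constructed for the illustration.

```python
"""Tear-off on a stored-value purse: in-place update vs. journaled commit.

Added example; not code from the Riscure article or from a real card OS. The
EEPROM model, purse layouts, byte order and values are constructed.
"""
import binascii


class TearOff(Exception):
    """Raised when the reader field is lost mid-write (card pulled away)."""


class Eeprom:
    """Byte-wise NVM. tear_after=N makes power fail after N bytes are written."""

    def __init__(self, size: int, tear_after=None):
        self.mem = bytearray(size)
        self.tear_after = tear_after

    def write(self, addr: int, data: bytes) -> None:
        for i, b in enumerate(data):
            if self.tear_after is not None:
                if self.tear_after == 0:
                    raise TearOff()
                self.tear_after -= 1
            self.mem[addr + i] = b


class NaivePurse:
    """Balance is a 4-byte little-endian counter overwritten in place.

    Byte order is chosen so a torn debit leaves the low byte new and the high
    bytes old; with the opposite order the customer, not the issuer, loses."""
    ADDR = 0

    def __init__(self, ee: Eeprom, balance: int):
        self.ee = ee
        ee.write(self.ADDR, balance.to_bytes(4, "little"))

    def balance(self) -> int:
        return int.from_bytes(self.ee.mem[self.ADDR:self.ADDR + 4], "little")

    def debit(self, amount: int) -> None:
        new = self.balance() - amount
        if new < 0:
            raise ValueError("insufficient funds")
        self.ee.write(self.ADDR, new.to_bytes(4, "little"))   # not atomic


MARK = 0xA5   # commit marker, always the last byte written


def _pack(value: int, seq: int) -> bytes:
    """value(4) | seq(2) | CRC-16 over both (marker byte is written separately)."""
    body = value.to_bytes(4, "big") + seq.to_bytes(2, "big")
    return body + binascii.crc_hqx(body, 0).to_bytes(2, "big")


def _unpack(slot: bytes):
    """Return (value, seq) if the 9-byte slot is committed and intact, else None."""
    body, crc, mark = slot[:6], int.from_bytes(slot[6:8], "big"), slot[8]
    if mark != MARK or binascii.crc_hqx(body, 0) != crc:
        return None
    return int.from_bytes(body[:4], "big"), int.from_bytes(body[4:6], "big")


class JournaledPurse:
    """Two 9-byte slots; the committed slot with the highest seq wins, so a
    torn update leaves the previous balance visible instead of a mixed one."""
    SLOTS = (0, 9)

    def __init__(self, ee: Eeprom, balance: int):
        self.ee = ee
        ee.write(0, _pack(balance, 1) + bytes([MARK]))   # slot 1 stays empty

    def _current(self):
        best = None
        for addr in self.SLOTS:
            rec = _unpack(bytes(self.ee.mem[addr:addr + 9]))
            if rec and (best is None or rec[1] > best[0][1]):
                best = (rec, addr)
        return best

    def balance(self) -> int:
        return self._current()[0][0]

    def debit(self, amount: int) -> None:
        (value, seq), addr = self._current()
        if amount > value:
            raise ValueError("insufficient funds")
        other = self.SLOTS[1] if addr == self.SLOTS[0] else self.SLOTS[0]
        self.ee.write(other + 8, b"\x00")                      # 1. invalidate
        self.ee.write(other, _pack(value - amount, seq + 1))   # 2. body + CRC
        self.ee.write(other + 8, bytes([MARK]))                # 3. commit byte
        # seq wrap-around is ignored here; a real card must handle it.


def torn_naive_debit(balance: int, amount: int, tear_after) -> int:
    """Debit on the in-place purse with power lost after tear_after bytes."""
    ee = Eeprom(4)
    purse = NaivePurse(ee, balance)
    ee.tear_after = tear_after
    try:
        purse.debit(amount)
    except TearOff:
        pass
    return purse.balance()


def torn_journaled_debit(balance: int, amount: int, tear_after) -> int:
    """Same debit on the journaled purse; the old balance survives any tear."""
    ee = Eeprom(18)
    purse = JournaledPurse(ee, balance)
    ee.tear_after = tear_after
    try:
        purse.debit(amount)
    except TearOff:
        pass
    return purse.balance()
```

Debiting 1 from a balance of 256 on the in-place purse and tearing after the first byte leaves 0xFF in the low byte and 0x01 in the next, a balance of 511: the cardholder gained credit. The journaled purse performs ten single-byte writes per debit; tearing after any of the first nine leaves the target slot without its commit marker, so the reader still sees 256, and only the tenth write makes 255 visible.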

The truth is that there is no silver bullet for RFID security. Implementations vary across vendors and devices, and new attacks are found all the time. Security is an iterative process in which countermeasures and attacks evolve. What matters most is to avoid single points of failure, such as a fixed identifier being the only credential, and to understand the strengths and weaknesses of the devices you use.

We specialize in security of embedded and connected devices, including IoT devices. To learn how we can help you achieve better security in your IoT devices, feel free to get in touch with us via inforequest@riscure.com.
