RFID: Is it Secret? Is it Safe?
Category: Awareness, Cybersecurity Fundamentals, Physical Security
“What is RFID and what is it used for?”
Radio-Frequency Identification (RFID) is not a new technology. In fact, it’s been around since the 1940s. You’ve probably been using it for years and didn’t even realize it. So what is RFID?
RFID uses electromagnetic fields in the form of radio waves to establish a communication link between an RFID tag or transmitter and an RFID reader or receiver. Pieces of information are transmitted over that link, and the reader uses them to establish the authenticity of the tag or transmitter. Access is then authorized through a direct communication channel with a central system (computer) that stores a database of approved credentials associated with the tags or transmitters. The system verifies that the information from the tag matches what is in the database and approves or declines accordingly.
RFID and the modern standards associated with it, such as Near-field Communication (NFC) (which supports two-way communication, versus RFID’s more common one-way communication), are fairly pervasive in our lives these days, more than you probably realize. Most commonly, you interact with RFID when you use your debit or credit card to check out at a store and use the “tap here” functionality to perform a contactless payment. Other common use cases you may be familiar with are badging into a physical location such as a hotel room, a secure office building or a floor in an office building, an apartment or condo complex, or a dorm or school building on a college campus. Beyond credit cards and building access, more modern applications include the smart digital car key fob that lets you unlock your doors or start your car by touching the handle while the keys are in your pocket, theft-prevention tags on merchandise in retail stores, and consumer smart locks and deadbolts used to secure homes. RFID, or one of its modern variants, is everywhere, it seems!
“Is RFID secure? Am I at risk?”
This is a bit of a loaded question. The short answer is that, in most cases, yes, you are safe. Many modern NFC or RFID devices use secure methods of storing and transmitting the data between the tag or chip and the reader. For example, credit card RFID chips are considered secure because they use one-time codes to complete each transaction. Every time you use your card via the RFID chip (tap or hover over the reader), a unique code is created that helps protect the information transmitted to the reader and ultimately on to the processor. They are considered replay resistant (a hacker who captures this information cannot then replay the same transaction, since each transaction requires a new, unique, one-time-use code).
Car remote fobs that unlock or start your car without a button press use encrypted communication over high-frequency channels. In most cases the standard applied makes it difficult for attackers to clone or intercept the communication and replay it to fool the receiver. Similarly, most secure facilities such as data centers use secure RFID standards that include encryption and other schemes to protect against cloning and man-in-the-middle (MITM) / replay attacks.
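As an added illustration, not from the original post, the two reader models below show why a static UID can simply be sent again while a per-tap one-time response cannot. The class names, the HMAC-over-a-nonce scheme and the sample badge are constructed here as a simplified stand-in; real cards, fobs and readers use their own protocols.

```python
import hashlib, hmac, secrets

class StaticUidReader:
    """Low-security model: the tag emits a fixed UID and the reader grants access
    if that UID is enrolled, so anything a sniffer captures can be sent again."""
    def __init__(self, enrolled_uids):
        self.enrolled = set(enrolled_uids)

    def authorize(self, frame):
        return frame in self.enrolled


class ChallengeResponseReader:
    """Replay-resistant model: a fresh random nonce per tap, answered by the tag with
    an HMAC under a key shared at enrollment, so a captured answer fits only its nonce."""
    def __init__(self, keys_by_uid):
        self.keys = dict(keys_by_uid)
        self.open_nonce = None

    def challenge(self):
        self.open_nonce = secrets.token_bytes(16)
        return self.open_nonce

    def authorize(self, uid, response):
        nonce, self.open_nonce = self.open_nonce, None  # a nonce is answered once
        key = self.keys.get(uid)
        if key is None or nonce is None:
            return False
        return hmac.compare_digest(tag_answer(key, nonce), response)


def tag_answer(key, nonce):
    """What an enrolled keyed tag computes when the reader challenges it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def replay_demo():
    """Capture one legitimate tap against each reader model, then send the captured
    data again later. Returns which presentations the readers accepted."""
    uid, key = "BADGE-0042", secrets.token_bytes(16)  # constructed sample credential
    weak = StaticUidReader([uid])
    sniffed_frame = uid                                # captured during a real tap
    strong = ChallengeResponseReader({uid: key})
    sniffed_answer = tag_answer(key, strong.challenge())  # captured during a real tap
    first_ok = strong.authorize(uid, sniffed_answer)
    strong.challenge()                                 # a later tap: new nonce issued
    return {"static_uid_replay": weak.authorize(sniffed_frame),
            "challenge_response_first": first_ok,
            "challenge_response_replay": strong.authorize(uid, sniffed_answer)}
```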
“Ok, so what do I actually have to worry about?”
That is the golden question. In an era of working from home and telecommuting, smart homes, and products of convenience, the biggest question marks for RFID technology are office security systems, apartment/condo security systems, and home security. That’s not to say you shouldn’t take care with RFID-enabled credit cards; it is just more likely that an attacker will disable the RFID functionality, which is much more difficult to attack, and use a skimmer against the magnetic stripe or chip instead. For those attacks, always check the reader to make sure a skimmer hasn’t been placed over the legitimate reader (a quick inspection and tug will usually do the trick), especially on publicly accessible readers such as ATMs and gas pumps.
Office Building Security
As an employer or business owner, facility security (not just for data centers or co-location providers) is important. Gaining access to an office building or a floor in a building usually grants access to IT hardware and computers, paper records, and other sources or storage locations for data the company may deem sensitive or important. Typically, when a business leases office space it inherits the controls the property or facilities management provides, including physical access security. In some cases these readers (usually sourced from a provider of RFID access control technologies such as HID Global) are somewhat of an afterthought. Sometimes they are chosen on a cost basis rather than a security basis, and a lower-security, low-frequency RFID standard with unencrypted communication is used. In these cases the badges, tags, or fobs issued are at risk of cloning and MITM-type attacks using equipment cheaply available from Amazon.
As a business owner leasing space, you should always be aware of the level of physical access security provided by the facilities or property management company, and ensure secure standards are deployed. Otherwise you may need to negotiate installation of your own secure readers and manage the enrollment and distribution processes yourself.
Apartment / Condo Security
Many apartment and condominium complexes use RFID either for common-area and building exterior access or, as in many new constructions, for direct apartment / condo access via smart lock systems. The problem here is that unless you are leasing from a large property management company, local or small-scale apartment or condo management companies often bid out physical access systems with a cost-first mentality. As in the office building scenario above, the result is often lower-security RFID readers relying on unencrypted communication and authorization. Access authorization usually relies solely on verifying a unique ID (UID) and a few other pieces of information that can easily be replayed or cloned by an attacker.
Smart Locks
Smart locks are all the rage these days as apartments and condos move away from hardware keys, which are easily lost and take up a lot of space on a keyring, to RFID or mixed RFID and WiFi enabled smart locks. Some smart locks use tags and fobs like those used for apartment / condo common areas, possibly the same fob if the property manager issues a dual-chip fob. Other smart locks use NFC via an app on your phone, or WiFi-enabled lock/unlock from a similar app.
In the case of RFID-based smart locks, the same issue arises again: security is not at the forefront of decision making about which technology to deploy and impose on residents. Where cost is a factor, property managers will often take lower cost over higher security, mostly because they don’t understand the risks. Many of the smart locks we personally have tested in our area do not enable the higher-security functionality (encryption) because it requires additional hardware purchases, more expensive tags or fobs, or additional support from the provider. What this leaves residents with is a cool smart lock that feels modern but puts them at risk of burglary because of the ease with which the fobs or tags can be cloned or replayed to gain access.
“How is RFID Compromised?”
There are several ways in which insecure RFID implementations can be compromised by a motivated threat actor: cloning attacks, man-in-the-middle attacks, and brute force attacks.
Cloning Attacks
Cloning attacks require an attacker either to have physical access to an RFID tag / fob / card or to be close enough to copy the data the tag / fob / card transmits and write it to a blank device of the same standard, or to what is colloquially known as a “magic card.” Attackers can use homemade readers with long-range antennas to read RFID chips in proximity without physically holding the card. If an attacker does obtain physical possession, even for a short period of time, they can use a number of reader and cloning tools available on the market to capture and clone the device’s information.
A popular open source security testing tool called the Proxmark3 can be used to test the vulnerability of a tag / fob / card to all sorts of attacks, including cloning, and can also clone or copy low- and high-frequency RFID chips with wide-ranging support for various standards and implementations. Unfortunately, as great a security tool as this is, it is also very popular amongst attackers, who can leverage its ease of use and active community of research and support to execute attacks on many RFID systems.
Man-in-the-Middle (MITM) Attacks
MITM attacks often use a piggy-backed hardware device that captures and decodes the communication between an RFID tag / fob / card and the reader. The device is usually battery-powered and placed on the reader so as to be minimally noticeable, often as a dummy plate over the reader that looks very similar to the unaltered reader. It then sits “in between” the tag / card / fob and the reader, decodes the information on the fly, and either transmits it directly to the attacker or stores it in memory for the attacker to retrieve later. This allows the attacker to replay the data (retransmit the handshake and data transmission) to the reader and gain access to the building at any time. In most cases the attacker will make sure their malicious device also relays the captured information through to the reader when the valid user attempts to gain access, so as to avoid suspicion.
Brute Force Attacks
On the big screen you might see a wily hacker stick a card to a reader with a cable running to a device that cycles through numbers until a magic code is found that turns the reader green and unlocks the very important door. While highly dramatized for effect, that is the basic premise of the brute force attack. In a brute force attack, much like an attacker trying to guess your password on a website, a device transmits random guesses of unique IDs and data combinations in an attempt to hit the right combination and gain access via the reader. Brute force attacks are less common against RFID systems. For one, they usually require direct access or close proximity to a reader, which tends to look a bit suspicious. Additionally, most modern readers have safeguards against brute force attacks, such as time-delayed entries and lockout thresholds (e.g. the reader will stop responding if bombarded with tag information). In many scenarios, tags and fobs are further protected by additional unique information added to the verification workflow, including facility identifiers or other codes, to prevent brute forcing.
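An added simulation, not from the original post, of the lockout safeguards described above: a reader model that goes silent after a threshold of consecutive rejections, with the silence doubling on each repeat, run against one wrong guess every 100 ms for a minute. The class, its parameters and the sample badge are constructed here and do not represent any vendor's implementation.

```python
class ThrottledReader:
    """Reader with a lockout threshold and time-delayed retries. Time is kept in
    integer ticks (one tick = 100 ms) so the simulation is exact. After
    `threshold` consecutive rejections the reader goes silent for `base_delay`
    ticks, and the silence doubles on each further lockout."""
    def __init__(self, enrolled_uids, threshold=5, base_delay=100):
        self.enrolled = set(enrolled_uids)
        self.threshold = threshold
        self.base_delay = base_delay
        self.failures = 0
        self.next_delay = base_delay
        self.locked_until = 0  # tick at which the reader starts listening again

    def present(self, uid, now):
        """Return 'granted', 'denied' or 'ignored' for a tag presented at tick now."""
        if now < self.locked_until:
            return "ignored"  # reader is silent; the guess is never evaluated
        if uid in self.enrolled:
            self.failures = 0
            self.next_delay = self.base_delay
            return "granted"
        self.failures += 1
        if self.failures >= self.threshold:
            self.locked_until = now + self.next_delay
            self.next_delay *= 2  # exponential backoff on repeated lockouts
            self.failures = 0
        return "denied"


def simulate_guessing(reader, ticks):
    """Present a different wrong UID on every tick and count how many guesses the
    reader actually evaluated versus silently ignored."""
    evaluated = ignored = 0
    for t in range(ticks):
        if reader.present(f"guess-{t:06d}", t) == "ignored":
            ignored += 1
        else:
            evaluated += 1
    return evaluated, ignored


if __name__ == "__main__":
    # One guess every 100 ms for one minute against a plain and a throttled reader.
    print("no lockout:", simulate_guessing(ThrottledReader(["BADGE-0042"], threshold=10**9), 600))
    print("lockout:   ", simulate_guessing(ThrottledReader(["BADGE-0042"]), 600))
```

While the reader is silent a legitimate badge is ignored as well, which is the availability trade-off behind the time delays the post mentions.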
“How can I protect myself?”
There are a few basic ways to protect yourself from RFID security risks and the attacks mentioned above.
If you’re an employer, property manager, or business owner leasing space, you should opt for higher security for RFID reader systems even if there is a higher associated cost. This will prevent you from having to rely on employees or tenants following good security practices and policy, since the human element is always the weakest element in any security posture.
Individuals should keep their RFID tags / fobs / cards secure. Do not take them to public places (like out for lunch) if it can be avoided. If it cannot be avoided, RFID shields are an option, but they are not a magic bullet: they do not protect against every attack vector, nor are they all created equal.
If you live in a condo or apartment with RFID common-area or exterior access readers, talk to your property manager about their security. Point out to your HOA, resident council, or residents’ group that there are real risks associated with weak RFID security, and provide them a link to this post if it helps. Urge the property manager to implement higher-security controls such as encryption.
Do a quick visual and physical check of readers if you think something may be off. Devices used for MITM attacks are often loosely attached so they can be removed in a hurry, so give the reader a jiggle or a push and see if something comes off. Don’t pry too hard, or you might break the actual reader if no malicious device is attached.
If you’re interested in adding smart locks to your home as a homeowner and DIYer, you should familiarize yourself with the options available and the security measures each provides. Companies like Schlage, Kwikset, Saflok, and August publish their security specifications, and some quick research can let you know whether it is safe or easily compromised. Preferably, find a smart lock / deadbolt that supports encrypted communications.
If you live in an apartment or condo with a smart lock or deadbolt system, ask your property manager the same questions as for the exterior or common-area RFID system. Discuss it with your HOA or in your residential groups and raise the issue with your property manager.
For RFID smart lock or deadbolt systems, keep your fobs close at all times. Most operate in a passive state, meaning the reader must activate them via its electromagnetic field before they will transmit information. That helps mitigate the risk of an attacker cloning or intercepting a transmission from a distance, but you should still keep your home fob / tag on your person or securely locked away where it cannot be physically accessed by anyone you don’t want to have access to it.