New Generation Hacking: RFID Attacks
A little about RFID technology
RFID (Radio Frequency IDentification) is an automatic identification technology in which data is read and written by radio signals. Data is stored in a so-called RFID tag. The RFID system consists of a reader and a tag.
RFID tags are classified by operating frequency, memory type, and power source. Readers are stationary and mobile.
Types of attacks used in RFID technology
Reading interesting articles about RFID becomes uncomfortable with examples of possible attacks. Below is a small list of the attacks used:
- Dos attack
- RFID Zapper
- Substitution of the contents of the memory RFID tags
- Attacks through RFID tags
Scientists from the Australian University claim that the first generation RFIDs are subject to Dos-attack. The bottom line is that the chips of this generation use the range 902-938 MHz, divided into channels. The scanner can switch from one channel to another, and the chip due to its passivity cannot change the range. It is argued that this range can be silenced from a distance of 1 m using a simple radio transmitter. In this connection, a rather abstract comparison with a Dos-attack is given.
The next attack is the simple destruction of the tag. Two guys from the ranks of “Chaos” came to the conclusion that finding the chip in the microwave for a short time is the most effective way to destroy the label. In this regard, the RFID-Zapper device was developed. As a basis used a camera-soap box. After some updates, the device has learned to create a strong electromagnetic field that kills passive tags.
Jonathan Westhues – a student who created a device that allows you to clone tags. The device is called proxmark. It easily fit in your pocket and you can unnoticeably clone the tag at a close enough distance.
Substitution of the contents of the memory RFID tags
At the Defcon hacker conference that ended, German infosek expert Lukas Grunwald demonstrated how the contents of an e-passport can be easily transferred to any other radio tag. At the same time, Lucas used the RFDump prog developed together with his colleague Boris Wolf (Boris Wolf) a couple of years ago, which can read, edit, write (if possible) RFID tags. The first version of this program was a simple perl script, now RFDump is a convenient tool distributed under the GPL license. There are only versions for Linux yet. The program requires a RFID reader ACG Multi-Tag Reader or similar. Grunwald makes some adjustments to the software from time to time. For example, now it allows you to use the readout counter in the label (cookie function)
After creating their program, Lucas and Boris began to actively explore the possibility of hacking into various RFID systems. First of all, they studied the RFID-system of the local university cafe, where the data on the amount on the client’s account was stored directly on the card. Food there was free for them :). Further more: they stayed in hotels and hotels where proximity cards were used to enter the room. An interesting fact: none of the ten RFID systems they studied had any encryption, and after examining 2-3 cards, Grunewald could create a master card that opens any door. But it is also very easy to get around systems with encryption: either the key was selected by a simple search, or it was set by the manufacturer by default. Systems of supermarkets turned out to be vulnerable, where they began to use RFID as an alternative to bar codes. Hackers were able to use the handheld computers to change the labels of expensive goods to less expensive ones, thus “saving” their cash. According to Grünwald, 3/4 of all the RFID systems he studied were somehow vulnerable.
Attacks through RFID tags
In fact, by editing the label, you can gain access to a computer and thereby make various kinds of attacks. Vulnerabilities of RFID tags: SQL-Injection, web-interfaces, where the possibility of introducing malicious code is not excluded, as well as buffer overflow.
Suppose that the RFID system uses only tags with a memory capacity of 128 bytes. The programmer who wrote the application processing the contents of the tags was too lazy to check for the length of this content. As a result, there is an opportunity for buffer overflow, because a cunning hacker can slip a tag with more memory than 128 bytes to the system, injecting a shell code there as well.
Examples of real attacks
To make it clear what kinds of problems may arise from RFID hacking, consider the real attack scenario.
– “The Joker” goes to the supermarket, in which it scans products in baskets. The store’s products are equipped with RFID tags, not barcodes. Many supermarkets plan to introduce an RFID system, since scanning is much faster. “The Joker” chooses a product, for example, chocolate paste, scans and goes to the cashier to pay for it. When he gets home, he removes and destroys the RFID tag (you can destroy the tag using the methods described in RFID-Zapper). He then takes the empty RFID tags and writes an exploit on the computer, which later attaches to the tag. Next, the infected tag is attached to the chocolate paste and belongs to the store. The “Joker” buys it again, the cashier scans and at this sad moment infects the entire database of the supermarket.
– Games of our “joker” continue. Our hero has a cat that has a subcutaneous ID tag, which the “prankster” can overwrite on any exploit using commercially available equipment. Next, he goes to the vet with a complaint that the cat constantly asks for food. The veterinarian scans and the same thing happens as in the previous story – the database is infected and this action leads to chaos.
– And the scariest part. Airports also plan to introduce RFID tags that will be attached to the baggage. This is due to the fact that RFID tags can be read at a greater distance than the barcodes of the baggage. The principle of operation is the same – an evil traveler comes with an infected tag, he is scanned. Only the consequences are much more dangerous – hundreds of airports around the world can be infected.
Many companies currently claim that their software displays these types of attacks.
– Many companies publish code when creating new software so that third-party programmers can help them find the bugs that developers have made. It is recommended to do the same with RFID software.
– Remove unnecessary features.
Stop database attacks.
In order to avoid attacks of the SQL type – Injection, you should perform a thorough check of the data transmitted by the SQL query. There is also the concept of ORM – libraries, which are an intermediary between the base and the program. Some databases provide features that limit the likelihood of an attack. For example, both Oracle and MySQL allow only one request to be executed during API calls, although new versions of MySQL allow the programmer to include several requests.
Client scripts can be prevented by properly processing scripts. The languages used in web development usually provide functions that can do this for you. PHP can do this automatically for each line, using its own “magic quotes”. If a scripting language is not required, disabling it will avoid any possibility of its abuse. SSI injection can also be avoided using proper treatment. Or disable SSI.
Buffer overflow can also be avoided by properly checking the buffer boundaries. Tools like Valgrind and Electric Fence
will help you make the check. Of course, using a programming language that performs these checks would be much better. One such language is Java.