Soylent Badges: An Attack Surface Analysis of RFID

1
Soylent BadgesAn Attack Surface Analysis of RFID

• Dan Kaminsky, Director ofPenetration Testing,
  IOActive

2
What is this talk about?

• Not a deep technical analysis of how to build an
  RFID cloner
  
• Not a recap of what went down in Washington DC a
  few months back
  
• This is an attempt to bridge the legal/technical
  boundry
  
• What is RFID?
• What are people trying to do with it?
• What are people trying to do to it?
• This is an industry of a lot of hope and a lot of
  hype, but not a lot of understanding about
  security risks.
  
• Lets fix that!

3
What is RFID?
4
RFID Its Just A Barcode.

• Radio is just low frequency light
• Variant Active RFID, has a battery in it
• Glow in the dark barcode
• Can encrypt

5
RFID Building A Better Barcode
6
Revolutions in Tagging Technology

• Barcodes
• Revolutionized commerce
• Retail (Supermarkets)
• Transport (UPS)
• Production Lines
• RFID
• Toll Roads (Speedpass)
• Train Systems (Tokyo)
• Corporate Access Control
• RFID is the better mousetrap.
• What about these pesky security issues?

7
Introduction to Attack Surface Analysis

• What could possibly go wrong?
• Identify what the system is doing, and why its
  doing it
  
• If you dont know what the system is supposed to
  do, youll never understand what its allowing
  you to do.
  
• Who says its just allowing you?
• Every system interacts with trusted people at
  certain points
  
• Gateways (Doors, Toll Booths, Train Stations)
• Tokens (Badges, Speedpasses, Tickets)
• But how do those same systems interact with
  untrusted users?

8
Through The Looking Glass
9
The Attacker Is Not The Customer

• Developers build things for customers.
• Customers pay for things to work.
• Attackers do not pay, for things to not work
• The consumer of security technology is the
  attacker being kept out!
  
• Customers do desire protection from attackers
• Enforcers (Gates, Police, Walls) enforce customer
  will
  
• Investment in enforcement is tied to the harm to
  customer in case of an attack
  
• Ah, but what if the attack harms someone else?
• Customer investment equal to legal liability
  times risk of attack
  
• No liability No investment

10
Classes of Use

• What an attacker can get by compromising RFID, is
  directly tied to what it is protecting
  
• Developers just build the technology ?
• Three major classes of RFID deployments
• Inventory What do I have?
• Attendance Who is here?
• Access Control Who isnt here?
• These classes do not describe the risk continuum

11
The Real Continuum 0

• What is the value of the resource that would be
  compromised if an attacker got through
  
• Attack surface How could an attacker get
  through?
  
• Risk What can they get by doing it?
• Inventory Control Use of RFID to do continuous
  or intermittent identification of physical
  objects at a location
  
• Shrinkage Management Attacker can make a store
  screw up its purchasing schedule, not recognize
  theft as its happening.
  
• Cargo Ship Manifest Auditing Attacker can add
  or remove items from the scanner manifest,
  facilitating smuggling.

12
The Real Continuum 1

• Attendance Management
• Tradeshow Monitoring An attacker could make a
  show think a particular speaker was popular, or
  not.
  
• Classroom Monitoring An attacker could make a
  student appear to be present or absent,
  potentially triggering harassment.
  
• Population Monitoring An attacker could use the
  RFID on a passport to target Americans for
  attack.
  
• Well return to this.

13
The Real Continuum 2

• Access Control
• Club Cards An attacker can impersonate
  another user, potentially getting access to sales
  only theyve earned.
  
• Credit Cards An attacker can spend someone
  elses money.
  
• Corporate Badges An attacker can achieve
  physical access to corporate facilities and labs,
  potentially committing espionage.
  
• Military Badges An attacker can achieve
  physical access to military facilities and
  storage depots, potentially destroying assets and
  killing people.

14
Out of sight, out of mind

• Nobody would suggest using barcodes to protect
  anything, let alone corporate resources, let
  alone lives
  
• Radio barcodes are invisible.
• Therefore, theyre OK.
• First Law of RFID Theyre always trying to make
  it do something scarier than you think.
  
• Electronic Voting, Secured With RFID
• Inevitable
• Maybe this will be the shark-jumping moment?

15
Privacy

• Original Attack Surface Analysis So what?
• Entire population carries around high powered
  transponders that identify their nation of
  origin
  
• Cell phones!
• But the First Law of RFID holds.
• Cell phones emit whats useful for cell phone
  carriers.
  
• Credit cards emit whats useful for merchants and
  credit carriers
  
• Limit for RFID Credit Card 50
• Minimum Claim for Credit Card Fraud 50
• Passports emit whats useful for customs agents
• RFID is a barcode. Some people are tempted to
  turn it into a T-Shirt with your SSN printed on
  it.
  
• There actually was a school that did barcodes
  that equaled SSNs!

16
A Prediction

• Supermarket loyalty cards start getting RFIDs
• A private firm pays stores to put RFID monitors
  in doorways that are capable of reading the
  loyalty cards as people walk through
  
• Said private firm resells demographic data
  regarding whos going where at what time
  
• Cell phone cant provide the door check of
  RFID
  
• Cell phone carriers couldnt risk the business
  hit
  
• The above scenario is pretty likely in the next
  few years.
  
• May be able to replace supermarket loyalty cards
  with any card type people can be expected to have
  on them at all times. This will accelerate the
  timeline.

17
Where are the security people?

• Very few physical attackers in the real world
• Breaking into buildings is risky to the attacker
  youre physically throwable into a jail cell.
  
• Flip side Very high success rate if an attacker
  is determined
  
• An attacker can always drive a car into an office
  wall.
  
• This leaves a car-shaped hole.
• Physical Security has not realized RFID attacks
  fail to leave car-shaped holes.
  
• Attackers thus have much less risk of being
  caught.
  
• Still, some demands have been made

18
What is Secure RFID?

• Create a special relationship between a reader
  and a badge, so that an attacker cant clone a
  card just by pretending to be a reader
  
• RFID may provide a different signal each time
  its queried
  
• Ignition Key systems
• Blink Credit Cards
• Signal may be cryptographically infeasible to
  clone from
  
• Presumption The risk is cloning.
• Reality One attack is cloning. The risk is
  unauthorized access. There may be other attacks
  that result in this risk occuring.

19
Proximity Cards

• RFID badges were originally called proximity
  cards
  
• So called because they powered up when in close
  proximity to a reader
  
• Presumption User badge near reader, user near
  door.
  
• Reality User badge near a reader.

20
Ghost-Leech

• Ghost-Leech Attacks
• Picking Virtual Pockets using Relay Attacks on
  Contactless Smartcard Systems
  
• Attacker doesnt clone the card
• Attacker is near the reader (ghost), accomplice
  is near the victim (leech).
  
• Attacker transmits the query from the reader to
  an accomplice
  
• Accomplice is near the badge, transmits the
  reader signal to the badge, returns the badge
  response to the attacker
  
• Attacker and Accomplice proxy signals until the
  door opens
  
• Works against arbitrarily high quality
  cryptography

21
Defending Against Ghost/Leech 0

• Normally suggested solution Use two factor
  authentication
  
• Combine something you have with something you
  know
  
• Enter a PIN whenever using your badge.
• Very rarely seen.
• The physics solution Rely on the speed of light
  being constant
  
• An attacker must reply in 50 picoseconds in order
  to be legitimately within a few dozen feet
  
• Not feasible with present technology

22
Defending Against Ghost/Leech1

• Best Practice Dont always provide credentials
  to anyone who asks
  
• Always-On nature of RFID in authentication
  scenarios is a bug
  
• Would you show your ID to anyone that asks?
• If its RFID, you do.
• Should require removing RFID from a sleeve, or
  squeezing the badge.
  

23
Summary

• Recognize all the cool things theyre giving the
  good guys.
  
• Look at them from the bad guys perspective.
• Distributed liability is creating a firestorm
• Hugely important systems are being built on
  fundamentally broken technology
  
• There are ways to make them less broken, but
  nobodys making sure they get deployed
  
• Opaque technology gets away with stuff.
• Sunshine is good.