
Talk for the 51st Annual INMM Meeting


Baltimore, MD, July 11-15, 2010

Why RFIDs Offer Poor Security

51st annual INMM Meeting


Baltimore, MD, July 12, 2010

Jon S. Warner, Ph.D. and Roger G. Johnston, Ph.D., CPP


Vulnerability Assessment Team
Argonne National Laboratory
jwarner@anl.gov

RFID: What is it?

“Radio frequency identification (RFID) is a generic term that is used to describe a system that transmits the identity (in the form of a unique serial Number) of an object or person wirelessly, using radio waves.”*

RFID is basically a bar code that barks.
-- Robin Koh, MIT Auto-ID Lab

*“What is RFID?”, RFID Journal


RFIDs: Radiofrequency Identification Devices

• RFID transponders transmit static serial numbers using radio waves.
• Most RFIDs do not use batteries (passive), but some do (active). Some are even “semi-passive.”
• Passive RFIDs draw power from an rf pulse generated by the reader and usually employ a “backscatter” modulation communication technique.
• Common frequencies: low (~125 kHz), high (~13.56 MHz), ultra-high (433 & ~900 MHz), & microwave (2.45 & 5.8 GHz).
• RuBees (< 450 kHz) are NOT RFID devices.

There is a huge danger to customers using this (RFID) technology, if they don't think about security.
-- Lukas Grunwald (creator of RFDump)

What’s our concern?

- A system that makes a decision about theft based on a fixed identification number is problematic because it is generally easy for an adversary to spoof.
- This is true for any communication protocol, such as RFID, radio frequency (RF), infrared, acoustical, or hardwired.
- RFIDs were designed and developed as inventory tools. There’s nothing wrong in using them that way.
- But... RFIDs can create severe vulnerabilities in a security application.
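An added illustration of the concern above (not part of the original slides): a reader that accepts a fixed serial number cannot tell a recording from the tag, while a reader that checks a keyed response to a fresh single-use challenge rejects the same replay. The tag ID, key, class names and the use of HMAC-SHA256 are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

TAG_ID = b"TAG-0001"               # constructed sample serial number
TAG_KEY = secrets.token_bytes(32)  # constructed per-tag secret (assumption)


class StaticIdReader:
    """Inventory-style check: any transmission of a known serial passes."""

    def __init__(self, known_ids):
        self.known_ids = set(known_ids)

    def verify(self, transmitted_id):
        return transmitted_id in self.known_ids


class ChallengeResponseReader:
    """Issues a fresh single-use nonce and checks an HMAC computed over it."""

    def __init__(self, keys):
        self.keys = dict(keys)  # tag id -> secret key
        self._pending = None

    def new_challenge(self):
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, tag_id, response):
        challenge, self._pending = self._pending, None  # nonce is used once
        key = self.keys.get(tag_id)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, tag_id + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def tag_respond(tag_id, key, challenge):
    """What a genuine keyed tag would compute for the reader's challenge."""
    return hmac.new(key, tag_id + challenge, hashlib.sha256).digest()


def run_demo():
    static_ok = StaticIdReader([TAG_ID]).verify(TAG_ID)  # recorded serial, replayed
    reader = ChallengeResponseReader({TAG_ID: TAG_KEY})
    overheard = tag_respond(TAG_ID, TAG_KEY, reader.new_challenge())
    genuine_ok = reader.verify(TAG_ID, overheard)        # legitimate read
    reader.new_challenge()                               # next read, new nonce
    replay_ok = reader.verify(TAG_ID, overheard)         # old response replayed
    return {"static_replay": static_ok, "genuine": genuine_ok, "cr_replay": replay_ok}
```

As the Data Encryption/Authentication slide later in this talk stresses, a scheme like this is only as good as the physical security of the tag's key and of the reader.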


Inventory vs. Security

Inventory
• Counting and locating stuff
• No nefarious adversary
• Does not understand the concept of theft or spoofing
• May detect innocent errors by insiders, but not surreptitious attacks by insiders or outsiders.

Security
• Meant to counter nefarious adversaries (insiders and outsiders)
• Watch out for mission creep: inventory systems that come to be viewed as security systems!

Inventory vs. Security Misconceptions

• An inventory system spots missing items, therefore it detects theft.
  Wrong!

• We are encouraging people to ignore inventory data.
  On the contrary.

• I can just add security to my existing inventory system.
  This almost never works well.


Inventory vs. Security Misconceptions (cont’d)

• Bad guys don’t really want to cover their tracks.
  We disagree.

• Nuclear Material, Control, and Accounting or Accountability (MC&A) is an inventory function.
  No! Monitoring for theft or diversion is a security function.

MC&A

“Material control means the use of control and monitoring measures to prevent or detect loss when it occurs or soon afterward.”*

“Material accounting is defined as the use of statistical and accounting measures to maintain knowledge of the quantities of SNM present in each area of a facility. It includes the use of physical inventories and material balances to verify the presence of material or to detect the loss of material after it occurs, in particular, through theft by one or more insiders.”*

*“Material Control and Accounting”, United States Nuclear Regulatory Commission


MC&A Blunders

• Believing that MC&A is not security
• Acknowledging that inventory and security are different, then claiming that the inventory system can be counted on to sound an alert if theft or diversion occurs
• Not avoiding mission creep
• Engaging in the ad hoc addition of technologies or sensors onto existing inventory systems hoping for effective security
• Believing technology will automatically solve security issues
• Assuming that the inventory tag is permanently coupled to the asset of interest

MC&A Blunders (cont’d)

• Not realizing that tags, including RFIDs, are easy to counterfeit
• Not realizing that the tag reader must be very carefully protected from tampering
• Not realizing that tags that are read in a remote, non-contact manner are:
  • Easy to eavesdrop on
  • Easy to spoof from a distance
• Not arranging for a thorough and independent vulnerability assessment, early and often throughout the design process and when the device is fielded.


RFIDs: fine for inventory, problematic for security

• Easy to lift.
• Easy to block or jam signals.
• Easy to counterfeit. All needed information, software, & parts are readily available.
• Easy to eavesdrop on an RFID and record its signal. Free software and information are on the Internet.
• Easy to spoof the reader from a distance, tamper with it, or swap it out for a counterfeit. No access to the RFID itself is needed.

Our first attempt at attacking RFIDs: Starting with zero knowledge, it took 2 weeks, and < $20 in parts to demonstrate 5 different defeats.

A few RFID attacks:

• Communication Based:
  – Skimming: reading data off of someone else’s transponder without their knowledge with a reader (home built or commercial).
  – Sniffing: “listening in” to a tag/reader communication stream.
  – Denial of Service: DoS prevents communication from occurring.
  – Spoof tag/reader communication: The act of sending a false (but correctly formatted) communication stream to the tag or reader.
  – Replay Attack: Recording data off one tag and playing it back later.
• Tag Based:
  – Clone: impersonate a tag (legitimate/home built) with stolen data.
  – Reprogramming: change data on a tag, works on select tags.
  – Tracking: Track a user or users habits using RFID data on their person.
  – Virus and Worm Injection: Use RFID tag as a carrier for a computer virus.
  – Tag Destruction: Destroy tag so that it cannot communicate.
• Reader Based:
  – Reader Modification: attack the reader electronics.
  – Man-In-The-Middle/Manipulate-In-The-Middle: Intercept, filter, & edit data


A Sampling of RFID Hobbyist Attack Kits Available on the Internet

Commercial: $20 Car RFID Clone (Walmart)
Commercial: Used for “faking RFID tags”, “reader development.”
RFID Skimmers, Sniffers, Spoofers, and Cloners; oh my!
Documents, code, plans needed to build your own: Free online.

Optical Bar Code vs. RFID

RFID:

• Typically easier to “lift” than the paper barcode
• Easier to spoof the reader at a distance
• Non-visible so harder for the user to spot attacks
• Flakier → less secure

RFID is even less secure than paper bar codes!


Remote attack on reader:

• The adversary needs access to a legitimate reader for a short period of time (3 – 30 seconds).
• The adversary places a pre-built RF circuit into the legitimate reader. The pre-built circuit is powered by the reader.
• When the adversary presses a button on his/her transmitter the:
  – Reader database can be modified/erased.
  – Tag registers as legitimate even if there is no tag.
  – Reader behaves normally/abnormally if adversary desires.
  – Reader displays to the user whatever the adversary wishes.
  – Entire reader database can be downloaded from reader to adversary.
  – Outcome of tampering is limited only by the imagination of the adversary.

Data Encryption/Authentication

Intended for public communication between two secure points.

Provides reliable security if and only if the sender and the receiver are physically secure. (Usually not the case!)

The security of a cipher lies less with the cleverness of the inventor than with the stupidity of the men who are using it.
-- Waldemar Werther


What about cryptographic RFIDs?

• Digital Signal Transponder (DST) – Beaten (2005)
  – The DST contains a secret, proprietary cipher based on a 40-bit cryptographic key
  – These transponders are used in Vehicle Immobilizer, Electronic Payment, and other high importance systems
  – ~130 Million RFID transponders currently in use are vulnerable to cloning or spoofing

• Mifare Crypto 1 – Beaten (2008)
  – MIFARE has a market share of 80% in the automatic fare collection industry (Source: Frost & Sullivan 2001)
  – Used in road tolling, airline ticketing, access management and phone cards, more than 1 billion smart cards sold
  – Can be beaten in 12 seconds on a laptop

• Hitag2 – Beaten (2009)
  – Used extensively in the auto industry for vehicle immobilization
  – Used in proximity card readers

• Machine Readable Travel Document aka Electronic Passports (ePassports)
  – US; Sniffing
  – UK; Complete counterfeit
  – Germany; Cloning

Some take away messages

• RFIDs offer no better security than paper barcodes; in fact it can be argued that RFIDs actually provide worse security.

• RF (and RFID readers especially) can be spoofed from a distance. Try doing that to an optical barcode reader!

• But the main problem isn’t RF, it is the fixed static identification number!

• RF can be used for security purposes but it represents certain challenges (which spread spectrum or covert transmissions don’t solve).

Argonne VAT RF security devices


Some take away messages (cont’d)

• Don’t confuse inventory with security!

• Relying on luck for an inventory system to detect missing material isn’t the best security strategy for ensuring nuclear materials haven’t been stolen, diverted, or tampered with.

• MC&A is about protecting nuclear materials from theft, diversion, sabotage, etc. This is fundamentally a security application, not an inventory one!

• To be effective, security systems usually must be designed with security in mind from the beginning of the design process. Ad hoc, after the fact, band-aid approaches to security don’t usually work well.

Chirping “Tag and Seal”

An example of a radiological tag/seal/real-time monitoring device designed with security in mind from the beginning

Wednesday, July 14, 5 PM, Session G


Questions?

Vulnerability Assessment Team (VAT)

A multi-disciplinary team of physicists, engineers, hackers, & social scientists.

Physical Security Projects
• vulnerability assessments
• consulting & training for private companies
• R&D for DHS, DoD, DOE, DoS, IAEA, & intelligence agencies
• research on security culture
• human factors in security
• tags, seals, & biometrics
• tampering & counterfeiting
• nuclear safeguards
• cargo security

The VAT has done detailed vulnerability assessments on hundreds of different security devices, systems, & programs.

The greatest of faults, I should say, is to be conscious of none.
-- Thomas Carlyle (1795-1881)


Radio Frequency Identification (RFID)

• RFIDs are a wireless inventory device (think “electronic bar code”)
• Sales revenues of $300 - $503 Million in 2004.
• Many systems are governed by public standards (ISO).
• Some RFID applications:
  – Pallet tagging
  – Automatic toll booths
  – Access control
  – Child tracking
  – Payment Systems
  – Tamper-Indicating Seals
  – Automobile Immobilization
  – Gasoline stations
  – Pharmaceutical anti-counterfeiting (track & trace)
  – Parking lot access control
  – Passports
  – Banknotes

RFID tags are NOT Security Tags. They are:
• Easy to lift.
• Easy to counterfeit. All software, parts, & information are readily available.
• Easy to tamper with the reader. No access to the tag itself is needed.

Starting with zero knowledge, it took 2 weeks, and < $20 in parts to demonstrate 5 different successful defeats

Why High-Tech Devices & Systems Are Usually Vulnerable To Simple Attacks

• Many more legs to attack.
• Users don’t understand the device.
• The “Titanic Effect”: high-tech arrogance.
• Still must be physically coupled to the real world.
• Still depend on the loyalty & effectiveness of user’s personnel.
• The increased standoff distance decreases the user’s attention to detail.
• The high-tech features often fail to address the critical vulnerability issues.
• Developers & users have the wrong expertise and focus on the wrong issues.


What encourages RFID attacks?

1. High-Tech Security Maxim: The amount of careful, critical security thinking that has gone into a given security device, system, or program is inversely proportional to the amount of high-technology it uses.

2. Low-Tech Security Maxim: It’s easy to defeat most security devices and features (including high-tech ones) with low-tech attacks.

3. Familiarity Security Maxim: Any technology becomes more vulnerable to attacks when it becomes more widely used, and when it has been used for a longer period of time.

4. Payoff Security Maxim: The more money that can be made from defeating a technology, the more attacks & attackers will appear.

There are two kinds of fools: One says, “This is old, therefore it is good.” The other one says, “This is new, therefore it is better.”
-- William R. Inge (1860-1954)

What encourages RFID attacks?

5. Vehement Opposition: RFIDs face a lot of opposition, for both legitimate & wacky reasons:
• rf interference
• failure-to-read rates
• anti-technology attitudes
• desire to shoot down the hype
• privacy & “Big Brother” concerns
• international standards problems
• cost, delays & hassles to implement
• paranoia (health risks, fear of alien abductions, etc.)
• increasing recognition that they are not security devices

6. RFIDs and rf technology have been around for decades & are now widely used in many applications, including by home hobbyists for robotics and home automation.

7. Counterfeits don’t have to work very well because rf is flaky anyway.


What encourages RFID attacks?

8. Passive short-range RFIDs aren’t really rf devices.

9. RFIDs and Readers are inexpensive & readily available for cannibalizing. (High-tech cuts both ways).

10. RFID manufacturers are eager to provide technical support, free samples, and cheap evaluation kits, thus revealing vulnerabilities.

11. RFID manufacturers are not security companies.

12. The Internet & patents are full of RFID design & attack information.

13. Programmable Read/Write RFIDs can often be made to look like Read-Only RFIDs (because they are often the same product).

Never buy beauty products from a hardware store. -- Miss Piggy

What encourages RFID attacks?

14. Radio frequency signals are invisible to the user (bad for security), and not very directional (which an adversary can exploit).

15. Security does not happen by accident. RFIDs are not security devices, & it’s difficult enough to have good security even when security is designed in from the start.

Blink your eyelids periodically to lubricate your eyes.
-- Hewlett-Packard’s Environmental, Health, and Safety Handbook for Employees


Factoid: Fake Counterfeits

Counterfeiting security devices is usually easier than developers, vendors, & manufacturers claim.

Often overlooked: The bad guys usually only needed to mimic the superficial appearance and maybe the apparent performance of the security device, not the device itself.

Sincerity is everything. If you can fake that, you’ve got it made.
-- George Burns (1885-1996)

Some thoughts:
• Tracking and locating containers of nuclear materials would ostensibly provide useful information on theft and diversion.

• But, tracking a container is not the same as tracking its contents.

Moreover, if there are no countermeasures to spoofing, you can’t trust the data about theft and diversion.

• It is not easy to detect spoofing. Security must.
