1 / 22

Practical Attacks on a Proximity Card

Practical Attacks on a Proximity Card. Jonathan Westhues jwesthues@cq.cx June 18 2005. Introduction. How do RFID tags work? Signals sent over the air A naïve attack works perfectly Better-than-naïve attacks work even better Security is possible if you are willing to pay for it.

sarila
Download Presentation

Practical Attacks on a Proximity Card

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Practical Attacks on a Proximity Card Jonathan Westhues jwesthues@cq.cx June 18 2005

  2. Introduction • How do RFID tags work? • Signals sent over the air • A naïve attack works perfectly • Better-than-naïve attacks work even better • Security is possible if you are willing to pay for it

  3. How the tags work • The reader transmits a powerful carrier (a signal that carries no information) • Reader “excites” or “illuminates” tag • This carrier powers the circuitry on the tag • So the tag does not need an internal power source (battery)

  4. Information over the air • Tag returns an information-bearing signal to the reader • Same frequency, same antenna • Bi-directional communication also possible • e.g. to write information to a tag instead of just reading

  5. Example: TI tag capacitor(s) antenna coil (microchip on other side)

  6. Example: 13.56 MHz tag antenna coil microchip capacitor

  7. Signals over the air + 1 0 1 1 0 tag: weak, carries information reader: powerful, no information

  8. Result: the signals add 1 0 1 1 0 (signal seen at the reader)

  9. Motorola/Indala Flexpass • Card transmits its ID code to the reader • Reader checks ID against its list to see if it should open the door • That’s it; no attempt at security

  10. Basic replay attack

  11. Basic replay attack • Read a legitimate card to get its ID code • Store the ID in memory • Replay the ID to a legitimate reader

  12. Basic replay attack • Hardware design: nothing fast, no need for anything custom • Easy • Other people have done this

  13. What kind of read range? • Depends on the power of the carrier that the reader transmits • Practical limits: • TX power • Legalities (FCC, Industry Canada) • Input power • Technical limits (heat etc.) • Antenna size

  14. Practical read range • “A few feet”

  15. Even better attacks • The read range goes up when the card is already powered • Thus, even more vulnerable if the eavesdropper sets up near a legitimate reader • The signal goes through sheetrock walls

  16. DSP refinements • FlexPass cards: repeat their ID over and over as long as they are powered • Opportunity to use DSP techniques to “average together” multiple copies and improve sensitivity

  17. Solution • But surely we can do better… http://members.core.com/~jeffp/

  18. FlexPass FlexSecur • Encrypt ID before programming it onto card • Replay attack: • Doesn’t help, eavesdropper unlikely to notice that is present • Not useless though

  19. Challenge/Response • Fixes everything, and cards are available that use it • Drawbacks: • Complexity: crypto circuitry on the card • Bi-directional communication with reader is now required

  20. Alternative: Rolling codes • Also fixes everything • Used e.g. in auto keyless entry • Advantage: • No bi-directional communication required • Disadvantage: • Needs non-volatile storage

  21. Conclusion • ID-only cards are not in any mathematical sense secure • Secure alternatives exist • Depending on the application, they might not be better • It would be nice if the vendors would tell you what you’re getting

  22. Thank you

More Related