25C3: Many RFID cards poorly encrypted
Karsten Nohl, the security investigator who had a big hand in cracking NXP's Mifare Classic chips, says many RFID smartcards from other manufacturers are also vulnerable to a simple hacker attack. He told the 25th Chaos Communication Congress (25C3) in Berlin that "Almost all RFID cards use weak proprietary encryption systems" and only the latest types were any better. For example, several generations of Legic, HID and Atmel cards have holes in their armour.
RFID cards are used today to control access to buildings, rooms, cars or electronic devices. Mifare chips are also widely used in payment systems, such as those in short-distance public transport. The general expectation is that such RFID tags, all operating on the same frequency of 13.56 MHz, will eventually be used as generic identifiers for products and people, and they are already in use in passports and credit cards. However, said Nohl, the chip manufacturers have so far criminally neglected the standard of encryption used by these chips and the standard of the reading systems, which ought to satisfy the requirements of both data protection and system security.
Using as an example the Mifare Classic card, he and his comrade-in-arms in the Chaos Computer Club (CCC), Henryk Plötz, demonstrated that its encryption could be compromised by simple proxy or relay attacks. In principle, he said, an attacker need only determine, say with an emulator, that an appropriate SmartCard was within range. All doors would then be open to him.
For example, freely available OpenPICC hardware, a counterpart to the OpenPCD RFID reader, could be used for hacking these cards. This emulator, said Nohl, can be carried in a trouser pocket, and can generate and send a suitable RFID tag identification number. All that is needed is to eavesdrop on a legitimate authentication, initiate the same routine later on, and respond with the recorded communication. Random numbers are also required, but as a rule these tiny radio chips have insufficient processing power to generate them reliably. In the case of many RFID cards, therefore, these supposedly random sequences of digits have proved to be easy to predict. A further weakness, added Plötz, is that readers do not use existing protocols to check the distance between themselves and a nearby chip. Such protocols require a measurement of the time taken for the radio signals to travel out and back, which would add considerably to the cost of card readers.
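The two weaknesses in the paragraph above, predictable "random" challenges and the absence of a distance check, can be shown with a small model. The following is an added example written for this article, not code from the researchers, from OpenPICC or from any card vendor: a toy reader/card challenge-response in which an HMAC stands in for the card's cipher, the key and the LFSR seed are constructed values, and `WeakReader` models a reader whose challenge generator restarts from the same state on every power-up. It shows that a transcript recorded from one legitimate session answers the weak reader's next challenge without any key, while a reader drawing its challenge from a CSPRNG rejects the same replay; the last function is the round-trip-time arithmetic a distance-bounding reader would have to perform.

```python
import hashlib
import hmac
import secrets

# Hypothetical shared key between reader and card (constructed for this example).
SHARED_KEY = b"constructed-demo-key"

SPEED_OF_LIGHT_M_PER_S = 299_792_458.0


def card_response(key: bytes, challenge: bytes) -> bytes:
    """Toy card: proves knowledge of the key by MAC-ing the reader's challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class WeakReader:
    """Reader whose 'random' challenge is the output of a 16-bit LFSR that is
    reset to a fixed seed each time the reader powers up, so every session
    begins with the same challenge (a model of the predictability described)."""

    SEED = 0x1D4F  # constructed seed, reloaded on every power-up

    @staticmethod
    def _lfsr16_step(state: int) -> int:
        # Fibonacci LFSR with taps 16, 14, 13, 11
        bit = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
        return (state >> 1) | (bit << 15)

    def challenge(self) -> bytes:
        state = self.SEED  # no entropy survives a power cycle
        for _ in range(8):
            state = self._lfsr16_step(state)
        return state.to_bytes(2, "big")

    def verify(self, challenge: bytes, response: bytes) -> bool:
        return hmac.compare_digest(card_response(SHARED_KEY, challenge), response)


class FreshNonceReader:
    """Reader that draws every challenge from the OS CSPRNG."""

    def challenge(self) -> bytes:
        return secrets.token_bytes(4)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        return hmac.compare_digest(card_response(SHARED_KEY, challenge), response)


def record_session(reader) -> dict:
    """Eavesdropper's view of one legitimate authentication: {challenge: response}."""
    challenge = reader.challenge()
    response = card_response(SHARED_KEY, challenge)
    assert reader.verify(challenge, response)  # the genuine card is accepted
    return {challenge: response}


def replay_succeeds(reader, transcript: dict) -> bool:
    """A later session in which an emulator holds only the recorded transcript.
    It answers the new challenge by lookup; no key material is involved."""
    challenge = reader.challenge()
    response = transcript.get(challenge)
    return response is not None and reader.verify(challenge, response)


def replay_outcomes() -> tuple:
    """(weak reader accepts replay, fresh-nonce reader accepts replay)."""
    weak, strong = WeakReader(), FreshNonceReader()
    return (replay_succeeds(weak, record_session(weak)),
            replay_succeeds(strong, record_session(strong)))


def max_distance_m(round_trip_s: float, card_processing_s: float) -> float:
    """Upper bound on card distance implied by a measured round-trip time,
    after subtracting the card's known processing delay: light covers the
    path twice, so one metre of distance costs about 6.7 ns of round trip."""
    flight_time = max(round_trip_s - card_processing_s, 0.0)
    return SPEED_OF_LIGHT_M_PER_S * flight_time / 2.0


if __name__ == "__main__":
    print(replay_outcomes())               # (True, False)
    print(round(max_distance_m(12e-9, 2e-9), 3))  # 1.499
```

The nanosecond budget in `max_distance_m` is the point Plötz makes about cost: a reader that wants to tell a card at 10 cm from one relayed from across the street needs timing resolution well below a microsecond, which ordinary 13.56 MHz readers do not have.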
Nohl reported that many RFID cards do not put up much resistance to more sophisticated cryptographic attacks, such as algebraic, statistical or brute force attacks. It is usually sufficient to identify the purely statistical weaknesses in the encryption implementations. In order to help hackers make further tests on the security of radio chips, the two researchers have published the TI EVM tool, which, they say, supports various protocols. They have also announced OpenPICC2 as a further powerful emulator, which doubles as an e-book reader. Nohl recommended that the makers of RFID solutions use standardised encryption algorithms and protocols and not prescribe the use of their radio systems for tagging humans. Tested norms should furthermore be worked out for "secure RFID".
For more from 25C3, see also:
- 25C3: SMS "killer application" for many Nokia mobiles
- 25C3: MD5 collisions crack CA certificate
- 25C3: More light shed on "denial of service" vulnerabilities in TCP
- 25C3: Reliable exploits for Cisco routers
- 25C3: Cracks in the iPhone security architecture