
I'm attempting to do some RFID and NFC cloning and replaying research, as I'm hoping to be able to demo physical security as an attack vector to a few of our clients and prospects.

The downside (ironically) is that from what I can tell, RFID and NFC as a means of physical security (read: office / server room door locks) is relatively secure at this point.

The most recent relevant info I could find was BishopFox's Blackhat 2014 demo.

Yet, their hardware approach seemed more "heavy-duty" than I was planning to have to set up. I was hoping for something less overt.

I was also desperately hoping that the XDA-forums would have some obscure Android NFC exploit I could use, since that seemed "new" enough to be relevant in 2016, but I was shocked to read an overwhelming number of posts saying that current iterations of NFC ID cards aren't even susceptible to cloning.

Even Adam Laurie's most recent public exploit was apparently all the way back in 2010.

So, is RFID and NFC no longer a relevant threat to companies in terms of physical security (read: door locks, ID badges, etc.)?

  • If so, what current tech has mitigated that risk?
  • If not, what am I missing / am I living under a rock?
Rory Alsop
WorseDoughnut
  • RFID attacks are more common than ever. We had a superb demonstration at ISF Congress this year. NFC attacks likewise, which is why wallets with metal shielding are more and more popular – Rory Alsop Dec 10 '17 at 20:16

1 Answer

Most proximity card based systems use some variation of ISO 14443 to communicate between the card and the reader, but are not necessarily based on NFC. (RFID is a rather all-encompassing term, itself covering almost any use of radio waves to identify a target.) Beyond that, there has been significant evolution in what is sent across the RF.

Many people think of RFID tags that send a single static number when they're interrogated, and these tags do exist -- they're often used for inventory tracking or similar functions. They're not, however, generally used for access control. Systems for access control involve challenge-response and cryptography in their operations.

Even the long-broken MIFARE Classic uses cryptography, but it uses only a 48-bit key, and some weaknesses were identified that allow for ciphertext-only attacks or active attacks when talking to the reader. Since 2015, NXP has recommended that new installations not use MIFARE Classic.

More modern systems like DESFire EV2 have not yet shown cryptographic weaknesses, but that is no guarantee of long-term strength, it's just not currently possible to clone such a card. (As you don't have the right keys to talk to the card.) Of course, if you can get your hands on a legitimate reader with the keys baked in, you can read them, but I believe NXP recommends a per-site key.

Over on the HID side of things, they use a slightly different technology. HID proxcards (iClass and so forth) have actually been remarkably resilient in general. iClass was problematic because of a globally shared key -- IIRC, it was originally extracted from a reader that did not use a secure element to store the key. iClass SE rotated the key and allowed individual sites to reprogram readers to use custom keys. iClass SEOS actually runs a full JavaCard, so it can do a number of things with the embedded chip. At the very least, it will be able to emulate iClass SE (and I believe they've licensed DESFire EV2 and can emulate it as well).

Despite all of that research, very many sites are still using HID iClass, classic Proxcard, or MIFARE Classic for access control. In the consulting world, you'll see no shortage of opportunities for badge cloning.

David