6_rfid

  • RFID

    Erik Poll, Digital Security

    Radboud University Nijmegen

    1

  • RFID tags

    RFID = Radio-Frequency IDentification. RFID devices are called tags or transponders.

    More powerful RFID tags are also called contactless smartcards.

    Inductive coupling is used for energy transfer to the card, transmission of the clock signal, and data transfer.

    Simple tags only support data transfer from the tag to the reader.

    2

  • Various kinds of RFID tags

    Animal identification RFID tags (ISO 11784 & 11785) only transmit a permanently programmed id code.

    Advanced transponders (ISO 14223) have more data and support writing & write-protection; compatible with ISO 11785.

    Contactless smartcards: close coupling: a few mm (ISO 10536); proximity: less than 10 cm (ISO 14443); vicinity: more than 10 cm (ISO 15693).

    Many of these contactless smartcards are not very smart: memory cards instead of microprocessor cards.

    3

  • Various kinds of RFID tags

    Container identification (ISO 10374): active, battery-operated transponder.

    Anti-theft systems (VDI 4470): only one bit of information.

    Item management (ISO 18000 + others): essentially RFID bar codes; GTAG (Global Tag), joint effort of EAN (European Article Numbering Association) and UCC (Universal Code Council).

    4

  • stupid memory transponders

    read-only: ie tag just shouts its serial number; communication one way only

    writable, no write-protection: 1 byte to 64 Kbyte, in fixed blocks, eg 16 bit, 4 byte, ..; no protection on writing

    writable, some write-protection: password/key or more complicated authentication procedure; state machine operating system possible, offering segmented memory, each memory segment with its own key; important standard: MIFARE (Classic); others: DESfire, Calypso, ATMEL CryptoMemory, Legic, ...

    5

  • smart microprocessor transponders

    like normal smartcard, ie smart, but (also) wireless, but with a lot less power: ISO 14443 5 mW; GSM 11.11 50 mW; ISO 7816 300 mW

    NB reduced resources for serious crypto or countermeasures

    Dual contact cards can allow different functionality via contacts and contactless

    6

  • NFC = Near Field Communication

    Implemented in mobile phones; compatible with ISO 14443 proximity cards.

    Phone can act as reader (active mode) or as a tag (passive mode).

    The next big thing in mobile phones?

    First trial with payments with NFC mobile phones in Leiden now.

    Erik Poll SoS - Radboud University Nijmegen

    7

  • pros & cons of contact vs contactless?

    pros contactless: ease of use; no wear & tear of contacts on card and terminal; less maintenance; less susceptible to vandalism.

    cons contactless: easier to eavesdrop on communication? (terminal communication easier to eavesdrop than tag communication); communication possible without owner's consent, for replay or relay (man-in-the-middle) attacks; cheap tags have limited capabilities to provide security (eg amount of data, access control model, crypto).

    8

  • passive vs active attacks on RFID

    passive attacks: eavesdropping on communication between passport & reader; possible from several meters

    active attacks: unauthorised access to tag without owner's knowledge; activating RFID tag possible up to 25 cm; requires powerful field! aka virtual pickpocketing; variant: relay attack

  • Anti-collision

    Additional complexity of contactless cards: several cards may be activated by the reader; an anti-collision protocol is needed for the terminal to select one card to talk to.

    10
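As an added illustration of what the anti-collision protocol on this slide has to achieve (example code written for this page, not taken from the slides), here is a simplified bit-level model of the ISO 14443-3 Type A selection loop: every tag whose UID starts with the prefix the reader has confirmed so far answers at once, the reader sees the first bit where the answers disagree, picks one branch and repeats until one UID comes through without a collision. The UIDs are constructed sample values; the byte framing, cascade levels and CRCs of the real protocol are left out.

```python
# Added example, not from the slides: a simplified bit-level model of the
# ISO 14443-3 Type A anti-collision loop, with constructed 32-bit UIDs.
UID_BITS = 32

def bits(uid):
    return format(uid, f"0{UID_BITS}b")

def merged_response(responses):
    """What the reader hears when several tags answer at once: a bit position
    where the answers disagree is detected as a collision and marked 'X'."""
    return "".join(col[0] if len(set(col)) == 1 else "X" for col in zip(*responses))

def select_one(uids, prefer="0"):
    """One anti-collision loop over the tags in the field. Returns
    (selected_uid, transcript); the transcript lists, per round, the UID
    prefix the reader sent and the bits it heard back."""
    known = ""  # UID prefix confirmed without collision so far
    transcript = []
    while True:
        # Reader: "every tag whose UID starts with `known`, send the rest".
        answers = [bits(u)[len(known):] for u in uids if bits(u).startswith(known)]
        heard = merged_response(answers)
        transcript.append((known, heard))
        if "X" not in heard:
            return int(known + heard, 2), transcript
        # Collision: keep the clean bits, choose one branch of the tree, retry.
        known += heard[: heard.index("X")] + prefer

def enumerate_all(uids):
    """Reader selects tags one at a time; each selected tag is HALTed so it
    stays silent in the following loops. Returns the order of selection."""
    remaining, order = list(uids), []
    while remaining:
        uid, _ = select_one(remaining)
        order.append(uid)
        remaining.remove(uid)
    return order

if __name__ == "__main__":
    tags = [0x80000001, 0x80000002, 0x40000003]  # constructed sample UIDs
    uid, log = select_one(tags)
    for prefix, heard in log:
        print(f"reader sent prefix {prefix or '(none)'}, heard {heard}")
    print("selected", hex(uid), "; order:", [hex(u) for u in enumerate_all(tags)])
```

Note that the loop selects whichever tag wins the tree walk, not necessarily the one the owner is holding, which is why the slides on attacks stress that activation needs no owner consent.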

  • MIFARE

    widely used proprietary standard by NXP (formerly Philips); closely related to, and basis for, ISO 14443; several versions, incl.:

    MIFARE Ultralight, provides only memory with some write restrictions (locking)

    MIFARE standard 4k, also provides authentication and communication encryption by proprietary CRYPTO-1 algorithm

    Crypto-1 was logically reverse-engineered and broken by Nijmegen cryptanalysis researchers

    12

  • Other RFID tags with (broken) proprietary crypto

    Other cards investigated and broken by the Nijmegen cryptanalysis team (Flavio Garcia, Gerhard de Koning Gans, and Roel Verdult): ATMEL SecureMemory, CryptoMemory and CryptoRF; HID iClass, iClass Elite; Hitag2 (used in car keys); Megamos crypto (used in car immobilisers)

    Moral of the story: don't use proprietary crypto, obviously

  • google for MIFARE & youtube

    14

  • Common weakness, irrespective of crypto used

    75% of MIFARE RFID applications use default (transport) keys or keys used in examples in documentation [Source: Lukas Grunwald, DEFCON14, 2007]

    A0A1A2A3A4A5 is an initial transport key that many tags ship with. Googling for A0A1A2A3A4A5 produces links to documentation with other example keys to try!

    15

  • MIFARE Ultralight

    No keys or crypto to protect memory access. Relies on read-only and write-once memory for security.

    Memory organised in 16 pages of 4 bytes: first part is read-only, includes 7 byte serial number; second part is One Time Programmable (OTP): you can write 1's, not 0's, includes data for locking; third part is readable & writable.

    NB security only provided by OTP, by locking pages, and by having signed/encrypted data in pages, where crypto is done by terminals, not the tag.

    16

  • Fundamental weakness

    No way to protect against spoofing of tags.

    Ghost device for spoofing RFID signals

    17

  • MIFARE Ultralight memory layout

    Page      byte 0     byte 1   byte 2   byte 3
    0         sn0        sn1      sn2      checksum   serial no, read only
    1         sn3        sn4      sn5      sn6        serial no, read only
    2         checksum   ???      lock 0   lock 1     OTP
    3         OTP 0      OTP 1    OTP 2    OTP 3      OTP
    4 to 15   application data                       read/write

    18
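To make concrete what the OTP rule (you can write 1's, not 0's) and the lock bytes in this layout give an application, here is an added example, written for this page rather than taken from the slides or from NXP: a small model of the tag's memory in which pages 0 to 2 are read-only except for the two lock bytes, page 3 and the lock bytes only ever go from 0 to 1, and a page whose lock bit is set rejects writes. The serial number is a constructed sample; the lock-bit-to-page mapping and the checksum (BCC) formulas are assumed from the MIFARE Ultralight datasheet, not from the slides.

```python
# Added example, not from the slides: a model of the MIFARE Ultralight memory
# layout above, where OTP page 3 and the lock bytes of page 2 are
# one-time-programmable (bits can be set, never cleared).

class UltralightTag:
    def __init__(self, sn=bytes.fromhex("04112233445566")):  # constructed 7-byte serial
        # "checksum" bytes per the datasheet: BCC0 = 0x88 ^ sn0 ^ sn1 ^ sn2, BCC1 = sn3 ^ .. ^ sn6
        bcc0 = 0x88 ^ sn[0] ^ sn[1] ^ sn[2]
        bcc1 = sn[3] ^ sn[4] ^ sn[5] ^ sn[6]
        self.mem = [bytearray(4) for _ in range(16)]  # 16 pages of 4 bytes
        self.mem[0][:] = bytes([sn[0], sn[1], sn[2], bcc0])
        self.mem[1][:] = sn[3:7]
        self.mem[2][:] = bytes([bcc1, 0x00, 0x00, 0x00])  # bcc1, internal, lock0, lock1

    def read(self, page):
        return bytes(self.mem[page])

    def locked(self, page):
        # datasheet mapping: lock0 bits 3..7 lock pages 3..7, lock1 bits 0..7 lock pages 8..15
        lock0, lock1 = self.mem[2][2], self.mem[2][3]
        if 3 <= page <= 7:
            return bool((lock0 >> page) & 1)
        if 8 <= page <= 15:
            return bool((lock1 >> (page - 8)) & 1)
        return True  # pages 0-2 hold the serial number and are read-only

    def write(self, page, data):  # model of the 4-byte WRITE command; True = accepted
        if page == 2:  # only the two lock bytes are writable, and only 0 -> 1
            self.mem[2][2] |= data[2]
            self.mem[2][3] |= data[3]
            return True
        if self.locked(page):
            return False
        if page == 3:  # OTP page: 1's set bits, 0's change nothing
            for i in range(4):
                self.mem[3][i] |= data[i]
            return True
        self.mem[page][:] = data  # pages 4-15: ordinary read/write memory
        return True

def demo():
    """OTP bits cannot be cleared, a locked page rejects writes, lock bits stay set."""
    tag = UltralightTag()
    tag.write(3, bytes.fromhex("00000001"))  # burn one OTP bit (e.g. one ride of a ticket)
    tag.write(3, bytes.fromhex("00000000"))  # try to un-burn it: no effect
    tag.write(4, b"DATA")
    tag.write(2, bytes([0, 0, 0x10, 0]))     # lock0 bit 4 set: page 4 becomes read-only
    rejected = tag.write(4, b"NEW!")         # False, page 4 keeps b"DATA"
    tag.write(2, bytes([0, 0, 0x00, 0]))     # cannot clear the lock bit again
    return tag.read(3), tag.read(4), rejected, tag.locked(4)
```

A terminal that counts burnt OTP bits can rely on that count only ever growing on a genuine tag; nothing in the memory model itself stops a ghost device from presenting a copy of the contents, which is the fundamental weakness noted on slide 17.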