[Infowarrior] - E-Passport Hacker Designs RFID Security Tool

Richard Forno rforno at infowarrior.org
Tue Apr 15 03:45:45 UTC 2008


E-Passport Hacker Designs RFID Security Tool
By Kim Zetter, April 14, 2008, 1:13:55 PM. Categories: Hacks and Cracks


http://blog.wired.com/27bstroke6/2008/04/e-passport-hack.html

The team that produced the RFDump research/hacker tool for cloning and
altering data stored on radio-frequency ID tags has now come out with a
product to thwart RFID hackers.

German security researcher Lukas Grunwald, who made headlines two years ago
for uncovering security vulnerabilities in new electronic passports being
adopted by the U.S. and other countries, created RFDump with colleague Boris
Wolf in 2004.

Now the two have created RF-Wall (shown on the lower shelf in the picture at
right) to help thwart RFID fraud and attacks against e-passports, electronic
access cards and payment cards -- such as the Mifare Classic card that is
used in the London Underground and which security researchers recently
cracked.

The device, which Grunwald and Wolf are producing for their new
California-based company NeoCatena, is a hybrid firewall and
intrusion-detection system that sits between an RFID reader and its back-end
system. It's designed to detect counterfeit and cloned RFID chips and
prevent an attacker from injecting malware into a back-end system with a
rogue RFID chip. They'll be debuting the device this week at the RFID
Journal Live conference in Las Vegas but gave me a demonstration of it this
weekend.

The box can be loaded with virus signatures to detect known types
of attacks and uses heuristics to detect other malicious activity, such as
generic SQL-injection attacks (such as the one that appears in the
screenshot above right). The device can be restricted to read only RFID
cards that have specific serial numbers and reject all others. It also can
be used to digitally sign chips so that any chips that are altered after
being issued are rejected by the RFID reader. The system uses the HMAC
algorithm for the digital signature. Grunwald and Wolf hold a patent on the
use of HMAC with RFID technology.

Last year Grunwald revealed that he'd been able to sabotage the e-passport
readers of two unnamed manufacturers by embedding a buffer overrun exploit
in the JPEG2000 file of a cloned passport chip. The JPEG file contains a
digital photo of the passport holder.

Recently other researchers cracked the encryption used in Mifare Classic
chips that are used in door access systems around the world as well as in
the London Underground's Oyster card.

It's long been known that RFID readers and chips are insecure, but trying to
fix systems that have already been widely deployed has its challenges,
particularly since there are a number of different types of chips and
readers on the market, which work at different frequencies.

"A lot of people are thinking about on-tag security -- putting cryptography
on the tag," Wolf says. "But those tags are limited in their computational
power, or even if you can get that worked out, the more encryption technology
you have on the tag, the more expensive it is. We're saying you don't have
to worry about what's happening with your tag if you can verify whether
there's data integrity or not."

Grunwald says they've shown the tool to a large pharmaceutical company based
in Switzerland that is interested in using it to distinguish authentic drugs
and equipment -- such as dialysis machines -- from counterfeit products. He
says an Asian country is also interested in using RF-Wall with its electronic
passport system.

During a demonstration for me, Grunwald and Wolf used RFDump to alter the
value on a digitally signed transportation card from $10 to $99. On a first
pass without RF-Wall in place, the RFID reader accepted the card. After they
connected the device, however, the system rejected the tag. The system also
rejected a tag that was embedded with SQL injection code.
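The HMAC-based integrity check described earlier, together with the $10-to-$99 tamper case from the demonstration, as an added example that is not RF-Wall's code or the authors' design: the key, serial numbers and message layout are assumptions, and the MAC is bound to the chip serial so that a valid record copied onto another chip is rejected as well.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key; a deployment would hold this only on the verifier side.
ISSUER_KEY = b"constructed-demo-key-do-not-reuse"


@dataclass
class Tag:
    serial: bytes  # chip UID, normally factory-fixed (assumed format)
    value: int     # stored balance in dollars, written by the issuer
    mac: bytes     # HMAC-SHA256 over (serial, value), written at issue time


def _message(serial: bytes, value: int) -> bytes:
    # Bind the MAC to the serial so a valid record copied onto another chip fails.
    return serial + b"|" + str(value).encode()


def issue_tag(serial: bytes, value: int, key: bytes = ISSUER_KEY) -> Tag:
    """Issuer side: write the value and its HMAC to the chip."""
    mac = hmac.new(key, _message(serial, value), hashlib.sha256).digest()
    return Tag(serial, value, mac)


def verify_tag(tag: Tag, key: bytes = ISSUER_KEY, allowed_serials=None) -> bool:
    """Inline verifier: reject unknown serials and any chip whose MAC no longer matches."""
    if allowed_serials is not None and tag.serial not in allowed_serials:
        return False
    expected = hmac.new(key, _message(tag.serial, tag.value), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking the MAC byte by byte through timing.
    return hmac.compare_digest(expected, tag.mac)


def demo() -> dict:
    genuine = issue_tag(b"04A1B2C3", 10)
    tampered = Tag(genuine.serial, 99, genuine.mac)        # balance rewritten, MAC stale
    cloned = Tag(b"00000000", genuine.value, genuine.mac)  # record copied to another chip
    return {
        "genuine": verify_tag(genuine),
        "tampered": verify_tag(tampered),
        "cloned": verify_tag(cloned),
        "not_on_allowlist": verify_tag(genuine, allowed_serials={b"FFFFFFFF"}),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The verifier never needs to trust the chip's own logic: it only needs the issuer key and the bytes read from the tag.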

The screenshot at right shows the backend of an RFID inventory system after
malware on a rogue chip has crashed it.


They currently only have a prototype, but the system, when produced, is
expected to market at $25,000 to $60,000.

Paul Roberts, a security analyst with the 451 Group, says the approach
Grunwald and Wolf are using -- to have a device sitting inline between the
reader and the backend, rather than try to secure the reader and chips
themselves -- is smart. He also sees value in watermarking RFID for
products. But he wonders if companies would invest in a device like this to
prevent intruders from gaining unauthorized access to buildings that use
RFID cards or to prevent malicious attacks against back-end systems.

"The bottom line is cost," he says. "Unless you open the newspaper to find
your company or your competitor on the pages -- like Hannaford -- companies
aren't likely to put out the cost for a solution like this."

Roberts notes that even companies with sensitive security facilities, such
as ones that deal with critical infrastructures, have been reluctant to
upgrade RFID access systems to more secure ones due to cost.
