Digital Bond has started backing Kickstarter projects in order to build up our rack of security assessment and research tools. One of our recent deliveries is the RFIDler, a low-cost 125khz and 134khz RFID tool. RFIDler is an interesting project because it combines an easy-to-use command line interface with a software defined radio, at roughly 1/4th the cost of the Proxmark3. As a tool, it can be used to both easily clone low-security cards and to explore as-yet-unsupported card formats so that you can clone or attack new kinds of proximity card.
For testing the RFIDler, we in the Labs used a handful of unknown tokens, purchased a long, long time ago — so long ago that we didn’t even know what kind of tags they were (let alone where we bought them from). The tags, along with a bare-board unlabeled reader, were originally going to be used as an RFID garage door opener, as a replacement for a standard pinpad. The RFIDler is such a nice tool because now we can find out what kind of reader these badges use, and help us determine whether the project can even be done securely.
The RFIDler contains some nice token exploration commands. The most basic of these is the command-line, ‘autotag’ command, which attempts to read your token using all of the currently supported formats.
‘autotag’ output
‘autotag’ of course attempts all of the format types, many of which produce data. So, what is the actual type of our tag?
It appears likely that it is either an EM4x02 or a Q5, although it could be some unknown tag type that uses Amplitude Shift Keying as its communication mechanism (a somewhat wild guess, although the data read under ASKRAW mode repeats which suggests that mode is correct, but the frequency and other settings may be wrong). If we want to explore the tag’s actual RF characteristics under the ASK mode, we’ll simply need to install pyserial, and matplotlib, and run the ‘rfidler.py’ script from the RFIDLer software repository. The script helps a great deal by visualizing the RF output of a tag. Aperture Labs already has a nice tutorial on exploring the RF characteristics of tags using their tools. An improvement (imho) in the more recent releases of the RFIDler software is copying the logic analyzer plot above the raw RF signal, making it easier to read.
When determining our tag type, we encounter a helpful hint on the tag itself: it is badge # 0012781359, as printed on the tag. In hexadecimal, this is 0xc3072f, which nicely matches the last few octets read from it in EM4x02 mode. In order to copy the tag, we first set the tag to em4x02 mode (note tag modes must be entered in lower-case on the command-line interface), then ‘copy’ the tag, and enter ’emulator’ mode (which constantly replays the tag data to any reader that will listen).
Copying the tag and entering emulator mode. Sometimes the badge will fail to copy on the first try.
The RFIDler will now grant you access to whatever the original badge would.
RFID is an interesting security problem, and the vendors of RFID technology do a lot to muddy the waters. If we read the up on the EM4x02 badge type, for example, we find out that it is often advertised under the brand name, “Trovan Unique”. If we go ahead and read the marketing literature on these badges, we might be led to believe that they’re pretty secure. After all, the badge IDs are programmed with lasers (yes, LASERS!), and patents somehow protect them from third-party cloning.
Of course, patent protections protect the vendor, not their customers. In fact, since patents are public documents, the fact that the RFID system is patented actually makes an attacker’s life easier. Read another way, patent protection can mean, “You can’t duplicate your own badges, you have to pay us to do it.” (Or, optionally, you could buy an RFIDler, since this tag type can be replayed by the device).
Other tags behave similarly and suffer the same Bad Marketing. For example HID sells a legacy badge type, the Indala series. Reading over their marketing literature we see all the right buzzwords: these badges feature encrypted passwords, and use an exclusive site ID. They, “prevent fraudulent entry attempts,” using these features. However the encrypted data on the badge is played verbatim each time the badge is activated, meaning that the RFIDler can clone this type of card too. In fact, writing the data from these badges to a blank card is also possible.
For a simple yet effective attack, a crafty hardware assembler such as our own Stephen Hilt (of PLCPwn fame) could cobble together a neat “MITM” badge skimmer. I imagine a Raspberry Pi with two RFIDlers: one disguised to look like the badge reader, and the other hovering over the *actual* badge reader. When an employee swipes their badge, the Pi records the badge ID and immediately replays it onto the internal RFIDler. The door unlocks after a very short delay, and the attacker gets yet another cloned badge for malicious purposes.
There are ‘quick and easy’ ways to fix your badging system if you are using a cloneable badge type. The simplest solution is to replace scanning pads in key security areas with ones that support a PIN entry. Even if the PIN entry only needs to take place during unstaffed hours, it makes a cloned badge a lot harder to use. An avenue of exploration is detection — building an entry server log monitor that can alarm when a badge is being used in geographically distant places in too short a time. If the same badge is used within minutes in buildings that are several miles apart, for example, it might make sense to alert security staff. Finally, staff can help by removing badges in public places, and using RFID blocking sleeves when not at work.
Of course, the ‘best’ (and also most expensive) solution is to replace cloneable badge types with badges that perform true challenge-response. The badge is loaded with a private key (as is the reader), . The reader can quickly determine whether the card is allowed. While this provides a lot more security than classic replayable badge types, even these may have issues. RFIDler, at least, will let you explore what those issues are in 125-134khz cards.
Radio tower image by polandmfa.