[Full-disclosure] RFID Attack theory
I have read more since the initial post in regards to RFID hacking.

"Session replay" would probably be the best approach if you wanted to clone
the contents of an RFID proximity card, access card, and so on: basically
anything that uses static data on the card for identification. I have been
informed that each RFID chip/card has a UID burned in, similar to MACs on
network cards, so it's easier to replay this than to locate a blank card
and burn the data.

So most of the research has been done here already, which brings me to the
work done by www.rfidvirus.org
They have some really good ideas about attacking the middleware using SQL
injections, SSL includes, and buffer overflows on the reader-to-middleware
interface. Some really good stuff.

What about attacking the reader itself and not the middleware? You
wouldn't have to worry about "cloning" or "session replay" at this point.
The ISO defines the protocol used to communicate from the reader to the
card, then the reader to the middleware, and so on. What if you were to attack
the reader and exploit it directly, before even going to the middleware and
the app logic?

I'm thinking that the middleware will send some type of confirmation to open
a door for instance. So if you could reproduce this by exploiting the
communication between the card and the reader you could open the door.

My thinking was more along the lines of when certain types of authentication
or encryption are used: if you could exploit the communication protocol
itself, then you could bypass the proposed layers of security.
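The replay problem described above, as an added example that is not part of the original message: a small Python model of a reader that accepts a static UID beside one that issues a fresh challenge and checks a keyed response. The key, UID, and function names are constructed for the illustration, not taken from any real card or reader.

```python
import hmac
import hashlib
import secrets

# Constructed demo values (not real card data): shared key and card UID.
CARD_KEY = b"demo-shared-key-0001"
CARD_UID = b"\x04\xa1\xb2\xc3"

def static_uid_reader(presented_uid, allowed_uids):
    """Static-data scheme: the card only emits its UID, so replayed bytes
    are indistinguishable from the genuine card."""
    return presented_uid in allowed_uids

def card_respond(key, uid, nonce):
    """What the genuine card computes; a copied UID without the key cannot."""
    return hmac.new(key, uid + nonce, hashlib.sha256).digest()

class ChallengeResponseReader:
    """Reader that binds each session to a fresh nonce and a keyed MAC, and
    logs used nonces so a captured transcript cannot be replayed."""
    def __init__(self, key):
        self.key = key
        self.outstanding = None   # nonce of the challenge currently in flight
        self.used_nonces = set()  # freshness log

    def challenge(self):
        self.outstanding = secrets.token_bytes(16)
        return self.outstanding

    def verify(self, uid, nonce, response):
        # Reject anything not bound to the live challenge or already seen.
        if nonce != self.outstanding or nonce in self.used_nonces:
            return False
        self.used_nonces.add(nonce)
        self.outstanding = None
        return hmac.compare_digest(card_respond(self.key, uid, nonce), response)

def replay_demo():
    """Capture one legitimate exchange, then replay it against both schemes."""
    static_replay = static_uid_reader(CARD_UID, {CARD_UID})  # captured UID reused
    reader = ChallengeResponseReader(CARD_KEY)
    nonce = reader.challenge()
    captured = (CARD_UID, nonce, card_respond(CARD_KEY, CARD_UID, nonce))
    live_ok = reader.verify(*captured)     # genuine card, first use
    reader.challenge()                     # next session gets a new nonce
    replay_ok = reader.verify(*captured)   # the captured transcript replayed
    return {"static_replay_accepted": static_replay,
            "challenge_response_live_accepted": live_ok,
            "challenge_response_replay_accepted": replay_ok}
```

The static scheme accepts the reused UID every time, while the challenge-response reader accepts the genuine first exchange and rejects the same transcript on the next session.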

JP
www.packetfocus.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
