evaluation of the feasible attacks against rfid tags for
play

Evaluation of the feasible attacks against RFID tags for access - PowerPoint PPT Presentation

Nov 22, 2023 •628 likes •847 views

Evaluation of the feasible attacks against RFID tags for access control systems Hristo Dimitrov & Kim van Erkelens University of Amsterdam February 4, 2014 1 / 20 Contents Introduction 1 Background 2 Methods 3 Findings 4

  1. Evaluation of the feasible attacks against RFID tags for access control systems Hristo Dimitrov & Kim van Erkelens University of Amsterdam February 4, 2014 1 / 20

  2. Contents Introduction 1 Background 2 Methods 3 Findings 4 Conclusion 5 2 / 20

  3. RFID and access control systems Proximity Integrated Circuit Card (PICC) 3 / 20

  4. Research questions Main question What should one focus on when performing a security testing of an implementation of an RFID access control system? Subquestions 1 Which are the known attacks against the tags for various implementations of RFID access control systems? 2 How feasible are those attacks and what kind of threat do they introduce? 3 What is the applicability of these attacks for different types of systems? 4 / 20

  5. Related work Previous Research Known attacks against RFID systems: Classification of RFID attacks Practical attacks against RFID systems A Framework for Assessing RFID System Security and Privacy Risks Our contribution Test and give an overview of the known attacks Advice about a practical approach for assessments 5 / 20

  6. Experimental setup System Description Supported tag types A External Company 1 MIFARE Classic B External Company 2 HID C Demo Kit 1 MIFARE Classic and DESFire D Demo Kit 2 EM410x Low Frequency (120 - 150 kHz) HID (ProxCard II) EM410x High Frequency (13.56 MHz) MIFARE Classic MIFARE DESFire MIFARE UltraLight 6 / 20

  7. Sector layout of MIFARE Classic 1K 7 / 20

  8. Tools Hardware Proxmark 3 NFC readers Software Proxmark client (revision 840) libnfc 1.7.0 Kali Linux 8 / 20

  9. Approach Measured specifications Time Knowledge and Skills Resources Success Rate Gain Additional requirements 9 / 20

  10. Findings Attacks: Key Retrieval Default Keys DarkSide Attack Snooping and MFKey Nested Attack Faking a valid tag Tag Emulation Tag Cloning Relay attack 10 / 20

  11. Relay attack Feasibility: Slow, Intermediate to Perform 11 / 20

  12. Default Keys Against MIFARE Classic tags Performed using the Proxmark Tool Tag Status 6 SUCCESSFUL 7 SUCCESSFUL 8 SUCCESSFUL 10 SUCCESSFUL 11 SUCCESSFUL 12 SUCCESSFUL 13 SUCCESSFUL 14 SUCCESSFUL 17 SUCCESSFUL 18 SUCCESSFUL 19 SUCCESSFUL 20 SUCCESSFUL 21 SUCCESSFUL 22 SUCCESSFUL 29 SUCCESSFUL Table: Results from the Default Keys attack for all MIFARE Classic tags. Feasibility: Fast, Easy to Perform, High Success Rate 12 / 20

  13. DarkSide Attack Against MIFARE Classic tags Performed using the Proxmark Tool Tag Status 6 NOT SUCCESSFUL (Hanging) 7 NOT SUCCESSFUL (Hanging) 8 SUCCESSFUL 10 NOT SUCCESSFUL (Hanging) 11 NOT SUCCESSFUL (Hanging) 12 SUCCESSFUL 13 SUCCESSFUL 14 NOT SUCCESSFUL (Hanging) 17 SUCCESSFUL 18 SUCCESSFUL 19 SUCCESSFUL 20 SUCCESSFUL 21 SUCCESSFUL 22 SUCCESSFUL 29 SUCCESSFUL Table: Results from the DarkSide attack for all MIFARE Classic tags. Feasibility: Fast, Easy to Perform, Rather High Success Rate 13 / 20

  14. Snooping and MFKey Against MIFARE Classic tags Performed using the Proxmark Tool Tag System Status 14 C SUCCESSFUL 22 A NOT SUCCESSFUL (Could not capture the entire authentication handshake) Table: Results from the Snooping and MFKey attack for MIFARE Classic tags. Feasibility: Rather Fast / Intermediate, Rather Easy to Perform 14 / 20

  15. Nested Attack Against MIFARE Classic tags Performed using the Proxmark Tool and the NFC reader Tag Proxmark3 NFC ACR122 Reader Status 6 Successful Successful SUCCESSFUL 7 Successful Successful SUCCESSFUL 8 Successful Error: I/O error SUCCESSFUL 10 Error: Sending bytes to proxmark failed Error: I/O error NOT SUCCESSFUL 11 Error: Sending bytes to proxmark failed Successful SUCCESSFUL 12 Successful Error: I/O error SUCCESSFUL 13 Successful Error: I/O error SUCCESSFUL 14 Error: Sending bytes to proxmark failed Error: I/O error NOT SUCCESSFUL 17 Successful Not Tested SUCCESSFUL 18 4K tag - finds the keys and hangs Not Tested SUCCESSFUL 19 4K tag - finds the keys and hangs Not Tested SUCCESSFUL 20 4K tag - finds the keys and hangs Not Tested SUCCESSFUL 21 4K tag - finds the keys and hangs Not Tested SUCCESSFUL 22 Successful Not Tested SUCCESSFUL 29 4K tag - finds the keys and hangs Not Tested SUCCESSFUL Table: Results from the Nested attack for all MIFARE Classic tags. Feasibility: Fast, Rather Easy to Perform, Rather High Success Rate 15 / 20

  16. Tag Emulation Performed using the Proxmark Tool MIFARE Classic tag: Directly after nested attack With help of dump file Successful on demo kit Not successful on External Company 2 (System A) HID Low Frequency tag: Only UID needs to be known Successful on External Company 3 (System 3) EM410x tag: Reading successful, but emulating not (System D) Feasibility: Fast, Easy to Perform, Intermediate Success Rate 16 / 20

  17. Tag Cloning Performed using the Proxmark Tool MIFARE Classic tag: Cards with writable UID Successful on real systems A and C MIFARE UltraLight tag: No special writable UID, Lock Bits and OTP bits was used Not Successful HID Low Frequency tag: Writable HID cards Successful on real system B Feasibility: Fast, Easy to Perform, High Success Rate 17 / 20

  18. Tested attacks feasibility overview Time Knowledge & Skills Resources Success Rate Requirements Default keys little easy Proxmark3 high Access to valid tag / NFC reader DarkSide little easy Proxmark3 rather high Access to valid tag Snooping average intermediate Proxmark3 - Access to a valid authentication handshake Nested attack little intermediate/easy Proxmark3 rather high Access to valid tag /NFC reader low Emulate tag little easy Proxmark3 intermediate Dump of a valid tag Clone tag little easy Proxmark3 high Dump of a valid tag / NFC reader A writable tag Relay attack * a lot intermediate 2x NFC reader - Simultaneous access to valid tag and reader * Attack can be performed without knowing the keys for tags that use encryption 18 / 20

  19. Conclusion RFID access control system assessment guidelines: Identify the type of the used tags. MIFARE Classic - Ensure that: no default keys used, encryption properly used MIFARE DESFire - Rather secure MIFARE UltraLight - Not suitable for access control systems HID or EM410x LF tags - Not secure Others - Not researched Ensure that no sensitive information is written on the tags Ensure security awareness of the employees Ensure that secure enclosures are used for the tags when they are not in use Ensure surveillance around the readers 19 / 20

  20. Questions? 20 / 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Secure UHF Tags with Strong Cryptography Development of ISO/IEC 18000-63 Compatible Secure RFID

Secure UHF Tags with Strong Cryptography Development of ISO/IEC 18000-63 Compatible Secure RFID

Secure UHF Tags with Strong Cryptography Development of ISO/IEC 18000-63 Compatible Secure RFID Tags and Presentation of First Results Walter Hinz, Klaus Finkenzeller, Martin Seysen Barcelona, February 19 th , 2013 Agenda Motivation for

416 views • 26 slides
The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy Ari Juels Ron Rivest

The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy Ari Juels Ron Rivest

The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy Ari Juels Ron Rivest Mike Szydlo MIT CSAIL RSA Laboratories RSA Laboratories What is a R adio- F requency Id entification (RFID) tag? In terms of appearance Chip

678 views • 26 slides
Item Level RFID Tags Extend Memory Not Just an ID Need More Than

Item Level RFID Tags Extend Memory Not Just an ID Need More Than

Item Level RFID Tags Extend Memory Not Just an ID Need More Than Just an ID Expanded memory capacity Transaction history (e.g., pharmaceutical medicine) Extended ownership

461 views • 7 slides
TrainTraxx.com HiveID RFID/NFC Solutions for Model Railroaders Presented by Carlton Brown &

TrainTraxx.com HiveID RFID/NFC Solutions for Model Railroaders Presented by Carlton Brown &

TrainTraxx.com HiveID RFID/NFC Solutions for Model Railroaders Presented by Carlton Brown & Blaine McDonnell Using RFID for Model Railroad Operations What is RFID? How does RFID Work? RFID Frequencies and Type of Tags

853 views • 25 slides
Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine Universit e catholique de Louvain, Belgium Information Security Group SUMMARY RFID Background Relay Attacks Countermeasures and Evolved Frauds

633 views • 40 slides
Smar Smart Tags of Tags of the Futur the Future Faydalar What is Taglette? Taglette is

Smar Smart Tags of Tags of the Futur the Future Faydalar What is Taglette? Taglette is

Smar Smart Tags of Tags of the Futur the Future Faydalar What is Taglette? Taglette is the worlds first and the only RFID based microchip tag which has its own smart device application . Taglette tags makes it possible to get the

588 views • 10 slides
Long Range and Low Powered RFID Tags with Tunnel Diode F. Amato, C. W. Peterson, M. B. Akbar, G.

Long Range and Low Powered RFID Tags with Tunnel Diode F. Amato, C. W. Peterson, M. B. Akbar, G.

Long Range and Low Powered RFID Tags with Tunnel Diode F. Amato, C. W. Peterson, M. B. Akbar, G. D. Durgin School of Electrical and Computer Engineering Georgia Institute of Technology This work was supported, in part, by NSF Grant ECCS

526 views • 33 slides
Item Level RFID Tracking IT Architecture 1 In Intr troducti tion An RFID solution has

Item Level RFID Tracking IT Architecture 1 In Intr troducti tion An RFID solution has

Item Level RFID Tracking IT Architecture 1 In Intr troducti tion An RFID solution has several components, namely: Hardware -comprising readers, handhelds, tags etc Network infrastructure which connects these devices to the system

497 views • 14 slides
Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine Universit e catholique de Louvain, Belgium Information Security Group SUMMARY RFID Background Relay Attacks Distance Bounding Protocols Conclusion

666 views • 53 slides
Initial SRAM State as a Fingerprint and Source of True Random Numbers for RFID Tags Daniel E.

Initial SRAM State as a Fingerprint and Source of True Random Numbers for RFID Tags Daniel E.

Initial SRAM State as a Fingerprint and Source of True Random Numbers for RFID Tags Daniel E. Holcomb, Wayne P. Burleson, and Kevin Fu University of Massachusetts, Amherst MA 01002, USA, { dholcomb, burleson } @ecs.umass.edu, kevinfu@cs.umass.edu

433 views • 12 slides
Strong Crypto for Tiny RFID Tags Challenges and Design Issues 11-13 July 2007, Malaga, Spain

Strong Crypto for Tiny RFID Tags Challenges and Design Issues 11-13 July 2007, Malaga, Spain

VLSI Institute for Applied Information Processing and Communications (IAIK) VLSI & Security Strong Crypto for Tiny RFID Tags Challenges and Design Issues 11-13 July 2007, Malaga, Spain Martin Feldhofer IAIK Graz University of

842 views • 39 slides
Contact-based Fault Injections and Power Analysis on RFID Tags Michael Hutter, Jrn-Marc Schmidt,

Contact-based Fault Injections and Power Analysis on RFID Tags Michael Hutter, Jrn-Marc Schmidt,

VLSI Institute for Applied Information Processing and Communications (IAIK) VLSI & Security Contact-based Fault Injections and Power Analysis on RFID Tags Michael Hutter, Jrn-Marc Schmidt, Thomas Plos ECCTD 2009 Institute for Applied

514 views • 16 slides
Insider attacks and RFID Privacy models Ton van Deursen and Saa Radomirovi c

Insider attacks and RFID Privacy models Ton van Deursen and Saa Radomirovi c

Insider attacks and RFID Privacy models Ton van Deursen and Saa Radomirovi c {ton.vandeursen, sasa.radomirovic}@uni.lu University of Luxembourg Financial support received from the Fonds National de la Recherche (Luxembourg) Ton van Deursen

144 views • 12 slides
Some Recent Development Some Recent Development in RFID Privacy Models Robert H. Deng School of

Some Recent Development Some Recent Development in RFID Privacy Models Robert H. Deng School of

Some Recent Development Some Recent Development in RFID Privacy Models Robert H. Deng School of Information Systems y Singapore Management University 2010/12/6 1 Introduction RFID tags are low-cost electronic devices, from which

547 views • 17 slides
Persistent Security for RFID Mike Burmester and Breno de Medeiros Computer Science Department

Persistent Security for RFID Mike Burmester and Breno de Medeiros Computer Science Department

Persistent Security for RFID Mike Burmester and Breno de Medeiros Computer Science Department Florida State University Tallahassee, FL 32306 { burmeste,breno } cs.fsu.edu Abstract. Low-cost RFID tags are being deployed to support smart

513 views • 12 slides
RFID attacks and proxmark hands-on @ KirilsSolovjovs +4fd9 About me Programming sysad

RFID attacks and proxmark hands-on @ KirilsSolovjovs +4fd9 About me Programming sysad

RFID attacks and proxmark hands-on @ KirilsSolovjovs +4fd9 About me Programming sysad networking IT security for the past 10+ y Owner and Lead Researcher at Possible Security Hacking and breaking things

946 views • 19 slides
Basketball with RFID Alfred Zhong, Vincent Lee Project Description Inspired by the

Basketball with RFID Alfred Zhong, Vincent Lee Project Description Inspired by the

Basketball with RFID Alfred Zhong, Vincent Lee Project Description Inspired by the HomeCourt app recently demoed at the iPhone XS release Project Description Instead of machine vision like Homecourt, use wireless and RFID Why?

651 views • 27 slides
Engineering RAI N RFI D Solutions Chris Diorio RAIN Chairman Impinj CEO Agenda Reason for

Engineering RAI N RFI D Solutions Chris Diorio RAIN Chairman Impinj CEO Agenda Reason for

Engineering RAI N RFI D Solutions Chris Diorio RAIN Chairman Impinj CEO Agenda Reason for this presentation Describe technical requirements for solutions Accelerate industry adoption Understand the physics Topics this

846 views • 22 slides
Mobile Data Entry for RFID RFID MRR NCDOT Materials and Tests Unit Welcome Transportation 2

Mobile Data Entry for RFID RFID MRR NCDOT Materials and Tests Unit Welcome Transportation 2

Mobile Data Entry for RFID RFID MRR NCDOT Materials and Tests Unit Welcome Transportation 2 WELCOME Transportation 3 Introduction The final link in the RFID program is the receiving of the project onto the project site. The producer

508 views • 30 slides
Entering Samples Using RFID Jessica Earley, PE Topics How to Enter a Sample Using a Scanner

Entering Samples Using RFID Jessica Earley, PE Topics How to Enter a Sample Using a Scanner

December 2015 Entering Samples Using RFID Jessica Earley, PE Topics How to Enter a Sample Using a Scanner How to Enter a Sample Using the Ipad How to Tag Your Sample Before Delivering to the Lab Precast Lookup in the Field

556 views • 22 slides
Beta Presentation Mobile RFID Inventory Tracking System The Capstone Experience Team Quicken

Beta Presentation Mobile RFID Inventory Tracking System The Capstone Experience Team Quicken

Beta Presentation Mobile RFID Inventory Tracking System The Capstone Experience Team Quicken Loans Keyur Patel Josh Rasor Jake Riesser Department of Computer Science and Engineering Michigan State University Spring 2014 From Students

653 views • 9 slides
Unlocking the Value in Applications Agenda Environment is Right for Industrial Wireless

Unlocking the Value in Applications Agenda Environment is Right for Industrial Wireless

Honeywell is Making Industrial Wireless Real Unlocking the Value in Applications Agenda Environment is Right for Industrial Wireless Exciting Opportunities/Benefits from Wireless Choosing a Wireless Solution Why Honeywell?

851 views • 38 slides
RFID from Farm to Fork Piero Filippin p.filippin@wlv.ac.uk RFID from Farm to Fork Funded by

RFID from Farm to Fork Piero Filippin p.filippin@wlv.ac.uk RFID from Farm to Fork Funded by

RFID - From Farm to Fork Strengthening SME competitive advantage through RFID implementation RFID from Farm to Fork Piero Filippin p.filippin@wlv.ac.uk RFID from Farm to Fork Funded by the EU as part of the Competitiveness and Innovation

356 views • 9 slides
Network Connected RFID Security System ECE 4600/Fall 2016 Group 1 Mohamed Alkhadashi Mike

Network Connected RFID Security System ECE 4600/Fall 2016 Group 1 Mohamed Alkhadashi Mike

Network Connected RFID Security System ECE 4600/Fall 2016 Group 1 Mohamed Alkhadashi Mike Kaminski Benjamin Puninske

427 views • 31 slides

More recommend