RFID Security – Have You Left Your Doors Open? Part Two: Types of Attacks
The ProxMark III is the de facto device for attacking RFID-based physical access control systems. Originally created by Jonathan Westhues for his master’s thesis, both the software and the hardware has been continually developed by an active online community (www.proxmark.org). This very flexible and powerful device is the size of a deck of cards and is able to read, simulate and clone both high frequency and low frequency RFID devices. Anyone with $399 and a moderate amount of technical ability will have a viable platform to gain access to your facilities.
In order to better understand this device and to facilitate consulting with clients on these type of attacks, we got our hands on a ProxMark III. What we found was rather concerning. I was able to scan my company badge with the device, simulate it and use it to gain access to our building in about 15 seconds. The ProxMark’s ability to be hidden in an innocuous location due to its small form factor and its abilities to read badges from a distance and run off a battery, makes sniffing badges from a public location shockingly easy. Recorded badges can then be cloned to blank badges and used to gain access to secured locations all while being indistinguishable from the authentic badge in the electronic logs.
Another attack that can be carried out using the Proxmark III and some code is a brute force attack. Brad Antoniewicz at McAfee recently wrote a whitepaper exploring the viability of different brute force attack methods on the popular HID RFID systems. Because these system only use the 26 bits that are made up by the static facility code and the unique badge number, the entire 44 bits on a valid badge do not have to be brute forced. The key space for the 26 bit value is 2^8 (facility code) * 2^18 (badge value), leaving us with 67,108,864 possible keys (3). According to Mr. Antoniewicz’s estimations, this would take around two years to brute force outright. However, there is another characteristic of HID badges that further reduce their effective security.
When HID badge cards are ordered, organizations must provide their facility code and an acceptable range for the new badge numbers. Because of this, badges are sequential and predictable. This further reduces the key space to the attacker’s advantage. While a viable external attack, this attack can be leveraged by an internal disgruntled employee to cause a lot of harm while being digitally untraceable in the logs. Using a device like the ProxMark III, an employee could read their own badge and retrieve the facility code and their badge number. With the knowledge that other employee’s badges have the same facility code and that their badge values are sequentially from their own, the employee could easily brute force another employee’s badge and create a copy for themselves. Antoniewicz found that once a single valid badge number was known, he could solve for another valid card within five minutes (3).
Delap LLP is one of Portland’s largest local tax, audit, and consulting accounting firms, located in Lake Oswego, Oregon.
(1) Fransis Brown, “Live Free or RFID Hard” Black Hat 2013 presentation
(2) Zac Franken “Physical Access Control Systems” Black Hat 2008 presentation
(3) Brad Antoniewicz “ProxBrute: Taking ProxCard Cloning to the Next Level”