If you've dropped in to grab coffee from a downtown Starbucks on a weekday morning, you've probably noticed that seemingly everyone has a small, white plastic badge attached to their clothing somewhere. These are otherwise known as Radio Frequency Identification (RFID) badges, and are widely deployed by organizations around the world to control physical access to buildings, data centers, and other sensitive areas. Unbeknownst to many however, is that RFID is a rather simple technology that facilitates tracking, logging and identification via radio waves.

RFID badge systems allow organizations to reduce the cost of replacing lost keys, generate automated electronic access logs, and restrict access based on variable factors such as the time or day of the week. It's no wonder why the use of this technology has been adopted in almost every industry; it is cost effective, modular, and a potentially powerful method of access control. However, are these systems giving organizations all over the world a false sense of security? How secure would you feel if I told you that with a wireless device the size of a deck of cards, it's possible to clone a badge and gain access to a building secured with standard RFID technology within seconds?

Typically, there are three components within an enterprise RFID badge access system. There are the badges, the readers, and the backend controller. When a badge is presented to a reader, the reader's radio energy field energizes the RFID chip on the badge at which point the badge transmits its value to the reader. There are three frequencies that RFID typically operates at:

NameFrequencyReadable Distance
Low Frequency (LF)120 kHz – 140 kHz<3 ft. (usually ~1.5 ft.)
High Frequency (HF)13.56 MHz<2.5 ft. (usually ~1.5 ft.)
Ultra-High Frequency (UHF)860 MHz – 960 MHz+/- 30 ft.

Once read, the reader then transmits the badge value to the backend controller to either approve or deny access. The reader does this by transmitting the badge value via the Wiegand protocol to the controller. The Wiegand protocol is a very simple (i.e. plain text, easily intercepted and replayed) technology that consists of two wires: DATA1 and DATA0. When the reader needs to send a "1" it lowers the voltage on the DATA1 wire and alternatively, when it needs to send a "0" it lowers the voltage on DATA0. The controller takes this information and decides whether or not the badge value has access to the specific door where it was read.

The most popular RFID badge system in use at enterprise facilities is the HID ProxCard. These low frequency (125 kHz) badges are known to be easily compromised, yet organizations are still deploying them to secure their sensitive locations around the world. These HID badges have a 44-bit value passively stored on the badge. This value is made up of a couple different sets of numbers; the most important of which, being the facility code and the actual unique badge number which together make up 26 bits. It is only these 26 bits that are used to identify the badge to the controller. Beyond this, there is no other form of authentication, encryption or hashing that takes place.

What this means is that 70% - 80% (1) of organizations using RFID physical access control systems are relying upon an easily intercepted and replicated 26 bit value with no authentication or encryption which is then sent over two, easily tapped (2) physical wires to secure their facility's most sensitive areas. I'm willing to bet that false sense of security is starting to fade away right about now.

There are many different attacks that could be leveraged against RFID systems. In my next post, I'll outline two easily executed attacks which can exploit RFID technology and can be launched using a simple device known as the Proxmark III.

(1) Fransis Brown, "Live Free or RFID Hard" Black Hat 2013 presentation
a. https://media.blackhat.com/us-13/US-13-Brown-RFID-Hacking-Live-Free-or-RFID-Hard-Slides.pdf
(2) Zac Franken "Physical Access Control Systems" Black Hat 2008 presentation
a. https://www.blackhat.com/presentations/bh-dc-08/Franken/Presentation/bh-dc-08-franken.pdf
(3) Brad Antoniewicz "ProxBrute: Taking ProxCard Cloning to the Next Level"
a. http://www.mcafee.com/us/resources/white-papers/foundstone/wp-proxbrute.pdf