Subject: [vel] RFID risks
http://www.wired.com/threatlevel/2009/08/fed-rfid/
Feds at DefCon Alarmed After RFIDs Scanned
??? By Kim Zetter
??? August 4, 2009 ??|??
??? 9:30 am ??|??
LAS VEGAS ??? It???s one of the most hostile hacker environments in the
country ???- the DefCon hacker conference held every summer in Las Vegas.
But despite the fact that attendees know they should take precautions to
protect their data, federal agents at the conference got a scare on Friday
when they were told they might have been caught in the sights of an RFID
reader.
The reader, connected to a web camera, sniffed data from RFID-enabled ID
cards and other documents carried by attendees in pockets and backpacks as
they passed a table where the equipment was stationed in full view.
It was part of a security-awareness project set up by a group of security
researchers and consultants to highlight privacy issues around RFID. When
the reader caught an RFID chip in its sights ??? embedded in a company or
government agency access card, for example ??? it grabbed data from the card,
and
the camera snapped the card holder???s picture.
But the device, which had a read range of 2 to 3 feet, caught only five
people carrying RFID cards before Feds attending the conference got wind of
the project and were concerned they might have been scanned.
Kevin Manson, a former senior instructor at the Federal Law Enforcement
Training Center in Florida, was sitting on the ???Meet the Fed??? panel when a
DefCon staffer known as ???Priest,??? who prefers not to be identified by his
real name, entered the room and told panelists about the reader.
???I saw a few jaws drop when he said that,??? Manson told Threat Level.
???There was a lot of surprise,??? Priest says. ???It really was a ???holy
shit,???
we didn???t think about that [moment].???
Law enforcement and intelligence agents attend DefCon each year to garner
intelligence about the latest cyber vulnerabilities and the hackers who
exploit them. Some attend under their real name and affiliation, but many attend
undercover.
Although corporate- and government-issued ID cards embedded with RFID
chips don???t reveal a card holder???s name or company ??? the chip stores only
a
site number and unique ID number tied to a company or agency???s database where
the card holder???s details are stored ??? it???s not impossible to deduce the
company or agency from the site number. It???s possible the researchers might
also have been able to identify a Fed through the photo snapped with the
captured card data or through information stored on other RFID-embedded
documents
in his wallet. For example, badges issued to attendees at the Black Hat
conference that preceded DefCon in Las Vegas were embedded with RFID chips that
contained the attendee???s name and affiliation. Many of the same people
attended both conferences, and some still had their Black Hat cards with them at
DefCon.
But an attacker wouldn???t need the name of a card holder to cause harm. In
the case of employee access cards, a chip that contained only the employee???s
card number could still be cloned to allow someone to impersonate the
employee and gain access to his company or government office without knowing the
employee???s name.
Since employee access card numbers are generally sequential, Priest says
an attacker could simply change a few digits on his cloned card to find the
number of a random employee who might have higher access privileges in a
facility.
???I can also make an educated guess as to what the administrator or ???root???
cards are,??? Priest says. ???Usually the first card assigned out is the test
card; the test card usually has access to all the doors. That???s a big
threat, and that???s something [that government agencies] have actually got to
address.???"
In some organizations, RFID cards aren???t just for entering doors; they???re
also used to access computers. And in the case of RFID-enabled credit
cards, RFID researcher Chris Paget, who gave a talk at DefCon, says the chips
contain all the information someone needs to clone the card and make fraudulent
charges on it ??? the account number, expiration date, CVV2 security code
and, in the case of some older cards, the card holder???s name.
The Meet-the-Fed panel, an annual event at DefCon, presented a target-rich
environment for anyone who might have wanted to scan government RFID
documents for nefarious purposes. The 22 panelists included top cybercops and
officials from the FBI, Secret Service, National Security Agency, Department of
Homeland Security, Defense Department, Treasury Department and U. S. Postal
Inspection. And these were just the Feds who weren???t undercover.
It???s not known if any Feds were caught by the reader. The group that set
it up never looked closely at the captured data before it was destroyed.
Priest told Threat Level that one person caught by the camera resembled a Fed he
knew, but he couldn???t positively identify him.
???But it was enough for me to be concerned,??? he said. ???There were people
here who were not supposed to be identified for what they were doing ??? I was
[concerned] that people who didn???t want to be photographed were photographed.
???
Priest asked Adam Laurie, one of the researchers behind the project, to ???
please do the right thing,??? and Laurie removed the SD card that stored the
data and smashed it. Laurie, who is known as ???Major Malfunction??? in the
hacker community, then briefed some of the Feds on the capabilities of the RFID
reader and what it collected.
The RFID project was a collaboration between Laurie and Zac Franken ???
co-directors of Aperture Labs in Great Britain and the ones who wrote the
software for capturing the RFID data and supplied the hardware ??? and Aries
Security, which conducts security-risk assessments and runs DefCon???s annual
Wall of
Sheep project with other volunteers.
Each year the Wall of Sheep volunteers sniff DefCon???s wireless network for
unencrypted passwords and other data attendees send in the clear and
project the IP addresses, login names and truncated versions of the passwords
onto
a conference wall to raise awareness about information security.
This year they planned to add data collected from the RFID reader and
camera (below) ??? to raise awareness about a privacy threat that???s becoming
increasingly prevalent as RFID chips are embedded into credit cards, employee
access cards, state driver???s licenses, passports and other documents.
Brian Markus, CEO of Aries Security who is known in the hacker community
as ???Riverside,??? said they planned to blur the camera images and superimpose
a sheep???s head over faces to protect identities before putting them on the
wall.
???We???re not here to gather the data and do bad things with it,??? he said,
noting that theirs likely wasn???t the only reader collecting data from chips.
???There are people walking around the entire conference, all over the
place, with RFID readers [in backpacks],??? he says. ???For $30 to $50, the
common,
average person can put [a portable RFID-reading kit] together???. This is why
we???re so adamant about making people aware this is very dangerous. If you don
???t protect yourself, you???re potentially exposing your entire [company or
agency] to all sorts of risk.???
In this sense, any place can become a hostile hacker environment like
DefCon, since an attacker with a portable reader in a backpack can scan cards at
hotels, malls, restaurants and subways, too. A more targeted attack could
involve someone simply positioned outside a specific company or federal
facility, scanning employees as they entered and left and cloning the cards. Or
someone could even wire a coil around a door frame to collect data as people
pass through the door, which Paget demonstrated at DefCon.
???It takes a few milliseconds to read [a chip] and, depending on what
equipment I???ve got, doing the cloning can take a minute,??? says Laurie. ???I
could
literally do it on the fly.???
Paget announced during his DefCon talk that his security consulting
company, H4rdw4re, will be releasing a $50 kit at the end of August that will
make
reading 125-kHz RFID chips ??? the kind embedded in employee access cards ???
trivial. It will include open source software for reading, storing and
re-transmitting card data and will also include a software tool to decode the
RFID encryption used in car keys for Toyota, BMW and Lexus models. This would
allow an attacker to scan an unsuspecting car-owner???s key, decrypt the data
and open the car. He told Threat Level they???re aiming to achieve a reading
range of 12 to 18 inches with the kit.
???I often ask people if they have an RFID card and half the people
emphatically say no I do not,??? says Paget. ???And then they pull out the
cards to
prove it and ??? there has been an RFID in their wallet. This stuff is being
deployed without people knowing it.???
To help prevent surreptitious readers from siphoning RFID data, a company
named DIFRWear was doing brisk business at DefCon selling leather
Faraday-shielded wallets and passport holders (pictured above right) lined with
material that prevents readers from sniffing RFID chips in proximity cards.
(Dave Bullock contributed some reporting to this piece.)_______________________________________________
NetBehaviour mailing list
[email protected]
http://www.netbehaviour.org/mailman/listinfo/netbehaviour
