[IP] RFID access control tokens widely open to cloning  --  [RISKS] Risks Digest 24.50
Begin forwarded message:
Date: Mon, 11 Dec 2006 17:57:55 +0000
From: Adam Laurie <adam.laurie@xxxxxxxxxxxxx>
Subject: RFID access control tokens widely open to cloning

Too many systems to itemize here rely on the 'unique ID' of an RFID token to grant access to a system or building, and, in the case that these tokens are based on 125kHz or 134.2kHz standard tags, many of them may be vulnerable to relatively simple cloning attacks.

In a way this is nothing new - several researchers have previously presented attacks whereby RFID tags were emulated by custom-built circuits which were able to fool readers into thinking that a genuine tag had been presented. However, the industry response was normally that this was not a 'real' threat, as it required specialist knowledge and equipment, and the resulting device was not a 'true clone' as it didn't have the same form factor as the original.

The difference here is that the 'clone' may actually follow the same form factor as the original, and is therefore indistinguishable not just to the reader, but also to the human eye. In addition, no specialist equipment or custom circuitry is required, and the 'clones' can be produced using off-the-shelf equipment, software and blank tags purchased perfectly legally over the Internet. In fact, the tags are only doing what they were designed to do in the first place: implement industry standards.

The problem is that many security system suppliers are integrating industry standard tag readers, and promoting the 'uniqueness' of the tag ID as a guaranteed certainty when it isn't, and thereby compromising the security of the entire system.
The two specific tag types I've looked at are:
* Trovan 'Unique', aka EM4x02
* FDX-B, aka EM4x05 - ISO-11784/5 (animal tags)

The description of the 'Unique' tag, from the Trovan website, is as follows:

"The TROVAN UNIQUE (c) Read-Only System is well-suited to applications that require a high level of data security. Unlike other vendors' factory preprogrammed lines, the protocol of the TROVAN UNIQUE (c) line is patented, providing unmatched protection against unauthorised third-party cloning. Each transponder is programmed with a unique 10-digit ID code during manufacture. Comprehensive automatic test methods ensure that no code exists in duplicate in any of the TROVAN UNIQUE (c) transponder types, and that codes are programmed correctly in a readable manner. Once the code is programmed at the time of the transponder's manufacture, it cannot be counterfeited or tampered with. A total of 550 billion unique ID codes is available."

Q5 are general-purpose, multi-standard tags that are capable of emulating other devices. I found that it was a standard feature of the Q5 chip to emulate a 'Unique' tag, and it was trivial to program a duplicate ID into one. The resulting tags were tested against three different systems that I have access to, and all three systems were unable to distinguish between the original and the 'clone'.

In response to my questioning the security of the Unique tags, the response I got from Trovan was: "There are a variety of H4102 versions, some of which can be emulated by a Q5 tag. Our tags are a custom version of the H4100 tag."

It should be noted that I am not pointing the finger at Trovan devices here, but the 'Unique' standard some of their tags implement and which are generally available as a generic tag type - it is sometimes hard to tell exactly whose devices or tags are used in a specific installation, but suffice it to say that I have found 3rd-party systems (one at a very recent security systems show in London) that were vulnerable to EM4x02-style cloning. The equipment required to do this was a laptop and an off-the-shelf RFID reader/writer, but it could just as easily have been a small handheld, and so a credible threat exists of simply swiping an access tag ID in a 'walk-by' of someone leaving a building, and then producing a clone which will give full access.

I am also able to produce what seem to be accurate clones of FDX-B tags (such as the one in my dog), and also VeriChip tags, in as much as a standard FDX-B reader such as you might find at your local vet will not be able to tell the difference. I have not been able to test if a genuine VeriGuard system would also be fooled, but VeriCorp's response when I took it up with them was:

"You can take a write-once and re-writable chip and put the VeriGuard ID number on this chip, and a lot of readers will read the ID and including the VeriGuard reader. I can not tell you every but their three things that tell are unit that it is a VeriChip 16 digits not 15, timing and one other thing. We call it copying not cloning because the can't get all the information need to send to the VeriGuard reader at the right time." [sic]

The latest release of the open source Python library, RFIDIOt (v0.1h), contains tools for programming both EM4x02 and EM4x05 tag IDs to Q5 or Hitag2 tags, and I would suggest that if you own (or supply) systems based on either of these standards, that you use them to audit for this vulnerability.

Full details at http://rfidiot.org

Adam Laurie, The Bunker Secure Hosting Ltd., Ash Radar Station, Marshborough Road, Sandwich, Kent CT13 0PL UK, +44 (0) 1304 814800, http://www.thebunker.net
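The following is an added example, written by the editor and not code from Adam Laurie's post or from the RFIDIOt project. It models what a 125 kHz reader actually sees from an EM4x02 / 'Unique'-style read-only tag and why an access decision made on that ID alone cannot separate a genuine tag from any other device emitting the same bits, which is the post's central point. The 64-bit frame layout (nine leading 1s, ten rows of four data bits each followed by an even row-parity bit, four even column-parity bits, and a 0 stop bit) is the standard EM4x02/EM410x format. The whitelist, the per-tag secret keys and the keyed challenge-response reader are constructed for illustration and describe no real product; that second reader goes beyond the post by showing the contrast with a design in which the ID is only a lookup key and the credential never crosses the air gap.

```python
"""
Added example (not from the post or from RFIDIOt): EM4x02-style frame as a
reader sees it, an ID-only access policy, and a constructed keyed alternative.
"""
import hashlib
import hmac
import os


def em4x02_frame(tag_id_hex: str) -> str:
    """Bits a tag with this 40-bit (10 hex digit) ID transmits, as a '0'/'1' string.
    Whatever device emits these bits looks identical to the reader."""
    if len(tag_id_hex) != 10:
        raise ValueError("EM4x02 ID is 40 bits = 10 hex digits")
    bits = "1" * 9                                   # header
    col_parity = [0, 0, 0, 0]
    for ch in tag_id_hex:
        nibble = int(ch, 16)
        row = [(nibble >> (3 - i)) & 1 for i in range(4)]
        bits += "".join(map(str, row)) + str(sum(row) % 2)   # data + even row parity
        col_parity = [c ^ b for c, b in zip(col_parity, row)]
    bits += "".join(map(str, col_parity)) + "0"      # column parity + stop bit
    return bits


def decode_em4x02(frame: str):
    """Reader side: check header, row/column parity and stop bit; return the ID or None.
    These checks prove only that the frame is well formed, not where it came from."""
    if len(frame) != 64 or frame[:9] != "1" * 9 or frame[63] != "0":
        return None
    col_parity = [0, 0, 0, 0]
    digits = []
    for r in range(10):
        row = frame[9 + 5 * r: 14 + 5 * r]
        data = [int(b) for b in row[:4]]
        if sum(data) % 2 != int(row[4]):
            return None                              # row parity failure
        col_parity = [c ^ d for c, d in zip(col_parity, data)]
        digits.append("%x" % int(row[:4], 2))
    if [int(b) for b in frame[59:63]] != col_parity:
        return None                                  # column parity failure
    return "".join(digits)


# --- The design the post describes: access is granted on the ID alone ---------
AUTHORISED_IDS = {"0a1b2c3d4e"}                      # constructed sample whitelist


def id_only_reader(frame: str) -> bool:
    """Any well-formed frame carrying a whitelisted ID opens the door."""
    return decode_em4x02(frame) in AUTHORISED_IDS


# --- Constructed mitigation: a per-tag secret that is never transmitted -------
SECRET_KEYS = {"0a1b2c3d4e": b"constructed-per-tag-secret"}   # hypothetical key DB


class KeyedTag:
    """Hypothetical tag that proves possession of its key without revealing it."""
    def __init__(self, tag_id: str, key: bytes):
        self.tag_id, self._key = tag_id, key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class CopiedTag:
    """Built from what was observable over the air: the ID, and nothing else."""
    def __init__(self, tag_id: str):
        self.tag_id = tag_id

    def respond(self, challenge: bytes) -> bytes:
        return bytes(32)                             # no key, so it can only guess


def keyed_reader(tag, challenge=None) -> bool:
    """Fresh random challenge per read; the ID selects the key but is not the credential."""
    challenge = challenge or os.urandom(16)
    key = SECRET_KEYS.get(tag.tag_id)
    if key is None:
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag.respond(challenge))


if __name__ == "__main__":
    frame = em4x02_frame("0a1b2c3d4e")
    print("ID-only reader, same bits from any device:", id_only_reader(frame))   # True
    genuine = KeyedTag("0a1b2c3d4e", SECRET_KEYS["0a1b2c3d4e"])
    print("Keyed reader, genuine tag:", keyed_reader(genuine))                   # True
    print("Keyed reader, copied tag: ", keyed_reader(CopiedTag("0a1b2c3d4e")))   # False
```

The parity checks in `decode_em4x02` are the only integrity the format offers, and they pass for any correctly formed frame, so an audit of an ID-only installation reduces to the question the post asks: does anything besides the ID enter the access decision? The keyed reader is deliberately minimal (HMAC over a random challenge) to show the property that matters, that observing the tag over the air yields nothing reusable.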
-------------------------------------
Archives at: http://www.interesting-people.org/archives/interesting-people/