
Weaknesses in Electronic Locks

Wednesday, August 26th, 2009

The obvious attack vector for most locks is the authentication medium. RFID tags are notoriously easy to clone, generally from up to 10 meters under practical conditions. Their entire functionality is based on modulated backscatter: a burst of radio frequency is generated, and a portion of it is reflected back at the reading device. This reflected portion is modulated to carry useful information, usually a unique number, which is most often checked against a central database for authentication. RFID by itself has absolutely no built-in security; any security must be provided by an ancillary mechanism. The obvious and most common example of an ancillary authentication mechanism is a personal identification number (PIN) entered into a keypad connected to the RFID reader. Many RFID reader manufacturers offer this as an integrated component.

Unfortunately, ancillary mechanisms are likely not enough to provide adequate security. Most networked building access systems do not encrypt their network traffic, rely on persistent TCP sessions, and employ predictable sequence numbering. Most push the applicable data sets down to individual readers, and those data sets can be compromised en route. Events are often transmitted back to the central control system, which can allow an intruder to intercept employee traffic. Additionally, in some cases, forged commands can be transmitted over the network to lock or unlock doors without the need to know any identification.

No publicly known building access system currently encrypts its traffic between the door readers and the control system. Doing so would significantly hinder tampering, would render intercepted data useless, and would also prevent all TCP sequence prediction attacks.

Virtually all modern operating systems use some means of avoiding TCP sequence prediction. Many embedded systems, especially building access systems, have not yet resolved this issue. The issue was first significantly documented in April 1989, and many solutions were codified in RFC 1948, published in May 1996. Transmission Control Protocol (TCP) is a connection-oriented protocol that attempts to be reliable. When a number of TCP packets are received, the sequence number is used to reorder them into the correct order. If this sequence is easily guessed, a third party can intercept the traffic and quite easily manipulate both original parties into believing the injected traffic is legitimate. This is known as a “man in the middle” (MITM) attack.
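The difference between a guessable initial sequence number and the RFC 1948 scheme is easiest to see side by side. The following is an added example (not code from the original post): it generates ISNs the old way (a shared counter plus a slow clock) and the RFC 1948 way (the same clock plus a keyed hash of the connection 4-tuple and a secret), then runs the kind of predictability check an administrator would apply to ISNs captured from their own door controllers. The IP addresses, ports and secret are constructed for the example, and HMAC-SHA256 stands in for the MD5 the RFC mentions.

```python
"""Initial sequence number (ISN) generation, predictable versus RFC 1948 style,
plus a predictability check of the kind an audit would run on ISNs captured
from a device. Added example for illustration; not code from the original post."""
import hashlib
import hmac
import statistics
from collections import Counter

TWO32 = 1 << 32


def naive_isn(clock_us: int, connection_count: int, step: int = 64000) -> int:
    """Old-style global ISN: a 4 microsecond clock plus a counter bumped by a
    fixed step on every connection. Anyone who has seen one ISN can guess the
    next one to within the clock drift."""
    return (clock_us // 4 + connection_count * step) % TWO32


def rfc1948_isn(clock_us: int, src: str, sport: int, dst: str, dport: int,
                secret: bytes) -> int:
    """RFC 1948: ISN = M + F(localhost, localport, remotehost, remoteport, secret).
    M is the same 4 microsecond clock; F is a keyed hash of the connection
    4-tuple, so every connection gets its own offset that an outsider cannot
    compute without the secret. HMAC-SHA256 truncated to 32 bits is used here
    in place of the RFC's MD5 (an assumption of this example)."""
    m = (clock_us // 4) % TWO32
    msg = f"{src}:{sport}>{dst}:{dport}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).digest()
    f = int.from_bytes(tag[:4], "big")
    return (m + f) % TWO32


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2^32."""
    return [(b - a) % TWO32 for a, b in zip(isns, isns[1:])]


def predict_next_isn(isns):
    """Guess the next ISN as the last one plus the most common delta seen so far.
    Used here to test a device you operate: if the guess is right, the device
    is handing out predictable sequence numbers."""
    delta, _ = Counter(isn_deltas(isns)).most_common(1)[0]
    return (isns[-1] + delta) % TWO32


def is_predictable(isns, spread_threshold: int = 1 << 20) -> bool:
    """Flag a sequence as predictable when consecutive deltas barely vary.
    The threshold is a hand-picked heuristic for this example."""
    return statistics.pstdev(isn_deltas(isns)) < spread_threshold


def sample_isns(secret: bytes = b"example-secret"):
    """Eight connections one second apart, as a controller polled every second
    might see them (constructed sample). Same clock for both schemes; the
    hardened scheme varies only the client port between connections."""
    naive = [naive_isn(k * 1_000_000, k) for k in range(8)]
    hardened = [rfc1948_isn(k * 1_000_000, "192.168.10.50", 40000 + k,
                            "192.168.10.1", 4000, secret) for k in range(8)]
    return naive, hardened


if __name__ == "__main__":
    naive, hardened = sample_isns()
    print("naive deltas:", isn_deltas(naive), "predictable:", is_predictable(naive))
    print("rfc1948 deltas:", isn_deltas(hardened), "predictable:", is_predictable(hardened))
```

With the naive scheme every delta is identical (250000 for the clock plus 64000 for the counter), so the next ISN is known before the connection is made; with the RFC 1948 scheme the per-connection hash offset spreads the deltas across the whole 32-bit space even though the clock advances exactly as before.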

The practical example of attacking a door controller is straightforward.

  1. Door controllers typically all share the same first four octets of their MAC address, which can generally be found in vendor documentation or through an internet search.
  2. Once a controller with a matching MAC address is located, poison the ARP cache to redirect traffic through the attacking computer.
  3. Use Wireshark (or another utility) to monitor packets.
  4. Open a packet and observe the hex stream payload (which is the open or deny command).
  5. Repeat until confident the payload is an open command. Open commands are significantly more common than deny commands, so statistical analysis should be able to differentiate between an open and a deny command relatively quickly. Once this payload is known, this step never has to be repeated.
  6. When you wish to open the door, intercept any packet between the control server and the door controller. This does not have to be an open or deny command; it can be a keep-alive or status transmission sent on a regular basis to monitor for network connectivity.
  7. Use a packet forger, add a constant to the sequence number, and send it with the hex payload for open.

This command will not be logged by the administrative server, as it is sent directly to the door controller.

Additionally, there have been many other generalized developments in the RFID security field as of late, two of which are rather significant and worthy of attention. A useful device is scheduled for release at the end of August 2009. The ProxPick, developed by Chris Paget and H4RDW4RE, LLC, offers many useful features for 125-134 kHz RFID tags. It can selectively act as a reader, act as a passive sniffer, play back stored RFID data, or jam a reader. This is more advanced and user-friendly than the previously preferred RFID reading tools (primarily Proxmark3 and OpenPCD). The tool was discussed by Chris Paget at the RSA and Defcon conferences. Another interesting development is Faraday-caged apparel. A company called DIFRwear has made a line of wallets, passport cases, and badge holders that block unwanted RF traffic while the item is closed. This was brought to prominence by potential and/or alleged security vulnerabilities in RFID-enabled credit cards. The products are FIPS 201 certified. Other companies have started developing similar clothing or apparel with built-in RF blocking properties.

Countermeasures:

Migrate all building access devices onto a dedicated network isolated from all other traffic. A less secure solution is to migrate all building access devices to a separate VLAN. An attacker can only carry out a “man in the middle” attack if they can get physical access to the network. Monitor for MITM attacks and related occurrences such as ARP poisoning, which most intrusion detection systems can do.
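The ARP poisoning monitoring recommended above reduces to a small amount of state: which MAC address each IP on the access-control segment is supposed to have, and which MAC each IP was last seen with. The following added example (not code from the original post, and not the logic of any particular IDS) applies that check to tcpdump-style ARP reply lines. The inventory table, the sample log, and the addresses in it are constructed for the example; the pattern of the sample is one station first answering for the control server, then for the door controller, which is exactly what redirecting their traffic through a third machine looks like on the wire.

```python
"""Detect ARP poisoning between a door controller and its control server by
watching ARP replies for IP-to-MAC conflicts. Added example; not code from
the original post."""
import re
from collections import defaultdict

# tcpdump-style lines: "<time> ARP, Reply <ip> is-at <mac>" (constructed format)
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Hypothetical inventory: the MAC addresses an administrator records for the
# control server and one door controller when they are installed (constructed).
KNOWN_HOSTS = {
    "192.168.10.1": "00:50:56:aa:bb:01",   # control server
    "192.168.10.50": "00:11:22:33:44:55",  # door controller
}

# Constructed sample: two legitimate replies, then a third station answering
# for both the server and the controller.
SAMPLE_LOG = """\
10:01:02.100 ARP, Reply 192.168.10.1 is-at 00:50:56:aa:bb:01
10:01:05.300 ARP, Reply 192.168.10.50 is-at 00:11:22:33:44:55
10:02:10.000 ARP, Reply 192.168.10.1 is-at 08:00:27:de:ad:01
10:02:10.050 ARP, Reply 192.168.10.50 is-at 08:00:27:de:ad:01
10:02:40.000 ARP, Reply 192.168.10.1 is-at 08:00:27:de:ad:01
"""


def parse_arp_replies(lines):
    """Yield (timestamp, ip, mac) for every line that is an ARP reply."""
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()


def detect_arp_spoofing(lines, known_hosts=None):
    """Return alerts as (timestamp, kind, ip, mac) tuples.

    spoofed-known-host      a reply contradicts the inventory table
    mapping-changed         an IP not in the inventory switched MAC address
    mac-claims-multiple-ips one MAC has now answered for more than one IP
    """
    known_hosts = {ip: mac.lower() for ip, mac in (known_hosts or {}).items()}
    learned = {}                    # ip -> last MAC seen for it
    ips_by_mac = defaultdict(set)   # mac -> every IP it has answered for
    alerts = []
    for ts, ip, mac in parse_arp_replies(lines):
        if ip in known_hosts and known_hosts[ip] != mac:
            alerts.append((ts, "spoofed-known-host", ip, mac))
        elif ip in learned and learned[ip] != mac:
            alerts.append((ts, "mapping-changed", ip, mac))
        learned[ip] = mac
        before = len(ips_by_mac[mac])
        ips_by_mac[mac].add(ip)
        # alert once, the moment a MAC starts answering for a second IP
        if len(ips_by_mac[mac]) > max(before, 1):
            alerts.append((ts, "mac-claims-multiple-ips", ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_LOG.splitlines(), KNOWN_HOSTS):
        print(*alert)
```

The inventory table is what makes the check strong: with it, the very first forged reply is flagged regardless of what was learned earlier, and it is also the data needed to pin static ARP entries on the controller and server. Without it the detector still catches the change in mapping and the one MAC answering for two addresses, but only after the legitimate mapping has been observed once.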

Sources:

Picking Electronic Locks using TCP Sequence Prediction – Ricky Lawshae, Defcon 17 presentation

“Security Problems in TCP/IP Protocol Suite” (http://portal.acm.org/citation.cfm?id=378444.378449) – ACM SIGCOMM Computer Communication Review, Vol 19, Issue 2, April 1989

“Defending Against Sequence Number Attacks” (http://tools.ietf.org/html/rfc1948) – RFC 1948, S. Bellovin (AT&T Research), May 1996

H4RDW4RE (http://www.h4rdw4re.com) – Manufacturer of multifunctional ProxPick

OpenPCD (http://www.openpcd.org) – RFID development tool

Proxmark (http://www.proxmark.org) – RFID development tool

DIFRwear (http://www.difrwear.com) – Maker of Faraday-caged apparel, useful in securing RFID communication.