RFID Hacking: An overview

lakshay arora
4 min read · Jan 21, 2021

Radio-frequency identification (RFID) is a technology we use every day: most college ID cards, employee ID cards and hotel keycards use RFID as their primary method of authentication. Several technologies such as NFC (Near Field Communication) are built on RFID and add features like peer-to-peer communication and card emulation mode. RFID and NFC are both types of short-range wireless communication.

An RFID system consists of a reader with an antenna and a transponder (tag). Tags come in two kinds: active tags, which have their own power source, and passive tags, which have none and are powered by the electromagnetic field produced by the reader.

Uses of RFID:

  • Access control, hotels, car keys, attendance monitoring
  • Contactless payments, passports
  • E-Wallets, Library/College ID Cards

Types of RFID Cards:

  • Low frequency RFID: ~125 kHz; examples: EM4XX (Unique), HID Prox, Indala, Honeywell
  • High frequency NFC (an extension of RFID): ~13.56 MHz; examples: Mifare/DESFire, iCLASS, Legic, Calypso, contactless payments
  • Ultra high frequency: ~868 MHz; examples: vehicle tracking cards

How RFID Cards Work:

Example of a RFID Card

Most RFID cards carry a UID, a unique identifier programmed at the factory which, according to many vendors, cannot be altered; only the vendor knows how the tag is made. An RFID tag contains an integrated circuit and an antenna, which transmit data to the RFID reader (also called an interrogator). The reader then converts the radio signal into a more usable form of data.

Attacks possible on RFID Cards/objects:

  1. Brute-forcing the UID stored on it
  2. RFID Cloning
  3. RFID Card Emulator
  4. RFID UID Cracking

=> How to hack RFID Card: {RFID UID Cracking}

  1. Install the necessary libraries (PN532 + libnfc):

sudo apt install libnfc-examples

sudo apt install libnfc-bin

The above commands install libnfc, an open-source library that exposes the “hidden” raw mode of the NXP PN532, which is useful for emulation, relay, cloning, cracking, etc.

PN532 bare modules: around $5 (RFID readers)

Magic RFID Card: an empty/factory-state RFID card with one-time write access (around $5)

Full Hardware RFID-Hacking Toolkit(for different types of hacking) : https://www.smartlockpicking.com/trainings/

2. Place original card on the reader

root@kali:~# nfc-list
nfc-list uses libnfc 1.7.1
NFC device: pn532_uart:/dev/ttyUSB0 opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): 3c 3d f1 0d
SAK (SEL_RES): 08

3. Place Magic card on the reader, set new UID

root@kali:~# nfc-mfsetuid 3c3df10d
NFC reader: pn532_uart:/dev/ttyUSB0 opened
Sent bits: 26 (7 bits)
Received bits: 04 00
Sent bits: 93 20
Received bits: 0c 5c ee 0d b3
Sent bits: 93 70 0c 5c ee 0d b3 5c c2
(…)

=> How to hack RFID Card: {RFID UID Cloning}

It's pretty simple: you just need an RFID cloner device ($20–100, depending on whether you buy an original or a Chinese copy), and pressing the “read” and “write” buttons does the rest of the work. The latest RFID cloner devices work for both low and high frequency ranges (up to 13.96MHz).

125khz RFID Copier

=> RFID Card Emulator

Emulators like the Chameleon Mini can emulate multiple high-frequency tags. More popular commercial emulators like the Proxmark3 are slightly better than the Chameleon Mini and come with additional benefits. These emulators require an external battery for power. Most of these finished, ready-to-use products are available online at a somewhat high cost (around $100). Their typical features:

  • Read just about any RFID tag
  • Pretend to be a reader or a tag
  • Sniff communications between a reader and tag
  • Operate in standalone mode without a PC (USB battery required)

=> Brute-forcing the UID on the RFID Devices

Some low-frequency RFID cards have sequential UIDs, so these RFID systems can be brute-forced; Prox II is one example.

How to prevent RFID Attacks:

  1. Tamper protection in readers
  2. Encrypt/sign/hash card content (beware of relay attacks, which still work against this mechanism)
  3. One-way counters, timestamps, special access rights
  4. Migrate to more secure RFID Systems like Mifare Plus, DESFire (use heavy encryption)
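A backend-side sketch of points 2 and 3, added here as an example and not part of the original post: the card content is a one-way counter plus an HMAC over (UID || counter) under a per-card key, so a magic card carrying only a copied UID fails the MAC and a sniffed frame fails the counter check. The master key, UID enrolment and 8-byte MAC truncation are constructed assumptions for the example.

```python
import hmac
import hashlib

# Constructed sample master key for this example; a real deployment keeps it in an HSM.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def card_key(uid: bytes) -> bytes:
    """Diversify the master key per card, so one extracted card key does not expose the fleet."""
    return hmac.new(MASTER_KEY, b"card-key" + uid, hashlib.sha256).digest()


def sign_content(uid: bytes, counter: int) -> bytes:
    """MAC over (UID || counter). Stands for whichever party holds the key: a card that
    can compute it itself, or the reader re-writing the card after each accepted use."""
    msg = uid + counter.to_bytes(4, "big")
    return hmac.new(card_key(uid), msg, hashlib.sha256).digest()[:8]


class Backend:
    """Access-control backend that requires a valid MAC and a strictly increasing counter."""

    def __init__(self, enrolled_uids):
        self.last_counter = {uid: -1 for uid in enrolled_uids}  # -1: never presented

    def verify(self, uid: bytes, counter: int, mac: bytes) -> str:
        if uid not in self.last_counter:
            return "deny: unknown UID"
        if not hmac.compare_digest(mac, sign_content(uid, counter)):
            # A magic card with only the copied UID lands here: it has no key to sign with.
            return "deny: bad MAC (cloned UID or tampered content)"
        if counter <= self.last_counter[uid]:
            # A sniffed (UID, counter, MAC) triple played back later lands here.
            return "deny: counter not advanced (replayed frame)"
        self.last_counter[uid] = counter
        return "allow"


def demo() -> list:
    """Four presentations: genuine, replayed, UID-only clone, genuine again."""
    uid = bytes.fromhex("3c3df10d")  # the UID shown in the nfc-list output above
    backend = Backend([uid])
    return [
        backend.verify(uid, 1, sign_content(uid, 1)),  # genuine card, first use
        backend.verify(uid, 1, sign_content(uid, 1)),  # same frame replayed
        backend.verify(uid, 2, bytes(8)),              # magic card carrying only the UID
        backend.verify(uid, 2, sign_content(uid, 2)),  # genuine card, counter advanced
    ]
```

A relayed live card still passes this check, which is the relay caveat in point 2; only the reader-side measures in point 1 address that.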


lakshay arora

Hi! I am a B.Tech student who enjoys reverse engineering and digital forensics. I relish reading anything and everything about cybersecurity.