Soylent Badges: An Attack Surface Analysis of RFID

Description:

Returns data by absorbing or not absorbing radio waves ... Can copy with radio shack electronics. Cannot copy with office electronics ...

Slides: 24
Provided by: csWash

1
Soylent Badges: An Attack Surface Analysis of RFID
  • Dan Kaminsky, Director of Penetration Testing,
    IOActive

2
What is this talk about?
  • Not a deep technical analysis of how to build an
    RFID cloner
  • Not a recap of what went down in Washington DC a
    few months back
  • This is an attempt to bridge the legal/technical
    boundary
  • What is RFID?
  • What are people trying to do with it?
  • What are people trying to do to it?
  • This is an industry of a lot of hope and a lot of
    hype, but not a lot of understanding about
    security risks.
  • Let's fix that!

3
What is RFID?
4
RFID: It's Just A Barcode.
  • Radio is just low frequency light
  • Variant: Active RFID, has a battery in it
  • Glow in the dark barcode
  • Can encrypt

5
RFID: Building A Better Barcode
6
Revolutions in Tagging Technology
  • Barcodes
  • Revolutionized commerce
  • Retail (Supermarkets)
  • Transport (UPS)
  • Production Lines
  • RFID
  • Toll Roads (Speedpass)
  • Train Systems (Tokyo)
  • Corporate Access Control
  • RFID is the better mousetrap.
  • What about these pesky security issues?

7
Introduction to Attack Surface Analysis
  • What could possibly go wrong?
  • Identify what the system is doing, and why it's
    doing it
  • If you don't know what the system is supposed to
    do, you'll never understand what it's allowing
    you to do.
  • Who says it's just allowing you?
  • Every system interacts with trusted people at
    certain points
  • Gateways (Doors, Toll Booths, Train Stations)
  • Tokens (Badges, Speedpasses, Tickets)
  • But how do those same systems interact with
    untrusted users?

8
Through The Looking Glass
9
The Attacker Is Not The Customer
  • Developers build things for customers.
  • Customers pay for things to work.
  • Attackers do not pay, for things to not work
  • The consumer of security technology is the
    attacker being kept out!
  • Customers do desire protection from attackers
  • Enforcers (Gates, Police, Walls) enforce customer
    will
  • Investment in enforcement is tied to the harm to
    customer in case of an attack
  • Ah, but what if the attack harms someone else?
  • Customer investment equal to legal liability
    times risk of attack
  • No liability, no investment

10
Classes of Use
  • What an attacker can get by compromising RFID is
    directly tied to what it is protecting
  • Developers just build the technology?
  • Three major classes of RFID deployments
  • Inventory: What do I have?
  • Attendance: Who is here?
  • Access Control: Who isn't here?
  • These classes do not describe the risk continuum

11
The Real Continuum 0
  • What is the value of the resource that would be
    compromised if an attacker got through?
  • Attack surface: How could an attacker get
    through?
  • Risk: What can they get by doing it?
  • Inventory Control: Use of RFID to do continuous
    or intermittent identification of physical
    objects at a location
  • Shrinkage Management: Attacker can make a store
    screw up its purchasing schedule, not recognize
    theft as it's happening.
  • Cargo Ship Manifest Auditing: Attacker can add
    or remove items from the scanner manifest,
    facilitating smuggling.

12
The Real Continuum 1
  • Attendance Management
  • Tradeshow Monitoring: An attacker could make a
    show think a particular speaker was popular, or
    not.
  • Classroom Monitoring: An attacker could make a
    student appear to be present or absent,
    potentially triggering harassment.
  • Population Monitoring: An attacker could use the
    RFID on a passport to target Americans for
    attack.
  • We'll return to this.

13
The Real Continuum 2
  • Access Control
  • Club Cards: An attacker can impersonate
    another user, potentially getting access to sales
    only they've earned.
  • Credit Cards: An attacker can spend someone
    else's money.
  • Corporate Badges: An attacker can achieve
    physical access to corporate facilities and labs,
    potentially committing espionage.
  • Military Badges: An attacker can achieve
    physical access to military facilities and
    storage depots, potentially destroying assets and
    killing people.

14
Out of sight, out of mind
  • Nobody would suggest using barcodes to protect
    anything, let alone corporate resources, let
    alone lives
  • Radio barcodes are invisible.
  • Therefore, they're OK.
  • First Law of RFID: They're always trying to make
    it do something scarier than you think.
  • Electronic Voting, Secured With RFID
  • Inevitable
  • Maybe this will be the shark-jumping moment?

15
Privacy
  • Original Attack Surface Analysis: So what?
  • Entire population carries around high powered
    transponders that identify their nation of
    origin
  • Cell phones!
  • But the First Law of RFID holds.
  • Cell phones emit what's useful for cell phone
    carriers.
  • Credit cards emit what's useful for merchants and
    credit carriers
  • Limit for RFID Credit Card: 50
  • Minimum Claim for Credit Card Fraud: 50
  • Passports emit what's useful for customs agents
  • RFID is a barcode. Some people are tempted to
    turn it into a T-Shirt with your SSN printed on
    it.
  • There actually was a school that did barcodes
    that equaled SSNs!

16
A Prediction
  • Supermarket loyalty cards start getting RFIDs
  • A private firm pays stores to put RFID monitors
    in doorways that are capable of reading the
    loyalty cards as people walk through
  • Said private firm resells demographic data
    regarding who's going where at what time
  • Cell phone can't provide the door check of
    RFID
  • Cell phone carriers couldn't risk the business
    hit
  • The above scenario is pretty likely in the next
    few years.
  • May be able to replace supermarket loyalty cards
    with any card type people can be expected to have
    on them at all times. This will accelerate the
    timeline.

17
Where are the security people?
  • Very few physical attackers in the real world
  • Breaking into buildings is risky to the attacker:
    you're physically throwable into a jail cell.
  • Flip side: Very high success rate if an attacker
    is determined
  • An attacker can always drive a car into an office
    wall.
  • This leaves a car-shaped hole.
  • Physical Security has not realized RFID attacks
    fail to leave car-shaped holes.
  • Attackers thus have much less risk of being
    caught.
  • Still, some demands have been made

18
What is Secure RFID?
  • Create a special relationship between a reader
    and a badge, so that an attacker can't clone a
    card just by pretending to be a reader
  • RFID may provide a different signal each time
    it's queried
  • Ignition Key systems
  • Blink Credit Cards
  • Signal may be cryptographically infeasible to
    clone from
  • Presumption: The risk is cloning.
  • Reality: One attack is cloning. The risk is
    unauthorized access. There may be other attacks
    that result in this risk occurring.

19
Proximity Cards
  • RFID badges were originally called proximity
    cards
  • So called because they powered up when in close
    proximity to a reader
  • Presumption: User badge near reader, user near
    door.
  • Reality: User badge near a reader.

20
Ghost-Leech
  • Ghost-Leech Attacks
  • Picking Virtual Pockets using Relay Attacks on
    Contactless Smartcard Systems
  • Attacker doesn't clone the card
  • Attacker is near the reader (ghost), accomplice
    is near the victim (leech).
  • Attacker transmits the query from the reader to
    an accomplice
  • Accomplice is near the badge, transmits the
    reader signal to the badge, returns the badge
    response to the attacker
  • Attacker and Accomplice proxy signals until the
    door opens
  • Works against arbitrarily high quality
    cryptography

21
Defending Against Ghost/Leech 0
  • Normally suggested solution: Use two factor
    authentication
  • Combine something you have with something you
    know
  • Enter a PIN whenever using your badge.
  • Very rarely seen.
  • The physics solution: Rely on the speed of light
    being constant
  • An attacker must reply in 50 picoseconds in order
    to be legitimately within a few dozen feet
  • Not feasible with present technology
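
Added example, not part of the original slides: a small Python model of the reader-side check behind the "physics solution", showing why a relayed answer still passes the cryptographic check but fails a round-trip-time bound. HMAC as the badge's response function and every timing and distance value are constructed assumptions.

```python
import hashlib
import hmac
import os

C = 299_792_458.0  # speed of light in m/s

def badge_response(key: bytes, challenge: bytes) -> bytes:
    """Badge side: a fresh answer per query (HMAC is an assumed stand-in)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def distance_bound_m(rtt_s: float, badge_processing_s: float) -> float:
    """Largest badge distance consistent with the measured round-trip time."""
    flight_s = max(rtt_s - badge_processing_s, 0.0)
    return C * flight_s / 2

def reader_verify(key, challenge, response, rtt_s, max_distance_m, badge_processing_s):
    """Return (crypto_ok, proximity_ok); a door should require both."""
    crypto_ok = hmac.compare_digest(badge_response(key, challenge), response)
    proximity_ok = distance_bound_m(rtt_s, badge_processing_s) <= max_distance_m
    return crypto_ok, proximity_ok

def run_scenarios():
    key = os.urandom(32)
    proc = 1e-6    # constructed: badge computation time in seconds
    limit = 0.10   # constructed: reader accepts badges within 10 cm
    challenge = os.urandom(16)
    answer = badge_response(key, challenge)  # the genuine badge answers in both cases

    # Badge held 5 cm from the reader.
    direct_rtt = proc + 2 * 0.05 / C
    # Same genuine answer, forwarded over a 30 m link that adds 2 microseconds each way.
    relayed_rtt = proc + 2 * 30.0 / C + 2 * 2e-6
    return {
        "direct": reader_verify(key, challenge, answer, direct_rtt, limit, proc),
        "relayed": reader_verify(key, challenge, answer, relayed_rtt, limit, proc),
    }

if __name__ == "__main__":
    for name, (crypto_ok, proximity_ok) in run_scenarios().items():
        print(f"{name:8s} crypto_ok={crypto_ok} proximity_ok={proximity_ok}")
```

The relayed case is the one to watch: the cryptography reports success because the genuine badge produced the answer, so only the timing bound separates it from a badge actually at the door.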

22
Defending Against Ghost/Leech 1
  • Best Practice: Don't always provide credentials
    to anyone who asks
  • Always-On nature of RFID in authentication
    scenarios is a bug
  • Would you show your ID to anyone that asks?
  • If it's RFID, you do.
  • Should require removing RFID from a sleeve, or
    squeezing the badge.

23
Summary
  • Recognize all the cool things they're giving the
    good guys.
  • Look at them from the bad guy's perspective.
  • Distributed liability is creating a firestorm
  • Hugely important systems are being built on
    fundamentally broken technology
  • There are ways to make them less broken, but
    nobody's making sure they get deployed
  • Opaque technology gets away with stuff.
  • Sunshine is good.