IoT Hacking: RFID Basics for Hackers


Welcome back, my aspirational cyberwarriors!

IoT devices are increasing at an exponential rate in our digital world.

These IoT devices vary by protocol, operating system, firmware, and communication method. One of the most common of these communication technologies is RFID, or Radio Frequency Identification. It is used in access cards and badges as well as in asset tracking. As a hacker/pentester, it is critical to test the security of RFID badges and access cards, as they are the gatekeepers of physical access. Once the attacker has physical access, game over!

Before we delve into RFID hacking, let’s learn the basics of RFID and RFID based access cards.

RFID (Radio Frequency Identification) is a technology that uses radio waves to identify and track objects, animals, or people. It involves the use of small devices called RFID tags, which can be attached to or embedded in items. These tags contain a microchip that stores information about the item and an antenna that communicates with RFID readers.

Components of RFID Technology

  1. RFID Tag

    • Active Tags: These have their own power source (like a battery) and can transmit signals over longer distances, typically up to 100 meters.

    • Passive Tags: These do not have their own power source and rely on the electromagnetic field generated by the RFID reader to power the chip and transmit information. Their range is typically much shorter, around a few centimeters to a few meters.

    • Semi-passive Tags: These have a battery to power the microchip but rely on the reader’s signal to communicate, offering a middle ground between active and passive tags.

  2. RFID Reader: A device that emits radio waves and receives signals back from the RFID tags. It can read multiple tags simultaneously and does not require a direct line of sight, unlike barcode scanners.

  3. Antenna: Part of both the tag and the reader. In the tag, the antenna receives the signal from the reader and powers the chip (in passive tags), while in the reader, it sends out and receives signals.

How RFID Works

  1. The RFID reader sends out a radio frequency signal.

  2. When an RFID tag comes into the range of the reader, it is activated (if passive) or simply transmits its stored data (if active).

  3. The reader receives the data transmitted by the tag and processes it for further use, such as tracking inventory, verifying identity, or managing assets.

Applications of RFID:

  • Inventory Management: Automating the tracking of products in warehouses and retail stores.

  • Access Control: Managing entry to secure areas using RFID-enabled ID cards.

  • Supply Chain Management: Tracking goods as they move through the supply chain.

  • Animal Tracking: Identifying and tracking livestock or pets. Your pet may have an RFID chip embedded under its skin to track it.

  • Contactless Payments: Enabling payment systems like contactless credit/debit cards.

Advantages of RFID

  • Speed: RFID can scan multiple items at once and does not require a direct line of sight.

  • Durability: RFID tags can be embedded in various materials and are generally more durable than barcodes.

  • Security: Tag data and the tag-reader exchange can be encrypted, making RFID more secure than traditional barcodes.

Challenges of RFID

  • Cost: RFID systems can be more expensive to implement than traditional barcode systems.

  • Interference: Metal and liquids can interfere with RFID signals, affecting performance.

  • Privacy: Since RFID tags can be read without line of sight, there are concerns about unauthorized tracking and data collection.

RFID in Access Control Systems

RFID cards are commonly used in access control, identification, and payment systems. They come in various types, categorized based on their:

(1) frequency,

(2) power source,

(3) memory,

(4) form factor.

Here’s an overview of the main types of RFID cards:

1. Based on Frequency

RFID cards operate at different frequency ranges, each with its own characteristics.

  • Low Frequency (LF) Cards (125-134 kHz):

    • Range: Typically a few centimeters to about half a meter.

    • Characteristics: Slower data transfer rates and shorter reading distances but are less susceptible to interference from metal or liquids.

    • Common Uses: Animal tracking, access control, and some industrial applications.

    • Example: EM4100, HID Proximity cards.

  • High Frequency (HF) Cards (13.56 MHz):

    • Range: Usually up to about 1 meter.

    • Characteristics: Faster data transfer rates and moderate reading distances; can store more data than LF cards.

    • Common Uses: Contactless payment cards, access control, library systems, and public transport cards.

    • Example: MIFARE, iCLASS, NFC cards.

  • Ultra-High Frequency (UHF) Cards (860-960 MHz):

    • Range: Typically up to 12 meters, depending on the environment and reader.

    • Characteristics: Longer reading distances and faster data transfer rates; more susceptible to interference from metal and liquids.

    • Common Uses: Supply chain management, inventory tracking, and toll collection systems.

    • Example: EPC Gen 2, UHF Gen 2 cards.
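The EM4100 listed above as an LF example is a good place to see what a read-only tag actually transmits. Its whole content is one 64-bit frame: nine header bits of 1, ten rows of four data bits each followed by an even-parity bit, four column-parity bits, and a stop bit of 0, which together carry a 40-bit ID and nothing else (no key, no challenge). The decoder below is an added example, not code from the original article; the frame it decodes is constructed for illustration and is not read from any real tag. It validates every parity bit and reports which ones fail, which is what a reader has to do before trusting the ID.

```python
# EM4100-style 64-bit frame decoder with parity checking.
# Added example, not code from the original article. The layout is the
# standard EM4100/EM4102 one: 9 header bits of 1, ten rows of 4 data bits
# plus an even-parity bit, 4 column-parity bits, and a stop bit of 0.
# The card ID used below is constructed for illustration.

HEADER = "1" * 9


def decode_em4100(bits: str) -> dict:
    """Decode a 64-character string of '0'/'1' as an EM4100 frame.

    Returns a dict with 'ok' (True only if the header, every parity bit and
    the stop bit check out), the 8-bit 'version' (customer ID), the 32-bit
    'data', the full 40-bit ID as 'uid_hex', and a list of 'errors'.
    """
    errors = []
    if len(bits) != 64 or set(bits) - {"0", "1"}:
        return {"ok": False, "errors": ["frame must be exactly 64 bits of 0/1"]}
    if not bits.startswith(HEADER):
        errors.append("bad header")

    # Ten rows of [d3 d2 d1 d0 p] directly after the header.
    rows = [bits[9 + 5 * i : 14 + 5 * i] for i in range(10)]
    nibbles = []
    for i, row in enumerate(rows):
        data, parity = row[:4], row[4]
        if data.count("1") % 2 != int(parity):  # even parity over the 4 data bits
            errors.append(f"row {i} parity")
        nibbles.append(data)

    # Four column-parity bits: even parity down each bit position of the ten rows.
    col_parity = bits[59:63]
    for c in range(4):
        ones = sum(int(n[c]) for n in nibbles)
        if ones % 2 != int(col_parity[c]):
            errors.append(f"column {c} parity")

    if bits[63] != "0":
        errors.append("bad stop bit")

    value = int("".join(nibbles), 2)  # the 40-bit ID; nothing else is on the tag
    return {
        "ok": not errors,
        "version": value >> 32,
        "data": value & 0xFFFFFFFF,
        "uid_hex": f"{value:010X}",
        "errors": errors,
    }


# Constructed frame for ID 0x123456789A (version 0x12, data 0x3456789A).
GOOD_FRAME = "".join([
    HEADER,
    "00011", "00101",                    # version nibbles 1, 2 (+ parity bit)
    "00110", "01001", "01010", "01100",  # data nibbles 3, 4, 5, 6
    "01111", "10001", "10010", "10100",  # data nibbles 7, 8, 9, A
    "1011",                              # column parity
    "0",                                 # stop bit
])

# Same frame with one data bit flipped in the first row: both that row's
# parity and the affected column's parity should now fail.
BAD_FRAME = GOOD_FRAME[:9] + "1" + GOOD_FRAME[10:]


if __name__ == "__main__":
    for name, frame in (("good", GOOD_FRAME), ("bad", BAD_FRAME)):
        print(name, decode_em4100(frame))
```

Running the module prints the decoded ID for the good frame and the two parity failures for the corrupted one. The point for a defender is what is missing: once the parity checks pass, the reader has a 40-bit number and no way to tell whether the chip that sent it is the one that was issued, which is why these tags are classed as read-only identification rather than authentication.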

2. Based on Power Source

RFID cards can be categorized by how they are powered.

  • Passive RFID Cards:

    • Power Source: No internal battery; powered by the electromagnetic field generated by the RFID reader.

    • Range: Shorter, typically a few centimeters to a few meters.

    • Cost: Less expensive and more commonly used.

    • Common Uses: Access control, contactless payment, and transportation cards.

  • Active RFID Cards:

    • Power Source: Contains an internal battery that powers the card’s microchip and antenna.

    • Range: Longer, typically up to 100 meters.

    • Cost: More expensive than passive cards.

    • Common Uses: Asset tracking, toll collection, and vehicle identification.

  • Semi-Passive RFID Cards:

    • Power Source: Contains a battery to power the chip but relies on the reader’s electromagnetic field to transmit data.

    • Range: Intermediate between passive and active RFID cards.

    • Common Uses: Specialized applications where longer range is needed but with the lower cost of passive systems.

3. Based on Memory and Functionality

RFID cards can also differ in terms of the amount of memory and functionality they offer.

  • Read-Only RFID Cards:

    • Memory: Pre-programmed with a unique identifier or data that cannot be altered after manufacture.

    • Common Uses: Basic access control and identification where no data changes are needed.

  • Read-Write RFID Cards:

    • Memory: Allows data to be written and rewritten multiple times.

    • Common Uses: Applications requiring updates or changes to the stored data, such as in library systems or transportation cards.

  • Cryptographic (Secure) RFID Cards:

    • Memory: Enhanced with encryption capabilities for secure data transmission.

    • Common Uses: High-security environments such as government IDs, banking, and secure access control systems.

    • Example: MIFARE DESFire, HID iCLASS SE.

MIFARE, developed by NXP Semiconductors (formerly Philips Semiconductors of the Netherlands), is probably the most common of these cryptographic RFID card families. Unfortunately, the cryptography and credentials of some MIFARE variants (notably MIFARE Classic) are vulnerable to compromise.

Here is a table of the most common MIFARE card types.
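To make the difference between a read-only card and a cryptographic card concrete, and to give the reader/tag exchange from "How RFID Works" a concrete shape, here is an added simulation of the reader side of both policies. It is not code from the original article and it is not the real MIFARE DESFire or iCLASS protocol: the challenge-response is a generic HMAC-SHA256 construction chosen for illustration, and every UID and key is a constructed value. A UID-only reader accepts anything that presents a known UID; a reader that demands a fresh challenge-response only accepts a card that holds the matching key, so data observed in an earlier session is useless against it.

```python
# Reader-side authorization for UID-only versus challenge-response cards.
# Added example, not the original article's code and not any vendor's
# protocol; HMAC-SHA256 stands in for the card's cipher. UIDs and keys
# below are constructed values.
import hashlib
import hmac
import secrets


class UidOnlyCard:
    """A read-only card: the UID is all it has, so it cannot answer a challenge."""
    def __init__(self, uid: bytes):
        self.uid = uid

    def respond(self, challenge: bytes):
        return None


class CryptoCard:
    """A cryptographic card: holds a per-card key that never leaves the chip."""
    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()


class ReplayOnlyCard:
    """What a reader sees when only previously observed data is presented:
    the UID and one old response, with no key behind them."""
    def __init__(self, uid: bytes, old_response):
        self.uid = uid
        self._old = old_response

    def respond(self, challenge: bytes):
        return self._old


class Reader:
    def __init__(self, card_keys: dict, require_auth: bool):
        # card_keys maps each authorized UID to its shared key
        # (the key is None for UID-only deployments, where it is never used).
        self.card_keys = card_keys
        self.require_auth = require_auth

    def authorize(self, card) -> bool:
        if card.uid not in self.card_keys:
            return False                        # unknown UID
        if not self.require_auth:
            return True                         # UID-only policy: identity is trust
        challenge = secrets.token_bytes(16)     # fresh nonce per presentation
        expected = hmac.new(self.card_keys[card.uid], card.uid + challenge,
                            hashlib.sha256).digest()
        response = card.respond(challenge)
        return response is not None and hmac.compare_digest(response, expected)


def demo() -> dict:
    """Exercise both reader policies against genuine and replayed presentations."""
    uid = bytes.fromhex("04A1B2C3")                               # constructed
    key = bytes.fromhex("00112233445566778899aabbccddeeff")       # constructed
    weak_reader = Reader({uid: None}, require_auth=False)
    strong_reader = Reader({uid: key}, require_auth=True)
    genuine = CryptoCard(uid, key)
    # A response observed in an earlier session, computed for a different challenge.
    old_response = genuine.respond(b"\x00" * 16)
    replay = ReplayOnlyCard(uid, old_response)
    return {
        "weak_accepts_uid_only": weak_reader.authorize(UidOnlyCard(uid)),
        "weak_accepts_replay": weak_reader.authorize(replay),
        "strong_accepts_genuine": strong_reader.authorize(genuine),
        "strong_rejects_replay": not strong_reader.authorize(replay),
        "strong_rejects_unknown": not strong_reader.authorize(CryptoCard(b"\xff", key)),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

Every entry in the returned dict should be True. The design point is in `Reader.authorize`: the nonce is generated per presentation and the comparison uses `hmac.compare_digest`, so the only way to be accepted is to compute a fresh response with the key, which a read-only card does not have and a replayed transcript cannot supply. This is the property a cryptographic card adds over the read-only and read-write types above; whether a particular product delivers it depends on its cipher and key management, which is where the MIFARE Classic weaknesses mentioned earlier come in.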

4. Based on Form Factor

  • Standard Cards: Typically credit card-sized, used for access control or identification.

  • Key Fobs: Smaller, portable, often used for access control in places like offices and parking garages.

  • Wearables: RFID embedded in wristbands or badges, commonly used in events, amusement parks, and conferences.

Each type of RFID card is designed to suit specific applications, with varying levels of security, range, and cost depending on the technology used.

Summary

IoT devices are growing at an exponential rate, and with this growth come additional security concerns. RFID cards and badges are used throughout industry for access control, but if these cards/badges can be compromised, your physical security can be compromised. When your physical security is compromised…GAME OVER! Any reasonably skilled hacker can take down or otherwise compromise your network (ransomware?) once they are physically inside. This is why physical security is SO important.

Look for our upcoming courses on IoT Hacking and Physical Security.