There were no RFID enabled badges at the DEF CON security conference in Las Vegas last weekend. Instead the badges were old-school vinyl records. That’s probably a good thing, given all the new tools used to hack and abuse RFID signals, some of which were spotlighted at the event.
In the event’s vendor area, the open source RFIDler RFID reader/writer was among multiple tools being sold and discussed. Francis Brown, partner at security firm BishopFox, had a session at DEF CON called “RFID Hacking: Live Free or RFID Hard.”
This wasn’t Brown’s first time talking about RFID at a Las Vegas security convention. He talked about security weaknesses of RFID at the Black Hat USA conference in 2013.
While two years ago he spoke about low frequency RFID, his DEF CON presentation focused on high-frequency RFID that is found in credit cards and passports, as well as the near field communications (NFC) implementations used in Apple Pay and Google Wallet.
“Most people when they think of RFID hacking are typically not the things they really need to worry about,” Brown said. “Most people think of RFID in credit cards and mobile payments, and those really aren’t huge risks.”
The more dangerous risks involve attacking physical security systems. Brown said he has long distance RFID reader tools that can be used to clone an entry card and then gain access.
Other RFID security tools integrate biometric tools, including fingerprint readers. While you might think it’s not possible to defeat the fingerprint reader, Brown showed it can be done.
“Basically what the system does is it checks your RFID card information to see if you belong in the building, and then it checks to see if the finger you are using is the same fingerprint that is stored on the card,” Brown explained. “So if I stole your card, I’d make a copy of your card, then I’d switch out your fingerprint with my fingerprint, and then the system would just verify my fingerprint with the stolen copied card.”
Going a step further, Brown discussed how some RFID readers are improperly connected to the Internet – and thus are easily discoverable.
“With some RFID badge readers that talk to Internet controllers, basically you can send a signal to them and open a door in a building,” Brown said. “There were a few college campuses in Arizona where I could send a signal and unlock all the doors remotely over the Internet.”
From a defense standpoint, Brown suggests that RFID cards as well as readers should be physically protected to prevent cloning theft and tampering.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.