Subscriber Discussion
RFID Access Vulnerability
It's July. Which means the press is saturated with pre-Black Hat vulnerability announcements. Like this one on RFID:
LONG-RANGE RFID HACKING TOOL TO BE RELEASED AT BLACK HAT
So... this says you can do PROX from a meter away, and PROX is an unencrypted number, and PROX is clonable. Is that all correct? Oh, and urban legend is that if I ever breathe while thinking about this, an HID patent attorney will threaten me. I say that to respectfully document the urban legend; I don't mean to be rude here.
Comments? Is it really this bad? Do physical security directors really not know about this stuff? Is this really news?

Saying 'low frequency prox (125 kHz) is unsecure' is like saying 'The Beatles are a successful band'.
Even HID agrees! I don't think the swarms of black helicopters are going to buzz you or these guys at Black Hat for thinking/talking/YouTubing about it.
In fact, HID will use the opportunity to tell you this is why it's a great time to switch to iClass (13.56 MHz) instead.
Check our Prox vs. iClass Explained post for a rundown of the differences. (Surprise! It's primarily encryption!)
The urban legend is also growing that all of your credit / ATM cards can be read through your wallet.
Of course, as soon as the legend spread, a cottage industry sprang up for secure wallets.
If paying $49.99 for that peace of mind isn't your thing, you can always make your own out of duct tape.
Tin foil hats are a nice way to accessorize.
This is old news actually and not really an urban legend. The issue is you still have to be fairly close to read the card... duct tape does work. Identity Stronghold has been around for over 10 years I believe.
I took an RFID class moons ago while working on my master's in computer science at New Mexico Tech. The application of the technology was so amazing that I purchased the sleeves for my credit cards... did I mention my degree focused on information assurance?

08/03/13 01:02am
125 kHz is very simple to copy/clone. It is a passive technology and is truly not secure.
In general, smart cards (13.56 MHz) are much more secure but some of the smart card technologies have been hacked/cracked already.
The 2 most common platforms that have been cracked are Mifare Classic and iClass. Online guides exist that explain very clearly how to copy and reproduce both of these card platforms.
Stay away from passive cards like 125 kHz and steer towards secure smart-card technology like DESFire EV1. Many manufacturers offer DESFire EV1 smart cards and readers.