IP Note: Long-Range Radio Frequency Identification Hacking

January 31, 2014, 1300 EST

SCOPE
The Department of Homeland Securitys Integrated Analysis Task Force/Homeland Infrastructure Threat and Risk Analysis Center (DHS/IATF/HITRAC) produces Infrastructure Protection (IP) Notes to address issues affecting the infrastructure protection community. This IP Note provides awareness of an emerging threat known as Long-Range Radio Frequency Identification (RFID) hacking. RFID technology is widely deployed globally and commonly used in building access cards as part of security control systems. Multiple critical infrastructure sectors, including Government and Commercial Facilities, use RFID-enabled security technology. This IP Note utilizes reporting from open sources, the U.S. Department of State, the National Institute of Standards and Technology, the DHS Intelligence and Analysis Counter Intelligence Programs Division and the DHS Office of the Chief Security Officers Identity Management Division.

KEY FINDINGS
RFID technology is widely deployed globally and commonly used for security management and access control. This specific use of RFID technology is often found in building access cards and identification cards. New long-range RFID hacking devices transform previously impractical attacks on RFID technology into effective covert means for collecting RFID tag data. Compromise of RFID tag data could have serious security implication for multiple critical sectors, including the Government and Commercial Facilities Sectors. Many RFID technologies have little or no security, such as encryption, behind them, thereby making interception of RFID tag information relatively simple. Protective measures, such as radio-frequency blocking sleeves for RFID-enabled identification cards, are recommended to maintain the integrity of security systems.

BACKGROUND
RFID technology uses radio-frequency electromagnetic fields to transfer data between an RFID tag and a reader device. An RFID tag consists of an integrated circuit and antenna contained in a protective material that holds the components together and shields them from environmental conditions. A reader device converts the radio-frequency waves from the tag to a more usable form of data, and transfers the data through a communications interface to a host computer system, where the data can be stored in a database and analyzed to enable functions such as location tracking or identity authentication. RFID tags are manufactured in a variety of shapes and sizes and are either passive or active. Passive tags, the most widely used, receive power from the reader via electromagnetic emissions before they can transmit data. Passive tags need only to be within a very short distance of a reader to authenticate the card. Active RFID tags have an embedded power source enabling them to transmit data at all times. RFID technology is employed by many sectors to perform such functions as: Inventory Management Asset Tracking Personnel Tracking Controlling access to restricted areas ID badging Supply-chain management Counterfeit protection

RFID tags are widely used in identification badges, such as the badges issued by many government agencies, replacing earlier magnetic stripe cards. The data held in these RFID tags can contain sensitive personal information about the badge holder and authentication information that enable access to secure buildings and spaces.

THREAT
The possibility of reading RFID tags on identification badges and similar devices without the holders consent (RFID hacking) raises security concerns, especially when a badge or device is utilized as part of a security management system. While the theft of RFID data is not new, longrange hacking technology transforms a previously impractical attack into an effective covert attack.1 Historically, RFID hacking tools were required to be within centimeters of a target to work properly; new modified RFID readers can capture data from 125 KHz low frequency RFID badges from up to 3 feet away. This new device fits inside a backpack and enables an attacker to covertly capture RFID tag data without the need for close proximity to the reader. In a targetrich environment (e.g., a Metro platform, or bus stop), a hacker can passively capture data from anyone walking close enough to a hacking tool. Testing and demonstrations of this new device
1

(U) Open Source; Pub Date: 9 July 2013 DOI: 9 July 2013; Title: Emergency Alert System Vulnerable to Hackers, Report Finds; Class: Unclassified; Src Desc: http://www.pcmag.com/article2/0,2817,2421503,00.asp.

have shown it to be viable exploitation method.2 Because long range RFID hacking techniques capture data to a database, the compromised information can be stored for later exploitation, brute force decryption, or passed on to other individuals. The prolific use of RFID technology in security systems by the government and private sector partners presents significant challenges to security personnel. Security professionals within the government and private sector must balance convenience and cost against security concerns when considering vulnerabilities and mitigation factors.

VULNERABILITY
Commercial RFID-enabled systems often have little or no security, such as encryption, behind them, making successful long-range hacking techniques relatively simple. Demonstrations have shown that attacks are capable of capturing card data, transferring that data onto a new card, and using the new card to gain access to a secured facility.3 This vulnerability directly affects sector partners, due to the prolific use of RFID tags as a physical security measure at various facilities. Government-issued RFID cards utilize mitigation strategies making them more difficult to hack. Electronic passports utilize radio frequency blocking material in their cover, as well as basic access control encryption to authenticate readers prior to the release of data.4 Although harder to hack, government-issued RFID cards are not immune to compromise. Forty-eight hours after the United Kingdom issued their version of the RFID passport, hackers were able to crack the encryption on the passport and exploit the data.5

CONSEQUENCES
The cost to implement security measures to protect RFID technology-enabled systems is the greatest consequence of this long-range hacking threat. The demand for digital inventory tracking and personal identification systems will likely expand the annual market for RFIDs from $2.7 billion, in 2006, to as much as $26 billion by 2016.6 Most commercial RFID technology does not include security, due to the associated expense involved. Typical passive RFID tags cost about 25 cents, whereas one with encryption capabilities cost about 5 dollars. For most private-sector applications, it is currently not viewed as cost-effective to invest in secure RFID technology. For most sectors, physical security teams typically manage RFID cards and readers and generally operate on a 20-year product lifecycle. This further complicates expense concerns, RFID technology security management, and logistics issues,

(U) Open Source, Pub Date: 23 July 2013; DOI: 23 July 2013; Title: Long-Range RFID Hacking Tool to be Released at Black Hat; Class: Unclassified; Src Desc: http://threatpost.com/long-range-rfid-hacking-tool-to-be-released-at-black-hat/101448. 3 (U) Open Source, Pub Date: 23 July 2013; DOI: 23 July 2013; Title: Long-Range RFID Hacking Tool to be Released at Black Hat; Class: Unclassified; Src Desc: http://threatpost.com/long-range-rfid-hacking-tool-to-be-released-at-black-hat/101448. 4 (U) U.S. Department of State, Pub Date: N/A ; DOI: 15 Aug 2013; Title: U.S. Electronic Passport Frequently Asked Questions; Class: Unclassified; Src Desc: http://travel.state.gov/passport/passport_2788.html#Twelve. 5 (U) Open Source, Pub Date: 17 November 2006; DOI: 17 November 2006; Title: Guardian Hacks New UK Passports; Class: Unclassified; Src Desc: http://www.theinquirer.net/inquirer/news/1011076/guardian-hacks-new-uk-passports. 6 (U) Open Source, Pub Date: May2006; DOI: May 2006; Title: The RFID Hacking Underground; Class: Unclassified; Src Desc: http://www.wired.com/wired/archive/14.05/rfid.html.

since most organizations do not budget for continual updating of systems as new threats and vulnerabilities are identified.7

PROTECTIVE MEASURES
Use of encrypted RFID technology, encryption of data within the RFID tag, and implementation of protective measures, such as use of protective sleeves that contain radio-frequency blocking material, can help to reduce compromise of data and physical security. Frequent audits of security logs for unusual or duplicate entries may alert security managers to compromised cards. Implementation of multi-layer security measures such as visual identification checks or use of personal identification numbers used in conjunction with RFID cards may help mitigate vulnerabilities.

The Integrated Analysis Task Force Homeland Infrastructure Threat and Risk Analysis Center (IATF/HITRAC) produces Infrastructure Protection Notes, which scope the infrastructure protection communitys risk environment from terrorist attacks, natural hazards, and other events being reviewed and highlight the analytic capabilities required to produce infrastructure protection related risk analytic products. The information is provided to support the activities of the Office of Infrastructure Protection, and to inform the strategies and capabilities of Federal, State, local, and private sector partners. For more information, contact risk@hq.dhs.gov. For more information about the Office of Infrastructure Protection, visit www.dhs.gov/criticalinfrastructure.
7

(U) Open Source, Pub Date: 31 July 2013; DOI: 31 July 2013; Title: Hacking RFID Tags Is Easier Than You Think: Black Hat; Class: Unclassified; Src Desc: http://www.eweek.com/security/hacking-rfid-tags-is-easier-than-you-think-black-hat.