[ISN] E-Passport Hacker Designs RFID Security Tool

From: InfoSec News (alerts@private)
Date: Tue Apr 15 2008 - 00:33:21 PDT


http://blog.wired.com/27bstroke6/2008/04/e-passport-hack.html

By Kim Zetter 
Threat Level
Wired.com
April 14, 2008 

The team that produced the RFDump research/hacker tool for cloning and 
altering data stored on radio-frequency ID tags has now come out with a 
product to thwart RFID hackers.

German security researcher Lukas Grunwald, who made headlines two years 
ago for uncovering security vulnerabilities in new electronic passports 
being adopted by the U.S. and other countries, created RFDump with 
colleague Boris Wolf in 2004.

Now the two have created RF-Wall (shown on the lower shelf in the 
picture at right) to help thwart RFID fraud and attacks against 
e-passports, electronic access cards and payment cards -- such as the 
Mifare Classic card that is used in the London Underground and which 
security researchers recently cracked.

The device, which Grunwald and Wolf are producing for their new 
California-based company NeoCatena, is a hybrid firewall and 
intrusion-detection system that sits between an RFID reader and its 
back-end system. It's designed to detect counterfeit and cloned RFID 
chips and prevent an attacker from injecting malware into a back-end 
system with a rogue RFID chip. They'll be debuting the device this week 
at the RFID Journal Live conference in Las Vegas but gave me a 
demonstration of it this weekend.

The box can be loaded with virus signatures to detect known types of 
attacks and uses heuristics to detect other malicious activity, such as 
generic SQL-injection attacks (such as the one that appears in the 
screenshot above right). The device can be restricted to read only RFID 
cards that have specific serial numbers and reject all others. It also 
can be used to digitally sign chips so that any chips that are altered 
after being issued are rejected by the RFID reader. The system uses the 
HMAC algorithm for the digital signature. Grunwald and Wolf hold a 
patent on the use of HMAC with RFID technology.

Last year Grunwald revealed that he'd been able to sabotage the 
e-passport readers of two unnamed manufacturers by embedding a buffer 
overrun exploit in the JPEG2000 file of a cloned passport chip. The JPEG 
file contains a digital photo of the passport holder.

Recently other researchers cracked the encryption used in Mifare Classic 
chips that are used in door access systems around the world as well as 
in the London Underground's Oyster card.

It's long been known that RFID readers and chips are insecure, but 
trying to fix systems that have already been widely deployed has its 
challenges, particularly since there are a number of different types of 
chips and readers on the market, which work at different frequencies.

"A lot of people are thinking about on-tag security -- putting 
cryptography on the tag," Wolf says. "But those tags are limited in 
their computational power or even if you can get that worked out the 
more encryption technology you have on the tag, the more expensive it 
is. We're saying you don't have to worry about what's happening with 
your tag if you can verify whether there's data integrity or not."

Grunwald says they've shown the tool to a large pharmaceutical company 
based in Switzerland that is interested in using it to authenticate 
drugs and equipment -- such as dialysis machines -- from counterfeit 
products. He says an Asian country is also interested in using RF-Wall 
with its electronic passport system.

During a demonstration for me, Grunwald and Wolf used RFDump to alter 
the value on a digitally signed transportation card from $10 to $99. On 
a first pass without RF-Wall in place, the RFID reader accepted the 
card. After they connected the device, however, the system rejected the 
tag. The system also rejected a tag that was embedded with SQL injection 
code.

The screenshot at right shows the backend of an RFID inventory system 
after malware on a rogue chip has crashed it.

They currently only have a prototype, but the system, when produced, is 
expected to market at $25,000 to $60,000.

Paul Roberts, a security analyst with the 451 Group, says the approach 
Grunwald and Wolf are using -- to have a device sitting inline between 
the reader and the backend, rather than try to secure the reader and 
chips themselves -- is smart. He also sees value in watermarking RFID 
for products. But he wonders if companies would invest in a device like 
this to prevent intruders from gaining unauthorized access to buildings 
that use RFID cards or to prevent malicious attacks against back-end 
systems.

"The bottom line is cost," he says. "Unless you open the newspaper to 
find your company or your competitor on the pages -- like Hannaford -- 
companies aren't likely to put out the cost for a solution like this."

Roberts notes that even companies with sensitive security facilities, 
such as ones that deal with critical infrastructures, have been 
reluctant to upgrade RFID access systems to more secure ones due to 
cost.


-==-
Let identityLoveSock take your personal information into 
their wanting hands. http://www.identity-love-sock.com/ 
Because victims have money too. 



This archive was generated by hypermail 2.1.3 : Tue Apr 15 2008 - 00:44:27 PDT