rfid: threats, failures, and fixes
7/22/2019 RFID: THREATS, FAILURES, AND FIXES
1/43
RFID: THREATS, FAILURES, AND FIXES
BY
Rusty A. Deaton
A Significant Paper submitted in partial fulfillment of the Requirements for the Degree of
MASTERS OF Science in Business Information Technology
Troy, MI
March, 2014
Revision History
Author                     Date        Reason for Changes
Rusty Deaton               3/4/2014    Original Draft #001
Julie (Stanley) Skidmore   3/14/2014   Draft revisions for grammar
Rusty Deaton               3/16/2014   Draft revisions for content
Julie (Stanley) Skidmore   3/17/2014   Final revisions for grammar
Rusty Deaton               3/17/2014   Final revisions for content
Table of Contents
II Literature Review
    Logistics Management
    Physical Security
    Information Storage
    Transactional Use
    Potential Fixes
    Questions and Takeaways
III Methodology and Approach
    Logistics Management - Walmart and RFID Rollout
    Information Storage - E-Documents and Identity Theft
    Physical Security - RFID in Transit
    Transactional Security - Credit Where It Is Due
IV Results
    Proof of Concept - Introducing the Arduino
    Building, Flashing, and Testing the Arduino
    Simplifying the Equation - 13.56MHz Applications on Smartphones
V Summary and Conclusions
    Suggestions for Further Research
References
I Introduction/Background
One of the greatest objectives of technology is to make daily life more convenient
for its users. From ploughs used in lieu of hand tools to the clustered
computing that detects anomalies in DNA to determine the state of genetic diseases in
humans, there is an undeniable drive to make life easier and thus more valuable.
Radio Frequency Identification (RFID) systems are a part of this technological
cornucopia. In its modern implementation, RFID may offer an unrivalled level of
transparency into the positions of items as they move through an area, an ease of entry
(and subsequently access management) that makes keys a thing of the past, rapid
transactions between customer and business, and several other uses. In
its myriad implementations it no doubt meets the expectation that technology make life
easier.
There is, unfortunately, a darker side to making life easier. The same principles
that RFID uses may be used against it: its data can be captured freely and used against
those systems where it remains usable without issue. If left unconsidered and its
misappropriated use uncontested, it could be ultimately disastrous.
This project seeks to outline cases where this unchecked diffusion of data, while
typically infinitesimal and static in nature, can be exceedingly useful in a well-designed
strategy to infiltrate an organization, commit fraud, or both.
II Literature Review
In the realm of RFID, there are a number of benefits that may be associated with
it. It is commonly used as a means of logistics management, a layer of physical
security, a token for transactional applications, a static reference to a point in a
predefined database, and so forth. The information security discipline has wasted no
time in taking these models used for RFID, exploding them, and discussing the
findings. There is a wealth of knowledge on RFID that hails from
sources ranging from the purely scholastic and research-oriented to the bombastic
and glory-minded. There is merit in discussing these findings, particularly as they relate
to the realm of information security, and the salient fixes (or lack thereof) that come
forward.
Logistics Management
There are a number of issues that make the logistics management angle of RFID
ripe for attack from an information security standpoint. The most basic example of
the role of RFID in logistics management is identifying inventory in a
given shipment. There are of course other uses from a logistics management
standpoint, such as efficiency measurements (e.g., determining when part A hit scan
station 1, scan station 2, etc.) or heuristics analysis (e.g., determining how often an
RFID-tagged ring is removed from its case and looked at, indicating potential interest). It
is at these most basic uses of RFID where some of the most egregious abuses of the
technology may occur.
The first and perhaps most simply executed of all threats associated with RFID
are those associated with the physical RFID chip itself, as discussed by Mitrokotsa,
Rieback, and Tanenbaum (2010), wherein a suitably informed threat agent may commit
attacks that span multiple layers of the chip's architecture with very few
committed resources. Chawla and Robins (2013) discuss how a threat agent looking to
commit espionage might easily track an RFID chip or chips across locations, duplicate
those chips to knowingly introduce faulty items into a rival's production base, or modify
the RFID chips to redirect inventory flow. Another grim scenario would be disabling the
tags, whether through physical destruction or through KILL commands, or sending
mass amounts of false RFID requests through the attached monitoring systems to
obfuscate traffic or attempt to break them (as discussed in Mitrokotsa, Rieback, and
Tanenbaum, 2010).
There are some possible fixes to the presented vulnerabilities. Cryptography
could be used with the RFID chip setup to help ensure that communications between
the chip and its ultimate destination are authentic. Temporary restraint mechanisms
could also be used, such as sleep/wake functions available on higher-end chips,
Faraday cage constructs over sensitive transport items, or RFID re-writing stations
where all scanned items are re-written to meet a new set of criteria. Examples include a
new cryptographic key or new metadata to throw off spoofing/cloning attempts (as
discussed in Crispo, Rieback, Tanenbaum, 2006). Chawla and Robins (2013) posit
other ideas, including authentication requirements to modify tag metadata such as
passing a token or password (built into the EPC Gen2 RFID standard), pseudonym
generation to foil tracking, or the inclusion of RFID chips that possess Physically
Unclonable Functions (PUF) to generate authentication responses.
Without sufficiently strong encryption models, the possibility of cracking the
encryption on a tag rises significantly. This is especially important within the
scope of cryptographic key use or metadata reconstruction. Bono, Green, Juels, et al.
(2008) show how the 40-bit encryption used by Texas Instruments' Digital Signature
Transponder can, in the worst case, be cracked in an hour by reconstructing a key from
two arbitrary challenges.
Physical Security
As a physical security device, RFID has the capacity of a key in
that it can act as a trigger to open doors, while having the manageability attributed to a
directory or entitlement system. Many vendors' RFID-based solutions are
based on Wiegand swipe card technology; that is to say, a specific format in which
data is to be placed on the RFID chip. ZHLab.com (2011) discusses how this is most
commonly done with 26 bits, but may be up to 64 bits with some systems. For the
purposes of the literature in this area of RFID study, it is not necessary to understand
the exact specifications of the Wiegand format, nor the thousands of permutations of bit
structures used with it. In fact, many attacks disregard these issues entirely.
The attack surface for physical security devices is small, possibly out of the way,
and often directly related to the physical system. There is often no consideration for
application proxies or mechanisms connected to these physical systems to root out
potentially harmful data pushed through the interface, thus making them ripe for attack.
An example of a standard physical environment infrastructure used alongside RFID
can be seen in Figure 1:
Figure 1: RFID use in Physical Environment Security
There are three primary paths to attack RFID in the realm of physical defense. There
are brute force techniques, such as slamming as much Wiegand-appropriate data as
possible at a system until the door unlocks. Another technique is cloning, which
consists of creating a direct copy of the card for later use. The third method is attacking
the system that runs the physical security system through its interfaces; oftentimes, this
is done by using a specifically designed RFID card.
In a brute forcing scenario, the attacker sends values that are potentially valid as
fast as possible until a correct value is found. However, brute force can take an
incredibly long time. For instance, a 26-bit Wiegand system would have over
67,000,000 different combinations. Antoniewicz (2011) demonstrated how at one
attempt a second, which is the rate the Proxmark III (a noted RFID capture/store/replay
tool) performs at, exhausting the 26-bit space would take over two years. In perfectly
ideal circumstances, Byers, Lofton, Vangari-Balraj, et al. (2007) showed that the
average time to brute force an EPCglobal UHF Class-1 Generation-2 RFID tag is 29
days, which means that this route around physical security is far too lengthy to be
of genuine value. What emerges is that, as with a password of suitable length, breaking
into a building that uses RFID as physical security through brute force takes time.
Cloning bypasses the problems that might be seen with brute-forcing a given
system and gets to the root of the issue: copying keys, especially physical keys, will
always be a valid path into a building. At its most basic, there are RFID cloning devices
that may capture a single card and emulate it for future use, such as the open-source
RFID tag developed by Ramiro Pareja (2011). At its most complex, there are devices
that are designed to capture, store, and replay RFID tags from up to three feet away
using a weaponized off-the-shelf RFID reader; Francis Brown (2013) described and
provided a how-to for such a device. The problem with cloning as an attack vector is
that it relies upon access to a valid card in order to create a duplicate of it; without
access to the card, this method becomes worthless to a potential attacker.
A final direction of research into bypassing RFID physical security mechanisms is
to attack the backend systems controlling the RFID security device through the interface
itself. Because of the intricate nature of systems and their interactions, RFID as a
transmission medium can be extremely devious. For example, Rieback, Simpson,
Crispo, et al. (2006) wrote an article on how an RFID tag could be coded to inject
shutdown commands into a Structured Query Language (SQL) server. Figure 2
demonstrates an example of this.
Figure 2: RFID as an Attack Surface
Additionally, RFID tags could be used to stage RFID-pathed malware if the backend
server connects to the internet, such as using SQL Injection Attack-based methods to
execute a Trivial File Transfer Protocol-based connection to a host server to download
and execute malware (as additionally shown by Rieback, Crispo, and Tanenbaum, 2006). In
the event that an RFID backend server connected to the internet and allowed such an
attack, it could be a gateway for a host of other, deeper attacks, not the least of which
is unlocking all doors.
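The backend weakness described above, shown as an added example that is not from the paper or from Rieback et al.: a badge lookup that pastes tag contents into SQL text beside a hardened form that validates the tag and binds it as a parameter. The table layout, the 16-hex-character tag format and all sample values are assumptions constructed for illustration.

```python
import re
import sqlite3

# Assumed tag-ID format for this example: exactly 16 upper-case hex characters.
TAG_ID_RE = re.compile(r"[0-9A-F]{16}")

# Constructed sample inputs: one well-formed tag, one tag whose stored
# contents contain SQL syntax instead of an identifier.
GOOD_TAG = "04A1B2C3D4E5F601"
MALFORMED_TAG = "' OR '1'='1"


def make_db():
    """Build an in-memory badge table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE badges (tag_id TEXT PRIMARY KEY, holder TEXT, active INTEGER)"
    )
    db.executemany(
        "INSERT INTO badges VALUES (?, ?, ?)",
        [("04A1B2C3D4E5F601", "alice", 1), ("04A1B2C3D4E5F602", "bob", 0)],
    )
    return db


def lookup_vulnerable(db, tag_data):
    """Weak form: tag contents become part of the SQL text, so whoever
    writes the tag also writes part of the query."""
    query = (
        "SELECT holder FROM badges WHERE active = 1 AND tag_id = '"
        + tag_data + "'"
    )
    return [row[0] for row in db.execute(query)]


def lookup_hardened(db, tag_data):
    """Hardened form: reject anything that is not a well-formed tag ID,
    then pass the value as a bound parameter so it is only ever data."""
    if not TAG_ID_RE.fullmatch(tag_data):
        return []  # a real middleware would also log the rejected read
    rows = db.execute(
        "SELECT holder FROM badges WHERE active = 1 AND tag_id = ?",
        (tag_data,),
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for tag in (GOOD_TAG, MALFORMED_TAG):
        print(repr(tag))
        print("  vulnerable:", sorted(lookup_vulnerable(db, tag)))
        print("  hardened:  ", lookup_hardened(db, tag))
```

With the malformed tag, the concatenated query matches every row, including the deactivated badge, while the hardened lookup returns nothing.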
Information Storage
RFID tags can be used to store information presented upon activation, that being
the basis for the majority of uses. A very high-profile use of RFID as an information
storage device is passports. Nogueira and Greis (2009) outline how RFID chips may
be embedded into passport documentation, and how those chips contain several data
entries, including name, date of birth, a digital photograph of the person, and so forth.
Research into the implementation of these documents shows that they fall victim to
many of the issues that are endemic to the technology itself. Research done by
Koscher, Juels, Brajkovic, and Kohno (2009) suggests that it is currently feasible to
clone the data contained within these RFID tags. Further research suggests that even if
sensitive e-documents applied the currently established standards presented by the
International Civil Aviation Organization regarding encryption, it would not be of
particular worth; the key has such low entropy that a laptop could crack the key encrypting an
e-document in a few hours (as presented by Juels, Molnar, and Wagner, 2005).
Transactional Use
As evidenced previously by Bono, Green, Juels, et al. (2008), there are
transactional systems that rely upon RFID. There may be a number of very steep
problems with this given the sensitivity of data involved and the risks associated with
leaked data related to financial transactions. There are a number of articles on issues
associated with RFID as a transactional exchange medium, and the associated
challenges. Garfinkel, Juels, and Pappu (2005) outlined a number of threats that matter to
all RFID systems. One example includes issues regarding the metadata of the token,
such as the token being sensed in a given location at a given time. Another issue is
the consequence of association, such as having your identity tied to a token that may be
removed from your presence, and again the cloning of the device. Kaspar, Silbermann, and
Parr (2010) showed that one may create counterfeit cards that appear legitimate to a
poorly devised transactional system. With this comes the capacity to set up cards to have
no value associated with them or, conversely, to set them to a high
value.
In those transactional systems that store the relative worth of the token on a
backend server, the relative security of the token could be increased but research
suggests there are still a number of issues that must be addressed. First generation
contactless cards appeared to have many of the issues that a backend-less system
had. Heydt-Benjamin, Bailey, Fu, et al. (2009) indicated how these issues included
unmitigated replay attacks, the capacity to capture cards through a number of means
such as skimming, eavesdropping, etc., as well as privacy invasion issues due to user
data being stored within the card on the RFID chip. Kristina Paget (2012), during their
Shmoocon presentation, expounded further on the flaws inherent within using RFID as
a financial transaction medium. While each component such as the cards, the readers,
and the transaction protocol, is relatively secure, the system is expected to talk to the
point of sale system. Therefore, it has to effectively dumb itself down to communicate
to these systems. Figure 3 demonstrates this graphically:
Figure 3: Findings from Paget's 2012 Shmoocon Analysis
Potential Fixes
Given the current implementation of RFID chips and the constraints placed on
them by the nature of their uses, traditional fixes that might be taken to secure them fall flat.
However, there is a lot of research dedicated to authentication protocols between
readers and tags as well as encryption methods to prevent the simple eavesdropping of
data between tag and reader. Indeed, a good deal of the research texts out there
acknowledge that one of the major failings of RFID is that anyone, with any reader, may
read the data off of a given RFID chip and then use that data for whatever they need to.
The authentication protocol research about RFID deals almost exclusively
with mutual authentication schemes. This research primarily deals with using areas
within the RFID tag to store a key. Changes are allowed at the tag level so long as the
expected response is entered (as shown by the work of Peris-Lopez, Hernandez-Castro,
Tapiador, and Ribagorda, 2006). An example that sums up much of the
research done at a conceptual level can be seen in a paper by Yijuan Luo et al. (2010),
wherein pseudo-random numbers are used to facilitate secure updates between tag and
backend. This in turn reduces the likelihood of bad actors performing tasks on the
tags, e.g., editing data. When it comes to data, the tag will only allow editing by a
reader that presents the proper key under the mutual authorization
schema, and tracking tags by remembering the data they present is hindered because the
data changes at each authorization step. A graphical representation of this workflow
can be seen in Figure 4:
Figure 4: Overview of WG-7 Cipher
There are, of course, issues within these proposed resolutions. In 2012, a rather
compelling analysis was done of the stream cipher authentication process presented by
Luo et al. in 2010. Orumiehchiha, Pieprzyk and Steinfeld (2012) determined that the
mutual authentication schema, along with the encryption schema used by Luo et al.
(2010), could be broken with relative ease due to flaws in the protocol itself. Additional
analyses from other teams have shown similar findings with other protocols. A paper
presented by Avoine and Carpent (2013) has shown that these ultralight protocols are
lacking: with one proposed ultralight protocol, the LMAP protocol (as proposed by
Peris-Lopez, Hernandez-Castro, Tapiador and Ribagorda, 2006), an attacker need only
eavesdrop for around 18 sessions on average in order to recover enough of the secret
key to mutually authenticate and begin effectively communicating with the back end
server.
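For contrast with the ultralight schemes above, here is a nonce-based mutual authentication exchange showing both sides' messages, as an added example that is not code from the paper. It swaps in HMAC-SHA256 as the primitive, so it is not WG-7, the Luo et al. protocol or LMAP, and it assumes a tag able to compute a standard keyed MAC; the class names, labels and demo key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo key shared by tag and backend (assumption of this example).
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def mac(key, label, *parts):
    """HMAC-SHA256 over a direction label and length-prefixed fields.
    The label stops a tag->reader proof being reflected as reader->tag."""
    h = hmac.new(key, label, hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


class Reader:
    def __init__(self, key):
        self.key = key
        self.nonce = None

    def challenge(self):
        """Message 1: a fresh random nonce, never reused."""
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def verify_tag(self, tag_nonce, tag_proof):
        """Check message 2; on success return message 3, else None."""
        expected = mac(self.key, b"tag->reader", self.nonce, tag_nonce)
        if not hmac.compare_digest(tag_proof, expected):
            return None
        return mac(self.key, b"reader->tag", tag_nonce, self.nonce)


class Tag:
    def __init__(self, key):
        self.key = key
        self.nonce = None
        self.reader_nonce = None

    def respond(self, reader_nonce):
        """Message 2: the tag's own nonce plus a proof bound to both nonces."""
        self.reader_nonce = reader_nonce
        self.nonce = secrets.token_bytes(16)
        return self.nonce, mac(self.key, b"tag->reader", reader_nonce, self.nonce)

    def verify_reader(self, reader_proof):
        """Check message 3; only then would the tag allow data to be edited."""
        if self.nonce is None:
            return False
        expected = mac(self.key, b"reader->tag", self.nonce, self.reader_nonce)
        ok = hmac.compare_digest(reader_proof, expected)
        self.nonce = None  # nonces are single-use
        return ok


def run_session(reader, tag):
    """Run the three-message exchange. Returns (mutually_authenticated,
    transcript), the transcript being what an eavesdropper would capture."""
    challenge = reader.challenge()
    tag_nonce, tag_proof = tag.respond(challenge)
    transcript = (challenge, tag_nonce, tag_proof)
    reader_proof = reader.verify_tag(tag_nonce, tag_proof)
    if reader_proof is None:
        return False, transcript
    return tag.verify_reader(reader_proof), transcript


if __name__ == "__main__":
    ok, captured = run_session(Reader(DEMO_KEY), Tag(DEMO_KEY))
    print("genuine session authenticated:", ok)
    later = Reader(DEMO_KEY)
    later.challenge()  # a new session issues a new nonce
    print("captured response accepted later:",
          later.verify_tag(captured[1], captured[2]) is not None)
```

Because every proof is bound to fresh nonces from both sides and the transcript does not expose key material, a recorded response is rejected in any later session.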
Questions and Takeaways
There are a few questions that must be asked from the standpoint of a security
professional in regards to RFID. For starters, has a focus on cheap technology rendered
a genuinely inferior product for any purpose? Can the issues outlined by researchers
be overcome short of re-engineering the product? Further, does its lack of security
necessarily debase it as a tool, provided its inherently insecure nature is
understood?
One key point to take away from the research is how easy it is to copy
RFID data. Every discussed use of RFID had the same issue, and indeed it could be
argued that every physical system will have this flaw. Another point is that RFID is a
viable attack surface. Several researchers in various fields have shown that, whether it is
corporate espionage or malware, without securitizing and streamlining business
processes, misuse and abuse can occur to these systems.
III Methodology and Approach
Logistics Management - Walmart and RFID Rollout
An article by Violino (2003) cited that Walmart made a bold declaration: to have
its top 100 suppliers place RFID tags on pallets and cases by 2005, meaning roughly 1
billion cases a year would be tagged. Figure 5 shows an example of the style of RFID
tags to be used: passively powered, with built-in antennas, and made to be relatively small and
inexpensive.
Figure 5: Flexible RFID Transponder, taken by Andre Nitsche (2009)
This was a massive change in the process as it was, and not only did suppliers have a
tough time meeting this change; Walmart did as well. An article by Matt Malone (2012)
detailed the pains witnessed on both sides:
Not only hadn't adoption spread quickly to other retailers and suppliers, Wal-Mart
faced its own issues with implementation, including pushback from suppliers
and technical problems. In the early days, the company's database wasn't big
enough to handle the volume of data generated by the new system. By late 2005,
its ambitions had already been scaled back. Wal-Mart announced that the "next
300" of its top suppliers would begin tagging by 2007-- a far cry from the full
compliance the company spokesman had touted just two years earlier.
The technical challenges presented by RFID implementation are very real. Walmart saw
at the very beginning a key issue with RFID: it generates a lot of data very quickly, which
can be difficult to scale. A smart attacker could have used denial of service attacks on
the newly minted RFID infrastructure itself. As outlined by Mitrokotsa, Rieback, and
Tanenbaum's (2010) research on RFID attacks, the intent would be to wreak havoc. If
the RFID application isn't segmented from the standard network, it could lead to a
denial of service across the entirety of the organization's local infrastructure.
Another problem at the time of Walmart's decision to roll out was that the
standards behind RFID and systems to reliably work with the standard were still in a
very formative state. As written in a retrospective piece on Walmart's RFID woes by
Sharon Gaudin (2008), "Part of the problem was that the plan was unveiled before the
RFID industry was ready for it, users and analysts said. There were no standards, the
technology was in its infancy, prices were high, and fly-by-night vendors and
consultants littered the industry." With such a large gap in familiarity, it is easy to see
potential issues that could arise in the implementation, such as leaving middleware
servers vulnerable to SQL injection attacks via RFID as outlined by Rieback, Crispo,
and Tanenbaum (2006) in their work on the subject.
Unfortunately, there are no quick alternatives in the arena of logistics
management. A massive motivator in the use of RFID as a tracking tool continues to be
cost. Palmer (2004) noted a 2004 case study done by the ARC Advisory Group that
determined the average cost for a passive RFID tag, which is what
Walmart wanted instituted, was 57 cents. When one takes into consideration that the average price for an
RFID tag at that time may very well have been half of the profit from a given crate of
goods, it is easy to see why the adoption of RFID stagnated amongst Walmart's
suppliers. Even today, with prices for possible alternatives such as low-powered
Bluetooth transponders coming down, they cannot meet the significant cost advantage
provided by current RFID chip costs, which RFID Journal (2014) places anywhere
between 7 and 15 cents, depending on volumes ordered. As for the baseline security of
these older deployments of RFID technology, security researchers agree that the focus
was not as much on security as it should have been. According to Craig Schmugar, a
noted threat researcher, regarding RFID rollouts around Walmart's time frame, "In
general, the impression the companies have is slightly skewed to things being more
secure than they've been proven to be! The emphasis is first on getting the
technology widely deployed, and then security is secondary" (as quoted by Zappone,
2007).
Information Storage - E-Documents and Identity Theft
It is no secret that the United States has become incredibly concerned with
security since the events of September 11, 2001. One such aspect of security is
ensuring that people are who they say they are, particularly when entering and exiting
the country. It was under this rationale that, in 2007, the United States began issuing
e-passports. In addition to the standard passport, it possesses a small RFID-enabled chip
that stores various information about the individual as well as a digital copy of the
individual's photograph so that it can be run through facial recognition software at points
of entry (per the U.S. Department of State, 2014). The United States is not the only
country that has adopted the use of RFID-enabled passports. Clary (2012) outlines in
an article that, per the International Civil Aviation Organization, 93 of 193 U.N. member
states in 2012 used e-passports, with an additional 21 countries deploying the
technology for RFID-enabled passports in the next four years.
It seems at odds that a technology proven to be insecure would be implemented
across the globe. Chris Paget (2009), at Shmoocon V, provided a proof of concept
wherein he was able to pull data from a portion of these e-documents, such as
enhanced driver's licenses, at a range of 250 feet and readily clone them. Passports
are a harder-to-access set of e-documents that often have additional security measures
built into them. As previously shown, these security measures often have such low
entropy that they may be defeated in a matter of hours by a laptop. Cem Paya (2012),
a security researcher, noted how easily one could read the United States passport with
an Android smartphone. If one were to pay attention to the pages of another person's
passport while they looked it over, for instance, the information contained therein could
be retrieved without issue and the contents harvested. Of further interest is the
traceability of RFID technology. Chothia and Smirnov's (2010) study indicated that the
data sent back, as well as the time taken to respond to a challenge, differs for each
country's passport. This means that one can determine the nationality of an
individual by passively reading the passport tag.
Physical Security - RFID in Transit
Given the speed at which data is processed via RFID for logistics, which is what drove
Walmart to implement RFID in the previous case, it only makes sense that
organizations would seek to implement it for other mobile bodies, such as people. It
stands to reason that by being able to track access, and to know when to let a turnstile
activate and let someone through, the costs of system monitoring could be reduced.
The time needed to process individuals could likewise be reduced. One would not need to
look any further than city streets to see RFID in action.
A particularly major rollout of RFID as physical access may be found in Europe.
As of 2011, the Netherlands moved entirely to an RFID-based system for public transit
called OV-Chipkaart (per Trans Link Systems, 2011). Per publicly released
documents cited by Martin (2008), the OV-Chipkaart system uses the MIFARE Classic
chipset, which does have cryptographic features that protect it from out-and-out
tampering. These cards are used to check in at gates by deducting a boarding
fare. The cards then check out either after completing the transit or after moving to
another form of transportation. The cards are then refunded the boarding fare, minus the
amount travelled on the service. The goal is to charge people a rate that is fair based
on the use while offering incentive to users to disclose traffic data (per Trans Link
Systems, 2014).
The security community, for lack of a better description, has turned this system
on its head. Before the system rolled out extensively across the Netherlands, Nohl and
Plötz (2007) reported on the cryptographic failings of the MIFARE Classic card during
the 2007 Chaos Communication Conference. While Nohl and Plötz did not directly
release the low-level elements of the MIFARE Classic card, their work was foundational
for the programmatic defeat of MIFARE Classic security features. These failings on
behalf of MIFARE's creator, NXP Semiconductors, allowed for what little security
the card had to be ripped apart. The OV-Chipkaart system relies on trusted
components to perform authentication and authorization; therefore, an evil actor can
wreak havoc by exploiting systemic weaknesses.
As previously discussed, there are three real inroads on a physical security
system: brute forcing the system, cloning valid access into the system, or attacking the
infrastructure surrounding the RFID system. With the security compromised on the
OV-Chipkaart system, these attacks became not only possible, but extremely
well-documented. Gans, Hoepman, and Garcia (2008) presented within their research that
while brute-forcing is traditionally a poor method of bypassing RFID-based
physical security, it was offline brute-forcing, where thousands of attempts can be
made per second as opposed to a few per second, that enabled the attack and damned
the chipset as a whole. As for cloning strategies, there are a number of applications
reported by bloggers such as The Linkielist (2011) that allow for filling up an anonymous
Chipkaart once, generating a copy of it, and reverting back to the copy occasionally.
Per the Linkielist's (2011) anecdotal coverage of the issue, this is undetectable by the
service. The worst case scenario behind the cloned RFID chip information being
blacklisted is loss of initial payment. If the system takes too long to catch on to the
clone, it may be irrelevant and long since spent. Another impressive feat is the capacity
to work around the system entirely using the compromised RFID card. Per an article by
Brenno de Winter (2011), an application was made available to edit the data on the
RFID card in order to check in automatically for a specific time and date. With the use
of this application, the attacker never has to deal with the back end of the infrastructure.
With the information on the card appearing entirely valid, even to conductors who see
the check-in time when scanning the card, the fraud is entirely undetectable. Even
more interesting is the escalation and abstraction of these attacks into devices outside
of the OV-Chipkaart, by way of using RFID-capable phones and possibly pulling the
data of legitimate users' cards at range (Johnson, 2013).
Transactional Security - Credit Where It Is Due
With the number of flaws already pointed out in RFID as a technology, it is not
surprising that as a transactional token that RFID makes a less than optimal choice.
Consider the EasyCard system, implemented by the city of Taipei. The EasyCard acts
as a payment card for public transit, which as previously demonstrated by the OV-
Chipkaard system, is insecure. The differentiating factor between the OV-Chipkaard
system and EasyCard is that EasyCard has become significantly more than a transit
card. An article by Mo Yan-chih (2011) describes how the EasyCard may also be used
as an electronic wallet and indeed, the article expresses its expansion from
convenience stores and restaurants to fast food chains and gas stations. Harald Welte
(2010), at the 27thChaos Communication Congress, clearly demonstrated methods by
which values on the card could be increased, decreased, or otherwise, altered by an
attacker. Financial transactions have far more visibility; for instance, an article by Mo
Yan-chih (2011) describes how an attacker was caught by monitoring transactions and
tracking them down. This goes to show that while the processes by which people
attempt to steal may change, their patterns may not.
A more sophisticated attacker might elect to target credit cards. Given the
research done by Kristina Paget (2012) presented during Shmoocon, a suitably
motivated attacker could hop on a crowded subway with a weaponized card reader and
copy several RFID-enabled credit cards without issue. Once captured, there is a myriad
of things the attacker can do with the information. On the low end of technical
requirements, the card could be cloned for later use and applied to a single transaction
requiring a CVV. On the technically intricate side of things, Eddie Lee (2012) during
Defcon 20 was able to demonstrate how an attacker could use one smartphone to skim
transactions, transmit that data to another smartphone directly, and use that
smartphone's NFC capabilities to activate a genuine card reader to execute a purchase.
A graphical representation of this can be seen in Figure 6.
Figure 6: Workflow of NFCProxy Application
IV Results
As has been demonstrated in both academic research and reported cases
throughout the world, RFID as a technology is insecure. It is assumed that individuals
perpetrating these crimes are technically savvy. Solutions required to abuse such
systems necessitate experience building hardware, programming knowledge to make
the hardware act as required, and systems data in order to act on the information
gleaned by the attack.
It has become incredibly easy to perpetrate these attacks, regardless of technical
expertise. In an attempt to debunk the idea that it takes true technical brilliance to
exploit these systems, two paths were taken to achieve the same result. The first path
was the creation of a proof of concept device to scan passive RFID tags. The second
was to see if off-the-shelf technology could achieve this same effect.
Proof of Concept - Introducing the Arduino
In order to present proof of concept for capturing RFID, an entire technological
base needed to be determined. What voltage should be used? Should it be portable?
How should the device interface for transmitting RFID data from the capturing
component to a computer? How would the antenna for receiving and/or transmitting
RFID data be designed? Fortunately, these questions are easily answered by a wide
range of single-board microcontroller, breakout board, and attached component kits that
have come out in recent years in the hobbyist sphere. There are too many choices and
configurations for the scope of this discussion, but it should be noted that many
microcontrollers could do everything required by the above questions.
For the project, an Arduino Uno was selected as the microcontroller base. The
Uno could be powered off of multiple sources such as USB, a 9V battery, or a
standard 120V wall plug. It could be portable if required and can connect via USB to a
computer to offload data received from components attached to it. Examples of such
components include breakout boards or stackable attached components commonly
referred to as shields. As for the RFID component, the Adafruit PN532 RFID/NFC shield
was chosen. Firstly, the Adafruit shield operates at the 13.56 MHz frequency; this is the
same frequency that all ISO/IEC 14443 compliant contactless cards operate on, which
happens to be the same exact frequency that MIFARE classic and contactless credit
cards operate on. This frequency is commonly used for Near Field Communications
(NFC). Secondly, the stackable nature of the shield means that it could be paired with
other shields, such as when a GPS shield determines where a card was scanned or a
Wi-Fi card in a static installation clones cards when they pass a predetermined area and
pass that data forward. Thirdly, an integrated antenna allowed for testing without
having to design, construct, and integrate an antenna into a proof of concept. An
example of the workflow can be seen below in Figure 7.
Figure 7: POC Use Case
Building, flashing, and testing the Arduino
Courtesy of the procurement source, the Arduino came pre-assembled. The shield,
too, came pre-assembled. The real problem was getting the two components joined
together. Fortunately, the components were easily soldered together using the techniques
and instructions available on the Adafruit website (Courtesy Adafruit, 2013).
To keep the proof of concept on a non-conductive surface, so that components were not
damaged during the various moving, packing, and unpacking the device might see, it
was mounted onto an acrylic base. The finished result of the soldering and mounting
effort can be seen in Figure 8.
Figure 8: Completed soldering of POC
Now that the device was assembled, and all components powered on when
plugged in, the next step was to program the microcontroller to serve its intended
purpose. One of the key reasons Arduino was chosen for this project was the incredibly
robust Integrated Development Environment (IDE) that is available for it. The
development environment allows the microcontroller on the Arduino to be properly
programmed to our needs. The Adafruit team was even kind enough to provide sample
code for MIFARE classic card reading. Figure 9 displays an example of the IDE, and an
example of the programming language used on the Arduino itself.
Figure 9: Arduino IDE
Since the code was provided via the hobbyist community, the next thing to do
was to upload it to the device. The Arduino has an onboard, flashable ROM that is used
to operate the various components of the device. Once properly written, the code is
compiled into machine language and uploaded via USB onto the device. Once this is
done, the device becomes usable. Figure 10 shows the expected output from a
successful compile and upload to the device.
Figure 10: Compilation and Uploading to Arduino
Once the compilation and uploading of the project to the device are complete,
it is time to test it. The problem with testing is that there is a necessary process
to interface with the Arduino, which turns out to be surprisingly easy. The information
that comes over the Arduino is easily accessible. One option is the IDE's built-in
serial monitor; another is a dedicated serial port logging application in the event of
using Windows as your development environment. Another is using the Linux command
tail in a terminal session to capture data from the relevant serial port. It is
recommended to use something other than the built-in serial monitor, as it lacks the
capacity to save results. Once a monitoring/logging method has been chosen, the
device can be adequately tested. Figure 11 displays results from the Arduino running a
Memory Dump application that seeks to pull all of the relevant data off of a MIFARE
card for later cloning.
Figure 11: Results of MIFARE memdump program
Simplifying the equation - 13.56 MHz Applications on Smartphones
The amazing thing about technology is a constant push for the integration of
devices. The smartphone has become a platform for such integration. The
phone was once a means to communicate verbally. Now it is used for internet access,
photography, basic computing tasks, video games, and, fairly recently, the ability to
read NFC. Google's Android platform was crucial for the implementation of NFC on
smartphones. This was primarily due to the creation of Google Wallet, a digital wallet
that securely stores payment information and allows for NFC-based payments
reminiscent of a standard credit card (Per Google, 2014). What this means to a
dedicated attacker is that instead of having to carry around a laptop with attached
antennas, or weaponized reading devices, an attacker need only use their phone to
skim data from potential targets.
With NFC technology integrated into the smartphone, it stands to reason that
there would be a number of applications that would allow for, at the very least,
interaction with the medium and, at the very most, abuse of those real world systems
that rely on NFC. As it turns out, this is true. Eddie Lee's (2012) NFCProxy was
developed on Android. For the sake of argument, however, the applications that will be
targeted are those freely available on the Google Play store, meaning no special access
is needed to software or hardware components to use them. While there are a rather
large number of applications on the Google Play store that deal with NFC, there
are a few that offer very strong capabilities given the topic at hand.
At a basic level, there are applications that allow for the creation, reading,
updating, and deletion of data within a given RFID tag. Perhaps the most robust is NFC
Tools by Wakdev (2014). The application quickly reads a given tag and determines
some simple information about it. Figures 12 and 13 demonstrate the base read UI of
NFC Tools, and what happens when the application encounters a tag.
Figures 12, 13: NFC Tools UI
While NFC Tools allows a simple hobbyist to explore NFC and perform tasks, such as
an RFID tag automatically opening a site, it does not give the depth required to capture
and clone RFID.
Enter the Mifare Classic Tool (MCT), developed by IKARUS Projects (2014).
MCT is specifically built to capture anything that an interested party might want from a
MIFARE classic card, and effectively replaces the Arduino proof of concept for purposes
of capturing, storing, and cloning those stored elements to other cards. The workflow
for cloning cards is relatively simple, as evidenced in Figures 14 and 15: choose the
read option, and select the option to read the tag.
Figures 14, 15: MCT Card Mapping Workflow
It is in this way that stealing MIFARE classic data (such as that used in the previously
mentioned OV-Chipkaart case) becomes a lot like pickpocketing as opposed to what is
traditionally thought of as a technologically-enabled heist.
Once the data has been successfully scanned, the scan results are displayed on-
screen as raw hexadecimal. No decoding need occur, as a full clone of the data on the
RFID chip has been taken; since there are no authentication mechanisms to stop this, it
is no different from copying a key to a lock. Figures 15 and 16 demonstrate what the
raw hexadecimal output looks like in the application, as well as how the save interface
should appear.
Figures 15, 16: MCT Data Saving
It is through the ability to save the fully dumped MIFARE card that one of the true
exploitive properties of RFID becomes apparent. When a system relies on the RFID
token for subtracting value or to determine the initial status, and the user is able to
create a copy of the token from when it was valid or had a high value, the entire system
becomes broken and worthless.
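The restore-from-dump fraud described above, and the transaction monitoring that caught the EasyCard attacker, both come down to whether the back end keeps its own record of each card. The following is an added example, not code from this paper or from any transit operator: a shadow ledger that treats what the reader saw on the card as a claim to be checked. The event fields, the per-card transaction counter, the verdict names and all sample values are assumptions constructed for illustration.

```python
"""Shadow-ledger reconciliation for a stored-value card (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    uid: str           # card serial reported by the reader
    kind: str          # "topup" or "fare"
    amount: int        # cents, always positive
    seen_balance: int  # balance the reader read from the card before this event
    seen_counter: int  # transaction counter the reader read from the card


class ShadowLedger:
    """Server-side copy of every card's balance and counter (hypothetical design)."""

    def __init__(self):
        self.accounts = {}      # uid -> [balance, counter]
        self.blacklist = set()

    def issue(self, uid, balance=0):
        self.accounts[uid] = [balance, 0]

    def process(self, ev):
        """Check one uploaded reader event and return a verdict string."""
        if ev.uid in self.blacklist:
            return "blocked"
        acct = self.accounts.get(ev.uid)
        if acct is None:
            return "unknown_card"
        balance, counter = acct
        if ev.seen_counter < counter:
            # The card shows a state the server has already moved past:
            # an older image was written back onto it.
            self.blacklist.add(ev.uid)
            return "rollback"
        if ev.seen_counter > counter:
            # Reader uploads are missing or out of order; hold for review.
            return "gap"
        if ev.seen_balance != balance:
            # Counter matches but the value field does not: edited balance.
            self.blacklist.add(ev.uid)
            return "balance_mismatch"
        if ev.kind == "fare":
            if balance < ev.amount:
                return "insufficient_funds"
            acct[0] = balance - ev.amount
        elif ev.kind == "topup":
            acct[0] = balance + ev.amount
        else:
            return "bad_event"
        acct[1] = counter + 1
        return "ok"


def reconcile(ledger, events):
    """Run a batch of reader events through the ledger, in upload order."""
    return [(ev.uid, ledger.process(ev)) for ev in events]


# Constructed sample data: card A is topped up, used twice, then restored from
# a dump taken right after the top-up; card B has its value field edited.
SAMPLE_EVENTS = [
    Event("CARD-A", "topup", 2000, seen_balance=0, seen_counter=0),
    Event("CARD-A", "fare", 300, seen_balance=2000, seen_counter=1),
    Event("CARD-A", "fare", 300, seen_balance=1700, seen_counter=2),
    Event("CARD-A", "fare", 300, seen_balance=2000, seen_counter=1),  # restored dump
    Event("CARD-A", "fare", 300, seen_balance=1700, seen_counter=2),  # after blacklisting
    Event("CARD-B", "topup", 1000, seen_balance=0, seen_counter=0),
    Event("CARD-B", "fare", 250, seen_balance=5000, seen_counter=1),  # edited value
]


def demo():
    ledger = ShadowLedger()
    ledger.issue("CARD-A")
    ledger.issue("CARD-B")
    return reconcile(ledger, SAMPLE_EVENTS), ledger


if __name__ == "__main__":
    for uid, verdict in demo()[0]:
        print(uid, verdict)
```

Detection here is only as fast as the readers upload their events: a validator that reports in batches leaves a restored balance spendable until the next upload, which is the window the paper describes.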
The final step of using MCT to clone a MIFARE card is to transfer the data
copied onto another card, or the same card, but after the card has been used and the
resources tracked have been expended. In order to do this, the Write Tag function of
the software is used; Figures 17 and 18 outline this process, which is fairly similar to the
reading process except for the need to select the cloned data.
Figures 17, 18: MCT Data Writing
It is with this final step that the flaw of RFID without a challenge and response system,
or any authentication/authorization system, becomes apparent. Data is data, and by its
very nature can be copied as many times as desired. One needs only a rudimentary
grasp of the application, not even the technologies behind it, to be able to commit theft
and fraud.
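Why a challenge and response closes the copy-the-data hole described above, as an added example that is not from this paper: a tag whose identity is readable data is compared with a tag that proves knowledge of a key it never reveals. HMAC-SHA256 stands in for a tag-sized cipher, and the class names, the key-derivation label and the sample UID are assumptions made for illustration.

```python
"""Static-data tag vs. challenge-response tag (constructed example)."""
import hashlib
import hmac
import secrets


class StaticTag:
    """All memory is readable, so a full read is a full copy of the credential."""

    def __init__(self, uid, data):
        self.uid, self.data = uid, data

    def read_all(self):
        return {"uid": self.uid, "data": self.data}


def static_reader_accepts(dump, enrolled_uids):
    # The reader can only check that the bytes look right.
    return dump["uid"] in enrolled_uids


class KeyedTag:
    """Holds a per-card key that no read command returns (assumed hardware property)."""

    def __init__(self, uid, card_key):
        self.uid = uid
        self._key = card_key

    def read_all(self):
        return {"uid": self.uid}  # the key is not part of readable memory

    def respond(self, nonce):
        return hmac.new(self._key, nonce + self.uid, hashlib.sha256).digest()


class ReplayTag:
    """What a copy can hold: the readable dump plus one previously observed response."""

    def __init__(self, dump, recorded_response):
        self.uid = dump["uid"]
        self.recorded = recorded_response

    def respond(self, nonce):
        return self.recorded  # no key, so no fresh answer can be computed


class Reader:
    def __init__(self, master_key):
        self.master_key = master_key

    def card_key(self, uid):
        # Per-card key derived from a master key, so one card's key does not
        # expose the others. The label is a made-up constant.
        return hmac.new(self.master_key, b"card-key:" + uid, hashlib.sha256).digest()

    def authenticate(self, tag):
        nonce = secrets.token_bytes(16)  # fresh for every attempt
        expected = hmac.new(self.card_key(tag.uid), nonce + tag.uid,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag.respond(nonce))


def demo():
    uid = b"\x04\xa1\xb2\xc3"  # constructed UID
    # Static scheme: the copied dump is indistinguishable from the original.
    original = StaticTag(uid, b"balance=2000")
    copy = StaticTag(**original.read_all())
    static_ok = static_reader_accepts(copy.read_all(), {uid})

    # Keyed scheme: the genuine tag passes, a replayed response does not.
    reader = Reader(secrets.token_bytes(32))
    genuine = KeyedTag(uid, reader.card_key(uid))
    observed = genuine.respond(secrets.token_bytes(16))  # one earlier exchange
    replay = ReplayTag(genuine.read_all(), observed)
    return {
        "static_copy_accepted": static_ok,
        "genuine_keyed_accepted": reader.authenticate(genuine),
        "replayed_copy_accepted": reader.authenticate(replay),
    }


if __name__ == "__main__":
    print(demo())
```

A fresh nonce defeats copied or replayed data, but not the live relay shown in Figure 6, where the reader's challenge is forwarded to the genuine card and its answer is passed back.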
These sorts of reading or cloning applications need not be restricted to public
transportation cards. Squareless is an application that allows for the reading of the NFC
elements inside credit cards (Stephen, 2011). While the user may have needed some
amount of expertise to navigate MCT, Squareless requires very little by comparison.
The application has two real windows, as evidenced by figures 19 and 20, which come
courtesy of the developer (Stephen, 2011), so as not to reveal any genuine card data.
Figures 19, 20: Squareless UI
While the application itself does not have a direct saving feature, the Android OS allows
for easy screenshots. Once a clean scan of the card is taken, the resulting data can be
saved for later use. Whether it means abusing the one-time CVV from RFID-based
transactions through creating a clone later, or using the data to create an Amazon
account and purchase goods, the application offers up everything on the card. The
ability to change the distance one needs to be to steal from someone is remarkable.
V Summary and Conclusions
There is an abundant amount of evidence that RFID, in its current
implementations across a number of industries, is insecure. In logistics management,
what it provides in convenience of tracking, it takes away in potential for espionage and
operational failure. As a physical token, it has been revealed that RFID offers not only
the ease of cloning, but also allows smart attackers to passively capture new physical
tokens. This effectively allows them to remain anonymous and hard to trace within the
system. As a transactional token, the counter-measures that are currently in place have
substantial weak points that, with a few simple applications that are publicly available,
may be exploited.
As a research and case study of RFID as a transactional token showed, the
focus on cheap technology has not rendered a genuinely bad technology. The protocol
transmitted by a given credit card to a card reader is secure; both the card and the
reader are secure elements. As recalled, the failing is in the aforementioned legacy
infrastructure conflicting with the newer technology. What needs to be understood is
that in having to connect to legacy infrastructures, any hope of security is obliterated.
Without removing or reinforcing the legacy infrastructure, which will be of significant cost
to retailers, the loophole that enables credit card skimming will be available for the
foreseeable future.
Does RFID require re-engineering? In many implementations, that answer is yes
due to the focus many institutions have placed on getting costs of individual tags down
over implementing security measures between the tags and the server. That is not to
say that systems could not be designed with security in mind, using newer tags and
technologies, such as those outlined by Chawla and Robins (2013). The issue comes
down to risk, and the mitigation thereof. It may not be worth it to the business to spend
money securing the entire RFID process. It is in this case that an organization would be
wise to understand the potential failings of the system as-is so that if the system is
compromised, there is a starting point for analysis and possible discovery.
Suggestions for Further Research
RFID as a current platform severely lacks a secure, low-overhead method by
which authentication of individual tags can be made. Great inroads could be made in
devising a system that fixes the current challenges faced by modern stream cipher
implementations such as WG-7, or more traditional, but ultra-lightweight authentication
protocols such as LMAP. A particular challenge would be ensuring the system works
with the EPC Gen 2 standard, which is severely constrained in what it can do,
particularly in terms of space for holding encrypted data of any substantial length.
Further research into the current wave of NFC transactional tokens is another
option. The limits of their protocols and encryption should be tested, and the results
reviewed by the larger community. Kristina Paget (2012), during their Shmoocon talk,
spoke on the relative ease of cloning credit cards using NFC as an attack surface due to
the lack of encryption at the last mile. Should this hole be patched, Paget (2012) also
identified the possibility of the protocol being a point of potential exploits in her report. It
is this analysis, this systemic approach and testing of each link in the chain,
which allows for a protected environment.
References
Antoniewicz, B. (2011). Proxbrute: taking proxcard cloning to the next level. [e-book]
McAfee. http://www.mcafee.com/us/resources/white-papers/foundstone/wp-proxbrute.pdf
[Accessed: 25 Feb 2014].
Avoine, G. & Carpent, X. (2013). Yet another ultralightweight authentication protocol
that is broken. Springer, pp. 20--30.
Bono, S., Green, M., Stubblefield, A., Juels, A., Rubin, A. & Szydlo, M. (2005). Security
analysis of a cryptographically-enabled rfid device. 1 p. 16.
Byers, M., Lofton, A., Vangari-Balraj, A. K. & Thompson, D. R. (2007). Brute force
attack of epcglobal uhf class-1 generation-2 rfid tag. pp. 386--390.
Chothia, T. & Smirnov, V. (2010). A traceability attack against e-passports. Springer, pp.
20--34.
Clary, R. (2012). E-passports spread to half the globe - secureidnews. [online]
Retrieved from: http://secureidnews.com/news-item/e-passports-spread-to-half-the-
globe/ [Accessed: 10 Mar 2014].
De Koning Gans, G., Hoepman, J. & Garcia, F. D. (2008). A practical attack on the
mifare classic. Springer, pp. 267--282.
De Winter, B. (2011). Nieuwste ov-chipkraak maakt zwartrijder onzichtbaar. [online]
Retrieved from: http://webwereld.nl/beveiliging/46076-nieuwste-ov-chipkraak-
maakt-zwartrijder-onzichtbaar [Accessed: 10 Mar 2014].
Duc, D. N., Lee, H. & Kim, K. (2006). Enhancing security of epcglobal gen-2 rfid against
traceability and cloning. Auto-ID Labs Information And Communication University,
White Paper.
Gaudin, S. (2008). Some suppliers gain from failed wal-mart rfid edict. [online] Retrieved
from:
http://www.computerworld.com/s/article/317207/Some_suppliers_gain_from_failed
_Wal_Mart_RFID_edict [Accessed: 15 Mar 2014].
Google.com. (n.p.). Faq google wallet. [online] Retrieved from:
http://www.google.com/wallet/faq.html [Accessed: 10 Mar 2014].
Hern & Ribagorda (2006). "LMAP: A real lightweight mutual authentication protocol for
low-cost RFID tags", p. 6.
Heydt-Benjamin, T. S., Bailey, D. V., Fu, K., Juels, A. & O'Hare, T. (2007).
Vulnerabilities in first-generation rfid-enabled credit cards. Springer, pp. 2--14.
Johnston, C. (2013). Dutch public transportation may be hackable with an android
smartphone. [online] Retrieved from: http://arstechnica.com/security/2013/06/dutch-
public-transportation-may-be-hackable-with-an-android-smartphone/ [Accessed: 10
Mar 2014].
Journal, R. (n.d.). Rfid frequently asked question - rfid journal. [online] Retrieved from:
http://www.rfidjournal.com/faq/show?85 [Accessed: 10 Mar 2014].
Juels, A., Molnar, D. & Wagner, D. (2005). Security and privacy issues in e-passports.
Security And Privacy For Emerging Areas In Communications Networks, pp. 74--
88.
Kasper, T., Silbermann, M. & Paar, C. (2010). All you can eat or breaking a real-world
contactless payment system. Financial Cryptography And Data Security, pp. 343--
350.
Koscher, K., Juels, A., Brajkovic, V. & Kohno, T. (2009). Epc rfid tag security
weaknesses and defenses: passport cards, enhanced drivers licenses, and
beyond. pp. 33--42.
Learn.adafruit.com. (n.d.). Shield wiring | adafruit pn532 rfid/nfc breakout and shield |
adafruit learning system. [online] Retrieved from: http://learn.adafruit.com/adafruit-
pn532-rfid-nfc/shield-wiring [Accessed: 10 Mar 2014].
Lee, E. (2014). Def con 20 - nfc hacking the easy way - eddie lee. [online] Retrieved
from: https://www.youtube.com/watch?v=55vU9imDMZ4 [Accessed: 10 Mar 2014].
Luo, Y., Chai, Q., Gong, G. & Lai, X. (2010). A lightweight stream cipher wg-7 for rfid
encryption and authentication. pp. 1--6.
Malone, M. (2012). Did wal-mart love rfid to death?. [online] Retrieved from:
http://www.smartplanet.com/blog/pure-genius/did-wal-mart-love-rfid-to-death/
[Accessed: 10 Mar 2014].
Martin, Z. (2008). Nohl: nxp making 'terrible decision' - secureidnews. [online] Retrieved
from: http://secureidnews.com/news-item/nohl-nxp-making-terrible-decision/
[Accessed: 10 Mar 2014].
Miri, A., Kirti, C. & Robins, G. (2013). Advanced security and privacy for rfid
technologies. Hershey, PA: Information Science Reference.
Mitrokotsa, A., Rieback, M. R. & Tanenbaum, A. S. (2010). Classification of rfid attacks.
Gen, 15693 p. 14443.
Nitsche, A. (2009). Transponder flexible. [online] Retrieved from:
http://www.123rf.com/photo_6868290_transponder-flexible.html [Accessed: 10 Mar
2014].
Nogueira, M. & Greis, N. (2009). Uses of rfid technology in u.s. identification
documents. Institute For Homeland Security Solutions, Retrieved from:
http://sites.duke.edu/ihss/files/2011/01/Greis_RFIDBrief1.pdf [Accessed: 25 Feb
2014].
Nohl, K. & Plötz, H. (2007). 24c3: mifare. [online] Retrieved from:
http://events.ccc.de/congress/2007/Fahrplan/events/2378.en.html [Accessed: 10
Mar 2014].
Orumiehchiha, M. A., Pieprzyk, J. & Steinfeld, R. (2011). Cryptanalysis of wg-7 (a
lightweight stream cipher for rfid encryption). IACR Cryptology Eprint Archive, 2011
p. 687.
Ov-chipkaart.nl. (n.p.). Ov-chipkaart - strippenkaart weg. [online] Retrieved from:
https://www.ov-chipkaart.nl/nieuws/nieuwsoverzicht/strippenkaart_weg?pagina=5
[Accessed: 10 Mar 2014].
Ov-chipkaart.nl. (n.p.). Ov-chipcard - how does travelling work?. [online] Retrieved from:
https://www.ov-chipkaart.nl/reizen/gebruikovchipkaart/?taal=en [Accessed: 10 Mar
2014].
Paget, C. (2009). Shmoocon 2009 - edl-paget.m4v. [online] Retrieved from:
https://www.youtube.com/watch?v=6xQ-iVvf91w [Accessed: 10 Mar 2014].
Paget, K. (2012). Shmoocon 2012: credit card fraud: the contactless generation. [video
online] Available at: https://www.youtube.com/watch?v=HRXb-FZ6WFM
[Accessed: 25 Feb 2014].
Palmer, W. (2004). Understanding the impact of rfid on retail. Loss Prevention, pp. 42-
48.
Pareja, R. (2009). Schematics and firmwares. [online] Retrieved from:
http://www.t4f.org/projects/open-rfid-tag/schematics-and-firmwares/ [Accessed: 25
Feb 2014].
Peris-Lopez, P., Hernandez-Castro, J. C., Estevez-Tapiador, J. M. & Ribagorda, A.
(2006). Lmap: a real lightweight mutual authentication protocol for low-cost rfid
tags. p. 6.
Play.google.com. (2014). Nfc tools. [online] Retrieved from:
https://play.google.com/store/apps/details?id=com.wakdev.wdnfc [Accessed: 10
Mar 2014].
Play.google.com. (2014). Mifare classic tool - mct. [online] Retrieved from:
https://play.google.com/store/apps/details?id=de.syss.MifareClassicTool
[Accessed: 10 Mar 2014].
Play.google.com. (2011). Squareless. [online] Retrieved from:
https://play.google.com/store/apps/details?id=com.noSquare [Accessed: 10 Mar
2014].
Rieback, M. R., Crispo, B. & Tanenbaum, A. S. (2006). Rfid malware: truth vs. myth.
Security & Privacy, IEEE, 4 (4), pp. 70--72.
Rieback, M. R., Crispo, B., Tanenbaum, A. S. & Others (2006). The evolution of rfid
security. IEEE Pervasive Computing, 5 (1), pp. 62--69.
Rieback, M. R., Simpson, P. N., Crispo, B. & Tanenbaum, A. S. (2006). Rfid malware:
design principles and examples. Pervasive And Mobile Computing, 2 (4), pp. 405--
426.
Robin.tripany.com. (2011). Ov chipkaart hacked, software available @ the linkielist.
[online] Retrieved from: http://robin.tripany.com/blog/hacks/ov-chipkaart-hacked-
software-available/ [Accessed: 10 Mar 2014].
Sachgau, O. (2013). Protect new passport from hackers: expert. [online] Retrieved from:
http://www.winnipegfreepress.com/local/protect-new-passport-from-hackers-expert-
222921521.html [Accessed: 03 Mar 2014].
SIMSON, L., Juels, A. & Pappu, R. (2005). Rfid privacy: an overview of problems and
proposed solutions. IEEE Security & Privacy, 3 (3), pp. 34-43.
Travel.state.gov. (2014). Frequently asked questions. [online] Retrieved from:
http://travel.state.gov/content/passports/english/passports/FAQs.html#ePassport
[Accessed: 10 Mar 2014].
Violino, B. (2003). Wal-mart expands rfid mandate - rfid journal. [online] Retrieved from:
http://www.rfidjournal.com/articles/view?539 [Accessed: 15 Mar 2014].
Welte, H. (2010). Reverse engineering a real-world rfid payment system. [online]
Retrieved from: http://www.madchat.fr/bricolo/RFID/easycard.pdf [Accessed: 10
Mar 2014].
Yan-Chih, M. (2011). Taipei easycard corporation to expand use of cards - taipei times.
[online] Retrieved from:
http://www.taipeitimes.com/News/taiwan/archives/2011/04/08/2003500219
[Accessed: 10 Mar 2014].
Yan-Chih, M. (2011). Young engineer hacked into easycard, police say - taipei times.
[online] Retrieved from:
http://www.taipeitimes.com/News/taiwan/archives/2011/09/28/2003514388
[Accessed: 10 Mar 2014].
Zappone, C. (2007). Rfid backlash gains momentum, from states up - may. 21, 2007.
[online] Retrieved from: http://money.cnn.com/2007/05/21/technology/rfid/index.htm
[Accessed: 10 Mar 2014].
Zhu hun Technlogy Laboratory. (n.d.). Pyramid series wiegand data format. [online]
Retrieved from: http://www.zhlab.cn/technique/T0000006.htm [Accessed: 25 Feb
2014].