could somebody ELI5 the threat vector here? I'm not skeptical, I just don't know what to imagine.
backdoor implies somebody can "get in" to my rfid, but rfid's spend most of their time "off the grid". So when my rfid powers up, does the "host" who powered it up also need to be insecure or on an insecure/compromised net?
then... what capabilities would suddenly become possible; unlocking the door is already unlocked, my credit card is already all ready to spend...
or does it simply allow people passing me on the sidewalk to make a copy of my card?
Most RFID card systems in the world uses MIFARE Classic due to its cost and long history.
MIFARE (not just the Classic family) have a UID (32 bits) and x blocks of encrypted data (12 for Classic). Each block is protected by a A key and a B key.
The earliest card system only uses UID for authentication ie. if the card says the right UID the card passes authentication.
Obviously, anyone can forge a card with said UID, so the latter system start to use the 12 encrypted fields for authentication. The card reader would challenge the card to encrypt the nonce plus stored identification. Only cards with the correct key can respond with the correct encrypted data + nonce.
The authentication uses symmetric encryption. Depending on how the system is setup, A key is used for Read only, Read Write, or A is used for read and B is used for write, or both A/B is need for read write.
The original Mifare Classic uses a proprietary crypto crypto-1. Due to various reasons (eg. weak PRNG, collisions, etc.) , it can be trivial to crack a traditional Mifare Classic key. However there are harden keys that still could not be cracked due to various countermeasures.
The paper seems to found a hardcoded A/B key A396EFA4E24F for a particular brand of RFID cards (I just skimped the paper and its been years since I worked on RFID. I might be wrong on the detail).
> The paper seems to found a hardcoded A/B key A396EFA4E24F for a particular brand of RFID cards (I just skimped the paper and its been years since I worked on RFID. I might be wrong on the detail).
Actually, if I understood the paper well, the same key worked also on older, non-Chinese cards like those produced by NXP. Why, that's a big question.
Would you happen to know of a good reference for this? I have a Proxmark and I'd like to learn how the encryption works so I can play around with (and maybe clone) some of my cards.
These systems usually do mutual authentication, and that's as much a side effect of the cryptographic primitives used as it is an intentional feature:
They're often using symmetric cryptography (even ECC is orders of magnitude more complex than a simple block cipher), and you get mutual authentication "for free" that way, in exchange for having to guard the keys on both the card and the reader to prevent a total compromise.
The idea is that by spending a few minutes with your card, someone can now clone it and impersonate you. Yes, they could already steal your card, but you might notice that. But if you leave it on your desk for a few minutes in your wallet, or IT “borrows” it to re-encode it, or any thousand of other ways to get a hold of your RFID card… it can be dumped, cloned, and you can be impersonated.
In the case of this attack, somewhere between 40s and 30min of physical access, depending on how the card was set up. In the case of a hotel, the spicy card to clone would be the cleaning staff's, which conveniently also admits a reasonable explanation for the card going temporarily missing (e.g. abandon it one corridor over, oops must have dropped it while doing the rounds).
Depending on the specifics of a deployment, I'm guessing you could also use the card secrets to mint new cards that authenticate correctly to facility readers, but contain different information? But I don't know nearly enough about how these cards get used to know how much flexibility you get there.
> But I don't know nearly enough about how these cards get used to know how much flexibility you get there.
A lot of systems still just use the UID.
Physical security/door access control is still completely disconnected from IT security, despite these systems relying on software for the last 20 years. As such, there is generally no knowledge in the buyers of such systems as to the risks and how to test for any vulnerabilities.
I bet systems which rely on the UID only (something even the card manufacturer specifically warns against in their datasheet) are still being sold, and lots are definitely still out there. This is trivial to clone and requires only a single read of the card, no cracking needed because the UID isn’t designed to be private to begin with.
I know only one access system that is built on Mifare and does not use UID, and that thing uses a file on the card as a bitfield of what doors it can open.
Great question; not to my knowledge. There would be many false positives, especially as people bring in guests. Sometimes guests get a temp badge; at many companies, they get a sticker to put on their shirt and get tapped in by their host, who is responsible for them.
Rather than building a SOC to look at logs and flag unbalanced entries or similar (which would be very expensive), companies tend to rely on their employees’ vigilance.
I suppose the expense, and the risk in relying on employees, is gonna be quite relative to the organization and its priorities. I wouldn’t imagine setting up a log monitor with some basic monitoring should be that expensive. As someone above mentioned, it’s kind of odd that these systems are so utterly disconnected to the broader IT protocols in so many places. I use a few different RMM solutions that could almost certainly handle the log collection, analysis, and real-time monitoring with alerts and I don’t think it’d take much time/effort to set up. The most critical point would simply be maintaining healthy access controls and avoiding the potential for new potential vulnerabilities.
> I suppose the expense, and the risk in relying on employees, is gonna be quite relative to the organization and its priorities.
Of course. If you work in a SCIF, you're going to have a very different set of rules and experiences than if you work at LiftMaster, if you know what I mean.
> I use a few different RMM solutions that could almost certainly handle the log collection, analysis, and real-time monitoring with alerts and I don’t think it’d take much time/effort to set up.
Right! But someone's gotta watch it. All day, and all the time. If it's sending alerts, who is it sending them to? The same security guard can't be responsible for both watching security monitors and watching or responding to access log issues.
The expense is in the people and maintenance, not in the initial buildout, as is true for many large enterprise initiatives.
> As someone above mentioned, it’s kind of odd that these systems are so utterly disconnected to the broader IT protocols in so many places.
My greatest realpolitik lesson at uni was being assigned parking in an "odd" building's gated parking lot. It was close to my dorm, but required carrying your permit to them, so they could enter you into their system for access.
Cue realization they weren't connected to the main university parking registry.
Cue my not buying a parking pass (a substantial cost, as this was an urban campus) for the next few semesters... as my prior auth continued to work on the gate.
And why would parking police think to check for unregistered parkers in a gated lot?
(As far as I can remember, I still had access ~2 years after graduation, then they finally cleaned up their DB)
Yes, locking people into buildings (which is what you are doing if you need a key to get out, whether it's an RFID badge or a skeleton key) has been illegal since the Triangle Shirtwaist Factory Fire
As I mentioned in a sibling comment, you don't lock them in, you just set off major alarms and send an armed response if the door ever opens without badge activation. This presupposes some things about the facility and the facility operator, though.
But places that actually take access control seriously do implement bidirectional badging, and just opening the door to leave without badging out will send a group of people bearing guns in your direction right away.
You'd think that, but, as someone who did a phyiscal pentest on a prison recently, that's 1000% not the case.
You can set up your access controllers for anti-passback, but, most folks don't, because companies don't want to pay the costs associated for an 'in' reader and and 'out' reader and implement that level of security.
Well, the costs for the 'in' and 'out' reader are really not the major issue for most companies, as you could conceivably set a particular perimeter that cordons of 'secure' from 'not secure' and would only have to configure anti-passback for that perimeter. The real trick (and therefore problem) is in making sure that people do not walk through doors together, that is, making sure that only a single person passes the perimeter for a single access request. Single-person passages are way more costly than the readers, and have the additional problem of not allowing all that many people to pass per hour. That means that you may even need multiple for a given people flow. And that's leaving aside the convenience issues.
I used to work on such systems in another life, we could setup antipass back for a gate or area. I believe we could also put a temporal restriction but my memory is a bit fuzzy.
I don't think the contention was that the feature or ability doesn't exist, but rather that companies choose not to do it. When you worked on those systems - did you set up anti-passbacks?
Yes, it was in France and related to security, we had to ensure that the area antipass back was working properly, there were several areas where "random" entry was highly prohibited (let's say live shows).
Recently I worked for a bank where they had different types of entry airlocks, it was a bit a pain, especially the multiperson ones.
That would be a terrible user experience. Most places are not diligent about ensuring each employee separately badges past a barrier. Common to hold the door for Bob while he is juggling a coffee. Boom, missed badge swipe and now things are forever imbalanced.
Notably Apple expects each person to badge in. Google does not, and it is pretty easy to follow a group of people in to a building, but you cannot do that at Apple.
Because nobody has ever jumped over one of those or triggered the motion sensor on the other side of those paddle gates or gone around the side or underneath...
I know many companies I worked for in CA and CO did that at least for their parking garage gates but NOT for their building control readers, even though it was the same badge.
backdoor implies somebody can "get in" to my rfid, but rfid's spend most of their time "off the grid". So when my rfid powers up, does the "host" who powered it up also need to be insecure or on an insecure/compromised net?
then... what capabilities would suddenly become possible; unlocking the door is already unlocked, my credit card is already all ready to spend...
or does it simply allow people passing me on the sidewalk to make a copy of my card?