Black Hat 2007 : Day 2 : Adam Laurie
During the first part of his talk, Adam Laurie demonstrated some of his new research on hotel safes, in which he opened a hotel safe using only a paperclip and a multi-tool in under a minute. He had a member of the audience read the marketing hype from the safe manufacturer while he opened the safe and recovered his previously "safe" beer.
His talk was actually about RFID (Radio Frequency IDentification) chips. They are passive chips that are activated by a radio signal. There are two types, smart and dumb: the smart ones have circuitry that processes input and returns a signal, while dumb chips simply respond with a fixed code when lit up with radio frequency. Dumb chips are used in everything from hotel keys to car keys to pet implants. RFID implants are also being placed in humans for military access control, mental patient tracking, and even as a digital wallet for beach-goers.
The point that the manufacturers always drive home is that the chips are unique and can't be duplicated. In actuality, RFID chips can be easily cloned with a device that costs under $20, for which you can get plans and parts here. There are numerous other kits available for cloning RFIDs. The RFID industry's response to the ability to clone chips was that they aren't true clones because they don't have "the same form factor." Laurie took this as a challenge and decided to clone an RFID chip using the same form factor.
He researched RFID tag types and found two that are multi-format configurable and can be loaded with user-selectable data. He happened to have a Q5 reprogrammable tag from the office where he works. Using a simple keyboard wedge he read the ID of the chip he wanted to clone. He then used a program he wrote in Python, called rfidiot, to reprogram the tag with the cloned ID. He demoed the whole thing in about a minute and it worked as designed. Good show.
He then demoed a clone of the animal implant chip, rewriting the chip in his wrist (watch) to the same chip ID. VeriChip uses the same type of chip for identification; the difference is that it uses a 4-digit country code instead of a 3-digit one, and no commercial software can write a 4-digit country code. Luckily Laurie wrote software that can write any code, no matter how long, to the tag, thus defeating the "security" of the VeriChip.
The next part of his talk focused on "smart" RFID cards, most notably those being used in passports, including those from the US and UK. These chips can use a combination of a pseudo-random UID, strong authentication (3DES) and content encryption. So far no countries are using encrypted content, mostly because there is no published standard as of yet.
The key happens to be printed on the passport, which, to me anyway, defeats most of the benefit of having strong authentication. Even if you cannot read the shared key printed inside the front cover, it is still possible to brute-force it, as there is no brute-force prevention built into the passport RFID.
Although cloning the passport is trivial, just a matter of copying the files, modifying the data should not be possible because of the use of a Certificate Authority and public key infrastructure. The possibility of signing the passport with your own key has recently been closed off by a public repository of keys, but this only came out in April, so until then it was possible to modify passports.
The number of systems that are implementing RFID for "secure" purposes is growing every day. Clearly this technology has many vulnerabilities, and major changes are needed to ensure the security of these systems. I'm glad I got a passport last year, and that it doesn't have an RFID chip in it.