Black Hat 2009: Security Gaps in Embedded Systems and the Smart Grid, but not RFID

Contributed by Joanne C. Kelleher

A co-worker sent me an article called Buggy ’smart meters’ open door to power-grid botnet: Grid-burrowing worm only the beginning (Thanks, Henry).

“For an embedded platform, they’re kind of scary,” said Mike Davis, a senior security consultant for IOActive about the buggy software running on meters for the Smart Grid.  “It’s really not designed from the ground up for security. Just imagine if somebody is outside your house and has the unique identifier that’s printed on your meter.”  The vast majority of them use no encryption and ask for no authentication before carrying out sensitive functions such as running software updates and severing customers from the power grid. The vulnerabilities, he said, are ripe for abuse.

Davis is speaking about his hacks into Smart Meters at the Black Hat USA 2009 conference, being held at Caesars Palace, Las Vegas, NV on July 25-30. In looking at the list of speaker briefings there are several talks about the security, or lack thereof, around embedded systems including the smart grid and Advanced Metering Infrastructure (AMI), and smart parking meters. These talks include:

Recoverable Advanced Metering Infrastructure
Mike Davis
Smart Grid. Smart Meters. AMI. Certainly no one has escaped the buzz surrounding this potentially ground-breaking technology. However, equally generating buzz is the heightened threat of attack these technologies provide. Mike Davis and a team of IOActive researchers were able to identify multiple programming errors on a series of Smart Meter platforms ranging from the inappropriate use of banned functions to protocol implementation issues. The team was able to “weaponize” these attack vectors, and create an in-flash rootkit, which allowed them to assume full system control of all exposed Smart Meter capabilities, including remote power on, power off, usage reporting, and communication configurations.
In this presentation, Davis will discuss the broad, yet almost ubiquitous exploits and basic design flaws in today’s Smart Meter and Advanced Metering Infrastructure (AMI) technology. Typical attacker techniques such as buffer overflows, persistent and non-persistent root kits, and even self-propagating malicious software will be illustrated. Davis will even demonstrate a proof-of-concept worm attack and the general reverse engineering techniques used to achieve code execution. To show all is not hopeless, he will also cover the incident response impacts of a possible worm attack scenario. Finally, building upon the analysis of the worm-able attack surface as well as his hardware and software penetration testing research, Davis will suggest inherent design fixes that AMI vendors can implement to greatly mitigate these broad exploits.

Hacking the Smart Grid
Tony Flick
The city of Miami and several commercial partners plan to roll out a “smart grid” citywide electrical infrastructure by the year 2011. This rollout proceeds on the heels of news that foreign agents have infiltrated our existing electrical infrastructure and that recent penetration tests have uncovered numerous vulnerabilities in the proposed technologies. Simultaneously, the National Institute of Standards and Technology (NIST) has recently released a roadmap for producing Smart Grid standards. In this Turbo Talk, I will discuss the flaws with the current guidelines and map them to the criticisms of similar regulatory mandates, including the Payment Card Industry Data Security Standard (PCI DSS), that rely heavily on organizations policing themselves.

Embedded Management Interfaces: Emerging Massive Insecurity
Hristo Bojinov, Dan Boneh, Elie Bursztein
Over the last few years, the number of devices that embed user-friendly management interfaces accessible from the network has drastically increased. These interfaces can be found on almost every kind of device, from lights-out management systems for PCs, to small SOHO NAS appliances, to photo frames.
In this talk, we will cover the attack surface of embedded management interfaces and pinpoint which parts of them are the most likely to be vulnerable, based on our evaluation of more than a dozen device models from different categories. In particular, we will review known yet underestimated implementation shortcuts that lead to vulnerabilities. To illustrate each shortcut, we will describe real-world vulnerabilities that we have found and exploited in devices from Intel, Linksys, Lacie, Samsung, and Dell among others.

“Smart” Parking Meter Implementations, Globalism, and You
Joe Grand, Jacob Appelbaum, Chris Tarnovsky
Throughout the United States, cities are deploying “smart” electronic fare collection infrastructures that have been commonplace in European countries for many years. In 2003, San Francisco launched a $35 million pilot program to replace approximately 23,000 mechanical parking meters with electronic units that boasted tamper resistance, payment via smart card, auditing capabilities, and an estimated $30 million annually in fare collection revenue. Other major cities, including Atlanta, Boston, Chicago, Los Angeles, New York, Philadelphia, Portland, and San Diego, have made similar moves.
In this session, we will present our evaluation of electronic parking meters, including smart card protocol analysis and emulation, silicon die analysis, and firmware reverse engineering, all of which aided in successful breaches.

See all of the speaker briefings for the Black Hat Conference at http://blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html. It was interesting to see that as of 6/22/09, there were zero briefings scheduled about the security issues around RFID. In comparison, Black Hat USA 2008’s RFID topics included Mifare, toll systems and implantable wireless medical devices, but none about the Smart Grid or Smart Meters.

Privacy More Than Security Is In the News

Contributed by Joanne C. Kelleher

I try to contribute to the RFID Security blog every week. Today is Friday and I realized it has been over 2 weeks since my last entry. Why? Recently the news from the RFID industry has been slow and kind of boring (or for some, depressing) while the topic of cybersecurity has been hot.

Here are a few topics that have caught my eye recently:

Susan Lyon wrote a piece for Sustainable Industries called Privacy challenges could stall smart grid. This was the first article I have seen that has addressed the privacy issues around these embedded devices.
http://www.sustainableindustries.com/technology/46274897.html

On 6/1, the Department of Homeland Security expanded its use of electronic passports, enhanced driver’s licenses and other RFID-enabled identification documents at US border crossing points. This is really old news, but privacy concerns about the technology have resurfaced.
http://fcw.com/articles/2009/06/01/dhs-expands-rfid-use-at-borders-today.aspx

A new working group “aims to take a subset of the Air Transport Association’s format for low-memory tags and develop guidelines on using RFID that can be ready by year-end. They will include minimum requirements for data, read range and security, as well as instructions on how to mount tags on parts.” Aircraft manufacturers don’t want to store detailed records on the RFID tags due to concerns “about the complexity of synchronizing the data” with back office systems. But if I were them, I would be concerned about privacy issues too. Do they want competitors or the public reading their aircraft part maintenance records? A properly secured tag would solve this problem.
http://www.aviationweek.com/aw/generic/story_channel.jsp?channel=mro&id=news/RFID6049.xml&headline=Airlines%20Develop%20Guidelines%20For%20RFID%20on%20Parts

John Burnell wrote a nice article for RFID Update which provides an analysis of vendor activity in the smart label market. See Slowing Sales Bring Change to RFID Smart Label Suppliers - http://www.rfidupdate.com/articles/index.php?id=1804. On a related note Zebra is implementing layoffs - http://www.chicagotribune.com/business/chi-biz-zebra,0,4812801.story.

The Chinese government has announced they implanted RFID chips in Manchurian tigers at the King Palace Zoo. This topic isn’t security related, but I questioned why you would need to do this when there are only 3 tigers on the property and 30 Manchurian tigers left in the entire world. Don’t they all have unique markings? “The move is in response to a national campaign launched by the State Forestry Administration last year that called on all zoos to implant digital ID chips in 17 precious species of animals, including tigers, pandas, golden monkeys, cranes and swans.”
http://news.xinhuanet.com/english/2009-05/31/content_11463868.htm

Happy Birthday to the UPC bar code which turns 35 this month, according to an announcement from GS1 US.  When bar code technology was implemented it also triggered privacy concerns.
http://www.businesswire.com/portal/site/google/?ndmViewId=news_view&newsId=20090601005784&newsLang=en

e-Pedigree Implementation Issues

Contributed by Joanne C. Kelleher

Louis Parks, SecureRF’s CEO, wrote an article for PharmaTech.com’s Equipment and Processing Report titled Pharmaceutical Packaging and ePedigree Requirements.

The article includes a list of questions the pharmaceutical industry must answer before it can select and implement an ePedigree solution. Due to space limitations, parts of the article were edited out. Because these are important issues, I wanted to share the full list from the original submission. You are invited to submit your comments about how these should be addressed.

  • As a drug product moves through the supply chain, where will the ePedigree information generated at each ownership transfer be stored: in a central database or in the RFID tag on the product itself?
  • Who would own, manage, maintain, and protect the data in a centralized database of ePedigrees? How would participants in the supply chain access this information securely? What would happen if the database becomes inaccessible? The current consensus is that although a packager starts each record, an industry association or third party would most likely manage the database.
  • If the ePedigree information is stored on the RFID tag, what security will be implemented to protect it from unauthorized readers? Authentication to ensure an authorized access, data encryption, digital signatures, tag anti-counterfeiting and physical security to prevent the tags from being moved should all be considered.
  • Should anyone be allowed to access and use ePedigree information for purposes such as marketing? Should a manufacturer or packager be able to monitor how its drug is distributed? How is consumer privacy affected by ePedigree systems?
  • What scanning equipment or network access will be required at each point in the supply chain, including pharmacies, hospitals, and clinics? How will this affect the shipping, receiving, and distribution processes?
  • How will the costs to establish a system to record and read ePedigree data be shared among members of the pharmaceutical supply chain?

Although there has been lots of discussion about the use of bar codes vs. RFID tags within an e-Pedigree system, we haven’t seen anyone address these other major issues.

Read the rest of the article, originally published on May 20, 2009 at http://pharmtech.findpharma.com/pharmtech/article/articleDetail.jsp?id=598569

Podcast: SecureRF - Embedded Security Solution for RFID - Cryptography, SecureM2M and More

Contributed by Joanne C. Kelleher

Louis Parks, President and CEO of SecureRF, spoke last month with eg3.com about security in the growing world of M2M (machine-to-machine) applications, especially in RFID, the RFID Security Alliance and SecureRF’s new SecureM2M SDK (software development kit) for developers. Anyone interested in embedded wireless, RFID, M2M, and of course security against hacking as well as cryptography would benefit from this podcast.

eg3.com, the oldest and largest web resource devoted to electronic design, specifically embedded systems, real-time, and DSP, posted the podcast this week. View it at http://www.eg3.com/etc-awards/20090512-securerf.htm

Licensing Cryptography In The Smart Card Industry

Contributed by Joanne C. Kelleher

Chris Corum, executive editor at SecureID News, wrote an interesting article about enforcing license agreements for crypto in the Smart Card industry (Monday, May 4, 2009). The article, Smart card vulnerability, license fees and patent law, discusses how Cryptography Research won a legal settlement against Visa and is now collecting licensing fees.

“In 1998 a cryptographer named Paul Kocher, founder of Cryptography Research, figured out that information, such as security keys, could be obtained from certain integrated circuits (ICs) by measuring the chip’s power consumption during processing. At the most basic level, a transistor in a chip uses a different amount of power to process a one than a zero. Using this fundamental idea, Kocher found that it was possible to crack the security of certain chips such as those used in smart cards.”

Cryptography Research advised the chip manufacturers on countermeasures that protect smart card chips from this specific attack, called Differential Power Analysis (DPA). This was done under an NDA with an agreement that licensing fees would be collected once the patent was issued.
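As an added illustration (not part of the original article or of Cryptography Research’s work), the toy simulation below models the one-versus-zero power difference Kocher describes on a 4-bit S-box, shows that correlating power samples with a Hamming-weight prediction singles out the key, and shows why a Boolean-masking countermeasure (one of the standard DPA defenses) removes that first-order correlation. The S-box is the public PRESENT 4-bit S-box; the key, the traces and the noise level are constructed values, not measurements from any real chip.

```python
import random

# PRESENT block cipher's public 4-bit S-box, used here as a toy target
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def hw(x):
    """Hamming weight: the number of 1 bits, the classic model of how much
    power switching transistors draw when a value is handled."""
    return bin(x).count("1")


def simulate_traces(key, n, masked, rng, sigma=0.5):
    """Constructed one-sample power traces for v = SBOX[p ^ key].
    Unmasked: the chip handles v itself, so a sample is HW(v) + noise.
    Masked:   the chip only ever handles v ^ m for a fresh random mask m,
              so a sample is HW(v ^ m) + noise, statistically independent of v."""
    traces = []
    for _ in range(n):
        p = rng.randrange(16)
        v = SBOX[p ^ key]
        m = rng.randrange(16) if masked else 0
        traces.append((p, hw(v ^ m) + rng.gauss(0.0, sigma)))
    return traces


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / ((vx * vy) ** 0.5) if vx and vy else 0.0


def dpa_attack(traces):
    """Correlation-based DPA: for each of the 16 key guesses, predict HW of the
    S-box output from the known plaintext and correlate the prediction with the
    measured samples. Returns (best_guess, best_correlation)."""
    samples = [s for _, s in traces]
    best = (None, -2.0)
    for guess in range(16):
        hyp = [hw(SBOX[p ^ guess]) for p, _ in traces]
        c = pearson(hyp, samples)
        if c > best[1]:
            best = (guess, c)
    return best


def demo(key=0xB, n=500, seed=1):
    """Run the analysis against an unmasked and a masked simulated chip."""
    rng = random.Random(seed)  # seeded so the constructed data is reproducible
    unmasked = dpa_attack(simulate_traces(key, n, False, rng))
    masked = dpa_attack(simulate_traces(key, n, True, rng))
    return unmasked, masked
```

With the unmasked model the correct nibble stands out with a correlation near 0.9, while with masking every guess scores near zero and nothing distinguishes the key.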

Once the patents were issued in 2004 you can guess what happened and why a lawsuit was filed. Read the rest of the details at http://www.secureidnews.com/2009/05/04/smart-card-vulnerability-license-fees-and-patent-law

RFID Security and Privacy Lounge

Contributed by Joanne C. Kelleher

I was recently referred to this scientific web site: 

The RFID Security and Privacy Lounge references technical works related to security and privacy in RFID systems published in journals, conference proceedings, technical reports, theses, eprints, and books. It is maintained and updated roughly monthly by the Université catholique de Louvain’s Information Security Group in Belgium, headed by Gildas Avoine.

I was impressed by the sheer volume of research papers, more than 300, that have been generated on the topic of RFID Security and Privacy. They cover RFID hacking issues as well as potential solutions. Here are some of the recent titles:

  • Privacy Enhancing Technologies for RFID - A Critical Investigation of State of the Art Research.
  • Wirelessly Pickpocketing a Mifare Classic Card.
  • Serialized TID numbers - A headache or a blessing for RFID crackers?
  • How to detect cloned tags in a reliable way from incomplete RFID traces.
  • Security Considerations in the Design and Peering of RFID Discovery Services.
  • Cryptography is Feasible on 4-Bit Microcontrollers - A Proof of Concept.
  • Preserving RFID Data Privacy.
  • ACTION: Breaking the Privacy Barrier for RFID Systems.
  • The Dark Side of Security by Obscurity and Cloning MiFare Classic Rail and Building Passes Anywhere, Anytime.
  • Security analysis of RFID tags.
  • Analysis of the Mifare Classic used in the OV-Chipkaart Project.
  • EPC RFID Tags in Security Applications: Passport Cards, Enhanced Drivers Licenses, and Beyond.

You can sign up for a newsletter that announces calls for papers and notifies when the list is updated.

RFID Hacking Videos

Contributed by Joanne C. Kelleher

While talking to people about SecureRF’s security methods - which are small enough to secure RFID tags, microcontrollers, embedded systems or other low resource devices - we still run into people who don’t understand why this is important. They don’t know how easy it can be for someone with the right skill set to hack an unsecured RFID tag.
Here is a collection of YouTube videos that show hackers at work.

Speed Pass Hacked
Originally on 20/20, posted June 20, 2006
RFID tags in Exxon Mobil Speed Pass can be read and duplicated.
http://www.youtube.com/watch?v=Tb4DgGm6JJw

RFID Security: Oh God No
From Kiro7 Eyewitness News in Seattle, May 12, 2006
Johns Hopkins researchers start a car without its RFID-enabled key and skim RFID credit card info.
http://www.youtube.com/watch?v=eU79c7kA_eA  

Cloning RFID Tags in Sacramento
From ABC7News in CA. Posted August 12, 2006
Jonathan Westhues, RFID hacker extraordinaire, demonstrates cloning of RFID tags used for building access at the California state Capitol.
http://www.youtube.com/watch?v=4jpRFgDPWVA

Mifare Hack
DigitalSecurityRUN, March 12, 2008
Security flaw in Mifare Classic RFID applications exposed. See http://www.ru.nl/ds/research/rfid/ for more information, including the paper “Dismantling MIFARE Classic” with all details.
http://www.youtube.com/watch?v=NW3RGbQTLhE

How to hack RFID-enabled Credit Cards for $8 (BBtv)
From boingboingtv, March 19, 2008
IT security expert, hacker and inventor Pablos Holman shows reporter Xeni Jardin of Boing Boing tv, how you can use gear bought on eBay to read personal data such as cardholder name and credit card number from an RFID enabled American Express credit card. 
http://www.youtube.com/watch?v=vmajlKJlT3U

This RFID Security blog has several additional entries about these and other RFID hacks - http://www.securerf.com/RFID-Security-blog/?cat=28

If you have any suggestions about other videos related to hacking RFID tags or embedded systems, please add them to the comments section.