RFID reader denial of service


While in Vancouver, Canada for CanSecWest we had a chance to catch up with [Marc]. He showed off a very simple Denial-of-Service attack that works for most commercial RFID reader systems. He worked out this physical DoS with [Adam Laurie], whose RFID work we featured last year.

Comments

  1. happy gilmore says:

    that’s a hack? not really. he’s taped a non-valid rfid key to a reader. wow. NEXT!

  2. DarkFader says:

    You can use this hack to lure out the security/tech ppl so you can access their place.
    Another fun idea is to put a (strong) transmitter behind the door that is to be opened.

  3. halld says:

    I’ve known about this for the last 8 years. This isn’t a hack. The reader can only intake one rfid signature at a time (at least this proximity reader used commonly for door access). More than one (crosstalk) results in it doing nothing. Remove one and it reads the other.

    This is a prank at best.

  4. Liam says:

    I think it’s a hack, screw you man!

  5. Tom says:

    Scraping the bottom of the barrel now, are we? I can’t believe the guy actually put together a whole setup to demonstrate this. The fact that RFID readers can’t detect multiple devices is a current limitation of the technology and extremely well known.

    This is like putting a piece of black tape over a barcode reader and calling it a DoS.

  6. pascal says:

    i thought there were some systems that could cope with multiple tags in the readers range (like warehouses would use, drive a truck through the reader and know the tag of every item in it)? it might require some intelligence on the tag though (ie listening to other tags, waiting random amount of time, then sending etc)

    but wouldn’t an antenna with a strong resistor suffice to “suck the energy” out of the field produced by the reader, so there won’t be enough left to power legitimate tags? or, like when attacking ATM machines, simply add another case on top of the reader, made of lead :D

  7. HaDAk says:

    So, how can you use this to negate the RFID chip in your passport?

  8. digitalfx says:

    This has been a well known problem with HID and most other readers for years. People run into the same problem when they carry two badges next to each other and wonder why they can’t open a door. If he was smart he would have popped off the cover (which is not fastened in any way, not even by screws on the ProxPro II) and taped or set it inside the reader housing. This way it wouldn’t be noticed at all.

  9. Ian says:

    Actually, most 13.56MHz RFID systems *can* read multiple tags in the field. This characteristic is probably not used in this system because:
    - It could be 125kHz (I don’t know)
    - It takes a whole lot more effort to implement
    - In an access control situation, you don’t want to open the door when there are two tags in the field and one is set to ‘deny’.

    You could also take a hammer to the reader. Same effect, less effort.

  10. Ian says:

    Re. 8: put another similar chip in the RF field of the reader. Or just hit your passport with a hammer. See all of those things that it says NOT to do? Do them.

  11. Ed says:

    hadak: sure, it’s easy: just get a fake rfid passport, get into the customs officer’s booth and tape the fake rfid passport under the officer’s passport reader. Of course you’ll get arrested, and if by miracle you manage to do this somehow, you won’t get through customs since your RFID passport will be detected as broken. Wow, what a hack! :-)

  12. JoeyVee says:

    Interesting Topic

  13. Harvie says:

    Nice. Thinking about replacing the coil with a bigger one. That may enable you DOSing from bigger distance…

  14. McDave says:

    Booring…This ‘hack’ happens to me most days that I travel on the London underground. The useless readers on the station gates can’t distinguish between my Oyster card and my university ID/smart card, both of which are in my wallet. The gates beep at me with error codes flashing up. Can’t be bothered to separate the cards though as it usually works on the second try.

  15. Heath Jones says:

    Would be cool if you could actually use the energy in the field to power/charge something. Has anyone seen buffer overflow attacks or similar for these devices? I’m guessing the signature / hash that is sent back from the tag is of a fixed length though.

    H

  16. simple says:

    that’s really simple and woah not worth all that attention…

  17. Annon says:

    A good DoS on old fashion barcodes involves a UV marker and a bit of time – go to your friendly local grocer’s with your UV pen, and put a vertical slash through each of the barcodes – Invisible to the naked eye, but plenty visible to the scanners. If you want to step it up and have a multiple vector DDoS – get a few mates to help you out. :P
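
The multi-tag behaviour raised in comments 6 and 9, as an added example that is not part of the original post or any commenter's code: a simplified framed slotted ALOHA model (not any specific standard's protocol) beside a reader with no anti-collision, plus a fail-closed door policy that reports a foreign tag left in the field. Tag names, the slot count and the `decide` policy are assumptions for illustration.

```python
import random

def single_tag_read(tags_in_field):
    """Reader without anti-collision: overlapping replies are unreadable."""
    return tags_in_field[0] if len(tags_in_field) == 1 else None

def inventory(tags_in_field, slots=4, max_rounds=32, rng=None):
    """Framed slotted ALOHA: every unread tag replies in a random slot.
    A slot with exactly one reply is decoded; collided tags retry next round.
    Assumes tag identifiers are unique."""
    rng = rng or random.Random(0)          # fixed seed keeps the demo repeatable
    pending, seen = list(tags_in_field), []
    for _ in range(max_rounds):
        if not pending:
            break
        frame = {}
        for tag in pending:
            frame.setdefault(rng.randrange(slots), []).append(tag)
        for replies in frame.values():
            if len(replies) == 1:          # clean slot, tag is identified
                seen.append(replies[0])
                pending.remove(replies[0])
    return seen, pending                   # pending non-empty => unresolved

def decide(tags_in_field, allowed, **kw):
    """Fail closed: grant only if every tag in the field was read and is
    on the allow list. Foreign tags are returned so they can be alerted on."""
    seen, unresolved = inventory(tags_in_field, **kw)
    foreign = sorted(t for t in seen if t not in allowed)
    if unresolved or foreign or not seen:
        return "deny", foreign
    return "grant", foreign

if __name__ == "__main__":
    ALLOWED = {"badge-1"}                  # constructed sample data
    field = ["badge-1", "taped-tag"]       # constructed: extra tag on the reader
    print("no anti-collision:", single_tag_read(field))
    print("with inventory:   ", inventory(field))
    print("door decision:    ", decide(field, ALLOWED))
```

The door stays shut in both designs, but the inventorying reader can name the foreign tag, which turns a silent failure into something a monitoring system can alert on.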
