While in Vancouver, Canada for CanSecWest we had a chance to catch up with [Marc]. He showed off a very simple Denial-of-Service attack that works for most commercial RFID reader systems. He worked out this physical DoS with [Adam Laurie], whose RFID work we featured last year.
17 thoughts on “RFID Reader Denial Of Service”
that’s a hack? not really. he’s taped a non-valid rfid key to a reader. wow. NEXT!
You can use this hack to lure out the security/tech ppl so you can access their place.
Another fun idea is to put a (strong) transmitter behind the door that is to be opened.
I’ve known about this for the last 8 years. This isn’t a hack. The reader can only intake one rfid signature at a time (at least this proximity reader used commonly for door access). More than one (crosstalk) results in it doing nothing. Remove one and it reads the other.
This is a prank at best.
I think it’s a hack, screw you man!
Scraping the bottom of the barrel now, are we? I can’t believe the guy actually put together a whole setup to demonstrate this. The fact that RFID readers can’t detect multiple devices is a current limitation of the technology and extremely well known.
This is like putting a piece of black tape over a barcode reader and calling it a DoS.
i thought there were some systems that could cope with multiple tags in the reader’s range (like warehouses would use, drive a truck through the reader and know the tag of every item in it)? it might require some intelligence on the tag though (ie listening to other tags, waiting random amount of time, then sending etc)
but wouldn’t an antenna with a strong resistor suffice to “suck the energy” out of the field produced by the reader, so there won’t be enough left to power legitimate tags? or, like when attacking ATM machines, simply add another case on top of the reader, made of lead :D
So, how can you use this to negate the RFID chip in your passport?
This has been a well-known problem with HID and most other readers for years. People run into the same problem when they carry two badges next to each other and wonder why they can’t open a door. If he was smart he would have popped off the cover (which is not fastened in any way, not even by screws on the ProxPro II) and taped or set it inside the reader housing. This way it wouldn’t be noticed at all.
Actually, most 13.56MHz RFID systems *can* read multiple tags in the field. This characteristic is probably not used in this system because:
– It could be 125kHz (I don’t know)
– It takes a whole lot more effort to implement
– In an access control situation, you don’t want to open the door when there are two tags in the field and one is set to ‘deny’.
You could also take a hammer to the reader. Same effect, less effort.
Re. 8: put another similar chip in the RF field of the reader. Or just hit your passport with a hammer. See all of those things that it says NOT to do? Do them.
hadak: sure, it’s easy: just get a fake rfid passport, get into the customs officer’s booth and tape the fake rfid passport under the officer’s passport reader. Of course you’ll get arrested, and if by miracle you manage to do this somehow, you won’t get through customs since your RFID passport will be detected as broken. Wow, what a hack! :-)
Interesting Topic
Nice. Thinking about replacing the coil with a bigger one. That may enable you DOSing from bigger distance…
Booring…This ‘hack’ happens to me most days that I travel on the London underground. The useless readers on the station gates can’t distinguish between my Oyster card and my university ID/smart card, both of which are in my wallet. The gates beep at me with error codes flashing up. Can’t be bothered to separate the cards though as it usually works on the second try.
Would be cool if you could actually use the energy in the field to power/charge something. Has anyone seen buffer overflow attacks or similar for these devices? I’m guessing the signature / hash that is sent back from the tag is of a fixed length though.
H
that’s really simple and woah not worth all that attention…
A good DoS on old-fashioned barcodes involves a UV marker and a bit of time – go to your friendly local grocer’s with your UV pen, and put a vertical slash through each of the barcodes – Invisible to the naked eye, but plenty visible to the scanners. If you want to step it up and have a multiple vector DDoS – get a few mates to help you out. :P