Pentesting RFID
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Radio Frequency Identification (RFID) is the most popular short-range radio solution. It's usually used to store and transmit information that identifies an entity.
An RFID tag can rely on its own power source (active), such as an embedded battery, or receive its power from the reading antenna using the current induced from the received radio waves (passive).
EPCglobal divides RFID tags into six categories. A tag in each category has all the capabilities listed in the previous category, making it backward compatible.
Class 0 tags are passive tags that operate in UHF bands. The vendor preprograms them at the production factory. As a result, you can’t change the information stored in their memory.
Class 1 tags can also operate in HF bands. In addition, they can be written only once after production. Many Class 1 tags can also process cyclic redundancy checks (CRCs) of the commands they receive. CRCs are a few extra bytes at the end of the commands for error detection.
Class 2 tags can be written multiple times.
Class 3 tags can contain embedded sensors that can record environmental parameters, such as the current temperature or the tag’s motion. These tags are semi-passive, because although they have an embedded power source, such as an integrated battery, they can’t initiate wireless communication with other tags or readers.
Class 4 tags can initiate communication with other tags of the same class, making them active tags.
Class 5 tags can provide power to other tags and communicate with all the previous tag classes. Class 5 tags can act as RFID readers.
An RFID tag’s memory usually stores four kinds of data: the identification data, which identifies the entity to which the tag is attached (this data includes user-defined fields, such as bank accounts); the supplementary data, which provides further details regarding the entity; the control data, used for the tag’s internal configuration; and the tag’s manufacturer data, which contains a tag’s Unique Identifier (UID) and details regarding the tag’s production, type, and vendor. You’ll find the first two kinds of data in all the commercial tags; the last two can differ based on the tag’s vendor.
The ISO standard specifies the Application Family Identifier (AFI) value, a code that indicates the kind of object the tag belongs to. Another important register, also specified by ISO, is the Data Storage Format Identifier(DSFID), which defines the logical organization of the user data.
Most RFID security controls have mechanisms that restrict the read or write operations on each user memory block and on the special registers containing the AFI and DSFID values. These lock mechanisms use data stored in the control memory and have default passwords preconfigured by the vendor but allow the tag owners to configure custom passwords.
Low-frequency tags are often used in systems that do not require high security: building access, intercom keys, gym membership cards, etc. Due to their higher range, they are convenient to use for paid car parking: the driver does not need to bring the card close to the reader, as it is triggered from further away. At the same time, low-frequency tags are very primitive, they have a low data transfer rate. For that reason, it's impossible to implement complex two-way data transfer for such things as keeping balance and cryptography. Low-frequency tags only transmit their short ID without any means of authentication.
These devices rely on passive RFID technology and operate in a range of 30 kHz to 300 kHz, although it's more usual to use 125 kHz to 134 kHz:
Long Range — lower frequency translates to higher range. There are some EM-Marin and HID readers, which work from a distance of up to a meter. These are often used in car parking.
Primitive protocol — due to the low data transfer rate these tags can only transmit their short ID. In most cases, data is not authenticated and it's not protected in any way. As soon as the card is in the range of the reader it just starts transmitting its ID.
Low security — These cards can be easily copied, or even read from somebody else's pocket due to the protocol's primitiveness.
Popular 125 kHz protocols:
EM-Marin — EM4100, EM4102. The most popular protocol in CIS. Can be read from about a meter because of its simplicity and stability.
HID Prox II — low-frequency protocol introduced by HID Global. This protocol is more popular in the western countries. It is more complex and the cards and readers for this protocol are relatively expensive.
Indala — very old low-frequency protocol that was introduced by Motorola, and later acquired by HID. You are less likely to encounter it in the wild compared to the previous two because it is falling out of use.
In reality, there are a lot more low-frequency protocols. But they all use the same modulation on the physical layer and may be considered, in one way or another, a variation of those listed above.
You can attack these Tags with the Flipper Zero:
FZ - 125kHz RFIDHigh-frequency tags are used for a more complex reader-tag interaction when you need cryptography, a large two-way data transfer, authentication, etc. It's usually found in bank cards, public transport, and other secure passes.
High-frequency 13.56 MHz tags are a set of standards and protocols. They are usually referred to as NFC, but that's not always correct. The basic protocol set used on the physical and logical levels is ISO 14443. High-level protocols, as well as alternative standards (like ISO 19092), are based upon it. Many people refer to this technology as Near Field Communication (NFC), a term for devices operating over the 13.56 MHz frequency.
To put it simply, NFC's architecture works like this: the transmission protocol is chosen by the company making the cards and implemented based on the low-level ISO 14443. For example, NXP invented its own high-level transmission protocol called Mifare. But on the lower level, Mifare cards are based on ISO 14443-A standard.
Flipper can interact with both the low-level ISO 14443 protocol, as well as Mifare Ultralight data transfer protocol and EMV used in bank cards. We're working on adding support for Mifare Classic and NFC NDEF. A thorough look at the protocols and standards that make up NFC is worth a separate article which we plan to have up later.
All high-frequency cards based on ISO 14443-A standard have a unique chip ID. It acts as the card's serial number, like a network card's MAC address. Usually, the UID is 4 or 7 bytes long, but can rarely go up to 10. UIDs are not a secret and they are easily readable, sometimes even printed on the card itself.
There are many access control systems that rely on UID to authenticate and grant access. Sometimes this happens even when RFID tags support cryptography. Such misuse brings them down to the level of the dumb 125 kHz cards in terms of security. Virtual cards (like Apple Pay) use a dynamic UID so that phone owners won't go opening doors with their payment app.
Low range — high-frequency cards are specifically designed so that they would have to be placed close to the reader. This also helps to protect the card from unauthorized interactions. The maximum read range that we managed to achieve was about 15 cm, and that was with custom-made high-range readers.
Advanced protocols — data transfer speeds up to 424 kbps allow complex protocols with full-fledged two-way data transfer. Which in turn allows cryptography, data transfer, etc.
High security — high-frequency contactless cards are in no way inferior to smart cards. There are cards that support cryptographically strong algorithms like AES and implement asymmetrical cryptography.
You can attack these Tags with the Flipper Zero:
FZ - NFCOr using the proxmark:
Proxmark 3Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)