RFID Cards and Man-in-the-Middle Attacks
Recent articles about a proposed US-Canada and US-Mexico travel document (kind of like a passport, but less useful), with an embedded RFID chip that can be read up to 25 feet away, have once again made RFID security newsworthy.
My views have not changed. The most secure solution is a smart card that only works in contact with a reader; RFID is much more risky. But if we're stuck with RFID, the combination of shielding for the chip, basic access control security measures, and some positive action by the user to get the chip to operate is a good one. The devil is in the details, of course, but those are good starting points.
And when you start proposing chips with a 25-foot read range, you need to worry about man-in-the-middle attacks. An attacker could potentially impersonate the card of a nearby person to an official reader, just by relaying messages to and from that nearby person's card.
Here's how the attack would work. In this scenario, customs Agent Alice has the official card reader. Bob is the innocent traveler, in line at some border crossing. Mallory is the malicious attacker, ahead of Bob in line at the same border crossing, who is going to impersonate Bob to Alice. Mallory's equipment includes an RFID reader and transmitter.
Assume that the card has to be activated in some way. Maybe the cover has to be opened, or the card taken out of a sleeve. Maybe the card has a button to push in order to activate it. Also assume the card has some challenge-response security protocol and an encrypted key exchange protocol of some sort.
- Alice's reader sends a message to Mallory's RFID chip.
- Mallory's reader/transmitter receives the message, and rebroadcasts it to Bob's chip.
- Bob's chip responds normally to a valid message from Alice's reader. He has no way of knowing that Mallory relayed the message.
- Mallory's reader/transmitter receives Bob's message and rebroadcasts it to Alice. Alice has no way of knowing that the message was relayed.
- Mallory continues to relay messages back and forth between Alice and Bob.
Defending against this attack is hard. (I talk more about the attack in Applied Cryptography, Second Edition, page 109.) Time stamps don't help. Encryption doesn't help. It works because Mallory is simply acting as a relay, an amplifier in effect. Mallory might not be able to read the messages. He might not even know who Bob is. But he doesn't care. All he knows is that Alice thinks he's Bob.
Precise timing can catch this attack, because of the extra delay that Mallory's relay introduces; this is the idea behind distance-bounding protocols. But I don't think this is part of the spec.
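The relay steps above, and the timing check that follows them, as an added simulation (this is illustrative code written for this page, not anything from the proposed PASS card or from Applied Cryptography). The card protocol, the 16-byte holder IDs, the HMAC-SHA256 response and all microsecond figures are assumptions chosen for the example; the point is only that a relay forwards a correct response without knowing Bob's key, and that the extra hops show up as round-trip delay.

```python
"""Relay (man-in-the-middle) attack on a challenge-response RFID card,
plus the round-trip-time check that catches it.

Constructed simulation: the protocol and every timing figure below are
made up for illustration, not measured from any real card or reader."""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

# Constructed timing model, in microseconds.  Real numbers depend on the
# air interface and chip; only the relative cost of the extra hops matters.
AIR_HOP_US = 5          # one radio hop (reader<->card or reader<->relay)
CARD_COMPUTE_US = 40    # card computes its response
RELAY_COMPUTE_US = 30   # Mallory's device receives, decodes and re-sends

# A channel takes the reader's challenge and returns (reply bytes, simulated
# round-trip time).  The reader never sees what is behind the channel.
Channel = Callable[[bytes], Tuple[bytes, int]]


class Card:
    """Bob's card: answers any well-formed challenge with its ID plus
    HMAC(key, id || challenge).  It cannot tell Alice's reader from Mallory's."""

    def __init__(self, holder_id: bytes, key: bytes) -> None:
        assert len(holder_id) == 16, "example assumes fixed 16-byte IDs"
        self.holder_id = holder_id
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        mac = hmac.new(self.key, self.holder_id + challenge, hashlib.sha256).digest()
        return self.holder_id + mac   # 16-byte ID followed by 32-byte MAC


def direct_link(card: Card) -> Channel:
    """Honest path: reader -> card -> reader."""
    def channel(challenge: bytes) -> Tuple[bytes, int]:
        return card.respond(challenge), 2 * AIR_HOP_US + CARD_COMPUTE_US
    return channel


def relay_link(victim: Card) -> Channel:
    """Mallory's path: reader -> Mallory -> Bob's card -> Mallory -> reader.
    Mallory forwards the bytes verbatim; he never needs Bob's key and never
    needs to understand the messages."""
    def channel(challenge: bytes) -> Tuple[bytes, int]:
        reply, inner_rtt = direct_link(victim)(challenge)
        # Two extra air hops and two relay turnarounds on top of the honest path.
        return reply, inner_rtt + 2 * AIR_HOP_US + 2 * RELAY_COMPUTE_US
    return channel


class Reader:
    """Alice's reader.  max_rtt_us=None models a spec with no timing check;
    a bound just above the honest round trip models distance bounding."""

    def __init__(self, key_db: Dict[bytes, bytes], max_rtt_us: Optional[int] = None) -> None:
        self.key_db = key_db
        self.max_rtt_us = max_rtt_us

    def authenticate(self, channel: Channel) -> Tuple[Optional[bytes], str]:
        challenge = os.urandom(16)               # fresh nonce per session
        reply, rtt_us = channel(challenge)
        holder_id, mac = reply[:16], reply[16:]
        key = self.key_db.get(holder_id)
        if key is None:
            return None, "unknown card"
        expected = hmac.new(key, holder_id + challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return None, "bad response"
        if self.max_rtt_us is not None and rtt_us > self.max_rtt_us:
            return None, f"round trip {rtt_us}us exceeds bound {self.max_rtt_us}us"
        return holder_id, "accepted"


def demo() -> Dict[str, Tuple[Optional[bytes], str]]:
    """Run the four cases: honest and relayed, with and without a timing bound."""
    bob_id, bob_key = b"BOB-PASS-0000001", os.urandom(32)   # constructed identity
    bob = Card(bob_id, bob_key)
    no_timing = Reader({bob_id: bob_key})
    honest_rtt = 2 * AIR_HOP_US + CARD_COMPUTE_US
    with_timing = Reader({bob_id: bob_key}, max_rtt_us=honest_rtt + 5)
    return {
        "honest": no_timing.authenticate(direct_link(bob)),
        "relayed": no_timing.authenticate(relay_link(bob)),      # accepted: Mallory passes as Bob
        "honest_timed": with_timing.authenticate(direct_link(bob)),
        "relayed_timed": with_timing.authenticate(relay_link(bob)),  # rejected on delay
    }


if __name__ == "__main__":
    for case, (who, why) in demo().items():
        print(f"{case:14s} -> {who!r}: {why}")
```

The MAC alone never distinguishes the relayed case from the honest one; only the round-trip bound does. Two caveats a real implementation runs into: radio travels roughly a foot per nanosecond, so a bound tight enough to rule out a relay a few feet away needs nanosecond-resolution timing at the physical layer, not the microsecond-scale model used here; and the card's own compute time (CARD_COMPUTE_US above) has to be made constant and small, because any variance in it is slack that a relay can hide inside. That is exactly why distance-bounding protocols use rapid single-bit exchanges rather than timing a full MAC computation.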
The attack can be easily countered if Alice looks at Mallory's card and compares the information printed on it with what she's receiving over the RFID link. But as near as I can tell, the point of the 25-foot read distance is so cards can be authenticated in bulk, from a distance.
From the News.com article:
Homeland Security has said, in a government procurement notice posted in September, that "read ranges shall extend to a minimum of 25 feet" in RFID-equipped identification cards used for border crossings. For people crossing on a bus, the proposal says, "the solution must sense up to 55 tokens."
If Mallory is on that bus, he can impersonate any nearby Bob who activates his RFID card early. And at a crowded border crossing, the odds of some Bob doing that are pretty good.
More detail here:
If that were done, the PASS system would automatically screen the cardbearers against criminal watch lists and put the information on the border guard's screen by the time the vehicle got to the station, Williams said.
And would predispose the guard to think that everything's okay, even if it isn't.
I don't think people are thinking this one through.
Posted on April 25, 2006 at 7:32 AM • 58 Comments