
IP Note: Long-Range Radio Frequency Identification Hacking

January 31, 2014, 1300 EST

SCOPE

The Department of Homeland Security’s Integrated Analysis Task Force/Homeland Infrastructure Threat and Risk Analysis Center (DHS/IATF/HITRAC) produces Infrastructure Protection (IP) Notes to address issues affecting the infrastructure protection community.

This IP Note provides awareness of an emerging threat known as Long-Range Radio Frequency Identification (RFID) hacking. RFID technology is widely deployed globally and commonly used in building access cards as part of security control systems. Multiple critical infrastructure sectors, including Government and Commercial Facilities, use RFID-enabled security technology.

This IP Note utilizes reporting from open sources, the U.S. Department of State, the National Institute of Standards and Technology, the DHS Intelligence and Analysis Counter Intelligence Programs Division and the DHS Office of the Chief Security Officer’s Identity Management Division.

KEY FINDINGS

RFID technology is widely deployed globally and commonly used for security management and access control. This specific use of RFID technology is often found in building access cards and identification cards.

New long-range RFID hacking devices transform previously impractical attacks on RFID technology into effective covert means for collecting RFID tag data.

Compromise of RFID tag data could have serious security implications for multiple critical sectors, including the Government and Commercial Facilities Sectors.

Many RFID technologies have little or no security, such as encryption, behind them, thereby making interception of RFID tag information relatively simple.

Protective measures, such as radio-frequency blocking sleeves for RFID-enabled identification cards, are recommended to maintain the integrity of security systems.


BACKGROUND

RFID technology uses radio-frequency electromagnetic fields to transfer data between an RFID tag and a reader device. An RFID tag consists of an integrated circuit and antenna contained in a protective material that holds the components together and shields them from environmental conditions. A reader device converts the radio-frequency waves from the tag to a more usable form of data, and transfers the data through a communications interface to a host computer system, where the data can be stored in a database and analyzed to enable functions such as location tracking or identity authentication.

RFID tags are manufactured in a variety of shapes and sizes and are either passive or active. Passive tags, the most widely used, receive power from the reader via electromagnetic emissions before they can transmit data. Passive tags need only to be within a very short distance of a reader to authenticate the card. Active RFID tags have an embedded power source enabling them to transmit data at all times.

RFID technology is employed by many sectors to perform such functions as:

Inventory Management

Asset Tracking

Personnel Tracking

Controlling access to restricted areas

ID badging

Supply-chain management

Counterfeit protection

RFID tags are widely used in identification badges, such as the badges issued by many government agencies, replacing earlier magnetic stripe cards. The data held in these RFID tags can contain sensitive personal information about the badge holder and authentication information that enables access to secure buildings and spaces.

THREAT

The possibility of reading RFID tags on identification badges and similar devices without the holder’s consent (RFID hacking) raises security concerns, especially when a badge or device is utilized as part of a security management system. While the theft of RFID data is not new, long-range hacking technology transforms a previously impractical attack into an effective covert attack.[1] Historically, RFID hacking tools were required to be within centimeters of a target to work properly; new modified RFID readers can capture data from 125 kHz low frequency RFID badges from up to 3 feet away. This new device fits inside a backpack and enables an attacker to covertly capture RFID tag data without the need for close proximity to the reader. In a “target-rich” environment (e.g., a Metro platform, or bus stop), a hacker can passively capture data from anyone walking close enough to a hacking tool. Testing and demonstrations of this new device have shown it to be a viable exploitation method.[2] Because long range RFID hacking techniques capture data to a database, the compromised information can be stored for later exploitation, brute force decryption, or passed on to other individuals.

[1] (U) Open Source; Pub Date: 9 July 2013; DOI: 9 July 2013; Title: Emergency Alert System Vulnerable to Hackers, Report Finds; Class: Unclassified; Src Desc: http://www.pcmag.com/article2/0,2817,2421503,00.asp.

The prolific use of RFID technology in security systems by the government and private sector partners presents significant challenges to security personnel. Security professionals within the government and private sector must balance convenience and cost against security concerns when considering vulnerabilities and mitigation factors.

VULNERABILITY

Commercial RFID-enabled systems often have little or no security, such as encryption, behind them, making successful long-range hacking techniques relatively simple. Demonstrations have shown that attacks are capable of capturing card data, transferring that data onto a new card, and using the new card to gain access to a secured facility.[3] This vulnerability directly affects sector partners, due to the prolific use of RFID tags as a physical security measure at various facilities.

Government-issued RFID cards utilize mitigation strategies making them more difficult to hack. Electronic passports utilize radio frequency blocking material in their cover, as well as basic access control encryption to authenticate readers prior to the release of data.[4] Although harder to hack, government-issued RFID cards are not immune to compromise. Forty-eight hours after the United Kingdom issued their version of the RFID passport, hackers were able to crack the encryption on the passport and exploit the data.[5]

CONSEQUENCES

The cost to implement security measures to protect RFID technology-enabled systems is the greatest consequence of this long-range hacking threat.

The demand for digital inventory tracking and personal identification systems will likely expand the annual market for RFIDs from $2.7 billion, in 2006, to as much as $26 billion by 2016.[6] Most commercial RFID technology does not include security, due to the associated expense involved. Typical passive RFID tags cost about 25 cents, whereas one with encryption capabilities costs about 5 dollars. For most private-sector applications, it is currently not viewed as cost-effective to invest in secure RFID technology. For most sectors, physical security teams typically manage RFID cards and readers and generally operate on a 20-year product lifecycle. This further complicates expense concerns, RFID technology security management, and logistics issues, since most organizations do not budget for continual updating of systems as new threats and vulnerabilities are identified.[7]

[2] (U) Open Source; Pub Date: 23 July 2013; DOI: 23 July 2013; Title: Long-Range RFID Hacking Tool to be Released at Black Hat; Class: Unclassified; Src Desc: http://threatpost.com/long-range-rfid-hacking-tool-to-be-released-at-black-hat/101448.

[3] (U) Open Source; Pub Date: 23 July 2013; DOI: 23 July 2013; Title: Long-Range RFID Hacking Tool to be Released at Black Hat; Class: Unclassified; Src Desc: http://threatpost.com/long-range-rfid-hacking-tool-to-be-released-at-black-hat/101448.

[4] (U) U.S. Department of State; Pub Date: N/A; DOI: 15 Aug 2013; Title: U.S. Electronic Passport Frequently Asked Questions; Class: Unclassified; Src Desc: http://travel.state.gov/passport/passport_2788.html#Twelve.

[5] (U) Open Source; Pub Date: 17 November 2006; DOI: 17 November 2006; Title: Guardian Hacks New UK Passports; Class: Unclassified; Src Desc: http://www.theinquirer.net/inquirer/news/1011076/guardian-hacks-new-uk-passports.

[6] (U) Open Source; Pub Date: May 2006; DOI: May 2006; Title: The RFID Hacking Underground; Class: Unclassified; Src Desc: http://www.wired.com/wired/archive/14.05/rfid.html.

PROTECTIVE MEASURES

Use of encrypted RFID technology, encryption of data within the RFID tag, and implementation of protective measures, such as use of protective sleeves that contain radio-frequency blocking material, can help to reduce compromise of data and physical security.

Frequent audits of security logs for unusual or duplicate entries may alert security managers to compromised cards. Implementation of multi-layer security measures such as visual identification checks or use of personal identification numbers used in conjunction with RFID cards may help mitigate vulnerabilities.
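The log audit recommended above can be automated. The following is an added example, not part of the original IP Note: it scans a badge log for a card seen at two sites faster than a person could travel, and for repeated entries with no exit in between. The CSV layout, the site and reader names, and the 20-minute travel threshold are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample badge log (not real data).
# Assumed columns: time, card_id, reader, site, direction
SAMPLE_LOG = """\
2014-01-31T08:01:10,10432,LOBBY-1,HQ,IN
2014-01-31T08:03:45,20877,LOBBY-1,HQ,IN
2014-01-31T08:09:30,10432,DOCK-2,ANNEX,IN
2014-01-31T12:00:05,20877,LOBBY-1,HQ,OUT
2014-01-31T12:45:00,20877,LOBBY-2,HQ,IN
2014-01-31T13:10:00,31555,LOBBY-1,HQ,IN
2014-01-31T13:12:00,31555,LOBBY-2,HQ,IN
"""

# Assumption: minimum plausible travel time between any two distinct sites.
MIN_TRAVEL = timedelta(minutes=20)


def audit(log_text, min_travel=MIN_TRAVEL):
    """Return a list of (rule, card_id, timestamp) findings for one log."""
    findings = []
    last_seen = {}  # card_id -> (time, site, direction) of the previous event
    # ISO 8601 timestamps sort correctly as strings.
    rows = sorted(csv.reader(io.StringIO(log_text)), key=lambda r: r[0])
    for ts, card, _reader, site, direction in rows:
        when = datetime.fromisoformat(ts)
        prev = last_seen.get(card)
        if prev:
            prev_when, prev_site, prev_dir = prev
            # Same credential at two sites faster than a person could travel.
            if site != prev_site and when - prev_when < min_travel:
                findings.append(("impossible_travel", card, ts))
            # Two entries at one site with no exit between them.
            elif site == prev_site and direction == "IN" and prev_dir == "IN":
                findings.append(("duplicate_entry", card, ts))
        last_seen[card] = (when, site, direction)
    return findings


if __name__ == "__main__":
    for rule, card, ts in audit(SAMPLE_LOG):
        print(f"{ts} card={card} {rule}")
```

A finding is a lead for review rather than proof of a copied card; tailgating and missed exit reads also produce duplicate entries.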

[7] (U) Open Source; Pub Date: 31 July 2013; DOI: 31 July 2013; Title: Hacking RFID Tags Is Easier Than You Think: Black Hat; Class: Unclassified; Src Desc: http://www.eweek.com/security/hacking-rfid-tags-is-easier-than-you-think-black-hat.

The Integrated Analysis Task Force Homeland Infrastructure Threat and Risk Analysis Center (IATF/HITRAC) produces Infrastructure Protection Notes, which scope the infrastructure protection community’s risk environment from terrorist attacks, natural hazards, and other events being reviewed and highlight the analytic capabilities required to produce infrastructure protection related risk analytic products. The information is provided to support the activities of the Office of Infrastructure Protection, and to inform the strategies and capabilities of Federal, State, local, and private sector partners. For more information, contact [email protected]. For more information about the Office of Infrastructure Protection, visit www.dhs.gov/criticalinfrastructure.