RFID and NFC Attacks – CompTIA Security+ SY0-501 – 1.2

The unique characteristics of RFID and NFC have created an entirely new set of security challenges. In this video, you’ll learn about RFID and NFC attack types and how to protect yourself against them.



RFID, or radio frequency identification, is now used almost everywhere. If you have a badge to get into your office, it probably has RFID inside of the badge. If you’re working on an assembly line, or you work with inventory, it’s a great way to track where the inventory might be. And these days we’re even putting it inside of our pets, so if we lose our animals, we can track them back using RFID. These RFID chips are very small. You can see one here that’s put right next to a grain of rice. That makes it very easy to embed or put this chip wherever we might need it.

Many of the RFID technologies we use these days don’t have their own power source. Instead, we power the device externally by sending a radio frequency signal. It powers the RFID tag, which is then able to communicate the ID information back to us. There are some RFID formats that do have their own power source, and those active tags are always on and don’t require a radio frequency signal for power.

There are a number of attacks associated with RFID technologies. One is a simple data capture. If you can sit in the middle of that wireless communication, you can view what’s going back and forth between the RFID tag and the reader. You could also spoof the reader: you write your own information to a tag, and that’s what’s sent back to the original device. You could also jam the signal so that even if you’re trying to read that tag, there’s too much noise in the air and you’re not able to read anything from the RFID tag itself. And one of the challenges is that, although this communication is encrypted, a lot of the decryption keys are out on Google. You can find the decryption key for your technology with a simple search of the internet.
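The capture and spoofing problem above, as an added example that is not part of the original video: a Python model in which a reader accepts a replayed static identifier, rejects a replayed response once it issues a fresh challenge, and loses that protection when the key is publicly known. The class names, the HMAC-based challenge-response scheme and the sample badge ID are assumptions for illustration, not any specific RFID product's protocol.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, tag_id: bytes, challenge: bytes) -> bytes:
    return hmac.new(key, tag_id + challenge, hashlib.sha256).digest()

class StaticTag:
    """Answers every read with the same identifier (hypothetical model)."""
    def __init__(self, tag_id): self.tag_id = tag_id
    def respond(self, challenge): return self.tag_id

class KeyedTag:
    """Answers with a MAC over the reader's fresh challenge (hypothetical model)."""
    def __init__(self, tag_id, key): self.tag_id, self.key = tag_id, key
    def respond(self, challenge): return mac(self.key, self.tag_id, challenge)

class Replayer:
    """Clone that can only repeat one previously captured response."""
    def __init__(self, captured): self.captured = captured
    def respond(self, challenge): return self.captured

def static_reader(tag, enrolled_id) -> bool:
    # The challenge is sent but a static tag ignores it.
    return hmac.compare_digest(tag.respond(secrets.token_bytes(16)), enrolled_id)

def keyed_reader(tag, enrolled_id, key) -> bool:
    challenge = secrets.token_bytes(16)  # fresh for every read, never reused
    return hmac.compare_digest(tag.respond(challenge), mac(key, enrolled_id, challenge))

def demo() -> dict:
    tag_id = b"BADGE-0001"                   # constructed sample value
    key = secrets.token_bytes(16)
    old_challenge = secrets.token_bytes(16)  # exchange seen by an eavesdropper
    genuine = KeyedTag(tag_id, key)
    return {
        # A captured static ID is all a clone needs.
        "static_replay": static_reader(Replayer(StaticTag(tag_id).respond(old_challenge)), tag_id),
        "keyed_genuine": keyed_reader(genuine, tag_id, key),
        # The old response does not match the new challenge.
        "keyed_replay": keyed_reader(Replayer(genuine.respond(old_challenge)), tag_id, key),
        # A second device built from a publicly known key is indistinguishable.
        "keyed_known_key": keyed_reader(KeyedTag(tag_id, key), tag_id, key),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```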

A technology that builds on RFID is NFC, near field communication. It’s a technology that allows two-way communication between devices that are very close to each other. We see this often used with payment systems. We can simply use our phone, and we can easily pay for devices by waving our phone at these payment systems. This is something that can also be used to bootstrap other wireless devices. For example, NFC is often used to get a Bluetooth pairing going between two devices. NFC technology uses an access token that’s usually built into our mobile devices, like our phones, and we’re able to communicate with these payment systems over an encrypted channel.

The security concerns we have with NFC are very similar to those we have with RFID. You have traffic that’s going over a wireless network, so if there is someone in the local area, they could potentially capture that data. You also have the challenge of someone jamming the frequencies being used for NFC and causing all of your NFC devices to not operate. There might also be an opportunity for a relay, or a man-in-the-middle attack, especially if someone has gained access to the encrypted data. And of course, if you lose your mobile device, someone now has access to that token and could potentially use it for an NFC-based transaction.