Presentation Setup - 11/13 Hackathon
GUI Interface for displaying RFID readings, DoS settings and 2-factor Mode [In this image the malicious device is DoS-ing a valid user]
Good Data (in database) | Bad Data (not in database) | Hacker (not in database but gains access)
Fingerprint 2-Factor Authentication
RFID Reader - Used bit-banging to send data with Wiegand protocol
Left - Malicious Device | Right - Device to authenticate user in Cloud database
Planning Phase
Inspiration
Cybersecurity in a world of IoT and embedded devices is very difficult. Our group took an ethical-hacking approach to expose some of the vulnerabilities present in the devices that surround us.
What it does
We reverse-engineered the Wiegand protocol using bit-banging. By building a "man in the middle" adversary device, we demonstrate how, given a couple of minutes alone with an RFID reader, an attacker can sniff RFID tag IDs before they are sent to the local server. The attacker can then save this authenticated data and "replay" it to gain remote access without the correct RFID tag being present.
To secure an RFID reader against this vulnerability, we added a two-factor authentication system built around a fingerprint reader. The fingerprint reader is independent of the RFID reader and sends its data to the Cloud, where it is checked together with the RFID reading. Because the fingerprint circuit has no physical connection to the RFID circuit, a device tapped into the RFID reader's data lines never sees the second factor, which is what makes the system more secure.
Other features include simulating a DoS attack on the RFID reader, enabling or disabling two-factor authentication mode, a full GUI to display RFID IDs, and simulating replay attacks from the Cloud.
How we built it
To simulate the RFID attack, we built an RFID tag reader from an RFIDuino shield and an Arduino Uno. The reader sends each tag ID in binary, as pulses on the Wiegand protocol's data lines. We simulated an attacker "sniffing" this data by writing code for an ESP8266 that reads and interprets the pulses and stores the resulting RFID ID. This device can then "replay" the stored ID remotely to the Cloud and maliciously authenticate itself.
Our second authentication factor, which prevents the above attack, is a biometric sensor, in this case a fingerprint sensor. We interfaced the sensor with an ESP8266 and used Adafruit.io in the Cloud to collect and analyze the data. In a full system both a user's fingerprint and RFID ID would be stored in a database and retrieved for comparison; in our implementation we did not have a database connected and simplified the authentication process because of this.
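As an added example (not the team's own firmware) of the decoding and two-factor logic described under "What it does" and "How we built it": the code below takes the edge timestamps an interrupt handler would record on the reader's two data lines, splits them into frames on idle gaps, validates both parity bits of the common 26-bit Wiegand format, and then applies the rule that a card ID alone is not enough when two-factor mode is on. The 26-bit layout, the 10 ms idle-gap threshold, the 2 ms bit spacing of the constructed capture, the card numbers, and the integer fingerprint template ID are all assumptions; the project's actual hardware, Adafruit.io feeds and GUI are not modelled.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Added example, not the project's firmware. It models the controller side:
// decode Wiegand-26 frames from captured line edges, check parity, then apply
// the two-factor rule. Timings, IDs and the 26-bit layout are assumptions.

// One falling edge recorded by the interrupt handler: line 0 (D0) carries a
// 0 bit, line 1 (D1) carries a 1 bit; t_us is the capture time in microseconds.
struct Edge { int line; uint32_t t_us; };

// Identity carried by a 26-bit frame: 8-bit facility code and 16-bit number.
struct Card { uint8_t facility; uint16_t number; };

// Bits within a frame arrive a few ms apart; a longer idle gap (assumed
// threshold) marks the end of a frame.
constexpr uint32_t kFrameGapUs = 10000;
constexpr uint32_t kBitPeriodUs = 2000;  // assumed spacing used for the sample

// Group captured edges into raw bit frames, splitting on idle gaps.
std::vector<std::vector<int>> splitFrames(const std::vector<Edge>& edges) {
    std::vector<std::vector<int>> frames;
    for (size_t i = 0; i < edges.size(); ++i) {
        if (i == 0 || edges[i].t_us - edges[i - 1].t_us > kFrameGapUs)
            frames.emplace_back();
        frames.back().push_back(edges[i].line ? 1 : 0);
    }
    return frames;
}

// XOR of bits[from..to]: 1 when the number of ones in the range is odd.
static int xorRange(const std::vector<int>& bits, size_t from, size_t to) {
    int p = 0;
    for (size_t i = from; i <= to; ++i) p ^= bits[i];
    return p;
}

// Wiegand-26 layout: b0 = even parity over b1..b12, b1..b8 = facility code,
// b9..b24 = card number, b25 = odd parity over b13..b24. Any frame that is
// not exactly 26 bits or fails either parity check is rejected.
std::optional<Card> decodeWiegand26(const std::vector<int>& bits) {
    if (bits.size() != 26) return std::nullopt;
    if (xorRange(bits, 1, 12) != bits[0]) return std::nullopt;    // even parity
    if (xorRange(bits, 13, 24) == bits[25]) return std::nullopt;  // odd parity
    Card c{0, 0};
    for (size_t i = 1; i <= 8; ++i)
        c.facility = static_cast<uint8_t>((c.facility << 1) | bits[i]);
    for (size_t i = 9; i <= 24; ++i)
        c.number = static_cast<uint16_t>((c.number << 1) | bits[i]);
    return c;
}

// Build the frame for a card; used here only to construct sample captures.
std::vector<int> encodeWiegand26(Card c) {
    std::vector<int> bits(26, 0);
    for (size_t i = 0; i < 8; ++i)  bits[1 + i] = (c.facility >> (7 - i)) & 1;
    for (size_t i = 0; i < 16; ++i) bits[9 + i] = (c.number >> (15 - i)) & 1;
    bits[0] = xorRange(bits, 1, 12);
    bits[25] = 1 ^ xorRange(bits, 13, 24);
    return bits;
}

// Expand a frame into the edge stream an ISR would record, one edge per bit.
std::vector<Edge> toEdges(const std::vector<int>& bits, uint32_t start_us) {
    std::vector<Edge> edges;
    for (size_t i = 0; i < bits.size(); ++i)
        edges.push_back({bits[i], start_us + static_cast<uint32_t>(i) * kBitPeriodUs});
    return edges;
}

// Flip one bit of a frame (constructed corruption, to exercise the parity check).
std::vector<int> flipBit(std::vector<int> bits, size_t i) { bits[i] ^= 1; return bits; }

// Constructed capture: two cards read with an idle gap between them.
std::vector<Edge> sampleCapture() {
    auto edges = toEdges(encodeWiegand26({42, 12345}), 1000);
    auto second = toEdges(encodeWiegand26({42, 777}), 200000);
    edges.insert(edges.end(), second.begin(), second.end());
    return edges;
}

// Enrollment record: the card plus the fingerprint template ID (an integer,
// as fingerprint sensor libraries typically report) that must accompany it.
struct Enrollment { Card card; int fingerprintId; };

enum class Decision { Granted, BadFrame, UnknownCard, FingerprintMismatch };

// The page's two-factor rule: a well-formed, enrolled card frame is enough only
// when two-factor mode is off; otherwise the independently captured fingerprint
// must match the enrollment. A replayed frame passes parity but not this check.
Decision authorize(const std::vector<int>& frame, std::optional<int> fingerprintId,
                   bool twoFactor, const std::vector<Enrollment>& db) {
    auto card = decodeWiegand26(frame);
    if (!card) return Decision::BadFrame;
    for (const auto& e : db) {
        if (e.card.facility != card->facility || e.card.number != card->number) continue;
        if (!twoFactor) return Decision::Granted;
        return (fingerprintId && *fingerprintId == e.fingerprintId)
                   ? Decision::Granted : Decision::FingerprintMismatch;
    }
    return Decision::UnknownCard;
}

// Constructed enrollment table: one card paired with fingerprint template 7.
std::vector<Enrollment> sampleDb() { return {{{42, 12345}, 7}}; }
```

Encoding and decoding share the same parity rule, so a faithful copy of a sniffed frame decodes cleanly on the controller; parity only catches corrupted frames. The fingerprint factor, which the tapped data lines never carry, is what separates a replay from the real card holder in the authorize() result, which is the point the project makes with its independent fingerprint circuit.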
Challenges we ran into
The most challenging aspect of the project was interfacing many different sensors and MCUs into one cohesive system, as well as reverse-engineering and decoding the two-data-line Wiegand protocol in software.
Accomplishments that we're proud of
Our group is proud of the ambition of our project and of its real-world application in exposing security vulnerabilities.
What we learned
We learned to use many different sensors, implement interrupts, view data with oscilloscopes, use libraries, and debug like crazy!
What's next for RFID Thief
We plan to further improve our system by building a robust database in the Cloud that indexes RFID IDs and fingerprint data together. This implementation would be indistinguishable from the systems used in roughly 50% of RFID readers in the world!