By Scott Lindley
For buildings, the security of access control systems is critical. If a card system is hacked, there can be major problems. For example, at a university, years of research can be tampered with or lost. At a hospital, federal and provincial security rules are stringent and the penalties for having them breached can be severe. No administrator wants to be ultimately responsible for causing injury to an employee or visitor because unauthorized entry was gained via the card system.
There are three main ways to assault a card-based electronic access control system—skimming, eavesdropping, or relay attacks. The first type occurs when the attacker uses an unauthorized reader to access information on the unsuspecting victim’s radio frequency identification (RFID) card or tag without consent. As a result, the attacker is able to read stored information or modify data by writing to the credential. From that point on, the attacker can control when and where unauthorized entries may occur.
An eavesdropping attack occurs when an attacker recovers the data sent during a transaction between the legitimate reader and card. As a result, the attacker can recover and store the data of interest. The attacker can then use this stored data at will.
Lastly, RFID systems are potentially vulnerable to an attack in which the attacker relays communication between the reader and a tag. A successful relay attack lets an attacker temporarily possess a ‘clone’ of a token, allowing the attacker to gain the associated benefits. Some sophisticated RFID credentials perform mutual authentication and encrypt the subsequent communication. An attacker, however, never needs to know the plain-text data or the key material as long as he or she can continue relaying the respective messages. It is therefore irrelevant whether the reader authenticates the token cryptographically or encrypts the data, since the relay attack cannot be prevented by application-layer security.
What is scary is that the equipment used to perpetrate these types of attacks can be inexpensive and widely available. However, to fully understand how to stop such assaults, building and design professionals first need to understand how RFID cards and readers work.
Technology behind readers and cards
There are two basic contactless card-based technologies—proximity and smartcard. Proximity takes advantage of industry-acknowledged norms, while smartcard readers typically make use of the international standard for such cards, designated as International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 14443, Identification Cards–Contactless Integrated Circuit Cards: Proximity Cards.
In operation, proximity readers typically generate an electromagnetic field tuned to 125 kHz—an internationally recognized radio frequency for low-power data communications. When a credential enters this field, the credential’s internal radio-frequency integrated circuit (RFIC) is activated. The RFIC then transmits its unique data back to the reader as an encoded signal. The encoding of this signal typically consists of a data algorithm that uses a byte-parity error-detection scheme.
A byte is a unit of data that is eight binary digits, or bits, long. A parity bit, or check bit, is a bit added to the end of a string of binary code (0s and 1s) indicating whether the number of bits in the string with the value one is even or odd.
There are two variants of parity bits—even and odd. In the case of even parity, the bits with a value of 1 in a given set are counted. If that total is odd, the parity bit value is set to 1, making the total count of 1s in the set an even number. If the count of 1s in a given set of bits is already even, the parity bit’s value remains 0. In the case of odd parity, the situation is reversed: if the sum of bits with a value of 1 is odd, the parity bit’s value is set to 0. If the sum of bits with a value of 1 is even, the parity bit value is set to 1, making the total count of 1s in the set an odd number.
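The byte-parity scheme described above, worked through as an added example (not code from the article): each byte of a constructed sample credential payload gets an even or odd parity bit, the reader-side check recovers which frames fail, and the last function shows the scheme's limit, which is that parity only detects an odd number of flipped bits and says nothing about whether the frames came from a legitimate card.

```python
from typing import List

# Constructed sample payload, not a real credential.
SAMPLE = bytes([0x00, 0x37, 0xAB, 0xFF])


def parity_bit(byte: int, even: bool = True) -> int:
    """Parity bit for one 8-bit value.

    Even parity: the bit makes the total count of 1s even.
    Odd parity: the bit makes the total count of 1s odd.
    """
    ones = bin(byte & 0xFF).count("1")
    if even:
        return 1 if ones % 2 == 1 else 0
    return 0 if ones % 2 == 1 else 1


def encode(data: bytes, even: bool = True) -> List[int]:
    """Append a parity bit to each byte, giving 9-bit frames: 8 data bits then parity."""
    return [(b << 1) | parity_bit(b, even) for b in data]


def check(frames: List[int], even: bool = True) -> List[int]:
    """Return the indices of frames whose parity bit does not match their data byte."""
    bad = []
    for i, frame in enumerate(frames):
        byte, p = frame >> 1, frame & 1
        if parity_bit(byte, even) != p:
            bad.append(i)
    return bad


def flip_bits(frames: List[int], index: int, positions: List[int]) -> List[int]:
    """Simulate transmission noise by flipping the given bit positions in one frame."""
    out = list(frames)
    for pos in positions:
        out[index] ^= 1 << pos
    return out


if __name__ == "__main__":
    frames = encode(SAMPLE)
    print("clean frames pass check:", check(frames) == [])
    print("one flipped bit is detected:", check(flip_bits(frames, 1, [3])))
    # Two flipped bits in the same frame keep the 1s count parity unchanged.
    print("two flipped bits go undetected:", check(flip_bits(frames, 1, [3, 4])))
```

Because a frame copied bit-for-bit from a skimmed or relayed credential has valid parity, the check above accepts it; parity is an integrity check against noise, not an authentication mechanism.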