Wednesday, January 7, 2015

RFID Skeleton Key

What do Amazon.com, a college dorm, and a top-secret government facility have in common? They all use Radio Frequency IDentification devices to track the movement of important objects. RFIDs consist of a tag that broadcasts identifying data to a receiver when it moves within range. Businesses use them to track inventory throughout a supply chain. Institutions use them to grant certain people access to resources and track their use.

RFID used in product identification. Note the small size of the coil and chip.
Johns Hopkins uses RFID technology embedded in ID cards as the primary means of restricting access to student dorms and other buildings. As a Resident Advisor, I use this technology every day. Not only is it critical to student security to restrict access to the dorms to authorized persons, but in crisis situations it is critical that the university be able to track the whereabouts of students when they are on campus. On more than one occasion that I have seen, card access records have been used to locate students who were believed to be a danger to themselves or others. Maintaining the one-to-one mapping of RFID tags to users is critical to maintaining the safety and security of students on campus.

Unfortunately, RFID technology (particularly older versions) is vulnerable. According to several articles, it is actually pretty easy to spoof an RFID card using off-the-shelf technology. Using an Arduino, a toilet paper roll, and a handful of simple components, it's possible to create a transmitter that spoofs an existing card.

This in itself would not be too scary, since getting close enough to a card to skim its ID code is generally considered prohibitively difficult. However, it is not difficult to imagine an RFID skimmer planted behind a legitimate receiver that could not only spoof the ID cards of every resident of a building, but also track their movements over the course of days or weeks. Even without skimming card numbers, it would be possible to brute-force many older RFID systems if an attacker knew some basic information about the system in question.

Most modern RFID access control systems utilize more robust protocols to guard against these kinds of vulnerabilities. For example, there might be two-way communication between card and receiver used to authenticate the user. Or the card could use a one-time-pad system to encrypt data. Nevertheless, given the ubiquity of RFID systems, not all of them state-of-the-art, the vulnerabilities of the technology cannot be ignored.
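
The two-way authentication mentioned above, as an added example (not code from this post or from any real card system): a reader that accepts a static ID, next to one that sends a fresh random challenge and checks an HMAC computed with a per-card key. The class names, the card ID, and the choice of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class StaticReader:
    """Legacy-style reader: accepts whoever presents a known ID string."""
    def __init__(self, known_ids):
        self.known_ids = set(known_ids)
    def authenticate(self, presented_id):
        return presented_id in self.known_ids

class Card:
    """Card with a per-card secret key that is never sent over the air."""
    def __init__(self, card_id, key):
        self.card_id, self._key = card_id, key
    def respond(self, nonce):
        return hmac.new(self._key, nonce, hashlib.sha256).digest()

class ChallengeReader:
    """Reader that issues a single-use random nonce per attempt."""
    def __init__(self, keys):
        self.keys = dict(keys)      # card_id -> shared key
        self._pending = {}          # card_id -> outstanding nonce
    def challenge(self, card_id):
        nonce = secrets.token_bytes(16)
        self._pending[card_id] = nonce
        return nonce
    def verify(self, card_id, response):
        nonce = self._pending.pop(card_id, None)   # a nonce is used once
        key = self.keys.get(card_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    card_id = "CARD-0001"                          # constructed sample ID
    key = secrets.token_bytes(32)
    card = Card(card_id, key)
    static = StaticReader([card_id])
    reader = ChallengeReader({card_id: key})
    # Legitimate exchange; assume the ID, nonce and response are all observed.
    seen_response = card.respond(reader.challenge(card_id))
    legit = reader.verify(card_id, seen_response)
    # Replaying what was observed: the static ID is still valid, but the
    # recorded response does not match the reader's next fresh nonce.
    reader.challenge(card_id)
    return {"legit": legit,
            "static_replay": static.authenticate(card_id),
            "challenge_replay": reader.verify(card_id, seen_response)}

if __name__ == "__main__":
    print(demo())
```
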

UPDATE: I realize that this post doesn't cover a current vulnerability in an OS; however, this issue is something that affects systems that I use on a daily basis.
