Re: Re: Radio Signal Pent test (RFID)

From: contact_jamie_fisher@yahoo.co.uk
Date: Tue Dec 20 2005 - 08:49:25 EST


Two types of RFID: passive and active.

Passive tags are generally read-only, meaning the data they contain cannot be altered or written over, and can be read up to 20 feet away.

Passive RFID tags are powered by the radio signal of a RFID reader, which "dehibernates" them to request a reply.

Active RFID tags act as transponders and are designed for communications up to 100 feet from the RFID reader.

These puppies are read/write, so once you figure out which type of tag you are talking to, try and write over the data on the tag.

As I understand it, the tags won't talk to you unless you talk to them first. Here's something I pulled out of the spec that might help you understand:

[quote]
Proper RFID system design suggests that a reader would be commanded by a host (or timed internally) to address a population of tags, for either a read of all tag Ids or a confirmation read of specific tags. Before and after this polling process, the reader is not emitting RF energy. This allows other readers and other 900 MHz ISM band devices to operate. The negotiation between the reader and tags can be divided into three categories: start up signals, tree traversal negotiations, and command communication.
[/quote]

[quote]
Start up signals are sent at the beginning of the addressing of the population of tags, and after a frequency hop. During this process, the reader will emit signals to power the tags, calibrate the tag oscillator, and train the tag to interpret the three reader-to-tag data symbols. After the setup, the reader and tags will communicate digitally, the reader with three symbols, and the tags with two symbols.
[/quote]

[quote]
ID1 is a static pseudo-random number that is contained on chip, and is used in tag singulation, and sometimes in recalling an already established tag identity. ID0 is a fully randomized number that is generated on chip as needed, and will be rerandomized at each address by the reader of the full population of tags. ID0 may be used in tag singulation, but must always follow with the reading the EPC data for establishing a tag identity. Under interrogator command, any one of ID2, ID1, or ID0 may be used for singulation.
[/quote]

Something else you might like to consider is the secure reader command - it's supposed to render RFID tags unreadable. Might be a nice way to do a blanket DoS against the shop's RFID tags.

I've searched through various implementation, specification and technical option papers but have not yet been able to find any more on the "secure reader command". If anyone else has come across detailed information on the command I'd certainly like to have a look at it.

Some useless information so you know where to stand:

* 125 - 14813.56 MHz broadcast/receive up to 3 feet
* 915 MHz broadcast/receive up to 25 feet
* 2.45GHz broadcast/receive up to 100 feet

You might like to read: http://www.epcglobalinc.org/standards_technology/Secure/v1.0/UHF-class0.pdf

The document specifies the communications interface and protocol for 900 MHz Class 0 operation. It includes the RF and tag requirements and provides operational algorithms to enable communications in this band.

Particularly concentrating on sections 12 through 14.

Not sure if this has helped or hindered, but it's my take on it and certainly where I'd begin my research into laying a big juicy one on the chest of RFID.

Bon Voyage ;-)
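The spec excerpts quoted in the post above describe "tree traversal negotiations" in which a reader singulates one tag out of a population using ID1 (a static pseudo-random number) or ID0 (a fresh random number per addressing round). The following is an added illustration, not code from the post or from the EPC Class 0 specification: a toy model of binary tree-walking singulation that shows the general idea (descend the identifier bit-tree, branch on collisions) at the level of whole bits. The 8-bit identifier width, the `Tag` class, the `epc` labels and the constructed tag population are all assumptions made for readability; the real Class 0 symbol-level exchange is not modelled.

```python
"""Toy model of binary tree-walking singulation (added example, not from the
EPC Class 0 spec or the original post).  The reader queries a bit-prefix; every
tag whose chosen singulation ID matches the prefix answers with its next bit.
If the reader hears both a 0 and a 1 it has a collision and walks both branches.
"""
import random
from dataclasses import dataclass

ID_BITS = 8  # assumption: short identifiers keep the walk easy to follow


@dataclass
class Tag:
    epc: str         # constructed label standing in for the tag's EPC data
    id1: str         # static pseudo-random singulation number (as quoted above)
    id0: str = ""    # per-round random number, regenerated on demand

    def rerandomize(self, rng: random.Random) -> None:
        """Model of ID0 being re-randomised at each addressing of the population."""
        self.id0 = "".join(rng.choice("01") for _ in range(ID_BITS))


def next_bit_responses(tags, key, prefix):
    """Return the set of distinct next bits the reader hears for `prefix`.

    Only tags whose `key` identifier (id0 or id1) starts with `prefix` reply;
    the reader cannot tell how many tags sent each bit, only which bits it heard.
    """
    heard = set()
    for t in tags:
        ident = getattr(t, key)
        if len(ident) > len(prefix) and ident.startswith(prefix):
            heard.add(ident[len(prefix)])
    return heard


def singulate(tags, key="id0", rng=None):
    """Depth-first walk of the identifier tree.

    Returns (tags in the order they were singulated, number of prefix queries
    the reader issued).  With key="id0" and an rng, every tag first draws a new
    ID0 as the spec describes for a fresh addressing round.
    """
    if rng is not None and key == "id0":
        for t in tags:
            t.rerandomize(rng)
    singulated = []
    queries = 0
    stack = [""]  # start at the root of the bit-tree (empty prefix)
    while stack:
        prefix = stack.pop()
        if len(prefix) == ID_BITS:
            # A full-length path selects the tag(s) carrying exactly this ID;
            # two tags that drew the same random ID0 would both land here.
            singulated.extend(t for t in tags if getattr(t, key) == prefix)
            continue
        queries += 1
        heard = next_bit_responses(tags, key, prefix)
        # Push '1' first so the '0' branch is popped and explored first.
        for bit in sorted(heard, reverse=True):
            stack.append(prefix + bit)
    return singulated, queries


def demo_population():
    """Constructed three-tag population with hand-picked ID1 values."""
    return [
        Tag("epc-A", "00000000"),
        Tag("epc-B", "00000001"),
        Tag("epc-C", "10000000"),
    ]


if __name__ == "__main__":
    tags = demo_population()
    found, n = singulate(tags, key="id1")
    print("ID1 walk:", [t.epc for t in found], "in", n, "prefix queries")
    found, n = singulate(tags, key="id0", rng=random.Random(2005))
    print("ID0 walk:", [t.epc for t in found], "in", n, "prefix queries")
```

Two things the walk makes visible that the quoted prose only states: a collision costs the reader a query for every shared prefix (tags A and B above share seven leading bits, so the reader spends seven extra rounds separating them), and singulating on a re-randomised ID0 still returns every tag, but the path walked changes on each round, which is why the spec says an ID0 singulation must be followed by reading the EPC data to learn which tag was actually isolated.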




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:17 EDT