RFID (Radio-Frequency Identification) and NFC (Near Field Communication) technologies have become ubiquitous in our daily lives. They're used in everything from credit cards and passports to building access controls and ticketing systems. These technologies offer convenience and improved security over traditional methods, but like all technologies, they have vulnerabilities.
One such vulnerability is the 'downgrade attack'. This type of attack occurs when a system is configured to accept both high-security and low-security tags. This is often the case in organizations that are in the process of upgrading their security systems, as they want to ensure continuity of access for all users. However, this can inadvertently create a security loophole that malicious actors can exploit.
The Downgrade Attack Explained: Multiple Card Types Vulnerability
A key component in understanding the downgrade attack within the context of RFID and NFC technologies is recognizing the role of card readers that are capable of reading multiple card types.
Understanding Card Types: MIFARE DESFire EV2 vs. MIFARE Classic
To provide a clearer picture, let's delve into two types of commonly used RFID cards: MIFARE DESFire EV2 and MIFARE Classic.
MIFARE DESFire EV2: This is considered a high-security card. With AES encryption, it offers advanced protection against cloning, eavesdropping, and other sophisticated attacks. It is widely recognized for its robust security features and is thus preferred by organizations aiming for a high level of security.
MIFARE Classic: On the other hand, MIFARE Classic, while pioneering in its time, has now been exposed to several vulnerabilities. It uses Crypto1 encryption, which over the years, has proven to be susceptible to attacks, making card cloning feasible for determined adversaries.
If a card reader is able to read both types of card above, and the same data is present on both, then the controller (the logic of the access control system) will see the two cards as identical.
Think of it like this: two men who speak different languages are going to tell you their ID number, and if that ID number is 123, you let them inside.
Man A speaks French
“Ma carte d'identité est le 123”
Man B speaks German
“Meine ID ist 123”
If you only spoke German, then Man B has ID 123, and Man A you simply don't understand and therefore won't be given access to anything.
If you speak both languages, then you will see that both men have the same ID number (123) and are therefore identical, and both will be granted access.
How Downgrade Attacks Exploit Multi-Read Capabilities
Card readers designed to support multiple card types, for example, both MIFARE DESFire EV2 (high security card) and MIFARE Classic (low security card), can become the weak link in an organization's security chain. Here's how:
Backward Compatibility: Organizations often employ multi-read card readers to ensure backward compatibility. This can be due to various reasons, such as cost-saving, gradual transitioning, or simply to cater to a wider range of users (e.g., visitors, contractors, etc.) who might still carry older card types.
The Exploitation: A malicious actor, aware of this backward compatibility, might target employees or individuals with the older, less secure MIFARE Classic cards. By cloning these cards, they can gain unauthorized access to premises that accept both card types, even if the primary security measure in place is the more secure MIFARE DESFire EV2.
False Sense of Security: Organizations might assume that having high-security cards like MIFARE DESFire EV2 protects them from unauthorized access. However, as long as their card readers are also reading low-security cards, they remain exposed.
Why Do Organizations Do This?
This is a very common occurrence, especially in larger organizations. If an organization has 50 buildings, upgrading every card reader and replacing every employee's ID badge can take months or even years, depending on the organization's budget and priorities.
Suppose you have 50 buildings which need 20 new card readers each and 1,000 employees, all of whom need new ID cards. Your contractor has told you this project will take around 2 weeks per building, and you only have enough funds in the budget to do 15 buildings per year. This means it could take around 3 years to complete the entire project, and in that time your organization may be vulnerable to downgrade attacks.
The above hypothetical is a very common situation companies and organizations find themselves in. During the time of all this upgrading, such organizations are often exposed to downgrade attacks.
If building A has been upgraded to the new high security ID cards, but employees in building B, who are still using older, less secure cards, need access to building A, then building A will have to accept both the high and low security cards until everyone has the new high security badges.
The Branch Bank Scenario: A Real-World Example
Imagine a large banking corporation, BankCorp, with numerous branches and a central headquarters. The bank has recently invested in high-security access controls for its headquarters, using state-of-the-art RFID technology. These badges cannot be cloned, and they are using OSDP on the backend. You may think that since we cannot attack the card (cloning) nor the backend (e.g., ESP key), this is where the RFID part of the pentest ends, but not necessarily.
Understanding that a complete overhaul takes time, the bank's security system at its HQ is set to accept both the new high-security tags and the older, less-secure tags that are still in use at some branch offices.
A malicious actor, seeing an opportunity, visits a branch office. Perhaps they 'accidentally' bump into an employee at a coffee shop or use a concealed device to skim an employee's older, less-secure RFID badge. Now armed with the cloned badge's information, they have a potential ticket into the bank's headquarters.
The attacker then goes to the bank's HQ, presents the cloned badge, and due to the downgrade compatibility, they're granted access. Even though the bank HQ primarily uses high-security badges, the system allows for low-security ones, making it vulnerable to intrusion.
Thus, even high security cards and readers may still be vulnerable to attack, and allow yet another avenue of entry.
The Underlying Issue
The key problem with downgrade attacks is that they exploit a card reader's ability to read multiple card types and, the topic of this post, the transitional phase of technology upgrades. When organizations introduce new tech but still need to support the old, they inadvertently provide an entry point for malicious actors. In the above scenario, BankCorp's mistake was not in upgrading their security measures; it was in failing to recognize and mitigate the potential risks of supporting both technologies simultaneously.
Safeguarding Against Downgrade Attacks
Timed Transition: Organizations can set a clear and stringent timeline for transitioning from the old system to the new one. For instance, after introducing the high-security badges, they could give employees a set period (say, three months) to switch over. Post that period, the system should only accept the new badges.
Layered Security: Do not rely solely on badge access. Implement multi-factor authentication, like a combination of a badge and a unique PIN or biometric verification.
Regular Audits: Conduct regular security audits to identify potential vulnerabilities, especially during transitional phases.
Employee Training: Ensure that employees are aware of the risks of skimming and are trained to report any suspicious activity. They should also be educated about safe practices, like not leaving their badges unattended.
Upgrade All Access Points: When introducing new security technologies, try to upgrade all access points simultaneously or disable specific vulnerable points temporarily.
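To make the controller-side issue concrete, here is an added toy model (not code from the original post or from any real access-control product) of the "two men, one ID" logic above, beside a hardened version that binds each card number to the technology it was issued on and enforces the timed transition per site. Card IDs, site names, technology labels and cutoff dates are all constructed for the example.

```python
"""Toy access-controller model of the multiple-card-types downgrade weakness.
Added example; IDs, sites, technology labels and dates are constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Read:
    """One badge presentation as a multi-technology reader reports it to the controller."""
    site: str
    card_id: int      # the number both card types carry (the '123' of the analogy)
    technology: str   # "DESFIRE_EV2" or "CLASSIC", as identified by the reader
    when: date


# Weak configuration: only the number is enrolled, so a Classic card carrying
# 123 and the DESFire badge carrying 123 are the same credential to the controller.
WEAK_ENROLLMENT = {123, 456}

# Hardened configuration: each number is bound to the technology it was issued on.
# When ID 123 was reissued on DESFire its CLASSIC binding was retired; ID 456
# (a branch employee) has not been migrated yet and keeps its CLASSIC binding.
BOUND_ENROLLMENT = {(123, "DESFIRE_EV2"), (456, "CLASSIC")}

# Timed transition: the date after which each site refuses the legacy technology.
# A site missing from this table refuses legacy cards outright (fail closed).
LEGACY_CUTOFF = {"HQ": date(2024, 4, 1), "BranchB": date(2024, 10, 1)}


def weak_decision(read: Read) -> bool:
    """Grants on the ID alone: a cloned Classic card carrying 123 opens the door."""
    return read.card_id in WEAK_ENROLLMENT


def hardened_decision(read: Read) -> bool:
    """Requires the (ID, technology) pair to be enrolled and refuses the legacy
    technology once the site's transition window has closed."""
    if read.technology == "CLASSIC" and read.when >= LEGACY_CUTOFF.get(read.site, date.min):
        return False
    return (read.card_id, read.technology) in BOUND_ENROLLMENT


def downgrade_indicators(reads) -> list:
    """Audit helper: legacy-technology reads of an ID already migrated to DESFire.
    The old number appearing on the old technology after its holder was
    reissued is exactly what a downgrade attempt looks like in the logs."""
    migrated = {cid for cid, tech in BOUND_ENROLLMENT if tech == "DESFIRE_EV2"}
    return [r for r in reads if r.technology == "CLASSIC" and r.card_id in migrated]


SAMPLE_READS = [  # constructed events retelling the BankCorp scenario
    Read("HQ", 123, "DESFIRE_EV2", date(2024, 5, 2)),   # legitimate upgraded badge
    Read("HQ", 123, "CLASSIC", date(2024, 5, 2)),       # clone of the retired Classic badge
    Read("BranchB", 456, "CLASSIC", date(2024, 5, 3)),  # branch employee, still in transition
    Read("BranchB", 456, "CLASSIC", date(2024, 11, 5)), # same badge after that site's cutoff
]
```

Running the three decisions over `SAMPLE_READS` shows the weak controller granting the clone while the hardened one refuses it, and the audit helper surfaces that clone as the only downgrade indicator.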
Conclusion
RFID and NFC technologies provide enhanced security, but as with all systems, they come with their vulnerabilities. As organizations upgrade, it's crucial to understand the potential risks of transitional phases and implement strategies to safeguard against them. A proactive approach, combined with awareness and timely action, can prevent the exploitation of downgrade attacks and ensure the physical security of premises.
In a future post I will be discussing how downgrade attacks may still be viable even without an organization upgrading their card readers.
Training Resources:
For individuals looking for hands-on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5-day hands-on course designed to train individuals and groups to become Covert Entry Specialists
Elicitation Toolbox Course - 2-day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Cyber Bootcamp for Black Teams - 2-day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.
Private one-on-one Instruction - Book time to get private and personalized instruction on physical penetration testing