With the increasing amount of RFID technology creeping into everyday life, just how much data can be obtained from your wallet? At Pentura we undertook a small experiment in which, using standard off-the-shelf products, we attempted to obtain personal information leaked from RFID-enabled devices:
- UK Passport
- UK Bank Cards Debit/Credit
- Access Control Tokens
Our experiment used standard unmodified off-the-shelf RFID equipment:
- 13.56MHz ACR-122U Reader
- Proxmark3 with LF antenna
- Proxmark3 with HF antenna
- Parallax LF EM4x Reader
Our experiment also collected information on the effectiveness of various defensive technologies, where RFID data exfiltration was not possible:
- Various paper wallets from eBay
- Stainless-Steel Wallet(s) from Electronics providers
Our experiment found that the average distance to read HF (Mifare type) cards was approximately 2 cm, whereas the average distance to read LF (HID, EM4x) cards was more generous at 4 inches (10 cm).
Pentura observed an almost balanced sample: 49% LF (35% HID, 14% EM4x) and 51% HF (47% Mifare (45% Mifare 1K or 4K, 2% Mifare DESFire), 4% other).
The 49% of LF cards are easily cloneable using the Proxmark3 and Atmel’s programmable AT55x7 cards, which are easily affordable from eBay.
Out of the 45% Mifare 1K or 4K cards, 40% used default keys, meaning the card's contents could be fully extracted within 5 secs. This time was significantly decreased, as the majority of Access Control Data is usually stored in sector 14. Where 5% of Mifare cards used non-default keys, the initial ‘cracking time’ increased to 45 secs. However, once all keys were recovered, they were added to a database that facilitated future cracks of cards containing the same key in under 5 secs.
Only 6% of cards were uncrackable, due to obscure, unfamiliar data formats or the use of Mifare DESFire with a sufficient secret key.
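For a card issuer who wants to know whether their own Mifare Classic cards fall into the default-key group described above, the following added example (not Pentura's code) audits a 1K or 4K card dump and reports which sectors are protected only by a well-known public key. It assumes a raw binary dump in which the dumping tool has filled in the sector keys; the key list and the sample dump are constructed for illustration and do not come from the article.

```python
# Added example: audit a Mifare Classic dump for default sector keys.
# Assumption: the dump is raw binary with keys filled in by the dumping tool.
DEFAULT_KEYS = {  # well-known public defaults, not taken from the article
    bytes.fromhex("FFFFFFFFFFFF"): "factory transport key",
    bytes.fromhex("A0A1A2A3A4A5"): "public MAD key",
    bytes.fromhex("D3F7D3F7D3F7"): "public NDEF key",
}
BLOCK = 16  # bytes per block


def sector_trailers(dump: bytes):
    """Yield (sector, trailer) pairs for a 1K (1024 B) or 4K (4096 B) dump."""
    if len(dump) not in (1024, 4096):
        raise ValueError("expected a 1K or 4K Mifare Classic dump")
    offset, sector = 0, 0
    while offset < len(dump):
        blocks = 4 if sector < 32 else 16  # 4K cards: sectors 32-39 are larger
        end = offset + blocks * BLOCK
        yield sector, dump[end - BLOCK:end]  # last block of a sector is its trailer
        offset, sector = end, sector + 1


def audit(dump: bytes):
    """Return {sector: [(key_slot, description), ...]} for default-keyed sectors."""
    findings = {}
    for sector, trailer in sector_trailers(dump):
        slots = (("A", trailer[:6]), ("B", trailer[10:16]))  # bytes 6-9: access bits
        hits = [(slot, DEFAULT_KEYS[k]) for slot, k in slots if k in DEFAULT_KEYS]
        if hits:
            findings[sector] = hits
    return findings


def build_sample_1k(custom_sectors):
    """Constructed 1K dump: listed sectors get a made-up key, the rest factory keys."""
    dump = bytearray()
    for sector in range(16):
        key = bytes.fromhex("112233445566" if sector in custom_sectors else "FFFFFFFFFFFF")
        dump += bytes(48) + key + bytes.fromhex("FF078069") + key
    return bytes(dump)


if __name__ == "__main__":
    # Sector 14 is where the article says access control data usually lives.
    for sector, hits in audit(build_sample_1k({14})).items():
        print(f"sector {sector:2d}: " + ", ".join(f"key {s} = {d}" for s, d in hits))
```

Any sector that appears in the output is readable by anyone who knows the public defaults, so the sector holding access control data should never be listed.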
Note: All data was securely destroyed at the end of our experiment!
We found from our sample that 96% of people have RFID-enabled devices in either their devices or pockets. From this sample of people with RFID-enabled devices, 99.6% are vulnerable to attack. Our study actually found that 96% used no protection. It was found that 6% used (or thought they used) adequate protection, but in reality the protection offered was merely a simple paper shield, offering no real benefit. Further studies into the paper-based shields available at affordable prices on eBay revealed that some shields (possibly due to a manufacturing error) offered no protection (so be careful what you buy). Other shields from highly approved sellers offered more protection, but with conditions:
- If at least 1/3 of a credit card is unprotected, it can be scanned.
- If at least 1/2 of a passport is unprotected, it can be scanned.
- If the paper wallet is damaged (creases, etc.), its protection is ultimately weakened.
So what technology were the most savvy, security-conscious people utilising? It turns out that some electronics retailers/resellers offer stainless-steel wallets. Back at our lab, under strict testing conditions, it proved hard to extract RFID data from these wallets. Again we used the standard off-the-shelf equipment referred to above. Even when these wallets were open (fully open, half open or ajar), it still proved difficult to extract any meaningful data from any emanating RF signals. It was confirmed that these wallets held up better than their paper-based counterparts and are more durable under normal wear and tear.
Stress testing the stainless-steel wallets with random impacts and excessive wear weakened the integrity of the wallets, meaning they are not impervious. However, they still provided more protection than paper-based protection. It is important to know that wear, tear and age are a natural progression that will affect the security of these products over time. Even so, these more durable wallets offer longer-term benefits, as opposed to paper-based solutions, which are relatively short-term.
Note: The more durable and slightly more expensive wallets may have come up trumps in our research, but paper-based solutions are cheaper and work well in the short term. If you use paper-based protection, we advise replacing the wallet as soon as it shows signs of wear or damage; this may mean replacing it every 3-6 months.
IMPORTANT: If you use NO PROTECTION, we advise implementing one of the above methods to shield your RF data from potential attackers/prying eyes!