Understanding the Behavior of RFID-based Locks

Abstract

In this project, an attempt is made to break the security of RFID locks by taking the locks of Building 39 as a case study since they use the same technique. I tried to analyse how RFID locks work and how the RFID cards work. RFID or Radio Frequency IDentification is a technique used in order to avoid the physical contact between two modules. It is used in locks, and it works just by approximating the card to the lock without any physical contact. The same technique is used for payments. The new trend of cards do not need necessary the physical contact to pay which made research in security issues in this rich field a necessity. I tried to find the mechanism that those locks are using and compare it with we have been discussing in computer communications class. And I will be sharing in this report my findings and the way that I used to break down the security of the locks.

Introduction

This project will is about Radio Frequency IDentification based locks. I tried to break the security of RFID keys by identifying the Unique ID and clone it in another empty key. This case study will be about the rooms locks in Building 39 which use the same technique. I will be focusing on how to use parity checks and checksum to break the security of the keys. In addition, we will try to explain how RFID works by showing the original, modulated signals, and Manchester encoding. We will use an Arduino UNO and an RC 554 RFID reader to simulate the signals and the electric circuit. I tried to implement what we have learned in this course to show how it is important in networks security field.

Theory

RFID Working Concept:

RFID, or Radio Frequency IDentification is the term used to depict a wide assortment of measures that permit information put away inside electronic “labels” to be perused by a peruser without utilizing wires. There are various gauges, encoding arrangements, and frequencies in like manner utilize. In this venture, I will portray the 125 kHz standard that is basic for get to control instruments.

125 kHz RFID labels are generally encased in a business card measured bit of plastic, or a round circle. The label comprises of a curl of wire, associated with a microchip. At the point when the tag is conveyed into nearness to a peruser, vitality is coupled inductively from the peruser to the microchip inside the tag.

The vitality from the peruser has double utilize; right off the bat, it gives energy to run the card, and also, it gives a correspondence medium to information to be transmitted. Once fueled up, the tag adjusts the bit design that is customized into the label utilizing a flag that the pursuer can distinguish. The peruser then peruses this bit example, and passes it onto the entryway controller. On the off chance that the bit design matches one that is approved, the entryway will be opened. In the event that the bit design does not coordinate an approved one, then the entryway won’t open.

In the RFID system that we are discussing in this example has this format:

1111111110010111000000000000001111100010111110111101001111010000

Manchester Encoding:

One interesting feature of the data transfer between the card and the reader, is that data is encoded using Manchester Encoding, which is a way of encoding data so that it can be transmitted over a single wire ensuring that the clock information is able to be recovered easily.  With Manchester encoding, there is always a transition in the middle of a bit.  If you want to transmit a 1, the transition would be from low to high, and if you want to transmit a 0, the transition would from from high to low.  Because the transitions are in the middle of each bit, you can ensure that you have locked onto valid data.

f2jqpyuggpfbgik-large
Figure 1: Data and Modulated Signal in 125Khz RFID Card

Simulations

We defined an RFID card with the unique ID 10 D3 9A 7C and another card with another unique ID. The white card has an authorized access and the black one it has not. We gave to the reader the UID that we want to give access to and we got the following results.

Screen Shot 2017-05-05 at 12.41.16 AM
Figure 2: Simulations of Authorized Cards and Unauthorized Card

This simulation shows that the reader recognized the authorized card just by identifying its unique ID. The same concept is used in locks and RFID-based credit cards.

Algorithms

Data Format:

I started building the RFID reader circuit in order to get the data that is send when the card is approximated to the reader. This step will allow me to discover the type of the data and the content. RFID cards have usually a number that is printed on them. This number is showing the data that is stored in the card. In my case, the numbers were hidden, but I got them directly from the RFID reader.

The card had 0007820706  119,21922, it transmits it in the following binary form:

1111111110010111000000000000001111011110101001010101000010101100.

If we investigate the transmitted signal, we will understand that the first set of bits “111111111” are the start sequence that is used to tell the reader that a key is coming, so it should interpret it. The reader uses it as well as a semaphore to lock the critical section while reading data.

From literature, I knew that the data is transmitted in groups of 4 bits and a parity bit at the end of every group. So, the data being sent can be divided into those groups as follows:

00101 11000 00000 00000 01111 01111 01010 01010 10100 00101 01100. If we ignore the parity bit for the moment, we can get:

0010 1100 0000 0000 0111 0111 0101 0101 1010 0010 0110. If we convert this data from binary to hexadecimal, we can get:

0010 : 2, 1100 : C, 0000 : 0, 0000 : 0, 0111 : 7, 0111 : 7, 0101 : 5, 0101 : 5, 1010 : A, 0010 : 2, 0110 : Checksum. So, this code can be rewritten simply as 2C007755A2. If we break this code into 3 parts, we get: 2C 0077 55A2. So, we should try to convert this number to decimal to compare it with the value stored in the card.

We have 2C which is just a constant that identifies the RFID cards, 0077 which is 119, and 55A2 which is 21922. So, this represent the second part that was written in the card 119, 21922. If we look at the number from a different angle, we have 7755A2 which is 0007820706 which represent the first part that is stored in the card.

At this point, we understood how the RFID cards work. So, if we take the number as a whole, it represents the first number of the card in hexadecimal. If we divide it into two parts, we get the second part in hexadecimal.

Error Detection Mechanisms:

We ignored the checksum early in this project in order to give a better overview of how RFID cards and locks work. So, the checksum is an error control mechanism to ensure that all the transmitted bits are received successfully. In our case, we used both vertical and horizontal even parity checks then adds up the elements to get a checksum that is sent at the end of the transmitted data. So, we get:

00101 2
11000 C
00000 0
00000 0
01111 7
01111 7
01010 5
01010 5
10100 A
00101 2
0110 checksum + 0 stop bit

At the level of the receiver, it adds the checksum to the sent data and takes its complement in order to check if the data was sent successfully or not.

Implementation:

Electrical Components:

Arduino UNO

RFID RC554

Cables

Circuit Design:

mifare_bb
Figure 3: Arduino Uno with RC554 Reader Circuit Sketch

Code in Arduino-C:

#include <SPI.h>
#include <MFRC522.h>
#define SS_PIN 10
#define RST_PIN 9
MFRC522 mfrc522(SS_PIN, RST_PIN);   

void setup() {
  Serial.begin(9600);   
  SPI.begin();     
  mfrc522.PCD_Init();   
  Serial.println("Waiting for cards...");
  Serial.println();

}
void loop() {
  if ( ! mfrc522.PICC_IsNewCardPresent()) {
    return;
  }

  if ( ! mfrc522.PICC_ReadCardSerial()) {
    return;
  }

  Serial.print("UID tag :");
  String content= "";
  byte letter;
  for (byte i = 0; i < mfrc522.uid.size; i++) {
     Serial.print(mfrc522.uid.uidByte[i] < 0x10 ? " 0" : " ");
     Serial.print(mfrc522.uid.uidByte[i], HEX);
     content.concat(String(mfrc522.uid.uidByte[i] < 0x10 ? " 0" : " "));
     content.concat(String(mfrc522.uid.uidByte[i], HEX));
  }
  Serial.println();
  Serial.print("Message : ");
  content.toUpperCase();
  if (content.substring(1) == "10 D3 9A 7C") { //change here the UID
    Serial.println("Authorized access");
    Serial.println();
    delay(3000);
  } else {
    Serial.println("Access denied");
    delay(3000);
  }
}

Importance:

The importance of this project is investigating the RFID bypassing techniques because the trend now is going into wireless locks. In addition, the new payment methods have become wireless as well. They use either the RFID or the NFC which are rich fields in terms of security. Research is not done at advanced levels since the locks as we demonstrated can be easily bypassed. This project is an attempt to raise awareness about those new technologies in order to protect the private lives of people in the future.

References

“Defining strong privacy for RFID.” ACM Transactions on Information and System Security (TISSEC). ACM, n.d. Web. 05 May 2017.

Drj113. “A Universal RFID Key.” Instructables.com. Instructables, 16 June 2016. Web. 05 May  2017.

“Security Access using MFRC522 RFID Reader with Arduino.” Random Nerd Tutorials. N.p.,  n.d. Web. 05 May 2017.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s