Bugtraq mailing list archives

RFID access control tokens widely open to cloning
From: Adam Laurie <adam.laurie () thebunker net>
Date: Mon, 11 Dec 2006 17:51:40 +0000

Too many systems to itemize here rely on the 'unique ID' of an RFID token to grant access to a system or building, and, in the case that these tokens are based on 125kHz or 134.2kHz standard tags, many of them may be vulnerable to relatively simple cloning attacks.

In a way this is nothing new - several researchers have previously presented attacks whereby RFID tags were emulated by custom built circuits which were able to fool readers into thinking that a genuine tag had been presented. However, the industry response was normally that this was not a 'real' threat, as it required specialist knowledge and equipment, and the resulting device was not a 'true clone' as it didn't have the same form factor as the original.

The difference here is that the 'clone' may actually follow the same form factor as the original, and is therefore indistinguishable not just to the reader, but also to the human eye. In addition, no specialist equipment or custom circuitry is required, and the 'clones' can be produced using off-the-shelf equipment, software and blank tags purchased perfectly legally over the Internet. In fact, the tags are only doing what they were designed to do in the first place: implement industry standards.

The problem is that many security system suppliers are integrating industry standard tag readers, and promoting the 'uniqueness' of the tag ID as a guaranteed certainty when it isn't, and thereby compromising the security of the entire system.

The two specific tag types I've looked at are:

  Trovan 'Unique', aka EM4x02

  FDX-B, aka EM4x05 - ISO-11784/5 (animal tags)

The description of the 'Unique' tag, from the Trovan website is as follows:

"The TROVAN UNIQUE™ Read-Only System is well-suited to applications that require a high level of data security. Unlike other vendors' factory preprogrammed lines, the protocol of the TROVAN UNIQUE™ line is patented, providing unmatched protection against unauthorised third-party cloning. Each transponder is programmed with a unique 10-digit ID code during manufacture. Comprehensive automatic test methods ensure that no code exists in duplicate in any of the TROVAN UNIQUE™ transponder types, and that codes are programmed correctly in a readable manner. Once the code is programmed at the time of the transponder's manufacture, it cannot be counterfeited or tampered with. A total of 550 billion unique ID codes is available."

Q5 are general purpose, multi-standard tags, that are capable of emulating other devices. I found that it was a standard feature of the Q5 chip to emulate a 'Unique' tag, and it was trivial to program a duplicate ID into one. The resulting tags were tested against three different systems that I have access to, and all three systems were unable to distinguish between the original and the 'clone'.

In response to my questioning the security of the Unique tags, the response I got from Trovan was: "There are a variety of H4102 versions, some of which can be emulated by a Q5 tag. Our tags are a custom version of the H4100 tag."

It should be noted that I am not pointing the finger at Trovan devices here, but the 'Unique' standard some of their tags implement and which are generally available as a generic tag type - it is sometimes hard to tell exactly whose devices or tags are used in a specific installation, but suffice it to say that I have found 3rd party systems (one at a very recent security systems show in London) that were vulnerable to EM4x02 style cloning. The equipment required to do this was a laptop and off-the-shelf RFID reader/writer, but it could just as easily have been a small handheld, and so a credible threat exists of simply swiping an access tag ID in a 'walk-by' of someone leaving a building, and then producing a clone which will give full access.

I am also able to produce what seem to be accurate clones of FDX-B tags (such as the one in my dog), and also VeriChip tags, in as much as a standard FDX-B reader such as you might find at your local vet will not be able to tell the difference. I have not been able to test if a genuine VeriGuard system would also be fooled, but VeriCorp's response when I took it up with them was:

"You can take a write once and re-writeable chip and put the VeriGuard ID number on this chip, and a lot of readers will read the ID and including the VeriGuard reader. I can not tell you every but their three things that tell are unit that it is a VeriChip 16 digits not 15, timing and one other thing. We call it copying not cloning because the can't get all the information need to send to the VeriGuard reader at the right time."[sic]

The latest release of the open source Python library, RFIDIOt (v0.1h), contains tools for programming both EM4x02 and EM4x05 tag IDs to Q5 or Hitag2 tags, and I would suggest that if you own (or supply) systems based on either of these standards, you use them to audit for this vulnerability.

Full details here:


Adam Laurie                         Tel: +44 (0) 1304 814800
The Bunker Secure Hosting Ltd.      Fax: +44 (0) 1304 814899
Ash Radar Station                   http://www.thebunker.net
Marshborough Road
Sandwich                            mailto:adam () thebunker net
CT13 0PL
UNITED KINGDOM                      PGP key on keyservers
