Tear-Off Tactics: Tools for Memory Precision

Supervisor(s): Ludwig Peuckert
Status: finished
Topic: Others
Author: Michael Pessel
Submission: 2024-03-31
Type of Thesis: Guided Research

Description

Radio Frequency Identification (RFID) has now been in use for more than two decades, and numerous attack vectors have been found for a variety of systems. Most of these attacks are specific to individual RFID systems. In recent years, however, a common hardware weakness in the Electrically Erasable Programmable Read-Only Memory (EEPROM) shared by most systems has been discovered: tearing a tag from the field at the right moment leaves its memory in an inconsistent state. As many RFID tags feature an EEPROM, this discovery paves the way for a new attack vector common to multiple RFID systems. In this work, we build on that discovery and present a systematic approach that leverages memory mapping and reliable weak-bit setting to exploit the tearing weakness. We use the Proxmark3, a versatile RFID research tool, to develop two tools that harness these weaknesses. The first tool automatically maps the memory layout of the tag's internal EEPROM, classifying each region as readable, writable, incrementing, decrementing or one-time programmable (OTP), in order to identify tearing points of interest. We then demonstrate how these tearing points can be exploited by setting inconsistent bits in the EEPROM. We evaluate our tooling on five different RFID tags and show that it is possible to automatically map their memory layout and identify tearing points of interest. We further outline our procedure for setting these inconsistent bits with a near 50/50 probability of reading as 0 or 1. We evaluate this procedure on the same five RFID tags and show that inconsistent memory can be set in a fully automated way.