
RFID Fuzzing

From RFID Guardian


Objectives

This sub-project aims to expose unknown vulnerabilities in RFID systems. We propose to do so using fuzzing techniques.

Introduction

There are three distinct layers of interaction between an RFID transponder and the target middleware. These layers cover transmission, formatting, and content, and we refer to them as the framing layer, the command layer, and the application layer, respectively. Our fuzzing and testing efforts revolve around these three layers.

Framing Layer Fuzzing

The most fundamental layer is the framing layer, as it governs the RFID transmission mechanism: the transmission of bits and of framing delimiters (such as the “start of frame” delimiter). While these units are strictly defined in ISO 15693, the popular High Frequency (HF) standard, the strictness of interpretation is hardware-specific, so testing the system boundaries could prove useful. The variable elements in this case are the timing parameters, the frequencies used, and adherence to Manchester encoding. We expect that violating the standard in these respects would result in the message being either ignored or read incorrectly, much like a bit change in command layer fuzzing.

Command Layer Fuzzing

The next highest layer is the command layer. The command layer is the highest layer defined by the ISO standard. It governs request and response structure in ISO 15693. The data between the frame delimiters, the flags set, and the cyclic redundancy check (CRC) are all variables in this layer. How stringent is the reader software about the structure of the response frame? If the reply to a “read multiple blocks” request is significantly over the 8kB maximum, is the system at risk? These questions are easily tested with the right hardware. Peter Peerdeman did a bachelor project on command layer fuzzing; the report of that project can be seen here: Report
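To make the command-layer questions above concrete, here is an added example (not code from the RFID Guardian project or from Peter Peerdeman's report): a strict reader-side parser for a “read multiple blocks” response that checks the ISO 15693 CRC and the expected data length, together with a small generator of mutated frames (bit flips, corrupted CRC, oversized and truncated replies) of the kind a command-layer fuzzer would feed to such a parser. The 4-byte block size, the sample frame contents and the simplified response layout (flags byte, block data, CRC low byte first) are assumptions for illustration.

```python
import random

def iso15693_crc(data: bytes) -> int:
    """ISO/IEC 13239 CRC-16 as used by ISO 15693: reflected polynomial
    0x8408 (i.e. 0x1021), preset 0xFFFF, result complemented."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def build_frame(payload: bytes) -> bytes:
    """Append the CRC, least significant byte first, as the air interface does."""
    crc = iso15693_crc(payload)
    return payload + bytes([crc & 0xFF, crc >> 8])

def parse_read_multiple_blocks(frame: bytes, n_blocks: int, block_size: int = 4):
    """Defensive parser: returns (status, blocks). It never trusts the length
    or the flags of a received frame before checking them."""
    if len(frame) < 3:                              # flags byte + 2 CRC bytes minimum
        return "too_short", []
    payload, rx_crc = frame[:-2], frame[-2] | (frame[-1] << 8)
    if iso15693_crc(payload) != rx_crc:
        return "bad_crc", []
    flags, body = payload[0], payload[1:]
    if flags & 0x01:                                # error flag set by the tag
        return "tag_error", []
    expected = n_blocks * block_size                # assumed block size: 4 bytes
    if len(body) != expected:                       # oversized or truncated data
        return "bad_length", []
    return "ok", [body[i:i + block_size] for i in range(0, expected, block_size)]

def fuzz_cases(good_frame: bytes, seed: int = 1) -> dict:
    """Command-layer mutations of a valid frame, for exercising the parser."""
    rng = random.Random(seed)
    cases = {"valid": good_frame}
    i = rng.randrange(len(good_frame) - 2)          # flip a payload bit, not a CRC bit
    flipped = bytearray(good_frame)
    flipped[i] ^= 1 << rng.randrange(8)
    cases["bitflip_no_crc_fix"] = bytes(flipped)    # CRC no longer matches
    cases["bitflip_crc_fixed"] = build_frame(bytes(flipped[:-2]))  # valid CRC, changed content
    cases["oversize"] = build_frame(good_frame[:-2] + bytes(4096))  # far more data than requested
    cases["truncated"] = good_frame[:1]             # flags byte only
    return cases

if __name__ == "__main__":
    # Constructed sample: flags 0x00, two 4-byte blocks 00..07 (not a real tag dump).
    good = build_frame(bytes([0x00]) + bytes(range(8)))
    for name, frame in fuzz_cases(good).items():
        print(f"{name:22s} -> {parse_read_multiple_blocks(frame, n_blocks=2)[0]}")
```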

Application Layer Fuzzing

The application layer, the highest of the three, includes the middleware application. Here, tags have already been read and interpreted, and the data transferred is limited to the tag id and data payload. Risks at this level might include code injection or similar attacks with potential RFID malware, and they are greatest here because of the middleware's complexity. This layer has been the focus of our work.

Current project state

Work is underway to integrate the high level fuzzing tool BeStorm by Beyond Security. Our test platform is Oracle SES server.

Documentation

Contributors

Current

Nicolas Tittley (first.last@gmail)

Past

Andrew Richardson

Peter Peerdeman