[TIMESTAMP: 2026-05-22 05:27 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

RFID Vulnerabilities: Analyzing Ghost on the Wire Security Risks

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: Legacy physical access control systems are vulnerable to unauthorized entry through signal cloning and relay attacks using accessible hardware.
  • [02] Affected systems: Physical security deployments utilizing non-encrypted 125kHz proximity cards or legacy MIFARE Classic tags are at highest risk.
  • [03] Remediation: Organizations must transition to modern smart cards with mutual authentication such as MIFARE DESFire EV3 or HID iCLASS SEOS.

Recent security research highlighted by SANS ISC brings renewed attention to the vulnerabilities inherent in physical access control systems. The ‘Ghost on the Wire’ research, presented by Lennert Wouters, demonstrates that many widely deployed passive RFID tags lack the cryptographic protections needed to prevent cloning and relay attacks. While many security teams focus exclusively on CVEs in software, the physical layer is often a neglected vector, and a cloned badge can turn into full facility compromise.

Technical Analysis of Passive RFID Vulnerabilities

Passive RFID tags operate by harvesting energy from the electromagnetic field generated by a reader. Once powered, they communicate via backscatter modulation. The research underscores that the security problems of passive tags stem from the absence of authentication between card and reader. In legacy 125 kHz (Low Frequency) systems such as HID Prox, the card transmits a fixed identifier (typically a facility code and card number in a Wiegand format such as the 26-bit H10301) to any reader that energizes it. The same bits are sent every time, nothing is encrypted, and there is no challenge-response, so an attacker who captures the transmission once, whether with a long-range reader or a portable device such as a Proxmark3, can replay it from the device or write it to a blank T5577 tag and present that clone later to gain unauthorized access.
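To make concrete how little a legacy Prox credential contains, the following added example (not from the original article or the research it describes) decodes and re-encodes the 26-bit H10301 Wiegand frame: one even parity bit, an 8-bit facility code, a 16-bit card number, and one odd parity bit. The sample credential values are constructed for the demo. The point it demonstrates is that the two parity bits protect only against transmission errors; anyone who has seen the frame, or who simply guesses a card number for a known facility code, can produce a frame the reader will accept.

```python
# Added example: decode/encode the 26-bit Wiegand (HID H10301) format that a legacy
# 125 kHz Prox reader passes to the controller. There is no secret in the frame,
# so a captured or guessed frame is a working credential.

from dataclasses import dataclass


@dataclass(frozen=True)
class ProxCredential:
    facility_code: int  # 8 bits  (frame bits 1..8)
    card_number: int    # 16 bits (frame bits 9..24)


def decode_h10301(bits: str) -> ProxCredential:
    """Parse a 26-bit frame given MSB first as a string of '0'/'1'.

    Raises ValueError on bad length or parity. Note that parity is an
    integrity check for the wire, not authentication of the card.
    """
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    b = [int(c) for c in bits]
    # Bit 0 is even parity over bits 1..12; bit 25 is odd parity over bits 13..24.
    if sum(b[0:13]) % 2 != 0:
        raise ValueError("leading (even) parity check failed")
    if sum(b[13:26]) % 2 != 1:
        raise ValueError("trailing (odd) parity check failed")
    return ProxCredential(facility_code=int(bits[1:9], 2),
                          card_number=int(bits[9:25], 2))


def encode_h10301(cred: ProxCredential) -> str:
    """Build a valid frame for any facility code / card number: this is all a
    cloner (or a guesser) has to do, since no key is involved."""
    if not (0 <= cred.facility_code < 256 and 0 <= cred.card_number < 65536):
        raise ValueError("field out of range")
    payload = f"{cred.facility_code:08b}{cred.card_number:016b}"
    even = str(payload[:12].count("1") % 2)          # makes bits 0..12 even
    odd = str((payload[12:].count("1") + 1) % 2)     # makes bits 13..25 odd
    return even + payload + odd


def forge_next_card(captured_frame: str) -> str:
    """Given one sniffed frame, emit a valid frame for the next card number in
    the same facility. Shows why a 16-bit card space is trivially enumerable."""
    cred = decode_h10301(captured_frame)
    return encode_h10301(ProxCredential(cred.facility_code, (cred.card_number + 1) % 65536))


if __name__ == "__main__":
    # Constructed credential for the demo: facility 42, card 12345.
    frame = encode_h10301(ProxCredential(42, 12345))
    print(frame, decode_h10301(frame), forge_next_card(frame))
```

Running the block prints the 26-bit frame for the constructed credential and a second, equally valid frame for the neighbouring card number. A controller has no way to tell either of them from the badge actually issued.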

High Frequency (13.56 MHz) systems were intended to solve these problems, but they are not immune to well-developed attack techniques. For instance, MIFARE Classic tags rely on CRYPTO1, a proprietary 48-bit stream cipher that has been publicly broken since 2008. Published key-recovery attacks, implemented in tools such as the Proxmark3, recover sector keys in seconds to minutes. Once the keys are recovered, the attacker can dump and clone the entire contents of the tag, including data sectors that might be used for logic-based access decisions or stored-value applications.

Ghost on the Wire Mitigation Steps

The Ghost on the Wire research highlights that even when strong encryption and mutual authentication are present, relay attacks still succeed, because they do not break the cipher at all. In a relay scenario, an attacker uses two devices: one near the legitimate tag and one near the target reader. Every challenge and response is forwarded in real time over a wireless bridge, so the reader really is talking to the genuine tag, just over a longer path, and every cryptographic check passes. No key is ever recovered; what gives the relay away is the extra round-trip delay it introduces, which a reader only notices if it enforces a timing bound.
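The following added example (mine, not code from the original article or from the Ghost on the Wire research) simulates that exchange with both sides' messages: a reader challenges a tag, the tag answers with a MAC over both nonces, and the reader proves itself back. The relay is modelled as a link that forwards the messages unchanged but adds latency. HMAC-SHA256 stands in for the AES-CMAC a DESFire-class card would compute, and the shared key, UID and air-interface timings are constructed values, so the block runs on the standard library alone. It shows the three outcomes a practitioner should expect: a card without the key is rejected, the genuine card relayed from far away is accepted, and only a round-trip bound (not something the page's mitigation list includes) rejects the relayed session.

```python
# Added example: mutual authentication run through a relay. The crypto is sound
# and the relay never learns the key, yet the reader grants access, because it is
# genuinely talking to the legitimate tag. Only a round-trip-time bound exposes it.

import hashlib
import hmac
import os

# Constructed demo values; a real deployment diversifies the key per card.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CARD_UID = bytes.fromhex("04a1b2c3d4e5f6")
AIR_INTERFACE_RTT_S = 0.0005   # assumed card-in-field round trip for the demo


def auth_mac(key: bytes, *parts: bytes) -> bytes:
    """Stand-in for AES-CMAC: 128-bit tag over the concatenated parts."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:16]


class Tag:
    def __init__(self, key: bytes, uid: bytes):
        self.key, self.uid, self.last_nonce = key, uid, b""

    def respond(self, reader_nonce: bytes):
        """Answer a challenge: UID, fresh tag nonce, MAC over both nonces and UID."""
        self.last_nonce = os.urandom(8)
        return self.uid, self.last_nonce, auth_mac(self.key, reader_nonce, self.last_nonce, self.uid)

    def verify_reader(self, reader_nonce: bytes, reader_mac: bytes) -> bool:
        """Second half of mutual auth: the tag checks the reader knows the key."""
        return hmac.compare_digest(reader_mac, auth_mac(self.key, self.last_nonce, reader_nonce))


class Link:
    """Path between reader and tag. extra_latency_s models an attacker's relay hop."""
    def __init__(self, tag: Tag, extra_latency_s: float = 0.0):
        self.tag, self.extra = tag, extra_latency_s

    def exchange(self, reader_nonce: bytes):
        # Returns the tag's reply and the (simulated) measured round-trip time.
        return self.tag.respond(reader_nonce), AIR_INTERFACE_RTT_S + self.extra


def reader_authenticate(link: Link, key: bytes = SHARED_KEY, rtt_limit_s=None):
    """Reader side. Returns (granted, reason)."""
    reader_nonce = os.urandom(8)
    (uid, tag_nonce, tag_mac), rtt = link.exchange(reader_nonce)
    if not hmac.compare_digest(tag_mac, auth_mac(key, reader_nonce, tag_nonce, uid)):
        return False, "tag failed authentication"
    # Distance-bounding style check: a relay cannot hide the time it adds.
    if rtt_limit_s is not None and rtt > rtt_limit_s:
        return False, "round-trip time exceeds bound (possible relay)"
    reader_mac = auth_mac(key, tag_nonce, reader_nonce)
    if not link.tag.verify_reader(reader_nonce, reader_mac):
        return False, "reader failed authentication"
    return True, "access granted"


if __name__ == "__main__":
    genuine = Tag(SHARED_KEY, CARD_UID)
    clone_without_key = Tag(bytes(16), CARD_UID)       # UID copied, key unknown
    print("clone   :", reader_authenticate(Link(clone_without_key)))
    print("relay   :", reader_authenticate(Link(genuine, extra_latency_s=0.050)))
    print("bounded :", reader_authenticate(Link(genuine, extra_latency_s=0.050), rtt_limit_s=0.002))
```

The second line of output is the one that matters: the relayed session is accepted with the same key checks that rejected the clone. Upgrading the card's cryptography closes cloning, not relaying; the latter needs either the timing bound shown here or a second factor the attacker cannot forward.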

To address these risks, the following Ghost on the Wire mitigation steps are recommended for enterprise environments:

  • Transition to Advanced Protocols: Deprecate 125kHz proximity cards and MIFARE Classic HF tags. Move to credentials that perform AES-128 mutual authentication, such as MIFARE DESFire EV3 or HID iCLASS SEOS, so that a card cannot be cloned from a single read.
  • Implement Secure Messaging: Ensure that reader-to-controller communication uses the Open Supervised Device Protocol (OSDP) with Secure Channel rather than the legacy Wiegand interface, which carries the credential in the clear over the wire and is susceptible to sniffing and injection of forged frames.
  • Enforce Multi-Factor Authentication (MFA): For high-security areas, badge access alone is insufficient. A PIN or biometric second factor turns a cloned or relayed credential into only half of what the door requires.

Operationalizing Detection in the SOC

Security professionals must evaluate how to detect RFID cloning attacks within their existing SOC infrastructure. While the reader hardware may not provide traditional telemetry, modern access control systems can be integrated with a SIEM to identify anomalies. For example, an ‘impossible travel’ alert can be raised when the same credential is used at two sites in less time than any person could cover the distance between them. Likewise, a burst of ‘Access Denied’ events at a single door may indicate an attacker testing a batch of cloned or guessed identifiers; with legacy formats the 16-bit card number space is small enough to enumerate. Where OSDP is deployed, reader tamper and offline events belong in the same feed.
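The two detections described above, as an added example that is not part of the original article: it parses a constructed CSV export of door events (the column layout, site coordinates, 900 km/h travel ceiling and the five-denials-in-five-minutes threshold are all assumptions for the demo, not any vendor's format or a recommended tuning) and reports impossible travel per credential and denial bursts per door.

```python
# Added example: SIEM-style detections over constructed access-control events.
# Assumed export format: timestamp,badge,site,door,result (GRANTED|DENIED).

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample export. BADGE-1042 is used in London and Frankfurt 30 minutes
# apart; five different badges are denied at one server-room door within a minute.
ACCESS_LOG = """\
2026-05-22T08:02:11Z,BADGE-1042,HQ-LONDON,Lobby-North,GRANTED
2026-05-22T08:32:11Z,BADGE-1042,DC-FRANKFURT,Cage-3,GRANTED
2026-05-22T09:10:02Z,BADGE-2210,HQ-LONDON,Lobby-North,GRANTED
2026-05-22T09:10:40Z,BADGE-7001,HQ-LONDON,Server-Room,DENIED
2026-05-22T09:10:52Z,BADGE-7002,HQ-LONDON,Server-Room,DENIED
2026-05-22T09:11:05Z,BADGE-7003,HQ-LONDON,Server-Room,DENIED
2026-05-22T09:11:19Z,BADGE-7004,HQ-LONDON,Server-Room,DENIED
2026-05-22T09:11:33Z,BADGE-7005,HQ-LONDON,Server-Room,DENIED
2026-05-22T12:00:00Z,BADGE-2210,HQ-LONDON,Loading-Bay,DENIED
2026-05-22T17:45:00Z,BADGE-2210,DC-FRANKFURT,Cage-3,GRANTED
"""

# Assumed site locations (lat, lon) for the distance calculation.
SITE_COORDS = {"HQ-LONDON": (51.5074, -0.1278), "DC-FRANKFURT": (50.1109, 8.6821)}
MAX_SPEED_KMH = 900  # roughly airliner speed; anything faster is not a person


@dataclass(frozen=True)
class Event:
    ts: datetime
    badge: str
    site: str
    door: str
    result: str


def parse_log(text: str):
    events = []
    for line in text.strip().splitlines():
        ts, badge, site, door, result = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, badge, site, door, result))
    return sorted(events, key=lambda e: e.ts)


def km_between(a, b) -> float:
    """Great-circle distance (haversine) between two (lat, lon) points."""
    (lat1, lon1), (lat2, lon2) = a, b
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Flag a badge seen at two sites faster than max_speed_kmh allows.
    Denied reads count too: a cloned badge tried at the wrong door is still evidence."""
    last_seen, alerts = {}, []
    for e in events:
        prev = last_seen.get(e.badge)
        if prev and prev.site != e.site:
            hours = (e.ts - prev.ts).total_seconds() / 3600
            dist = km_between(SITE_COORDS[prev.site], SITE_COORDS[e.site])
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append((e.badge, prev.site, e.site, round(speed)))
        last_seen[e.badge] = e
    return alerts


def denied_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Flag doors with >= threshold DENIED events inside any sliding window."""
    by_door = defaultdict(list)
    for e in events:
        if e.result == "DENIED":
            by_door[(e.site, e.door)].append(e.ts)
    alerts = []
    for (site, door), times in by_door.items():   # times are in order: events sorted
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((site, door, end - start + 1))
                break
    return alerts


if __name__ == "__main__":
    events = parse_log(ACCESS_LOG)
    for alert in impossible_travel(events):
        print("IMPOSSIBLE_TRAVEL", alert)
    for alert in denied_bursts(events):
        print("DENIED_BURST", alert)
```

Both detections depend on the access control system exporting door events with consistent badge identifiers and site names; the first also needs a site-to-location table maintained alongside it. Tune the window and threshold against a baseline of normal denied reads (expired badges, wrong doors) before alerting on them.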

Adopting a Zero Trust architecture for physical environments means assuming the perimeter is already compromised. By treating physical access points as sensitive network nodes and monitoring them with the same rigor as logical assets, organizations can significantly mitigate the impact of hardware-based vulnerabilities.
