Wednesday, May 24, 2023

Unlocking the Risks: Examining the Security Flaws of RFID Access Control Systems

In today's security-conscious world, access control systems play a crucial role in safeguarding various environments, from office buildings to parking decks. While basic RFID (Radio Frequency Identification) access control systems are commonly used, it is important to recognize their potential vulnerabilities and the security risks they may pose. In this article, we will explore the inherent weaknesses of such systems, using an example from a parking deck, and discuss the implications for security.

Understanding Basic RFID Access Control Systems

Basic RFID access control systems rely on access cards that contain a facility code and a serial number. These cards enable authorized individuals to gain entry to specific areas, such as parking decks or buildings. The facility code represents the particular location, while the serial number provides a unique identifier for each card.

Examining the Example

I've been experimenting with the Flipper Zero for a while now, and was absolutely thrilled when I found an old, rain-soaked, beat-up access card outside in the middle of the road. This card appears to have been there for at least a week, based upon the layers of rust on the lanyard. Undoubtedly whoever lost it has already gotten a replacement by now, so no sense in letting this opportunity go to waste. I'm not going to tell you which parking deck it's for, but it is a local parking deck within a few miles of my house.

Once the card dried off, I used my Flipper Zero to examine it. Much to my excitement, the card still worked despite its damaged state. I found it to be a 125 kHz RFID card without any encryption whatsoever. The key type on the card is H10301, and the data is encoded in hexadecimal format as 20 01 8A. By decoding this data, we can analyze its structure and potential vulnerabilities.

All data is encoded in hexadecimal format. The first piece of data we can decode is the facility code, which in hex is 20. Converted to decimal, 20 becomes facility code 32.

Next we can examine the serial number. In this case, the serial number in hex is 01 8A. Converted to decimal, this becomes serial number 394, which matches the 00394 serial number on the card.

We can now reverse engineer this card, and make our own cards. Of course I have no intention of actually doing so (plus the card is for an open air parking deck I can literally walk into), but let's take a look at how simple the process is. (I've uploaded all of the files to my GitHub if anyone wants to play around with them.)

So, if we wanted to gain access under someone else's card, all we need to do is view the back of their card, which has the serial number printed on it. For example, if we look at someone else's card and it has 00123, we just need to adjust our Flipper generated card accordingly. Facility code will stay at 32, so that converts to 20 in Hex. Serial number 123 becomes 00 7B in Hex. So our new card will need to have the data: 20 00 7B. Now I simply need to create a new RFID card file on my Flipper Zero with that data, and I should be able to park for free.

These old outdated systems are still commonly used across the globe. Unfortunately, as long as these older systems are still used, many places will be very vulnerable.

Identifying Vulnerabilities

  • Unencrypted communication: Basic RFID access control systems often lack robust encryption protocols, leaving the communication between the card and the reader susceptible to interception. This vulnerability opens the door for potential unauthorized access and cloning attempts.
  • Visible serial numbers: In the example of the access card found, the serial number is printed on the back of the card, making it easily visible to anyone who comes across it. This presents a significant security risk, as the exposed serial number can be exploited to create duplicate cards for unauthorized access.
  • Limited authentication measures: Basic access control systems usually rely solely on the facility code and serial number for authentication. These simple identifiers are relatively easy to replicate or manipulate, thereby compromising the system's overall security.

Security Implications for Parking Decks and Similar Systems

  • Unauthorized access to restricted areas: The vulnerabilities inherent in basic RFID access control systems create opportunities for unauthorized individuals to gain entry to restricted areas, such as parking decks or buildings. By obtaining or replicating a legitimate access card, malicious actors can bypass security measures and potentially engage in illicit activities or misuse parking facilities.
  • Cloning attacks and misuse: The lack of encryption and the visibility of the serial number on access cards make them susceptible to cloning attempts. Malicious individuals can exploit this vulnerability by creating duplicate cards with adjusted facility codes and serial numbers, allowing them unauthorized access to parking decks and potentially causing disruptions or committing fraudulent activities.
  • Social engineering risks: The simplicity of basic access control systems, coupled with visible serial numbers, increases the likelihood of social engineering attacks. By manipulating individuals or convincing them to share their access cards or card information, unauthorized individuals can gain entry, jeopardizing the security and integrity of sensitive areas.

Enhancing Access Control System Security

To mitigate the risks associated with basic access control systems, several security measures should be implemented. Some of these measures require complete replacement of access control systems with newer systems, while others address the human element.
  • Encryption and secure communication: Employing strong encryption protocols between access cards and readers can protect against eavesdropping and unauthorized cloning attempts.
  • Two-factor authentication: Implementing additional layers of authentication, such as PIN codes or biometric verification, can enhance the security of access control systems. This makes it more difficult for unauthorized individuals to gain entry, even if they possess a cloned access card.
  • Regular audits and monitoring: Conducting periodic audits and monitoring access logs can help detect any suspicious activities or anomalies. This enables prompt identification and response to potential security breaches.
  • Employee education and awareness: Training employees about the importance of access control system security, the risks associated with unauthorized sharing of cards, and the need to report lost or stolen cards can significantly improve overall system security.
Overall, newer systems contain much better security measures to prevent RFID card cloning, and hopefully will be adopted much more commonly soon.
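
The audit and monitoring measure above can be partly automated. The following is an added example, not code from the original post: it reads access-log lines carrying the 3-byte card data shown earlier (facility code, then a 2-byte serial number) and flags two patterns that a cloned or guessed card tends to leave behind. The log format, reader names, enrolled-card list and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SITE_FACILITY_CODE = 32            # facility code from the article's card (hex 20)
ENUM_WINDOW = timedelta(minutes=5) # assumed look-back window
ENUM_THRESHOLD = 3                 # assumed: distinct unknown serials per reader per window

# Constructed list of issued serial numbers (the two serials used in the article).
ENROLLED = {394, 123}

# Constructed sample log: timestamp, reader, direction, raw card data as hex bytes.
SAMPLE_LOG = """\
2023-05-24T08:01:10 gate-1 IN 20 01 8A
2023-05-24T08:15:42 gate-1 IN 20 00 7B
2023-05-24T09:30:05 gate-1 IN 20 01 8A
2023-05-24T17:02:00 gate-2 OUT 20 01 8A
2023-05-24T22:10:01 gate-1 IN 20 03 E8
2023-05-24T22:10:20 gate-1 IN 20 03 E9
2023-05-24T22:10:41 gate-1 IN 20 03 EA
"""


def decode_card(hex_bytes):
    """Split the 3 data bytes into (facility code, serial number)."""
    raw = bytes.fromhex("".join(hex_bytes))
    if len(raw) != 3:
        raise ValueError("expected 3 data bytes")
    return raw[0], int.from_bytes(raw[1:], "big")


def parse(log_text):
    """Yield (timestamp, reader, direction, facility code, serial) per log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, reader, direction, *data = line.split()
        fc, card = decode_card(data)
        yield datetime.fromisoformat(ts), reader, direction, fc, card


def audit(log_text, enrolled=ENROLLED):
    """Return a list of (alert kind, timestamp, reader, serial) tuples."""
    alerts = []
    inside = {}                   # serial -> time of last IN with no OUT since
    unknown = defaultdict(list)   # reader -> recent (time, serial) of unenrolled cards
    for ts, reader, direction, fc, card in parse(log_text):
        if fc != SITE_FACILITY_CODE:
            alerts.append(("foreign_facility_code", ts, reader, card))
            continue
        if card not in enrolled:
            # Several different never-issued serials at one reader in a short
            # window suggests someone is stepping through serial numbers.
            recent = [(t, c) for t, c in unknown[reader] if ts - t <= ENUM_WINDOW]
            recent.append((ts, card))
            unknown[reader] = recent
            if len({c for _, c in recent}) == ENUM_THRESHOLD:
                alerts.append(("card_number_guessing", ts, reader, card))
            continue
        if direction == "IN":
            # The same serial entering twice with no exit in between means two
            # cards (or a card and a copy) share one identity.
            if card in inside:
                alerts.append(("passback_violation", ts, reader, card))
            inside[card] = ts
        else:
            inside.pop(card, None)
    return alerts


if __name__ == "__main__":
    for kind, ts, reader, card in audit(SAMPLE_LOG):
        print(f"{ts.isoformat()} {reader} {kind} serial={card:05d}")
```

Because the card carries nothing but these two numbers, log correlation of this kind is the only place a copy becomes visible on a legacy system; it detects misuse after the fact and does not replace moving to cards with cryptographic authentication.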

Conclusion

While basic access control systems provide a level of convenience and security, it is crucial to acknowledge their inherent vulnerabilities. The ease with which access cards can be cloned or manipulated poses a significant risk to the overall integrity of the system. By implementing stronger security measures, including encryption, two-factor authentication, and regular monitoring, organizations can fortify their access control systems and mitigate potential threats. Maintaining a robust and secure access control system is vital for safeguarding sensitive areas and ensuring the protection of individuals and assets. The vulnerable access control systems of yesterday must be replaced, if we're truly going to properly secure our physical world.

Ken is a Cybersecurity practitioner with over 15 years experience. All opinions are his own, and do not reflect those of his employer or clients.

Tuesday, May 16, 2023

Understanding the Risks of Mastodon: A Closer Look at its Decentralized Model

Mastodon, a decentralized social network, has gained attention for its alternative approach to online social interactions. While it offers unique benefits, such as data ownership and community-driven moderation, it's important to be aware of the risks it presents when compared to other social networks. This article explores the potential risks of Mastodon and discusses why it is not a true peer-to-peer solution.

Instance Reliability and Data Loss

Mastodon instances, typically operated by individual administrators or small groups, may lack the resources and stability of larger platforms. This can lead to instances shutting down abruptly without warning, potentially resulting in data loss for users. Unlike centralized networks that invest in redundant servers and backup systems, smaller Mastodon instances may have limited capacity to ensure data integrity or facilitate smooth data migration during closures.

Fragmented User Experience

The decentralized nature of Mastodon means that each instance has its own community, rules, and moderation policies. While this allows users to find communities that align with their interests, it also introduces a fragmented user experience. Moving between instances can be challenging, as users must create new accounts, build followerships from scratch, and adapt to different community dynamics. This fragmentation can impede the growth and adoption of Mastodon on a broader scale, as it lacks the unified experience offered by centralized social networks.

Lack of Standardization and Interoperability

Mastodon's decentralized model, although fostering diversity, does not provide a true peer-to-peer solution. Unlike protocols like ActivityPub that facilitate cross-platform communication, Mastodon's implementation relies heavily on the federation of instances. This lack of standardization and interoperability means that Mastodon users cannot directly interact with users on other decentralized platforms unless they are also part of the same instance federation. This limitation hinders the vision of a truly open and interconnected social web.

Moderation Challenges

Decentralized networks like Mastodon place a significant burden on individual administrators to enforce community guidelines and combat abusive or harmful behavior. While this approach allows for diverse moderation practices, it also introduces inconsistency in moderation standards across instances. Instances may have varying degrees of effectiveness in addressing harassment, hate speech, or other forms of misconduct. Users may face challenges in finding instances that align with their preferred moderation practices or that provide effective mechanisms to report and address issues.

Limited Discovery and Network Effects

One of the strengths of centralized social networks is their ability to leverage network effects, where a large user base enhances the value and reach of the platform. In Mastodon's decentralized model, instances operate independently, and user interactions are restricted to the specific instance they belong to. This limits the discoverability of new users and content and can lead to smaller, more isolated communities forming. Mastodon may struggle to achieve the same level of user adoption and engagement as centralized platforms due to the lack of network effects.

Conclusion

While Mastodon's decentralized model brings several advantages, it also introduces certain risks and limitations when compared to centralized social networks. The reliance on individual administrators or small groups can lead to instance closures and data loss. Fragmented user experiences, lack of standardization, and limited interoperability challenge Mastodon's potential as a true peer-to-peer solution. Moderation challenges and the absence of network effects further impact user experience and platform growth. To make informed decisions about their social networking choices, users must consider both the benefits and risks presented by Mastodon and understand the trade-offs associated with its decentralized approach.

Ken is a cybersecurity professional with over 15 years experience. All opinions expressed are his own, and not reflective of his employer or clients.

Wednesday, May 10, 2023

Moving Beyond Web3 - How Peer-to-Peer and Personal Branding is the Future of Communication


Commonly I see Web3 being associated with decentralized finance, blockchain, cryptocurrency, and NFTs. And while that's likely an excellent example of Web3, that's not what Web3 truly is at its core. Web3 is much more than that. Web3 is a true information revolution, laying the foundations for Web4. I had a great conversation last night with the Diamond Hand Media Group about this concept, and thought I'd go a little more in-depth here.

Let's step in the time machine for a moment and go through the history of the web. And I, being older than the Internet, can happily step you through.

Web1 - Static websites, news sites, email. Everybody paid per minute for access to the web. Sign on, find what you need, sign off so you don't get charged extra.

Web1.5 - This is when the potential of the web started to take shape. We added in chat rooms, instant messaging, and forums. Geocities let us even publish our own (limited) webpages! And now, unlimited internet access!  Suddenly, the world got a little bit smaller, as we started to communicate across the globe.

Web2 - Behold, broadband and social media! YouTube, Myspace, and eventually Facebook and Twitter! Blogs also started to rapidly grow, and the redistribution of content creation from commercial publishers to users started to take shape. But unfortunately, commercial publishers looked to continue controlling the narrative, continue controlling the audience, continue controlling the message. Everything is still centrally managed and owned by a select few companies, and social media "networks" aren't actually networks at all, but distribution hubs. One-way live streams of audio and video start to take off, because we actually have the internet connection speeds to support this type of content.

Web2.5 - Gnutella, Limewire, and other filesharing networks enter the stage, and early peer-to-peer distributed computing is born.

Web3 - Distributed finance, distributed content, distributed knowledge. Through blockchain, crypto, and NFTs, "digital ownership" can be established for assets, and distributed finance can allow for digital currency transactions without the need for a bank or the Federal reserve. For content creation, anyone can create content and share with others, and even have multi-party livestream audio and video sessions. No longer are we locked into getting our news and information from publishers, but instead shared directly person-to-person. But this person-to-person sharing is still limited to rely on distribution hubs such as social media networks, and even when using a network such as Mastodon (which could arguably be considered Web3.5), users still rely on a centralized hub to connect. Love him or hate him, the effects of this concept of direct person-to-person information sharing are now showing through Tucker Carlson's announcement of his own show on Twitter, and the massive reach this announcement has achieved. Carlson is now, on his own, likely going to get just as many if not more viewers on his own personal show than he did through Fox News. What we're now seeing is a shift from "trusted sources" such as news outlets to "trusted voices" such as the personalities we once saw on those news outlets. Those trusted voices will become the face of those organizations, and the reason people trust those sources - not because of the company name and the people behind it, but because of the people in front of it! This shift is why I've started focusing more on my own personal brand in the cybersecurity community, in addition to helping grow the brand of the fantastic company I'm working for. Only by moving in front of the brand instead of hiding behind it, can I be considered a "trusted voice" and help that company brand grow.

While distributed finance without a central bank sounds great in theory, it's still difficult to implement. Many would argue that cryptocurrency's potential downfall is the now heavy reliance on crypto exchanges which are now going bankrupt, and in the process resulting in significant reductions in the value of crypto currencies.

Some of you might be too young to remember the dot com bubble burst. There was a lot of speculation, a lot of investing in companies which never should have been invested in, but all a company had to do to get investors was talk about how they were going to revolutionize their industry through the internet. The result of course was extreme overvaluation of the companies, and when these companies failed to live up to their promises, the investors lost significant amounts of money.

Bitcoin 5 Year Value - Source: Google

Crypto currency is now facing the aftermath of a similar bubble. The collapse of crypto exchanges is very similar to the dot com bubble burst, in that the exchanges were causing crypto to become extremely overvalued. Unfortunately, with some exchanges still in operation, it's quite possible that this burst hasn't quite finished yet, but only time will tell. Personally, I prefer to invest in much more tangible assets I can directly influence the value of, such as real estate, than investments I have little to no control over. I currently have a wonderful property in Florida that is sitting in an upcoming neighborhood and will absolutely skyrocket in value once I build a house on it. The key here is that I can directly influence the value of the property by improving the property. With crypto currency, or even the stock market for that matter, I am but a bystander at a horse race, hoping that my bet will win. That's not investing in my opinion, that's just gambling. In fact, often I would be better off taking that money to the horse track, because at least at a horse track I know what my odds are of winning, and how much I'll make if I do win.

Full disclosure, I sold all my crypto currencies several years ago when I started to see indicators that the market was in a bubble and about to burst. I'm glad I did, because those investments would today be worth a fraction of what I sold them for. I didn't make much from this, as I only had about a hundred dollars invested anyway. But getting a hundred dollars back is much better than getting only twenty-five. With that said, I believe that crypto currencies are not the future of the web, but blockchain is in fact an important building block for the future of the web, and the true currency of tomorrow - information.

So what's next? What comes after distributed finance, crypto currency and Web3? 

Web3.5 - Artificial intelligence such as ChatGPT will help further pave the road for Web4. Much like the traditional OSI computing "layer" model, information will develop its own layers which ChatGPT will help revolutionize. I'll write further on this in a future blog, but think of information as "raw data" with an accompanying "presentation layer", i.e. formatting, or even illustrations. DALL-E and ChatGPT have the ability to take raw data or concepts and turn them into presentable information, ready for consumption by others. This helps further break down barriers for users by helping build useful content with less time and fewer resources. By the way, the illustration at the beginning of this article was AI generated, though I opted not to have AI write the article. After all, I still take much enjoyment in writing, and I won't let a computer deny me that.

Web4 - The Web4 revolution will remove the content distribution hubs for information. Content will be shared directly with users peer-to-peer. Not only does this create a failsafe redundancy in case a social media outlet goes down, but it also creates the opportunity to operate without censorship. And no, sorry Mark Zuckerberg, but virtual reality "Metaverse" will not be part of the Web4 revolution. The Web4 revolution will focus more on the digitally connected world which is constantly mobile, and until we get better augmented reality glasses to connect to our mobile phones, our digital conversations will remain in the two dimensional world. Don't get me wrong, virtual reality will absolutely play an important part in our lives in the future, but won't be the "virtual Facebook" experience that Zuckerberg is hoping for - because at that point, most content distribution will be peer-to-peer instead of centrally managed. This is also going to shift branding away from corporate branding as trusted sources and more towards personal branding and trusted voices. By building to make yourself a trusted voice now through your own personal branding, you'll be much better positioned to be viewed as an expert in your field with the Web4 transition.

Think of the Web4 content sharing concept like a relay network of walkie-talkies. You broadcast your message on a frequency that others are tuned into, and the recipients of your message then pass on that message to others within their listening area. Eventually your message makes it across the entire network. We could then enhance this communication to include unique signatures through blockchain, ensuring that you were indeed who you say you are, and that your message wasn't tampered with.

The beautiful part of this approach is that it becomes self regulating, and users share their content with other users who want to see that content. If a user doesn't like the content you're distributing, they simply need to block your posts, and in the process block the re-distribution of your content through their network node. Like users will find like users, and corporate censorship will be a thing of the past. Now I know that this causes concerns for illegal content, but I'm quite confident that through the non-repudiation part of the blockchain, law enforcement would be able to successfully find the originator of such content and prosecute accordingly. After all, they were able to shut down Silk Road.

Web3 has absolutely laid the foundation for the distributed communication and information sharing of tomorrow. I find myself more and more interested in ongoing conversations on Discord and Twitter Spaces, and it's fantastic some of the information you can learn just by listening, and the relationships you can build by participating. There are already some applications out there under development for Web4 distributed communication and social network sharing. I've tried them, I love the concept. They're young, they're buggy, they're absolutely not ready for prime time. But I think with a lot of nurturing, and support from the community for such projects, these Web4 applications will begin to shine, and give the power back to the people for sharing information, with Web3.5 helping people build that content for Web4. 

In the meantime, start working on that personal branding and becoming a "trusted voice" - you're going to need it sooner than you think.

Ken is a cybersecurity professional with over 15 years experience. All opinions are his own, and do not reflect those of his employer or clients. I am not a financial advisor, don't use this for investing advice.

Tuesday, May 2, 2023

Is Quantum Computing the Achilles Heel of Cryptocurrency?

The world of cryptocurrency has experienced explosive growth over the past decade, with Bitcoin and other digital currencies becoming increasingly popular as a means of payment and store of value. However, one of the biggest threats to the future of cryptocurrencies is the emergence of quantum computing.

Quantum computing is a technology that harnesses the power of quantum mechanics to perform calculations exponentially faster than traditional computers. While this is an exciting development with many potential benefits, it also poses a significant risk to the security of cryptocurrencies.

The security of most cryptocurrencies, including Bitcoin, is based on complex mathematical algorithms that are designed to be resistant to attacks from traditional computers. These algorithms are based on the difficulty of solving certain mathematical problems, such as factoring large numbers, which are believed to be computationally infeasible for classical computers. However, quantum computers are able to solve these problems much faster than classical computers, which means that they could potentially be used to break the security of cryptocurrencies.

One of the most significant risks posed by quantum computing is the potential for an attacker to use a quantum computer to perform a so-called "51% attack" on a cryptocurrency network. In a 51% attack, an attacker gains control of more than 50% of the computing power on a network, which allows them to manipulate transactions and potentially double-spend coins. This type of attack is currently difficult to carry out on most cryptocurrencies, but a quantum computer could make it much easier.

Another risk posed by quantum computing is the potential for an attacker to break the cryptography that is used to secure cryptocurrency wallets. Most cryptocurrencies use public-key cryptography, which relies on the difficulty of factoring large numbers. If a quantum computer is able to factor large numbers quickly, it could potentially break the security of these wallets and allow an attacker to steal funds.

There are also concerns that quantum computing could be used to break the cryptography used to secure the Bitcoin blockchain itself. The Bitcoin blockchain is a decentralized ledger that records all transactions on the network. It is secured by a complex cryptographic algorithm known as SHA-256. While this algorithm is currently believed to be secure, it is possible that a quantum computer could be used to break it.

Despite these risks, it is important to note that quantum computing is still in its early stages of development, and it may be several years or even decades before it poses a significant threat to the security of cryptocurrencies. In the meantime, researchers are working to develop new cryptographic algorithms that are resistant to quantum attacks.

In conclusion, while quantum computing represents a major threat to the security of cryptocurrencies, it is important to keep these risks in perspective. Cryptocurrencies have already faced many challenges in their short history, including hacking attacks, regulatory scrutiny, and price volatility. However, they have continued to grow in popularity and adoption, and it is likely that they will continue to do so in the future. As long as developers are able to stay ahead of the curve and develop new security measures to protect against quantum attacks, cryptocurrencies will remain a viable and valuable asset class for years to come.

Ken is a Cybersecurity professional with over 15 years experience. All opinions are his own, and do not reflect those of his employer or clients.
