Anytime Fitness hacked! RFID/NFC tag duplicator vs. Access Control Systems



Executive Summary

The purpose of this assessment is to demonstrate, through a Proof-of-Concept, that ATF’s current mechanism for controlling user access to its facilities is compromised, and to propose a solution in response to this challenge.

Challenge

Currently, ATF (Anytime Fitness) implements keyless entry to its facilities by means of a low-frequency (125 kHz) RFID tag enabled Access Control System (manufactured by Farpointe Data Inc.).

In their present state, these Access Control Systems do not use encryption-protected RFID tags, and are therefore susceptible to “cloning”: an attacker can successfully copy an existing ATF-issued RFID tag with cloning instruments (RFID hacking devices) that are readily available to the general public.

RFID Cloning

RFID cloning is a process by which an RFID tag is duplicated and the copied tag code is then replayed to a target RFID reader. When this type of attack is performed successfully, an attacker physically gains privileged access to restricted areas without authorization.

Keysy (Low-frequency RFID hacking device)

Keysy is a low-frequency RFID tag duplicator that gives attackers the capability to clone RFID tags operating at 125 kHz. The Keysy device resembles a key fob in appearance and consists of 4 programmable buttons and an indicator LED (red, orange, and green). The Keysy device can act as the duplicated tag: pressing one of the 4 buttons programmed with a cloned RFID tag replays the copied tag to the target RFID reader (keyless Access Control System).

ATF Access Control System (current)

Anytime Fitness Low-Frequency 125 kHz Key Fob
Chip Type: T55x7
Modulation: FSK2a
Bit Rate: 4 — RF/50

Farpointe Data Inc., Low-Frequency RFID Card Reader

Proof-of-Concept

With the Keysy RFID tag duplicator, a user can program any of the 4 buttons by holding the button down while copying a target RFID tag. This is accomplished by placing the target RFID tag against the Keysy duplicator, aligned with the Keysy fob’s LED, and holding the button down until the LED flashes red and then turns green.

A green light indicates that the target RFID tag has been cloned successfully.

There are then two options for performing the replay attack. The first is to use the Keysy RFID tag duplicator itself as the RFID tag. This is achieved by holding the Keysy device next to the target RFID tag reader; if successful, the reader scans the Keysy as the RFID tag that was copied.

The second option is to duplicate the copied tag onto a blank low-frequency 125 kHz RFID tag: press the programmed button 5 times while holding the Keysy against the blank tag, during which the Keysy writes the stored RFID tag data to the clone.

The clone tag can now be used to obtain access to any ATF location.

Risk (7.1 High, CVSS)

Scored 7.1 (High) on the Common Vulnerability Scoring System v3.1.

Revenue Loss: The unauthorized duplication of credentials, if it continues on its current trajectory, would impact business profitability.

Liability: In the event of any incidents resulting from the unauthorized access (property damage, theft, etc.), Anytime Fitness could incur additional cost of business as a result. The risk factor here is high, considering the attack requires minimal effort. There is an additional risk of revenue loss due to intellectual property theft and counterfeiting markets, such as the Dark Web and marketplaces like eBay, where RFID access tags are being sold illegally.

Solution

The proposed solution is to implement an encrypted RFID function that combines the CRC-16 of the EPC Gen2 standard with its 16-bit RNG to hash, randomize and link protocol flows, which prevents cloning, impersonation, and denial of service attacks. This is attained with what is known as the “Duc-Park-Lee-Kim” protocol, which would require upgrading to an Ultra-High
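The following is an added illustration (not code from the original write-up, Anytime Fitness, Farpointe or Keysy) of why the Proof-of-Concept above works and what the proposed direction changes: a 125 kHz fob emits one fixed ID that any reader compares against a list, whereas a reader that challenges the tag with a fresh 16-bit nonce and checks a CRC-16-based response, built from the EPC Gen2 primitives named above, rejects a recorded answer. The fob ID, EPC and key are constructed sample values, and the exchange is a simplified scheme in the spirit of the cited protocol, not its published message format.

```python
import secrets

GEN2_POLY = 0x1021  # x^16 + x^12 + x^5 + 1, the EPC Gen2 CRC-16 polynomial

def crc16_gen2(data: bytes) -> int:
    """EPC Gen2 CRC-16: poly 0x1021, init 0xFFFF, final XOR 0xFFFF (a.k.a. CRC-16/GENIBUS)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ GEN2_POLY) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc ^ 0xFFFF

# --- Current state: the fob emits one fixed ID and the reader only checks membership ---
ENROLLED_FOB_IDS = {0x1D5F3A2C}  # constructed sample; real fob IDs are not on the page

def legacy_reader_accepts(emitted_id: int) -> bool:
    # A Keysy or a blank T55x7 programmed with the same bits is indistinguishable from the original.
    return emitted_id in ENROLLED_FOB_IDS

# --- Proposed direction: reader sends a 16-bit nonce; tag answers CRC-16(EPC || nonce) XOR key ---
# Note: CRC-16 is linear, not a cryptographic MAC; this shows the replay-resistant
# structure of a challenge-response, not a strength argument for the protocol itself.
TAG_EPC = bytes.fromhex("300833B2DDD9014000000000")  # constructed 96-bit EPC
TAG_KEY = 0x5A3C                                      # constructed 16-bit shared secret

def tag_response(epc: bytes, key: int, nonce: int) -> int:
    """Tag side: the answer depends on the reader's nonce, so a recorded answer is single-use."""
    return crc16_gen2(epc + nonce.to_bytes(2, "big")) ^ key

def reader_verifies(epc: bytes, key: int, nonce: int, response: int) -> bool:
    """Reader/back-end side: recompute with the shared key and the nonce it issued, then compare."""
    return tag_response(epc, key, nonce) == response

def fresh_nonce() -> int:
    return secrets.randbits(16)  # stands in for the tag/reader 16-bit RNG

def replay_outcome(recorded_nonce: int, fresh: int) -> tuple:
    """Eavesdropper captured (recorded_nonce, response) and replays the response to a later challenge.
    Returns (legitimate_tag_accepted, replayed_response_accepted)."""
    captured = tag_response(TAG_EPC, TAG_KEY, recorded_nonce)
    legit = reader_verifies(TAG_EPC, TAG_KEY, fresh, tag_response(TAG_EPC, TAG_KEY, fresh))
    replay = reader_verifies(TAG_EPC, TAG_KEY, fresh, captured)
    return legit, replay

if __name__ == "__main__":
    print("cloned static ID accepted by legacy reader:", legacy_reader_accepts(0x1D5F3A2C))
    print("(legit, replay) under challenge-response:", replay_outcome(0x1234, fresh_nonce()))
```

Passing the same nonce twice to replay_outcome shows the flip side: a reader that reuses nonces accepts the replay, which is why the 16-bit RNG is part of the proposal.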

References

Anytime Fitness PWNED! Keysy RFID tag duplicator NFC “cloning”…
https://www.youtube.com/watch?v=Qjpy5U7pqhQ

Efficient authentication scheme with tag-identity protection for EPC Class 2…
https://journals.sagepub.com/doi/pdf/10.1177/1550147717697321

Hacked Anytime Fitness Key Tags for sale on Ebay
https://www.ebay.com/itm/313845207963

Keysy hacking device
https://tinylabs.io/wp-content/uploads/2018/09/keysy_manual.pdf

The security of EPC Gen2 compliant RFID protocols
https://www.cs.fsu.edu/~burmeste/410.pdf