Radiofrequency identification (RFID) has been a key feature of physical security systems and inventory control monitoring for the better part of 50 years. Industries as diverse as agriculture, manufacturing, retail, and pharmaceuticals use RFID in their supply chains to track materials and products. Retailers use it for inventory control and analytics on shrinkage. RFID is also common in building access control systems.  

RFID is also part of the Internet of Things (IoT). The readers that accept information and validate the identifiers included in RFID tags are connected to a central network. This makes them components within the IoT architecture of the companies that use them. As such, they are vulnerable to threat actors in specific ways as they seek to exploit any potential weakness in their target companies. 

RFID Systems and the Internet of Things 

A functioning RFID system includes three pieces: the antenna, transceiver, and transponder. When the antenna and transceiver are in the same device, they make up an RFID reader. These can be mobile or fixed devices and are used in things like electronic locks or handheld scanners. The RFID readers send and receive electromagnetic signals from the transponder in the RFID tag itself. This signal transmits information to the reader that is then shown. 

The information on the RFID tag could be inventory information or a unique identifier (UID) designed to grant access to a facility or a secure room. The data on an RFID tag is hardcoded and unique, which can be problematic for long-term security. 

In general, there are two types of RFID tags:

• Passive Tags have to receive a radio signal from the receiver in order to function. This type of tag functions within a limited distance and doesn’t store a lot of data. This is the type of tag that’s used for indoor passes or inventory control.
• Active Tags have an onboard battery, which allows them to actively transmit their data over longer distances. They can transmit a far greater amount of data compared to passive tags. Think of passes mounted in cars for automated toll collection. 

These tags broadcast their information on low, high, and ultra-high frequency depending on type and use-case. High frequency is often used in near-field communication applications, which is mostly payment cards and some access badges. Ultra-high frequency is typically reserved for tracking large containers from a distance of more than 10 meters. 

Regardless of which frequency the information is broadcast over, an RFID reader is needed to collect the information. The reader need not have an interface. A smart lock, such as a badge reader, doesn’t have a screen for humans to read the data. It instead validates the badge or key – as in a hotel room door – against a database to ensure that the key should unlock that door or allow access to that space. For inventory control use, the RFID reader may be a handheld device that allows users to scan the tag and track items through a warehouse. Or it could be a system that scans from above to track the movement of tags throughout a physical space. 

RFID readers tend to be internet-accessible devices connected to a central network. This is where they align with the ideas of the Internet of Things most strongly, and where they present the biggest security risks. 

Common RFID Security Vulnerabilities 

RFID has a number of technical limitations and built-in vulnerabilities that create issues for security professionals. Basic RFID tags, especially the low-frequency variety, don’t possess any sort of data encryption at the source. High and ultrahigh-frequency tags are able to encrypt their information at some level, but they often use common standards that are easy to discover online. 

RFID tags also tend to be vulnerable to cloning, eavesdropping, and spoofing, to enable credential theft. The data transmitted between tag and reader is often plaintext, except with some of the newer “smart cards,” which makes it easy for threat actors to collect sensitive information from a distance. Once this information is collected, cybercriminals can use it to create counterfeit cards or trick readers into thinking they possess a legitimate access card. 

In terms of RFID readers, there are a number of recently reported vulnerabilities: 

• Saflok-brand RFID-based keycard locks were recently discovered to have security vulnerabilities in dormakaba’s saflok electronic RFID locks, commonly used in hotels and multi-family housing environments. These locks are used on more than 3 million doors across 13,000 hotels and multi-family housing environments in 131 countries. Dormakaba began rolling out a patch last November but it needs to be deployed one at a time on each door so it may be a slow rollout.
• Digoo DG-HAMB Smart Home Security System has missing encryption on its RFID tag, allowing the tag to be stolen easily with brief physical proximity. This could potentially allow criminals to break into homes with this security system. 

RFID as a technology has enough issues that it needs to be accounted for in inventory management and access control. Threat actors can easily build an RFID sniffer that sucks up numbers to potentially use them later, as demonstrated by security consultant Bishop Fox’s handheld devices. Organizations need to be aware of this and ensure that there is enough security wrapped around the RFID to ensure you remain uncompromised. 

These are just the weaknesses related to the tags themselves. The readers present the added issue of being IoT devices connected to your networks and potential avenues for additional lateral movement. Although these are featured-limited devices like smart locks, this does not mean that they cannot be used as a step in a larger attack chain. Especially given that the information on an RFID tag or access card is validated against a central list, which may be compromised because of stolen credentials used to access systems. 

How Asimily Supports RFID System Security

The Asimily platform is designed with IoT device security at the forefront. RFID readers are internet-accessible and feature-limited connected systems. Asimily can track RFID information at the point it reaches a network. Then it is like any other device monitored by Asimily and can be discovered, its vulnerabilities mitigated and anomalies detected for further investigation. 

Asimily also has patented vulnerability identification through its scanning capabilities. When building an inventory of devices connected to your network, Asimily gathers data from multiple sources like manufacturers’ Software Bills of Material (SBOMs) and EPSS to identify the riskiest known software and hardware vulnerabilities. This means that security teams can be informed about any possible RFID reader weaknesses for further hardening. 

Ultimately, having this strong security posture will make you more secure and ensure that data is not compromised. Asimily can help customers improve their security and make better decisions for how to protect their work.

To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.