CLONING ATTACKS AGAINST NFC-BASED ACCESS CONTROL SYSTEMS

Abstract: The wireless communication methods Near Field Communication (NFC) and Radio FrequencyIdentification (RFID) are today used in different products such as access cards, smartphones, andpayment cards. An effective attack against this type of technology is cloning attacks. Cloning attacks can deceive access control systems which may cause serious damage to organizations such asinformation leakage and financial loss. This type of attack attempts to deceive a system with anillegitimate cloned card that may be an identical copy of all the data on a card, parts of the data, orperhaps only by using its identification number. Therefore the existing security flaws that cloningattacks exploit are an important threat for organizations to acknowledge and manage. This thesis focuses on evaluating three different access control systems in use and demonstratessecurity flaws that exist in these systems. The systems are evaluated by how data can be extractedfrom the access control cards, this includes the time to collect all the data, reading distance, andinterfering objects. Systems are also evaluated by what information the systems validate. Compatible equipment for evaluating the different systems is necessary such as readers, writers, and otherpenetration testing tools. The type of card that the systems use is called Mifare classic whereastwo of the systems used a 1K version and one a 4K version, specifying the amount of availablememory on the card itself. The equipment also made it possible to perform and verify cloningattacks through different processes such as simulation and sniffing to explore what information certain access control systems deem necessary on the access cards. Rigorous experiments on the systems and the results reveal that crucial information on the accesscards could easily be extracted, reused, and simulated for accessing two of the systems. One systemproved to be more secure since it required more advanced methods to clone cards that the systemaccepted. The results of this thesis demonstrate that the evaluated access control systems cannotbe considered secure without additional layers of security added to them, instead, it is important tokeep the back-end system maintained through various applicable means.