I have read more since the initial post in regards to RFID hacking.

"Session replay" would probably be the best approach if you wanted to clone the contents of an RFID proximity card, access card, and so on... basically anything that uses static data on the card for identification. I have been informed that each RFID chip/card has a UID burned in, similar to MACs on network cards, so it's easier to replay this than to locate a blank card and burn the data.

So most of the research has been done here already, which brings me to the work done by www.rfidvirus.org.
They have some really good ideas about attacking the middleware using SQL injections, SSL includes, and buffer overflows on the reader-to-middleware interface. Some really good stuff.

What about attacking the reader itself and not the middleware... you wouldn't have to worry about "cloning" or "session replay" at this point. The ISO defines the protocol used to communicate from the reader to the card, then from the reader to the middleware, and so on... What if you were to attack the reader and exploit it directly, before even going through the middleware to the app logic?

I'm thinking that the middleware will send some type of confirmation to open a door for instance. So if you could reproduce this by exploiting the communication between the card and the reader you could open the door.

My thinking was more along the lines of when certain types of authentication or encryption are used... that if you could exploit the communication protocol itself, then you could bypass the proposed layers of security.

JP
www.packetfocus.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/