{"id":97916,"date":"2020-01-06T21:01:14","date_gmt":"2020-01-07T05:01:14","guid":{"rendered":"\/blogs\/?p=97916"},"modified":"2024-06-26T01:04:37","modified_gmt":"2024-06-26T08:04:37","slug":"the-cloning-of-the-ring-who-can-unlock-your-door","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-cloning-of-the-ring-who-can-unlock-your-door\/","title":{"rendered":"The Cloning of The Ring \u2013 Who Can Unlock Your Door?"},"content":{"rendered":"

Steve Povolny contributed to this report.<\/em><\/p>\n

McAfee\u2019s Advanced Threat Research team performs security analysis of products and technologies across nearly every industry vertical. Special interest in the consumer space and Internet of Things (IoT) led to the discovery of an insecure design with the McLear NFC Ring a household access control device. The NFC Ring can be used to interact with NFC-enabled door locks which conform to the ISO\/IEC 14443A NFC card type. Once the NFC Ring has been paired with the NFC enabled door lock, the user can access their house by simply placing the NFC Ring within NFC range of the door lock.<\/p>\n

McLear<\/a> originally invented the NFC Ring<\/a> to replace traditional keys with functional jewelry. The NFC Ring uses near field communication (NFC) for access control, to unlock and control mobile devices, share and transfer information, link people and much more. McLear NFC Ring aims to redefine and modernize access control to bring physical household security through convenience. Their latest ring also supports payment capability with McLear Smart Payment Rings, which were not in scope for this research.<\/p>\n

Identity is something which uniquely identifies a person or object; an NFC tag is a perfect example of this. Authentication can be generally classified into three types; something you know, something you have and something you are. A NFC Ring is different from the general NFC access tag devices (something you have) as the Ring sits on your finger, so it is a hybrid authentication type of something you have and something you are. This unique combination, as well as the accessibility of a wearable Ring with NFC capabilities sparked our interest in researching this product as an NFC-enabled access control device. Therefore, the focus of our research was on NFC Ring protection against cloning as opposed to the door lock, since NFC access control tags and door locks have been well-researched<\/a>.<\/p>\n

The research and findings for this flaw were reported to McLear on September 25, 2019. To date, McAfee Advanced Threat Research has not received a response from the vendor.<\/p>\n

Duplicating Keys Beyond the Hardware Store<\/h2>\n

In the era of Internet of Things (IoT), the balance between security and convenience is an important factor to get right during the concept phase of a new product and the bill of materials (BOM) selection. The hardware selection is critical as it often determines the security objectives and requirements that can be fulfilled during design and implementation of the product lifecycle. The NFC Ring uses an NFC capable Integrate Circuit (IC) which can be easily cloned and provides no security other than NFC proximity. The NFC protocol does not provide authentication and relies on its operational proximity as a form of protection. The problem with NFC Tags is that they automatically transmit their UID when in range of NFC device reader without any authentication.<\/p>\n

Most consumers today use physical keys to secure access to their household door. The physical key security model requires an attacker to get physical access to the key or break the door or door lock. The NFC Ring, if designed securely, would provide equal or greater security than the physical key security model. However, since the NFC Ring can be easily cloned without having to attain physical access to the Ring, it makes the product\u2019s security model less secure than a consumer having a physical key.<\/p>\n

In this blog we discuss cloning of the NFC Ring and secure design recommendations to improve its security to a level equal to or greater than existing physical keys.<\/p>\n

NFC Ring Security Model and Identity Theft<\/h2>\n

All McLear non-payment NFC Rings using NTAG216 ICs are impacted by this design flaw. Testing was performed specifically on the OPN<\/a> which has an NTAG216 IC. The NFC Ring uses the NTAG 216<\/a> NFC enabled Integrated Circuit (IC) to provide secure access control by means of NFC communication.<\/p>\n

The NFC protocol provides no security as it\u2019s just a transmission mechanism. \u00a0The onus is on product owners to responsibly design and implement a security layer to meet the security objectives, capable of thwarting threats identified during the threat modeling phase at concept commit.<\/p>\n

The main threats against an NFC access control tag are physical theft and tag cloning by NFC. At a minimum, a tag should be protected against cloning by NFC; with this research, it would ensure the NFC Ring provides the same<\/em> level of security as a physical key. Ideal security would also protect against cloning even when the NFC Ring has been physically stolen which would provide greater<\/u><\/em> security than that of a physical key.<\/p>\n

The NTAG216 IC provide the following security per the NFC Ring spec<\/a>:<\/p>\n

    \n
  1. Manufacturer programmed 7-byte UID for each device<\/li>\n
  2. Pre-programmed capability container with one-time programmable bits<\/li>\n
  3. Field programmable read-only locking function<\/li>\n
  4. ECC based originality signature<\/li>\n
  5. 32-bit password protection to prevent unauthorized memory operations<\/li>\n<\/ol>\n

    The NFC Ring security model is built on the \u201cManufacturer programmed 7-byte UID for each device\u201d as the Identity and Authentication with the access control principle or door lock. This 7-byte UID (unique identifier) can be read by any NFC enabled device reader such as a proxmark3<\/a> or mobile phone when within NFC communication range.<\/p>\n

    The NFC Ring security model can be broken by any NFC device reader when they come within NFC communication range since the static 7-byte UID is automatically transmitted without any authentication. Once the 7-byte UID has been successfully read, a magic NTAG card<\/a> can be programmed with the UID, which forms a clone of the NFC Ring and allows an attacker to bypass the secure access control without attaining physical access to the NFC Ring.<\/p>\n

    The NFC Ring is insecure by design as it relies on the static 7-byte UID programmed at manufacture within the NTAG216 for device identity and authentication purposes. The NFC Ring security model relies on NFC proximity and a static identifier which can be cloned.<\/p>\n

    In addition, we discovered that the UIDs across NFC Rings maybe predictable (this was a very small sample size of three NFC Rings):<\/p>\n