Security Review: Stevens Pass RFID Lift Access

By Erik Turnquist at 2:27 pm on February 6, 2009

The Stevens Pass ski resort has recently implemented a new RFID lift ticket access system for all of its chair lifts. Although this greatly improves convenience and may shorten lift lines, it is vulnerable to several attacks which could prevent it from functioning or allow a malicious skier to access the lifts without a proper lift ticket.

The new ski passes were introduced for the 2008-2009 season and drastically change the lift ticketing system. Once an RFID lift ticket has been obtained, the user no longer has to have it manually scanned by a lift operator; it is now processed automatically by an RFID reader. When preparing to get on a lift, the user enters through a gate which contains an RFID reader. The gates are programmed so that only a user with a valid RFID ticket will be let through. The lift operator also has a manual override which can temporarily open or close the gates on demand. Furthermore, if a ticket is backed by a credit card and it is the holder's first lift access of the day, the reader can signal for a charge to be placed automatically on that credit card. If the ticket is not backed by a credit card, then the system marks the ticket as in use for that day. A user may also go to the Stevens Pass online store and put daily tickets onto the account linked to their RFID card, which saves them from having to stand in the ticketing line.

The RFID ticket itself does not store any personal data, only a randomly assigned number that represents an account ID. As previously stated, this can be linked to a Stevens Pass online store account, or used once. Either way, the unique ID is always looked up in a database which records whether the ticket is valid for that day when the user passes through a reader. When purchasing a ticket, the ticketing office advises users not to put their cellphone in the same pocket as the ticket because it may cause the readers to malfunction due to radio interference.

In my own personal experience, the RFID tickets were not always reliable and often scanned as invalid even when they were valid. If this occurred, the lift operators never checked the validity of the pass itself, and would simply open the gates. Furthermore, I tested the system with a season pass that did not belong to me and contained a picture of whom it belonged to, with their birth date. The ticket's owner was a friend of my family who is approximately 10 years old, so if they had checked my ticket they definitely would have been able to tell that it was not mine (I did purchase a valid ticket for that day; this ticket was used simply for testing). Occasionally, the lift operators would open the gates and not check passes because they were tired of having to help people with tickets that would not scan.

Assets & Security Goals:

  • Prevent unauthorized ticket holders from gaining access to lifts: The reader, tickets, and lift operator should be able to distinguish falsified tickets from genuine ones.
  • Secure back-end database of tickets: An attacker should not be able to modify content in transmission to the database, or the database itself. This is especially important because the database may contain credit card information.
  • Online store should make secure transactions: An attacker should not be able to compromise the data, or supply invalid information. Each RFID ticket registered on the store must be associated with a single person.

Potential Adversaries & Threats:

  • Ticket thief: There is almost nothing stopping a user from obtaining an RFID ticket and duplicating the random number embedded in it. This would allow multiple people to ride while paying for only one pass, because the reader cannot tell the duplicate ticket from the original.
  • Malicious User: A user may prevent any of the RFID readers nearby from working properly. A radio antenna in a backpack could easily jam all readers for a ski lift and be difficult to detect. If this were to occur, the lift operators would probably open up the gates and let people through because they thought that the reader was simply defective. This kind of user could be a person who simply wants a group of friends to be allowed onto the ski lift, or a competitor of the resort who wants to reduce its ability to check for valid tickets.
  • Fraudulent User: Depending on the reader-to-database scheme implemented, an attacker may be able to cause unsuspecting people to have their credit cards charged, by using an attack that controlled the reader and the data transmitted to the database. For example, if the communication between the reader and database were unencrypted, the attacker could simulate an action that might cause a credit card to be charged. I emphasize might in this case, because I have no knowledge of what data is actually transmitted.

Potential Weaknesses:

  • The readers themselves are subject to tampering and/or defacing, which could prevent them from functioning properly or may cause the data they transmit to be altered. To my knowledge there is no authenticity check for the readers that can make sure they are behaving as expected.
  • If the transmission from the readers to the database is not protected properly, then an attacker may be able to modify the data transmitted from the readers. This attack could either prevent anyone from being accepted by the gate (by changing the transmitted unique ID), or could result in unauthorized credit card transactions.
  • Reading the tickets provides no form of authentication, which makes duplication of passes a simple exploit. This is a very difficult problem to solve, because one of the main pushes behind the adoption of this technology was ease of use for the user; if some other authentication technology were introduced, it might increase the chance of user error or frustration.

Potential Defenses:

  • The communication between reader and database should be encrypted so that an attacker cannot determine the format of the transmission (if it is not already). This might prevent an attacker from being able to send data that could cause a credit card transaction.
  • The reader should use a MAC so that its authenticity can be verified (if it is not already). With a MAC, an attacker cannot scan RFIDs with a reader they control and send content to the database, because messages from their reader will not verify against the key held by the original reader.
  • An investigation needs to take place as to why there are so many false negatives when reading tickets. This will prevent lift operators from simply opening up the gates due to reader malfunction, because they can be fairly sure that the tickets are being read properly.
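The encryption and MAC defenses above can be sketched as a small reader-to-database exchange. This is an added example, not the resort's code, and the message format, per-reader keys, and freshness window are assumptions: each gate reader tags every scan event with an HMAC under its own key, and the back-end rejects events that were altered in transit, that come from an unknown reader, that are stale, or that are replayed. Confidentiality (hiding the message format) would still need a separate encrypted channel such as TLS.

```python
import hashlib
import hmac
import json

# Constructed per-reader keys: each gate reader shares one secret with the back-end.
# (Hypothetical values for this example; the real deployment's keys are not known.)
READER_KEYS = {
    "gate-7": b"constructed-secret-key-for-gate-7",
}

# Back-end record of tags already accepted, so a captured packet cannot be replayed.
SEEN_TAGS = set()


def encode_scan(reader_id, ticket_id, action, ts):
    """Canonical byte encoding of one scan event (sorted keys, fixed separators)."""
    event = {"reader": reader_id, "ticket": ticket_id, "action": action, "ts": ts}
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def reader_send(reader_id, ticket_id, action, ts):
    """Reader side: attach an HMAC-SHA256 tag computed with this reader's key."""
    msg = encode_scan(reader_id, ticket_id, action, ts)
    tag = hmac.new(READER_KEYS[reader_id], msg, hashlib.sha256).hexdigest()
    return {"msg": msg.decode(), "tag": tag}


def backend_verify(packet, now, max_skew=30):
    """Back-end side: accept only fresh, unmodified packets from a known reader.
    Returns (accepted, event_or_reason)."""
    try:
        event = json.loads(packet["msg"])
    except (KeyError, ValueError):
        return False, "malformed"
    key = READER_KEYS.get(event.get("reader"))
    if key is None:
        return False, "unknown reader"      # reader not provisioned by the resort
    expected = hmac.new(key, packet["msg"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, packet.get("tag", "")):
        return False, "bad mac"             # altered in transit or forged
    if abs(now - event["ts"]) > max_skew:
        return False, "stale"               # outside the freshness window
    if packet["tag"] in SEEN_TAGS:
        return False, "replay"              # same event submitted twice
    SEEN_TAGS.add(packet["tag"])
    return True, event
```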

Although the current implementation provides a huge usability improvement for users, it is susceptible to a variety of attacks. There are many ways that a potential attacker can take advantage of the system, such as through the online store, by duplicating RFID tags, by modifying the reader, or by changing data in transmission to the database. Furthermore, the lift operators often do not seem thrilled to enforce their own security policies, as people are let through without being checked. These exploits have the potential to cause lost revenue or a public relations nightmare, especially given the way credit card data might be handled. By enforcing a small number of cryptographic protocols and improving the reliability of the service, the risk of a successful attack can be greatly reduced.

Filed under: Security Reviews
