
This article examines the security architecture of fixed-code and rolling-code wireless access systems, evaluates current and potential vulnerabilities in these architectures, and explains the behaviours observed during the analyses within a technical framework. The analysis covered NFC-based cards, RF-based access cards, RFID card access systems, and the protection logic behind these systems. The vulnerability CVE-2023-33221 was examined using the DESFire example.
Terminology
RF -> Radio Frequency
NFC -> Near Field Communication
RFID -> Radio Frequency Identification
Nonce -> Number Used Only Once
PRNG -> Pseudorandom Number Generator
Heap -> The part of memory that the program dynamically allocates at runtime.
Simple RF devices using fixed code send the same signal with every trigger. Therefore, if the signal is captured at any stage and sent again later, the system treats it as valid. Since there is no cryptographic verification, this behaviour is expected by design: the receiver only looks for the fixed value it recognizes and executes the trigger operation. That this type of structure is not considered secure under modern security principles follows from its fundamental architecture rather than from any particular implementation: the value is static, and therefore repeatable.

Rolling code structures are based on a different security logic. The transmitter generates a one-time code with each trigger. Once the receiver has verified this code, it advances its nonce (counter) value to the next position, so an old code presented again is rejected by the receiver. The method rests on ensuring that a code cannot be repeated.

At this stage, methods such as RollJam need to be mentioned. RollJam is a method aimed at bypassing the rolling code approach, and it can only be effective when certain conditions are met. For the method to work, the code the sender first tries to send must be blocked before it reaches the receiver and simultaneously recorded, and the user must press the button a second time. If the system accepts the second code, the attacker is left holding an unused code. However, even this method does not work against every rolling code structure. RollJam is ineffective if the counter interval is wide, integrity verification is present, or the cryptography used is robust.
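The receiver-side logic that the two paragraphs above describe, as an added example written for this article (it is not code from the article or from any remote-control vendor): a fixed-code receiver that checks nothing but equality, beside a rolling-code receiver that verifies a keyed tag and requires a strictly increasing counter inside a resynchronisation window. The pairing key, the counter start value, the window size and the toy_tag mixing function are this example's assumptions; toy_tag stands in for the block cipher or MAC a real product would use and is not KeeLoq or any vendor algorithm.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Over-the-air packet of the rolling-code remote: counter in the clear
 * plus a keyed tag computed over it. */
typedef struct {
    uint32_t counter;
    uint32_t tag;
} rolling_packet_t;

typedef struct {
    uint64_t key;      /* secret shared at pairing time (constructed value below) */
    uint32_t counter;  /* incremented on every button press */
} rolling_tx_t;

typedef struct {
    uint64_t key;
    uint32_t last_counter;  /* highest counter value accepted so far */
    uint32_t window;        /* how far ahead the receiver will resynchronise */
} rolling_rx_t;

/* Toy keyed mixing function. Assumption: it stands in for the block cipher
 * or MAC a real product uses; it is not KeeLoq or any vendor algorithm. */
static uint32_t toy_tag(uint64_t key, uint32_t counter) {
    uint64_t x = key ^ ((uint64_t)counter * 0x9E3779B97F4A7C15ULL);
    x ^= x >> 29;
    x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 32;
    return (uint32_t)x;
}

/* Fixed-code receiver: the only check is equality with the stored value,
 * so a captured packet is accepted every time it is sent again. */
bool fixed_rx_accepts(uint32_t stored_code, uint32_t received_code) {
    return received_code == stored_code;
}

/* One button press: advance the counter and tag it. */
rolling_packet_t rolling_tx_press(rolling_tx_t *tx) {
    rolling_packet_t p;
    tx->counter++;
    p.counter = tx->counter;
    p.tag = toy_tag(tx->key, tx->counter);
    return p;
}

/* Rolling-code receiver: the tag must verify AND the counter must be newer
 * than the last accepted one, but not further ahead than the window. */
bool rolling_rx_accepts(rolling_rx_t *rx, rolling_packet_t p) {
    if (p.tag != toy_tag(rx->key, p.counter))
        return false;                      /* forged or corrupted packet */
    if (p.counter <= rx->last_counter)
        return false;                      /* replay of an already used code */
    if (p.counter - rx->last_counter > rx->window)
        return false;                      /* too far ahead: out of sync */
    rx->last_counter = p.counter;          /* this code is now spent */
    return true;
}

/* Walks through the scenarios from the text; returns how many behaved as
 * expected (5 when every check holds). */
int run_replay_demo(void) {
    const uint64_t key = 0x0123456789ABCDEFULL;  /* constructed pairing key */
    rolling_tx_t tx = { key, 100 };
    rolling_rx_t rx = { key, 100, 16 };
    int ok = 0;

    /* Fixed code: a recording of 0x1AEAB4 stays valid forever. */
    ok += fixed_rx_accepts(0x1AEAB4u, 0x1AEAB4u);

    rolling_packet_t first = rolling_tx_press(&tx);
    ok += rolling_rx_accepts(&rx, first);         /* fresh code: accepted */
    ok += !rolling_rx_accepts(&rx, first);        /* same code replayed: rejected */

    rolling_packet_t tampered = rolling_tx_press(&tx);
    tampered.tag ^= 1u;
    ok += !rolling_rx_accepts(&rx, tampered);     /* integrity check fails: rejected */

    rolling_packet_t far = { rx.last_counter + 1000u, toy_tag(key, rx.last_counter + 1000u) };
    ok += !rolling_rx_accepts(&rx, far);          /* valid tag but outside window: rejected */
    return ok;
}

int main(void) {
    printf("checks passed: %d of 5\n", run_replay_demo());
    return 0;
}
```

The replay rejection comes entirely from last_counter advancing on every accepted packet; the tag check is the "integrity verification" the paragraph above names, and the window bounds how far a receiver will resynchronise after missed presses.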

At this point, we can refer to the CVE-2023-33221 example. This vulnerability arises when data is copied to the heap without boundary checks in the DESFire card-reading function. When the length of the data sent by the card is not properly checked, a buffer overflow occurs, and the device's workflow may crash or be redirected in an unintended way. This vulnerability shows that even with cryptographically strong technology, a lack of control at the application layer can lead to a vulnerability. The use of default DESFire keys also makes the attack easier, as the attacker does not need to know the device's private keys.
Detailed Analysis of CVE-2023-33221:
Overview
- Vulnerability Code: CVE-2023-33221
- Vendor: IDEMIA
- Affected Products: Biometric access control terminals (SIGMA, MorphoWave, VisionPass series).
- Vulnerability Type: Heap-based Buffer Overflow.
- Criticality: High (CVSS v3.1 Score: 7.8)
Technical Analysis and Root Cause
This vulnerability lies in the logic behind the device’s reading and processing of Mifare DESFire cards.
- Mechanism: IDEMIA terminals establish an encrypted communication (handshake) with the card in order to read high-security DESFire cards and attempt to read/verify the card's keys.
- Vulnerability: The card-reading function in the firmware does not perform a boundary check when copying the data from the card into the device's memory (heap memory).
- Triggering: The attacker presents a specially crafted (malicious) DESFire card to the terminal. The card sends data (payload) that is longer than the terminal expects, or in a corrupted format.
- Result: The software writes this excessively long data beyond its allocated memory space. The overflow causes other critical data or function pointers in the heap region to be overwritten.
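The unchecked copy described in the bullets above, as an added C example written for this article (it is not IDEMIA's firmware, whose source is not public): a card-reading routine that trusts the length byte the card reports, beside a hardened version that bounds that length before anything is copied. The frame layout (one length byte followed by data), the 32-byte record capacity, the function pointer placed next to the buffer and the filler bytes are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed frame layout for this example: byte 0 is the length the card
 * claims, bytes 1.. are the card data. Real DESFire responses are more
 * elaborate; only the "length, then data" shape matters for the root cause. */
#define RECORD_CAPACITY 32u

typedef struct {
    uint8_t data[RECORD_CAPACITY];  /* copy of the card data, lives on the heap */
    size_t len;
    void (*on_read)(void);          /* a neighbouring pointer an overflow would overwrite */
} card_record_t;

static void default_handler(void) { }

/* Vulnerable pattern (illustrative, not the vendor's code): the claimed
 * length is trusted, so a card can make memcpy run past data[] into len
 * and on_read. It is here to show the defect; only feed it frames that
 * claim at most RECORD_CAPACITY bytes. */
card_record_t *read_card_unchecked(const uint8_t *frame, size_t frame_len) {
    if (!frame || frame_len < 1) return NULL;
    card_record_t *rec = calloc(1, sizeof *rec);
    if (!rec) return NULL;
    size_t claimed = frame[0];
    rec->on_read = default_handler;
    memcpy(rec->data, frame + 1, claimed);  /* BUG: no check against RECORD_CAPACITY or frame_len */
    rec->len = claimed;
    return rec;
}

/* Hardened version: the card-reported length is bounded by both the buffer
 * capacity and the number of bytes actually received before the copy. */
card_record_t *read_card_checked(const uint8_t *frame, size_t frame_len) {
    if (!frame || frame_len < 1) return NULL;
    size_t claimed = frame[0];
    if (claimed > RECORD_CAPACITY) return NULL;   /* would overflow data[] */
    if (claimed > frame_len - 1) return NULL;     /* claims more than was received */
    card_record_t *rec = calloc(1, sizeof *rec);
    if (!rec) return NULL;
    rec->on_read = default_handler;
    memcpy(rec->data, frame + 1, claimed);
    rec->len = claimed;
    return rec;
}

/* Builds a constructed frame in a static buffer: the claimed-length byte
 * followed by data_len filler bytes (total size data_len + 1). */
const uint8_t *make_frame(uint8_t claimed, size_t data_len) {
    static uint8_t buf[256];
    if (data_len > sizeof buf - 1) data_len = sizeof buf - 1;
    buf[0] = claimed;
    memset(buf + 1, 0xAA, data_len);
    return buf;
}

/* Returns the stored length after a checked read, or -1 if the frame was rejected. */
int checked_read_len(const uint8_t *frame, size_t frame_len) {
    card_record_t *rec = read_card_checked(frame, frame_len);
    if (!rec) return -1;
    int n = (int)rec->len;
    free(rec);
    return n;
}

int main(void) {
    /* A well-formed 16-byte read passes; an over-long claim is rejected by the
     * checked reader and would corrupt the heap neighbours in the other. */
    printf("16-byte frame  -> %d\n", checked_read_len(make_frame(16, 16), 17));
    printf("200-byte claim -> %d\n", checked_read_len(make_frame(200, 200), 201));
    printf("short frame    -> %d\n", checked_read_len(make_frame(16, 4), 5));
    return 0;
}
```

Two separate bounds are needed: the capacity check stops the heap write past data[] that the Result bullet describes, and the received-length check stops the copy from reading past the end of the frame when a card under-delivers on what it claimed.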
Attack Scenario (Attack Vector)
In the CVSS classification this vulnerability falls into the Local/Physical category rather than the Remote category; however, its effect can potentially result in command execution on the device.
- Preparation: The attacker prepares a fake DESFire card containing the payload that will trigger the vulnerability using a special RFID/NFC writing device.
- Action: The attacker physically approaches the target terminal and scans the card.
- Default Key Risk: The phrase “This is especially problematic if you use Default DESFire key” in the CVE description is critical. If the terminal is configured to use the factory default DESFire keys, it becomes much easier for an attacker to communicate with the device and trigger the exploit. If diversified keys were used, the attacker would first need to know that key.
Conclusion: The device may crash (DoS) or the attacker’s shellcode may be executed on the device with root privileges. In this case, the attacker can open the gateway, delete logs, or use the device as a stepping stone (pivot) to infiltrate the network.
For a wireless access system to be considered insecure, certain technical conditions must be met. Fixed code is inherently an insecure design. In a rolling code structure, weaknesses in the PRNG, predictable nonce values, lack of encryption, or signal-authentication errors at the application layer make the system vulnerable. The use of default keys is another risk factor. If even one of these deficiencies produces a "repeatable signal" or a "manipulable authentication process" in the system, the security level weakens.

Practical Example
This practical section simulates a replay attack on a fixed-code device using the Flipper Zero's Princeton 24-bit (PT2262) simulation. A Flipper Zero was used in place of a physical remote control to provide a controlled signal source in a laboratory environment.
Research Setup
Signal Source (TX): The Flipper Zero was configured to simulate the Princeton (PT2262) protocol via its Sub-GHz module. 24-bit fixed-code packets were generated manually and transmitted periodically.

Signal Receiver (RX): A HackRF One was tuned to 433.92 MHz using URH (Universal Radio Hacker). The signal transmitted by the Flipper Zero was captured with URH and then replayed from URH.


When the Flipper Zero was put into read mode in its Sub-GHz menu, the replayed signal was read successfully, specifically the key 1AEAB4 that the Flipper Zero itself had originally sent.
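To make the "same signal with each trigger" property concrete, an added example that is not from the article, Flipper Zero or URH: a simplified Princeton/PT2262 decoder that turns a high/low pulse train into the 24-bit code, with an encoder used only to construct sample captures. The 400 µs unit time, the 1:3 and 3:1 pulse ratios, the gap length and the 10 % clock drift are this example's assumptions, not values taken from the page; the real Flipper Zero and URH decoders apply their own thresholds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified PT2262/Princeton timing used by this example (assumptions, not
 * values from the page): unit time te = 400 us; a 0 bit is a short high then
 * a long low, a 1 bit is a long high then a short low; the 24-bit word is
 * followed by a short high and a long gap. */
#define TE_US 400u
#define WORD_BITS 24
#define PULSES_PER_WORD (2 * WORD_BITS)   /* every bit is one high and one low pulse */

typedef struct {
    int level;               /* 1 = carrier on (high), 0 = carrier off (low) */
    uint32_t duration_us;
} pulse_t;

/* Tolerant classification so that clock drift and capture jitter still decode. */
static bool is_short(uint32_t d) { return d > TE_US / 2 && d < 2 * TE_US; }
static bool is_long(uint32_t d)  { return d >= 2 * TE_US && d < 5 * TE_US; }

/* Decodes one 24-bit word from a pulse train (MSB first).
 * Returns true and stores the code, or false on any framing/timing violation. */
bool princeton_decode(const pulse_t *pulses, size_t n, uint32_t *code) {
    if (!pulses || !code || n < PULSES_PER_WORD) return false;
    uint32_t acc = 0;
    for (size_t i = 0; i < PULSES_PER_WORD; i += 2) {
        pulse_t hi = pulses[i], lo = pulses[i + 1];
        if (hi.level != 1 || lo.level != 0) return false;
        if (is_short(hi.duration_us) && is_long(lo.duration_us))
            acc = (acc << 1);          /* 0 bit */
        else if (is_long(hi.duration_us) && is_short(lo.duration_us))
            acc = (acc << 1) | 1u;     /* 1 bit */
        else
            return false;              /* neither pattern: not a Princeton bit */
    }
    *code = acc & 0xFFFFFFu;
    return true;
}

/* Encoder used only to construct sample captures for this example.
 * out must hold at least PULSES_PER_WORD + 2 pulses; returns the count written. */
size_t princeton_encode(uint32_t code, pulse_t *out) {
    size_t n = 0;
    for (int bit = WORD_BITS - 1; bit >= 0; bit--) {
        bool one = (code >> bit) & 1u;
        out[n++] = (pulse_t){ 1, one ? 3 * TE_US : TE_US };
        out[n++] = (pulse_t){ 0, one ? TE_US : 3 * TE_US };
    }
    out[n++] = (pulse_t){ 1, TE_US };        /* sync: short high ... */
    out[n++] = (pulse_t){ 0, 31 * TE_US };   /* ... then a long gap before the repeat */
    return n;
}

/* Encodes and decodes one word; returns the decoded code or 0xFFFFFFFF on failure. */
uint32_t princeton_roundtrip(uint32_t code) {
    pulse_t capture[PULSES_PER_WORD + 2];
    size_t n = princeton_encode(code, capture);
    uint32_t decoded;
    return princeton_decode(capture, n, &decoded) ? decoded : 0xFFFFFFFFu;
}

/* Simulates two separate button presses, the second captured with 10 % slower
 * timing (clock drift), and reports whether both decode to the same code. For a
 * fixed-code remote they always do: nothing in the frame changes between
 * presses, which is exactly why a recording is accepted when retransmitted. */
bool same_code_on_every_press(uint32_t code) {
    pulse_t first[PULSES_PER_WORD + 2], second[PULSES_PER_WORD + 2];
    size_t n = princeton_encode(code, first);
    princeton_encode(code, second);
    for (size_t i = 0; i < n; i++)
        second[i].duration_us = second[i].duration_us * 11u / 10u;
    uint32_t a, b;
    if (!princeton_decode(first, n, &a) || !princeton_decode(second, n, &b)) return false;
    return a == b;
}

int main(void) {
    printf("decoded key: %06X\n", princeton_roundtrip(0x1AEAB4u));
    printf("identical on repeat press: %s\n", same_code_on_every_press(0x1AEAB4u) ? "yes" : "no");
    return 0;
}
```

The decoder has nothing to check beyond pulse timing: there is no counter, tag or key in the 24 bits, so a receiver built on this protocol cannot distinguish a live press from a retransmitted capture, which is the property the rolling-code design in the earlier section exists to remove.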

Finally, wireless signal capture and retransmission are regulated in many countries. Such tests may only be performed with the explicit permission of the system owner. The methods described in this research have been evaluated solely from a defensive perspective and were performed in an isolated lab environment. Their use outside legal boundaries may have legal consequences. Within the European Union, regulations such as the EECC, and in the US regulations such as the ECPA, address the privacy of electronic communications within legal frameworks.
TL;DR
This article has been prepared as a document on the fundamentals of wireless access system security. It has been observed that fixed-code systems are insufficient against modern threats, while rolling-code systems can provide strong protection when properly designed. Application-layer vulnerabilities such as CVE-2023-33221 clearly show that even technologies considered secure can be weakened by faulty implementation.
Sources:
https://www.idemia.com/wp-content/uploads/2023/11/Security-Advisory-SA-2023-05-2.pdf
https://en.wikipedia.org/wiki/Rolling_code
https://vietsol.com.vn/rollback-rolljam-exploring-vulnerabilities-to-strengthen-vehicle-security/
https://en.wikipedia.org/wiki/MIFARE
https://github.com/jopohl/urh
https://docs.flipper.net/sub-ghz
https://eur-lex.europa.eu/EN/legal-content/summary/european-electronic-communications-code.html
https://bja.ojp.gov/program/it/privacy-civil-liberties/authorities/statutes/1285
