
I'm rockin'... okay, you can hear me now though, right? Okay. I'm going to apologize because I'm a wanderer, so I'm going to walk in front of the screen and do everything that they say professional speakers shouldn't do. But, by way of introduction, I'm Jeff Murray. I actually do not live in the valley anymore; I live in Augusta, Georgia. I moved down about nine years ago, I think, but all my family's here, and fortunately I was able to come up here for BSides last year and this year. My family's here, so I get to kill two birds with one stone: I get to geek out and I get to see my family, so it's awesome.

So I would argue, if you're not getting up to speed on hardware solutions (and we'll get into different hardware solutions), Red Team, Blue Team, doesn't matter, the industry and the bad guys are going to roll right over you. By hardware I mean things like you being able to possibly check your wireless access point to see if it's been owned; not software, firmware: being able to take your wireless access point, dump the firmware and reflash it; build your own wireless access points; same thing, walk through your building and see if somebody's sitting there with, you know, a malicious Bluetooth device, something like that. So basically what this is going to be is a quick chat about hardware, hardware in general, and what is currently out there. This is just scratching the surface, but ultimately, grab on, we're ready to go.

We're going to talk about software-defined radio. We're going to talk about owning hardware. How many of you have a PlayStation, PS3, PS4? Okay, the PS4 has been broken, if you weren't aware of it. I'm going to show you the tool that you can use to get in there and use it in anger, basically. CAN bus: you want to, you know, tweak your hooptie out there? I have a 2003 Ford Focus. One interesting thing that I did, and I talked about this during my workshop: the damn check engine light used to come up. Oh, it ran great, but the oxygen sensors on the Ford Focus SVT are really expensive and they burn up about every six months. So what I did is I created a little device that hooked into the CAN bus port, and as soon as it saw the code for bad oxygen sensor it sent the reset. So basically I wasn't bothered by the check engine light, and as far as I know... actually, I haven't seen the check engine light in a while, so I haven't checked my codes lately, so hopefully valid codes are coming through. But I'm going to show you how to do that. Other USB hacking tools, things like that; again, hardware devices, not software stuff, hardware devices. And then, if we have time, you know, I know there was a talk this morning on Raspberry Pis; there's a ton, ton of small form-factor PCs out there now, Linux, Windows, Internet of Things being run, Windows 10 on hardware now, so I mean little hardware now, a little Intel Edison board, something like that. We're going to go into that.

So now is the time for you to bow out if this doesn't sound like your thing. But what I did do is, because of the RFID... this is, dude... but in honor of the talk that you were probably hoping to see, I did add an RFID hacking tool, and I did that this morning. And now, you know the drill: now I'm going to tell you my employer... who cares, they don't care what I do after hours, unless I break the law; same thing. The big thing here, as far as SDR, is it depends on where you are whether it's legal to listen to some of the stuff that's really going through your body as airwaves. So, long story short, if you do something illegal based on anything you see here, it ain't my fault.

Okay, software-defined radio. So, software-defined radio: I'm looking at how many of you weren't in my workshop yesterday. Okay, I know, it was a Friday, I understand. So software-defined radio: think of the radio with tubes and all that, or a car radio from your hooptie car from the 1990s, transistors or tubes, what have you. Software-defined radio has taken all of that circuitry that demodulates that frequency-modulated, or FM, signal, AM signal, all of that, and put it into hardware or software. So basically what a radio is now, even in the newer cars, is it is taking the analog signal going through the air, converting it to ones and zeros, and that's where the radio stops; everything else is in software. What would be the advantage to that? Being able to configure it, tune it, if you can get access to the firmware, or in this case this RTL-SDR dongle. This guy here was originally designed for TV reception. An enterprising Russian (they're pretty crafty sometimes), an enterprising Russian said, hey, it doesn't have to be used just for TV, because it's taking analog radio waves, converting it into ones and zeros, so I'll write a driver that takes this dongle and, in software, decodes FM radio, AM radio, ACARS. You know FlightAware, some of those websites out there? It's scary as hell that you can see where every aircraft is now. Well, how that's getting there is a software-defined radio listening to the transponder information coming from airplanes. You can do that for free; you can do that with a twenty-dollar TV dongle. My slides from the workshop yesterday will be posted Monday, I think, and you can just walk the dog on it, so really easy. So for under 20 bucks, you own your own software-defined radio and you're able to see from 30 megahertz up to about 1.8 gigahertz; that's a lot of spectrum. Yesterday we were looking at pager signals. Pager signals, like the ones at the hospital here, are not encrypted. You would not believe what's coming over those pager signals: you want to see your stats, clear down to what diseases you have? So there, listen to the pager signals.

Okay, so software-defined radio: the RTL-SDR basically kicked off software-defined radio as we know it. The barrier to entry before him was right around 1200 bucks. Once the $20 SDR hit, then a bunch of other folks decided, a bunch of other companies decided, hey, we can come up with solutions that are probably a little bit more expensive but have finer tuning, more filtering, things like that. One problem with the RTL-SDR is that if you have a strong radio station next to, you know, adjacent to where you're sitting and actually receiving a signal, sometimes it can actually crowd that signal out, so you're hearing a radio station at like 40 megahertz when it should be at 88 to, what, 118. So a lot of what's going on here is either broadening out. Okay, so the FUNcube Dongle Pro+, 150 kilohertz up to 1.9 gigahertz; SDRplay, one kilohertz up to two gigahertz; and then HackRF, that will transmit, has been out for a while. Michael Ossmann, who is a rock star when it comes to hardware: 10 megahertz up to 6 gigahertz, will transmit at milliwatts, but you can actually transmit. One of the things that they were doing at Black Hat a couple of years ago was confusing phones, because they were modulating GPS signals, so sitting there with your phone right next to a HackRF, it was saying you were in Lithuania. So LimeSDR, this is a new one, and it transmits, and it's got... it runs around 1 watt, which is a lot. And if you look at the prices of these: LimeSDR $299, they just came out with a mini version for $149, HackRF $299, and then, you know, it goes down from there. So there's a lot of them out there. The only thing I would caution you on is these are really cheap on Alibaba, I'm drawing a blank on some of those Chinese sites, or just eBay: you get what you pay for sometimes. Buy from somebody that has a lot of positives, you know, instead of a bunch of negatives: "this thing sucked, it didn't have anything inside the plastic panel," something like that. But in short, the barrier to entry has come way down. So GSM: you can decode GSM now, you can create your own GSM base station out of a LimeSDR. Pretty cool stuff.

Okay, as far as software, I did this just... I put this in here just because this is free. It's called SDR#. Why would you think it's called SDR#? Because it's written in C#. Excellent. It's closed source now; it used to be open source. HDSDR is open source, so if you want to roll your own software-defined radio application, you can take his code and do so. You can schedule recordings here, which is actually pretty cool, with HDSDR. So if you know that the ISS, the International Space Station, is going to be flying over your house, you know, between 3 a.m. and 4 a.m., then you can actually have HDSDR running on your laptop, your computer, what have you, and then it turns on, records for an hour, turns off; you wake up, figure out what's going on. Or, in a lot of cases, what I've used this for is digital: I just want to record overnight 10 megahertz worth of spectrum and see what's there. So I'm a ham radio operator; I like to know what's going on with ham radio satellites, so another reason to record that spectrum. But either app works pretty well. Now, if you're a baller and have a Mac... yeah, basically, Macs, they're still expensive, aren't they? No, the Mac people are like... Long story short, you can get the raw RTL-SDR software; the Russian guy and the group that he belongs to, you can actually turn around and download that. Actually running the raw software: hak5.org. You're not a security guy unless you at least watch Hak5 a couple of times. They have a great video on the RTL-SDR, the $20 dongle, and using the original software from the command line, both Linux and Mac. Gqrx: it's open source, it works very well. So we're talking free software, at a minimum a $20 TV dongle, and you've got software-defined radio that you can listen to signals, analog signals, plus decode digital signals, pagers, etc., water meters.

One thing that we did yesterday during the workshop is I showed a packet capture. I call it a packet capture because those airwaves are still layer one, right, in the OSI model, it's layer 1. But somebody near my mother's house has a weather station, so I actually finished the decoding of it, for those of you that were in my workshop, and it's just sending peaks; it modulates peaks, and up is a one, nothing is a zero, and it's just spaced out every half second. You can decode his weather station, because I'm cheap... buy a weather station, but pretty cheap.

Okay, also on Linux and Mac, if you really get into it: GNU Radio. It's a beast, and make sure your laptop has some horsepower. It does compile under Windows, but I would not recommend that. Just bite the bullet, download a Linux distribution that already has it compiled, optimized, and has all the plugins, and just run it. But Michael Ossmann, again, rock star, he has written some very thorough, some of them are two hours, tutorials to really get in and just start decoding signals with the raw software. Balint Seeber, he's excellent too; his videos are all out there on the YouTubes, and then he's written a bunch of tutorials off of them. So pretty much there's a solution as far as software-defined radio from $20 to... I wouldn't spend more than a thousand, I wouldn't spend more than five hundred. Free software; barrier to entry is very small. Because you would not believe, and we were having this discussion during my workshops, what is actually going through the air now. It's crazy what's going through you.

Okay, so as far as hardware exploration, or I would say possible exploitation, there is a little USB dongle made by Travis Goodspeed. If Einstein and a silicon chip had a baby, it would be Travis Goodspeed. I made that up on the fly and it was really stupid. Anyway, the GoodFET: send him an email, he'll send you the PCB, and for about five dollars in parts from Digi-Key or any electronic supplier you can solder your own. It is SMD parts, so any of you that have soldered those little SMD parts, you know where you sneeze and all your parts just went all over the place. Some of you are laughing because you've done it too. But if you want, he'll send you a PCB for free. In fact he's looking at a revision of the PCB. So last time, I sent him, I threw him five bucks just for shipping, because a lot of people can't afford shipping; sent him five bucks and he sent me thirty PCBs. Thirty PCBs, though all I needed was one. But if you want to actually buy one, Adafruit, for $49. So what does this guy do? What this guy does is he's got a lot of pinouts on him that allow you to hook up to the chips on a motherboard itself and then start actually tampering with signals. One of the things that we can do, even if the chip and the firmware is encrypted, is we can do something called a side-channel attack. What that is, is we glitch it, and by glitching it, what we do is we actually stop the power, we clip to a couple of pins and see what it does, and eventually sometimes we can catch that cycle in the chip, the crypto running in the background, glitch it, and then get in, dump the firmware. So that's just one thing that you can do with this. I program a ton of different little devices with the GoodFET. A lot, a lot of information out there. Great tool, $49, or, depending on your soldering skills, very cheap.

Okay, YARD Stick One. This is kind of software-defined radio, but Michael Ossmann would say it's not. This is a sub-1-gigahertz tool, and it covers transmit and receive in the ISM band. So these are bands that are open; the FCC said low power, again, like the weather stations, things like that, don't need licensing as long as you don't broadcast above this and you submit a test report that says you're not going to bleed all over everything else. So what this guy does: from 300 to 348, 391 to 464, 782 to 928, it allows you to actually go in and, via a Python command line, send packets, radio packets, to hardware devices. Again: wireless access point, weather station, Nest thermostat. You know those had a big vulnerability a while back; you know, you want to tweak your Nest thermostat, get one of these guys. Or if you want to just listen to the traffic and see if you can decode it, $20 RTL-SDR. But it does all these different modulation schemes, and RFCat is the firmware; it comes pre-flashed with it. You can actually build one of these too; they'll send you a PCB. I would not advise you to do that; I gave up. I thought I was going to build one; I wasn't. But again, there's a link on every one of these slides to further information, because I obviously don't have time to go into every one of them.

Ubertooth. So the Ubertooth is dedicated to Bluetooth and Bluetooth Low Energy. It does transmit and receive. So a friend of mine gave me these really cool earbuds and they had a little heart rate sensor in there. So I fired up my Ubertooth and just hit play, watching a whole bunch of Bluetooth devices bounce back and forth, everything, and I see this one that says "Jeff's Fitbit," and I see another one that just says... it had a kind of a scrambled name, I wasn't quite really sure, I think it was maybe some binary thing that it was throwing. So I record, then I just sit there and I start watching it go through: there's my heart rate, and a bunch of other values that I won't go into, but I mean like blood pressure, things like that. I thought it was just a heart rate monitor, but it's got... there it's tracking blood pressure, everything, and it's not encrypted. Now the thing is, somebody like me, I don't care if anybody goes, "God damn, he's having a heart attack pretty soon," I know. But realistically some people don't want somebody to just sit there and sniff that type of information; you know, it's an invasion of privacy. A lot of people get pretty freaked out about that. It's in the clear. You do that with your Ubertooth, $119. Adafruit has something very similar to this now; you go to adafruit.com, it's right around $20, but it's not as fast, so you may actually lose Bluetooth packets, but it'll get you there. And then if you're like, well, I know I'm missing packets, then, you know, go for the dedicated tool. But it's not software-defined radio, because it's dedicated to a specific purpose, Bluetooth, and decoding those packets, whereas again those software-defined radio devices run the gamut.

Okay, in honor of the speaker that you wanted to see: you want to hack RFID tags and RFID readers, all those smart cards? Proxmark3; they're up to revision four. This is... they have an entire kit, or they have one that's just the reader and a couple of cards that you can then program. But this will actually allow you to take a card, hold it up against it, and you just clone the card, so pretty easy, and then you can either haul this thing around or you can burn a copy of the card, and then you've got a copy of that person's card. So there is some basic crypto on a lot of the RFID stuff, but for the most part it's wide open, and the problem is the spec that it's based on; there's so many devices out there, there's no way they're going to be able to get all those devices fixed. I mean, hotels: there was a big... you know, I live in Augusta, Georgia, right now, and Atlanta had a big string of hotel room thefts, and what they had been doing is actually cloning RFID cards. You sit there in the bar, set their little device right there next to the person's hotel key, and away they went. Very, very cool. Again, it can pretend to be a reader or a tag, or, I think now, if you're within eight inches of the card it will send power to it and wait for a response back, so you can clone it without even actually touching the card. So, pretty cool. Yes?

[inaudible audience question]

Well, so, like, for instance, at a corporation, if I clone a card I could just sit there; yeah, I'm going to scan my way in. The thing is, even most of the ones that you have to swipe, with enough power coming from one of these devices, it will actually just talk through the chip anyway, or talk through the reader anyway. So just because maybe you've got a reader at your corporation, or what have you, and it's really hard to kind of get around to it to swipe it, it doesn't matter; these are very easy. You can actually solder an amp onto this guy and be probably 12, 13 inches away and just open the door from there; you're just not skipping a beat. So physical, when it comes to the RFID tags and the RFID readers, physically securing the physical reader itself really doesn't help you much against a determined individual. Does that answer your question? Okay.

Okay, we had a workshop on this yesterday; those of you that weren't there, you can ask some of the people that were there. I don't know if it went well or not, but nobody left, which is kind of a good thing; either they're like, oh yeah, or they were doing something else on there, or whatever. But the long and short of it: you've got the ESP8266 chip and then the ESP32 chip. The difference: the 8266 is about the size of my pinky nail, does 802.11 a/b/g/n, and then you can also, you can see the pins on the side here, you can actually access those pins, so things like running a motor, stepper motor, reading a temperature sensor. What I mentioned yesterday in the workshop was a buddy of mine has actually designed a complete sprinkler system around ESP8266 chips. So he's got a web interface that they all talk to, and he can talk via Wi-Fi to these devices, but essentially what it's doing is he's got a moisture sensor stuck into the ground and then he's got another one that is a heat sensor, so basically it's, is it day or is it night. Georgia gets hot, and so the key thing is he wants to water his lawn when the moisture is at a certain level, and then he doesn't want to do it during the day, because he's one of those guys that says that prize lawn and everything, you know, everything's perfect in his lawn. But you can do everything from that to... one of the things that we did yesterday was a captive portal wireless access point: you connect to it, and then it captures the DNS request that your computer's sending and redirects you to the web page on that captive portal, all on this guy. These guys are cheap, 11 bucks, can run on a LiPo battery. How many of you were here last year? Okay, for those of you who were here last year, you've got this in a beautiful setup; the bags they had last year were the best value I've ever seen at any con I've been to, and I've been to a lot of them. Running off three double-A batteries, everything you need to do pretty much everything that I was just talking about, as far as a weatherproof container and everything else; they gave it to you last year.

The ESP32, it's a follow-on chip. It does not replace it; it's a little bit more expensive. This thing is going to be about 15 bucks mounted on this board, but it also does Bluetooth 2.0, so Bluetooth and Bluetooth Low Energy, so you can actually throw this guy into promiscuous mode. He's got a dual-core processor; it's running at 1.2 gigahertz; again, about the size of my thumb. So I would highly encourage you, again: evil twin, or evil maid, man-in-the-middle attacks. At Hacker Halted last year we had a bunch of 8266s all over the Hyatt Hotel in Atlanta, and it's a Hyatt, and there was a space between the T and the T, "public," and people were connecting to it all the time. We had a little form in there; they would type in their last name, then it would hand them off to the real one once that's done. But ultimately it was a proof of concept, and what are you going to do about something like that? I mean, without having a RADIUS server, you know, etc. I mean, there's ways to secure wireless, but it's not practical for a public hotel and a lot of those, you know, a bunch of other installations. Again, my workshop slide deck will be up shortly and you can read all about that. I've got a bunch, they've got a bunch to give away, and you can go to town.

CAN bus again: one thing that the ESP32 board also has is it supports the complete CAN bus language. All you need to do is actually get the cabling and power it, and that ESP32 can talk CAN to your car. Yeah, and that's what I use to just shut the damn check engine light off on my car. There used to be, and there still is, a bunch of Arduino shields, a bunch of other stuff that you could buy, and it's still out there; just get yourself an ESP32 board and then some cables and download some code that somebody else wrote on the internet. If you improve it, send the better code to him; that's the way open source works, right? Perfect.

Okay, some other notable devices. Facedancer: if you really want to dive into USB fuzzing and USB testing, hardware testing, then Facedancer allows you to take a device... by the way, this is how the PS4 got hacked, and prior to that there was an Xbox model that got hacked. USB into the Facedancer, from the Facedancer into the computer, and any Python app or anything that you run on your computer looks like a USB endpoint. Plus you can blast it the other way and see how badly that USB device screams. Okay, there's a link for you as far as examples, etc., and then we've got a bunch of links here. So when you want to download the slides, pretty much everything that I talked about, as far as examples, things like that, explanations, are all here. And I've been blinking red for a minute, so I think that's it. So we've got maybe a minute and a half for questions. Any questions? Yes?

[inaudible audience question]

Yeah, you all should have... it'd be up here with the cameras. This one in particular is pretty cool: this guy, Hacker Arsenal, I actually can't pronounce his name, but he had an $80 custom device that was built off an ESP32 board and did everything from man-in-the-middle attacks to custom portals, etc. The cool thing is that he did one run of them, and when he ran out of them he posted the firmware up so that you can download the firmware, flash your ESP32 device that you buy for 15, 20 bucks, and I say 15 to 20 bucks because again you get what you pay for sometimes with this stuff from China, and make your own device.

So hardware, again: software's cool, being able to sit there and, you know, whatever; everybody's watched Mr. Robot, he does more hardware than he does software. So if you are not integrating hardware into both your red team and your blue team: ESP8266, drop those all over the place; who's connecting to them? Somebody, I don't know where he went, has a beautiful sketch, or application, that he flashed to an ESP8266, and he's watching every single beacon frame, even hidden SSIDs. You can drop that thing out in the middle of nowhere, connect to it via a web page, download the text file, you're good to go. And, you know, put them all over your campus and set up a mesh, so a poor man's IDS. No questions, right? Pretty tough crowd.

[Applause]
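The weather-station decode the talk describes (a pulse in each half-second slot is a 1, an empty slot is a 0), carried through in code as an added example; this is not code from the talk or its slides. The envelope sample rate, pulse width, and the frame layout with its checksum are assumptions, and the input envelope is constructed rather than captured:

```python
"""Decode an on-off-keyed (OOK) weather-station style signal as the talk describes:
a pulse in a half-second slot is a 1, an empty slot is a 0.  Added example, not the
speaker's code; the frame layout (start bit, 8-bit id, 16-bit temperature in tenths
of a degree, 8-bit checksum) is a hypothetical one chosen for illustration."""
import random

SAMPLE_RATE = 1000        # envelope samples per second (constructed input)
BIT_PERIOD_S = 0.5        # one bit every half second, per the talk
PULSE_S = 0.1             # assumed pulse width inside a slot (hypothetical)
FRAME_BITS = 1 + 8 + 16 + 8


def frame_bits(station_id, temp_tenths):
    """Build the hypothetical frame: start bit 1, id, signed temperature, checksum."""
    hi, lo = (temp_tenths & 0xFFFF) >> 8, temp_tenths & 0xFF
    payload = [station_id & 0xFF, hi, lo]
    payload.append(sum(payload) & 0xFF)
    bits = [1]                      # leading pulse lets the receiver align slots
    for byte in payload:
        bits.extend((byte >> (7 - k)) & 1 for k in range(8))
    return bits


def make_envelope(bits, noise=0.05, seed=1):
    """Construct a noisy magnitude envelope carrying `bits` (test input, not a capture)."""
    rng = random.Random(seed)
    slot, pulse = int(SAMPLE_RATE * BIT_PERIOD_S), int(SAMPLE_RATE * PULSE_S)
    env = [0.0] * (slot // 2)       # quiet lead-in before the first pulse
    for b in bits:
        env.extend([1.0 if b else 0.0] * pulse)
        env.extend([0.0] * (slot - pulse))
    return [abs(v + rng.gauss(0.0, noise)) for v in env]


def decode_ook(env, sample_rate=SAMPLE_RATE, bit_period_s=BIT_PERIOD_S):
    """Slice the envelope into half-second slots from the first pulse; a slot whose
    first half rises above the threshold is a 1.  The threshold sits halfway between
    the median (noise floor) and the peak, so it adapts to signal strength."""
    floor, peak = sorted(env)[len(env) // 2], max(env)
    thresh = (floor + peak) / 2.0
    start = next((i for i, v in enumerate(env) if v > thresh), None)
    if start is None:
        return []                   # nothing above the noise floor
    slot = int(sample_rate * bit_period_s)
    bits, i = [], start
    while i + slot // 2 <= len(env):
        bits.append(1 if max(env[i:i + slot // 2]) > thresh else 0)
        i += slot
    return bits


def parse_frame(bits):
    """Turn decoded bits into fields; returns None on a short frame or bad checksum."""
    if len(bits) < FRAME_BITS or bits[0] != 1:
        return None
    body = bits[1:FRAME_BITS]
    data = [int("".join(map(str, body[k:k + 8])), 2) for k in range(0, 32, 8)]
    if sum(data[:3]) & 0xFF != data[3]:
        return None
    temp = (data[1] << 8) | data[2]
    if temp >= 0x8000:               # two's complement for sub-zero readings
        temp -= 0x10000
    return {"station_id": data[0], "temp_c": temp / 10.0}


if __name__ == "__main__":
    env = make_envelope(frame_bits(0x2A, -35))   # constructed: station 42, -3.5 C
    print(parse_frame(decode_ook(env)))          # {'station_id': 42, 'temp_c': -3.5}
```

Because slot alignment comes from the first pulse, a frame that began with a 0 would lose its leading zeros, which is why the assumed format carries a start bit; real stations use a preamble for the same reason.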