
So, okay. Still not had any takers for the lost headphones, if anybody wants to give me a shout. Just finishing the setup. Everybody see the slides okay? Discord channel, we're live. Can you see us?
Awesome. Thanks everyone for giving us a shout. It's all still very new to us, so we appreciate feedback.
Good scale, mate.
Okay, we're just logging in and getting this one set up. So, about 30 seconds away.
We've got to say, as organizers of this, we have been hugely stressed with the whole in-person/virtual thing, but it seems to be working out really, really quite well. So, stress levels decreasing.
Sweet. This time with feeling. Yeah. Yeah, just right close.
Sweet. Okay, I think we're ready to go. So, grab your seats. Shush. All the cool things. Thank you. Let's kick this off and I will hand over to Shane, who's talking about offensive RFID and NFC. Thanks, Shane.

Thanks, Nigel. All right. So, good afternoon, everyone. My name's Shane and I'm here to talk to you about RFID and why you should start caring about it. All righty. So, going to manage two screens here. Sorry, mate. That better? Better? I don't want to eat it. How's that? Good? All right.

Okay, so who am I? I'm a penetration tester with Kinetic IT's Protect Plus security consulting team. A bit of my background: I've got around a decade of experience within law enforcement and defense. I was in the Navy for a bit and worked for the government after that. My most recent role was as a marine tactical officer, which sounds probably a lot cooler than it was. I spent a lot of time at sea watching movies in alphabetical order. So, there you go. All right. For hobbies, I'm a commercial pilot. I'm a flight instructor, so I fly things. I do skydiving, scuba diving. I like to get away from the computer every now and then, which I'd highly recommend. All right. So, most of my cyber experience before this was in DFIR, just for a bit of background.

All righty. So, what are we talking about today? Today, I'm going to talk about RFID and NFC. Because it's a little bit of a niche subject, you can go into real fine detail with this and I want to avoid that. So, I'm just going to start with a high-level overview of what RFID and what NFC is. So, if you're a Proxmark guru, just go and have a nap for the next 15 minutes and wake up at the end. All right. So, yeah, we'll have a look at a high level of how it operates. Then, I'll talk about some of the more interesting tools you can use to bypass access control. Then, we're going to have a chat about bioimplants, so NFC implants under the skin, which are pretty cool. Then, I'm going to show you a demo of a couple of things that I've done with that, which some of you may or may not think is cool, but we'll see.

All right. So, bit of a disclaimer. Some of the stuff, particularly at the end of these slides, it's not a good idea. Don't try it at home. I don't recommend it. And yeah, don't go out scanning cards of people without their permission. That goes without saying.

All right. So, RFID. Generally speaking, what is it? Well, it's radio frequency identification that uses an electromagnetic field to automatically identify and track tags attached to objects. So, historically, interestingly, the first known use of RFID tech goes all the way back to 1945. There was a Russian chap called Leon Theremin and he invented a listening device. It's the one you can see in the picture there. It was ominously called "The Thing". So, I don't know who came up with that. But, inside the device, it had a sensitive membrane, and basically that membrane vibrated when it was subject to a certain radio frequency. And when that happened, it would then transmit audio while it was subject to that signal. That was gifted to the US ambassador to Moscow and it sat in his office for 7 years until it was discovered in 1952. So, that is the precursor to modern-day RFID.

All righty. So, what are the modern uses of RFID and NFC? NFC is pretty much everywhere and the current global estimate is placed at about 2 billion devices. So, for example, all of you in this room have an NFC tag around your neck. Pretty much unless you don't upgrade your phone very often, it's going to have NFC on it, too, which is a form of RFID. So, greater than 20% of the entire world's population have access to an internet-enabled NFC device. All right. So, what are some of the uses? Well, we use it for access control. Chances are you get into work using an access badge. We use it for stocktake, inventory, anti-theft, e-wallets, library cards, vending machines, laundries, hospitals. They're in breast implants. You name it, you're going to find an RFID tag.
All right. So, here's some of the examples. Well, how do we identify this tech? Not by the look, obviously. You can see at the bottom you've got a cup there. That's at a takeaway store, and it stops people from having more than one refill of the drink. So, you can hack that and get multiple refills if you like, if you have a Proxmark. It's used in NRL to track players, casino chips to automatically count bets. The one on the tooth is pretty interesting. That automatically measures glucose intake, so you can track your calories through it. The one up the top is a breast implant. I'm not quite sure why they're tracked, but I think it's a health and safety issue. All right. Okay, and we've got the cow there, so for tracking livestock. But, generally speaking, hard to tell what a tag is just by looking at it. You can use some tooling to figure that out.

All right. So, how does the tech actually work? Well, for RFID, there's three types. You've got passive, active, and semi-passive. So, the first one, which is actually the one you've got around your neck, too. If you look at that circuit board, you'll see there's no battery on it. So, how it works is the electrical current, which comes from your phone when you place it on that PCB, provides power to the tag, the chip, which allows it to then use that power to transmit a response. And that's just a one-way ticket. It's a one-way response. The other type you have is active. So, this tag has an internal power source and it's actively broadcasting its unique identifier to a reader. The last one is semi-passive. It doesn't broadcast its ID, but it has a greater read range because of the battery in it. All right.

So, NFC and RFID, what is the difference here? Well, the main difference between RFID and NFC is that RFID is only a one-way form of communication. Typically, the RFID tag, when it's powered, sends its data to the reader, which then uses that data in some way. NFC, on the other hand, is built on top of RFID, but it's capable of establishing two-way communication. So, with NFC, you have things like contactless payments, data sharing between phones, mobile devices, etc., and also increased security mechanisms. All right. What type of frequencies do these operate on and how can we identify these technologies in use? As I said, you can't just by looking at them. They come in all different forms.

So, generally speaking, a lot of access control still uses the old RFID tech in the low frequency range of 125 kHz. Now, there's a handout that they're giving out upstairs. You can use that as a diagnostic card. You could also use your badge. So, if you hold your badge against one of the readers on the walls, the LED will illuminate. And the amount of times that it illuminates per second is going to tell you the duty cycle, which is a more advanced thing if you want to check it out. But, if it illuminates, it's going to tell you that that's operating in the 13.5 MHz range. If it doesn't, then you know it's 125 kHz and it's an older form of tech.
So, yeah, the high-frequency form of tech, usually NFC, and that's where you're seeing your MIFARE cards, your Transperth card, Visa card, etc. These old low-frequency ones, they're going to have a lot less security and they're going to be really easy to hack. And strangely enough, they're everywhere. You walk around with your diagnostic card in Perth and chances are you're going to find a hell of a lot of buildings using old, outdated tech.

All right. So, why does this matter? Well, for access control, the amount of times I've walked around and I've been into a company, they have millions of dollars of appliances, millions of dollars of software, the best firewall money can buy, but they're protected by a 10-cent piece of plastic that anyone can break, that has zero security protocol. People are forgetting about the physical layer. There is a physical layer of cybersecurity. You know, this isn't the Matrix. We're real, here in the real world. All right. So, if you go to work and take a look at your own access control, there's probably a high chance it's operating on 125 kHz. And that's probably something you should flag up. So, how can we use that? Yeah. All right. I think I skipped ahead one.

All right. So, this is why it's a bad thing. With these access control cards in the 125 kHz range, they don't contain any other data apart from a unique identifier. So, with an access control system like the one on the screen, the card is presented to the reader and the reader simply checks if that unique identifier is registered. If it is, then it gives you access. If it isn't, it doesn't give you access. The problem with this is that if an attacker can learn what that unique identifier is, then they gain the same level of access control that you have. And you know, that might make you think twice before you hand out your visitor passes. It only takes a couple of seconds to clone a card and you've just given someone an unchangeable UID, unless that is then later deregistered. All right. These UIDs are also set during production and they can't be altered.

So, how do we get the UID though? Back in the day, people used to put a Proxmark up their sleeve and, you know, try and touch people's pockets, but that becomes a little bit odd if you're feeling up people at the coffee shop. So, luckily times have changed and there's some modern tools. So, we'll take a gaze at these. So, the first one is known as an ESPKey. This is a tiny little device, about the size of a 10-cent coin. It's an implantable logic analyzer and debugger. It's powered from the reader device. So, it takes power when it's clipped on the back. It generates its own wireless network and it can store up to 80,000 creds. So what you would do, if you walk around and look at readers, pretty much all of them, 99%, aren't behind a metal cage. If you have a screwdriver, you can pop the plastic casing off, clip this device on the back, and then it will read and capture those credentials. You can stand back around the corner, connect to the wireless network that it generates, and steal those creds, and you can replay them at will. So, if you want to enter, someone swipes in, you can then just replay that credential and walk inside. The card reader has no idea that this is actually happening.

So, yeah, pretty cool tool, but we can make it better. There's another tool which came out quite a few years ago. I've got one here. If you're interested in building one, I can let you know how. I've also been walking around scanning your cards all day. No, I haven't. But, this is called the Tastic RFID Thief. What it is, it's basically a card reader for a garage. So, to enter a garage, it has a really long range and a massive antenna. So, what you can do with it, you can just pop it open, as in the picture, put some batteries in it, put your ESPKey inside, put it in your backpack, and then you can go and walk around, you know, stealing access cards for your target organization. Really easy, really simple, just flick it on, plug and play. So, this is how you get these UIDs and this is why having better security is important, because this is easy. I built this in my garage in, you know, a couple of hours. If I can do it, anyone with access to the internet can.

All right. So, we've had a look at more conventional access control. Now, we're going to take a look at some of the more emerging tech such as RFID or NFC implants. All right. So, bio implants. These are under the skin. I have one in my left hand. You wouldn't be able to tell just by looking at it. It has exactly the same tech as a normal NFC chip, so the same use case applies to these. But, the difference being, this is concealable. It doesn't trigger a metal detector. You can have high frequency and low frequency combined in the one, and it can hold up to 8 kilobytes of encrypted storage. Heaps of uses for this.

All right. So, this got me thinking. When I first got this, I was a little bit socially responsible and I put a link on it to Bill Gates' LinkedIn page, and my hairdresser, who is a big conspiracy theorist, I told her that I had my vaccine and then I scanned my hand and showed her. Her mind was blown, but that was terrible. I told her afterwards, but anyway. So, you can do things like that. It was fun to have some pranks. But then, it got me thinking, what can I do offensively or maliciously with this tool? What could someone do? So, I thought about it and I thought, well, you know, this is in my skin. It's concealed. I could use it to trigger something. So, I wrote up a script and I spun up an AWS EC2 instance, so in the cloud. If you work at AWS, just cover your ears.

And so, the idea was that someone with an NFC implant, anywhere in the world, could walk up to someone on the street, ask to use their phone, scan the implant, and then that would perform an action. So, what this script does, it takes the public IP address of the phone that you've scanned. It begins enumerating and fingerprinting it. So, it runs the IP through Shodan, runs Nmap over the IP, and then it runs AutoRecon, which, if you've done your OSCP, you'll know what that is, which is a really cool script. So, basically it starts drilling down into that public IP. And then after that, it powers on a server that you control and securely wipes the SSD. Which is, like, cool. It's just like a kill switch, right? All right. So that's essentially how it works. I'll put all these slides up so you can check it out and the script will be up too, if you want to have a look at it. So there's a bit of a demo. Cover your eyes, AWS people. Probably violates some terms of service. I didn't read it. So we can see up there in the terminal it's running; it's listening for a connection. This just uses a raw WebSocket. So it doesn't actually establish anything; it just literally listens for a base64-encoded string. When it receives that, you can see up there it takes the public IP, runs Nmap, starts enumerating and attacking that public IP address. So if you ever think about that for a minute, there's a lot of really cool social engineering implications. You could walk into your target building off the street and say, "Hey, my car broke down. Can I borrow your phone for a minute to make a phone call?" If they're connected to their corporate Wi-Fi, run your hand over the back of the phone, you've got the public IP address and you're already running enumeration over the network. Pretty cool. All right. So you can see that's powered up the server and wiped it and it's running AutoRecon.
All right. So you can also do that with a web hook. So a lot of you might be familiar with BeEF, the Browser Exploitation Framework. So you can also put a web hook in your hand, scan someone's phone and take over the browser. Which is pretty cool. So imagine if you had a, you know, a cyber criminal and he's been arrested, you're sitting there and you're given a phone call to call your lawyer, you can swipe your hand over the back and pwn a browser or do something interesting. All right. Running out of time here, so I might speed it up, but you get the picture. Basically you swipe your hand over the back and then you can take over the browser and start putting through phishing attacks. You can propagate that hook to the other tabs, etc.

All right. Now after that I thought, well, but what about, you know, that's lame. Like, digital forensics has come a long way. You can recover data off wiped SSDs for sure. Kai from Kit did a talk on something kind of like that a few years back. So I thought, well, why don't we just physically destroy it? I can trigger the script to SSH into a Raspberry Pi and melt it. And that seemed like a really good idea at the time, and it turns out that this actually was really easy. So it functions just the same as the last script, apart from the added step of SSHing into the Pi and kicking off an igniter. So you can see how that works. You scan the chip with your hand. I put a bit of a delay in there. That was to give me time to run away. And then it triggers a servo which will then go and ignite a coil to a very high temperature.

All right. And this is the part where it became a bad idea. So I'm not going to blow up my, you know, $4,000 server. So yeah, this is the next best thing. You can see the igniter there. Don't even bother asking what's in that. And there's the SSD sitting underneath. So here's the finished product. So with this you could be on the other side of the country, walk up to anyone on the street, just with your hand, put it on someone's phone and melt your computer back in your house. So I'm totally not responsible for anyone burning their house down. Do not try this. I also have like 10 years' experience in some capacity of firefighting, so I took all the appropriate safety precautions. So as you can see, scan my hand, it kicks off the igniter, starts going down to the charge and the unfortunate $35 SSD from PLE. All right.

All right. So yeah, as it was going I was a little bit disappointed at the start, but yeah, then it kind of got going and I had to pop it open and throw some sand in there. This isn't in a residential area either.

Yeah, so you have your remote self-destructing PC. Pretty cool, right? All with a chip in your hand that no one would possibly know about. And here we have the aftermath. So I'm not a DFIR expert but I don't think anyone's getting any data off that. Yeah. All right. So thanks very much for listening. The main takeaways from this are: don't forget that there is a physical layer of security. This isn't the Matrix. We live in the real world. Servers are real. Protect them. For law enforcement, maybe start putting it in your SOPs or protocols to switch off NFC if you're dealing with perps, because, you know, if I can think of this then a cyber criminal can think of this. And also don't forget about NFC and RFID on your end user devices. All righty. Thanks for listening. Any questions?
That's a really good idea. Yeah. Yeah, no for sure that's a great idea. I'll have to check it out. Yeah.
Yeah, so it turns out that probably about 50% of the phones just punch out the connection straight away. So with my iPhone it comes up with a prompt. With a lot of Android phones it doesn't ask and it would just make the connection anyway. Yeah. But certainly if it has a prompt then it's a little bit safer.
The most secure, I can't really say off the top of my head. There's some cards that operate in the high frequency range that actually establish an encrypted connection between the card and the reader, and they're much harder to be sniffed and cracked. I've got some stuff on my laptop. If you pop up and see me after, I've got a heap of RFID stuff we can have a chat about. Yeah.
Sorry for holding a certificate. Oh yeah. Yeah, totally. So basically it's more security through obscurity. Yeah, so it's totally readable. The thing is, though, who would think that you had it? No one would really, you know, believe, even know where to scan on your body. But you're right. There is no great security on these chips. There was a company that made these chips that basically had a unique identifier. When scanned they would connect out to a medical info database. So you can imagine the privacy issues there. All you have to do is scan someone's hand, get the UID and then, you know, you have their entire medical history. I don't think that ended that well for that company. Yeah.
For mine, besides the Bill Gates LinkedIn page, I did put my access control for work. So I may have cloned my work fob and put it on my hand. Yeah. But I don't do that anymore. Yes. Yeah. All right.
Yeah. Yeah. Yeah. Yeah, totally. So yeah, switch it off, but by default it's generally on for pretty much every phone. Yeah. All right. Cool. Thanks.