
I'm Brandon. I have been really busy today, and I'm going to talk to you guys about RFID and stuff. So, uh, my attorney said I should say this kind of crap, so... oh, we're good, yes, that worked. All right, so the first thing is that nothing I'm presenting is original to me, right? All of this is a conglomeration of other people's efforts. The whole point of this talk was, like, I wanted to be an elite hacker after watching Mr. Robot, and I became, like, an RFID script kiddie. So credit goes where credit's due, and that's to other people, not me. So what else have we got here? I can make this a little bigger. Click Next. Yeah, sweet.

Oh, continuing with what my attorney said: I'm here speaking not representing anyone, including myself. And, man, I can't do that. Oh yeah, we're not going to do, like, any cool stuff here, so, you know, everything that's out there is already known. And I have no filter, so I'm probably going to offend someone during this talk. All right, like, brain to mouth, boom, there it is, right? So I'm sorry if I offend you; I didn't mean to.

Who's this guy? So I'm doing equipped on Slack or Twitter, also Brandon Murphy, and I'm not a Red Team guy, so I'm not an offensive guy, so, like, trying to break into a door is really outside of my expertise. But, as I was kind of cool, I helped found, like, the [unclear], and I'm also a semi-professional blowtorch barber, which means that I use a blowtorch to trim and fringe the hair on my face. It's pretty awesome, especially when you shave and then you do that. And I'm an infosec kid, man; like, I don't really know that much, you know. I know a lot of other smart people, so I just kind of follow those guys. Well, we, uh, I'm gonna skip that because it's totally not cool.

Ah, so how I got started. My motivation is kind of silly. So I started, like the guy said, by watching Mr. Robot, so this is the scene that kind of inspired all the work that I did, so hopefully I don't get sued by USA for showing this. Well, there's no audio, sorry. Just pretend that there's some cool audio; it doesn't work over VGA, so I apologize.
No, it's pretty weak [unclear]. So he's bumping into people, and you can see that he bumped into that one person really hard, and he's pretty cool; now he's like, oh yeah, we got it done. And then they clone the card, and then they're able to break into Steel Mountain, at least the first layer of Steel Mountain, right? So I was like, heck yeah, man, I want to break into a data center, that sounds fun. So then after I watched that, I was like, hey, I don't know anything about this crap, so let's do a whole bunch of research, right? So first I was like, all right, RFID cloning videos, right? I knew I needed to learn from other people, so I did that, and then I got a little bit more particular and started looking for previous DEF CON talks, so there was some really good research there. And then I was like, all right, let's go buy some. So let's just search for RFID cloners, and there were, like, these $10 little Chinese-made RFID cloners: you hold them up to the card, clone them. So that was kind of fun. And then, oh yeah, I went to eBay and then I just started buying; like, if it was under ten bucks, I bought it. So that was kind of fun. My wife left me. But then I got kind of serious about it.

So there are a lot of cool people that did some research. So this particular slide, like, this research slide, I don't know how old their talks are, but I have, like, a whole bunch of DEF CON videos and slides from people that are way smarter than I am that I actually used for this talk. So I can't really see my slide, but this talk is from 2006, where they're talking about implantable RFID devices and how they were able to clone them. So I thought that was kind of cool, going back to 2006. And then this guy Jonathan, he did a lot of the research that I used, like how RFID cards work and some 101 stuff.

And then a lot of the work that I'll talk about was originally done by this guy that runs Proxclone, but it was kind of, like, a double-edged sword, I guess, maybe. So he did a lot of work; he actually demonstrated that the stuff could be done, that you can read an RFID card from feet away and clone that. But unfortunately he released the schematics but no source code, so you could get an idea of what's feasible but you couldn't actually do it. And so these other guys... yeah, so that's an image of what he created that could read from approximately three feet away. So it's actually using an HID reader that's designed for, like, parking garages, stuff like that, and to clone them. Oh man, that was really important, sorry. And so I was like, hey, this is kind of cool, I think this is what I want to do, but there's nothing there, nothing for me to do there.

So then I found this thing which is called a Proxmark3, and so this one is the same one from Vella Cal, so this kind of gives you a size reference. It costs $212 shipped from Hong Kong, and it works phenomenally, and it does both high frequency and low frequency. It was a little shady paying the guy, but it worked out fine; they shipped it to me.
So after, you know, I started doing the research, I'm like, all right, let's just continue buying stuff. And so I went from the eBay stuff and did more expensive stuff, and this is the thing that everyone said that you need; like, if you want to do cloning and RFID work, this is what you need. So anyway, all right, let's do it. So then other people are like, hey, if you want to do NFC then you need this Chameleon Mini. So there's a really good talk where these guys hacked... well, two hacks; they exploited a vulnerability within some subway systems that allowed them to ride on the subway for free, so they could, like, reload their NFC cards with subway credits, which I thought was kind of cool. So that's the Chameleon Mini.

So then, while we were out at... which one is this? Yeah, so when we were out at DEF CON we got exposed to this RFID cloner, which is an EM4100 cloner. I don't even know what EM4100 is, right? Like, I'm a total skid; I have no idea how this thing works, but I know on some particular cards this thing works. So you hold up the card to it, you can save it to a slot, there's 16 slots, and then you can replay that card, so you can go up to a reader and, like, replay that one. So I thought that's kind of cool. Again, links to all the guys that actually did that work.

So the problem with all of these is that you have to play a game of grabby-grabby in order to grab someone's card, right? And so I'm not a big fan of being charged with sexual assault when I go up and grab someone's back. So, another is like, we need to find a better solution to this, and that's where the... oh, so I'm going to come back to that slide, slide number 12, I got it. So that's where things like the Tastic RFID Thief come in; that was released by Bishop Fox, so Fran Brown kind of released this at DEF CON in 2013. And this is... so what you saw on the Proxclone website, this is pretty much the same thing except it's totally open source, so I was able to make one. So, like, it's kind of delicate, not really glued down or anything; I'm totally getting radiated with [unclear] there. Well, this is kind of what that looks like, and I'll show you. It's supposed to read from three feet away; hopefully I won't have any problems [unclear]. Sorry, it's probably in the video. And so I wanted to make one of these so that I didn't have to play a grim game of grabby-grabby. And since this thing has been released there have been a whole bunch of other ones that have been made.

So I had a really hard time actually sourcing parts for this. So it's based off of an Arduino Nano, which was not for sale anymore, so I had to buy it off of eBay, and it uses a screen that can't be made anymore. So these people have actually improvised, because it's all open source; they've improvised and improved on it, so there's one that has a Wi-Fi hotspot on it, so you connect to the Wi-Fi hotspot and then you can see all of the cards that you've read. And I'll try to give a demonstration of this, not the Wi-Fi stuff. So there's all sorts of ones that have been improved: the Wiegotcha, the Prox Thief, as well as a Boscloner. So the Boscloner, at the bottom, is like a full-fledged reading and writing solution, so if you want, like, the turnkey solution, go buy a Boscloner. Now they're like fourteen hundred bucks, but you can walk within three feet of someone that's got a card and then hold your writable card up to it, and now you've got a clone, so go walk in the door right behind them. So that's kind of cool, whereas this one, you'll see, you have to, like, take an SD card out and make a clone.

So, RFID explained like I'm five. So we'll go back to slide 12 now.
All right, so this guy, his name's Steven. He gave a talk at DEF CON in 2012 about prox cards. His talk was good enough that I literally just wanted to steal from him, and give the guy credit, obviously, so I borrowed the slides, but go find his talk. I have a link to it in here; they're out on SlideShare. But if I were to give this talk again, I would actually just ask him to come up here and give that talk, because he was phenomenal.

All right, so, explain it like I'm five. So there are really two types of cards that I've worked with: low frequency, which works at 125 kilohertz, and high frequency, which works at 13.56 megahertz. So normally the most common stuff that you're going to see there is HID working at low frequency and NFC working at high frequency, and I'll show you kind of both of those. The reader actually powers up the card, so, like, when we talk about wireless power: these cards, the normal access cards like these little guys, they don't have batteries on them or anything, so when you put them into the field of the reader, it reads it. So it actually powers up the card when it comes into the electromagnetic field of the reader. This one's having some power problems right now. And it powers up the electronics in this card and does some magic to, like, put out binary over the air, so the reader actually reads that interference. And who's going to... cool. There's all sorts of other cards that are out there, but I'm going to talk about the ones that I always see.

So you've got HID, which works, generally speaking, like this. So the card has some identifiers on it, and so there's normally a 26-bit card; it's the most common one that I see. You'll find some other bit formats in there. That has a facility code, which is... there's 255 available facility codes, and then the card ID, and you'll see this kind of when I demonstrate making a clone. And then there are some other formats, like employee numbers, and if you pay HID enough, then they'll guarantee you the uniqueness of your facility codes. So it's kind of interesting, right? So originally they started at 26 bits. They were like, okay, we'll just start at number 1 and work up until we've populated all 26 bits, and so that only leaves, like, a couple million card identifiers. So there's a good chance, if we're both in Des Moines and I work at company A and you work at company B and we both start at card number one, and I have card number one and you have card number one, I can go up to your door with card number one, I'm you, and I'm in. And so they added the concept of a facility code to help combat that, right? So now there's 255 unique facility codes, which has fewer card values, but now you're more likely to have a unique card within your geographical area. If you pay HID enough, then they'll actually guarantee you a unique facility code; that's a Corporate 1000 card.

But this stuff's all boring, man. So what you really need to know about RFID is that the output is called this Wiegand format. There's a whole bunch of history about this guy that created this, discovered, anyway, just, like, a physics anomaly about the way that electromagnetic energy reacts. I don't know, man, I don't know anything about it. But what I do know is, over a wire you have two wires, a Data 0 and a Data 1, and both of them are sitting at 5 volts. When we have a zero, Data 0 goes down to zero volts and back up for a time slice, so that represents a binary 0. When you have a 1, then Data 1 goes down to 0 volts and back up. So that will become important in a little bit, because if you can't make a clone of the card, then you should attack the reader. And so they have these hardware implants that will read the Data 0 and Data 1 in there.

And so this is an example of... the picture is an ESPKey, which was actually just released at ShmooCon in January by this guy named Kenny; all the credits are in the slides. And then you've got BLEKey, which came out a little bit before; it uses Bluetooth. So the whole concept of these is that if you can't get access to a card, attack the reader. So I don't know if anyone noticed walking around here, but each of these doors in the room has a reader, and if you feel on the bottom, they have a screw. So if you unscrew that screw, you can pop open the reader and expose all these wires. So you put in this hardware implant, you leave it in there, you come back with your phone and you connect to the hotspot, and now you can say, oh, yesterday someone had access to that room; I'm just going to replay that guy's card. And then over that Wiegand output it sends it off, and then the door opens. So it's pretty cool.

Like, I thought hardware implants were kind of interesting until I met these guys here in Des Moines that took hardware implants to the next level. And so these guys are pretty cool; they actually got these injectable RFID tags into their hands, implanted, and kind of mixed results on that. I think they're still trying to figure out, I think, how to program them. There were some minor issues there, but I'm sure they'll figure them out, and if not you can just surgically remove them, right? No big deal. Yeah, yeah, you get two tries at it. So it's cool.
Let's see. And then, demo time. So we're going to give this a try. My buddy Nick made this cool little document camera. Oh wait, hold on for a second. All right, let's see what I actually had. So the first thing that I wanted to do is demonstrate the Tastic RFID Thief. So I'm having power problems, right; the demo gods weren't very nice Tuesday, and normally this thing works. So this is an HID reader, like, straight up [unclear], right? Like, you pull up to a parking garage; it reads from three feet away, right, so, like, you don't have to be so close to them. So when you take the cover off, you know, it looks something like this guy, and so what I've done here is made that Tastic RFID Thief. So here's the Arduino; it has an SD card and an LCD display that would normally work fine. Now's the time to use a document camera. Thanks, Nick. Sorry, my screen is cracked, so you'll just kind of have to deal with a bad camera. Uh, so this is what this guy looks like. It's powered by 12 double-A batteries, and so you have the LCD, which would normally show the cards that are being read, and the Arduino. And so instead of this, like, now the newer ones have the ESP8266 wireless access point that you connect to. So the idea is that you can read a card quite clearly, and it's supposed to work from about three feet away; you might see some power problems, so that's about as close as you're going to get right now, I don't know; normally it's, like, way up here. Demo gods, right? And then it writes it to an SD card, and it provides you all the information that you need to make a clone. So I'll demonstrate making a clone now. So I'm going to use the Proxmark3 for this guy, and...

And now you guys don't care about me. I don't... oh man, I cannot see that at all. Cool. Cool, all right, sorry. While you guys were just watching me that whole time, that's creepy. All right, so, oh my gosh, I cannot see this. All right, I'm gonna duplicate my screens.
You guys see what I see now? Cool. All right, how does that look? Do you guys need bigger text? You can see how well prepared I am for this stuff. Oh yeah, sweet. So what we're going to do is start the Proxmark client. So the hardware has a client, right, so you have to install and compile this client. Let me scroll down. So what you'd normally do in this scenario is use that Tastic RFID Thief to read the ID; in this case I'll actually demonstrate using the Proxmark to read an ID. So this is a readable, writable card, so we use low frequency. So there's two antennas on this, so, like, directionality and stuff like that matters. So we'll do low frequency HID, and then we're going to put it in a mode where it just reads cards. And so now, if I hold my card up to this reader, you can see that card number, and take it away, it stops, right? So what we care about is this hex value here, which is the unique identifier on an HID card. So to clone that guy, I'm going to copy that: low frequency HID clone, paste that identifier. And I'm going to grab a different card altogether here. Before I do that, we'll put this back in read mode. So this is going to be a different identifier; so this is the card, there we go, that's a goofy tag. And now we're going to clone that original card onto this guy, put it back in the read mode, and there you go. So now that's a cloned card, right? So the whole idea is that I use that Tastic RFID Thief and I do that from three feet away. So, well, so, they have... next. I don't need presenter mode anymore. Sweet. So, RFID-tastic.

Oh yeah, so NFC cloning. So this is pretty cool. I had the opportunity to stay at a Hyatt, and so they gave me this card, and it was actually my anniversary. I feel bad for my wife because I was out for, like, three hours trying to crack this card, and I got it, and so I wanted to show you guys this. So NFC is kind of interesting; there are actually all sorts of different types of protocols that you can put on these cards. So I figured it was a high frequency card because none of the low frequency stuff was working, and so you do a single high frequency search. So what that does, it just kind of scans everything and tries to find a card that Proxmark knows about. And so, how are they... yeah, must be working now. So we do a high frequency search and it finds a card. So the important part, generally speaking, is going to be this unique identifier.

So one thing to know about the Mifare: so this is a Mifare Classic 1K card, which means it has one kilobyte of memory. So the interesting thing about this is that the UIDs are supposed to be non-writable, so I can't take this card and... I can write over every block, every byte in this card, except for the UID. So what you do is you go on eBay and you buy an NFC card that you can write to on that block zero, which means I can make this card, a magic UID card, be any card I want it to be. But first we have to learn about this card. So they actually have encryption on the NFC cards, in this particular Mifare Classic, but as many encryption algorithms go, they get cracked. So I'm going to perform the crack on this and we're going to actually clone this card. So the methodology that they use is to check the card for known keys. So the NFC... it has a bunch of different... this particular one has multiple sectors that are made out of blocks, so there's 64 blocks on this particular card, and if I know the key to one block on this card I can find the key to all the other blocks, which then allows me to decrypt, and use this key to read all the data off this card. So I'm going to cheat a little bit, just to make sure that the demo gods are happy with me, because they're pissed off at me right now, and my [unclear]...
...in this [unclear] is really well with the whole, like, script kiddie thing, right? I don't quite know what I'm doing; I think I kind of know what I'm doing; it works. Wow, [unclear], sweet, cool. So what we tell it to do is to check for all of the known keys that it knows. Yeah, sweet. So this command checks for blocks with known keys. [unclear]... oh sweet. I'm a script kid, man: copy and paste until it works, right? That's my motto; it's how I win CTFs. So we've got to hold the card up there, so it's going to read the card, and you'll see it. So there's 12 keys; they're kind of flying past as it goes through each block and finds a valid key. So that's kind of the part that we care about. So we know that there's a default key here of FFFFFFFFFFFF; there's 12 of them, and we know that the first one that I found is on sector 2, block 11, and it's key type A. That's all I care about, so we're going to copy that guy, and now what we're going to do, oops, wrong way, is tell it to do a nested attack. So one of the nice things about Proxmark is, like, you need help, right? It's just right there. So high-frequency Mifare nested attack, which takes that known key and will figure out all of the other keys for the other blocks. So card memory: it's a 1K; the block number is 11 and it was a type A key; paste that bad boy in there; and we do d, and what d does is it dumps it out to a file; you see, "write keys to binary file". So we hold that guy up there, and this will only take a few seconds. So it's going to go through and find the blocks for all the other keys, I'm sorry, find the keys for all the other blocks. So at this point my wife's like, hey, we're gonna go to dinner tonight, and I'm like, I'm so close, just a little bit more googling and I'll figure this out.

And so at this point I'm like, all right, I think this is working, like, I think this is going to work. So I got to this point, I'm like, all right, well, those are different keys than what I started with, so that's cool, but it still doesn't get me anywhere closer to having this key be my hotel keycard. So I'm like, well, I don't know what else to do, so I keep on googling around, and what I find is that after I dumped the keys, what I need to do is actually use those keys to now dump the data off the card, right, because there's 64 blocks on this card and I need all the data to make an exact clone. So I'm like, all right, high frequency Mifare, how do I do that? So there's this whole, like, dump, right; I'm like, oh, all right, Mifare dump, let's try that. So hold this guy up there again and now it's going to use those keys and dump the data off the card onto my desktop. Super exciting, isn't it? Sweet. Guys, we're getting there; we're getting there. All right, so now I have this data and I'm like, all right, well, I don't know what to do with this. So I've googled around on the Proxmark forums, this great resource, and I found this thing. So this Proxmark actually supports Lua scripts, so there's one that's, like, dumptoemul. So it's for emulation, is what I gathered, and so it takes this dump data, this dumpdata.bin, and puts it into a format in which the Proxmark can actually now emulate the card. And then what you do is you say, hey, man, now that I have that, I need to load my dump into the magic Chinese card. So we do a cload, and if you just do nothing, it asks for help, you know, like, it gives you the help. So Mifare cload, and I gave it the file. So a little bit more copy and paste. Oh man, I hope you guys won't see CTF secrets from my Slack popping up. Copy that guy, so now it's going to go read that and it's going to put it onto my magic card here, and I hope this works.

All right, well, that seemed to work. So let's do this again: read the original card; there it is, you can see the unique identifier. Read my card; the unique identifiers are the same. So we've successfully cloned this card. So now, if I go up into my Hyatt hotel room and I use this card, it works just fine. So I tried to actually figure out, like, is my name on this card, is my room number on this card, and as it turns out it doesn't do that, so at least in this particular case, I still have to know the room number. I'd love to know, you know, how to get in that room, but I thought it was an interesting exercise.
And after that, my wife and I went out to dinner and she didn't care. So that's an NFC card. What else do they have? Oh, so I did all of that, right; I was, like, three hours into it. So we come back from dinner and I'm feeling pretty good, and so I sit back down at my computer and I'm like, I wonder if I really needed to do all that. And so what I learned was, looking through this whole, like, csetuid, set UID on the magic Chinese card... and so I'm like, all right, well, what happens if I just take this UID? csetuid, get the help there, right, all right, so it expects a hex value of the UID, paste. So the first thing I'll do is, let's do this, let's just write a different UID onto my writable card. I forgot my command. So you csetuid, so now you can see the old and the new; put the guy back; well, let's do this search, so now you can see... oops.

So as you can see that, uh oh, jeez, did I break it? Well, here it is: dead beef. So now we just rewrote the unique identifier, and as it turns out that's all that Hyatt cares about; they don't care about all the rest of the data on the card; all you need is that unique ID. And so when I found that out I got even more excited and I woke up my wife, and [unclear], but, uh, so yeah, I'm, like, opening and closing the door. It was fun, though; I enjoyed it. So that's really all that's required, like, you set that unique identifier and that's all that they use. So that's enough, see.

So the cool thing is, so then I started collecting these little cards, NFC cards. I'm like, if you see it at a hotel... hey, if anyone is staying out of town, stay in a hotel and you have an NFC card, give it to me, okay? Fine, I promise. So I did that one time; I asked people for their card and they gave me the Sheraton card, which is pretty cool. So I was like, all right, it's got to be another high-frequency card, so let's search for that guy, and this kind of gives you an example of all the different protocols that are on the card. So you can see that this one is a Mifare Ultralight EV1 with 48 bytes of data, and so here's that unique identifier. So the cool thing about these magic cards is that they can be whatever Mifare card I want them to be; they're programmable in that nature, so I can say, hey, Mifare, right, this will be an Ultralight card; it's going to be an Ultralight card. They also make very particular cards that aren't quite that variable, but it works great.

So here's... man, I hope I don't regret this later on in my life, but, so, like, your credit cards, right, they also have RFID on them now. Ten years from now this is going to bite me; hopefully... I should probably just change my credit card after this. So they also have RFID on them, I'm sorry, NFC on them, but they use yet another protocol. I've found that these are a little bit more touchy. Oops, there you go. So this one uses DESFire 4K. I have no idea what that is. I think it uses real encryption; all of the research that I've done has indicated that these things aren't crackable with today's technology. So hopefully in 10 years I've gotten a new credit card, and this is going to be a big deal, because we all know that encryption is designed to only last for its meaningful time, and so this expires, you know, sometime in the future. That goes back to my wallet. But, you know, like passports: so I actually compared it to my passport; well, it uses the same technology, so hopefully this stuff's good.
So, some defenses, right? So that's actually the end of my talk; I don't have any more slides for you guys. So, some defenses. All right, they actually make RFID-protecting wallets and shields, things of that nature. So we tested out two of these today that advertised that they were good shields, and they weren't; in fact, the Proxmark read them fine; put them in the shield, put them up to it, I read it just fine. What I've been told, I haven't tested this, it should be relatively simple, is aluminum foil around your cards, all right, creates a little cheap Faraday cage that works, so I've been told by some guy on YouTube, so I know it's true. There was one, no, like, we actually put it in a metal enclosing case and that one worked fine. So there's another guy that had an RFID-shielding wallet, so it's like a leather wallet but you open it up and, like, the lining of the wallet has, like, some shimmery stuff on it, and I tried that initially, like, months ago and I couldn't get it to read, but today we tried it and it worked just fine. So, you know, I guess maybe you get what you pay for. Use some common sense. The one thing that I'm always particular about is... don't use... I kind of want to pull up this guy's slides, but I want to do it to them, but they talked about, like, men carry theirs in their back pocket, right, or it's on their side or their lanyard, right; women will carry a lanyard or it's in their purse or it's in their wallet. But the question that I have is, why carry your card if you don't need it? Don't carry it; leave it in your car, man. Like, the read distance from that, from three feet away, I can't hold that up to your window and read it from your center console, right? So if you don't need it, if you're going out to the bars, you don't need it, so stop carrying your stuff. And be suspicious, right; like, if I come up and I'm standing right behind you at the men's urinal, like, kind of wonder what I'm doing, or, like, protect your wallets. So, yeah, that's pretty much all I got. I'll take any questions if there are any, but I don't really know any answers, because I'm just a script kiddie. So what's up, man?

There's no idea... we were talking about... you got one? Bring it up, let's... come on, man, let's do it. I want to see this. Is there metal in the card? Let's see that. Oh, so this... oh wow, that is a nice card, man. No, it's not... they're doing it, it's not just this, that's, like, I don't know. I just look at my camera. No, yeah, that's right, I don't know. But it's weird to give them, like, mail it back a bit, shredder, person, really? Can I try reading it? I don't think that this actually has any... there's no, um, yeah, I don't think there is. You want to try? Okay, all right, let's hurry, man. Sweet. Hey, how about a round of applause for this guy? He's, like, living dangerously. You want to, like, stop the recording or anything, just in case? Okay, can we do that? Should I just...
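Editor's added example, not part of the talk above and not code from any of the tools it names (Proxmark3, Tastic RFID Thief, ESPKey, BLEKey). The speaker describes the 26-bit HID card as a facility code plus a card number, and the Wiegand wire as two lines, Data 0 and Data 1, each pulsed low for one bit. The block below makes both concrete: it assumes the standard 26-bit layout (H10301: one leading even-parity bit over the first 12 data bits, an 8-bit facility code, a 16-bit card number, and a trailing odd-parity bit over the last 12 data bits), encodes and decodes that format with parity checking, and turns the bits into the D0/D1 pulse sequence an implant on the reader's wires would capture. The sample facility code and card number are constructed for the demo; the Proxmark's own hex printout (which prefixes a format-length sentinel) is not reproduced.

```python
"""Wiegand 26-bit (HID H10301) format: encode, decode with parity checks,
and the Data0/Data1 pulse sequence a reader puts on the wire.

Assumed bit layout, MSB first (bit 1 is the first bit sent):
  bit 1        even parity over bits 2..13
  bits 2..9    facility code (8 bits, 0..255)
  bits 10..25  card number (16 bits, 0..65535)
  bit 26       odd parity over bits 14..25
"""

FORMAT_LEN = 26


def _popcount(value: int) -> int:
    return bin(value).count("1")


def encode_h10301(facility_code: int, card_number: int) -> int:
    """Return the raw 26-bit value for a facility code / card number pair."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    data = (facility_code << 16) | card_number      # the 24 data bits
    left, right = data >> 12, data & 0xFFF          # bits 2..13 and 14..25
    even_parity = _popcount(left) & 1               # makes bits 1..13 even
    odd_parity = (_popcount(right) & 1) ^ 1         # makes bits 14..26 odd
    return (even_parity << 25) | (data << 1) | odd_parity


def decode_h10301(raw: int) -> tuple[int, int]:
    """Return (facility_code, card_number); reject bad length or parity."""
    if raw < 0 or raw >> FORMAT_LEN:
        raise ValueError("not a 26-bit value")
    even_parity, odd_parity = (raw >> 25) & 1, raw & 1
    data = (raw >> 1) & 0xFFFFFF
    left, right = data >> 12, data & 0xFFF
    if (_popcount(left) + even_parity) % 2 != 0:
        raise ValueError("even parity check failed")
    if (_popcount(right) + odd_parity) % 2 != 1:
        raise ValueError("odd parity check failed")
    return data >> 16, data & 0xFFFF


def to_wiegand_pulses(raw: int, nbits: int = FORMAT_LEN) -> list[str]:
    """Bits MSB first: a 0 is a low pulse on Data0, a 1 is a low pulse on Data1."""
    return ["D1" if (raw >> (nbits - 1 - i)) & 1 else "D0" for i in range(nbits)]


def from_wiegand_pulses(pulses) -> int:
    """Reassemble the raw value from a captured D0/D1 pulse sequence."""
    raw = 0
    for pulse in pulses:
        if pulse not in ("D0", "D1"):
            raise ValueError(f"unexpected line {pulse!r}")
        raw = (raw << 1) | int(pulse == "D1")
    return raw


if __name__ == "__main__":
    raw = encode_h10301(100, 1234)                  # constructed sample card
    print(f"raw 26-bit value: {raw:#x} = {raw:026b}")
    print("decoded:", decode_h10301(raw))
    pulses = to_wiegand_pulses(raw)
    print("wire:", " ".join(pulses))
    print("reassembled from wire:", decode_h10301(from_wiegand_pulses(pulses)))
```

The parity checks are the practical reason to decode rather than just replay: a pulse captured with one bit missing or flipped is rejected instead of being turned into a plausible-looking facility code and card number. Replaying the raw bits, as the reader implants in the talk do, needs no decoding at all, which is why the speaker's "attack the reader" approach works regardless of the format in use.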