
Keynote speaker Iceman

BSides Tallinn · 59:43 · 532 views · Published 2024-10
Style: Keynote
About this talk
Christian Herrmann, better known throughout the hacker community as “Iceman”, is a co-founder of RRG and helped produce many of the most common RFID research tools available today, including the Proxmark3 RDV4 and Chameleon Mini. He is an RFID hacking and Proxmark3 evangelist, serving the RFID community as both forum administrator and major code contributor alongside other community developers since 2013. He has spoken at hacker conferences around the world including DEF CON, NullCon, Pass-the-Salt, BlackAlps and SaintCon. He has provided bespoke software development services for over 14 years, specializing in .NET platforms, and is a Certified MCPD Enterprise Architect. Christian Herrmann has nearly unmatched knowledge of Proxmark3 architecture and a variety of RFID technologies, and was an instructor for the Red Team Alliance (RTA), which also included Black Hat trainings.
Transcript [en]

Okie dokie, it's time to be shocked that we are ahead of time. Microphone: this is the microphone, be afraid of the microphone. You're telling that to me? Okay. All right, for those who didn't hear what he just said: this is the microphone, don't be afraid of the microphone. Did I get it right? Amazing. And now you're taking the microphone away because... no, I don't. You can practice your throwing skills. Amazing, wow. See, this is what grown men do in Estonia, throw things at each other. See, it works great. So we killed another minute of the time we're ahead of. Let's do that. Always work for your money, that's what my mom keeps telling me, because I'm

the unemployed son of the family, so you know, she has to remind me all the time. But moving along, our next speaker. I have to be honest, when I saw his name on the list I got a bit worried, because the last time I heard that name it had something to do with heavyweight boxing, and I wasn't ready for that. I'm not in shape to go up against anything, I mean, I get beat up by my mom every day. So we're not going to do boxing, but then it turned out that, no, it has to do a lot with it. It's going to be the keynote speaker of this year. Are you [Applause]

excited? Great, that's a good Estonian level of excitement. Maybe a bit too much, but we're going to work on it. So this year's keynote is going to be about RFID hacking and the security of the internet, I presume. We're going to find out more from the speaker, so without further ado I would like to invite on this stage Mr Christian.

[Music] Holy moly, that was nothing that I was surprised to do. It's a little bit too early, isn't it, as well? Damn, I curse a lot, so I hope you don't worry too much about it. I thought I was going to get some time to prepare myself with some stuff here, but I wasn't, so I'm going to do it now instead.

Cool, it works. All right, I'm

Iceman, and this is the first... it should be a keynote, it should be the first talk of the day, but it's not, so that was a little bit surprising as well, but I guess that's the Estonian way. Anyway, I do RFID stuff, so the question is: what do you know about RFID? No? Nothing? A little bit? Okay, you know a little bit, perfect. What do you know about RFID hacking? Flipper? Flipper here, it's a good start, it's a good start. All right, do you know anything about Proxmarks? Have you been doing pen testing of physical access control systems? No? Okay, cool, okay, we're set there, nobody knows anything, perfect, perfect, perfect, perfect. Give me

some seconds here, I'm just going to put up some

stuff before we kick it off. We're going to kick it off, don't worry, we're going to get there. Yeah, that beeps, perfect, great, beeps all done. From curiosity to cloning, yes, so this is my journey into RFID hacking, and I'm going to tell you a story of how it was. It's kind of strange, because I ended up being, you know, like a front person for RFID hacking, and I don't know how that happened, but I can tell you about my story though, so that is what I'm going to do. And why do we do these things? Why do we do it? Yes, because the adversary out there is going to know very much more

about RFID hacking than anybody else, and I'm one of them, so it's better to teach people how to do it and be aware of things. And then you as vendors, I don't know if you represent the vendors in here or if you represent the hackers in here, but on either side of it you still need to understand that you need to see what's wrong with your product and get a feeling for it, and how the other side works. It goes both ways. Whoa, this is me, this is what I'm famous for, this here, Proxmark3 RDV4, the repo, and if you ever saw that logo somewhere, that's me, still. That's my little silly shirt. I'm very serious and

I'm at DEF CON, very boring. And I ended up in this world because of... I have no idea. The story is like this, I'll tell you a little story about it. I was depressed because I was going through a divorce, and computers have always been the most joyful thing in my life, I always loved computers. I felt like, ah God, I lost it, it was all dark and black. So I thought to myself, I'm going to be a little bit naughty, I'm going to do something for me, I'm going to buy a hacking tool. And it happened to be, as I'm from Sweden, from the northern part of Sweden, that they had a hacker group there doing research on the bus

transport ticketing system there, and it was a MIFARE Classic system and they were hacking it, and there were these articles about it in the newspaper. And I'm coming from Gothenburg, and that city also has the same system, so I thought like, oh God, that would be interesting, you know, you take this thing, you put it on a reader and it bleeps and you can go on the bus. How does that work? It's just magic. So you Google a little bit and you find the word Proxmark, and then you Google a little bit more and you find some dodgy Chinese site, Alibaba or AliExpress or Taobao, I don't know, and then you have to pay 300 US dollars. This was back in

2013, and doing that, having never done anything with anything like embedded or hacking like that before, I was a little bit surprised. You fill in the order, two weeks later you get a package, you're happy like a little boy, and you take and open that package up and it's a naked PCB. Now what? And it's two antennas, and you're like, huh. And you go, I've been doing computers for 40 years, I'm going to sort this out, don't worry, I'm going to do this. You start looking at something, it says MinGW here, okay, sure, a Linux environment, I don't have it, I'm running Windows, [ __ ] it, I'm going to do it. And you start plugging things in, nothing works, and you fail.

Then you end up in the Proxmark forum, that's an old-style forum place where we ask questions, and when you're there they go and ask you, did you follow the guide? No, because I know this [ __ ]. Oh no, I don't know this [ __ ], but anyway, I try to know this [ __ ]. So I do this and I keep on doing it and I'm failing, because it doesn't work, it doesn't compile, nothing works, like [ __ ] it, and it's like the frustration. So I pack the [ __ ] bag up again, put it on a shelf, I have a little shelf in my office where I sit, and

it sits there and I'm sitting there, I'm sitting there. It's like a cat, where you have a love-hate relationship, where the cat lies down there and looks down and despises you, what you do, like that. And you look up and you're reminded about your failure, because I wasn't curious enough to be humble enough to learn. So I had to wait until I was humble enough. It took me not one month, not two months, it took me six months before I was like ready to learn again. I was like, okay Iceman, you spent so much money on it, let's make a second try, right? Put that stuff down again, let's follow a

guide. Oh, it compiles. Flashing, what's that? Whoa, it flashed, whoa. You start getting all excited, you're running this command line interface, this one here, and you go like, where's my bus ticket? You run up, get it out and put it on the antenna and you run this attack. There are always different attacks in the RFID hacking world, this one was called the darkside. So I type in this command, hf mf darkside, and you press enter and it says, trying to recover key, 25 seconds average run time, and you go like... and about 25 or 26, 27 seconds later a key pops out. And I can still remember that feeling I got when I cracked that first

key, that dopamine rush. I was like, I'm invincible. I was cursing there, but I didn't... that was an intense feeling, and I can still remember that feeling today, and that's why I'm still into this world. And that feeling there got me so curious and learning all the stuff that's in this world of RFID hacking that I ended up being Iceman. I ended up being a maintainer of a repository, we have about 19,000 commits and I have around 9,960 commits, that's about 53% of it, that's a lot of code during the years. You can see it all there, you can see in the next one doegox, so that's Philippe Teuwen, he's really good by the way, he's about 2,500 commits, and you

go wow, are you that into software? Kind of, kind of, you know, you want to learn, you learn. RFID is so much more, RFID is so much more than everything else you think it is. It's not just physical access control, because you guys have it, you have low frequency antennas or cards for the normal entry systems, you have high frequency for the bus ticket system among other things, you have it in your passports, you have it in your payment terminals when you bleep and go or touch and go, you have it everywhere, you just don't know it. And that's the whole rabbit hole of RFID hacking. I did not know this before, but oh boy, was my world about to

change. It's actually led me all the way here, imagine that. When it comes to RFID hacking, the first thing you do is you realize the complexity. This you see here is a chart that Fish made last year that just tries to describe the different credentials that a physical access control system by HID looks like. That's just one vendor, one area of things, that has all this stuff in it. It's frustrating as hell. So learn the tools of the trade the hard way, that's my favorite expression, that's from Fravia, he did Searchlores back in 2000. I don't know if you ever were there, the old school hackers in the house, you should know about him, because

you went there to learn about things, you know, they showed you how to crack stuff, and it was like, oh wow, great. I took that with me, I took that feeling when I was into this community of RFID hacking, and I'm going to be like, I'm going to be into this, I'm going to learn stuff. So first things, all the damn tools. You need this, when it comes to hacking it's always about the tools, you know about that. How many of you guys has too many tools? One, two? You're lying, all of you, you are so lying, you're so full of it. Anyway, this is a normal thing you use,

this one, with libnfc. If you do that system, which is HID, an encoder, the CP1000, this is another encoder, but it's just a reader, classic ones. Development boards, you can use these ones with a Raspberry Pi or Arduinos, you put it on, you put some open source libraries on, libnfc for instance, good to have to play around with. You have an RFIDler. RFIDler is a low frequency only tool developed by Zac Franken and Adam Laurie, and they made a really good toy. My antenna connector sucks up there in the corner if you see it there, but it runs there, and it also does this amazing

part of Hitag 2 cracks, that's really good. Coming into the Proxmark world, ah god, this is my world, this is me again up there. So up here you see all the different versions of Proxmarks. It doesn't matter which one of the Proxmarks you buy today, it's all different price ranges, but buy one that has 512 kilobytes of flash on it. Remember, and repeat after me: 512 kilobytes of flash, and you never go wrong, whatever the price, whatever you do. If you buy an RDV4 it's very pricey and expensive, and I've been in that development and in that group, but it's good if your company pays for it, it's quite high quality. The rest

of it just works as well. It started out down here, so the guy who did this one, the RDV1, RDV2 or RDV3 Easy, and 4, that's the same guy, his name is Proxgrind. You're going to hear him a lot because he's really good in hardware. Then that's another tool, have you ever seen this one before? I can't hear you. Yes? See, you do know about Flipper hacking, I knew it, see, don't lie to me. That's an interesting tool. Yes, I'm mentioned there as well. He and his team, Alexander I think, took up this tool that is really amazing in the sense that they brought

six other open-source projects and made a really nice form factor. It really makes you go, it's playable, is this gamification? And it's cute, and it has this open source software where you can see all this stuff and change it, and that triggered something that you call the firmware wars. If you're into Flippers you realize you're going to get a question: which firmware are you working with? And that's even worse than the Proxmark world, because in the Proxmark world there's only one, and that's mine. In this world it's like four, and the two you should look into: the official one, because that's very well maintained, and then another one now

is called Momentum, that's a really good one. So those are the two, if you're going to deal with it. And if you look at this little thing here, it has an extra board onto it, and I will mention that one a little bit later on. Chameleon is another tool, you see how many it is, you're going to feel it already, how many it is. So the Chameleon here is developed by the Kasper brothers, the KAOS brothers, and they made a tool that simulates HF, the high frequency of RFID, only, so that's what we do there. It's different versions of it, you see this is also Proxgrind, Proxgrind did that one, that one, that one,

that one, and May did one, so he's Chinese, doing a lot of development of hardware, you see him involved in it. And that's the Chameleon Ultra, which doesn't make it fair when I'm going to show it to you, because you don't believe how small it is. That's how small it is. Now this one does low frequency and high frequency simulation of tags, you upload a dump of a file and you only emulate it with it, and it also does reading. So you have like eight slots on it, so it's like having eight different credentials on you, and it's kind of amazing how small you can make things, but it comes with a

with a price of you don't get much read range and stuff like that. It also comes with these Android apps that were developed by... it's a UI and an Android app, and the UI was actually made by a young guy, he's only 16 years young, he was 15 last year, but he did this UI for your apps. You download that, iOS, it's a Rust, no, Dart based thing, works on both, kind of awesome. Next one. I realize something: since you don't know much about RFID, do you understand the basic physics about it? No is the answer to that. Okay, great, do you want me to talk a bit about that? All right, cool, let's go back to that one. Okay,

let me hold on, we... so,

okay, so RFID is based on something called inductive coupling. Do you know what that is? No? I didn't know either, but it goes back to the 18th century, 1874, when Maxwell did his laws of physics, four laws, that talk about how the electromagnetic field runs. So if you have a copper wire tuned in and you push electrons, or you put power into it, a moving electron field, or moving electrons, generate a moving magnetic change. This is the electromagnetic field. So the magnetic field goes this way, this is the way that comes out from it, and the electric goes this way, perpendicular. So imagine that emanates out from that little antenna of yours that you have. So

if you have an antenna, I don't have an antenna, but you have a copper antenna, so the electron goes one way or another way and it pushes. Does this make sense to you? Imagine a big antenna, a classic T antenna, you have an alternating current, that means it goes one way or the other way every time, depending on the hertz. So you push the electron that way and it goes up in the end there and comes back and goes that way, right? The electron moves, that generates this magnetic field as well. So the field we're talking about now is nothing that you can touch and sense in that sense, it's a magnetic, it's a flux, it's something that just

permeates and exists, so it's a way of seeing it. And when those electrons move you have an electromagnetic field, and if you tune that to a specific frequency... the frequencies that are interesting for RFID hacking, or RFID, are low frequency, that's 125 to 134 kHz, high frequency, which is 13.56 MHz, and ultra high frequency, UHF, which operates about 800 MHz to 900 MHz. It's a clock cycle, how much it swings like that, oscillates. Now when that electron moves there it makes a little quirk in this flux field, and that emanates a wave out in the flux field. So Maxwell's equation number two is another one: if you take another

tuned copper antenna for the same frequency and introduce it into that reader field that you have here, it harmonizes. So now you have a magnetic field that harmonizes with the one that's generated here, and as soon as you have a harmonizing magnetic field you have moving electrons inside of the copper wire in this antenna. This is the inductance, this is how you transfer wireless power, and this is how we communicate. This is magic moonbeams. So RFID talks by squeezing and not squeezing the amount of power in this field, so we short it on the tag side. So you have a tag and you have a reader and you introduce it like this, the field

generates around here. Simple, right? Did that make sense to you? Oh, you physics guys, that's good. I'm not, so that took me several years to learn. So this is ultra high frequency, that's used for logistics, airports, you have it in luggage systems, toll booth systems, garage doors. And I heard this weird-ass story about this: in the US there was something about counterfeit tires for cars, and they forced the US government, it was forced to, I think it's called the Firestone event, so all tires now sold in America have to have a UHF tag. Let me explain why this is a big thing. Low frequency and high frequency are very connected, because it's magnetic,

inductive. Ultra high frequency, UHF, does not use that, it uses radio waves, so it's not passive in that sense, inductance, so you can do a very much longer reading distance. So basically every car with American tires is trackable. Let that sink in a little bit, like, huh, wait a minute. And then you think about the next thing: if you're into the Wireless Village at DEF CON, they keep on talking about different wireless signals, right? So your car has a Bluetooth system, it has Wi-Fi nowadays, it has everything, right? So that means that you can do very much fun things, not fun things, I don't know what you want to call it, but it

opens up very much more attack vectors about car hacking. And now we went from car hacking to RFID, oh wait a moment, there's more things. Car hacking also has immobilization systems and key entry, key fobs to enter the car, RFID low frequency and high frequency. Tesla is a high frequency car key. Normally it's triggered by low frequency when you're getting close to the reader, meaning the door, and then the car answers back with a 433 MHz signal. Back to dual frequency technology, but it's a crossover, the rabbit hole goes deeper. So you use tools like this, this here is popular. You see the tags, you can always see different kinds of tags, how they look like,

this is a typical ultra high frequency tag. Next step is, I want to clone things, and the market provides tons of cloning devices, and you need to know this [ __ ] as well, because they do all different stuff, they come in all different price ranges. And yeah, this is an old one, low frequency EM41xx tags only. This is more high frequency, this is as expensive as hell, this is Hitag 2, completely useless, I tried to play with one last summer, last spring, yeah, don't buy that one. And this one does low frequency and high frequency. It's very annoying, you buy it and you think it solves a problem, maybe it solves your

specific problem, but as you understand, this is many technologies, many different use cases, and these cloners are presented as the tool to solve it, and I swear to God that's not the case, they are lying to you. Field detectors, that's another interesting little thing to do. A field detector is something very simple: if you introduce one of these antennas with an LED on it, it starts flashing. This is the size of that thing, this is how [ __ ] it is, this is how big it is, it's kind of easy. Do you want to see how it works? I know the audio and light guys hate me right now because I'm doing

this, I'm doing this, I'm doing this. So this is a reader that's active, and if I present this to a reader, so you see it flashing there, little white lights, and if I go and look on this one it says high frequency. So this reader reads high frequency cards. So that's what you do with a field detector, you detect what kind of technology that reader that you're doing has. So if you're doing a pen test it's a very fast way to look at what kind of technology we have to focus on. Next step is to identify the reader in specific and look up the vendor and see what's known about it. Disruptive devices, this is the fun

part, this is when things go

boom, disrupted. Yeah, so this is an NFCKill and this is a USB Kill. This generates a massive EMP pulse that breaks cards like this. I used to demonstrate that to people, and you can see the card jumps like that and you see a little black dot on the white RFID card, and it's really fun, and sometimes you get a little smell from it. And then someone told me, if you do this and you put it to a reader, you know, you can see blue smoke coming up from the reader, because they didn't protect it, or we didn't design the hardware properly to do it. So yeah, that's really disruptive, and so you know, you can go and break a

reader that way. It looks like that, you have some big-ass capacitors, a battery to charge up, and then you send out the pulse through there, boom, and that's how it looks like. And the reader goes like, oh no, too much power, and then the card goes like, oh no, too much power, I'm dead. I think I also forgot to mention how that works, doesn't it, on the card side. On the card side it's an IC, for the low frequencies it's a very simple one, so it starts screaming out its ID, a five byte ID, something, normally different, over and over again, it's no security. Higher frequency cards come a little bit later, with iCLASS, more smarter, has

some own cryptos and even these dedicated crypto engines. This is why so many of the high frequency cards are cracked today, because people, really smart people, started looking into it 10 years ago. And then ultra high frequency, it's the same thing. Weaponized readers, do you know what that is? No? Yes, you do, you pentest, this you know. What a weaponized reader is, it is when you take a reader like this, you put a battery on it, and then you have an SD card or something like that, you store the data that comes out, the Wiegand things, and it collects all the credentials. So what you typically do in an assignment is you look at the company you're

going to attack, you look at, you know, you watch what kind of readers they have on the wall, you go and buy the same stuff, you go on and see if they have the longest range reader you ever can find, you take that one, smack on one of these little baby circuit boards next to it, and then put on the batteries, and then you go put that in a backpack, and then you go around hunting for credentials, right? That's how that works, kind of simple. It's a very famous talk from Fran Brown, Fran Brown 2013, and I think you should watch it, it's really good in talking about it. That was improved, his design there, last

year by Fish. There's also the ESP key, that's put into the data wires, it works, it opens up, it's kind of fun. And then you have door simulators, which is pretty much close to weaponized readers, and I have one here, I have one here. This is a door simulator, you have a battery pack, you have a reader, and you have a little circuit board, or what, have a little screen on it, and if you present... this is why the audio video guys hate me now... if you present the card it shows up there and you can see what number is on it. Yeah, yeah, yeah, it's good, good enough. Why do you have that one? Well, you

have it to practice, you practice that the credentials you make on an assignment work, that you get the same data out. It's a way to look and understand. You can also use that reader to sniff the traffic with a Proxmark and see how it works, to understand more. It's very good to have in your lab at home to play with, to understand, because you have how it works from the card to the reader and what comes out of it. That's that one, yeah, this is what it looks like, that's that thing there, very simple. So this was Evil Damon here, had a talk at DEF CON, a village talk at DEF CON, and he presented this as a

free and open design, so you can go to the GitHub down there and you can get the schematics, just pour them into this JLCPCB and you get the stuff out of there, and you buy a reader and you hook it up. It's really simple, really simple, beautiful design, USB-C power delivery thing, reader, and many have it, go and get one, you should. Next thing is something we call magic cards. If you're into RFID hacking you think that it's something with a game, it's nothing but it's about the game of collecting stuff, most stuff wins, I don't know. This is my assorted collection of different magic cards that exist out there, there's a plethora of

cards out there, you wouldn't believe me, and they all act a little bit different, it's really annoying. And we differentiate them by UID-changeable, meaning you can modify a magic card, doesn't it, it pretends to be a normal card, but according to different standards you shouldn't be able to change some stuff, some stuff should be fixed and locked in by the vendors when manufactured, but this one doesn't. So this has all different qualities, it goes up to different generations, it all has names. We have a marvelous little piece of document we call the magic notes, it's on the repo, read that one, you need to know it. Other cloning things is the multi-

tag key fobs, we have dual technology, usually these ones have like four slots, this has six slots, and it presents... it's like an Ultra like this one but can't do reading, but you can program it like a card, this is just six cards in one. Next thing you need to do when you do cloning and hacking and RFID things is that you need to understand that an RFID card is just like a USB memory stick. It's a simple memory stick, that memory is protected by keys and access rights. If you have the keys to the kingdom you don't need to hack it or crack it, you can just generate it, and all the vendors nowadays

use different ways of diversifying all these keys generated. So one of the things that we target in RFID hacking is to figure out the KDF, so key diversification function. It goes fast: once you have all the keys you do a clone and copy of a card in two seconds, that's why, you know, touch and go, whoo, boom. A little story about cloning things, just because it's fun, if you want to hear it still. This is Marina Bay Sands in Singapore, I was there last year, it was Black Hat Asia 2023, on top of there, on this marvelous hotel, I didn't stay there of course, because, why, it's expensive. They have this infinity pool, that infinity pool is one of those,

you know, top 10 things in the list of the world, your bucket list in the world, it's amazing. So I have this friend, I was there and I was visiting the NOC, the network operations center at Black Hat, and I met d4rkm4tter, the guy with the Wi-Fi Cactus, I don't know if you know that one. He was like, oh Iceman, you know, they used to stay at this hotel before but now we changed, we didn't have that, but he wanted access to the infinity pool. So he goes like, I use the Flipper, but you know, I can't crack two of the keys. You know, it's like, well, shame for you, not my problem. It's like, ah dude,

come on. Okay, give me the UID, I will send you the keys, because I have a key, I have a KDF, it's known. And sure enough, do that, sad enough, and he sends, you know, thanks man, I got up. It's like, great, and I like it, you know, it's a very harmless way of doing RFID hacking to get access to something, and if you ask me, did I like

it? Now you wonder, why did you mention KDF and dormakaba? Yeah, well, because it was a big damn talk about dormakaba and the Unsaflok talk at DEF CON this year, talking about how they could get into any room. One part of it is actually knowing the KDF, so yeah, it all comes together. RFID in hotel systems is also one of those things that people look into, you didn't know about that, enough. Also, current problems. With all that said, there's always something more to learn and figure the [ __ ] out. We had something in the MIFARE Classic world that we call the static nonces, it's where it doesn't act according to the

properties of the protocol that's implemented. So MIFARE is made by NXP, the genuine manufacturer. There are also these, I don't know if they loaned it or were allowed or licensed to do it, so Fudan and other companies like that, what's it, Giantic, Qur, Unicorn, a lot of them, they implemented the same thing, but they didn't quite follow the standard when it comes to the nonce generation that's used in the cryptographic exchange for the key. That's one of the weaknesses. So what we had was something called static encrypted nonces, that was the bane of our lives for four years. You know, those cards showed up in hotel systems, 2019 and forward, and

that was just a [ __ ] nightmare, because no one can do it, you can only find the keys by sniffing the traffic, and that's a little bit annoying. However, Philippe Teuwen, that I mentioned in the beginning, got curious, like now in May this year, and he did some amazing research where he figured out what's going on. He also figured out other things, like secret backdoor keys for this system. I'm not going to talk anything more about it, because he's going to do his talk where he's going to present this for the first time at Hardwear.io in Holland on the 24th of October, so you should tune into his talk and look at it.

He has released a white paper, or a paper, about it, it's remarkable if you're into this stuff, and he's really good at RFID hacking, and he's well written, not like me, and he's organized and all that stuff. So now we can actually solve this and crack these keys as well, in the Proxmark world; it has also gone into the Flipper world. So yeah, a problem that existed last year doesn't exist anymore, things change. Other attacks. Well, we have, you know, I didn't quite mention that one, did I? No, but this extra stuff here, this little extra board that you plug in here, it has... this is an HID genuine SAM with

crypto material that is used to talk to and verify things with a genuine HID credential. So if you talk to them, you can let the Flipper talk to a card, talk to a crypto engine, and then you can get the PACS out. That's what you do with that, and we have a demo for that one, so if you play that

one. That's a Seos card,

yeah, I'm trying to read it upside down,

and that's all you did, you just took the Flipper with the SAM, you put it on a reader, you read it out, and you save a copy of it, of a PACS

data, different versions of credentials that we use for HID.

That's all you do, that's how hard it's become, that's the state of progress of RFID hacking. Something that was considered secure, safe, this is the top notch, we're selling this to you for the premium price, the RFID hacker goes like, okay man, I don't think so, so let's take your stuff, genuine stuff, and we talk to it, and then Bob's your uncle. It turns out actually we did a talk about that one at DEF CON as well, we talked about how they hacked the SAM, so that's another talk you should look into if you're interested in this one. It should be another... that was this one, sorry, another video. This is to crack an Elite key, this

is the custom key that we sell for more, pricier than standard. Again, you take one of those, we did a dictionary... [ __ ], I'm in the wrong way, here we go. So you figure out the keys for it, and you can actually do a lookup attack, because we generate the KDF for generating these Elite keys. We figured that one out in 2017, we didn't talk about it. So we can just generate a whole key list for it, and then we could just do a check, a classic dictionary attack, to get the keys out for it. It takes about two seconds, and now I have the keys to read out the memory that's needed for this

Elite system of HID. We have now since gone a little bit further. You will see that I'm dumping the file up there, that's what it is, that's the encrypted credential there, the SIO, that's it. And it has gone so, you know, that Elite key KDF is now implemented in the Proxmark world, should be in the Flipper world as well right now. So once you figure out the KDFs it's like, well, game over, it's like it's not secure anymore. So the, what do you call it, the remediation... no, no, the protection against this: don't use the standard keys that we're selling you, because the cheapest one... always use

custom keys. Tell that to your customers: if you're going to implement a PACS system, run your own keys, securely generated, securely stored away, of course, but yeah, that's what you do. It should be another video as well. Yeah, we're doing the same thing here, but I'm showing the SAM with a Proxmark, because I had fun last year and they said it couldn't be done, so I was like, yes it can, because inside the RDV4 there was a SIM module, but we had to upgrade the firmware, and I had to spend way too much time learning low-level I2C and 7816 communication, but I did implement it on the Proxmark. I'm trying to figure out one

here, here we go. That means it's a legacy, which says there, this is the old style, I only implemented that part. We could have implemented the Elite, the Seos as well, but I haven't. Talks to the smart card that I hooked up before, shows you the output of a card, you see here, 200 3146, yes. And this is how you clone it to a Prox or MIFARE Classic tag. This is a downgrade attack, all this here is to do the downgrade attacks. A downgrade attack is when you take something from a secure media, and since the reader is multiclass, they use different... they allow you to present different older credentials to it, you can downgrade once you extract

that data you can downgrade that data the pack data onto a simpler technology and then you beat in the system again that's what we call the downgrade attacks and finally is one do you want to see one more video all right let's crack some more high-tech stuff so this is something I made this year I just made before I went here uh this is a Hightech reader this is my [ __ ] key up there because I was playing with a with a high Tag 2 cracks uh one of the things implemented from the RF itler world was the Crack 2 where you extend where you extend this nouns you collect the nouns you up there before was announced that I

had to sniff from the reader from the car when I in the ignition so I have to sniff that first once I had that data I can run the Crack 2 against just the key fob right and it tries to extract 248 bits of data and then he getes it gets to this keyst Strom here now what you do need now now in this next step is to use a gigantic lookup table so this is a Time memory trade-off where you go from instead of online you go and take extract and all data and you look up in tables not rainbow tables but close enough and I did that you create a file of that one it says you can run locally

but I put that file on a Raspberry Pi somewhere else just to show that this is a you can use this as a distributed way to offer services instead so I created that file now and then I'm finally I'm going to actually run the attack yep yeah cut and paste yeah you're not going to get into that IP address trust me and yeah take you oh God I'm in the way again I go over here and I take that part where nouns from the reader take some time to do it this is my call to that service and because of a magic of um of cash so this is actually a problem it doesn't go that fast it takes 30

seconds the reason why it went fast this time is because I run this before to the Raspberry Pi and then the OS the modern os are so smart in caching so it caches this stuff and since that was not touched you got the key very fast out it takes 30 second trust me if you're on it on an MVM and on my multi threed normal host it takes 4 seconds but it takes longer time than that anyway you saw I can read out my car key ha so now you can clone my car key and that's it okay you either not impressed or you think I'm boring I don't know thank [Applause] you you doing me

dirty anyway so relay attacks this is the final thing I'm going to say to you and then oh no not this more is relays meaning that you have a reader here you go of internet and you have a someone sitting with a card somewhere else can be on across the world it's really interesting attacks and talks about it do for it and NFC NFC is something where people think I'm going to do this fast because I only got one minute uh NFC is something that people thinks is RFID and they like no RFID is the umbrella NFC is a part of that umbrella down here and they mostly famous for endf messages funny thing with endf messages is

actually that your public C us have a man endf message and one of the thing is I got one of his dumps someone sent it to me a year or so and we didn't have support to read out the things for it so I was very happy this this is what I do this what I think is cool with RF improving the tools right mastering the tools learning the tools of a trade so I actually added up so you can see what it is here you can extract the data out that's his account number and this is the signature data was done and how you verify it and it's really interesting because you guys was

some other guys who's looking into how to to make this happen uh how to look and talk to the system it expands so our can extract the memory data and values here and here's an API we can hack that now we into web hacking you see payment system it's tons of them uh blip and go super interesting EMV format 6,000 Pages haven't read it [ __ ] it I'm not doing it but I am very interested into it so I got to hang out with the W uh the payment Village in in the def coin they are awesome laan and Timor and they're going to teach me more about this stuff so I'm going to be really

good at this one tier of attacks is nothing else that we develop me and Phillip uh develop this concept of tear off attacks meaning that we do like glitching but it's not glitching it's just in the magnetic field we can cut the power and depending on the capacitors inside the the the card we can interrupt especially at moment very precisely moment and you do it several times and you can make the card acting in a way it shouldn't doing we call about tiar off attacks it's not power glitching and not in it's not for injections it's just like that but it's very cool look into it now I'm getting to the end of it how

do you become the next Rockstar hacker that's my question to you guys because you into this now I can feel it you're like yeah you're like you don't know you're a little bit there but I know you're going to buy some stuff off with so take this with you now how are you going to be it by being curious I'm here 13 years later because I got C curious as [ __ ] and I still do this I still hack on that firmware I I can tell that I crack more cards than you ever done in your whole life and I do this because I think it's fun it brings me joy but you also need to have information so here's

a good link for resources where you find it and here is vfd hacking Discord please join us and thank you [Applause] so I'm sure before you all going to go and buy some stuff which wink wink might be a bit illegal depends on how you define the limits and parameters of the law uh anybody want a uh a box to be thrown at them we have one gentleman here in the front try not to oh here we go check one oh yeah asking for a friend can you say again how do you get into the infin B actually that kdf is known and is public in the in The Flipper app so the flipper can now yes read the hotel card

and you duplicate that onto a magic card and then you go up to the pool entry area where we have this little reader and and then you have to like I you take an old card Hotel card we put it over your magic cards you don't see it because there's a guy standing there and then you just present it they really going to go like beep and then you just go ahead sir and then you that's a very nice pool I'm telling you not like the SAA we had yesterday which I forgot to say amazing SAA and you didn't melt you know the Iceman thing it's like St and SAA didn't get to I'm Aquaman oh great hi uh I have a

question about boosting cars so let's talk about cars now so just also asking from for a friend uh and he has a very expensive Mercedes and um how should he protect his car key uh and uh what kind of but what types of cars are easier to steal welcome to the police department uh I refrain to answer that question because I don't know the laws in Estonia so I cannot give you an a clear answer on that one I will say you can try out and find out and uh yeah you [ __ ] about and you take the consequences about it but uh I would say the relay attacks that's going on that's typically a relay attack

where people go around with with gigantic antennas and we go close to the hose where you have a key and then they trigger the key to generate the signal and they relay it to the door to the car and opens the car and triggers the immobilizing system does that make sense to you so if you want to protect yourself about that don't keep your key close to the Door Keep It long you know further in the house right simple as to the law you can keep it theoretical unless you name the specific model then you should be good um so where's the yes over there and then we have a box over yeah uh a question at which slide did

this talk become illegal none actually actually none okay thanks only if you took that stuff and did it and you applied it in reality then it becomes illegal depending on the law in your in your country but before that it's all science and academic and research yeah uh there was a hand over here hello cool uh thanks a great presentation I'm over here Jesus [ __ ] Christ on the right side uh is there any access control system in the world that you trust that I is there any access control system in the world that you trust is there the question is is there any access control system in the world that's a big scope that I trust

wow well you have different levels of it right the thing with can I talk do we have time yeah okay perfect when it comes to access control systems you have to understand one thing it's not meant to be secure it's meant to be secure enough it's meant for you to feel oh this Hightech thing this looks like bam latest model Dam know you feel secure but as all the pentest in this room will tell you or red teamers we go like h ENT into a door easy they always get in that's not an issue this is not about how I trust an access control system if you ask me which version of card technology they should use if you do it

properly that is secure enough I would say uh nxp is my fair desire and that's it for commercial grade for gov and law enforcements and Military they have different rules so you will do PIV and Civ if you know about th those ones it's like you know public key information structure where public and private Keys communicating you have to understand for them it doesn't matter that it takes two and a half seconds to enter it's okay for you and I when we go to a bus station and it doesn't say bleep immediately we [ __ ] [ __ ] you know you can't stand at two and a half seconds right so that's what I

mean it's secure enough for what you get it's meant to be feeling of security and meant for you process fastly does that make sense anyone has more question I'm I'm going to be around the all day and on the after party so you can ask me questions as much as you want to everybody is scared about the law now are we by the way uh based on that question I have a lovely example from three of my former employees zero of them collecting back those lovely cards you collect so I have my own collection haven't been working in a building for for 15 years oh I'm still welcome apparently I want that if you have cards

that you don't want to have I take them okay pure academic I love collecting them and looking at them and see oh wow look at that stuff yes do it I take them which when you were talking about it made me kind of think that you know you can have all the lovely people in it security takes one person in HR department to forget we're done that is true anybody oh yeah up up there yeah cool hi oh oh oh I see you under the light somewhere yeah so I've seen some building access systems now that are biometric fire fingerprints and not toofa just fingerprints have you seen anything interesting testing these any thoughts in general oh oh darling uh you have to

pay me to answer that one uh but uh biometric systems are fun in that way they always implement it the wrong way uh so it's you have to you have to understand what's going on in a in a biometric or toctor system right somehow we have to collect the data of your fingerprints or the irises and we have to store it somewhere where do we store it on the card and who's good at getting stuff out of a card Iceman and once you can manipulate that you know if you buy the same reader and you store your own credential onto card and you sniff that traffic later on so you have your own valid hash that is generated from your

fingerprint right once you have that data and you have access to write your data on that credential there you just put your data on there and that's it you just steal a card and you put your data on it so what we got that's for pent and red teamers know that's it yeah one again uh red the I've seen these where you are just scanning the fingerprint to get into the building so where is it stored then it's not on a card usually this is the two factors where you present a card and uh you know fingerprints if you just do fingerprints that's a connected system that connects to the microcontroller door controll in the back end and to a

database better worse well better as soon as you can't get access to their physical lines all right thank you because they have to send the data Can you capture that data in the wires can you replay it can you send it and same thing but that's not off idea as we're discussing Biometrics now what do you think of Apple pay it's becoming more and more common and uh it includes biometric face ID face ID and you can transfer quite huge amounts so uh or you can pay quite big amounts with it so have you looked into it or are you planning to like I said the payment Village lean and timore are looking into that stuff and

they always smile when I ask them exactly the same question so I'm I'm a very fortunate man because back in the day when I started doing this nobody answered my questions and today everybody tries to at least answer my email so I'm very blessed in that way that means when I ask them a question like you're doing and I get actual answer and they go like I man you should only know and then I know but they don't like it because they attack apis and they're most likely doing replay attacks uh I think from our perspective here it's secure enough it's good enough for what it is EMV uh Euro card mustard Visa is very

very good at in doing what they do there they [ __ ] up in the Point of Sales Systems and and and other things but that's a different story and yeah yeah well it's very deep rabbit hole but I think Apple Apple pay or Google pay today is good enough if you ask those two people that I mentioned before they're going to smile yeah we'll be waiting for the next demonstration from them there yeah yeah we should so we have Microsoft in the house good um I guess this is as I understand I've been signaled from the corner with the good out I'm not sure what it means for me we going to find out but uh this is I guess at the moment

the stop for the questions but as Mr Ian promised he's going to be around you can ask everything about your friend's car if it's a Mercedes I can relate we we need something oh by the way have you seen a TV series called Leverage this is me asking a question no no you should there is a hacker who uses your name so you know you can already get angry or not I don't know hack I mean I took his name from him I don't know so you survived the Estonian SAA here is something to think about the Estonian Sona thank you so much thank you thanks man and before we move on to our next

speaker an official announcement bear tent is open