bsideslondon rookie talk - rfid hacking - an introduction
TRANSCRIPT
RFID HACKING: AN INTRODUCTION. D3SRE, BSIDES LONDON, 2014
CONTENT
• First step
• RFID technology need to know
• Next steps to play around
• RFID reader
• The «playful»
• The «intermediate»
• The «deluxe»
• References
• Questions
RFID Hacking - An Introduction 2
FIRST STEP
• What is your goal?
• Set up «Home RFID System»?
• Learn about the technology?
• Read a specific card?
• Type of card
• Encryption used
Source: RFID Handbook, Finkenzeller, fig 2.18
RFID TECHNOLOGY NEED TO KNOW
• ISO 14443 Standard on 13.56 MHz
• Mifare Classic 1k
• 16 sectors, each 4 blocks
• Last block of each sector has access key
• Up to 2 access keys/sector (with different permissions)
• 1st block (0) has UID, usually write protected
• Crypto 1 encryption
Source: http://www.adafruit.com/blog/wp-content/uploads/2011/05/tagassortment_LRG.jpg
RFID TECHNOLOGY NEED TO KNOW
• Authentication for Mifare Classic 1k
• Authentication per Sector
Message flow between Reader and Card:
1. Authentication
2. Send card UID
3. Send card UID + Sector Key
4. Send card UID + Data
5. Send further command
6. Send further reply
256^6 possibilities
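As an added example (not code from the talk), the following Python maps a constructed MIFARE Classic 1K dump onto the layout described on the slides: 16 sectors of 4 blocks, key A / access bits / key B in each sector trailer, the UID with its BCC check byte in block 0, and the 256^6 = 2^48 key space per sector key. The dump bytes, UID and non-default keys are constructed here; the audit for the factory transport key FFFFFFFFFFFF is the kind of check a card issuer runs on their own dumps.

```python
# Added example: map a MIFARE Classic 1K dump onto the sector/block layout of the slides (constructed data).
from dataclasses import dataclass

BLOCK_SIZE = 16          # bytes per block
BLOCKS_PER_SECTOR = 4    # 1K card: 16 sectors x 4 blocks = 64 blocks = 1024 bytes
SECTORS = 16
KEY_SPACE = 256 ** 6     # one 48-bit Crypto-1 sector key: the "256^6 possibilities" of the slide
TRANSPORT_KEY = bytes.fromhex("FFFFFFFFFFFF")  # factory default key, the usual first "default key" to check

@dataclass
class SectorTrailer:
    sector: int
    key_a: bytes        # trailer bytes 0-5
    access_bits: bytes  # trailer bytes 6-9 (access conditions + user byte)
    key_b: bytes        # trailer bytes 10-15

def is_trailer(block: int) -> bool:
    # the last block of every sector holds the keys and access bits
    return block % BLOCKS_PER_SECTOR == BLOCKS_PER_SECTOR - 1

def parse_trailer(dump: bytes, sector: int) -> SectorTrailer:
    block = sector * BLOCKS_PER_SECTOR + BLOCKS_PER_SECTOR - 1
    raw = dump[block * BLOCK_SIZE:(block + 1) * BLOCK_SIZE]
    return SectorTrailer(sector, raw[0:6], raw[6:10], raw[10:16])

def uid_and_bcc_ok(dump: bytes):
    # block 0 (manufacturer block): 4-byte UID followed by BCC = XOR of the four UID bytes
    uid, bcc = dump[0:4], dump[4]
    calc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    return uid, calc == bcc

def sectors_with_transport_key(dump: bytes) -> list:
    # audit helper: which sectors still use the factory key for key A or key B
    trailers = [parse_trailer(dump, s) for s in range(SECTORS)]
    return [t.sector for t in trailers if TRANSPORT_KEY in (t.key_a, t.key_b)]

def constructed_dump() -> bytes:
    # 1024-byte sample: sector 1 re-keyed, every other sector still on the transport key
    uid = bytes.fromhex("04A1B2C3")                      # constructed UID
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    blocks = [uid + bytes([bcc]) + bytes(BLOCK_SIZE - 5)]
    for block in range(1, SECTORS * BLOCKS_PER_SECTOR):
        if not is_trailer(block):
            blocks.append(bytes(BLOCK_SIZE))             # data blocks left empty
        elif block // BLOCKS_PER_SECTOR == 1:            # constructed non-default keys for sector 1
            blocks.append(bytes.fromhex("112233445566") + bytes.fromhex("FF078069") + bytes.fromhex("665544332211"))
        else:
            blocks.append(TRANSPORT_KEY + bytes.fromhex("FF078069") + TRANSPORT_KEY)  # default access bits
    return b"".join(blocks)
```

Key A always reads back as zeros from the card itself; dump tools fill in the keys they authenticated with, which is why this audit is run on a dump file rather than on the live card.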
NEXT STEPS TO PLAY AROUND
• 1. Find Authentication Key
• Try default keys first …
• Don’t try brute force, rather
• Eavesdrop communication (needs antenna & receiver)
• Emulate tag (e.g. with XBee, OpenPICC, Proxmark3)
• 2. Read Data block (probably encrypted)
• 3. Decrypt Data block (probably Crypto 1 hacked)
• 4. Clone card
• Important Keywords are «Mifare classic UID eBay»
RFID READER - THE «PLAYFUL»
• Arduino or Raspberry Pi Shields
• Comply with Standard
• Write protocol code yourself
• Might have hardware limitations
• Quality of documentation varies
• Examples
• XBee
• XBee communication shield €15
• XBee NFC/RFID module €50
• Seeed Studio RFID module $29.50
Source: http://www.cooking-hacks.com/documentation/tutorials/rfid-13-56-mhz-nfc-module-for-arduino
RFID READER - THE «INTERMEDIATE»
• ACR122U USB
• Manuals for use with Backtrack
• $59.00
• OpenPCD
• Famous from CCC talks
• Open Source Development
• Trainings available/Live System
• 46.22 €
Source: http://www.openpcd.org/OpenPCD_2_RFID_Reader_for_13.56MHz
RFID READER - THE «DELUXE»
• Proxmark 3
• Big active community
• Antennas for LF & HF
• Supports emulating, cloning & eavesdropping
• $399 (enclosed version), antenna $59
Source: http://www.proxmark3.com/item_pm3.html
REFERENCES
• http://en.wikipedia.org/wiki/MIFARE
• http://www.backtrack-linux.org/wiki/index.php/RFID_Cooking_with_Mifare_Classic#RFID_Cooking_with_Mifare_Classic
• http://penturalabs.wordpress.com/2013/07/15/access-control-part-2-mifare-attacks/
• http://www.proxmark.org/documents/mifare_weakness.pdf
• http://sar.informatik.hu-berlin.de/research/publications/SAR-PR-2008-21/SAR-PR-2008-21_.pdf
• http://www.cs.virginia.edu/~kn5f/Mifare.Cryptanalysis.htm
• http://www.eng.tau.ac.il/~yash/kw-usenix06/
• http://www.rfidblog.org.uk/Hancke-JoCSSpecialRFIDJune2010.pdf
• http://www.rfidblog.org.uk/Hancke-RFIDsec08-Eavesdropping.pdf
• http://www.securestate.com/Downloads/whitepaper/All-is-MIFARE-in-Love-and-War.pdf
• http://www.openpcd.org/OpenPCD_2_RFID_Reader_for_13.56MHz
QUESTIONS?
Desiree Sacher
@d3sre
HAVE FUN. THANK YOU FOR LISTENING.