defcon presentation (pdf) - the techtech.mit.edu/v128/n30/subway/defcon_presentation.pdfyou’ll...
TRANSCRIPT
![Page 1: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/1.jpg)
Anatomy
Russell Ryan
Zack Anderson
Alessandro Chiesa
Subway Hackof a
For updated slides and code, see: http://web.mit.edu/zacka/www/subway/
![Page 2: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/2.jpg)
what this talk is:Pen-testing a subway system
![Page 3: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/3.jpg)
what this talk is not:evidence in court
(hopefully)
![Page 4: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/4.jpg)
You’ll learn how to
• Generate stored-value fare cards• Reverse engineer magstripes• Hack RFID cards• Use software radio to sniff• Use FPGAs to brute force• Tap into the fare vending network• Social engineer• WARCART!
![Page 5: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/5.jpg)
AND THIS IS VERY ILLEGAL!So the following material is for educational use only.
![Page 6: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/6.jpg)
![Page 7: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/7.jpg)
ATTACKPHYSICALSECURITY
![Page 8: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/8.jpg)
there is almost always a free way to get in
![Page 9: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/9.jpg)
turnstile control boxes open…almost everywhere
![Page 10: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/10.jpg)
computer screens visible through windows
![Page 11: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/11.jpg)
door keys left in open boxes
![Page 12: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/12.jpg)
door keys left in open boxes
4 3 7 6 6
![Page 13: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/13.jpg)
state-of-the-art surveillance…often unattended
![Page 14: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/14.jpg)
documents left in the open
![Page 15: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/15.jpg)
![Page 16: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/16.jpg)
![Page 17: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/17.jpg)
what we found on Ebay
![Page 18: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/18.jpg)
ATTACKTHE
MAGCARD
![Page 19: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/19.jpg)
pick the hardware
![Page 20: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/20.jpg)
$139.95
Spark Fun Electronics
3-Track Lo-Co
Includes source code
$5<
Homebrew reader
With inserts, can read 3-tracks
stripesnoop.sourceforge.net
$300
MSR206 or MAKStripe
3-Track Hi/Lo-Co
Works with our GPL’d software
![Page 21: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/21.jpg)
![Page 22: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/22.jpg)
![Page 23: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/23.jpg)
EC9010402AC9D000000005B800C80150342248A84EBD132BE10280002000000002025D0000FD60
![Page 24: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/24.jpg)
try a cloning attackIs value stored on the card?
![Page 25: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/25.jpg)
you now have free subwayrides for life
If yes, then
![Page 26: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/26.jpg)
but you want more than that,eh?
Oh,
![Page 27: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/27.jpg)
reverse engineeringThe Charlie Ticket
![Page 28: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/28.jpg)
reverse engineeringEverybody talks about it,But where do you start?
1) Make a guess about what’s in the data2) Change a single variable; see what
changes3) Repeat many times with varying data4) Compare similar and dissimilar data5) Ignore constant regions6) Build/use tools
![Page 29: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/29.jpg)
reverse engineeringIsolate Variables method
To locate a single variable:
• Group data by that variable• Ignore global similarities (between
different groups)• Ignore differences within groups
Resulting locations are probably where the data is stored
![Page 30: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/30.jpg)
EC901 0402AC9D 000000005B8 00C8
028 0002 000000002025D0000 FD60
0150342 248 A84EBD 132 BE 1
![Page 31: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/31.jpg)
EC901 0402AC9D 000000005B8 00C8
const ticket # ticket type(ticket / pass)
value(in cents)
028 0002 000000002025D0000 FD60# ofuses
last trans(in nickels)
checksumconst (approx)
0150342 248 A84EBD 132 BE 1last
reader used
laststationused
timetime const const(approx)
![Page 32: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/32.jpg)
forgingThe Charlie Ticket
![Page 33: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/33.jpg)
EC901 0402AC9D 000000005B8 00C8
const ticket # ticket type(ticket / pass)
value(in cents)
028 0002 000000002025D0000 FD60# ofuses
last trans(in nickels)
checksumconst (approx)
0150342 248 A84EBD 132 BE 1last
reader used
laststationused
timetime const const(approx)
![Page 34: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/34.jpg)
EC901 0402AC9D 000000005B8 FE4C
const ticket # ticket type(ticket / pass)
value(in cents)
028 0002 000000002025D0000 FC90# ofuses
last trans(in nickels)
checksumconst (approx)
0150342 248 A84EBD 132 BE 1last
reader used
laststationused
timetime const const(approx)
![Page 35: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/35.jpg)
![Page 36: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/36.jpg)
+ =
![Page 37: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/37.jpg)
MagCardMSR206
BitstirReverse Engineering
GUI
CharlieTicket MetroCardBoston, MA New York City, NY
Utilities
MagCard Reverse-Engineering Framework
read()
write()
erase()
…
conversions
comparisons
checksums
time stamps
…
…
![Page 38: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/38.jpg)
Demo: MagCard and Reverse Engineering Toolkit
wrote Python libraries for analyzing magcards
integrated with the MSR206 reader/writer
GUI helps visualize and organize data
Can Now Forge Cards
![Page 39: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/39.jpg)
what about other subways?
• Most subway fare collection systems in US are made by two major integrators
• Scheidt & Bachmann made Boston T, San Francisco Bart, Long Island Railroad, Seattle Sound Transit, London Silverlink, etc. systems
• Cubic Transportation made NYC MTA, Washington DC WMATA, Chicago CTA, Shanghai Metro, etc. systems
Are they hackable? Yes!
![Page 40: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/40.jpg)
ATTACKTHERFID
![Page 41: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/41.jpg)
learn about your RFID card
![Page 42: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/42.jpg)
MIFARE Classic
• 13.56MHz RFID smartcard• End-to-end proprietary “crypto” (Crypto-1)• 1K memory & unique identifier on card• Over 500 million tags in use
![Page 43: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/43.jpg)
Crypto-1 CryptanalysisCrypto-1 reverse engineered by Karsten Nohl, University of Virginia, 2007:• Etched and inspected silicon wafer using high-powered imagery.• Found and reconstructed crypto portions from over 10k gates.• Found vulnerabilities in the cipher and implementation
![Page 44: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/44.jpg)
security of the MIFARE card
Mutual 3-pass authentication
Card Reader
sector? key A or B?
random-challenge
answer, random-challenge
answer
read key
verify answer
verify answer
Each sector two keys
Non-linear filterfunctions
![Page 45: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/45.jpg)
security of the MIFARE card
Mutual 3-pass authentication
Card Reader
sector? key A or B?
random-challenge
answer, random-challenge
answer
read key
verify answer
verify answer
Non-linear filterfunctions
KEY IS 48bits!
![Page 46: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/46.jpg)
security of the MIFARE card
Non-linear filterfunctions
KEY IS 48bits!
PRG IS WEAK!
![Page 47: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/47.jpg)
security of the MIFARE card
KEY IS 48bits!
PRG IS WEAK!
BIASED Filter Functions
![Page 48: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/48.jpg)
choose your hardwareto execute these attacks we need to interact with the card
![Page 49: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/49.jpg)
$220
OpenPCD + OpenPICC
Open design 13.56MHz RFID reader + emulator
Free schematics (www.openpcd.org)
$50
MiFare RFID Reader/Writer
Comes with source code
Hard to hack, but doable
$700
USRP
Full control over signal input/output
Works with GNU Radio + our plugin
![Page 50: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/50.jpg)
USRP
![Page 51: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/51.jpg)
13.56MHz
13.56MHz +/- 847kHz
ASK modulationModified miller encoding
OOK modulationManchester encoding
card/reader communication
![Page 52: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/52.jpg)
Tune Radiosreceiver #1 to 13.56MHzreceiver #2 to 12.71MHz
GNU radio RFID toolchain
![Page 53: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/53.jpg)
charlie card + reader FFTcarrier
subcarrier subcarrier
![Page 54: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/54.jpg)
Tune Radiosreceiver #1 to 13.56MHzreceiver #2 to 12.71MHz
GNU radio RFID toolchain
subcarrier(card-> reader)
Band-Pass Filter400kHz width
FIR LPF w/ shifted center
![Page 55: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/55.jpg)
charlie card + reader FFT
Band Pass Filter
400kHz
![Page 56: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/56.jpg)
13.56MHz reader -> card transmission
12.71MHz card -> reader transmissiontime
time
![Page 57: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/57.jpg)
Tune Radiosreceiver #1 to 13.56MHzreceiver #2 to 12.71MHz
GNU radio RFID toolchain
Band-Pass Filter400kHz width
FIR LPF w/ shifted center
DemodulateRemove carrier by converting complex IQ to magnitude
subcarrier(card-> reader)
carrier(reader -> card)
DemodulateRemove carrier by converting complex IQ to magnitude
![Page 58: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/58.jpg)
Tune Radiosreceiver #1 to 13.56MHzreceiver #2 to 12.71MHz
GNU radio RFID toolchain
Band-Pass Filter400kHz width
FIR LPF w/ shifted center
DemodulateRemove carrier by converting complex IQ to magnitude
subcarrier(card-> reader)
carrier(reader -> card)
DemodulateRemove carrier by converting complex IQ to magnitude
Manchester DecoderConvert transitions to bits
Modified Miller DecoderConvert transitions to bits
to file
![Page 59: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/59.jpg)
sniffing the turnstile
challenge/response pairs
![Page 60: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/60.jpg)
attacks on the MIFARE cardGoal: get secret key (can clone card with it)
Brute Forcesniff handshake and use an FPGA to crack key.Filter function weaknesses reduce key space.See:
www.cs.virginia.edu/~kn5f/Mifare.Cryptanalysis.htm
For info on reducing key space
![Page 61: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/61.jpg)
attacks on the MIFARE cardGoal: get secret key (can clone card with it)
Brute Forcesniff handshake and use an FPGA to crack key.Filter function weaknesses reduce key space.
Manipulate PRG Timing“random” challenge depends on clock cycles since powered up –thus it is not random.
This enables replay attacks:Timing allows selection of specific challenges. With deterministic challenges, data can be replayed.
Keep on transmitting those “add $5” commands
![Page 62: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/62.jpg)
attacks on the MIFARE cardGoal: get secret key (can clone card with it)
Brute Forcesniff handshake and use an FPGA to crack key.Filter function weaknesses reduce key space.
Manipulate PRG Timing“random” challenge depends on clock cycles since powered up –thus it is not random.
Algebraic Attackswrite Crypto-1 as system of multivariate quadratic equations combined with sniffed data, convert to SAT and then solve it with a SAT-solver… currently being worked on by Courtois, Nohl, and O’Neil
![Page 63: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/63.jpg)
brute force itwhen all else fails
![Page 64: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/64.jpg)
Why Brute Force with an FPGA?
Because it’s fast!
- Dedicated logic- Hardware description
language defines hardware- Hundreds of parallelizations
- General purpose device- Finite instruction set
- 1-8 parallelizations
(Uh, oh. Sounds RISCy)
microprocessor FPGA
![Page 65: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/65.jpg)
FPGA Brute
Forcing Platform
Code
Generator
KwickBreakGUI
Crypto-1 DES
FPGA
KwickBreak FPGA Brute-Forcer
…
Executes known plaintext attack to recover key
generates
uses
interfaces w/
runs onHardware Used
Opal Kelly
XEM3001
www.opalkelly.com
![Page 66: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/66.jpg)
![Page 67: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/67.jpg)
module xorPlugin(input wire clk,input wire [47:0] key,input wire [47:0] plaintext,output reg [47:0] encrypted,output reg ready);
always @(posedge clk) beginready <= 1;encrypted <= key ^ plaintext;
endendmodule
writing a (trivial) XOR module
![Page 68: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/68.jpg)
./kwickbreakGenerator.py>>> Please enter your plugin module name, as written.xorPluginOutput filename (and path)xorBruteForceUtil.vHow many cores would you like on the chip?50If you have a pipelined design, how many clock delays for valid data?0xorBruteForceUtil.v successfully written!
writing a (trivial) XOR module (cont)
Now just create a new project in Xilinx ISE, load the files, and synthesize
Done!
![Page 69: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/69.jpg)
Subways using MiFare Classic
- Boston (CharlieCard)- London (Oyster Card)- Netherlands (OV-Chipkaart)- Minneapolis- South Korea (Upass)- Hong Kong- Beijing- Madrid (Sube-T)- Rio de Janeiro (RioCard)- New Delhi- Bangkok and more
![Page 70: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/70.jpg)
ATTACKTHE
NETWORK
![Page 71: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/71.jpg)
network security
• Performed site surveys of T stations and offices (no WiFi found)
• Performed wireless device audit• Found unguarded network switches
![Page 72: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/72.jpg)
fiber switches in unlocked roomconnect fare vending machines to the internal network
![Page 73: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/73.jpg)
fiber switches in unlocked roomconnect fare vending machines to the internal network
![Page 74: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/74.jpg)
Executed the “PHANTOM MEETING” attack
Social Engineering
Gained access to internal network drops and computers
Nobody suspected a thing as we walked intooffices and conference rooms…
So we took it up a notch.
![Page 75: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/75.jpg)
first there was wardialingc.1983 - 2000 – 2001 – 2002 – 2006 – 2007 - 2008
![Page 76: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/76.jpg)
then there was wardrivingc.1983 - 2000 – 2001 – 2002 – 2006 – 2007 - 2008
![Page 77: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/77.jpg)
then there was warwalkingc.1983 - 2000 – 2001 – 2002 – 2006 – 2007 - 2008
![Page 78: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/78.jpg)
then there was warflying
c.1983 - 2000 – 2001 – 2002 – 2006 – 2007 - 2008
and warboating
![Page 79: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/79.jpg)
then there was war-rocketingc.1983 - 2000 – 2001 – 2002 – 2006 – 2007 - 2008
![Page 80: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/80.jpg)
then there was warballooningc.1983 - 2000 – 2001 – 2002 – 2006 – 2007 - 2008
![Page 81: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/81.jpg)
and now… warcartingc.1983 - 2000 – 2001 – 2002 – 2006 – 2007 - 2008
![Page 82: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/82.jpg)
19dBi WiFi Antennadirectional
Control Boxw/ key switch for activation
Two Laptopsfor control and data logging
Pan/Tilt Mechanismattachments include antennas or a smoke grenade launcher
900 MHz Antennadirectional, great for cordless phones
Flash Drive Dropperfor U3 hacksaws
12dBi WiFi Antennaomnidirectional
25-1300 MHz Antennageneral coverage, great for picking up the police
Scannerto pick up various communications
Lights2M candlepower for night operations
PA SpeakerFor announcements and intimidating music
CCD Cameratrip documentationAntenna Switch Box
To toggle between antennas and radios
WarCart
![Page 83: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/83.jpg)
We decided to take it to the MBTA headquartersWe decided to take it to the MBTA headquarters
![Page 84: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/84.jpg)
And then we ran into some problems with the police
That’s one of the WarCart’ssmoke grenades, by the way
![Page 85: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/85.jpg)
So to avoid ending up like this
We turned back
![Page 86: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/86.jpg)
contributions
![Page 87: Defcon Presentation (PDF) - The Techtech.mit.edu/V128/N30/subway/Defcon_Presentation.pdfYou’ll learn how to • Generate stored-value fare cards • Reverse engineer magstripes •](https://reader031.vdocuments.net/reader031/viewer/2022011800/5ab2f6587f8b9ad9788dae34/html5/thumbnails/87.jpg)
contributions
• 1) Exploited physical security holes• 2) Reverse engineered the CharlieTicket• 3) Wrote code to analyze & generate magcards• 4) Wrote a toolchain for analyzing 13.56MHz RFID
transactions using the USRP+GNUradio• 5) Attacked problems with the MIFARE Classic cards• 6) Wrote brute forcer-generator to crack keys on an FPGA• 7) Developed software to reduce MQ to SAT, allowing key
recovery• 8) Wrote code to read and clone MIFARE cards (given the
key)