RFIDIOts!!!
RFID Hacking without a Soldering Iron (... or a patent attorney :)
Adam Laurie
adam@algroup.co.uk
http://trifinite.org
http://rfidiot.org
CanSecWest Vancouver, 2007

What is RFID?
- Contactless Auto-ID technology
- Radio Frequency or Magnetically Coupled chip
- Chip is passive
- Energy from reader activates the chip

What is it for?
- Simple ID only
- Door Entry Systems
- Smartcards
- Payment Cards
- e.g. Oyster
- Biometrics
- e.g. HID
- e.g. passports

RFID Moo am I?
- Animal ID
- Hotel Keys
- Car Immobilisers
- Ski Passes
- Goods Labels
- Luggage Handling
- Vending
- Human Implants

Selling the idea of Human Implants

Human Implants
- Military
- Mental Patients
- Tracking
- Beach Bars
- Access Control
- Digital Wallets

Unique ID!!!
- Cannot be cloned
- Cannot be cloned
- Cannot be cloned
- Cannot be cloned
- Cannot be cloned
- Cannot be cloned
- Cannot be cloned

Unique ID?
- DIY Cloning Units
- Spot the original?
- http://cq.cx/vchdiy.pl
- Industry Defence: Clones do not have the same form factor and are therefore not true clones

Unique ID?
- Readers cannot 'see' so form factor irrelevant

Cloning Devices

The Challenge
- Create a 'true' clone
  - Same ID
  - Same Form Factor

Understanding the ID
- Industry standard example
- Animal Tagging
- ISO 11784/5 FDX-B
- Application flag (Animal/Non-Animal)
- 3 Digit Country or Manufacturer code
- National ID

Sending the ID
- Reader and TAG will communicate with
  - Specific frequency
    - 125/134.2 kHz
    - (13.56 MHz)
  - Specific data bit rate
    - RF/2 - RF/128
  - Specific encoding (modulation) scheme
    - FSK, Manchester, BiPhase, PSK, NRZ
  - Specific bit patterns
    - Header/Data/CRC

Decoding the ID
- 8 Byte raw ID from 'dumb' reader
- Byte7 Byte6 Byte5 Byte4 Byte3: National ID
- Byte2: Country
- Byte1 Byte0: Application Code
- Reverse MSB/LSB
- Reverse each Nibble
- Right shift (x2)
- Convert to Decimal

Decoding the ID
- 8 Byte raw ID:       70 91 53 12 EA 6F 00 01
- Reverse MSB/LSB:     10 00 F6 AE 21 35 19 07
- Reverse each Nibble: 80 00 F6 57 48 CA 89 0E

Decoding the ID
- 8 Byte raw ID: 80 00 F6 57 48 CA 89 0E
- Application ID: 8000
- Country: F65
- National ID: 748CA890E
- Country F65 right shifted: 3D9 == '985' decimal
- icar.org: 'destron fearing / digital angel corporation'
- National ID 748CA890E == '31286003982'
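
The decoding steps above, carried through in Python on the slides' sample ID. This is an added example, not code from RFIDIOt or from the original slides; the function names are assumptions made here, and the field split follows the slide's hex-digit boundaries.

```python
# Added example: decode a raw 8-byte FDX-B ID using the steps on the slides.
# Function and constant names are hypothetical, chosen for this illustration.

# Sample raw ID as shown on the slide (bytes as delivered by a 'dumb' reader).
SAMPLE_RAW = "70 91 53 12 EA 6F 00 01"


def reverse_msb_lsb(hex_id: str) -> str:
    """Step 1: reverse the order of the 16 nibbles (MSB/LSB swap)."""
    return hex_id[::-1]


def reverse_each_nibble(hex_id: str) -> str:
    """Step 2: reverse the 4 bits inside every nibble (e.g. A=1010 -> 0101=5)."""
    return "".join(
        format(int(format(int(n, 16), "04b")[::-1], 2), "X") for n in hex_id
    )


def decode_fdxb(raw: str) -> dict:
    """Return application ID, country code and national ID from a raw ID."""
    hex_id = "".join(raw.split()).upper()
    if len(hex_id) != 16 or any(c not in "0123456789ABCDEF" for c in hex_id):
        raise ValueError("expected 8 bytes (16 hex digits)")
    ordered = reverse_each_nibble(reverse_msb_lsb(hex_id))
    # Field split as on the slide: 4 hex digits application ID,
    # 3 hex digits country field, 9 hex digits national ID.
    app_hex, country_hex, national_hex = ordered[:4], ordered[4:7], ordered[7:]
    return {
        "ordered": ordered,
        "application_id": app_hex,
        # Step 3: right shift (x2) the country field, then read as decimal.
        "country": int(country_hex, 16) >> 2,
        # Step 4: convert the national ID to decimal.
        "national_id": int(national_hex, 16),
    }


if __name__ == "__main__":
    for field, value in decode_fdxb(SAMPLE_RAW).items():
        print(f"{field}: {value}")
```
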

Encoding the ID
- Reverse the decoding process
- 64 Bit ID
- Add Header/CRC to raw binary ID
- Header | ID B | ID B | ID B | ID B | ID B | ID B | ID B | ID B | CRC
- Fixed bits embedded in ID prevent header being duplicated in data stream
- Now we have 128 bits of raw bit-level id
- How do we deliver it?

Multi-Format Transponders
- Why make 10 transponder types when you can make 1?
- Lower manufacturing costs
- Lower stocking/distribution costs
- Convenience

Multi-Format Transponders
- Q5
  - Independently configurable parameters
  - Configuration for Bit Rate, Modulation etc.
  - 224 Bits user programmable memory
  - Dump <n> data blocks on wakeup
- Hitag2
  - Multiple 'personalities'
  - Configuration for 'Public Modes'
  - 256 Bit user programmable memory
  - Dump <n> data blocks on wakeup as per Mode setting

Sending the ID
- Take a redundant Door Entry tag
- Re-Set configuration as appropriate
  - Bit Rate
  - Modulation
  - Inversion
  - Number of blocks to dump on 'wakeup'
- Program data blocks with raw ID

Demonstration
- Clone Trovan 'Unique' TAG
  - Access Control System
- Clone ISO 11784 'Animal' TAG (FDX-B)
  - Cow Implant
  - VeriChip paperweight

RFID implanted chip threats
- Track individuals
- Target individuals
- Impersonate individuals
- Gain access to restricted areas
- Provide alibi for accomplice!
- 'Smart' Bombs
  - Device only goes off if target of sufficient rank is in range.

Encryption is your friend
- RFID Enabled 'Biometric' passports
- 48 Items of Data
  - Fingerprint
  - Facial Image
  - Birth Certificate
  - Home Address
  - Phone Numbers
  - Profession

Keys to your kingdom
- Pseudorandom UID
  - Cannot determine presence of specific passport without logging in
- Strong Authentication
  - Basic Access Control
- Content Encryption
  - 3DES
- Extended Access Control

Deriving the Keys
- MRZ: Machine Readable Zone
- Key
  - Document Number
  - Date of Birth
  - Expiry Date

epassport demonstration

epassport threats
- Key data may be obtained through other channels
- Passport profiling
  - Determine country of origin without logging in
- Implementation errors:
  - Australian passport ID does not start with '08' on select
  - Australian passport does not require Basic Auth on 'File Select', only on 'File Read'.
- Target specific passport holders
  - Bomb that detonates for Australians only...

RFIDIOt
- Open Source Python library
- Hardware independent
  - ACG
  - Frosch
  - OpenPCD coming soon
- Low cost reader/writers now available
- http://rfidiot.org

ACG reaction to RFIDIOt
"Unfortunately your companies activities seem to be counter to acg's interests so we will not be able to support you any further."
Email, 3rd January, 2007

Questions?
http://rfidiot.org
adam@algroup.co.uk