RFIDIOts!!! RFID Hacking without a Soldering Iron (... or a Patent Attorney :)

RFIDIOts!!! RFID Hacking without a Soldering Iron (... or a patent attorney :)
  Adam Laurie
  adam@algroup.co.uk
  http://trifinite.org
  http://rfidiot.org
  CanSecWest Vancouver, 2007

What is RFID?
  Contactless Auto-ID technology
  Radio Frequency or Magnetically Coupled chip
  Chip is passive
  Energy from reader activates the chip

What is it for?
  Simple ID only
  Door Entry Systems
  Smartcards
  Payment Cards
  e.g. Oyster
  Biometrics
  e.g. HID
  e.g. passports

RFID Moo am I?
  Animal ID
  Hotel Keys
  Car Immobilisers
  Ski Passes
  Goods Labels
  Luggage Handling
  Vending
  Human Implants

Selling the idea of Human Implants

Human Implants
  Military
  Mental Patients
  Tracking
  Beach Bars
  Access Control
  Digital Wallets

Unique ID!!!
  Cannot be cloned

Unique ID?
  DIY Cloning Units
  Spot the original?
  http://cq.cx/vchdiy.pl
  Industry Defence:
  Clones do not have the same form factor and are therefore not true clones

Unique ID?
  Readers cannot 'see' so form factor irrelevant

Cloning Devices

The Challenge
  Create a 'true' clone
  Same ID
  Same Form Factor

Understanding the ID
  Industry standard example
  Animal Tagging
  ISO 11784/5 FDX-B
  Application flag (Animal/Non-Animal)
  3 Digit Country or Manufacturer code
  National ID

Sending the ID
  Reader and TAG will communicate with
  Specific frequency
  125/134.2 kHz
  (13.56 MHz)
  Specific data bit rate
  Specific encoding (modulation) scheme
  RF/2 - RF/128
  FSK, Manchester, BiPhase, PSK, NRZ
  Specific bit patterns
  Header/Data/CRC

Decoding the ID
  8 Byte raw ID from 'dumb' reader
  Byte 7, Byte 6, Byte 5, Byte 4, Byte 3: National ID
  Byte 2: Country
  Byte 1, Byte 0: Application Code
  Reverse MSB/LSB
  Reverse each Nibble
  Right shift (x2)
  Convert to Decimal

Decoding the ID
  8 Byte raw ID:        70 91 53 12 EA 6F 00 01
  Reverse MSB/LSB:      10 00 F6 AE 21 35 19 07
  Reverse each Nibble:  80 00 F6 57 48 CA 89 0E

Decoding the ID
  8 Byte raw ID:   80 00 F6 57 48 CA 89 0E
  Application ID:  8000
  Country:         F65
  National ID:     748CA890E
  Country F65 right shifted: 3D9 == '985' decimal
  icar.org: 'destron fearing / digital angel corporation'
  National ID 748CA890E == '31286003982'
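
The decoding steps from the slides above, written out as an added Python example (not code from the talk or from the RFIDIOt library). The function names are hypothetical; the field split (4, 3 and 9 hex digits) and the sample raw ID follow the slides' worked example.

```python
def reverse_nibble_bits(hex_digits: str) -> str:
    """Reverse the four bits inside each hex digit (1 -> 8, A -> 5, E -> 7)."""
    out = []
    for digit in hex_digits:
        bits = format(int(digit, 16), "04b")
        out.append(format(int(bits[::-1], 2), "X"))
    return "".join(out)


def decode_fdxb(raw: bytes) -> dict:
    """Decode an 8-byte raw ID using the steps and field split shown on the slides."""
    if len(raw) != 8:
        raise ValueError(f"expected 8 raw bytes, got {len(raw)}")
    digits = raw.hex().upper()
    reversed_digits = digits[::-1]                   # "Reverse MSB/LSB"
    decoded = reverse_nibble_bits(reversed_digits)   # "Reverse each Nibble"
    country_field = decoded[4:7]                     # 3 hex digits, e.g. F65
    national_field = decoded[7:16]                   # 9 hex digits
    return {
        "decoded": decoded,
        "application_id": decoded[0:4],
        "country": int(country_field, 16) >> 2,      # "Right shift (x2)"
        "national_id": int(national_field, 16),      # "Convert to Decimal"
    }


def bit_reverse64(raw: bytes) -> str:
    """Cross-check: the two slide steps together equal one 64-bit bit reversal."""
    value = int.from_bytes(raw, "big")
    return format(int(format(value, "064b")[::-1], 2), "016X")


if __name__ == "__main__":
    # Raw ID taken from the worked example on the slides.
    raw_id = bytes.fromhex("70915312EA6F0001")
    fields = decode_fdxb(raw_id)
    assert fields["decoded"] == bit_reverse64(raw_id)
    print(fields)
```

Nothing in the decoded ID is secret or authenticated: every field is recoverable from the bytes a 'dumb' reader returns.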

Encoding the ID
  Reverse the decoding process
  64 Bit ID
  Add Header/CRC to raw binary ID
  Header ID B ID B ID B ID B ID B ID B ID B ID B CRC
  Fixed bits embedded in ID prevent header being duplicated in data stream
  Now we have 128 bits of raw bit-level ID
  How do we deliver it?

Multi-Format Transponders
  Why make 10 transponder types when you can make 1?
  Lower manufacturing costs
  Lower stocking/distribution costs
  Convenience

Multi-Format Transponders
  Multiple 'personalities'
  Q5
    Independently configurable parameters
    Configuration for Bit Rate, Modulation etc.
    224 Bits user programmable memory
    Dump <n> data blocks on wakeup
  Hitag2
    Configuration for 'Public Modes'
    256 Bit user programmable memory
    Dump <n> data blocks on wakeup as per Mode setting

Sending the ID
  Take a redundant Door Entry tag
  Re-Set configuration as appropriate
  Bit Rate
  Modulation
  Inversion
  Number of blocks to dump on 'wakeup'
  Program data blocks with raw ID

Demonstration
  Clone Trovan 'Unique' TAG
  Access Control System
  Clone ISO 11784 'Animal' TAG (FDX-B)
  Cow Implant
  VeriChip paperweight

RFID implanted chip threats
  Track individuals
  Target individuals
  Impersonate individuals
  Gain access to restricted areas
  Provide alibi for accomplice!
  'Smart' Bombs
  Device only goes off if target of sufficient rank is in range.

Encryption is your friend
  RFID Enabled 'Biometric' passports
  48 Items of Data
  Fingerprint
  Facial Image
  Birth Certificate
  Home Address
  Phone Numbers
  Profession

Keys to your kingdom
  Pseudo-random UID
  Cannot determine presence of specific passport without logging in
  Strong Authentication
  Basic Access Control
  Content Encryption
  3DES
  Extended Access Control

Deriving the Keys
  MRZ - Machine Readable Zone
  Key
  Document Number
  Date of Birth
  Expiry Date

ePassport demonstration

ePassport threats
  Key data may be obtained through other channels
  Passport profiling
  Determine country of origin without logging in
  Implementation errors:
  Australian passport ID does not start with '08' on select
  Australian passport does not require Basic Auth on 'File Select', only on 'File Read'.
  Target specific passport holders
  Bomb that detonates for Australians only...

RFIDIOt
  Open Source Python library
  Hardware independent
  ACG
  Frosch
  OpenPCD coming soon
  Low cost reader/writers now available
  http://rfidiot.org

ACG reaction to RFIDIOt
  Unfortunately your company's activities seem to be counter to ACG's interests so we will not be able to support you any further.
  Email 3rd January, 2007

Questions?
  http://rfidiot.org
  adam@algroup.co.uk