RFID Hacking (without a degree in electronics)

Similar documents
RFIDIOts!!! RFID Hacking without a Soldering Iron (... or a Patent Attorney :)

MIFARE CONTACTLESS CARD TECHNOLOLGY AN HID WHITE PAPER

Security by Politics - Why it will never work. Lukas Grunwald DN-Systems GmbH Germany DefCon 15 Las Vegas USA

Using RFID Techniques for a Universal Identification Device

RFID Penetration Tests when the truth is stranger than fiction

How To Understand The Power Of An Freddi Tag (Rfid) System

RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards

Atmel Innovative Silicon RFID IDIC Solutions

Contactless Smart Cards vs. EPC Gen 2 RFID Tags: Frequently Asked Questions. July, Developed by: Smart Card Alliance Identity Council

Using Contactless Smart Cards for Secure Applications

CHAPTER 1 Introduction 1

NFC Hacking: The Easy Way

Gemalto Mifare 1K Datasheet

Implementation of biometrics, issues to be solved

RFID Design Principles

NFC Hacking: The Easy Way

Development of Hybrid Radio Frequency Identification and Biometric Security Attendance System

Keep Out of My Passport: Access Control Mechanisms in E-passports

NACCU Migrating to Contactless:

New Attacks against RFID-Systems. Lukas Grunwald DN-Systems GmbH Germany

A Note on the Relay Attacks on e-passports

USING MIFARE CLASSIC TAGS VERSION

RFID Design Principles

Security Issues in RFID systems. By Nikhil Nemade Krishna C Konda

Karsten Nohl University of Virginia. Henryk Plötz HU Berlin

Location-Aware and Safer Cards: Enhancing RFID Security and Privacy

Evolving Bar Codes. Y398 Internship. William Holmes

W.A.R.N. Passive Biometric ID Card Solution

advant advanced contactless smart card system

OBID RFID by FEIG ELECTRONIC. OBID classic / OBID classic-pro. RFID Reader Technology for Security Applications

Secure My-d TM and Mifare TM RFID reader system by using a security access module Erich Englbrecht (info@eonline.de) V0.1draft

Achieving Universal Secure Identity Verification with Convenience and Personal Privacy A PRIVARIS BUSINESS WHITE PAPER

RFID Security: Threats, solutions and open challenges

Design And Implementation Of Bank Locker Security System Based On Fingerprint Sensing Circuit And RFID Reader

Strengthen RFID Tags Security Using New Data Structure

Time & Access System An RFID based technology

Technical Article. NFiC: a new, economical way to make a device NFC-compliant. Prashant Dekate

Special Topics in Security and Privacy of Medical Information. Reminders. Medical device security. Sujata Garera

SALTO Systems I SALTO Carriers. innovation in ID technology. MIFARE DESFire

E-Blocks Easy RFID Bundle

Radio Frequency Identification (RFID)

Amy Hissom Fall 2007

iclass Card Cloning using an RW300 Reader/Writer

Full page passport/document reader Regula model 70X4M

International Journal of Engineering Research & Management Technology

Security & Chip Card ICs SLE 44R35S / Mifare

What standards ISO/CEI ISO/CEI EPC class 1 gen 2. RFID standards. ISO14443,ISO15693 and EPCGlobal. Mate SoosINRIA.

Implantable RFID Chips: Security versus Ethics

To effectively manage and control a factory, we need information. How do we collect it?

How Does It Work? Internet of Things

PMAfob Home Automation Demo

RFID BASED VEHICLE TRACKING SYSTEM

Preventing fraud in epassports and eids

Self-Check-In Hotels Using RFID. Technology

Information Security Group (ISG) Core Research Areas. The ISG Smart Card Centre. From Smart Cards to NFC Smart Phone Security

RFID Hacking. Live Free or RFID Hard. 01 Aug 2013 Black Hat USA 2013 Las Vegas, NV. Presented by: Francis Brown Bishop Fox

DT3: RF On/Off Remote Control Technology. Rodney Singleton Joe Larsen Luis Garcia Rafael Ocampo Mike Moulton Eric Hatch

E-Passport Testing. Ensuring Global Acceptance. Jos Chehin Date: 17 November 2006 Location: ASML

Security in Near Field Communication (NFC)

AN1304. NFC Type MIFARE Classic Tag Operation. Application note PUBLIC. Rev October Document information

Microchip FAQ's All you wanted to know about microchips but were afraid to ask!

Yubico YubiHSM Monitor

Electronic Access Control Security. Matteo Beccaro HackInTheBox Amsterdam, May 27 th, 2016

THE APPEAL FOR CONTACTLESS PAYMENT 3 AVAILABLE CONTACTLESS TECHNOLOGIES 3 USING ISO BASED TECHNOLOGY FOR PAYMENT 4

Small Tech, Big Issues

Abracon PTM Introduction to ANFCA Series Flexible Peel & Stick NFC Antennas

Chip Card & Security ICs Mifare NRG SLE 66R35

Using ISO Compliant RFID Tags in an Inventory Control System

Secure recharge of disposable RFID tickets

QUESTIONS & ANSWERS. How did the Department decide on the cost of the Passport Card?

RFID Toys. Cool Projects for Home, Office, and Entertainment. Amal Graafstra. WILEY Wiley Publishing, Inc.

50 ways to break RFID privacy

RFID Security. April 10, Martin Dam Pedersen Department of Mathematics and Computer Science University Of Southern Denmark

Securing Host Operations with a Dedicated Cryptographic IC - CryptoCompanion

How to hack your way out of home detention

ASSET TRACKING USING RFID SRAVANI.P(07241A12A7) DEEPTHI.B(07241A1262) SRUTHI.B(07241A12A3)

Cloud RFID UHF Gen 2

Combatting Counterfeit Identities: The Power of Pairing Physical & Digital IDs

RF ID Security and Privacy

RFID Technology - Potential Of Big Brother

AN1305. MIFARE Classic as NFC Type MIFARE Classic Tag. Application note COMPANY PUBLIC. Rev October Document information

Overview of Contactless Payment Cards. Peter Fillmore. July 20, 2015

2.0 System Description

Home Security System for Automatic Doors

fleischhauer tickets RFID

NFC Test Challenges for Mobile Device Developers Presented by: Miguel Angel Guijarro

PUF Physical Unclonable Functions

Statewatch Briefing ID Cards in the EU: Current state of play

Enhancing the Contactless Cards UAT. Enabling faster and efficient transactions.

Services and Data Definitions

Allwin Initiative for Corporate Citizenship Dartmouth Center for the Advancement of Learning Dickey Center Ethics Institute Institute for Security

3M Cogent, Inc. White Paper. Beyond. Wiegand: Access Control. in the 21st Century. a 3M Company

ID Document Scanning and Biometric Solutions

Implementation of an Improved Secure System Detection for E-passport by using EPC RFID Tags

NAIT DEVICE STANDARD FOR CATTLE 25 SEPTEMBER 2014

Technical Data Sheet UM-005. UM005-doc In reference to UM005-c-01.04

LibRFID: Automation Software for Library Management System Using RFID Technology

The Research and Application of College Student Attendance System based on RFID Technology

RF Attendance System Framework for Faculties of Higher Education

Transcription:

RFID Hacking (without a degree in electronics) Adam Laurie adam@algroup.co.uk http://www.apache ssl.org http://trifinite.org http://rfidiot.org EUSecWest 2007 London, UK

What is RFID? Contacless Auto ID technology Radio Frequency or Magnetically Coupled chip Chip is passive Energy from reader activates the chip

What is it for? Simple ID only Door Entry Systems e.g. HID Smartcards Payment Cards e.g. Oyster Biometrics e.g. Passports

RFID Moo am I? Animal ID Hotel Keys Car Immobilisers Ski Passes Goods Labels Luggage Handling Vending Human Implants

Selling the idea of Human Implants

Human Implants Military Mental Patients Access Control Tracking Beach Bars Digital Wallets

Unique ID!!! Cannot be cloned Cannot be cloned Cannot be cloned Cannot be cloned Cannot be cloned Cannot be cloned Cannot be cloned

Unique ID? DIY Cloning Units Spot the original? http://cq.cx/vchdiy.pl

Unique ID? DIY Cloning Units Spot the original? http://cq.cx/vchdiy.pl Industry Defence: Clones do not have the same form factor and are therefore not true clones

Unique ID? Readers cannot 'see' so form factor irrelevant

Unique ID? = Readers cannot 'see' so form factor irrelevant

The Challenge Create a 'true' clone Same form factor Same ID

Understanding the ID Industry standard example Animal Tagging ISO 11784/5 FDX B Application flag (Animal/Non Animal) 3 Digit Country or Manufacturer code National ID

Sending the ID Reader and TAG will communicate with Specific frequency 125/134.2 khz (13.56 MHz) Specific data bitrate Specific encoding (modulation) scheme RF/2 RF/128 FSK, Manchester, BiPhase, PSK, NRZ Specific bit patterns Header / Data / CRC

Decoding the ID 8 Byte raw ID from 'dumb' reader Byte 7 Byte 6 Byte 5 Byte 4 National ID Reverse MSB/LSB Reverse each Nibble Right shift (x2) Convert to Decimal Byte 3 Byte 2 Country Byte 1 Byte 0 Application Code

Decoding the ID 8 Byte raw ID 70 53 12 EA 6F 00 01 AE 21 35 19 07 48 CA 89 0E Reverse MSB/LSB 10 91 00 F6 Reverse each Nibble 80 00 F6 57

Decoding the ID 8 Byte raw ID 80 00 Application ID 8000 Country F65 57 48 CA 89 0E National ID 748CA890E Country F65 rightshifted 3D9 == '985' decimal F6 icar.org: 'Destron Fearing / Digital Angel Corporation' National ID 748CA890E == '31286003982'

Encoding the ID Reverse the decoding process Add Header / CRC to raw binary ID Header ID B ID B ID B ID B ID B ID B ID B ID Fixed bits embedded in ID prevent header being duplicated in datastream Now we have 128 bits of raw bit level ID B CRC How do we deliver it?

Multi Format Transponders Why make 10 transponder types when you can make 1? Lower manufacturing costs Lower stocking/distribution costs Convenience

Multi Format Transponders Independantly configurable parameters Q5 Configuration for Bit Rate, Modulation etc. 224 Bits user programmable memory 'Dump' <n> blocks on wakeup Multiple 'personalities' Hitag2 Configuration for 'Public Modes' 256 Bit user programmable memory Dump <n> blocks on wakeup as per Mode

Sending the ID Take a Door Entry tag Set configuration Bit Rate Modulation Inversion Number of blocks to send on wakeup Program data blocks with raw ID

Demonstration Clone Trovan 'Unique' TAG Access Control System Clone ISO 11784 'Animal' TAG (FDX B) Cow implant VeriChip paperweight

RFID implanted chip threats Track individuals Target individuals Impersonate individuals Gain access to restricted areas Provide alibi for accomplice! 'Smart' Bombs Device only goes off if target of sufficient rank is in range.

Encryption is your friend RFID Enabled 'Biometric' passports 48 Items of Data Fingerprint Facial Image Birth Certificate Home Address Phone Numbers Profession

Keys to your kingdom Pseudo random UID Cannot determine presence of specific passport without logging in Strong Authentication Basic Access Control 3DES Content Encryption Extended Access Control

Deriving the Keys MRZ Machine Readable Zone Key Document Number Date of Birth Expiry Date

epassport Demonstration

epassport threats Key data may be obtained through other channels Passport profiling Determine country of origin without logging in Implementation errors: Australian passport does not start with '08' on select Australian passport does not require Basic Auth on 'File Select', only on 'File Read'. Target specific passport holders Bomb that works for Australians only...

RFIDIOt Open Source Python library Hardware independent ACG Frosch OpenPCD coming soon Low cost reader/writers now available http://rfidiot.org

ACG reaction to RFIDIOt Unfortunately your companies activities seem to be counter to ACG's interests so we will not be able to support you any further. Email 3rd January, 2007

Questions? http://rfidiot.org adam@algroup.co.uk

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information