RFID Hacking Live Free or RFID Hard 24 Mar 2015 InfoSec World 2015 - - PowerPoint PPT Presentation

RFID Hacking

Live Free or RFID Hard

Agenda

• Qu

Quic ick k Over erview ew

• RFID badge basics
• Hackin

king T g Tool

• ols
• Primary existing RFID hacking tools
• Badge stealing, replaying, and cloning
• Attacking badge readers and controllers directly
• Planting Pwn Plugs and other backdoors
• Cus

Custom S Solu lution

• Arduino and weaponized commercial RFID readers
• Def

efens enses es

• Protecting badges, readers, controllers, and more

O V E R V I E W

Methodology

3 S T E P A P P R O A C H

• 1. Silently steal badge info
• 2. Create card clone
• 3. Enter and plant backdoor

Distance Limitations

A $ $ G R A B B I N G M E T H O D

Existing RFID hacking tools only work when a few centimeters away from badge

Introduction/Background

GETTING UP TO SPEED

Badge Basics

F R E Q U E N C I E S

Legacy 125kHz

S T I L L K I C K I N

80%

• “Legacy 125-kilohertz proximity technology is still in place at around

70% t % to 80% % of all physical access control deployments in the U.S. and it will be a long time” - Stephane Ardiley, HID Global.

• “There is no

no security ty, the they’ y’ve b been ha n hacked, there’s no protection of data, no privacy, everything is in the clear and it’s not resistant to sniffing or common attacks.”

Opposite of Progress

T A L K M O T I V A T I O N S

2007 2013

How a Card Is Read

P O I N T S O F A T T A C K

Card Reader Controller Wiegand output Host PC Ethernet

• Broadcasts 26-37 bit card number

• Converts card data to “Wiegand Protocol”

• No access decisions are made by reader

• Binary card data “format” is decoded
• Makes decision to grant access (or not)

• Add/remove card holders, access privileges
• Monitor system events in real time

Badge Types

Badge Basics

C A R D E L E M E N T S Card – “Formats” Decoded

• Card ID Number
• Facility Code
• Site Code (occasionally)

Badge Formats

HID ID ProxCar ard II II “F “Format ats”

• 26

26 – 37 bi 37 bit c car ards ds

• 44 bi

44 bits ac actual ally o y on c n car ard

• 10

10 hex hex c char harac acters

• Le

D A T A F O R M A T S

Badge Formats

D A T A F O R M A T S

RFID Other Usage

W H E R E E L S E ?

RFID Hacking Tools

P E N T E S T T O O L K I T

Proxmark3

R F I D H A C K I N G T O O L S

Single button, crazy flow diagram on lone button below $399

• RFID Hacking swiss army knife
• Read/simulate/clone RFID cards

ProxBrute

R F I D H A C K I N G T O O L S

• Custom firmware for the Proxmark3
• Brute-force higher privileged badges,

like data center door

RFIDiot Scripts

R F I D H A C K I N G T O O L S

RFIDeas Tools

R F I D H A C K I N G T O O L S

• No software required
• Identifies card type and data
• Great for badges w/o visual

indicators of card type

$269.00

Tastic Solution

L O N G R A N G E R F I D S T E A L E R

Tastic RFID Thief

• Easily hide in briefcase or messenger bag,

read badges from up t p to 3 f 3 feet aw away

• Silent powering and stealing of RFID badge

creds to be cloned later using T55x7 cards L O N G R A N G E R F I D S T E A L E R

Tastic RFID Thief

• Designed using Fritzing
• Exports to Extended-Gerber
• Order PCB at www.4pcb.com
• $33 for 1 PCB
• Much cheaper in bulk

L O N G R A N G E R F I D S T E A L E R

Custom PCB

T A S T I C R F I D T H I E F Custom PCB – easy to plug into any type of RFID badge reader

Wiegand Input

Tastic Custom PCB – reads from Wiegand output of RFID badge reader:

T A S T I C R F I D T H I E F

• Outputs a badge binary number by sending electrical

• Wiegand Interface consists of 3 lines: “Data 0”,

• To send a ‘0’-bit, a pulse is sent on DATA 0 (Green)
• To send a ‘1’-bit, a pulse is sent on DATA 1 (White)
• Every HID reader has a Wiegand output available

Commercial Readers

T A S T I C R F I D T H I E F Long-range commercial RFID readers to weaponize: 3 out of 4 HID RFID product families covered

Commercial Readers

• Indal

Indala L a Long ng-Ran ange R Reade eader 620 620

• HID

ID Max axiProx 5375 5375AGN00

T A S T I C R F I D T H I E F

~$400 - $500 on ebay ~$400 - $500 on ebay

Commercial Readers

• HID

D iCLASS SS – R90 90 – Lon Long R g Range ge Reade eader

• Tastic PCB in R90 will pick up iCLASS card if target

company is using default “Standard Security”.

T A S T I C R F I D T H I E F

~$345 on ebay

iCLASS Cloner

X F P G A . C O M - F R O M C H I N A

~$218 USD

• http://www.xfpga.com/html_products/iclass-

• Read/Write iCLASS cards using “Standard

• Requires older 32bit driver, and won’t let you

• Built from original ContactlessDemoVC.exe
• USB hardware licensing dongle shipped

Indala Cloning

E X A M P L E I N P R A C T I C E

Tastic Solution: Add-ons

M O D U L E S T O P O T E N T I A L L Y A D D

• Arduino NFC Shield
• Arduino BlueTooth Modules
• Arduino WiFly Shield (802.11b/g)
• Arduino GSM/GPRS shields (SMS messaging)
• WIZnet Embedded Web Server Module
• Xbee 2.4GHz Module (802.15.4 Zigbee)
• Parallax GPS Module PMB-648 SiRF
• Arduino Ethernet Shield
• Redpark - Serial-to-iPad/iPhone Cable

Forward Channel Attacks

P A S S I V E E A V E S D R O P P I N G R F I D

Droppin’ Eaves

B A D G E B R O A D C A S T S

Cloner 2.0 by Paget

E A V E S D R O P P I N G A T T A C K

• Chris Paget talked of his tool reach

ching g 10 feet feet for this type of attack

• Tool never actually released, unfortunately
• Una

naware of any p ny pub ublic t tools that exist for this attack currently

RFID Card Cloning

C A R D P R O G R A M M I N G

Programmable Cards

Simulate data and and behav behavior of any badge type

• T55x7 Cards
• Q5 cards (T5555)

Programmable Cards

• T55x

• Q5 car

Cloning to T55x T55x7 C Car ard using Proxmark3

• Simulate data an

and be d behavior of any badge type

• HID Prox Cloning – example:
• Indala Prox Cloning – example:
• ioProx Cloning – example:

Reader and Controller Attacks

D I R E C T A P P R O A C H

Reader Attacks

J A C K E D I N

• Dump private keys, valid badge

info, and more in few seconds

• Plant backdoor devices in reader
• Brute-force badge numbers over

the wire via Wiegand (5x faster)

Reader Attacks

G E C K O – M I T M A T T A C K

• Insert in door reader of target

building – record badg badge #s #s

• Tastic R

RFI FID Th Thief ief’s P PCB could be used similiarly for MITM attack

Never publicly released

Reader Attacks

T A S T I C – M I T M A T T A C K

• Insert in door reader of target

building – record badg badge #s #s

• Tastic R

RFI FID Th Thief ief’s P PCB could be used similiarly for MITM attack

+

Controller Attacks

J A C K E D I N

Controller Attacks

J A C K E D I N

Open en the he Badge R e Rea eader er t to Attack ck t the he Cont ntroller er D Direct ectly v via W Wieg egand nd Int Inter erface: ce:

• Arduino Wiegand BruteForcer – Arduino_VertX_Wiegand_BruteForce.ino
• 5 IDs pe

• Arduino Wiegand Skimmer and Emulator - Arduino_Vertx_ProxPoint_Skimmer.ino
• Arduino Wiegand Fuzzer - Arduino_VertX_Wiegand_Fuzzer.ino

Attacki king g the he Ver ertX C Cont ntroller O Over er the he Ne Netw twork:

• VertX_Query.py – HID VertX Controller Discovery and Query Tool
• VertX_WebOpen.py – Physically Open Door via HTTP GET Request to the WebUI
• VertX_CacheTool.c – HID VertX V2000 Cache Dump and Insertion Tool

RFID Reader / Controller Attack Tools – by Brad Antoniewicz

Controller Attacks

J A C K E D I N

• HID Global – MAC Address OUI: 00:0

• Scan network for MAC Addresses starting with 00:06:

• ntrol
• ller d

• very G

• ol:
• https://www.hidglobal.com/drivers/15654

MAC AC Ad Address - Targetting HID Controllers Over Network

Controller Attacks

J A C K E D I N

• HID VertX Controller – Default Open Ports:
• FTP (21), Telnet (23), HTTP (80)
• HID VertX Controller – Connect via FTP / Telnet /

• Banne

• Can also find using SH

Port S Scanni nning ng a and nd Banner nner G Grabbing ng - Targetting HID Controllers Over Network

Backdoors and Other Fun

L I T T L E D I F F E R E N C E S

Pwn Plug

M A I N T A I N I N G A C C E S S

Pwn Plug

M A I N T A I N I N G A C C E S S

• Pwn Plug Elite: $995.00
• Power Pwn: $1,495.00

Raspberry Pi

M A I N T A I N I N G A C C E S S

• Raspberry Pi - credit card sized, single-board computer – cheap $35

Raspberry Pi

M A I N T A I N I N G A C C E S S

• Raspberry Pi – cheap alternative (~$35

35) to Pwn Plug/Power Pwn

• Pwnie Express – Raspberry Pwn
• Rogue Pi – RPi Pentesting Dropbox
• Pwn Pi v3.0

Little Extra Touches

G O A L O N G W A Y

Defenses

A V O I D B E I N G P R O B E D

RFID Security Resources

S L I M P I C K I N S . . .

• RFID Security by Syngress
• Not updated since July 2005
• NIST SP 800-98 – Securing RFID
• Not updated since April 2007
• Hackin9 Magazine – Aug 2011
• RFID Hacking, pretty decent

Defenses

R E C O M M E N D A T I O N S

• Consider implementing a more secure, active RFID

system (e.g. “contactless s ss smart c t cards”) that incorporates encrypt ption

• n,

, mutual a authent hentica cation, and message replay protection.

• Consider systems that also support 2-fac

factor authentication, using elements such as a PIN pad pad or biom iometric ic inputs.

• Consider implementing physical security intrusion and

ano nomaly d det etec ection software.

• Implement “feel

eel t tes ests” by guards to ensure badges are not fake printed badges

Defenses

R E C O M M E N D A T I O N S

• Instruct employees no

not to wea ear t thei heir b badges es i in n prominent nent v view ew when outside the company premises.

• Utilize RFID

ID c card s shi hiel elds when the badge is not in use to prevent drive-by card sniffing attacks.

• Physically protect the RFID badge readers by using

se security sc screws that require special tools to remove the cover and access security components.

• Employ the tamper

er d det etec ect m mec echa hani nisms to prevent badge reader physical tampering. All readers and doors should be monitored by d by CCT CCTV.

Defenses (Broken)

S O M E D O N ’ T . . . E X A M P L E . . .

Defenses

F L Y G E A R

• RFID Blocking Skinny Jeans
• RFID Blocking Vests and Clothes
• RFID Blocking Bags and Backpacks

Thank You

Bi Bishop

• p F

Fox

• x – see f

for mo more info:

http://www.bishopfox.com/resources/tools/rfid-hacking/