RFIDIOts!!! Hacking RFID Without A Soldering Iron (or a Patent Attorney)

  1. RFIDIOts!!! Hacking RFID Without A Soldering Iron (or a Patent Attorney)
     Adam Laurie
     adam@algroup.co.uk
     http://rfidiot.org
     20th Annual FIRST Conference, Vancouver, BC, June 2008

  2. Who Am I?
     ● Co-Publisher APACHE-SSL
     ● DEFCON 'goon'
     ● London DEFCON poc - http://dc4420.org
     ● Open Source developer / researcher
       – Bluetooth
       – RFID
       – Full Disclosure / White Hat!
     ● Freelance research / training / lecturing

  3. What do I do?

  4. What is RFID?
     ● Radio Frequency IDentification
       – Radio Frequency or Magnetically Coupled chip
     ● Chip is passive
     ● Carrier wave energy from reader activates the chip
     ● Carrier modulation for two way communication

  5. Carrier Modulation READER message to TAG

  6. Carrier Modulation TAG reply to READER

  7. 'Dumb' vs 'Smart'
     ● Dumb: Simple ID/Data only
       – Door Entry Systems
         ● e.g. HID
     ● Smart: Smartcards
       – Payment Cards
         ● e.g. London Transport Oyster
       – Biometrics
         ● Passports

  8. 'Dumb' RFID – Moo am I?
     ● Animal ID
     ● Hotel Keys
     ● Car Immobilisers
     ● Ski Passes
     ● Goods Labels
     ● Luggage Handling
     ● Vending
     ● Human Implants

  9. Selling the idea of Human Implants

  10. Human Implants
     ● Military
       – Access Control
     ● Mental Patients
       – Tracking
     ● Beach Bars
       – Digital Wallets

  11. Unique ID!!!
     ● Cannot be cloned
     ● Cannot be cloned
     ● Cannot be cloned
     ● Cannot be cloned
     ● Cannot be cloned
     ● Cannot be cloned
     ● Cannot be cloned

  12–14. Unique ID?
     ● DIY Cloning Units
       – http://cq.cx/vchdiy.pl
       Spot the original?
     ● Industry Defence:
       “These 'clones' do not have the same form factor and are therefore not true clones”

  15–18. 2nd Line of Defence
     ● Security by Patent Attorney?
       – HID vs IOActive
         ● “HID Responds to Staged Proximity Card Cloning”
           – http://www.hidcorp.com/page.php?page_id=147
         ● “IOActive Provides Clarification on HID Dispute”
           – http://www.ioactive.com/pressreleases.html

  19–20. Unique ID?
     ● Readers cannot 'see' so form factor = irrelevant

  21–28. Cloning Devices

  29. The Challenge
     ● Create a 'true' clone
       – Same ID
       – Same Form Factor

  30. Understanding the ID
     ● Industry standard example
       – Animal Tagging
       – ISO-11784/5 FDX-B
         ● Application flag (Animal/Non-Animal)
         ● 3 Digit Country or Manufacturer code
         ● National ID

  31. Sending the ID
     ● Reader and TAG will communicate with
       – Specific frequency
         ● 125/134.2 kHz - 'dumb'
         ● 13.56 MHz - 'smart'
       – Specific data bitrate
         ● RF/2 - RF/128
       – Specific encoding (modulation) scheme
         ● FSK, Manchester, BiPhase, PSK, NRZ
       – Specific bit patterns
         ● Header / Data / CRC

  32. Decoding the ID
     ● 8 Byte raw ID from 'dumb' reader
       Byte 7 | Byte 6 | Byte 5 | Byte 4 | Byte 3 | Byte 2 | Byte 1 | Byte 0
       (fields, high bytes first: National ID | Country | Application Code)
       – Reverse MSB/LSB
       – Reverse each Nibble
       – Right shift (x2)
       – Convert to Decimal

  33. Decoding the ID
     ● 8 Byte raw ID:       70 91 53 12 EA 6F 00 01
       – Reverse MSB/LSB:    10 00 F6 AE 21 35 19 07
       – Reverse each Nibble: 80 00 F6 57 48 CA 89 0E

  34. Decoding the ID
     ● 8 Byte raw ID: 80 00 F6 57 48 CA 89 0E
       Application ID: 8000   Country: F65   National ID: 748CA890E
       – Country F65 rightshifted: 3D9 == '985' decimal
         ● icar.org: 'Destron Fearing / Digital Angel Corporation'
       – National ID 748CA890E == '31286003982'

  35. Encoding the ID
     ● Reverse the decoding process: 64 Bit ID
     ● Add Header / CRC to raw binary ID
       Header | ID B | ID B | ID B | ID B | ID B | ID B | ID B | ID B | CRC
       – Fixed bits embedded in ID prevent header being duplicated in datastream
     ● Now we have 128 bits of raw bit-level ID
       – How do we deliver it?
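The decoding recipe of slides 32–34 and the framing step of slide 35, carried through in Python as an added example (this is not code from the deck or from the RFIDIOt library). The raw bytes and the expected field values are the ones printed on the slides; the CRC parameters, the byte order inside the frame and the three trailing bytes are assumptions taken from the ISO 11784/5 FDX-B layout rather than from the slides, and are marked as such in the code. The example also shows that the two reversal steps together are simply a 64-bit bit reversal, which is why the same function serves for encoding.

```python
"""ISO 11784/5 FDX-B animal ID: decode the reader's raw bytes as on slides 32-34,
then reverse the process and frame the bits for a transponder as on slide 35.
Added example; RAW_ID and the expected field values are the ones printed on the slides."""

# Slide 33: the 8 raw bytes delivered by a 'dumb' 134.2 kHz reader.
RAW_ID = "70 91 53 12 EA 6F 00 01"


def reverse_msb_lsb(hex_bytes):
    """Slide 33 step 1: reverse the whole hex string (byte order and nibble order)."""
    return hex_bytes.replace(" ", "").upper()[::-1]


def reverse_nibbles(hex_str):
    """Slide 33 step 2: bit-reverse every nibble (1 -> 8, A -> 5, E -> 7, ...)."""
    out = []
    for c in hex_str:
        bits = format(int(c, 16), "04b")
        out.append(format(int(bits[::-1], 2), "X"))
    return "".join(out)


def bit_reverse64(hex_bytes):
    """Steps 1 and 2 together are one 64-bit bit reversal; returns 16 hex digits."""
    value = int(hex_bytes.replace(" ", ""), 16)
    return format(int(format(value, "064b")[::-1], 2), "016X")


def decode_fdxb(raw_hex):
    """Slides 33-34: reverse, then split into application / country / national ID."""
    fields = reverse_nibbles(reverse_msb_lsb(raw_hex))   # '8000F65748CA890E'
    assert fields == bit_reverse64(raw_hex)               # the recipe is a bit reversal
    application, country_raw, national_hex = fields[:4], fields[4:7], fields[7:]
    # Slide 34 right-shifts the 12-bit group by 2 to get the 10-bit ICAR country code.
    # (In the ISO 11784 layout the two bits shifted out are the top bits of the
    # 38-bit national ID; the slide's 36-bit national value leaves them aside.)
    return {
        "fields": fields,
        "application": application,                  # '8000'
        "country": int(country_raw, 16) >> 2,        # 0xF65 >> 2 == 0x3D9 == 985
        "national_id": int(national_hex, 16),        # 0x748CA890E == 31286003982
    }


def crc16_fdxb(data):
    """CRC-16 over the 8 raw ID bytes.  Assumed parameters: poly 0x1021 bit-reflected
    (0x8408), init 0, no final XOR (the 'Kermit' variant); check against ISO 11785."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def frame_fdxb(raw_hex):
    """Slide 35: header + 8 x (ID byte, control bit) + CRC + trailer = 128 bits.
    The forced '1' after every byte is what stops the 10-zero header from ever
    reappearing inside the data stream.  Byte order on the wire and the three
    zero trailer bytes are assumptions, not taken from the slide."""
    raw = bytes.fromhex(raw_hex.replace(" ", ""))
    crc = crc16_fdxb(raw)
    payload = raw + bytes([crc & 0xFF, crc >> 8]) + bytes(3)
    bits = "00000000001"                                   # 10 zeros + 1
    for byte in payload:
        bits += format(byte, "08b") + "1"                  # 8 data bits + control bit
    return bits


def unframe_fdxb(bits):
    """Inverse of frame_fdxb: skip the 11-bit header, drop every ninth (control) bit."""
    body = bits[11:11 + 72]
    data_bits = "".join(body[i:i + 8] for i in range(0, 72, 9))
    return format(int(data_bits, 2), "016X")


if __name__ == "__main__":
    decoded = decode_fdxb(RAW_ID)
    print("reversed    :", decoded["fields"])
    print("country     :", decoded["country"], "(ICAR: Destron Fearing / Digital Angel)")
    print("national ID :", decoded["national_id"])
    frame = frame_fdxb(bit_reverse64(decoded["fields"]))   # reversal undoes itself
    print("frame bits  :", len(frame), frame[:11], "...")
    print("round trip  :", unframe_fdxb(frame))
```

The round trip through `frame_fdxb` and `unframe_fdxb` is the check a defender wants when validating a reader's output: a legitimate FDX-B stream can never contain ten consecutive zeros after its header, so a decoder that synchronises on the header cannot be confused by ID bytes that happen to be zero.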

  36. Multi-Format Transponders
     ● Why make 10 transponder types when you can make 1?
       – Lower manufacturing costs
       – Lower stocking/distribution costs
       – Convenience

  37. Multi-Format Transponders
     ● Independently configurable parameters
       – Q5
         ● Configuration for Bit Rate, Modulation etc.
         ● 224 Bits user programmable memory
         ● Dump <n> data blocks on wakeup
         ● Multiple 'personalities'
       – Hitag2
         ● Configuration for 'Public Modes'
         ● 256 Bit user programmable memory
         ● Dump <n> data blocks on wakeup as per Mode setting

  38. Sending the ID
     ● Take a redundant Door Entry tag
       – Re-Set configuration as appropriate
         ● Bit Rate
         ● Modulation
         ● Inversion
         ● Number of blocks to dump on 'wakeup'
       – Program data blocks with raw ID

  39. Demonstration
     ● Clone Trovan 'Unique' TAG
       – Access Control System
     ● Clone ISO 11784 'Animal' TAG (FDX-B)
       – Cow Implant
       – VeriChip paperweight

  40. RFID implanted chip threats
     ● Track individuals
     ● Target individuals
     ● Impersonate individuals
       – Gain access to restricted areas
       – Provide alibi for accomplice!
     ● 'Smart' Bombs
       – Device only goes off if target of sufficient rank is in range.

  41. 'Smart': Encryption is your friend
     ● RFID Enabled 'Biometric' passports
     ● 48 Items of Data
       – Fingerprint
       – Facial Image
       – Birth Certificate
       – Home Address
       – Phone Numbers
       – Profession

  42. Keys to your kingdom
     ● Pseudo random UID
       – Cannot determine presence of specific passport without authentication
     ● Strong Authentication
       – Basic Access Control
         ● 3DES
     ● Content Encryption
       – Extended Access Control

  43. Deriving the Keys
     ● MRZ – Machine Readable Zone
     ● Key
       – Document Number
       – Date of Birth
       – Expiry Date
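How the three MRZ fields on slides 42–43 become the Basic Access Control 3DES keys, as an added example written to the ICAO 9303 Part 11 key derivation (this is not code from the deck or from RFIDIOt). The MRZ line is the sample document from the ICAO 9303 specification, not a real passport; the parser validates the MRZ check digits before deriving anything, which is what a reader should do so that a misread line is rejected rather than turned into a wrong key.

```python
"""ePassport Basic Access Control: derive the BAC keys from the three MRZ fields
(ICAO 9303 Part 11 key derivation).  Added example, not code from the deck or from
RFIDIOt; the MRZ line is the ICAO 9303 sample document, not a real passport."""
import hashlib

# Second MRZ line of the ICAO 9303 sample passport (spec test data, not a real holder).
SAMPLE_MRZ_LINE2 = "L898902C<3UTO6908061F9406236ZE184226B<<<<<14"


def mrz_check_digit(field):
    """ICAO 9303 check digit: weights 7,3,1 repeating; '0'-'9' as is, 'A'-'Z' = 10-35, '<' = 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        else:
            value = ord(ch.upper()) - ord("A") + 10
        total += value * (7, 3, 1)[i % 3]
    return total % 10


def parse_mrz_line2(line):
    """Extract document number, date of birth and expiry date from a 44-character
    TD3 second line, verifying each field check digit and the composite check digit."""
    if len(line) != 44:
        raise ValueError("TD3 second MRZ line must be 44 characters")
    doc_number, dob, expiry, optional = line[0:9], line[13:19], line[21:27], line[28:42]
    for field, check in ((doc_number, line[9]), (dob, line[19]),
                         (expiry, line[27]), (optional, line[42])):
        expected = 0 if check == "<" else int(check)    # '<' is allowed for an empty optional field
        if mrz_check_digit(field) != expected:
            raise ValueError(f"check digit mismatch for field {field!r}")
    # Composite check covers doc number, DOB and expiry (each with its check digit)
    # plus the optional data and its check digit; nationality and sex are excluded.
    composite = line[0:10] + line[13:20] + line[21:43]
    if mrz_check_digit(composite) != int(line[43]):
        raise ValueError("composite check digit mismatch")
    return doc_number, dob, expiry


def mrz_information(doc_number, dob, expiry):
    """The 24-character key input: each field followed by its own check digit."""
    return "".join(f + str(mrz_check_digit(f)) for f in (doc_number, dob, expiry))


def adjust_des_parity(key):
    """Force odd parity on every byte of a (3)DES key; bit 0 is the parity bit."""
    out = bytearray()
    for b in key:
        ones_in_upper7 = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones_in_upper7 % 2 else 1))
    return bytes(out)


def derive_bac_keys(doc_number, dob, expiry):
    """Kseed = SHA-1(MRZ information)[:16]; Kenc / Kmac = SHA-1(Kseed || counter)[:16]
    with counter 1 / 2, parity-adjusted for 3DES (ICAO 9303 Part 11, Appendix D)."""
    k_seed = hashlib.sha1(mrz_information(doc_number, dob, expiry).encode("ascii")).digest()[:16]
    k_enc = adjust_des_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x01").digest()[:16])
    k_mac = adjust_des_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x02").digest()[:16])
    return k_seed.hex(), k_enc.hex(), k_mac.hex()


def bac_keys_from_mrz_line2(line):
    """The whole chain from the printed MRZ line to the two BAC keys."""
    return derive_bac_keys(*parse_mrz_line2(line))


if __name__ == "__main__":
    k_seed, k_enc, k_mac = bac_keys_from_mrz_line2(SAMPLE_MRZ_LINE2)
    print("MRZ information:", mrz_information(*parse_mrz_line2(SAMPLE_MRZ_LINE2)))
    print("Kseed:", k_seed)
    print("Kenc :", k_enc)
    print("Kmac :", k_mac)
```

Note that every input to the derivation is printed on the data page: the key strength rests entirely on how hard the document number, date of birth and expiry date are to obtain, which is the point slide 50 goes on to make about key data leaking through other channels.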

  44. ePassport Demonstration

  45. ePassport Cloning

  46. ePassport Cloning

  47. ePassport Modification
     ● “Not Possible” due to cryptographic signatures
       – Certificate Authority (CA) not verifiable
         ● Signatures provided by document
         ● CA Key provided by same document
         ● Public Key Directory PKD now available
           – As of April 2007
           – 15 Participating Countries
         ● Self-Signed Forgery may not be detected!

  48. ePassport Certificates
     New Zealand genuine:
       Certificate:
           Data:
               Version: 3 (0x2)
               Serial Number: 1122333666 (0x42e573e2)
               Signature Algorithm: sha256WithRSAEncryption
               Issuer: C=NZ, O=Government of New Zealand, OU=Passports, OU=Identity Services Passport CA
               Validity
                   Not Before: Jan 23 21:46:58 2007 GMT
                   Not After : May 18 12:00:00 2012 GMT
               Subject: C=NZ, O=Government of New Zealand, OU=Passports, OU=MRTD, CN=Document Signer 200701241034
               Subject Public Key Info:
                   Public Key Algorithm: rsaEncryption
                   RSA Public Key: (2048 bit)
                       Modulus (2048 bit):
                           00:a8:bf:fb:c0:ae:f4:c7:fe:ec:19:71:b6:25:e9:
                           ...

  49. ePassport Certificates
     New Zealand forgery:
       Certificate:
           Data:
               Version: 3 (0x2)
               Serial Number: 1122333666 (0x42e573e2)
               Signature Algorithm: sha256WithRSAEncryption
               Issuer: C=NZ, O=Government of New Zealand, OU=Passports, OU=Identity Services Passport CA
               Validity
                   Not Before: Jan 23 21:46:58 2007 GMT
                   Not After : May 18 12:00:00 2012 GMT
               Subject: C=NZ, O=Government of New Zealand, OU=Passports, OU=MRTD, CN=Document Signer 200701241034
               Subject Public Key Info:
                   Public Key Algorithm: rsaEncryption
                   RSA Public Key: (2048 bit)
                       Modulus (2048 bit):
                           00:dc:19:33:f3:11:86:a4:82:b9:c7:21:45:ca:81:
                           ...

  50. Other ePassport threats
     ● Key data may be obtained through other channels
     ● Passport profiling
       – Determine country of origin without logging in
       – Implementation errors:
         ● Australian passport does not start with '08' on select
         ● Australian passport does not require Basic Auth on 'File Select', only on 'File Read'.
     ● Target specific passport holders
       – Bomb that works for Australians only...

  51. New For 2008 - “Chappy”
     ● ChAP.py – Chip And PIN (in python)
     ● PC/SC Smartcard
       – EMV
         ● Visa
         ● MasterCard
         ● Maestro
         ● Amex

  52. RFIDIOt
     ● Open Source Python library
     ● Hardware independent
       – ACG
       – Frosch
       – PCSC-Lite
       – OpenPCD coming soon
     http://rfidiot.org

  53. Questions?
     http://rfidiot.org
     adam@algroup.co.uk
