rfidiots rfid hacking without a soldering iron or a
play

RFIDIOts!!! RFID Hacking without a Soldering Iron (... or a Patent - PowerPoint PPT Presentation

Oct 21, 2022 •445 likes •849 views

RFIDIOts!!! RFID Hacking without a Soldering Iron (... or a Patent Attorney :) Adam Laurie adam@algroup.co.uk http://www.apache-ssl.org http://trifinite.org http://rfidiot.org BlackHat Europe 2007 Amsterdam, The Netherlands What is RFID?

  1. RFIDIOts!!! RFID Hacking without a Soldering Iron (... or a Patent Attorney :) Adam Laurie adam@algroup.co.uk http://www.apache-ssl.org http://trifinite.org http://rfidiot.org BlackHat Europe 2007 Amsterdam, The Netherlands

  2. What is RFID? ● Contacless Auto-ID technology – Radio Frequency or Magnetically Coupled chip ● Chip is passive ● Energy from reader activates the chip

  3. What is it for? ● Simple ID only – Door Entry Systems ● e.g. HID ● Smartcards – Payment Cards ● e.g. Oyster – Biometrics ● e.g. Passports

  4. RFID – Moo am I? ● Animal ID ● Hotel Keys ● Car Immobilisers ● Ski Passes ● Goods Labels ● Luggage Handling ● Vending ● Human Implants

  5. Selling the idea of Human Implants

  6. Human Implants ● Military – Access Control ● Mental Patients – Tracking ● Beach Bars – Digital Wallets

  7. Unique ID!!! ● Cannot be cloned ● Cannot be cloned ● Cannot be cloned ● Cannot be cloned ● Cannot be cloned ● Cannot be cloned ● Cannot be cloned

  8. Unique ID? ● DIY Cloning Units – http://cq.cx/vchdiy.pl Spot the original?

  9. Unique ID? ● DIY Cloning Units – http://cq.cx/vchdiy.pl ● Industry Defence: Spot the original?

  10. Unique ID? ● DIY Cloning Units – http://cq.cx/vchdiy.pl ● Industry Defence: Spot the original? “Clones do not have the same form factor and are therefore not true clones”

  11. Unique ID? ● Readers cannot 'see' so form factor irrelevant

  12. Unique ID? ● Readers cannot 'see' so form factor = irrelevant

  13. Cloning Devices

  14. Cloning Devices

  15. Cloning Devices

  16. Cloning Devices

  17. Cloning Devices

  18. Cloning Devices

  19. Cloning Devices

  20. Cloning Devices

  21. The Challenge ● Create a 'true' clone – Same ID – Same Form Factor

  22. Understanding the ID ● Industry standard example – Animal Tagging – ISO-11784/5 FDX-B ● Application flag (Animal/Non-Animal) ● 3 Digit Country or Manufacturer code ● National ID

  23. Sending the ID ● Reader and TAG will communicate with – Specific frequency ● 125/134.2 kHz ● (13.56 MHz) – Specific data bitrate ● RF/2 - RF/128 – Specific encoding (modulation) scheme ● FSK, Manchester, BiPhase, PSK, NRZ – Specific bit patterns ● Header / Data / CRC

  24. Decoding the ID ● 8 Byte raw ID from 'dumb' reader Byte 7 Byte 6 Byte 5 Byte 4 Byte 3 Byte 2 Byte 1 Byte 0 National ID Country Application Code – Reverse MSB/LSB – Reverse each Nibble – Right shift (x2) – Convert to Decimal

  25. Decoding the ID ● 8 Byte raw ID 70 91 53 12 EA 6F 00 01 – Reverse MSB/LSB 10 00 F6 AE 21 35 19 07 – Reverse each Nibble 80 00 F6 57 48 CA 89 0E

  26. Decoding the ID ● 8 Byte raw ID 80 00 F6 57 48 CA 89 0E Application ID Country National ID 8000 F65 748CA890E – Country F65 rightshifted: 3D9 == '985' decimal ● icar.org: 'Destron Fearing / Digital Angel Corporation' – National ID 748CA890E == '31286003982'

  27. Encoding the ID ● Reverse the decoding process 64 Bit ID ● Add Header / CRC to raw binary ID B B B B B B B B Header ID ID ID ID ID ID ID ID CRC – Fixed bits embedded in ID prevent header being duplicated in datastream ● Now we have 128 bits of raw bit-level ID – How do we deliver it?

  28. Multi-Format Transponders ● Why make 10 transponder types when you can make 1? – Lower manufacturing costs – Lower stocking/distribution costs – Convenience

  29. Multi-Format Transponders ● Independently configurable parameters – Q5 ● Configuration for Bit Rate, Modulation etc. ● 224 Bits user programmable memory ● Dump <n> data blocks on wakeup ● Multiple 'personalities' – Hitag2 ● Configuration for 'Public Modes' ● 256 Bit user programmable memory ● Dump <n> data blocks on wakeup as per Mode setting

  30. Sending the ID ● Take a redundant Door Entry tag – Re-Set configuration as appropriate ● Bit Rate ● Modulation ● Inversion ● Number of blocks to dump on 'wakeup' – Program data blocks with raw ID

  31. Demonstration ● Clone Trovan 'Unique' TAG – Access Control System ● Clone ISO 11784 'Animal' TAG (FDX-B) – Cow Implant – VeriChip paperweight

  32. RFID implanted chip threats ● Track individuals ● Target individuals ● Impersonate individuals – Gain access to restricted areas – Provide alibi for accomplice! ● 'Smart' Bombs – Device only goes off if target of sufficient rank is in range.

  33. Encryption is your friend ● RFID Enabled 'Biometric' passports ● 48 Items of Data – Fingerprint – Facial Image – Birth Certificate – Home Address – Phone Numbers – Profession

  34. Keys to your kingdom ● Pseudo random UID – Cannot determine presence of specific passport without logging in ● Strong Authentication – Basic Access Control ● 3DES ● Content Encryption – Extended Access Control

  35. Deriving the Keys ● MRZ – Machine Readable Zone ● Key – Document Number – Date of Birth – Expiry Date

  36. ePassport Demonstration

  37. ePassport threats ● Key data may be obtained through other channels ● Passport profiling – Determine country of origin without logging in – Implementation errors: ● Australian passport ID does not start with '08' on select ● Australian passport does not require Basic Auth on 'File Select', only on 'File Read'. ● Target specific passport holders – Bomb that detonates for Australians only...

  38. RFIDIOt ● Open Source Python library ● Hardware independent – ACG – Frosch – OpenPCD coming soon ● Low cost reader/writers now available http://rfidiot.org

  39. ACG reaction to RFIDIOt “Unfortunately your companies activities seem to be counter to ACG's interests so we will not be able to support you any further.” Email - 3 rd January, 2007

  40. Questions? http://rfidiot.org adam@algroup.co.uk

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

RFIDIOts!!! Hacking RFID Without A Soldering Iron (or a Patent Attorney) Adam Laurie

RFIDIOts!!! Hacking RFID Without A Soldering Iron (or a Patent Attorney) Adam Laurie

RFIDIOts!!! Hacking RFID Without A Soldering Iron (or a Patent Attorney) Adam Laurie adam@algroup.co.uk http://rfidiot.org 20 th Annual FIRST Conference Vancouver, BC June 2008 Who Am I? Co-Publisher APACHE-SSL DEFCON 'goon'

739 views • 53 slides
RFIDIOts!!! Hacking RFID Without A Soldering Iron (or a Patent Attorney) Adam Laurie

RFIDIOts!!! Hacking RFID Without A Soldering Iron (or a Patent Attorney) Adam Laurie

RFIDIOts!!! Hacking RFID Without A Soldering Iron (or a Patent Attorney) Adam Laurie adam@algroup.co.uk http://trifinite.org http://rfidiot.org BlackHat Briefings Las Vegas, 2007 Who Am I? The Bunker non-exec Co-Publisher APACHE-SSL

503 views • 48 slides
RFIDIOts!!! Hacking RFID Without A Soldering Iron (or a Patent Attorney) Adam Laurie

RFIDIOts!!! Hacking RFID Without A Soldering Iron (or a Patent Attorney) Adam Laurie

RFIDIOts!!! Hacking RFID Without A Soldering Iron (or a Patent Attorney) Adam Laurie adam@algroup.co.uk http://trifinite.org http://rfidiot.org FIRST TC, 2008 Prague, Czec Republic Who Am I? The Bunker non-exec Co-Publisher

607 views • 50 slides
RFIDIOts!!! Hacking RFID Without A Soldering Iron (or a Patent Attorney) Adam Laurie

RFIDIOts!!! Hacking RFID Without A Soldering Iron (or a Patent Attorney) Adam Laurie

RFIDIOts!!! Hacking RFID Without A Soldering Iron (or a Patent Attorney) Adam Laurie adam@algroup.co.uk http://trifinite.org http://rfidiot.org Black Hat DC Briefings, 2008 Washington DC, USA Who Am I? The Bunker non-exec

502 views • 49 slides
RFID Hacking Live Free or RFID Hard 01 Aug 2013 Black Hat USA 2013 Las Vegas, NV Presen

RFID Hacking Live Free or RFID Hard 01 Aug 2013 Black Hat USA 2013 Las Vegas, NV Presen

RFID Hacking Live Free or RFID Hard 01 Aug 2013 Black Hat USA 2013 Las Vegas, NV Presen sented ed b by: Francis Brown Bishop Fox www.bishopfox.com Agenda O V E R V I E W Qu Quic ick k Over erview ew RFID badge

883 views • 50 slides
RFID Hacking Live Free or RFID Hard 24 Mar 2015 InfoSec World 2015 Orlando, FL Presen

RFID Hacking Live Free or RFID Hard 24 Mar 2015 InfoSec World 2015 Orlando, FL Presen

RFID Hacking Live Free or RFID Hard 24 Mar 2015 InfoSec World 2015 Orlando, FL Presen sented ed b by: Francis Brown &amp; Rob Ragan Bishop Fox www.bishopfox.com Agenda O V E R V I E W Qu Quic ick k Over erview ew

853 views • 57 slides
Soldering Everything you always wanted to know about soldering but were afraid to ask. By:

Soldering Everything you always wanted to know about soldering but were afraid to ask. By:

Soldering Everything you always wanted to know about soldering but were afraid to ask. By: David M. Thibodeau Topics Copper Solder Fluxes Irons How to solder 1 Definition A joining process wherein coalescence is

294 views • 10 slides
NL(C)V Series SMD Inductor for Power/Signal Line FEATURES Highly reliable and adaptable to

NL(C)V Series SMD Inductor for Power/Signal Line FEATURES Highly reliable and adaptable to

NL(C)V Series SMD Inductor for Power/Signal Line FEATURES Highly reliable and adaptable to reflow soldering, soldering iron or wave soldering. Strong structure and highly accurate dimensions. Highly resistant to mechanical and

361 views • 6 slides
Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight

Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight

March 2, 2014 Monte Jade's RFID Seminar Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight RFID 4. Current Airport RFID Deployments 5. Atlanta International Airport Activity with IATA RFID

912 views • 35 slides
FLEXIBLE ROBOT SOLDERING Locations Locations Ireland Czech Slovakia Hungary Ukraine

FLEXIBLE ROBOT SOLDERING Locations Locations Ireland Czech Slovakia Hungary Ukraine

FLEXIBLE ROBOT SOLDERING Locations Locations Ireland Czech Slovakia Hungary Ukraine Romania Mexico INTELLIGENT SOLUTIONS COMPANY IN-LINE ROBOT SOLDERING Although various soldering techniques have been invented and applied in

447 views • 11 slides
ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing

IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing

IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing Tag Oslo, 28 November 2007 IntelliSense RFID Workshop IntelliSense RFID RESEARCH PROJECT FOR TECHNOLOGY DEVELOPMENT WITHIN THE FIELDS OF RFID

788 views • 13 slides
The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio

The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio

The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio Frequency Identification Modern RFID Applications VeriChips Subdermal RFID VeriChips Subdermal RFID VeriChips Subdermal RFID VeriChips

628 views • 29 slides
Hacking the Internet of Things Andrei Costin andrei@firmware.re @costinandrei What I do?

Hacking the Internet of Things Andrei Costin andrei@firmware.re @costinandrei What I do?

Hacking the Internet of Things Andrei Costin andrei@firmware.re @costinandrei What I do? Embedded Security Research 2009 RFID MiFare Classic (MFCUK) Click to edit Master text styles https://github.com/nfc-tools/mfcuk Second

1.12k views • 71 slides
RFID attacks and proxmark hands-on @ KirilsSolovjovs +4fd9 About me Programming sysad

RFID attacks and proxmark hands-on @ KirilsSolovjovs +4fd9 About me Programming sysad

RFID attacks and proxmark hands-on @ KirilsSolovjovs +4fd9 About me Programming sysad networking IT security for the past 10+ y Owner and Lead Researcher at Possible Security Hacking and breaking things

946 views • 19 slides
TrainTraxx.com HiveID RFID/NFC Solutions for Model Railroaders Presented by Carlton Brown &amp;

TrainTraxx.com HiveID RFID/NFC Solutions for Model Railroaders Presented by Carlton Brown &amp;

TrainTraxx.com HiveID RFID/NFC Solutions for Model Railroaders Presented by Carlton Brown &amp; Blaine McDonnell Using RFID for Model Railroad Operations What is RFID? How does RFID Work? RFID Frequencies and Type of Tags

853 views • 25 slides
Poster Prentation List No. Title / Authors / Affiliation Crystalline Orientation Relations of

Poster Prentation List No. Title / Authors / Affiliation Crystalline Orientation Relations of

Poster Prentation List No. Title / Authors / Affiliation Crystalline Orientation Relations of to -phase in Pressure-induced 36 P01 Transformation of Zr by High-pressure Torsion Straining *Nozomu Adachi, Yoshikazu Todaka, Minoru

362 views • 6 slides
23 January 2020: Nin ina Vask Vaskunla lahti, Under-Secretary of State, Ministry for Foreign

23 January 2020: Nin ina Vask Vaskunla lahti, Under-Secretary of State, Ministry for Foreign

PEI Presentation Awards In autumn 2003 the Pan-European Institute started a tradition of granting Presentation Awards to distinguished visiting lecturers. The award is given in recognition of expertise and a high-quality presentation. The

276 views • 12 slides
Agenda Item No: 5 Report To: Audit Committee Date of Meeting: 20 March 2018 Report Title:

Agenda Item No: 5 Report To: Audit Committee Date of Meeting: 20 March 2018 Report Title:

Agenda Item No: 5 Report To: Audit Committee Date of Meeting: 20 March 2018 Report Title: Presentation of Financial Statements Report Author &amp; Maria Hadfield Job Title: Senior Accountant Portfolio Holder Cllr. Shorter Portfolio

447 views • 22 slides
Migration in Austria Refugees From the CSSR 1968 (Prague Spring) Prague Spring Antonin Novotny

Migration in Austria Refugees From the CSSR 1968 (Prague Spring) Prague Spring Antonin Novotny

Migration in Austria Refugees From the CSSR 1968 (Prague Spring) Prague Spring Antonin Novotny Alexander Dubek Refugees From Ex-Yugoslavia in the 1990s Refugees from the former Yugoslavia ethnic conflicts fought from 1991 to 2003

585 views • 16 slides
Atlantic County Cross- - Atlantic County Cross Acceptance Acceptance Public Meeting Public

Atlantic County Cross- - Atlantic County Cross Acceptance Acceptance Public Meeting Public

Atlantic County Cross- - Atlantic County Cross Acceptance Acceptance Public Meeting Public Meeting January 29, 2007 January 29, 2007 Cross- -Acceptance Acceptance Cross Process to Obtain Input on State Plan From Counties Process to

226 views • 11 slides
IB Global Conference, The Hague 2017 : Call for Research Poster Presentations We invite all

IB Global Conference, The Hague 2017 : Call for Research Poster Presentations We invite all

IB Global Conference, The Hague 2017 : Call for Research Poster Presentations We invite all conference attendees to submit an expression of interest for presenting a research poster at the 2017 IB Global Conference, The Hague. We know that many

362 views • 3 slides
UCC Articles 8 and 9 and the Hague Securities Convention: Investment Property Update Resolving

UCC Articles 8 and 9 and the Hague Securities Convention: Investment Property Update Resolving

Presenting a live 90-minute webinar with interactive Q&amp;A UCC Articles 8 and 9 and the Hague Securities Convention: Investment Property Update Resolving Current Risks Facing Securities Customers, Banks, Brokers, Clearing Corporations and

514 views • 48 slides
The College of Europe &quot;Au cours des soixante dernires annes, le Collge d'Europe s'est

The College of Europe &quot;Au cours des soixante dernires annes, le Collge d'Europe s'est

The College of Europe &quot;Au cours des soixante dernires annes, le Collge d'Europe s'est acquis une rputation enviable dans le domaine des tudes europennes, et est ainsi devenu le lieu privilgi pour ceux qui veulent tudier

668 views • 27 slides

More recommend