 Fy enw'n cyfnod, ysgol, gyda ni'n gwybod i Tref Sheldraith yn gweithio'r cyrtytau cyrtyf. Hwyl. Felly mae'n gweithio'n ei ddechrau. Nid oedd yn cyd- i'r cyfnod o'r cyfnod, mae'n cyd- i'r cyfnod o'r cyfnod, nid oedd gallwn yn gweithio'n cyfnod i ddefnyddio'r cyfnod. Mae'r cyfrigeid yn y set, mae'r cyfrigeid yn gweithio'n cyfrigeid. I'm only going to be able to talk about some of the content that's normally in this talk because of the limited opportunities to the limited lengths that we have to speak at. But if you do have any interest or you want to ask questions or you want to just like come and hang out, I will be outside the bar, buy me a beer, you can ask anything you like and I will demonstrate every crack that I don't happen to have in this talk then. But you have to buy me a beer to get to that point. I'm going to talk about high-tag 2 crypto, this is me, I work in cyber. I do interesting things with crypto and RFID. So the first question is why do we copy RFID tags at 125 kHz? So for those that don't know RFID exists in low frequencies like 125 kHz, high frequency is 13.56 MHz and very high frequency is 866 MHz or 433 MHz depending on where you live. So why do we care about 125 kHz RFID which are basically quite old as a technology and they're going out of fashion, they're disappearing. It's because they're used to protect things that are far more valuable than the amount of money it costs to break it. Most 125 kHz RFID tags are rubbish but the ones I'm talking about are less rubbish but they're still rubbish unfortunately. They're also used to implement the car immobiliser in most cars. I've since been contacted from giving these talks by Audi and Nissan because apparently they're using that technology, who knows. So normal RFID at 125 kHz looks like this. It transmits a single page of data over and over and over again whenever it's powered up. And at the start of that single page of data is a synchronisation pattern which the reader and the tag both know. And when the reader detects that synchronisation pattern it reads whatever bits come afterwards and turns that into a number. And that is the number they then use to make access control decisions. Clearly you can copy these easily by just emulating a field at 125 kHz and seeing what number comes out, write it down and then program that to another tag. So they're trivial to break. In an electromagnetic sort of spectrum basis this is kind of how it looks. The reader emulates the field, the tag has no battery, it absorbs its power from the field and then it damps that field on and off in a pattern to signal information to the reader. And if the reader wants to transmit information to the tag such as I want you to write this page with a particular value then it damps the field in a particular way as well. The way that they damp the field is one of these types of keying modulations and possibly encoded with Manchester biphase or not as the case may be. I'm not going to talk about this any more. The many, many months that I spent looking at this technology I had to learn a lot of this stuff and none of this is interesting to the crypto world. Yes it's very interesting if you care about radio and I did start this project. So I'll quite happily talk about it but honestly the crypto is much more interesting so we're going to skip this bit. So if we wanted to secure 125 kHz RFID what we'd want is two way comms and we'd want some sort of authentication and some sort of encryption such that you couldn't replay the comms and you couldn't copy the tags easily. That's kind of the goal. So I'm going to talk about HiTag2 which is one of these not that it makes any difference because that's the standard ISO card but it's HiTag2 which is the technology I say probably in your car immobiliser and possibly in the tags that let you into the building that you work in. In password mode and in crypto mode and you might note from the contents I'll talk about password mode very, very, very small amount of time and I'll talk about crypto mode a large amount of time. That's because password mode is rubbish as we're about to see. So what I won't be talking about is everything else and specifically cars but come and talk to me later if you want to know more. So it all started with an academic paper. Basically we had a job which we involved breaking into buildings by copying RFID tags and one of my colleagues said I think this academic paper says a lot about the sort of system that we're looking at breaking. Would you like to have a look at it and could you implement the stuff that they're talking about? This is the academic paper. It's called Gone In 360 Seconds, hijacked with HiTag2 by Fadalt Garcia and Balash. I've met Flavio Garcia. He's a lovely man, very Italian and the stuff they did is awesome. It's very, very clever mathematics. It's very hard to understand. They wrote code to implement three attacks in this paper when they produced the paper in 2012 and then never released their code. For five years no one had written that code and people were asking for it on the RFID forums. That's why we decided that we should write that code and release it, which is what we've done. So what does the HiTag2 tag look like? It looks like this if you drop it into acetone and then magnify it with a child's microscope. For the sake of a pound for the acetone perhaps and 30 pounds for the microscope and 700 pounds for a decent SLR, you can get photos like this as well. In the bottom right one it does actually say HT2, which means HiTag2. If you looked closer it would say Micron, which the people who originally made it and stamped the silicone that Philips then bought, that XP was rebranded to. But this is largely pointless. It's just fun. What a HiTag2 really looks like is this. This is logically what it looks like. There's eight pages of 32 bits of data. So the first page is the UID. That is stamped into it in the factory and is not changeable. You can buy Chinese HiTag2 tags where you can change the page zero data, but typically the vast majority in the world that you will see you can't. It doesn't matter because it's not important to the crypto. Pages one, two and three contain secrets, which is why they're red. Pages four to seven contain user data, such as this user's ID within the system, which the system then makes access control decisions over. So whether you're in password or crypto mode, the whole system resides on shared secrets. Now it would be lovely if there was enough process in power to do asymmetric crypto in these kind of things, but there's not because at 125 kHz it just isn't the power to do these kind of things. So therefore you have to do symmetric encryption and if you do symmetric encryption then you basically have to share the secrets. What that really means in practice is that if you have a system with a thousand doors and 10,000 users with tags that can open those doors or a subset of those doors, then every door reader and every tag has the same secret within it and you only have to compromise one bit of that system to access the secret and then you can compromise the rest of the system really, really quickly. So this is kind of fundamentally bad as security goes in terms of access control. When you move into the world of 13.56 megs and you look at sort of Desphire, EV2s and things like that, these problems don't really exist in this kind of form and things are much, much better, but if you were to look at another crypto system, whatever it happens to be, and you found that kind of signature, then you at Lambell should ring, you should start to think, well I could probably just compromise a tiny bit of this and then I could own the whole thing and to compromise a tiny bit of it really means I just need to steal something and take it apart, which is kind of what I did. So password mode, I'll talk about password mode really quickly. So the reader in password mode constantly emanates the binary pattern 11000 using Porthwyrth modulation of the field and when a tag enters the field and powers up, it sees that and it responds with its UID value on page 0. The reader then sends page 1 in clear, which is the system password, and the tag responds with the tag password page 3 in clear and then the reader talks to it in clear and the tag responds in clear. So if you can eavesdrop on that, you can get all the passwords. So password mode is awful, we're not going to talk about that anymore in this talk. Crypto mode, however, starts with the same thing. So basically your system can be either in password mode or crypto mode, it can't be a hybrid. So in crypto mode, it's emanating 11000, the same pattern in Porthwyrth modulation and the tag responds with its UID in clear because there's no established creds at that point but at that point things are seedier, the encryption system exists and the reader sends the encrypted nonce and the encrypted challenge response value to the tag, the tag responds with an encrypted page 3, the reader can then send encrypted commands and then respond with encrypted responses. So the whole thing is much more encrypted. This is kind of how it looks in terms of what data is needed where. The reader has the key and the nonce and receives the UID from the tag and from that it seeds it and randomises its PRNG. Equally, the tag has the same data, it uses that to seed and randomise its PRNG and then both PRNGs end up in the exactly the same position, the exactly the same state. This is a key thing that I keep forgetting to say when I give this talk but if the PRNGs are at exactly the same position seeded and randomised with the same data they will then check out the same randomised binary stream. That's important because that's how you use them in a stream cypher. For example, if the reader wanted to encrypt some data to send to the tag it would say I want to encrypt 32 bits of data I'll get 32 bits of randomness from my PRNG and XOR that with my data and send it to the tag and the tag could go to its PRNG and go I want 32 bits of data and it would get the same 32 bits that the reader got because they're in the same state. It can then XOR that with the data it's received and that will give it back the plain text. This is a key thing to how this attack or the first attack that I'm going to talk about works. So stream cyphers, if you aren't aware, are basically XORing with a pad. Stream cyphers are rubbish, they're awful, please don't use them, don't take any of this as examples of fit ways you should build systems but the amateur cryptographer sat next to you will tell you that the only secure cypher in the world is a one-time pad and it's not because it has no integrity protection so I can own the one-time pad with certain caveats. Anyway, let's talk about the high-tag 2 PRNG and encryption. So the high-tag 2 PRNG is based on a linear feedback shift register that is 48 bits wide and it is initially seeded with the 32 bit UID which is from page 0 of the tag and the first 16 bits of the key which obviously the tag and the reader both know. Next up, the reader invents a nonce, a 32 bit value which could be properly random, it should be properly random and it XORs that with the upper 32 bits of the key and then it pushes that in one bit at a time into the LFSR as it extracts bits of output from the LFSR. Those bits it extracts from the LFSR it uses to encrypt the nonce by XORing each bit of the nonce with the next bit of the output from the LFSR which creates an encrypted nonce which it then sends to the tag. The tag can then do the same thing. So it gets the output from its PRNG, XORs that with the upper 32 bits of the key and XORs that with the 32 bits of the encrypted nonce. Of course you can't do that from the outset because you don't have 32 bits of output from the PRNG so you only have one bit of output at this particular moment in time because you only have one state that you know. So you take the first bit of output from your LFSR PRNG XOR that with the 16th bit of the key the first bit of the upper half of the key and XOR that with the first bit of the encrypted nonce which will decrypt that bit of the nonce XORed with the key which is the next value that you need to push into the LFSR. So it then pushes that value in which shifts the whole LFSR by one bit at which point you can then generate the next bit of output XOR that with the next bit of the key XOR that with the next bit of the encrypted nonce to decrypt it XORed with the key which happens to be the value that you then push in. It's a really neat scheme and when you've done it all both the reader and the tag end up in exactly the same state. It's not secure but I really like it it's kind of cool. It's like how to decrypt and seed your LFSR at the same time it's a neat thing it's just not secure. For really complicated mathematical reasons that I can't even go into in this talk but it's not secure. I will say if you're interested by the time I get to the end of this I'll be putting you at a github where you can find all the other code. Other attacks that I've implemented from the academic papers none of this is my invention I've literally just coded up what they've said in maths and turned it into C. But other attacks use that fact to completely break the crypto really really quickly so it is worth bearing in mind. After the tag and the reader we've got to that state they have no more randomisation or seeding information they need to continually be able to shift through the LFSR and invent new bits that get pushed in as the thing shifts. They use the feedback function L to generate the new bit. So it takes the LFSR state and generates one bit. So when you encrypt it kind of looks like this literally you get output from the PRNG XOR that with your data and that produces encrypted data it's a stream cipher and the receiver can do exactly the same thing. The function L will produce exactly the same stream of bits based on the state that you started with so it gets the same PRNG output it can XOR that with the encrypted data that you've just received back to the plain text and then you have the plain text data. The feedback function if you care looks like this is literally the XOR of 16 bits of the LFSR so the LFSR is 48 bits wide it takes 16 of those XORs and all together and that produces one bit of output that is the new bit that gets shifted in. So if you don't know the entire LFSR state there's a good chance you don't know the new bit that's getting pushed in. And the output of the LFSR the PRNG is not just the bit that falls off the right-hand side when you push it through it's actually generated with a filter function and that filter function is based on functions A, B and C in this kind of arrangement so functions A and B take four bits each from the LFSR and produce one bit of output and those five single bits of output get pushed into function C and that produces one bit of output and that is your output. Each of functions A, B and C are biased 50-50 which means if you don't know the input you can't predict the output with any confidence either way there's a 50% chance of getting a 1 a 50% chance of getting a 0 so looking at that that seems pretty cool pretty secure right? because how could you guess this sort of stuff? Well you look at some of the other attacks those academics are quite clever there's ways of breaking these things that I've implemented you can read the C to understand how it works so if we go back to my slide about how crypto mode worked it sends the start off the tag responds with its UID the reader sends the encrypted notes the reader sends the encrypted the tag responds with its encrypted password and then the reader sends encrypted commands and the tag responds with the encrypted responses so let's look at high tag two commands high tag two command is only five bits long the first two bits determine which commander is from read, read page, right page or halt and the following three bits determine which page of data we care about so if we're trying to read a page or write a page those three bits will tell you which page we care about read page inverted is essentially read page but every bit that comes back is inverted fair enough and halt turns the tag off until it leaves the RF field and comes back into it again and the reason that's there or a use case of where that's used I should say is in Las Vegas casinos where every chip has one of these tags inside it and the entire table is circulated by an RFID field and therefore they can track every tag being on the table or not on the table so when you set your field up and you kind of go start off the first or fastest or loudest tag will respond and that'll be the one that the field is and then the field will then communicate with that one all the other tags will ignore the communications because they don't meet the integrity checks that I'll come to in a minute and when it's finished talking to that tag it then sends the halt command which shuts that tag down while it's still in the field and then it does a start off and the next loudest or closest or noisiest tag will respond and it will talk to that one so you can talk to multiple tags within a single field using this because you can halt the loudest ones first if you see what I mean so if you want to use this in a really hostile environment take it to Las Vegas apparently they use this stuff now so high tag 2 commands are 5 bits long but in actual fact in a practical level when you send them they're actually 10 bits long so it's the first 5 bits followed by that 5 bits inverted so 0 goes to a 1 1 goes to a 0 so 1 0 1 1 1 inverted becomes 0 1 0 0 0 and so an actual command the minimum size it can really be is 10 bits this provides integrity checking now if you're trying to read a tag or maybe you're trying to write a page and the write page command gets corrupted and you accidentally write to the wrong page that could be quite devastating in some kind of industrial situation so with this the same bit would have to be corrupted in the first 5 bits and the second 5 bits for it to pass the integrity check it basically checks that each block needs to be the inverse of the proceeding block right but extended wise you can have as many of these blocks as you like as long as every block is the inverse of the proceeding block so you can have 20 blocks normal inverse, normal inverse normal inverse, normal inverse which apparently adds to the integrity what it actually does is creates a hole through which we can attack the system so let's talk about attacks and we're going to talk only about the first attack but the academic paper from 2012 has 3 attacks in it I've implemented all 3 I'm going to talk about the first one the Flavio Garcia then went on and wrote another paper in 2016 which has a new attack which is much faster Vincent Imler produced a GPU based attack that took 11 hours brute force in 2012 and last year Talas and the French government produced an optimised version that would work on Amazon using multiple GPUs and multiple hosts and then I just got word only last week that one of the other authors of the first paper produced a new paper last year that can attack the whole thing in like 30 seconds or something some incredible another attack that I now need to go and read about just for completeness to satisfy my OCD but basically there's lots of ways of attacking these things I'm going to talk about one the one I'm going to talk about is the nonce replay and length extension for key stream recovery attack which is a long sentence but it's really straightforward honestly we're going to replay a nonce several times and using that we're going to extend the amount of key stream that we can recover until we get enough key stream that we can then break the crypto so what you might have noticed when we were looking at how these things work was that all the entropy comes from the reader in the form of the nonce so if you have one tag it has a single UID on it and every time you present that to a field you'll get the same UID so if you stick with one tag that UID is not going to change the key on it equally is not going to change because it's the same key on the entire system and that is again fixed so nothing on the tag is generating any entropy when you put it in the field of the reader the reader takes that and seeds it and it generates a nonce and then it encrypts that nonce and sends it to the tag and the nonce together with the key in the UID is what sees the PRNG right so the only entropy is that nonce so if we have a device such as one of these perhaps and our fiddler and we eavesdrop on the communications between a tag and the reader we could steal an encrypted nonce and an encrypted channel's response value from that one handshake and then in our little back smoky room somewhere else we could then replay that nonce and challenge response value over and over and over again to the tag and every time we replay it the tag would reset to the exact same position each time the same PRNG position because all the entropy comes from that nonce and the challenge response value just proves that the nonce is a valid nonce essentially properly encrypted so if you remember that this is the position that the reader and the tag got into after they were seeded and randomised then we could create this in emulated reader and pretend to be a real reader because all the reader has to provide is the start auth command which we know from this spec the encrypted nonce we captured the encrypted challenge response value we captured and then it will get back the encrypted page tree from the tag at which point the tag will be in a particular state and if we do it again it will be in exactly the same state however many thousand times we do this it will be in the same state each time so for example if we gave it the encrypted nonce of 4A85B2DF we might expect that PRNG output of O1O O1100 O1100 for example and each time we initialise the tag with that same nonce we would get that same PRNG output which is what is being used to encrypt the stream of data it is really important to understand how the nonce replay works which is why I labour that point so strongly so the way we are going to attack this is we are going to try and find the read page 0 command because we know the answer to page 0 page 0 is the UID so we already know what answer we should get even though it will be encrypted but if you are working from the position of something you already know attacking it is a lot easier now if an encrypted command is 10 bits long because a basic command has to be at least 10 bits long and then it gets encrypted to random noise essentially then there is 1024 possibilities and out of that there are 16 correct answers of which one will be the read page 0 command so we could search and search and search when you send an invalid command you get this unencrypted error response of F402889C and it has to be unencrypted because the idea is that the reason it has gone wrong in the normal use case is because something has gone wrong with the encryption if someone has gone wrong with the encryption you can't expect the tag to be able to decrypt your encrypted error response therefore it has to send an unencrypted error response value and it is always the same number so we can use that as a canary in order to work out or an oracle in order to work out whether we are sending the right commands or not so one way of attacking this we are actually going to bit flip but one way of attacking this would be to send 1024 or up to 1024 encrypted commands one after another, cycle through them until we get something that isn't the error response which would be the dumb brute force approach to doing this so I am going to have a drink because it has been at least half an hour I should do me until the demo but this would be dumb you can obviously see why this would be pointless but the reason it is pointless is because if we imagine what an encrypted command would look like we know that F if the encrypted command is F E F G H I J K L M N as individual bits we know that F decryps to 1 and K decryps to 0 because C M 0 has to be a 1 for a read page command and K has to be the inverse of that the decryption of K has to be the inverse of the decryption of F so we know those sort of parameters we know what they must decrypt to but equally we know that the decryption of E G H and I must be the inverse of the decryption of J L M and N and we don't know what the pad is that we are dealing with but we are using the same pad each time so what we do know is that we don't have to care what J L M and N actually decrypt to they could decrypt to a random like bit pan we can search E G H and I to find something that decrypts to the same as that and that takes 4 whole bits out of our search space which reduces our space to 2 to the 6 rather than 2 to the 10 which means our chances of finding something will be we'll probably need to send 32 actual requests before we hit an actual success as opposed to 64 so we've halved the amount of work we need to do honestly it's cool it's crypto cool so we find one valid re-command because basically we just do that until one of them comes back with a different response to the only decrypted error right now we have one valid re-command now what we're going to do rather than search for all the others we're going to bit flip that to find all the others because then we don't have to actually do any transmission over the RF much quicker so if the one we found is E F G H I J K L M then we could take that imagine that that decrypts to read page 4 inverted as the actual plain text well the first half and the second half when they're decrypted must be the inverse of each other because it's a stream cipher if you flip a bit in the encrypted version it flips the same bit in the plain text version which is where all the integrity and the insecurity of one pad of cipher is going to fall down right so we could flip the first bit E for example in this example and in this example it would flip it from a read inverted to a read command but if it was originally a read command it would flip it to a read inverted command okay so as long but in order to maintain the integrity we also have to flip the same bit in the inverted half so bit 6 also has to be flipped but because of the nature of stream ciphers if we flip the bit in the cipher text we flip the same bit in the plain text we can do the same thing on bit 6 as well so if we flip bit 0 we also have to flip bit sorry if we flip bit 1 we also have to flip bit 6 and it will flip it from a read to a read inverted or a read inverted to a read but either way what we end up with is a valid read command equally we could flip a bit in the page bits so if we had read inverted page 4 and we flipped bit 5 it would flip it to read inverted page 5 as long as we also flipped bit 10 to maintain the integrity by flipping the same bit in the second half of the command that's really neat so basically given one actual read command that works in the encrypted form we can flip it around until we get all 16 by basically just building a table it's really trivial and then what we can do is try every one of them out one of them must be read page 0 like not inverted and that's the one we're looking for so what we'll do is we'll go around a loop of trying each of the 16 possibilities every time we'll reset the tag back to the same position with the same nonce to the same point of the PRNG and we'll test our guess and if it's right we'll store the key stream and if it's wrong we'll just go around the loop and try another one and each time we'll reinitialise the tag because we're working from the same position of the PRNG because we're using an emulated reader that's replaying the same nonce that if you replay the same nonce you get the same key stream back I repeat this enough times to hope that it gets boring so you just understand what I'm saying at this point because I'm always fearful that I'm saying stuff and people are kind of going why, why does that work it's not actually that hard so if we try our guess we're going to assume that our guess is correct where we have a 10 bit encrypted command we don't know which read page or inverted page command we have but we're going to assume it's read page 0 and so we can XOR that with the plain text of the read page 0 command and that will retrieve the 10 bits of key stream that would be necessary if our guess was correct when we've sent in we get back our 32 bit response which won't be the error response because it will be a valid read page command of some description we can take that read page response and assume that's page 0 which we know because it gets given to us for free in clear at the beginning of the handshake it's the UID so we can XOR whatever we get back with the UID and that will give us the next 32 bits of key stream if our guess is correct and if our guess is incorrect we've got nonsense so somehow we need to check if our 42 bits of key stream is correct or not so what we do is we create a read page 0 command that is 40 bits long and we do that using that extended command definition that we had earlier the thing that we were going to attack so a read page 0 command will be 11000 111 at the very minimum followed by 11000 followed by 0011 et cetera over and over and over again up until the point where you stop sending these blocks so we can make a 40 bit version of this read page 0 command with extreme integrity and then all we do is XOR that with the first 40 bits of the key stream that we think we've generated is an encrypted version of that command and then we send it we reinitialise the tag with the nonce back to the same point again so it's using the same key stream and then we send that encrypted read page 0 command and we either get back the error response which means that when it decrypted the integrity failed which means that we weren't correct that wasn't the right command or we get back a 32 bit response which isn't the error response but the transcription of page 0 UID that means at that point that the first 40 bits of key stream must be correct and then we can take the response and XOR with the UID to get back the next 32 bits of key stream which basically gives us 72 bits of key stream that we know from the point that the PRNG was initialised from the nonce mean transmitted and it completed in the handshake which means that we can send that nonce and challenge response value encrypted and know the pad that the commands and the responses are being XORed with which means we can do things like this where we can basically read each page of the tag one by one by initialising the tag back to the same point and then doing a different read page command each time and the way we do the read page command is we correct the plain text version the first 10 bits of key stream send that to the tag and whatever comes back we XOR that with the next 32 bits of key stream to get back the actual answer which means that we can then recover all eight pages of the tag and three of those pages involve the secrets that we need to know in order to be able to talk to any other tag in the system so it's kind of a really I think it's a really cool attack so I implemented it and the way I implemented it was I took our Fiddler made by Aperture Labs which if you don't know is Major Marr Function and Zack Frankin and they've made a really nice bit of equipment so if you have a Proxmark which can do low frequency and high frequency what you'll find is that high frequency is really good like it actually works mainly because Major Marr Function wrote the code for that but when it comes to low frequency stuff it's not very good at all it keeps crashing especially on high tag too doesn't really work very well however they made the R Fiddler to kind of plug that gap and vote the code for it and it's really good so I went to the R Fiddler github page and they say you can download the IDE that you need in order to edit the firmware and you can download all of the firmware from the github and then you can start writing your own C which is just straight for C you can read through the code and kind of go and it's understandable, it's just programming like you expect, normal kind of code and when you actually want to transmit or receive stuff over the R F you can hunt through the rest of the code base and find out where they've done the same thing that you need to do and copy and paste their function calls into your code and then the thing just works Honestly it's magic, it did not take me that long it took me longer to understand the maths in the paper than it did to write the C to actually implement this stuff I've added a whole load of commands to R Fiddler I've extended their stiffp.wm command so I can just literally pull out encrypted nonces and change the response values I'll create a crack command for doing the attack that I've just talked about a keystream command for the second attack a reader command so that once you've got the key you can read any high tag 2 card in that or tag in that system the clear store tags it's all about weaponising this kind of stuff so you can have it hidden away with a battery powered thing rather than having to carry a laptop around it's kind of neat and if you were to do the attack you'd do something along these lines but rather than talk about it let's do a demo this is the bit that will fail miserably I might add I've got a couple of terminal windows and a whole load of windows underneath you don't need to care about right so let's top tip if you're talking at AMF camp don't sit in the sun and drink beer all day it's not the answer right so this is an RFID R Fiddler and I'm already in high tag 2 mode so I'm going to put that into SNF PWM I'm going to clear it and then in store mode I can't type I'll worry about that in a second I just set up another one over here so I'm going to create one as a reader the one that I'm hoping to configure there is going to be the eavesdropper it's really funny trying to type one handed but it's okay honestly we have trust we have faith in the room this will all be super marvellous right so I've got a fake reader set up so if we come back to this one we're on a SNF PWM store okay so you can see the start-auth commands the reader is constantly emanating start-auth using pulse width modulation mode of modulation over the field that means that it's shouting out start-auth, start-auth, start-auth because it's looking for a tag many many many times a second so I'm going to introduce the tag and I'm hoping hoping we're going to manage to read it hang on there so that is kind of reading it most of the time and what we're capturing will be the encrypted nonce and encrypted challenge-response values assuming that that's working so let's stop that am I in the right yep so let's see let's see what we've managed to capture list list L ah there we go we've captured all of these encrypted nonces and challenge-response values now you see the ones that are ffff clear it's an error ignore that there's no guarantee that others will have been received clearly but we'll just trust that it's the case for the time being so if I now take hang on I take the one that's the fake reader out of the way and I just have I just have this ar fiddler here and the tag now what I'm going to do is place the tag on the antenna and I'm going to try and crack it using one of those values so where's my cursor I can take the last one if you like I can take the first one of this page if you like I can take any in between apart from the ffff does someone want to shout stop and I'll just pick one at random yeah that one there we shall have that pair okay now as a magician clearly I will have forced you to the only one that works in this list but honestly we'll come back and try it again in a minute with a different one just to prove that I'm not using magic and mind control to trick this right so what I'm doing is I'm going to run the crack command with this particular encrypted nonce and this particular encrypted challenge value that goes with that nonce it will get the uid of the tag itself it will hunt for a valid read page command it will then bit flip and try each of them out until it finds a read page zero command and then from there it will read tags banks of memory the reason I tell you this before I press enter is that when I tested this in my demo I pressed enter and it just happened immediately and people weren't convinced that this was actually doing magic so brilliant cannot get your eye oh okay I just need to move see this is the trouble with things that aren't soft with it it's very very sensitive right let's try that again it's such a big build up for such a big error hang on hang on where's infosec westward to like take the piss oh god you're for fuck's sake man don't keep that bit on the film will you because yeah I'm not surely no this should definitely be 1411 that should be 1421 down there that one's still reading in fairness honestly that one is still reading I know you're being helpful it's like it's like not having two hands it really is like like this is accessibility errors yes oh I can just hold it you can just hold it there I mean I don't even need like two that one is gone it is no longer right it will work now I guarantee I don't know how good electronics is so easy I don't know what you're worried about right so anyway we need to run this command up here and honestly we will come back if this completes super quick I'll do it again with another pair so that you can see oh look at that it's actually searching for a read command it's gone off the side of the page ah it found one and God jeez that's actually a really good demo but there you go and so you can see that that is definitely a tag that I've read because page four says dead beef and pages five and six on my office phone number feel free to ring me with all of your high tag two ways but now we know that we could do things like we could put it into high tag two reader mode and we could use the key that we can pull out of pages two and one so that is the key and we run that we could then take our other tags which are hidden away down here see we don't have to crack the other tags we can just read them so that one is a beef face that one is feed face and if we read the special tag four we notice that pages one and two are inaccessible because it's been configured to not give you the contents of pages one and two which I'm now going to flip back to my size and talk about very briefly so that was the demo tag cloning if you know the key and they are not protecting the tags you can just read the tags using that key that is provided and then once you've read the tag you can write that to another tag the UID will be different but it doesn't matter because the UID is not used for any access control decisions it's only used for the randomisation for the PRNG at the start of the crypto and you can potentially do that at a distance although anyone who wants to do it at a distance who knows analog electronics can touch we have money and we'd like to help build something at a distance that works so I'll quickly move on to my closing remarks this attack is amazing it's really cool not because it attacks high tag two or you could use it to steal cars but because it's a really neat way of abusing the protocol of the crypto and abusing something that people would generally think was secure to actually retrieve all of the secrets within the system so read the paper it's really clever it's hard to read but you might want to read the code instead but if they do protect the tag then you can't use that attack because you don't get pages one or two you don't get the key that stops you being able to clone tags so instead you need to use attacks two or three that come from the same paper or attack four that comes from the later paper that comes from the early GPU attack or six that comes from the later GPU attack so to put those into context attack two to recover the key takes two days to build a table a minute to get a key stream off the tag you need a valid tag and then two minutes to search the table to find a matching key right so if you've got a valid tag attack two is really awesome if you haven't got a valid tag you can use attack three which only attacks the reader there are five minutes collecting values but once you've got those values it takes 16 minutes on average to attack the tag on my Mac unoptimised they reckon they can do it in six minutes hence gone in 360 seconds six minutes, 16 minutes whatever I didn't really bother optimising that attack but basically if you can get the values from the reader you can attack that really quickly and get the key equally attack four takes the same values but you only need about 16 of them maybe 16 to 32 depending on how many on your random luck or unluckiness because it's a fast correlation attack which is based on probability and the actual attack only takes 45 seconds it's really awesome but you could just take two of those pairs of values and run them against attack five or six attack five would take two hours on average on EC2 using a P2X large but if you run it against a P2 8X large on Amazon which has got 8 GPUs you can get it down to 15 minutes the same code will work over multiple hosts with multiple GPUs so you could like half that if you had two hosts you could quarter if you had four hosts etc and it all cost the same amount of money which is $5 which is a very cheap way of attacking someone and stealing someone's BMW so the point that I'd like to make in my penultimate slide is that we can learn lots from academics in the world of crypto so in the world of academia they might not be the best hackers in the world we might think that we know more than them because we're down and dirty and we're messing with tools and attacking networks and they are theorising in their ivory towers but when it comes to crypto theorising in ivory towers seems to be the way to get the answers and I think that when they don't provide the tools we can take their maths and make our own tools and there must be a lot of stuff that we haven't even noticed yet because we are just simply not looking there so I think we should look more in the world of academia implement more of their stuff and scare everybody with that so my final slide is simply the github for aperture labs limited which is where you can find the RFID RFIDLIP source which has got all four it's got the first four attacks and all of the slides to explain it and you can find my contacts if you wish thank you very much oh we'll be drinking more 42 the mic's not on can you turn on the mic for the audience please try talking it might work do you want to shout and I'll repeat it oh oh actually stream cifers based on LFSRs are not exactly state of the art but could we salvage a system like this by taking a page out of the Blu-ray book and having each tag have multiple say 64 keys on it 64 different keys on it so when you actually steal one of the cards you can compromise those 64 keys but somehow by clever use of the other keys you are able to steal cable integrity of the entire system I think I've not looked at that attack I think adding more keys would just give me more things to attack and I'd end up with a bank of 64 keys in the dictionary and then for I could probably use that to attack the rest of the system and clone all the tags what you need is integrity protection not obfuscating of the keys so that's what this tag system doesn't provide and what one-time pads and stream cifers generally don't provide is integrity but nowadays we have GCM and various other authenticated encryption so go on Graeme you clearly you're going to okay you're probably going to be the last one you need to set up for the next week just quick question would all of that bit flipping have not worked if they'd put like a checksum instead or CRC, something like that no it doesn't help at all no it doesn't really solve the problem at all because at that point we have the pad that we're attacking so it might expand the space that we need to search within but it makes you solve the problem all right I think that's all we have time for thank you very much Kev thank you