So, RFID MythBusting. If you are here expecting to see a MythBuster, that's next. Okay, yeah, feedback.

A little bit about H4RDW4RE. H4RDW4RE is my consulting company. We're a San Francisco based startup. We do hardware security consulting. We design products, we assess products, we do gate-level reverse engineering: you give us a chip, we'll give you a netlist and a cryptanalysis. H4RDW4RE is some folks that you've heard of: myself, Tim Mullen, Karsten Nohl, who broke Mifare a little while ago. Some names that you haven't heard of, that we just call Secret Agents One and Two. I don't actually know what their real names are.

Okay, so first up, the plan. We did have this grand scheme planned where we were going to have all of this gear set up by those doors, such that whenever anyone walked through the doors we were going to read all of your RFID tags, every single one of them, stick it all on a database, correlate it based on time, all kinds of stuff. As it turned out, we had a quite horrific number of equipment failures. Some were our fault: things like, you know, feeding 120 volts into a 741 doesn't tend to do it much good. Some of them weren't our fault, like Radio Shack just not selling good enough components. So hopefully everything that I've got here appears to be working at the moment, so we'll see how far we get.

Okay, let me introduce you to the hardware first. First up we have this device here. I don't know how well you can see that. This is a custom-built 125 kilohertz RFID reader. It's based around a PIC18.
It's written in C, and it'll output anywhere from about half a watt with the 12 volt supply that I've got on it at the moment; it'll scale up to about five watts output power with a 60 volt rail. To put that into perspective, a traditional, typical off-the-shelf 125 kilohertz reader is somewhere between 10 milliwatts and 50 milliwatts. We're dumping a lot of power into this coil. It's capable of reading, copying and playing back over a dozen different tag formats at 125 kilohertz, including tags that we have never before seen. So I'd be interested to see if anyone does have any 125 kilohertz tags that we've not encountered before. If this was working completely, which it isn't at the moment, we would be able to read those with zero knowledge. I'll get back to how.

Next up, over here, this is an off-the-shelf 13.56 megahertz ViVOpay reader. This was a couple hundred bucks online. This, as it is at the moment, is completely unmodified. We are in the process of producing an antenna chain for it. We've got a one watt amplifier that, again, has worked, has failed, has been rebuilt and failed again several times. So we can't demo the long-range stuff on that, but we do have it. The amplifier is built exclusively with parts from Radio Shack. You spend 10 bucks on Radio Shack parts and you can amp this thing up to about a three-foot read range. We'll come back to the details on that.

Important point, very important point, about this credit card RFID reader: I have performed no reverse engineering whatsoever. I can stand before you, put my hand on my heart and swear to you faithfully, I know nothing about EMV. It's actually a good thing. Trust me. We'll come back to it.

Both of these devices, the 13.56 one watt amplifier and the 125 kilohertz one, it's called a prox PIC.
These will both be made available for sale. They're gonna be commercial devices. We're hoping to launch them by the end of August, but it depends on getting a few other things sorted first. But yes, we will be making these commercially available.

Finally, at the end, we have a 900 megahertz EPC Gen 2 reader. This is completely unmodified. This is the system that I presented about at ShmooCon, exactly the same gear. You can go up on Google Video and watch the talk if you're interested.

Okay, so onto the myths. First up: RFID is short range. So let's talk about this short range thing for a second. The 900 megahertz gear, EPC Generation 2, has a design read range of 20 to 30 feet with a completely standard credit card size tag. You will get a 20 foot read range with off-the-shelf, unmodified gear. With a larger tag you'll get 30 feet easily. It's relatively simple to scale it up to half a mile. If you wanted to go beyond that, it's also plausible that you could make friends with someone who operates your local airport, and if you can possibly convince them to let you borrow their radar tower, you could probably read these things from tens of miles away.

Interesting note about this technology: this is for the enhanced driver's license and the passport card. Anyone have one of these things? Anyone have an EDL? You've been tagged with exactly the same technology that Walmart uses to tag razor blades. Everyone thank the federal government for making that law.

13.56 megahertz. This is, it's an industry term, "contactless smart card".
I'm gonna be making gratuitous use of air quotes throughout my talk here. It doesn't necessarily mean that I disagree with the term; it just means that I'm using it out of context. It is quite an important point, because there's some subtleties that we'll see a little bit later on. Again, a standard reader is about 50 milliwatts and gives you maybe an inch of read range. Our one watt amplifier, again when it works, gives you about three feet. 13.56 megahertz: if you double the frequency you're in 27 megahertz. There's a whole lot of gear available for 27 megahertz, and it's really easy to drop the frequency by half. So hundred watt amplifiers are very, very easy to get hold of.

The 125 kilohertz prox gear: the off-the-shelf reader does about an inch. My gear here, as it stands at the moment, not entirely functional, I'll be demonstrating about an eight to nine inch read range. If it was working completely it would have a foot, maybe more. So I mean, already we've got, you know, good long read range out of the 900 megahertz gear to start out with, shorter range on the other two bands, but let's look at that a little more closely.

The demo for the 900 megahertz I might be able to do, despite the broken projector. Is that coming through on the screens? So we can just about see the window there, as much as we need to. Okay. So, three windows here. On the left is tags that are currently visible, so you can see that there's one tag with a zero code that's kind of fading in and out. The panel in the middle is all of the tags that it has seen at any point, and if you click on one, then it logs what the tag details were, what type of tag, when it read it, how many times it read it, all that kind of stuff. So if I can have a volunteer, someone in the front row, have an EPC Generation 2 RFID card. And you can see that's reading. I can step back and it's still reading it. So yeah, there's no way.
That's a short range system? It just doesn't even argue. So 900 megahertz, okay, we've already busted the short range at 900 megahertz. That's very easy. If you think that was good, keep watching. Wow, the Vista machine came back.

So at ShmooCon, and on the synopsis of my talk, I did say that we were going to be setting a 900 megahertz world record. It didn't happen, because as it turns out, with 900 megahertz amplifiers, when you're working in this kind of spectrum, every single circuit trace, every leg of every component, every ground line, everything wants to radiate power. So your circuit is constantly just trying to bleed off all of the power into space. The design of this gear is very, very involved, and as a result it's very expensive. We weren't able to find anyone who was prepared to lend us twenty thousand dollars of RFID amplifier for us to take it out into the desert and screw with it. Can't imagine why.

So what has been demonstrated? 213 feet is what I'm aware of as the longest read range. That was using 10 watts of output power, compared to the normal one watt off the shelf. You can easily go up to 100 watts with no real problems at all, other than getting hold of the gear. A standard antenna is six decibels gain. The 213 feet was using nine decibels of gain.
You can easily get 15 dBi antennas. The only real problem you've got with amping this up to infinity: with this kind of UHF spectrum, if you can see the antenna you can receive the signal. It's as simple as that. So the biggest problem that you've got is the amount of power that you're putting out; a lot of that gets reflected back in, and you need some way to filter that out. So you need to dump all of the carrier that you don't want and just look for the modulated data that's coming back from the tag. That's not a particularly important factor until you get up to about half a mile. We did a whole bunch of number crunching on it, and we reckon that half a mile is kind of the bridge point where, you know, just simply dumping more power into it will not give you more read range. That is the point at which you need to design your own preamp. Again, it's 900 megahertz design, so it's inherently sensitive to noise and things like that. But the actual amplifier itself isn't particularly complicated. We haven't looked at doing that yet; we haven't had time, with all the other gear that we've got. I do promise that we will set the 900 megahertz world record for RFID. We will do that at some point. I'm also contemplating running an RFID range shootout competition at DEF CON next year. Show of hands, anyone that would be interested in an RFID range shootout? Okay, I might see about that then.

Okay. So this is the prox PIC. This is the 125 kilohertz reader. So I want to kind of go through this schematic in some detail and kind of explain why RFID is different from radio. If you treat RFID like a radio system and you just try and amplify it up and, you know, increase your gain, you will fail. There's a number of things that are very specific to RFID that just kind of don't map over from radio.
So it's kind of a bizarre system to try and build if you're a radio geek. So I don't know if I can get my oscilloscope working. Hopefully. So let me walk you through the circuit really quick first. I'll use this one over here.

So you come out from the PIC, you generate a 125 kilohertz square wave and feed it in here. You're limited to about 30 milliamps, so the first thing that you need to do is amplify it up. So this first transistor here, this is just configured as a voltage buffer. The PIC runs on five volts and we want to be able to scale to any arbitrary voltage that we want to dump into it. Like I said, we can handle up to about 60 volts just with the components that we're rated to at the moment. So, amplified up, just a normal inverting amplifier, followed by an emitter follower pair. So this forms the entirety of the power output stage: the first transistor acts as a voltage amplifier, the second pair of transistors acts as a current amplifier. So on the positive half of the signal you're effectively shorting whatever your supply voltage is straight into the coil. On the negative phase, this PNP transistor right at the bottom here will turn on and it will dump the power back out of the coil. So given that we're feeding a square wave into it and it's an inductor, we get very, very rapid changes in current, we get lots of flyback voltage, and coming out here, between the end of the inductor and this capacitor, there we've got about, well, typically about a hundred and fifty volts. We're rated to 400 volts there. We're getting about 60. So the next thing that we do, see if this works, I can get an oscilloscope trace up. Okay, kind of got an oscilloscope trace. So let me give this thing power. Okay, do we actually have a trace there? Oh, there we go, awesome, it's working. So this is what we get out of the coil.
This is between the inductor that you saw horizontally and the capacitor that sits vertically. These two components are tuned so they're resonant at 125 kilohertz. This is why you can put 12 volts into it and this is currently producing, so that's currently 70 volts peak to peak, from a 12 volt rail. So that's healthy. That's not too bad. Can everyone see the oscilloscope trace okay? Yeah, awesome.

So the idea is that you get your RFID tag. I have a whole bunch of them here. I'm actually gonna use an HID prox card, not because there's anything particularly special about HID prox, it just happens to be much more visible on the oscilloscope trace. So we drop that into our antenna. This is my antenna. This is just like 50 turns or so of 26 gauge wire. This used to be a table. Oddly, it was my wife's suggestion that I destroy it. So we drop our tag into the middle of our coil and you can see that the trace, if you look at the very top and bottom edges of that trace, you can see it just kind of wiggling up and down a little tiny bit. That's the modulation. So that's the entirety of the signal from the card at this point.

So what we've got, in effect, is somewhere north of a watt of power being dumped into that coil. It gets transformed from 12 volts at reasonable current to high voltage, lower current. That's what the coil does; it kind of mutates the one into the other. So we've got very high voltage, we've got lots of power behind it, and we've got a very, very small signal. So, modulation depth: given that we've got about 70 volts of carrier, we're looking at maybe two volts of modulation depth. So what we've got to do is separate that signal from the carrier, reject all of the carrier and just pass the modulation. So the way that we do that, I'll come back to the schematic real quick. Is this gonna cooperate with me? Yes, it is, awesome.
So the way that we do that: first thing that we do is half-wave rectify with this diode here. So what that effectively does is it just completely cuts off the negative half of the supply, so everything that we're doing from this point forward is positive with respect to ground. We then have this resistor going to ground and this capacitor going to ground. This is called a tank circuit. It's an AM detector. So the idea is that on the very positive spikes, that capacitor will charge up to whatever voltage it gets to. When the voltage drops off, the capacitor will start slowly leaking through that resistor. So if we take a look at the trace coming out of there, we can see straight away, so I haven't changed the scale on the oscilloscope, and straight away you can see that it's a much smaller signal. So let me put my scope down to times one. Okay, so that's the peak detector output, if everyone can see that. Let me try moving that over a little. Is that a little better? Okay, so this is the output from our peak detector. You can see it's AC coupled, which is why the negative side, sorry, the lower voltage side of the trace is moving up and down. That should be completely flat, more or less. And you can see that we've got modulation here, which is much more visible than was present on the coil. So there we go. That's a good clean signal.
So we've already rejected 80 to 90% of the coil carrier voltage at this point, just with a peak detector. Now the problem with this is, if I come back here, this is one of the first major problems with RFID systems. You've got an awful lot of power coming through this coil into this peak detector circuit, so there's plenty of power available to charge that capacitor. What you don't want is for the voltage on this tank circuit to leak out too quickly, because the more voltage that leaks out of that, the more carrier is going to leak through with your signal. You only want to drop about five volts per carrier wave. Any more than that and you're just catching carrier, and it's all just noise that you need to filter out. So what you end up with is you need as large a capacitor as you can get here, so that it charges up as high as possible, and then you need as high an impedance as possible, both with this resistor that forms the tank circuit and with the impedance of the rest of the receive chain. So currently, as this is configured, the tank circuit sees a load of about 10 megaohms, which is how we've got the noise down to such a manageable figure. So straight away we've got the situation where we can't draw any power out of it. We've got a huge amount of power going into the circuit, and the more power that we draw out of it, the more noise we get that we're just going to have to filter out anyway. So we want to make sure that we've got our impedances as high as possible. The way that we do that: the peak detector, so this oscilloscope trace that I showed you, that's the AC component of the signal now. Don't forget, we half-wave rectified it first.
So we're only on the positive phase, and this signal that we've got is, you know, a couple of volts of ripple voltage that's floating 60 volts up in the air. So first off we need to block that DC voltage in order to get it back down into a range at which we can work with it again. So that's what this capacitor right here does. That's a DC blocking capacitor; it forms a low, sorry, a high pass filter with this resistor. So that helps us get rid of a little bit of the noise, blocks out the DC, and then we go straight into our op amp circuit from there so that we can amplify it up. The idea of choosing the op amp is that op amps generally have extremely high input impedances, so we're looking at just the raw voltage. We're not actually loading the circuit at all. So our AM detector is only clipping the very, very top of the signal off, which has got all the data that we're interested in.

So if I just kind of step through this on the oscilloscope now, having explained the basic mode of operation. So this is the output from the peak detector. If you look at the read range from the coil right here, you can more or less see modulation about there. That's a few inches of read range. Not very good. We need to clean the signal up a bit more. So we come out of that and into our low, high-pass filter, I beg your pardon, and our signal gets a little smaller still, because we're still filtering. However, when you drop the card in you've got pretty clear modulation, and again we've got a little less carrier and a little more signal. So if I just zoom in a little here, you can see the ratio between the amount of modulation depth that you've got versus the amount of noise that you've got from the carrier. It's getting higher as you progress through the circuit.
So that's the point at which the output of this goes into an op-amp circuit and gets amplified up. The problem with that is one of dynamic range. So we've got extremely high voltage swings: 120 volts peak to peak trivially, 200 volts peak to peak is very manageable, I'm actually rated to 400 volts peak to peak. Huge voltages flying back and forth, and we've got tiny, tiny, tiny modulation depths on the top. So if you were to try to do this digitally, just by sampling it with an ADC at the peak of every carrier, it's not going to work, because even if you've got a 16-bit ADC, you're going to be spending 15 bits of resolution to cover the 120 to 200 volt swing of the carrier, and you're going to have one bit of resolution left for the actual modulation depth. So we need to reduce the dynamic range of the signal before we can do anything digital with it. And as it turns out, going digital is quite an expensive option. There's a device called the Proxmark 3. I don't know if many people have heard of it. It's a general-purpose RFID experimentation platform. It's very, very powerful. It's based on an ARM CPU and digital signal processor. Because of that, they cost about $500. Because this is based on a PIC microcontroller and an analog receive chain, the analog path has extremely good dynamic range, far better than you'd ever get from... Crap, 10 minutes. Okay, I've got to move on. Okay, so anyway, you do it in analog because you get better dynamic range and you don't need to worry about it. So right here you can see the card is detectable from about here, so that's, maybe we hold that up so you can see it at the back. So you've got a clear signal from four or five inches. My reader is actually wigging out and not being entirely happy at the moment.
So I'm going to leave it there and move on. Okay, so anyway, that's the 125 kilohertz circuit. The major problems that you've got are input impedance and dynamic range. So let's go back to the slides, because I want to get on to the boomstick. You'll like the boomstick.

Okay, so as I mentioned, the prox PIC is going to be commercially available. We're aiming for a $50 price point, probably available in kit form. There'll be some slight variations on this, but we'll deal with that when we come to it. So off the shelf you're looking at a few inches of read range. With a moderately complicated circuit like this you can bump that up to a foot. If you really worked at it, you could probably get two feet out of a system like this. The problem with that is that that's not what you need to count as your read range. Your read range is actually largely irrelevant, because, I won't show you the oscilloscope trace because we're kind of running out of time already, but suffice it to say that wherever the tag is placed within that coil, as long as it's within the coil somewhere, you get a clean signal from that. So what you can do is you can wind your coil around a door, such that every tag that walks through goes through the coil, and you get a clean read on every tag. I don't give a damn how far away that'll read if I can read every tag that comes through a door. Surely that's a valid attack. You can actually do that with anything that's inductively coupled. You can't do that with the 900 megahertz gear, but you don't really need to, because it's already long range. 13.56 and prox, you can do it really easily. I'm actually going to be hanging out at the hardware hacking village for the rest of the day. I've brought some magnet wire with me. If someone wants to, you know, help out, we'll try and make a prox antenna for a doorway and see just how efficient it is.
I've got everything that we need.

So let's go back to the myth. 900 megahertz: range of 20 to 30 feet, half a mile is achievable. Is it short range? Totally busted. 13.56 megahertz: I'm standing here claiming that we've got amplifiers that'll give us a few feet of read range or cover a door. I haven't got the gear to actually prove that, so I kind of got to call that plausible. 125 kilohertz: well, you've seen read range here of, that's about six inches. The next amplifier stage, the op amp stage, is actually broken on this particular circuit, so I can't show you that, but it's definitely busted. There is no way that you can claim that 125 kilohertz is short range when you can wind a coil around a door and capture everything. The only practical limit to that attack is how stealthily you can hide your coil. So one out of three is plausible, two out of three busted. I think we've got to call short range busted.

Okay. RFID is secure. You'll like this one. So the first thing that we've got to do is fork the myth. So I mentioned this industry term, "contactless smart card". It's interesting, because the industry that pushes this term to try to separate themselves from RFID don't actually use the term contactless smart card. If you look at your credit card, it won't say "I'm a contactless smart card credit card"; it'll say "I'm an RFID credit card". So the industry doesn't use their own terminology that they're trying to enforce to separate it. But whatever, we'll give them the benefit of the doubt. We'll say, okay, maybe there's something different between a contactless smart card and an RFID tag, so we'll consider them separately. Two things that we need to know about them. Firstly, are the tags themselves secure?
If the tags can be trivially copied, then the myth is busted. If the tags can't be trivially copied, then it comes down to whether the infrastructure surrounding the tags is secure. If you can break the system then you don't necessarily need to break the tag. So let's consider both. Just to be clear: 125 kilohertz prox and 13, sorry, 900 megahertz, those are RFID systems. 13.56, this PayPass, that's contactless smart card.

So are RFID tags secure? 125 kilohertz, the answer is just plain flat no. This device here, the receive chain is kind of broken at the moment, but when it does work we're able to copy several different formats of HID prox. We can read Indala, we can read Verichip, EM4100, all of these tags. Every single one of them, we can read them, we can copy them, we can replay them. We can't clone TI-type tags, purely because they use a slightly different method to energize the tag. We can support them with a firmware upgrade as soon as someone actually gives us a sample that we can code against. We deliberately left out playback functionality from this; it will be present in the final device. That was for privacy concerns over the demo that didn't happen. We do also have working code for Hitag2. The fact that I'm working with Karsten Nohl at H4RDW4RE should give that definite credibility. The Hitag is an encrypted tag. The idea of it is that there is some kind of cryptographic exchange. I'm not too familiar with the details myself, but the upshot of it is that with the final production version of this device, you can scan someone's Prius car key, plug the device into your PC.
There are a few hours of number crunching to break the crypto, upload the result back to the device, back to the prox PIC, and then not only can you open the doors on the Prius, you can actually start the car and drive it away. So Hitag2 is actually used by quite a few vehicle manufacturers. The list that I was given was Prius, BMW, Lexus, Mercedes, all the top-end vehicles. It's kind of amusing to me that, you know, $50 of PIC microcontroller can steal $50,000 of Lexus. We couldn't integrate it in time for DEF CON. It wouldn't make a good presentation anyway, because there's a few hours of crypto. But we do have it; it will be in the production devices. Total security fail on prox technology, all prox technology. No one vendor is any better or worse than anyone else. Hitag2 makes an effort, not a very good one. It's just all bad.

So I mentioned that we can clone other tags that we haven't seen before. We have a whole pile of different test tags here, all different kinds of cards, and syringes with horrible injectable microchips in. Quite possibly the nastiest, scariest needle I've ever seen in my life. Despite all of the different tag formats, all of the different data structures that they contain, there are essentially two modulation formats. One of those does two different bit rates. So if you can support dynamic bit rates with two different modulation formats, you can clone anything. Simple as that. It all comes down to Manchester encoding. HID tags use a slightly different encoding scheme; they layer a thing called FC8/10 on top of it, but it's still Manchester underneath. Manchester is designed to be very easy to decode. Our routine on this doesn't use any memory at all, and it receives, decodes and error checks Manchester encoded RFID tags in about 20 lines of C. Very, very easy.
So we've got two decode routines that'll copy every RFID tag that lives at 125 kilohertz, the exception being Hitag2, just because there's some back-end crypto. It's very easy. So a quick note about Manchester, for those of you who don't know. The idea is you take a data one, it becomes a one zero. You get a transition in the middle of every bit; you can sync on that transition in the middle of every bit, and you can check the first bit and the last bit in your Manchester encoded stream: if those are the same then you've got invalid Manchester coding and you can throw an error. It's very simple. I'll skip the decode routine. You can look at the source.

Some other features that this prox PIC has: it can sniff tags passively. We don't need to be the one powering the tag. We can let someone else's reader power the tag, and we can just sniff and synchronize on their carrier and then read their tag from their carrier. We can actually power ourselves passively while we're doing it. So you put a one meg EEPROM in this, you can slap it on the wall behind a legitimate RFID reader, it'll power itself passively pretty much indefinitely and just sit and harvest tags until you get bored and take it down. It's also got a semi-active shielding mode. So the idea of this is that it detects an incident carrier from a reader and it sends out invalid modulation. The idea being that the prox cards don't have any collision avoidance. So what this thing does is it just kind of blurs the data. It just messes the data up, makes it completely impossible to pick up anything. It's much better than an RFID shielding wallet, because, you know, you can actually actively interfere with it instead of just trusting that it's passively being killed.

Other bands: 900 megahertz, trivial to clone. Watch the ShmooCon talk if you want to know more. 13.56 megahertz: danger, Will Robinson, I smell crypto. There is some deep voodoo going on at 13.56.
We'll come back to that in a sec. Other bands, I've no idea. Give me tag samples.

So back to the myth. We forked it originally and we're considering RFID differently from RFID. So RFID, 900 megahertz, 125 kilohertz: totally busted, totally insecure, wide open, trivial to clone, totally busted, not secure in the slightest. 13.56 megahertz contactless smart cards: these things support deep, deep voodoo. They support all of the basic cryptographic primitives that you need to build any kind of system that you want. Strong crypto, strong algorithms. They can sign, they can encrypt, they can key exchange, they can key generate, all on chip. They have some insanely powerful capabilities. It's all written in Java. You can have multiple applications with multiple data stores. In theory, that should be secure. In practice, it's kind of fail. $200 online buys you one of these ViVOpay readers. I'll skip the demo, but I'll show anyone later if they want. Suffice it to say that you take your RFID reader, you take your contactless credit card, this actually belongs to a guy who's known to all of his friends as Spam, seems kind of amusing that I'm screwing with Spam's credit card, swipe it over the reader and it spits out all the card details over RS-232. So the reason why I mentioned that I know nothing about EMV is because I don't have to. This does all of the crypto for me. Yeah, it's pretty pitiful. You get full card information, you get... running out of time... you get card number, expiry date, name, same as card face. The newer technologies, you get a thing called dynamic CVV. The card details that you read will be good for one transaction and one transaction only. So you read it a thousand times, big deal. The other thing to bear in mind: the name may not be supplied. If you think about this for a second, you're the... oh no.
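The Manchester scheme the speaker sketches (data 1 becomes "10", a transition in the middle of every bit to sync on, equal halves mean a coding error), as an added example that is not code from the talk or from the prox PIC firmware. The threshold stage, the sample values and the function names are constructed for illustration; the sync routine goes one step beyond the talk by showing how the violation check also resolves bit alignment.

```c
#include <stdio.h>
#include <string.h>

/* Manchester coding as the talk describes it: data 1 -> "10", data 0 -> "01".
 * Every data bit has a transition in its middle, so two equal half-bits
 * ("00" or "11") never occur in a valid stream. Half-bit symbols are kept as
 * C strings of '0'/'1', one character per half-bit period. */

/* Slice peak-detector samples (one per half-bit period; constructed values,
 * not captured from hardware) into half-bit symbols: above threshold is '1'. */
void samples_to_symbols(const int *samples, size_t n, int threshold, char *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = samples[i] > threshold ? '1' : '0';
    out[n] = '\0';
}

/* Encode the low nbits of value, MSB first; out needs 2*nbits+1 bytes. */
void manchester_encode(unsigned long value, int nbits, char *out)
{
    for (int i = 0; i < nbits; i++) {
        int bit = (value >> (nbits - 1 - i)) & 1;
        out[2 * i]     = bit ? '1' : '0';
        out[2 * i + 1] = bit ? '0' : '1';
    }
    out[2 * nbits] = '\0';
}

/* Decode an aligned half-bit string into data bits ('0'/'1', nul-terminated;
 * bits needs strlen(sym)/2 + 1 bytes). Returns the data bit count, or -1 on an
 * odd length or a coding violation: both halves of a bit equal is the error
 * check the talk mentions. */
int manchester_decode(const char *sym, char *bits)
{
    size_t n = strlen(sym);
    if (n % 2 != 0) return -1;
    for (size_t i = 0; i < n; i += 2) {
        if (sym[i] == sym[i + 1]) {       /* "00" or "11": no mid-bit transition */
            bits[0] = '\0';
            return -1;
        }
        bits[i / 2] = sym[i];             /* "10" -> '1', "01" -> '0' */
    }
    bits[n / 2] = '\0';
    return (int)(n / 2);
}

/* Bit synchronisation on a raw half-bit stream of unknown alignment: try both
 * phases (skip 0 or 1 leading half-bits, drop a trailing odd half-bit) and keep
 * the one that decodes without a violation. Returns 0 or 1 for a unique phase,
 * 2 if both decode cleanly (an all-alternating payload such as 1010... cannot be
 * resolved without a known preamble), -1 if neither does. */
int manchester_sync(const char *sym)
{
    char buf[256], bits[128];
    int valid[2] = {0, 0};
    size_t n = strlen(sym);
    for (int phase = 0; phase < 2; phase++) {
        if (n < (size_t)phase + 2) break;
        size_t len = (n - phase) & ~(size_t)1;            /* even half-bit count */
        if (len > sizeof buf - 1) len = (sizeof buf - 1) & ~(size_t)1;
        memcpy(buf, sym + phase, len);
        buf[len] = '\0';
        valid[phase] = manchester_decode(buf, bits) >= 0;
    }
    if (valid[0] && valid[1]) return 2;
    if (valid[0]) return 0;
    if (valid[1]) return 1;
    return -1;
}

int main(void)
{
    /* Constructed peak-detector ripple: about 2 V of modulation riding on a
     * 60 V envelope, as in the talk, with one stray half-bit sample in front
     * so the decoder has to find its phase first. */
    const int samples[] = {59, 61, 59, 61, 59, 59, 61, 61, 59};
    char sym[32], bits[16], aligned[32];
    samples_to_symbols(samples, sizeof samples / sizeof samples[0], 60, sym);
    int phase = manchester_sync(sym);
    printf("symbols %s, sync phase %d\n", sym, phase);
    if (phase == 0 || phase == 1) {
        size_t len = (strlen(sym) - phase) & ~(size_t)1;
        memcpy(aligned, sym + phase, len);
        aligned[len] = '\0';
        printf("decoded %d data bits: %s\n", manchester_decode(aligned, bits), bits);
    }
    return 0;
}
```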