All right, we'll go ahead and get started. Welcome, everybody. This is RFIDiggity. I'm Fran Brown. I'm a partner at Bishop Fox, a security firm that helps companies secure their networks and applications. I've got some pretty fun stuff for you here today. I was mixing it up at the end there a little bit and adding some of the newer slides to the beginning, just to front-load a little bit, because I realized in looking at the abstract that I kind of took on a lot of things. So just in case we don't get to everything, we'll at least go over some of the new stuff as well. OK, so I've got some bad news and good news, but the good news trumps the bad news, so it's OK. For those of you that noticed in the abstract that it said we would be giving out 100 circuit boards for the new backdoor version of the Tastic RFID Thief: I didn't have time to get it printed for this. But it's probably for the best. I don't know how many of you guys were here when we did it two years ago, but it was basically like a madhouse. I think like three people got stabbed, crawling over each other. One woman gave birth. It was just pandemonium, people crawling to get to the circuit boards. So that's for the better. But the good news that trumps that: if you stick around to the end, at the very end, and remind me because I don't always say it, I'm going to throw up an email address, and the first 100 people that email me with their physical address, I will mail the circuit boards once they come in. And then I'll send you random letters as well, love letters and things like that. You know, it's risk/reward. But you have to stick around to the end. So the first 100 items in my inbox will get one mailed out to them pretty soon. But I'm going to go in kind of a logical order through some of these RFID issues; in the beginning here, just to kick things off, I want to highlight a few of the newer tools.
So with this talk, what I wanted to do, in doing research for this to do practical penetration tests, is address the issue I've always had that you have to read, you know, like a hundred things before you get the answer that you want. So this is the best-of tools and techniques, what you need to know as a pen tester for doing RFID hacking, in this case HF and UHF. And there's a few new tools as well, in addition to the best-of stuff, in brief. So I mentioned that I was creating a... it's getting pretty popular right now. I saw at Black Hat the guys released the BLEKey. Are you guys in here? The guys that did the BLEKey? Yeah? Oh yeah? All right, cool. So yeah, so something similar to that, and we've seen some things before as well, but basically weaponizing the Tastic circuit board to be a man-in-the-middle device instead of weaponizing a reader as we... how many people have seen my last talk? I'm assuming a lot, if you're in here and you're interested in RFID. So basically I created the circuit board to weaponize a reader, and it just reads the reader's standard input. And I realized afterwards that, hey, you can make it work as a backdoor device as well. Instead of putting it in your own reader, you creep up at three in the morning to the building that you're trying to break into, pop the lid off a reader, plant it in there instead, and close it. And it can capture badge values as they get read, by just actually tapping into the wires. So I was like, okay, I have basically what I need already. This goes into a reader, this reads it, this Tastic circuit board. If only I could make it smaller and maybe hook up Bluetooth to it or something like that. And then I was like, oh... how many of you guys are familiar with RFduino? I was looking, and it was like, we shrunk the Arduino and we added Bluetooth to it, and I was like, that is exactly what I'm looking for. Awesome, that made it a lot easier.
So I'll be releasing the schematics. Basically I have a much stripped-down version just using this RFduino without the SD card, to make it small, that you can plant in any reader. Quickly going through a few other things that are new; I'll get into more detail on them. We just did a blog post on this, but as we'll see, some of the traditional RFID hacking techniques involve trying to secretly walk by somebody and steal their badge information, make a fake copy of their badge, and then break into a building. Some of the newer technologies for RFID, physical security anyway, like iCLASS, there have been some flaws in them that allowed people to continue this type of attack, but eventually we have to imagine people are gonna get their act together and it'll no longer be viable to go into Starbucks and walk by somebody and steal their badge, in which case we're gonna have to start attacking the readers and the controllers directly. We just saw the readers, and basically we're just coming up with a few queries here. In Shodan, I literally just put in three queries, just sticking around with it, and found a few hundred controllers exposed to the internet. And basically, if you guys are familiar with these controllers at all, if you have a network connection to the metal, it's game over. They have default credentials that they can't change, root and pass. And if you change it, it actually breaks the product. So if you have network connectivity at all to any of these controllers, you basically own their physical security system. And they're not supposed to be hooked up to the internet, but it seems like quite a few people have, especially a lot of universities, so you can basically start closing and opening the doors and things like that over the internet, with a handful of Shodan queries. How many of you guys have seen any of my Google hacking, Google Diggity research before?
Only a few people? The origins of the Diggity name: basically this is SearchDiggity, and one of the tools in it is ShodanDiggity, which allows you to just hook up to the API for Shodan and quickly do some queries. So we see a few of them here. One other thing I should mention is that basically my slide decks' note sections are like white papers. So if you ever want to follow up on any of these things, if you download the slides, the note sections have links to every resource, well documented. I tried to cite most people for their tools actually in the slide, but at the very least, if you guys are looking to follow up on this stuff, the notes of the slides are a great resource for that. So using that, I just ran it. And basically these guys have Telnet and FTP, and they have a nice web interface open. I believe this was for a college dorm. But basically, I mean, this took me all of two seconds to put this together, and I quickly found them in Shodan, just by browsing to them. If you actually mouse over any of the doors, it gives you a pop-up of the last valid badge that logged in, which you can see there. So I mean, it's not really necessary anyway, because you can just open the doors from this interface, but it's just one of those things where it never ceases to amaze me what people hook up to the internet that you can get access to. So that is the controllers. And I came up with a few scripts that were based on Brad... I've never heard him pronounce his last name. Is Brad in here from McAfee, the RFID hacking? Antoniewicz. I put his last name up, but basically, Brad, when I get into it you'll see some links to his research; he's done a lot with attacking readers and controllers. And he had one script that goes out and can query them and get the exact version of the controllers, one at a time. And I'll be releasing on our GitHub a few random RFID hacking scripts for things like that.
So being able to feed a list of a couple hundred IPs to the script, and it can go out and actually query each one and figure out what kind of controller it is, what its version is, and things like that; this is just some of the stats from me messing around for like an hour. So that's a quick preview on the reader and controller front. Getting back to the traditional type of attacks that we covered in the last talk with the low frequency RFID hacking, you get to our base methodology, which is still extremely effective. If you wanna break into a building, if you're looking at physical security systems that are RFID based, you've got three simple steps. First, you wanna steal somebody's badge information. Second, you wanna create a copy of it. And then third, you go and break in, and to minimize the amount of time that you are a trespasser, you wanna plant a backdoor so that you can get out as quickly as possible and maintain your presence. And we've seen this before, I hope, for the low frequency HID Prox and Indala Prox stuff. Some of you guys might have seen this, but this is the iCLASS R90 long range reader, which without any modification at all, if you already have a Tastic RFID Thief circuit board, you could just hook right up to this iCLASS long range reader and still accomplish that type of attack for most people out there. And cloning, I'll get into a little more detail about it, but there's a number of cloners that have come out based on some of the vulnerabilities in iCLASS, and the quickest and easiest that I've come across is the one that you buy from China. It's funny; I mean, this is by far the easiest point-and-click way of making clone copies of high frequency iCLASS cards. But he's like, you have to do a bank transfer to China, and he had all these requirements and stuff like that, which could turn some of you guys off from wanting to do it.
I was getting some weird looks in the office when I was like, yeah, so how do I transfer this amount to China, and people's ears were perking up. But I ended up just sending the guy the money via PayPal, even though he didn't say that was an option, and he sent me the thing anyway. So FYI, if that was what was stopping you, just send it to him via PayPal. I'll hook you up with it. So yeah, we've got step one, steal the badge information for a high frequency system; step two, make a clone copy of an iCLASS card; and step three. And I'll be releasing this on our Thingiverse page. How many of you guys are familiar with the Pwn Plug? I imagine most people. How many of you are familiar with the Power Pwn version? So the Power Pwn version is like a power strip instead of just a plug. And it costs like a couple grand, and I think it's discontinued now, but it's pretty awesome. Even when you can get it, it's like two grand. So I finished the designs and they'll be out there. My printer broke after printing the bottom half. It's gonna be two halves, but basically I created 3D-printed top and bottom halves to make a custom case for a Raspberry Pi that's like the Power Pwn. So you can buy a $35 Raspberry Pi, print out the two halves of this 3D file that I'll throw up on Thingiverse, that's our Bishop Fox Thingiverse, go down to Home Depot and just grab a standard plug, and you're gonna have a $2,000 Power Pwn for like 40 bucks. Yeah, cool. So that should be up. And most of the stuff will either be up later today on our various sites or by the end of tomorrow at the very latest. So go to our main website. All the stuff's always free. All of our tools, our research, are all free. The website's the best place to go, and that'll link you to either our GitHub or our Thingiverse for 3D prints, or YouTube for tutorial videos and stuff like that. So you've got step one, two, and three for a high frequency system.
How many of you guys have been watching Mr. Robot? It's freaking awesome, right? It's unbelievably awesome. How many of you guys saw the episode where he used the Tastic RFID Thief? Basically, if you look at their plan for taking down Evil Corp, it was three steps that they basically had. And I figured I could show you guys; I've got a couple videos here. So first is the quick one, let's see what it looks like stealing. So it's just an iCLASS card, and just with the normal Tastic RFID circuit board, it goes ahead and grabs it and stores it and gives you everything that you need. I don't know if you can see it there; I'll blow it up later if I have time. Basically, it's card number 14569. So, I mean, pretty simple, and then just go and make a fake copy of the card. It's not that impressive. I mean, it is, but it's not as impressive as, say, Christian Slater doing it. Like my mom and dad get it now. They're like, oh, that's who you were talking about. They never watched any of my Black Hat or DEF CON talks, but Christian Slater's got their attention on USA. So, yeah, I could have put together a demonstration video that did it for me. So step one, go into Starbucks, walk by somebody with your Tastic RFID Thief, either a weaponized version of the iCLASS or HID Prox or whatever technology. Christian Slater's not even slick at all doing this. Sorry, I just wanna pay my compliments. Hey, excellent coffee, fantastic service, buy yourself something nice. Step two, turn up the card. Oh, mom, we're trying to penetrate a data security facility whose tagline literally is. We'll ask to speak to it soon. And then step three, Bob's a wendy. She'll get us to exactly where we need to be. Then we'll be able to give it to her from the bank. After that, you connect the Raspberry Pi to the climate control system and Bob's your uncle. So, yeah, so basically the plan for taking down Evil Corp was the step one, step two, step three from the last talk, which is pretty awesome.
It's simple, but it's pretty effective. In case you don't wanna... I mean, they're not too slick. I think he got caught a couple of times doing stuff. If you don't wanna sit there and try to pull somebody's thermostat out of the wall and mess with it, basically, instead of doing that, this would just be your easy way to go ahead and drop something instead of trying to pull the whole wall apart. But basically the end result is the same: trying to plant a Raspberry Pi as a permanent presence on their internal network. Cool. So this is a quick brief over some of the newer things that we are releasing or just released, so far. So, what am I talking about here? The talk I gave in 2013 strictly focused on low frequency RFID hacking. And it always gets me when one of these articles comes out now, because getting long distance on low frequency is pretty hard to do. You can only get a couple feet, and people wanna post links like, that's not a big deal at all, here's an antenna, and it's an antenna for UHF or something completely different. So there's a lot of misunderstandings and a lot of myths and a lot of room for confusion when it comes to RFID hacking. In fact, I mean, I was pretty dedicated, and it took me a while to get to the most basic answers that I would want for myself for most of these things. So I can understand most people's confusion when it comes down to it. And basically you're looking at three major branches of RFID. We covered the low frequency before, which is mainly physical security systems, and it's the completely, grossly insecure stuff that most people still use today, if you have an RFID card on you, which it probably is. But with this talk, I wanted to extend into the high frequency and ultra high frequency aspects of it.
Both the newer physical security systems that use high frequency as well as various other things that are basically blowing up all over the place. Just some examples. RFID is in everything; it's kind of scary. It's all over the place now. With the Internet of Things and everything's connected, basically everybody's talking to everybody. So from your credit cards to your Disney FastPasses to your green cards to your passports to... some people are just putting them in their hand to open doors like they're Darth Vader or something. I don't know who it is. I mean, it looks cool, but that's gotta be, yeah. To hospitals especially, which is kind of scary. I just noticed in the airport on the way here, even the vending machines are all RFID based. Mobile payment systems are NFC, and NFC is basically high frequency, the same frequency as high frequency RFID. I'm even seeing weird things. Somebody in my company found a secure hard drive, which you see there in the top row, second from the left, where to use the external hard drive you have to have an RFID badge near it for it to unlock. So you're starting to see all kinds of weird applications. Enhanced driver's licenses. How many people's hotel room key while they were in Vegas was RFID? You're starting to see more and more have them, especially in Vegas. But I imagine a couple of years from now, most hotel keys are gonna be RFID based. So these types of attacks are only becoming more and more useful. So this is a basic physical security setup in terms of how things flow, whether it's credit cards or somebody's physical security system or your Coke Rewards. How many people use My Coke Rewards? Any? Nobody? Pepsi crowd, huh? All right. Good to know. But basically what we're looking at: somebody's carrying around something with them, whether it's their phone or a badge or a tag or their Obi-Wan Kenobi hand implant, and it can talk to a reader of some kind.
And the types of attacks are gonna be similar, just different approaches. So we might wanna walk by somebody and skim it off them without their knowing, like Christian Slater did with his backpack, and then make a copy of theirs. We might wanna do things like directly attack the readers or controllers and not even worry about getting a valid badge at all, but just go right to the source. We wanna do things like make fake copies of badges, or have devices that can emulate badges themselves; you don't have to make a fake copy, it could pretend to be that type of technology. You have some pretty interesting things like relay attacks, which we'll see, in which case, if things start to escalate and more RFID-based systems are doing mutual authentication and things like that, you basically have the circumstance of two guys involved in it. One guy's standing at the door or the payment system or whatever with his device, and another guy's following behind you, and basically it just starts passing the information back and forth, relaying it. So relay attacks. And we're starting to see more and more of these things as people are locking down the actual badges. We're gonna see some pretty fly gear when we get to the defensive section here at the end, like RFID blocking skinny jeans, which are getting popular. How many of you in here have RFID blocking skinny jeans? They're coming. The kids are gonna love it. But as people start to do stuff like that and the badge gets harder to copy and clone and steal, then people are gonna start moving along to these different types of attacks. Maybe we can't steal the badge. Can we brute force badges? Can we guess? If we know one badge number, can we guess the next values? Can we predict? If I bought one Disney ticket that was an RFID badge, can I predict what the next three sold are? Can you predict values?
So I mean, no matter what, the uses are getting diverse and crazy, but the thought process and the things that you wanna do to them, or how you'd go about attacking them, are pretty much the same across the board. So as I get into a few attack types, I'll show some other gear, but I'd like to basically give you the gist of, for each type of technology, what are the main types of attacks you'd wanna try, the things you'd wanna perform, and what are the main tools that you'd wanna use? Cause there's a lot of noise out there. And I brought this up in my last talk, for good reason. During kind of the heyday of RFID hacking, you could read a million articles about certain tools, and this tool did this and all these things, and you'd find 100 articles about something that doesn't exist and never got released. All there is is a photo of it on the internet, and you're trying to do a penetration test, you're trying to find an actual tool that can help you right now. And, you know, the first 500 Google hits are all referring to a tool that was never publicly released. So it's a lot to sort through. These are some of the ones I covered before. You've got the custom long range readers, so taking that circuit board and plugging it into a long range reader for either HID Prox or Indala Prox or iCLASS, which we just saw there. You've got programmable cards. These are some of the ones I covered in my last talk, so I don't wanna go over them too much. Some of the stuff that works with the RFIDIOt scripts. The RF IDeas stuff in the middle there, those things are great. Most people aren't aware of those. They're not really a security tool.
They are a troubleshooting tool for engineers in the field for RFID stuff, but just two USB sticks, one high frequency, one low frequency, that if you have a card that doesn't have any physical indications as to what type of technology it is, you don't know what type of card it is, you could use these things to quickly find out what type of card something is, which is extremely useful. So getting into the high frequency stuff, some of the must-have tools. Does it look a little blurry? Yeah, anybody, a little blurry? So some of the stuff you'll wanna have in your toolkit: one, how many people have the Proxmark3? The Proxmark's one of the main tools that you get, but basically make sure that you have the high frequency antenna to use it for some of these tools. The one on the bottom left there, this is basically like your Swiss Army knife of high frequency hacking. The iCLASS cloner that I referenced there works with this reader. You could use this reader to read credit cards, you could use this reader for all sorts of things. People have gotten them to work with Kali Linux, and it's kind of like your number one tool to interact with almost every type of high frequency card. In the top right there, you've got a nice little USB stick that works with libnfc. If you're gonna do some NFC hacking, there's not a lot of hardware that actually works with it. So if you wanna use some libnfc tools, that little USB stick is a good one. We're seeing, in the last year or two, there's been an explosion of great mobile platforms for doing penetration testing. How many people here have done a wireless pen test back when we had to carry around the big laptop and the big Yagi, and you're walking around like this? Until three years ago, that was still pretty much the standard. People are like, what are you looking for? Yeah, nobody, like it's a nerd detector. Yeah. Beep, beep, beep, beep. But it's been great.
In the last couple of years, you've seen Pwnie Express, through the Pwn Plug, release the Pwn Pad, which is an Android Nexus 7 with their custom image already on it with a lot of pen testing tools, including some RFID hacking tools, wireless tools, Bluetooth tools. Even more recent, and I think even fewer people probably know: how many of you guys have heard of Kali NetHunter? Decent amount, maybe like 10% of the crowd or something. It's relatively new. I think it's probably less than a year old, but basically Kali released some images for various Android tablets that you could just load onto the Nexus 7 or Nexus 10 there, and it's Kali Linux on an Android device. So things are finally getting good, and you can see how this is appealing from an RFID hacking standpoint, where you're physically trying to break into a site, you're physically at Starbucks, like Christian Slater, trying to pull a move, to have small portable devices that are actually highly functional. This is, you know, a good step in the right direction. Also the Proxmark, which I mentioned: again, the slides have a number of references to all these blog posts from people that have put this together for, you know, how to run the Proxmark from your Android phone or something like that. So if you're using that to make your fake copies, you could just pull out your phone, connect it, and, you know, it's a little more convenient than carrying around a big laptop. Cool. I mentioned the Proxmark before; this is just a set of some of the commands in terms of high frequency, just to give you an overview. The Proxmark's like a Swiss Army knife. It can read cards, simulate cards, clone cards, emulate cards; it has a high frequency and a low frequency antenna. Basically, it can do anything. Its one limitation has always been distance, which is why we came up with the Tastic RFID Thief, to be able to steal somebody's badge from further away.
But that's pretty much one of its only limitations. It can pretty much do everything. This is some of the overview of the high frequency commands. RFIDIOt from Adam Laurie is an always-updated library of Python scripts for doing various RFID hacking things, and it comes loaded with Kali Linux. So if you want to get up and running really quickly, you can just download the Kali Linux VM image and get some hardware that works with it and be up and running extremely quickly. And the readers, which I mentioned, the RF IDeas tools, which you could use to scan to figure out, you know, this is my card for work, or this is my card for the parking lot of my apartment or something. Like, it doesn't have anything on it, but let me know what type of technology it is. You can just use these with no software to figure out what type of technology it is, so that you can then steal it, make a fake copy and get free parking at your university or your friend's or whatever you want to do, type of thing. That's what it's good for. So just getting into some of the stuff that we covered, again, with a lot of these things and especially with the high frequency stuff, it's getting harder. For iCLASS, there was a reader that I showed, but it again comes back to one of the biggest limitations, which is getting distance. Even as people come up with ways of breaking some of these technologies, what we've always seen is, oh my God, this is so broken, and it makes all the headlines, and it ends up being that you have to get within a centimeter or two to actually steal somebody's badge information. And that was just kind of glossed over, which, for those of you who might have seen my talk before, I refer to as the ass-grabbing method of RFID hacking. In every, and this is from a lot of slides, videos, presentations, it's always like, this technology is so broken, look how easy it is to steal somebody's information.
It's like, okay, yeah, you can actually read it and clone it and all, but distance is always a problem, and it makes you ask what's really a risk, what's really practical that you need to worry about, versus something that is, you know... the probability that Jonathan Westhues, the creator of the Proxmark, is in the corner walking around your campus, you know, grab-assing; you're gonna catch him. It's not really that big of a risk. So we have these circuit boards that we saw earlier that weaponize existing RFID readers. Some of the early problems with the tools that got talked about, there's a million things, but some of the main reasons they never got released were due to being threatened with basically patent disputes. Like, oh, you're creating a reader that reads these cards to steal them? That reads this type of card? Well, we have a patent on a device that reads these cards. You know, you can't create a reader of your own. And that's what kind of stifled a lot of the release of the tools from 2007 to only a couple of years ago. So with this circuit board, you're not creating a reader of your own. You're weaponizing an existing reader. You're just tapping into the output of an existing reader. That's kind of how we got around that and were able to, you know, build tools that are actually practical for penetration tests. And what we're seeing here is, you know, basically where you could put it; it looks like that's my sketch of Christian Slater walking with his backpack. And basically I designed this thing to just easily plug into any reader to weaponize it, and it just taps into the output of the reader, of any badge that it reads, what the badge value is. I created it for only one reader to begin with, but it now plugs into the high frequency readers. It's still applicable. And basically I just changed it now to be a backdoor device that you could plug in and interpret the results of readers as well.
So basically the circuit board's still pretty effective, and it just takes in power, takes in the output of the reader, and puts it to an SD card and to the screen. And for the newer version, it just outputs it over Bluetooth to your phone. And what we're looking at here is what it's tapping into: the main Wiegand output of any reader. For the most part, when it comes to physical security, a reader reads a badge, takes it, interprets it and sends it to a controller, like all those controllers we saw over the internet, and it's just DATA1 and DATA0, just green and white wires for sending ones and zeros for the badge value. And that's just what we're tapping into. I mentioned here, now that I'm thinking about this, HID Global is the number one; they are like a monopoly of physical security when it comes to RFID. And they basically have four major product families of RFID. They have two low frequency and two high frequency. Now there's more than this, but for the most part it's these four major families of technology. And we have HID Prox and Indala Prox for the low frequency and iCLASS and MIFARE DESFire for the high frequency. Basically they've released long range readers for three out of four of their product families there. So we were able to weaponize three out of four and have long range readers, and basically you could do the Mr. Robot attack for three out of the major four product families of RFID. So that whole long range problem is solved for those three. Unfortunately they don't have a long range commercial MIFARE DESFire reader to weaponize. So I have to wait for them to come out with something like that to weaponize it, to avoid patent issues. And I showed you guys the RFduino, which is awesome.
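As an added illustration of the reader-to-controller wire just described (this is editor-supplied example code, not the talk's or Bishop Fox's), here is the 26-bit Wiegand frame a reader clocks out on DATA0/DATA1, decoded the way a controller decodes it. The layout (standard 26-bit, even/odd parity around an 8-bit facility code and 16-bit card number), the facility code 42 and the reuse of the demo's card number 14569 are assumptions and constructed values; the point for a defender is that the two parity bits are the only integrity the format offers, and there is no authentication at all, so a splice into those wires sees exactly what the controller sees.

```python
"""Decode the 26-bit Wiegand frames a reader clocks out on its DATA0/DATA1 wires.

Added example, not from the talk. Layout assumed (standard 26-bit format):
  bit 0       even parity over bits 1..12
  bits 1..8   facility code
  bits 9..24  card number
  bit 25      odd parity over bits 13..24
Sample values (facility code 42, card 14569) are constructed.
"""
from dataclasses import dataclass
from typing import List, Sequence

FRAME_LEN = 26


@dataclass(frozen=True)
class Badge:
    facility_code: int
    card_number: int


def _bits_to_int(bits: Sequence[int]) -> int:
    value = 0
    for bit in bits:
        value = (value << 1) | bit
    return value


def encode_wiegand26(facility_code: int, card_number: int) -> List[int]:
    """Build the 26 bits a reader would emit for this badge, MSB first."""
    if not 0 <= facility_code < 2 ** 8:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number < 2 ** 16:
        raise ValueError("card number must fit in 16 bits")
    payload = [(facility_code >> i) & 1 for i in range(7, -1, -1)]
    payload += [(card_number >> i) & 1 for i in range(15, -1, -1)]
    even_parity = sum(payload[:12]) % 2        # makes bits 0..12 sum to even
    odd_parity = 1 - sum(payload[12:]) % 2     # makes bits 13..25 sum to odd
    return [even_parity] + payload + [odd_parity]


def frame_to_pulses(bits: Sequence[int]) -> List[str]:
    """What the two wires do: a 0 bit is a pulse on DATA0, a 1 bit a pulse on DATA1."""
    return ["DATA1" if bit else "DATA0" for bit in bits]


def pulses_to_frame(pulses: Sequence[str]) -> List[int]:
    """Reassemble the bit sequence from the order of pulses seen on the wires."""
    lookup = {"DATA0": 0, "DATA1": 1}
    return [lookup[pulse] for pulse in pulses]


def is_valid_frame(bits: Sequence[int]) -> bool:
    """Length plus both parity checks; this is all the integrity the format gives."""
    if len(bits) != FRAME_LEN or any(b not in (0, 1) for b in bits):
        return False
    return sum(bits[:13]) % 2 == 0 and sum(bits[13:]) % 2 == 1


def decode_wiegand26(bits: Sequence[int]) -> Badge:
    """Recover facility code and card number as a controller would."""
    if not is_valid_frame(bits):
        raise ValueError("not a well-formed 26-bit Wiegand frame")
    return Badge(_bits_to_int(bits[1:9]), _bits_to_int(bits[9:25]))


if __name__ == "__main__":
    frame = encode_wiegand26(42, 14569)        # constructed badge
    pulses = frame_to_pulses(frame)            # what a tap on the wires records
    print("".join(map(str, frame)))
    print(decode_wiegand26(pulses_to_frame(pulses)))
    flipped = frame[:]                         # a single bit error is caught by parity
    flipped[5] ^= 1
    print("valid after bit flip:", is_valid_frame(flipped))
```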
But in terms of extending the functionality of these things, there's a million Bluetooth devices, as well as... I don't know if you guys have seen, Adafruit has probably the smallest cell phone add-on that I've seen yet. They're normally pretty bulky. Basically it sends you the cards that it finds over... sends you a text message with every card that it finds. So as these devices are getting smaller and easier to use, I mean, now you don't have to create it yourself, like the RFduino was, hey, let's make a smaller version that has Bluetooth already on it. Each week it's getting easier and easier to just buy something that just works for a lot of these types of attacks. Again, this is the one that we saw in the beginning. This is the HID iCLASS R90 long range reader. Most of these you could buy on eBay for a couple hundred bucks and just plug and play with the circuit board. So basically getting into high frequency hacking for physical access control systems. You have MIFARE and iCLASS, the two product families of high frequency physical security systems for the most part. And there's a lot of research on this, so I won't go into too much, but basically for iCLASS, the big problem that they had was the security was completely based on people not knowing what a certain key value was, keeping a secret value, and somebody was able to dump the firmware of a reader, extract the secret key from it, and then it was just game over. And then it just made it possible to do all the same types of attacks that we saw before with the step one and step two and step three, just because of that. Again, for like 200 bucks, you can just order from xfpga.com this iCLASS cloner, send money over PayPal even though it doesn't say it, and it's by far the easiest to just point, click, make a copy of an iCLASS card. This guy's done a lot of work to prevent reverse engineering of his tool, and he put a lot of restrictions on it.
I would say it doesn't allow, you can't attach a debugger to it, it doesn't run in a VM by default, which sucks because if you wanted to, it has a physical USB dongle for licensing; this guy's pretty hardcore with protecting his product, which if you want to share it with people in your company, you have to physically pass around a laptop with this cloner on it or ship it out to somebody if you're doing a pen test. It's kind of a problem. But I have in there, there's basically one VMware setting that you could set to get around it and be able to do it in a VM. Oh, and the thing that killed me is it's using an older version of software and it's 32-bit, and it won't run in Windows 64-bit and it won't run in a VM either. So I had to go physically get a different laptop to be able to use the tool, because I had to get a 32-bit system, until I figured out there's just one setting of VMware to get around it, which is in my notes. So if you guys buy this, you can check it out so you can run it in a VM.

And it's kind of funny that he went to all that trouble, because actually all it is is basically an older version of HID's contactless demo application that came with their API, an older version of it. He basically just copied this demo code from HID Global and then just altered it. And if you just looked at his executable, it still said contactlessdemovc.exe in his actual executable. So he basically just copied it anyway from somebody else. So I don't feel so bad about breaking his VMware thing now. The guy from XFPGA, you're not in the crowd, are you? Yeah, good, I got you.

Fingerprint readers. There's some newer stuff now that's just come out, but for the most part, it's pretty ridiculous. The threat is, okay, Christian Slater's walking by you in Starbucks and he picks up your card value. Now you have everything you need to break in to Evil Corp, impenetrable, right?
So by adding biometrics and fingerprint and PIN, at least I can't walk by you in Starbucks and get everything I need. He didn't know what his PIN is, if that's what it had. He didn't have his fingerprint yet. So it makes it harder to execute that type of attack, except for the fact that this came from Proxclone. He didn't release tools to do this, but you can basically piece it together from his white paper. Basically, by default, this bioCLASS, the iCLASS biometric stuff, when you put your finger down, it just validates that the fingerprint that's right on there right now is the same fingerprint that's on the card. So say Christian Slater took that guy's thing and it came up and it had that. Christian Slater would make a copy with that guy's card value that he stole, but with Christian Slater's fingerprint and Christian Slater's favorite PIN number, and it only validates that it's the same as on the card. So it completely makes it useless. So if you get one of these readers, you can create your own PIN and take your own fingerprint and have those values, and then use some of those cloning tools like the XFPGA one when you're making a fake copy to write your values for your fingerprint when you're doing it as well. So completely getting by most of that. And this white paper is listed there; it has the exact values and where you would do that.

Although biometrics in general, I mean, Dan Petro in here, Dan, Dan the man. Dan has a lot of funny things to say about biometrics, but they really shouldn't be used in general when it comes to physical security, things like that. It's like a password that you could never change and that you leave behind on everything that you touch. You know, you can't revoke it. It's the worst ever. You can't hash the values of those passwords because fingerprints aren't exact. So there has to be some fudge factor, and because of that you can't hash them.
You have to keep them in readable format. They're just terrible in general when it comes to trying to physically secure something.

So, reader and controller attacks. Fortunately, those guys came up with that iCLASS hack to make some of these traditional attacks against the cards still extremely viable, but I gave you guys a preview. That Brad Antoniewicz that I mentioned, I'll have this thing here in a second, he's come up with some pretty cool tools that I was able to use as well. If, you know, once your kids all start rocking the RFID blocking skinny jeans and, like, there's nothing you can do anymore from that attack vector, you have to start going after the actual readers and popping the lids off them. People mention this one all the time, the Gecko from Zac Franken, and basically, unless you're friends with him and he lets you borrow it, it's not very much use to you; it never got released. But it was one of the first concepts of this back door device to implant and do replays as well. So not only is it recording the values that it sees, but you can walk up with your phone and say, hey, instead of the reader sending the controller a valid badge value, you just send one of the valid badge values you know about to the controller directly and it opens the door for you. So it's like one of those smart home locks, but for a door you're not supposed to have access to, or you can open up doors without having a badge. So Zac Franken kind of talked about these and created his own. I just saw at this past Black Hat, these guys came up with the BLEKey, which is basically similar functionality as well, extremely small. You could just plant it into a reader at a target facility. It sits there and collects the information. You can come up with Bluetooth and, via your phone, dump the whole list of values that it's seen so far, as well as open the door by replaying some of those values.
Someone said, the BLEKey guys in here? It's pretty cool. So this just came out a couple of days ago. You can see how small it is there. I covered these, the RFduino. So that's attacking the reader basically. You're coming up in the middle of the night, you're popping the lid off the reader, you're putting something in there or tampering with it in some way. The reader talks to the controller, which makes all the access decisions.

So going into the controller, basically that's one of Brad's talks; he released these things on his GitHub. They're basically a number of Arduino tools to do brute forcing to the controller. Instead of doing it over the air, like the ProxBrute, going up to the reader, you're physically plugging in and brute forcing values, which is like five times faster, as well as a back door device of his own. And here's a few of them: basically being able to brute force, do the skimmer and emulator, which is similar to the BLEKey and things that we mentioned, as well as a number of scripts too. If you have access to it, just open all the doors or dump out the cache of the controller and all these things. Basically, if you have network access to the controller at all, it's game over for physical security. Among other tools, HID released some tools for scanning to identify these things on the network.

How many people here run physical security for a company? Two, three. So you guys are just all pentesters. Nobody here is just trying to figure out how to actually defend against these things. So I mean, when you look at these things, most physical security people I know are ex-cops. They didn't come from an IT background. I mean, they're ex-cops. It's typically products that are purchased outside of the traditional IT purchasing infrastructure. You know, IT buys and gets licenses for everything except for these physical security guys, who are picking out these technologies and running with them.
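To make the Data0/Data1 line and the brute-force pattern above concrete from the controller's side, here is an added example (not code from the talk, from Bishop Fox, or from any of the tools mentioned). It decodes the common 26-bit Wiegand frame, rejects frames whose parity bits fail (what a tampered or glitched line produces), and raises an alert when one reader presents a burst of distinct credentials that are not on the allow list, which is what a sequential brute force against the controller looks like. The frames, the allow list and the window/threshold values are all constructed for the example.

```python
"""Wiegand 26-bit decoding and a brute-force check on the reader-to-controller
line. Added example for this talk; not code from the speaker or from any of
the tools mentioned. The frames, allow list and thresholds are constructed."""
from collections import deque

# 26-bit Wiegand layout (the common H10301 format):
#   bit 1       even parity over bits 2..13
#   bits 2..9   8-bit facility code
#   bits 10..25 16-bit card number
#   bit 26      odd parity over bits 14..25


def parse_wiegand26(bits: str):
    """Return (facility_code, card_number), or None for a malformed frame.
    A flipped bit on Data0/Data1 shows up as a parity failure here, so a
    controller should drop such frames instead of guessing."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        return None
    ep, body, op = bits[0], bits[1:25], bits[25]
    left, right = body[:12], body[12:]
    if int(ep) != left.count("1") % 2:      # even parity bit must make the 13 bits even
        return None
    if int(op) == right.count("1") % 2:     # odd parity bit must make the 13 bits odd
        return None
    return int(body[:8], 2), int(body[8:], 2)


def encode_wiegand26(facility: int, card: int) -> str:
    """Build a well-formed frame (used here only to construct sample data)."""
    body = f"{facility:08b}{card:016b}"
    ep = str(body[:12].count("1") % 2)
    op = str(1 - body[12:].count("1") % 2)
    return ep + body + op


def audit_frames(frames, allowed, window=20, threshold=5):
    """Replay one reader's frames in order and return (summary, alerts).

    An alert is recorded whenever the last `window` well-formed frames contain
    at least `threshold` distinct credentials that are not on the allow list,
    the trail a sequential brute force leaves behind."""
    allowed = set(allowed)
    recent = deque(maxlen=window)
    summary = {"valid": 0, "unknown": 0, "malformed": 0}
    alerts = []
    for index, bits in enumerate(frames):
        cred = parse_wiegand26(bits)
        if cred is None:
            summary["malformed"] += 1
            continue
        if cred in allowed:
            summary["valid"] += 1
            recent.append(None)
        else:
            summary["unknown"] += 1
            recent.append(cred)
        distinct_unknown = {c for c in recent if c is not None}
        if len(distinct_unknown) >= threshold:
            alerts.append((index, len(distinct_unknown)))
    return summary, alerts


# Constructed sample: two enrolled badges, one frame with a flipped bit, then
# a sequential sweep of card numbers under the same facility code.
ALLOWED = [(10, 1234), (10, 2200)]
GOOD_FRAME = encode_wiegand26(10, 1234)
FLIPPED_FRAME = GOOD_FRAME[:5] + ("1" if GOOD_FRAME[5] == "0" else "0") + GOOD_FRAME[6:]
SAMPLE_FRAMES = [GOOD_FRAME, encode_wiegand26(10, 2200), FLIPPED_FRAME] + [
    encode_wiegand26(10, n) for n in range(1, 11)
]

if __name__ == "__main__":
    summary, alerts = audit_frames(SAMPLE_FRAMES, ALLOWED)
    print(summary)      # {'valid': 2, 'unknown': 10, 'malformed': 1}
    print(alerts[0])    # (7, 5): the alert first fires on the eighth frame
```

The window is counted in frames rather than seconds so the check stays deterministic here; a real controller or log monitor would key it on time per reader and on the Wiegand format actually deployed (35-bit Corporate 1000 and others have different parity layouts).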
And almost invariably, even though these networks are not supposed to be hooked up to any corporate network, the physical security networks, you shouldn't be able to be sitting in a cube and ping the badge reader at the front door. But these guys are sitting in a shack all night, watching cameras; they want to check out what's going on with their fantasy football stats. They want to browse the web, they're sitting in a shack. They're on the network that is the physical security network. Every single time they end up getting bridged in some way, just because of that. Oh, I can look at the cameras and the badges, and I'm sitting here in a shack all night, I want to check what my team's doing. So eventually these things, that's how they end up on the internet. That's how, like when you Shodan it, you find a few hundred buildings that are open on the internet; that's how that happens.

And they're getting easier to find, because you have these tools, like this discovery tool that goes out on the network and finds them. They have their own querying language, as well as HID Global was nice enough to go ahead and register their MAC address. So basically, if you scan a bunch of devices, you can identify any physical security device on the network if it begins with 00680, which makes it nice. So as people do these mass scanning projects of the internet, and more and more huge data repositories of every single device on the internet, and query them, it makes it a lot easier to go ahead and sort through them to find physical security devices, if that's what you're looking for. Again, root/pass: if you have access to a telnet or web login, it's going to be root/pass; they can't change it for any of the major ones. At that point you can open all the doors, close all the doors, whatever you want.
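The same OUI trick works in the other direction for the people who run physical security: a periodic pass over the switch or DHCP inventory that flags access-control gear sitting on a non-PACS VLAN catches the bridging the speaker describes before it shows up on Shodan. The block below is an added example (not the talk's tool, not HID's discovery tool); the OUI value is an assumption on my part (the IEEE prefix 00:06:8E registered to HID, which the transcript renders as "00680"), and the VLAN names and inventory records are constructed.

```python
"""Find access-control devices on network segments where they should not be,
using the vendor MAC OUI. Added example; not from the talk or from HID's
discovery tool. OUI, VLAN names and inventory records are assumptions."""
import re

# Assumption: 00:06:8E is the IEEE-registered OUI for HID (the talk quotes the
# prefix as "00680"). Add your own vendors' prefixes from the IEEE OUI list.
PACS_OUIS = {"00068E": "HID"}
PACS_VLANS = {"pacs-isolated"}        # constructed: where PACS gear belongs


def normalize_mac(mac: str):
    """Accept 00:06:8e:..., 00-06-8E-..., 0006.8e12.3456 (Cisco) and bare hex.
    Returns 12 upper-case hex digits, or None if the value is not a MAC."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    return digits if len(digits) == 12 else None


def vendor_of(mac: str):
    """Vendor name from PACS_OUIS, or None for non-PACS / unparseable MACs."""
    norm = normalize_mac(mac)
    return PACS_OUIS.get(norm[:6]) if norm else None


def find_bridged_pacs(inventory, pacs_vlans=PACS_VLANS):
    """Return the PACS-vendor devices that were seen outside the PACS VLANs."""
    findings = []
    for rec in inventory:
        vendor = vendor_of(rec["mac"])
        if vendor and rec["vlan"] not in pacs_vlans:
            findings.append({**rec, "vendor": vendor})
    return findings


# Constructed inventory records in the mixed formats switches and DHCP logs emit.
INVENTORY = [
    {"mac": "00:06:8e:12:34:56", "ip": "10.9.0.11", "vlan": "pacs-isolated"},
    {"mac": "0006.8E12.3457",    "ip": "10.20.4.77", "vlan": "corp-users"},
    {"mac": "00-06-8E-12-34-58", "ip": "10.20.4.90", "vlan": "guard-shack"},
    {"mac": "00:1A:2B:3C:4D:5E", "ip": "10.20.4.12", "vlan": "corp-users"},
    {"mac": "not-a-mac",         "ip": "10.20.4.13", "vlan": "corp-users"},
]

if __name__ == "__main__":
    for f in find_bridged_pacs(INVENTORY):
        print(f"{f['vendor']} device {f['ip']} on VLAN {f['vlan']}")
```

Two of the records above get reported (the controller on the user VLAN and the one in the guard shack); the unparseable entry is skipped rather than crashing the sweep. Finding such a device outside its VLAN is exactly the moment to check whether its telnet or web login still accepts the factory default the speaker mentions.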
Dump badge values. So this is some of the, for those of you who hadn't seen the Pwn Plug before, this is the Pwn Plug. This slide's old; it was two grand back then, and now you get a free version. You can download the Kali Linux Raspberry Pi image as well as Pwnie Express's Raspberry Pwn. There's links to a number of good things here. So basically, you just get a Raspberry Pi, download the SD card image for one of these Pwn Plug type images, and 3D print the files that we'll have up on our site, and for like 40 bucks you're good to go with your own realistic looking back door, so you don't have to be like Mr. Robot and pull the wall apart and do all that stuff. And putting it together, I mean, you guys have seen the Nintastic 3D print that the Nintendo one is on; basically it's altered that, but this is like the longest thing I've ever printed. So I had to put those discs on them to keep them from curling up. If you're wondering what those discs are, they just snap off, but you print them in really long pieces and they kind of bow. But it's all taken care of; you just download it and print.

What are we doing on time? Cool, getting close on time here. In doing this kind of stuff, I pushed these to the end, credit cards, because quite frankly the first question any reporter asks for this type of thing is, so tell me about mobile payment systems, tell me about credit cards and RFID. It's the first question everybody asks. In all honesty, I mean, they're pretty locked down. It's probably like the least sexy RFID hacking that there is. There's really not a lot you can do to get over on the credit card companies. And it's interesting, I always have Google alerts going, and you'll see some news article about a critical vulnerability found in Apple Pay. And these researchers do this, and then you read through it and you get five paragraphs in.
And I was just reading this one, and it was basically people set up a rogue wireless access point and redirected their web browser traffic and said, please enter your credit card number. And it was for an iPhone. So they're like, so that's the headline for, like, Apple Pay vulnerability, all this stuff, and it had nothing to do with it whatsoever. So people were kind of stretching for that. The credit card companies, there's basically not a lot you could do. There's a good blog there, highlighted at the actual URL, from Brad, who went through and analyzed what's on your card versus what's on the chip. The two best resources are that blog post there as well as Kristin Paget's talk on credit card fraud. If you read that one blog post and watch that one talk, it pretty much gives you the best overall view of credit card hacking.

For the most part, there's things like dynamic CVV. So if you're gonna order a pizza and you put in your credit card number, your name, the expiration date and your security code, when you're doing RFID, the security code is different every single time. And the credit card companies know what those values are gonna be in order. So if I walked by you and I skimmed your badge value, and every transaction, I'd have to walk by you four times if I wanted to charge to your credit card four times, because I'd have to get the next four security codes. And then if you went and bought pizza or something with RFID before I did that, now you've presented a newer version of it, and I go present an old version, and your card just gets locked down. There's like not a lot you could do, so it's not really sexy. Passports and travel documents in general, there's a million tools for dumping out all the information on those.
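Here is the counter logic the speaker is describing, written out as an added example of the issuer's side (it is not from the talk, and it is a deliberately simplified stand-in for the real EMV cryptogram scheme, not that scheme itself). The card derives a fresh code from a transaction counter on every tap, the issuer tracks the highest counter it has accepted, and a code captured on one tap buys exactly one transaction: presenting it again, or presenting it after the cardholder has already used a later counter, is refused and the card is locked. The PAN, key and counter values are constructed.

```python
"""Issuer-side replay check for a counter-based dynamic card code, modelling
the behaviour described in the talk (a skimmed code works once; an older code
presented after a newer one locks the card). Added, simplified example: this
is not EMV's actual ARQC scheme, and key, PAN and counters are constructed."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class CardRecord:
    pan: str
    key: bytes           # per-card secret shared by chip and issuer (constructed)
    last_atc: int        # highest transaction counter the issuer has accepted
    locked: bool = False


def dynamic_code(key: bytes, pan: str, atc: int) -> str:
    """Three-digit code bound to the counter, so it changes on every tap."""
    mac = hmac.new(key, f"{pan}:{atc}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


def emulate_tap(rec: CardRecord, atc: int):
    """What the card emits on one tap; also exactly what a skimmer would see."""
    return atc, dynamic_code(rec.key, rec.pan, atc)


def issuer_verify(rec: CardRecord, atc: int, code: str) -> str:
    """Authorise one transaction; the counter must move forward every time."""
    if rec.locked:
        return "reject: card locked"
    if atc <= rec.last_atc:
        rec.locked = True            # an old counter after a newer one is a replay
        return "reject: stale counter"
    if not hmac.compare_digest(dynamic_code(rec.key, rec.pan, atc), code):
        return "reject: bad code"
    rec.last_atc = atc
    return "approve"


def run_scenario():
    """Walk through the skim-and-replay sequence from the talk."""
    rec = CardRecord(pan="4111111111111111", key=b"constructed-demo-key", last_atc=4)
    captured = emulate_tap(rec, 5)                       # one skimmed tap
    outcomes = [issuer_verify(rec, *captured)]           # spends it once: approve
    good = dynamic_code(rec.key, rec.pan, 6)
    forged = "999" if good != "999" else "998"           # right counter, guessed code
    outcomes.append(issuer_verify(rec, 6, forged))
    outcomes.append(issuer_verify(rec, *emulate_tap(rec, 6)))   # cardholder buys pizza
    outcomes.append(issuer_verify(rec, *captured))       # old capture now stale: locks
    outcomes.append(issuer_verify(rec, *emulate_tap(rec, 7)))   # card stays locked
    return outcomes


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

Real issuers tolerate a small forward gap in the counter (taps that never reached the network) and apply velocity rules before locking, but the ordering rule is the part that makes a captured code worth only one purchase.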
What's even scarier really is the ultra high frequency stuff. So you have passport books and you have passport cards; the books are high frequency and the cards are ultra high frequency, and green cards are ultra high frequency, a lot of travel documents. One minute. And they serve no practical purpose except for human behavior, pattern of life establishment: tracking what aisle in Walgreens you went up and down, where you went throughout the city. You can track them from miles away. Putting them in your enhanced driver's license, something you can't destroy because it's a federal ID, something you have on your person at all times, they can track wherever you're going. That's the only real purpose that it serves. I mean, it's ridiculous, and it has no security to it whatsoever. I mean, anybody could; it's just a 96-bit value. And we see here, this is a tool you could use, pretty cheap, to read and clone. They're also used in ski passes. We made some copies of my buddy's ski pass, so you can just put it in your helmet and go to the ski lodge, and that's how they read you. And if you can read it at all from several miles away, you could just read and copy it. I made a copy of my buddy's green card too, because anyone's looking for a green card. Got it, got it.

So, defenses, you guys could read about these slides later. Oh, here's the skinny jeans, and even blazers now, RFID blocking blazers for the business person on the go. But you guys can check out this, and thanks everybody. Okay, the email is, are you ready for this? For the Tastic backdoor devices: backdoorlover@bishopfox.com. backdoorlover@bishopfox.com, all one word. And go. I'm gonna be writing you guys love letters for the next couple of years as well. But you will also get a circuit board.