So we need a couple volunteers, I think six or four volunteers. Hands, hands, okay. So if you could find David and tell him you want to sign up for Hacker Jeopardy. He was here a second ago; I think you can sign up online. We have, oh, there he is, so wait, keep your hands up, keep your hands up. Where did you go? Come on. Okay, there's still room for a couple more teams at Hacker Jeopardy, so please see David. Please enjoy Hacker Jeopardy, because if there's not enough teams, it'll probably get all left up. What? Do it. Do it. So, up next we've got David Bryan, aka VideoMan, who is returning to ToorCon yet again to speak with us. I think the reason he does come back to ToorCon is actually because it's a whole lot warmer than Minnesota. So he is a pen tester with IBM's X-Force Red. He establishes tools and processes for his clients to do pen testing, and part of tools and processes sometimes means taking hard-to-use tools and making them easy-to-use tools. So in line with that, we've got some work here where instead of using a Proxmark and a bunch of other stuff, he simplified all that, and we'll show you that card cloning doesn't have to be hard. Thanks.

Thank you. So a couple of shout-outs first, to the ToorCon crew. Thank you for putting this conference on. Super important. Also to my wife for putting up with me, as crazy as I am and the shit that I do. What we're going to talk about: a little intro about me. Talk about some of the history of access controls, access cards that are out there. And talk about some of the current systems, as well as some of the issues with some of those systems. And then do a little demo. So hopefully the demo works and the demo gods won't fail me today.

I volunteer for a lot of things. I probably shouldn't, but I do. THOTCON is a conference I help run in Chicago. It's a good conference. If you're in or near Chicago, you should come by, or maybe even plan to come.
We have VIP tickets, which basically get you free booze all day. So it's kind of like this, but we also have some sponsors. But they don't get any say in the conference. They only get say in the after party, which is great. I've been a goon for 21 years now. It's been fun. It's been a lot of DEF CONs, a lot of craziness. But basically, if you sit in your hotel room and watch any of the talks, that's because of my team. We've got a team of about seven of us that come out every year and set up the video. And yeah, it's great. Also, ToorCamp is coming up. Right. ToorCamp 2018 was a lot of fun. So ToorCamp is coming up. I help support that. Also, get involved in your local DEF CON groups, DC communities, DEF CON communities, or 2600 to some degree. Some of them are not so great. Some of them are much better. But the DEF CON groups tend to be more computer security focused, rather than criminals. I mean, I also really dislike large ISPs, to the point that I started my own pico ISP in my neighborhood. I've got about, I think, 50 clients or so that I serve. And then I'm a pen tester with IBM, so external customers. I recently was in Japan testing ATMs, right? So all sorts of stuff like that.

All right. So ToorCamp is awesome. You should register. If you haven't registered, why haven't you? Bring a modem. Oh yeah, bring a modem. Okay. So I've just been informed to bring a modem. Somebody will have a BBS. The ShadyTel people are fucking awesome. They run a twisted pair to everybody's camp, with a form in triplicate to request your stuff. It's fucking beautiful.

Anyway, access control. Why? Right? Everybody has a building. Everybody has something that they need to protect. And in order to have protections, you have access control systems, access control mechanisms. Physical keys are great from the perspective that, you know, you have to have a physical key, supposedly, right? Locks can be picked. Not everybody knows how to pick locks. But you have to have a key.
So in order to facilitate that, you might have a master key and you might have subkeys. Master key systems make your locks even more vulnerable to attack. And now you can't watch who's actually entered your building, unless you've got a lock that, you know, essentially part of the key stays in the lock and then you can go and interrogate the lock. Those are extremely expensive, hard to maintain, hard to manage, all sorts of stuff that is just wrong with them. And the biggest problem is, what happens when an employee loses their key? Do you rekey all your fucking locks at, you know, $300 a pop? Probably not, right? Especially if you've got a large number of locks on your building.

So in comes the next phase: electronic access control, right? Because you want to be able to remove their code, or remove the user, immediately if they lose their card, or maybe they're terminated, right, from an employee's perspective. So really, it's a savior, right? It's the way to make it so it's easy for someone to come in and revoke credentials, change out credentials, maybe put restrictions on when a user can actually enter the building, because you can't really do that with a physical key. A physical key, someone's going to come in any time, right, 24/7. So I say it's a savior and a blight, and it's a blight from the perspective that a lot of the manufacturers have basically used security through obscurity to protect your building, right? The obscurity is the card manufacturers, or the obscurity is the protocol, right, the protocol on the back end.

So there's basically a UL, so Underwriters Laboratories, has a scale that works, I think it's the Loa-Locksmith Union, there's a scale for how long it takes to maintain access to a safe. It's like TTL-15, right, which is tools, torches, and time of 15, right? You want to make sure that whatever you're trying to get into has the appropriate amount of controls, right?
So a safe, 15 minutes to get in if you don't have the combination, probably reasonable. 15 minutes, 30 minutes, whatever it is, right? An access door, that's totally not reasonable. You should be able to probably drill the core to get into it if you lose the key, right, at the least, and you're going to see that someone is up at your door drilling it, destroying it, whatever it might be. So access cards and access control have to have appropriate controls, I guess is what I'm trying to say. You can't put Fort Knox in front of your door that everybody comes in every five minutes.

All right, so this is what's called a Wiegand card, right? So the reason, well, I'll get to the reason why I'm presenting this in just a moment, but this is one of the original access cards, and you can see down here, we've actually got little bits of wire that are embedded in this card. And what happens is this card passes over a read head, there's a magnet that drops a charge on the wire and then drops it on the read head, and there's two lines of these little wires. One is a zero line, and one is a one line. As those drop on, the reader on the back end goes, oh, that's a, you know, one, that's a zero, okay, now we know what card number it is, essentially, right? And that's a physical card.

This is a proximity card, which is magnetically coupled. So the coil, in this case, in the card, enters into the reader's field, and the reader clamps down, or not the card, sorry, the card clamps down on the field, and then the reader goes, oh, okay, that's a one, oh, that's a zero, oh, that's a one, right? It does this at a frequency, a resonant frequency of 125 kilohertz. There's a manufacturer that basically sold these cards with facility codes, right? So if you knew that you wanted a secure site, you would buy one of the cards that had a very specific facility code for your building, or for your site, right?
It's a neat idea of security, and it's security through obscurity, right, especially when we start to talk about the Proxmark stuff. There's also a mode inside of the Proxmark where you can tell it a facility code, and it'll just go through and brute-force all the combinations, right? That's super, super useful.

So RFID is a little different, from the perspective that you are actually energizing the tag at 13.56 megahertz, and then the device is sending data back to you at exactly half the frequency, right? So it's an active device. You can do a lot more with RFID stuff than you can with the 125 kilohertz stuff. For example, passports, right? Your passport is encrypted with a bunch of the stuff at the bottom of the text that's inside your passport. You can store, like, there's a photo, and there's all the passport data that's on your passport stored in the RFID chip inside of your passport.

Encrypted cards, they do exist. However, in a lot of implementations, they don't change the key, right? So you have an encrypted card, or a card that has some sort of encryption on it. Encryption, I say that with air quotes to some degree, because it really depends on the implementation. But the readers will all have the same key that's deployed out, and it's probably a default key, right? Which is a little crazy. MIFARE Classic obviously is broken. MIFARE DESFire, for the moment we know, works pretty well. It uses a challenge mechanism where it sends some data to the card. The card then has to send data back, right? And that data back, if the key is the same, the data should be correct, right? There's a chance that if you had access to the physical reader, you could still do some side-channel attacks to recover that key. So I just think about that. Like, if a reader goes missing on your building, maybe it's time to change the keys, hopefully, if someone knows how to do that. That's the hardest part.
All right, so the reason I mentioned the original Wiegand protocol with the wires is because that's what all these readers use on the back end, just a one and a zero line to transmit the data to the access control unit. And then the access control unit is the thing that has the relay that energizes the door strike, right? It's not encrypted. Very rarely will someone actually hook up the tamper lines, right? Because that's an extra step. It involves two pieces of electronic components that need to go in at the door strike or at the reader. Basically, it's called a monitored input, right? They actually have that technology in a lot of the modern systems to monitor that reader input, that one and zero line. And if it gets clipped, it then sends an alarm. Most people don't use that.

So there's a couple of people, Zac Franken and Major Malfunction. They put together in 2008 a PIC controller called Gecko that you could basically insert in between the Wiegand line, pick it up. I think one of their versions had Bluetooth, but by default it would just wait for one of their cards, and when it saw one of their cards, it would then replay the last card that was seen from the device. Last known good read, because it also tracked the LED, so if the LED flashed green, oh yeah, that's a valid card, so let's store that in our memory. And now there is actually this tool. I found this out recently, ESP RFID Tool. I think you can interrogate it with Bluetooth as well. It's just an ESP chip. I thought it was pretty ingenious that they made this little tiny board.

So when you're talking about, okay, we've got all these fun security things up front that use these cards. The back end is still Wiegand, and if you're not monitoring your inputs and you're not monitoring your tamper, you're still going to have this problem where your stuff is going to be tampered with, or at least replayed, very easily replayed.
I think one of the last things is, putting the reader behind glass is actually not a bad idea. Because now you know if that glass is broken, well, someone's probably fucked with the reader and we should probably figure out what's going on. Maybe we've got some camera footage of it. We can go back and try to figure out if they actually stole the reader so they could get the keys. Or if they implanted a device, for example.

All right. So now let's go on to card cloning. So this is the worst card cloner in the world. It goes through and actually will write a PIN. A lot of these will write a PIN to the card, so you can only reprogram it using this card. The Proxmark actually has a function built into it that you can go through and try and brute-force the PIN on these cards. The reprogrammable cards are T5577 cards. That's the model number.

So let's talk a little bit about the evolution, because I think it's important to see where some of this stuff has come from. I think this is a knockoff of a Proxmark. I mean, it's all open source hardware, right? But the first version started out fairly big, fairly bulky, not exactly easy to use with all the connectors. And we had another version, Proxmark 3 RDV. We're now into RDV4. Well, now it's RDV4. So this is the RDV4, which is the size of a pack of cigarettes, kind of, you know, pretty small, right? So the idea is that if I was an evil asshole, I would come up and surreptitiously read your badge from your bag, right? Run the wire up my arm, on my sleeve. And actually, the guys who created this have now come out with a module that's Bluetooth enabled and has a battery on it. So, yeah, you don't even need the wire anymore. Now just bloop. Pretty cool stuff. Yeah, I was actually very happy about this module. The other modules are very bulky. Like, you would know that somebody is carrying a giant PCB and wants to touch your card.

So back about February or so, I was like, hey, I really want one of these.
This card badge printer, because, like, you know, I think it would be fun to play with. I think it would be fun to have. It could be definitely useful in a bunch of our pen test engagements, right? So I went to marketing and said, hey, buy me one of these printers. And they said, okay, make me a demo. So for Black Hat, I put together a demo, a couple of demos, where we had some stations where people would come up. We'd take a picture of them. They'd get a badge printed out. The default badge could allow them to go and make coffee. So at the Black Hat booth, in order to make coffee, you had to have a badge. It was hilarious, because people didn't understand it. They're like, what? I have to have a badge? Yes. But then there was also a part where I had a badge on my person. They could walk up to me. I'd walk over and we would surreptitiously have them read my badge, right? And then write it to their badge. And then they could go over to this prize wall, which was, you know, a 3x3 cube of all sorts of little trinkets. And if they'd scanned or cloned my badge, they could scan it there and one of the doors would open up. Sweet.

But I had to make sure that this was idiot-proof, right? The last thing I want is someone sitting at a command line. What do I type? Yeah. L-F, space, R-E-A-D. Oh, no. No. That's not going to work. That is totally not going to work. So I came up with a web interface. And the idea is that you can walk up. Someone can hit "read my card." And then they can hit "clone that card." Done. Super simple. Super easy. And then last week I did a talk in Tokyo, this talk. And I was like, I think I want to add some functionality to this. Because this could be a really nasty tool. So I basically put in a database and then added the ability to clone any of the cards that are in the database back to a new blank card, or simulate it.

All right. So now we're going to do a demo and hope it doesn't fail. Oh, yeah. So I'm also doing, I brought my card printer with.
So I will be doing that demo tomorrow. So if you, I don't know where I'm going to set it up, but I have the card printer. I have the badge cloner. I have all the stations. We'll set it up somewhere and people can come by and take pictures and clone cards. It should be pretty fun.

All right. Let's see here. Nope. I don't want that. What are you doing? All right. So this is the web interface. Let's see. I got a card here. I can hold it up to my thing and go "read card." Yeah. That'd be awesome. And hopefully it reads it. Yes, it did. Look at that. We've got a read. So I'm going to decode 42-1337. And also, I can do this on my phone. Uh-oh. There we go. So I should be able to say "read card." I don't know if we'll be able to see it here easily enough. Oh, I wonder. So I've got to connect to it first. So I created basically a Bluetooth PAN on this device in my pocket, which is a Raspberry Pi Zero. So a tiny little device with a Bluetooth personal area network. Connect to it over IP. Pop it into a web browser. I can say, all right, let's read that card. All right. So there we go. 42-1337. I can now go to all the cards that I've read prior, and go through and say, all right, let's simulate. Right. And so now the Proxmark goes into simulate mode. And then just push the button. Stop simulating. Pretty simple, pretty easy. Oh, I also translated it into Japanese. Because I figure if I'm going to Japan, I might as well make the interface easy for people to read. But that also means that we could translate it to whatever language we want. So it was a lot of work, but it was a lot of fun.

Yeah, so come on over and play. I have probably 300 cards that I brought with. So if anybody wants their picture on some sort of fun card, I think by default I've got this template going. But if you've got another template, we might be able to put it on there.
And the code I pushed to GitHub. I don't know if it works on anything else, but I mean, at least pull it down and try to work with it. It only works with the RDV4, which is the latest version. And the way that the Proxmarks work is it's not just a serial connection directly to the Proxmark. There's actually a binary that runs that then talks to the Proxmark to get it to do the things. So you have to have the right code set for the Proxmark 3 RDV4. If you don't, and you try and flash it, you will brick it. I bricked mine and then had to pull out my JTAG, a Bus Pirate basically, the Bus Pirate, to talk to it over JTAG to re-upload firmware. It was a pain in the ass. So anyway, I think that's about all I have. Two minutes left, and thank you.

Okay, thanks very much. If you have any questions, we're going to shuffle outside in just a few minutes. We have a short break between now and whatever's next. Lightning talks. So yeah, we have lightning talks coming up here in just a couple minutes. So take a quick break, but in about three minutes or so, we'll have Aaron Browning talking about Token Up, keeping hands out of the cookie jar. So see you back in a couple minutes.
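The talk describes the Wiegand back end as a bare one-line/zero-line pair carrying a card identity to the access control unit, and the demo decodes a read as facility code 42, card number 1337. The block below is an added example, not code from the talk or from the speaker's GitHub project, showing what the controller side actually sees: it encodes and decodes the standard 26-bit Wiegand layout (an assumption, since the talk never names the bit format: one even-parity bit, 8-bit facility code, 16-bit card number, one odd-parity bit), rejects frames that fail parity (what a clipped, noisy or miswired DATA0/DATA1 pair produces), and runs a small audit over constructed read records that flags the same credential presented at two different readers within a short window, one defensive signal for a cloned or replayed badge. The reader names, timestamps and the 60-second window are constructed for the example.

```python
"""Wiegand 26-bit frame codec plus a simple clone/replay audit.

Added example (not the talk's or the speaker's code). Assumed frame layout,
the common 26-bit Wiegand format, not stated in the talk:
  bit 0      even parity over bits 1..12
  bits 1..8  facility code (8 bits)
  bits 9..24 card number (16 bits)
  bit 25     odd parity over bits 13..24
The reader clocks this out on two wires: a pulse on DATA0 is a 0 bit, a
pulse on DATA1 is a 1 bit. A frame is modelled as the list of bits the
controller reassembles from those pulses.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FRAME_BITS = 26


@dataclass(frozen=True)
class Credential:
    facility_code: int  # 0..255
    card_number: int    # 0..65535


def _parity(bits: List[int]) -> int:
    """1 if the number of set bits is odd, else 0."""
    return sum(bits) & 1


def encode_wiegand26(cred: Credential) -> List[int]:
    """Build the 26-bit frame a reader would send for this credential."""
    if not 0 <= cred.facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= cred.card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    payload = [(cred.facility_code >> (7 - i)) & 1 for i in range(8)]
    payload += [(cred.card_number >> (15 - i)) & 1 for i in range(16)]
    even = _parity(payload[:12])        # parity bit + bits 1..12 sum to even
    odd = 1 - _parity(payload[12:])     # bits 13..24 + parity bit sum to odd
    return [even] + payload + [odd]


def decode_wiegand26(frame: List[int]) -> Optional[Credential]:
    """Return the credential, or None if length or either parity is wrong.

    A controller should log and drop such frames instead of matching them
    against its user list; they are what a tampered or noisy line produces.
    """
    if len(frame) != FRAME_BITS or any(b not in (0, 1) for b in frame):
        return None
    if _parity(frame[0:13]) != 0:       # even-parity group must sum to even
        return None
    if _parity(frame[13:26]) != 1:      # odd-parity group must sum to odd
        return None
    facility = int("".join(map(str, frame[1:9])), 2)
    card = int("".join(map(str, frame[9:25])), 2)
    return Credential(facility, card)


def frame_to_str(frame: List[int]) -> str:
    """Render a frame as a bit string for logging."""
    return "".join(map(str, frame))


def audit_reads(reads: List[Tuple[int, str, List[int]]],
                window_s: int = 60) -> List[str]:
    """Scan (timestamp_s, reader_id, frame) records and return alert lines.

    Flags malformed frames (possible wire tamper or noise) and the same
    credential accepted at two different readers within window_s seconds,
    which a single physical badge can rarely do.
    """
    alerts: List[str] = []
    last_seen: Dict[Credential, Tuple[int, str]] = {}
    for ts, reader, frame in sorted(reads, key=lambda r: (r[0], r[1])):
        cred = decode_wiegand26(frame)
        if cred is None:
            alerts.append(f"t={ts} {reader}: malformed frame "
                          f"{frame_to_str(frame)}, check wiring/tamper input")
            continue
        prev = last_seen.get(cred)
        if prev is not None and prev[1] != reader and ts - prev[0] <= window_s:
            alerts.append(f"t={ts} {reader}: FC {cred.facility_code} card "
                          f"{cred.card_number} also seen at {prev[1]} "
                          f"{ts - prev[0]}s earlier, possible clone/replay")
        last_seen[cred] = (ts, reader)
    return alerts


# Constructed sample data: the credential from the demo, seen at two doors
# 30 seconds apart, then a copy of the same frame with its odd-parity bit
# flipped (what a disturbed line might deliver).
FRAME_42_1337 = encode_wiegand26(Credential(42, 1337))
SAMPLE_READS = [
    (100, "lobby-east", FRAME_42_1337),
    (130, "lobby-west", FRAME_42_1337),
    (200, "server-room", FRAME_42_1337[:-1] + [1 - FRAME_42_1337[-1]]),
]

if __name__ == "__main__":
    print("frame for FC 42 / card 1337:", frame_to_str(FRAME_42_1337))
    print("decoded:", decode_wiegand26(FRAME_42_1337))
    for line in audit_reads(SAMPLE_READS):
        print(line)
```

The audit is deliberately crude: it keeps only the last accepted read per credential and treats any two-reader hit inside the window as suspicious, so it would need a notion of which readers are physically adjacent before it is fed real logs. The parity rejection, by contrast, is exactly what a controller should do unconditionally; a monitored input as described in the talk catches the clipped line itself, and parity failures are the software-visible symptom of the same thing.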