Some of you may have noticed, I'm not David Litchfield, so I'm not David Litchfield. He's supposed to be speaking now. This is David Litchfield. Okay, I'm under cover. So I won't be offended if you all get up and run away now. I was basically in the bar last night and I was told David wasn't going to make it and someone heard me speaking and they said, oh, you're British, you'll do. Just get up on stage, do something. Because all Brits look alike, right? Yeah, and sound alike. And we know about cricket, by the way. Allegedly. By the way, what is the most feared question that the Englishman faces from a Yank, the one he would rather die than answer? Anyone else? What? No. No, but thank you for the money. Would you please explain the rules of cricket? Would you explain the rules of cricket was the question, so. So, yeah, if you want to run away, alternatively, if you want to get on the phone and quickly tell all your friends to come in and fill up the room, so they actually pay attention to my CFP next time, I'd be delighted. So this talk is called Aliens Cloned My Sheep. You may have already seen it as RFIDIOts. When I sent my CFP I had this great idea that I was going to do some really wacky talk about cloning, that it must be aliens because I'm being told it's not humanly possible to clone RFID chips. So, since I'm cloning them, obviously it's the aliens. But since my CFP kind of vaporized, I didn't get a chance to prepare it. So I've just changed the front page and the rest of it is pretty much the same talk as I've given on RFID. So if you've already seen that, again, I will not be horribly offended and have the goons track you down if you leave, so feel free. Damn, they're all leaving. Are the slides going to be on the website or is the video? The whole thing's videoed, so I guess it'll be on the website. You can come and watch it in about a year's time when they get around to posting it, I guess. The slides, yeah.
I'll create a PDF and make sure it gets posted, yeah. So you're free to leave now. So I'm sorry, I haven't had time to plug in either. Okay. Right, quick introduction to who I am. Until fairly recently I worked for a company in the UK that does secure hosting. We buy up ex-military nuclear bunkers and convert them for civilian use. They're pretty cool. You get to see where the UK government spent all our tax money on hiding underground in dark holes with lots of very thick concrete walls. But, you know, very high tech. So they spent millions and millions of pounds doing these places up. And then as soon as it was ready, they closed them down and sold them to us. So, thank you, Mr. Government. As you probably know, I'm a DEF CON goon. Yeah. And recently I've been doing stuff on Bluetooth, RFID, but I'm now a full-time freelancer. So I'm still involved in the hosting company. I don't work there day-to-day. So I'm available for freelance work. I do weddings, bar mitzvahs. So normally when I'm speaking to a more corporate audience, I try and give an explanation of the kind of stuff we get up to at events like this. And I've got a little video I'm going to show you. I'm almost embarrassed to show it here because we've got, you know, people like Deviant and Mouse and so on who are expert lock pickers. This was just a little attempt that I made when staying in a hotel recently in Miami. But it has a couple of other relevant issues that I'm going to show it to you anyway. And one of them is the law. In the UK, they've just changed the Computer Misuse Act. So it used to be illegal to break into computers. What's happening now is it's illegal to develop tools that may be used to break into computers. So basically what this is doing is looking at, well, what if you applied that logic to the physical world? If we applied the exact same logic to the physical world, would that make things like paper clips and pliers illegal tools?
So this is just a sort of quick illustration of that. The other thing is that I talk about not believing what manufacturers tell you. You should always check security for yourself. And just because someone says something secure doesn't mean it is. And don't discount the obvious. You know, go for the simple attacks first. In this case, this hotel in Miami was not just some old dive. It was a brand new state-of-the-art hotel. And so it had a brand new state-of-the-art hotel safe in it. And I'm going to show you a little video of when me and the safe had a little fun together. Now, one of the other things I do when I'm speaking on Bluetooth is I have a couple of other co-presenters. And they... We have a kind of competition going. Who can get the most hands raised in the audience? And you can't just say raise your hand because that's lame. You have to actually ask a question that's relevant to the subject you're about to discuss. So I've come up with one which I think is going to get me ahead in the competition. So my question is, raise your hands. How many of you have ever stayed in a hotel? Excellent. I win. How many of those have ever used the hotel safe? Wow, lots of you. How many of those believe that it's secure? None of you. So why do you use it? That's crazy. You're all insane. Okay, so anyway, this little video, it won't take long. It's just showing me when I got left alone in my room and I had time to fiddle with my safe, you guys. The voiceover is taken from the website. So this is the manufacturer telling you how marvellous their product is while we have a look at their product. So here we go. Through the past three decades, we have developed the largest line of in-room hotel safes in the world, specifically designed with the particular needs of the hospitality industry in mind. Our safes are available in a wide variety of dimensions and colors, with either electronic or mechanical locking systems. 
Manufacturer continuously researches the development of new features, functions, options, and designs for its products. From removable core locks to a variety of electronic systems with digital keypad, credit card readers, or chip cards, manufacturer offers you products at the forefront of technology. Our safes are installed in the most prestigious hotels and cruise lines throughout the world, which have recognized manufacturer for its quality, warranty, and superb technical service. Our uncompromising pledge of satisfaction to the client. Uncompromising quality. So if you ever get your mini bar and your safe confused, you know where to come, right? So yeah, who's the criminal there? It's me, the guy that made the paper clip, or the guy that made the safe. I can't figure it out. Okay, so what we're really here to talk about, and again if some of you want to jump up and run from the room screaming, I'll understand, is RFID. And what I'm going to talk about is not the low-level technology, how RFID works, but some of the stuff I've found, where we're actually using it against itself. So again, don't believe what the manufacturers say, see what we can do with it ourselves, and how we can bypass stuff using the actual devices without building extra circuits and so on. The original talk was RFID hacking without soldering irons, and that's the main point here. It's important to understand a little about how RFID works, and in this case we're looking at passive chips that get activated by the reader. So RFID is a little bit of a misnomer. It's not actually sending a radio signal. What it's doing is interfering with the signal coming from the reader. So the reader creates a field, an energy field, you put the tag into it, it charges up from that field, and then it shunts its own antenna and interferes with the antenna of the reader, and by modulating that interference it sends a message. So it's not actually sending out RF.
That's relevant because it limits the range at which you can attack these things from. So it's not like you can just get a bigger antenna and a great big amplifier and expect to attack it from hundreds of feet away. That's just not possible because you can't deliver the energy. So that's the only reason I mentioned that stuff. Okay, so we've got two basic classes of RFID tags that I've been looking at. The dumb ones and the smart ones. So the dumb ones, they just spit out an ID, so a number, say I'm tag number 1234, possibly some data blocks. The smart ones are essentially smart cards. You just remove the contact chip, put an antenna in its place, and you have a smart card that can talk RFID. But they behave just like a traditional smart card, and those are used for things like payment cards. We have a system in the UK called the Oyster, which is the London Transport debit or pre-payment card system, and the new biometric passports, which we'll look at specifically as well. So the kind of things that it's getting used for, animal ID is probably one of the first. We're now seeing it in things like hotel keys as a replacement for the magstripe, car immobilizers, everyone's familiar with that, events, things like ski passes and so on, one-off event passes. And one of the things I'm really interested in is the human implants. So actually sticking these things in humans instead of animals. Anyone here implanted, by the way? Don't laugh, that's probably several. If they knew that I was doing this talk, I'm sure the room would be full of people with implants. If anyone knows someone, or there is someone here that has an implant, particularly a VeriChip implant, I would really like to drag you up on stage and see what we can do with you. If there isn't, I do have the equipment with me, so. Okay, so looking at actually installing human implants, I don't know, is that too blurry to read at the back there? Yes?
Okay, so in the wrong section he's saying, the big burly guy's saying, we want to implant this tag in you. And the little kid's saying, oh, that violates my rights. So he says, okay, we want to implant this tag in you. And it's also a cell phone, a digital camera and an MP3 player. He's going, cool. Which I thought was pretty funny. I guess not if it's blurry. Okay, so here's a guy. The guy at the top is a journalist. Works for a Spanish radio station. He's reporting on a beach where they've set up a scheme where you can have a prepaid digital wallet. And all of the vendors along the beach front, so the ice cream parlours, the bars, the deck chair sellers and so on, and nightclubs and so on, will all subscribe to this system and you can have a chip implanted in your arm and you go and put money on it. And the idea is you then go to the beach and you don't have to take your wallet with you where it's going to get stolen from the beach. You can leave it safely in your hotel safe, for example. Seemed like a good idea at the time, I guess. The guy at the bottom is working for, I believe, the Mexican government. And what they're doing is they're implanting people and you need the implant to get access to certain parts of the government infrastructure, so buildings and certain restricted areas. And the reader in this picture is recognizably a VeriChip reader, so that's the technology they're using. And again, I will discuss that specifically. So the whole premise of these dumb tags, which do ID only, is that they have a unique ID. So it's absolutely guaranteed to be the only one of this tag with that number, right? If you go and read the manufacturer's websites, the white papers and all the descriptions will describe in great detail how their patented algorithm cannot be cloned, cannot be cloned, impossible to clone, blah, blah, blah. So, of course, we've seen people have come out with devices that will actually clone these.
So last year, Jonathan Westhues, who gave a presentation here, he built a device that would clone a VeriChip. He's since come out with a do-it-yourself kit. So this kit you can download from the link there. And for about 20 bucks worth of components, you can build a device that will clone the chip. So we all know it can be done. So what happens when something like this happens? The industry, of course, always has a defense. So I like to sort of imagine what happened last year when Jonathan gave his presentation, and there was probably some kid from VeriChip here who saw the presentation, went back and went, oh, my God, it's game over. They're cloning our chips. The bosses say, oh, that's not a problem, don't worry. We'll come up with something. We'll sort it out. So this is what they came up with. So we're now into semantics world. We don't have to worry that they actually open doors and they are effectively the ID because they don't look like the original. So not a problem. Second line of defense, if that isn't good enough. Some of you may remember or may have heard of, there was a talk going to be given at Black Hat Federal that got pulled at the last minute. There's no one from HID here, is there? No? Okay, I'm safe. So IOActive, they produced a cloning unit that would do the same thing for HID devices and mysteriously at the last minute pulled their talk and the two have been sort of pointing fingers at each other and saying, you told me not to talk. No, I didn't tell you, blah, blah, blah. So the full story is there. Whether they did or didn't, I don't know. I believe they've sort of kissed and made up now, but they still haven't given the full talk. But the bottom line is that a reader can't see what the device looks like, so effectively if it's spitting out the same ID, it is that tag. So when I was researching this talk, I did some, you know, searching on the internet and there are loads of these things. This is not a new problem.
They've been producing devices that can clone tags for years and in fact this last one on the bottom right is a weekend sort of do-it-yourself circuit from Circuit Cellar. Build yourself an RFID cloning kit over the weekend. But as you can see, none of them look like the original chip, so not a problem. We're all safe, nothing to see here. So I took that as a challenge. I like a challenge. Can I get away from the whole semantic argument and create a true clone that really looks like the original and has the same ID? So first to do that, we have to actually understand, you know, what makes up an RFID tag and how do you send the ID? The thing with these circuits is that they just, they don't need to understand what they're seeing. They see a signal, they record it, they play it back. If I'm going to try and program a device to be an arbitrary ID, I really have to understand what that ID looks like, you know? So the nice thing is that we're using industry standards. ISO 11784 tells us exactly what this ID looks like, how it's constructed. So the way it works is if the reader and the tag communicate with certain parameters that match, then the exchange will take place. So they use a particular frequency, 125 kilohertz in the case of the dumb tags, 13.56 megahertz typically in the case of the smart tags. They'll use a particular data bit rate, which is going to be the radio frequency divided by some factor of two, and they'll encode it in a particular way, so Manchester, biphase, and then you obviously have the actual data pattern. So if we look at an example, if you were to take an animal tag and read it on a dumb reader that doesn't try and interpret the data, what you would get is eight bytes of data, and you then have to do a bit of tweaking. So you reverse it, you reverse the nibbles, you do a bit of left shifting and so on. So I put these examples into the slides just so that you can follow it right through from beginning to end.
So here's an example, 8-byte raw ID, turn it back to front, reverse each nibble, and then I end up with a number which I can pull the three fields out of. So I've got the application ID 8000 that says you're an animal, country code F65, which you then right shift and convert to decimal. That will then be a number which is, if it's below 900, an ISO standard country code; if it's above 900 then it's an icar.org manufacturer code. And you can just go to icar.org and download the table and look them up. So in this case the chip is Digital Angel, which is now known as VeriChip. And they will then program the national ID. So this is what gives you the uniqueness. You've got control of the country code and the individual country or manufacturer has to control the unique ID. So obviously if I want to create an ID I just reverse the decoding process. So I take the 64-bit ID, add a header, add some bits. What they've got here is the header is 9 zeros. So to make sure you don't accidentally get a header in the data stream they chop the data up into 4-bit chunks and put a one in between each chunk. So it's impossible to have 9 zeros in a row. So now we have 128 bits of raw data with all the headers and everything we need in it. How do we deliver it? So I thought about this from the manufacturer's point of view. If I was a manufacturer getting into this industry where there's a plethora of new standards coming out and all these different RFID applications, what I would do is make a sort of super tag that could be programmed, set the parameters, make it behave the way that each application wants it to behave, because that will make my ongoing cost much, much lower. So if I can think of that then obviously manufacturers can too, and indeed when I searched the market I found a couple of tags that actually matched that requirement. So there's one called the Q5. Q5, you can independently configure each of those parameters.
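The field split the speaker walks through (application ID, 10-bit country or manufacturer code with the 900 threshold, national ID) and the stuff-bit framing that keeps a header out of the data, as an added worked example in Python. This is not code from the talk or from the speaker's RFIDIOt tools. It assumes the ISO 11784 bit layout as I know it (animal flag at bit 64, 14 reserved bits, data-block flag, 10-bit country code, 38-bit national ID) and takes as input the 64-bit ID after the reader-specific byte and nibble reversal the talk mentions, which is not modelled. The framing uses the ISO 11785 FDX-B figures as I know them (an 11-bit header of ten zeros and a one, and a control 1 after every 8 data bits); the talk describes the same stuffing idea in rounder numbers. The national ID in the first sample is made up; the mouse's values are the ones read out in the demo.

```python
"""ISO 11784 animal-tag ID: decode the three fields, re-encode an ID, and show
why FDX-B stuff bits keep the header pattern out of the payload.
Added example, not the speaker's code. Input is the 64-bit ID after the
reader-specific reversal the talk mentions, which is not modelled here."""

NATIONAL_BITS = 38
COUNTRY_BITS = 10
ISO_COUNTRY_MAX = 899   # ISO 3166 numeric codes; 900 and above are ICAR manufacturer codes

# ISO 11785 FDX-B framing as I know it (assumption, not taken from the talk):
# an 11-bit header of ten zeros and a one, then a control 1 after every 8 bits.
HEADER = "0000000000" + "1"


def decode_id(id_hex):
    """Split a 64-bit ISO 11784 ID (16 hex chars, MSB first) into its fields."""
    if len(id_hex) != 16:
        raise ValueError("expected 16 hex characters (64 bits)")
    v = int(id_hex, 16)
    national = v & ((1 << NATIONAL_BITS) - 1)
    country = (v >> NATIONAL_BITS) & ((1 << COUNTRY_BITS) - 1)
    return {
        "animal": bool((v >> 63) & 1),
        "application": f"{v >> 48:04X}",      # the '8000' the talk reads as 'you're an animal'
        "reserved": (v >> 49) & 0x3FFF,
        "data_block": bool((v >> 48) & 1),
        "country": country,
        "country_kind": "ISO 3166 country" if country <= ISO_COUNTRY_MAX else "ICAR manufacturer",
        "national_id": national,
    }


def encode_id(country, national_id, animal=True):
    """Reverse of decode_id: build the 64-bit ID (16 hex chars, MSB first)."""
    if not 0 <= country < (1 << COUNTRY_BITS):
        raise ValueError("country code must fit in 10 bits")
    if not 0 <= national_id < (1 << NATIONAL_BITS):
        raise ValueError("national ID must fit in 38 bits")
    v = (int(animal) << 63) | (country << NATIONAL_BITS) | national_id
    return f"{v:016X}"


def id_to_air_bits(id_hex):
    """The 64 ID bits in the order the tag sends them: least significant bit first."""
    v = int(id_hex, 16)
    return "".join(str((v >> i) & 1) for i in range(64))


def stuff(payload_bits):
    """FDX-B style framing: header, then a 1 after each 8-bit block."""
    blocks = [payload_bits[i:i + 8] for i in range(0, len(payload_bits), 8)]
    return HEADER + "".join(block + "1" for block in blocks)


def contains_false_header(frame):
    """True if the header's run of zeros occurs anywhere after the real header.
    With a 1 forced after every 8 bits, a run of ten zeros cannot happen."""
    zeros = HEADER.rstrip("1")
    return zeros in frame[len(HEADER):]


if __name__ == "__main__":
    # Sample from the talk: application 8000, country field F65 (985 = Digital Angel),
    # followed by a national ID I made up for illustration.
    print(decode_id("8000F65123456789"))
    # The mouse from the demo: country code 968, ID 4708897.
    mouse = encode_id(968, 4708897)
    print(mouse, decode_id(mouse))
    frame = stuff(id_to_air_bits(mouse))
    print(len(frame), "bits, false header present:", contains_false_header(frame))
```

The decoder is also the check a defender wants: anything that accepts an animal ID should at least verify the application flag and whether the code field is an ISO country or an ICAR manufacturer code, because, as the talk goes on to show, the ID itself carries no proof of origin.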
So you can set the bit rate, you can set the modulation, it has 224 bits of data storage that I can put my ID into, and you can tell it how many blocks to dump when it wakes up. So the way these things work is when it goes in the field it will just sit there constantly barfing out its ID. Hitag 2, made by Philips, is the same idea except they've just got three sets of parameters that they call public modes. So public mode A is a particular modulation and a particular bit rate and the data constructed in a particular way, and that matches the animal tags. The second type is door entry systems and the third type is car immobilizers. So the three sort of common uses of the system. So great, we found some tags that potentially could be programmed to be another one. So then I had a bit of luck. I started writing software to look at this stuff and I discovered that my own office tag was indeed a Q5. So I now had a device that I could potentially program to be another device. So all I have to do is figure out the bit rate, the modulation and so on that I need to set. Give it the data and so on and we're off. So I'll give you a demonstration of sort of what happened next. I'm going to look first at an access control system. Is that readable? Is there any way we can do anything about the focus on these projectors? It's the projector, okay. Blame the projector. Okay, so what I'm going to try and do is, this is my door entry tag and I'm going to try and reprogram this to open this door entry system. So what I've got here is an example of an entry system. So I've got some logic, a little battery. This would normally be connected to a door opener but I've put it onto an LED so you can see it lighting up, and a reader. Actually, how many of you flew here? I flew here with this. So you can imagine going through security was fairly interesting.
I actually carry it in my hand luggage because if I put it in my checked-on luggage I'm really concerned that they're going to find it and take one look at it and take my bag out the back and blow it to smithereens. So I carry it in my hand luggage to make sure I can actually explain what the hell it is, right? So I was going through security and there was a couple in front of me with a newborn child and they had a whole shitload of stuff with them. They had bags, they had nappies, they had milk, they had prams, they had everything. So anyway, they start pushing all this stuff through and the baby goes through and the bag and nappies goes through and everything goes through and all that's left is the husband and the milk. And the guy behind the scanning machine says, well, you can't take fluids on board. He's like, well, we've got a newborn baby, we're going on a 12-hour flight, we really need to take the milk along. So he calls over his supervisor and the supervisor says, yeah, of course they can take milk on, that's exempted, that's fine, so I'm thinking, okay, what kind of milk is that? And the husband then has to taste each bottle and prove that it's real milk, which he does. So obviously he loves his wife and he takes a sip of each bottle. And I mean, who knows what they get up to normally. This may be completely unusual for them. Anyway, eventually the milk goes through and the husband goes through but by now, as you can imagine, the dog has built up at the scanner. And in the meantime, my bag's been sitting there for a while while he's drinking milk with all kinds of shit on the screen. Boxes, batteries, circuit boards, wires. And now we've got the supervisor, we've got the original guy, we've got the guy who runs the screen and we've got this big crowd of agitated people who just want to get through and me standing there. And I'm thinking, you know, now everything would be cool. 
So I'm thinking this is going to be trouble and these three guys are just staring intently at this screen. And eventually one of them looks at the screen and he looks at me and he goes, there's no fluids in there, are there? No, fine, okay, on you go. Take your little bomb thing with you. So the world we live in now, everyone's ticking the fluids box on something that actually just looks like a bomb. That's fine. So I'm just going to quickly wire this up so you can see what I'm doing. Okay, so the way this works is, hopefully you can see the little red light. If I use the right tag, so this is the real tag, if I do that the red light comes on. Can you all see that at the back? Yes, red light off, on. Okay, so if I use my own tag, nothing happens, right? This is my door entry tag for my office. So it's not going to open this door. So plan A is I try and reprogram this to open this door. So this is what's called a keyboard wedge. This is a really cheap little reader. Stick it in the USB port. You present a tag to it and it just acts as if you've typed it at the keyboard. So if I do that, that's my tag number. So I'm now going to try and write the tag with that. So this is a little off-the-shelf reader/writer compact flash unit. Stick it in a PCI adapter. Get all this crap out of the way. Should get bigger podiums up here. Okay, so these tags are sold under, one of the brand names that's used is Unique, because it's got a unique code, right? So I've written a little program called Unique. So in theory, I've now reprogrammed this tag to have the ID of the other tag. So I'm going to go back to my door. See the light? Can you see the light? And I'm in.
So if that was your door and you just walked out of the office and I walk past you with my little scanner, I can scan your key as I go by, or potentially I could wire up a door or a couple of gates and you walk through them and I get all the tags that go through, and then I have a nice little supply of tag numbers to get into buildings with. So that's door entry systems. The other demonstration I was going to do is animal implants, or in particular cow implants. I live in the country, we're surrounded by cows. So I was going to bring my cow Daisy along, but she got stopped at security at Heathrow Airport. Something to do with fluids, I think. So what I brought instead is my little mouse friend here. I quickly implanted him with a chip. This is a little handheld sort of veterinarian's scanner. Incidentally, has anyone here got a dog or a cat that's implanted? Okay, my dog was implanted. I have a female dog, she's about four years old now, and when we got her as a puppy we had her implanted and the tag was put in the back of the neck. I think that's the normal place. When I got this I thought, I wonder what her tag number is. I'm going to see if it's compatible and scan it. So I scanned it and I couldn't find it. And when I got a bit more confident that I really knew what I was doing and it should actually work, I tried again and I scanned it and eventually I did find it, and it was here. Okay, so it's just above her elbow. So it was put here, it's now here three years later. So if you're thinking of getting an implant, choose your location carefully. These things travel. It could get uncomfortable. Okay, so basically the way this works is you press scan. It'll go beep, hopefully. What I'm going to do is plug it into a screen so you can see what I'm seeing. So if I scan our friend, let me just make this bigger. If I scan the mouse you'll see it gives us, or you may not see, because that's bad. So it says it's an FDX-B, country code 968, and that's the ID, 47, etc.
Okay, so what I'm going to do now is try and reprogram my tag. Now when I first started doing this, you know how when you're playing with something you get it right a few times and you get a bit overconfident and then you start trying all sorts of other things. And then you get it wrong and then you find you've bricked your device. I managed to do that to this card fairly quickly, so not only could I not clone cards anymore but I couldn't even get into my own office building anymore. So then I discovered, well actually I can just buy blanks on the web. So I bought 10 blanks and pretty soon I'd bricked all of those too, so I couldn't do any more research, and I was on a train on a really long journey and I really wanted to get this fixed and carry on working on it. So I kind of put my mind to it and eventually I did come up with a way to fix them. So before I reflash it I have to reset it. I actually found the master sort of reset to get it back to normal. So I wrote a little program for that. So that's now reset, I can reprogram it to be the mouse. Actually, well, when I said at the beginning what we're going to do, I'm trying to emulate the same form factor, so I'm going to go one step further. I've actually got one of these implanted in my wrist. So I'm going to reprogram myself to be the mouse. So just to show you there's nothing up my sleeves, as they say. If I scan myself now, so scan my wrist, nothing happening. Just scan the mouse again.
So I've got his ID, so country code 968. That's the number 8000 because I'm going to become an animal, 968, unique ID. I want to write that. Okay, so it's waiting for a blank. Okay, so in theory I've now reprogrammed my wrist to be the mouse. So if you remember this number, 4708897, just clear the screen, do the scan, so I am now that mouse. Can you spot the difference? My wife can't. Say again? I'm a different form factor, I'm not a true clone. It's true, I'm working on it. Okay, or actually, I know, I'll feed him up, that'll be easier. Okay, so the other demonstration that I was going to do, but it's basically the same thing, and since we don't have any real humans to try it against, one last call: is there anyone here with a VeriChip implant? Okay, so I wanted to clone a VeriChip. Now I believe that I can do that because they're using the exact same standard, okay, but they're selling it as a security device, so there must be something about it that's unique and difficult to reproduce, and yes, there is. Remember I said it's a three digit country code? VeriChip go to 4. So that's it, can't be cloned, because it's got 4 digits and 4 numbers and the standard says 3. And actually that's true of commercial software. I've gone to commercial vendors and said, can you program me a chip with a 4 digit country code? And they're like, why would you want to do that? And actually, no, we can't, our software won't let us do that. Obviously mine, since I wrote it, will do whatever I tell it to, so if I put a code 1022 in, that's VeriChip's unique code, and it will quite happily do that. There's actually room for, I think, about 6 digits in that field, so even if they add another one it's not going to save them. So as far as I can tell that is their security mechanism. I have cloned chips and I have used readers to read VeriChip clones and it came out fine. So what are the threats behind that? Obviously if I can read other people's implanted chips I can track them, I can target them, I can impersonate them to gain access or
spend their money on the beach and run out of money from their wallet, gain access to restricted areas. And actually it works both ways, so impersonating someone isn't always just to get you in somewhere, it can also be used to prove that you were somewhere where you're not, of course. So if we were to start using these devices in things like probation, proving people are within the country, I could start offering a service, if anyone wants to contact me afterwards, where I just pop into the police station for you. And obviously worst case, smart bombs that only go off when the right person or the right number of people or the right class of person comes along. Okay, so how do we protect against that? Simple answer: don't use just straightforward IDs, put something else on top. The biometric passport is a very good example of that. We've got up to 48 items of valuable data stored in there. Fingerprints are going to be out in the UK passports in 2010. It's already got your image, your facial image. Potentially it's going to have the document that you used to get the ID in the first place, so your birth certificate or whatever document you produced, home number, phone, profession and so on. So very, very sensitive information. Incidentally, people ask me, how do you tell if you've got a chip in your passport? The clue is this little logo here. That's an international standard. If your passport has that logo at the bottom then you've got a chip in it. If you're from the UK there's another clue, which is there's this damn great chip in it, looks like that. Not in all countries is it that visible. Sometimes they're hidden in the cover. Some countries have like a thick plastic page and it's embedded in there. So we've got some stuff in there we need to protect. How do we protect it? Well, they do two things. One is, unlike the unique ID devices, they do exactly the opposite: they deliberately don't give a unique ID. So they don't want me to be able to say, well, I've seen that passport before, I know that Joe Schmo is
now stood in front of me. So if I ask the passport for its ID and nothing else it will just give me a different number every time, a pseudo-random number. The other thing is strong authentication. So before I can read any data from the passport I have to actually log in and authenticate to it, and I do that using a standard called Basic Access Control. The important thing to understand about Basic Access Control is you don't have to do it, but if you do it you have to do it according to the standard. So every country will follow the exact same procedure for locking down the passport, and they use a 3DES algorithm for that. In addition to that you can encrypt the content; that's called Extended Access Control. I haven't seen any passports doing it, but if you do it, it's up to you, there is no standard for how you do it. So the standard that defines the passport application says you may do this, but you don't have to do it in any particular way. So I don't think it's going to be particularly useful until that standard's agreed, and once it's agreed it's going to be widely known and therefore presumably anyone can do it. But if we look back at Basic Access Control, you see it's using 3DES. So anyone know what kind of cipher 3DES is? Broken? Well, maybe. It's a symmetric cipher, so you have the same key on both sides. So unlike public key, where you have a public/private key pair, both sides have to know the key. So in order to be able to read this passport I have to know what the key is. We've got all this super safe data in there, so we're going to store our key somewhere really safe, right?
Yeah, we print it on the passport. So the way you derive the key for the passport is you read the MRZ, which is the machine readable zone; you take the passport number, the expiry date and the date of birth, you glue them together and that's your key. That's the same for every passport in the world. So I'll give you a quick demonstration of that; I just have to quickly edit my config file. So again I'm using a commercial off-the-shelf reader; it runs at a slightly higher speed. Now normally the procedure would be you hand this to the guy at passport control, he swipes it through an MRZ and then he reads it. I don't have one, so I'm going to type it in, but I've pre-typed it so you won't fall asleep while I do this.

Okay, so it's logged in, it's read some data, I'm reading the rest of it. So you can see it's got the basic name, date of birth, passport number and so on. It's now reading one of the biometric files, so that's the image stored in the passport. As you can see, I was much better looking when that picture was taken. Actually that's my son's passport; he's not allowed to travel when I'm speaking. So in fact he was actually in Estonia last week, nothing to do with the problems they've been having out there, and I was a bit worried: what am I going to do for my talk? I don't have his passport. So I arranged that my flight left the day he was coming in, and I called him up and I said, you're flying into Gatwick, I'm flying out of Gatwick, I'll meet you, we'll have coffee, it'll be nice, we'll have breakfast, it's his birthday next week, I'll give him some attention. So he shows up and I meet him at the gate and he's like, hi Dad, how are you? Let me see your passport a second. So I've got his passport; he's going nowhere.

So basically I've read all the data out of that. I now have an exact digital copy of the data that's stored in this passport. It's already been demonstrated you can just write that back to a blank; there are no anti-cloning mechanisms, and it will be indistinguishable from the original.
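The key derivation the speaker is describing, as an added worked example that is not part of the talk or of the RFIDIOt tool set: it follows the published ICAO 9303 Basic Access Control procedure (MRZ check digits, SHA-1 key seed, two Triple DES keys with DES parity) and feeds it the standard's own worked-example MRZ data. The field layout and constants are the standard's; the function names are mine.

```python
"""ICAO 9303 Basic Access Control key derivation from the machine readable zone."""
import hashlib

MRZ_WEIGHTS = (7, 3, 1)


def mrz_char_value(ch):
    """Numeric value of one MRZ character: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"not an MRZ character: {ch!r}")


def mrz_check_digit(field):
    """ICAO 9303 check digit: weighted sum (weights 7,3,1 repeating) modulo 10."""
    return sum(mrz_char_value(c) * MRZ_WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def mrz_information(doc_number, birth_date, expiry_date):
    """The 24-character 'MRZ information' string the BAC key is derived from."""
    doc_number = doc_number.ljust(9, "<")   # document number field is 9 chars, '<' padded
    return (f"{doc_number}{mrz_check_digit(doc_number)}"
            f"{birth_date}{mrz_check_digit(birth_date)}"
            f"{expiry_date}{mrz_check_digit(expiry_date)}")


def adjust_des_parity(key):
    """Set the low bit of every byte so each byte has odd parity (DES key convention)."""
    out = bytearray()
    for b in key:
        high = b & 0xFE
        out.append(high | (0 if bin(high).count("1") % 2 else 1))
    return bytes(out)


def derive_key(k_seed, counter):
    """9303 KDF: SHA-1(K_seed || counter) truncated to a 16-byte two-key 3DES key, parity fixed."""
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return adjust_des_parity(digest[:16])


def bac_keys(doc_number, birth_date, expiry_date):
    """Return (mrz_information, K_seed, K_enc, K_mac); all of it follows from printed fields."""
    info = mrz_information(doc_number, birth_date, expiry_date)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    return info, k_seed, derive_key(k_seed, 1), derive_key(k_seed, 2)


if __name__ == "__main__":
    # Worked-example data from ICAO 9303 (document number L898902C<, born 1969-08-06,
    # expiry 1994-06-23): nothing beyond these three printed fields is needed.
    info, seed, k_enc, k_mac = bac_keys("L898902C", "690806", "940623")
    print("MRZ information:", info)
    print("K_seed:", seed.hex())
    print("K_enc :", k_enc.hex())
    print("K_mac :", k_mac.hex())
```

The point the code makes concrete is the one the speaker is making: every bit of `K_enc` and `K_mac` is a deterministic function of three fields printed on the data page, so the access-control strength is exactly the unpredictability of those fields to whoever holds the reader, not the strength of Triple DES.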
There's also no anti-brute-force mechanism, so if I didn't know the whole of that number I could say, put two question marks there instead, and it'll just keep trying. So you've got a challenge response, challenge response, fail, fail, fail, and I'm going to be in there in a minute.

So one of the questions I get asked is, okay, so you can read it but you can't change it, so what's the big deal? And until recently the answer was, well, you can change it, because on the passport the way it works is these files, there's a cryptographic hash, okay, so they're all signed. So I read the file that has the name and address and so on, I read the file that has the image, I read another file that's called the security object. The security object has within it a certificate and a bunch of signatures, and what you do is you check the signatures against the signatures on the files, and then you check the signature against the certificate, and if they all match then you know it's genuine. Can anyone spot the deliberate mistake there? Okay, the thing I'm checking and the thing I'm checking it against have both been delivered to me by the thing. Now, so why don't I just sign it with my own certificate and put the new certificate on the device?

Okay, so there is actually a cure for that now, which is good. There is a thing called the PKD, the Public Key Directory, so that you can now connect to the PKD and you can download a certificate, that the one on the passport is actually the valid one. That's only true as of April this year. These things have been out what, three, four years now in some countries; there are 28 countries participating in this type of passport program, and yet there's only 15 countries currently using the PKD. I think they only ratified the design for the PKD in sort of July of last year. So I'm very dubious as to, you know, how well this project is actually maintained. But anyway, before that happened I had a look at how hard it would be to create a fake certificate and do the signing. So this is one I
pulled off a New Zealand passport, and this is my forgery. So if I flip between the two you can see the only thing that's changing is the crypto modulus; very easy to produce a fake that looks the same.

Yeah, so again the threats that come from this: we found that the key data, because there's no anti-brute-forcing, if you can obtain some of the key data through other channels, then you can reduce the brute force to such a small space that it's actually doable. I believe in Holland they've got it down to two hours, so they can actually brute force an arbitrary passport in about two hours. Two minutes. The other thing is passport profiling, so even though I can't read the passport, where it came from, so without logging in, because of the implementation differences I can say that's an American or that's an Australian or that's an English passport, which again could be bad.

I've got to wind up really quickly. So this software, everything I've used today, is published; it's open source, it's on rfidiot.org, feel free to download it. The hardware I use is available also from that site. You'll probably find some suppliers in the US that are going to be cheaper than buying them from me, but if you want to buy them from me that will help support further research. It interfaces to those manufacturers, so ACG, Frosch, PC/SC devices, so OmniKey for example, and there's a cool project coming along called OpenPCD, which is a completely open source implementation of an RFID reader.

I'll take one question before I wind up. Where's the bar? Yes, why do I have a chip in me? Okay, I'm crazy, but I'm not that crazy. It's not really; it's in my watch strap. Okay, that's me, I'm done.
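The "deliberate mistake" in the security object check, and the PKD-style cure for it, as an added example that is not from the talk or from RFIDIOt. It is a simplified model of passive authentication built on the `cryptography` library (assumed installed): the document signer "certificate" is reduced to a DER-encoded DS public key plus a country signing CA (CSCA) signature over it, rather than the real X.509/ASN.1 layout. `check_internal` does only what the speaker describes (data-group hashes against the files, signature against the certificate found on the chip); `check_with_trust_store` additionally requires that certificate to chain to a CSCA key obtained out of band, which is the role the Public Key Directory plays. Key names, the sample data-group bytes and the flattened certificate format are all constructed for the demo.

```python
"""Simplified passive authentication for an e-passport security object (constructed model)."""
import hashlib
from dataclasses import dataclass

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def _public_der(private_key):
    return private_key.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)


def _sign(private_key, data):
    return private_key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def _verify(public_key, signature, data):
    try:
        public_key.verify(signature, data, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


@dataclass
class SecurityObject:
    dg_hashes: dict      # data group name -> SHA-256 hex of its contents
    ds_cert: bytes       # DS public key (DER); stands in for the DS certificate
    ds_cert_sig: bytes   # CSCA signature over ds_cert (the "issued by" link)
    signature: bytes     # DS signature over the encoded hash list


def encode_hashes(dg_hashes):
    """Deterministic byte encoding of the hash list; this is what the DS key signs."""
    return "|".join(f"{k}={v}" for k, v in sorted(dg_hashes.items())).encode()


def issue(csca_key, ds_key, data_groups):
    """Issuer side: hash every data group, sign the list with the DS key, attach the DS cert."""
    dg_hashes = {n: hashlib.sha256(c).hexdigest() for n, c in data_groups.items()}
    ds_cert = _public_der(ds_key)
    return SecurityObject(dg_hashes, ds_cert, _sign(csca_key, ds_cert),
                          _sign(ds_key, encode_hashes(dg_hashes)))


def check_internal(sod, data_groups):
    """The check as the talk describes it: everything being verified came off the chip."""
    for name, content in data_groups.items():
        if hashlib.sha256(content).hexdigest() != sod.dg_hashes.get(name):
            return False
    ds_pub = serialization.load_der_public_key(sod.ds_cert)
    return _verify(ds_pub, sod.signature, encode_hashes(sod.dg_hashes))


def check_with_trust_store(sod, data_groups, trusted_csca_keys):
    """Same, plus: the DS certificate must be signed by a CSCA key obtained out of band."""
    if not check_internal(sod, data_groups):
        return False
    return any(_verify(k, sod.ds_cert_sig, sod.ds_cert) for k in trusted_csca_keys)


def _new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def build_scenario():
    """Genuine passport vs. a re-signed forgery; returns the outcome of each check."""
    csca, ds = _new_key(), _new_key()
    trust_store = [csca.public_key()]   # stands in for CSCA certificates fetched from the PKD
    data_groups = {                     # constructed stand-ins for DG1 (MRZ) and DG2 (face image)
        "DG1": b"P<NZLSAMPLE<<PERSON<<<<<<<<<<<<<<<<<<<<<<<<",
        "DG2": b"<constructed JPEG bytes>",
    }
    genuine = issue(csca, ds, data_groups)

    # Forger: alter DG1, then sign with a self-made CSCA/DS pair and embed that certificate
    forged_groups = dict(data_groups, DG1=b"P<NZLSAMPLE<<IMPOSTOR<<<<<<<<<<<<<<<<<<<<<<")
    forged = issue(_new_key(), _new_key(), forged_groups)

    return {
        "genuine_internal": check_internal(genuine, data_groups),
        "genuine_trusted": check_with_trust_store(genuine, data_groups, trust_store),
        "forged_internal": check_internal(forged, forged_groups),
        "forged_trusted": check_with_trust_store(forged, forged_groups, trust_store),
    }


if __name__ == "__main__":
    for name, ok in build_scenario().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The forged document is internally consistent, so `check_internal` accepts it just as the speaker says; only the comparison against a trust anchor the chip did not supply rejects it. That is also why the speaker's numbers matter: an inspection system whose country has not loaded CSCA certificates from the PKD is, in this model, running `check_internal` alone.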