Demystifying RFID Technology
Michael Vieau, CISSP, CEH
Kevin Bong, GSE, PMP, QSA, GCIH, GCIA, GPPA, GSEC, GCFA, GAWN

About Sikich Security & Compliance
» A full-service information security and compliance consulting practice within Sikich
» Audits and assessments
» Penetration testing
» Forensics
» Handle anything having to do with security or protecting data, including:
  » Credit card data (PCI DSS)
  » Patient data (HIPAA/HITECH)
  » Financial information (FFIEC/GLBA)
  » Service provider reviews (SOC 1/2/3)
  » Federal information security standards (NIST/FISMA)

About Michael & Kevin
» Penetration testers in the Security & Compliance practice at Sikich
» Hardware hacking hobbyists
» Creators/maintainers of the “MiniPwner” penetration testing drop box project

Agenda
» What is RFID?
» Where is RFID used?
» How does RFID work?
» Hacking RFID
» Securing RFID
» Biohacking with RFID

What is RFID?
» RFID = Radio Frequency IDentification
» The system is made of two main parts
  » Tag (transmitter)
  » Reader (receiver)
» Basically a tracking and inventory system

Passive vs. Active Tags

Passive Tags
» Do not have a power source
» Draw power from the reader
» Inexpensive to produce
» Widely used in many industries

Active Tags
» Has a built-in power source
» Can work at greater distances than a passive tag
» Can offer added security (challenge response)

Passive Tag / Active Tag

Where is RFID used?
» RFID is used in many different industries, from transportation to health care and even sports
» More recently, people have begun to use near-field communication (NFC) to pay for shopping using a mobile device

RFID Usage Examples
» Security
  » Door locks
» Transportation
  » Bus or train passes
  » iPass system
  » Passports
» Medical
  » VeriChip (PositiveID)
  » Equipment tracking
» Farming
  » Animal tracking
» Libraries
  » Book inventory and checkout systems
» Museums
  » eXspot exhibits system
» Sports
  » Fitness tracking
  » Race timing
» Schools
  » Taking attendance
  » Student tracking

How RFID Works
» We will demonstrate using Prox from HID Global, a common access badge system
» The reader generates a 125 kHz sine wave electromagnetic (EM) field
» An antenna in the card is brought into that field
» A bit of the power in that field is “tapped” to power the card
» The card’s antenna is tuned and dampened to create the HID message
» The strength of the field in the reader’s antenna changes with the dampening of the card

Oscilloscope Demo

Carrier – Zoomed Out

Amplitude Modulated Signal

What is the Envelope?

Modulated and Decoded Signals

Frequency Shift Keying of the Envelope

Manchester Encoding
» Now you have the envelope, which produces a stream of 0s and 1s
» What does it mean?
» It is Manchester encoded

Manchester Encoding

Manchester Encoding
» Example: 110100101011001011001011 010101010011
» 10 = '1'
» 01 = '0'
» 11 = Invalid!
» 00 = Invalid!

Why is Manchester Encoding Cool?
» Self-clocking
  » You can determine the start/end of each bit without a separate clock signal
» Error detection
  » “000” and “111” would never be valid
» Ability to transmit ‘0’
  » Distinguished from silence

HID Card Format
Convert the 16-bit card number from binary to decimal to get the card number printed on the card
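A worked example of the decoding steps on the last few slides, added here and not part of the deck: it decodes a Manchester stream by picking the bit-boundary phase that yields no invalid pairs (the self-clocking property), then reads the 16-bit card number out of a standard 26-bit HID frame. It assumes the 26 data bits have already been isolated from the rest of the Prox frame, and the facility code and card number it uses are constructed sample values.

```python
# Added example (not from the slide deck): decode a Manchester-encoded
# envelope bit stream with the slide's convention ('10' = 1, '01' = 0,
# '00'/'11' invalid), recovering the bit boundary from the stream itself,
# then read the facility code and card number out of a 26-bit HID frame.
# Sample values (facility 42, card 12345) are constructed, not a real badge.

SYMBOL = {"10": 1, "01": 0}

# The slide's example stream, with its line break removed.
SLIDE_EXAMPLE = "110100101011001011001011" + "010101010011"

def manchester_decode(stream: str) -> list:
    """Self-clocking decode: try both bit-boundary phases and keep the one
    with no invalid '00'/'11' pairs. Raises ValueError if neither fits."""
    for phase in (0, 1):
        chunk = stream[phase:]
        chunk = chunk[: len(chunk) - len(chunk) % 2]  # drop a trailing half-bit
        pairs = [chunk[i:i + 2] for i in range(0, len(chunk), 2)]
        if pairs and all(p in SYMBOL for p in pairs):
            return [SYMBOL[p] for p in pairs]
    raise ValueError("no phase decodes without '00'/'11' pairs")

def manchester_encode(bits) -> str:
    return "".join("10" if b else "01" for b in bits)

def build_hid_26bit(facility: int, card: int) -> list:
    """Standard 26-bit HID layout: even parity over the first 13 bits,
    8-bit facility code, 16-bit card number, odd parity over the last 13."""
    body = [int(b) for b in f"{facility:08b}{card:016b}"]
    even = sum(body[:12]) % 2
    odd = 1 - sum(body[12:]) % 2
    return [even] + body + [odd]

def parse_hid_26bit(bits) -> dict:
    """Card number = the 16-bit field converted from binary to decimal."""
    if len(bits) != 26:
        raise ValueError("expected 26 bits, got %d" % len(bits))
    parity_ok = sum(bits[:13]) % 2 == 0 and sum(bits[13:]) % 2 == 1
    facility = int("".join(map(str, bits[1:9])), 2)
    card = int("".join(map(str, bits[9:25])), 2)
    return {"facility_code": facility, "card_number": card, "parity_ok": parity_ok}

def decode_sample() -> dict:
    # A stray leading half-bit forces the decoder to pick phase 1.
    stream = "1" + manchester_encode(build_hid_26bit(42, 12345))
    return parse_hid_26bit(manchester_decode(stream))
```

Run on the slide's own example string, the decoder rejects phase 0 at its first "11" pair and decodes cleanly one half-bit later, which is the self-clocking behaviour the slides describe.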

Proxmark III
» Enables sniffing, reading and cloning of RFID tags
» Works at 125 kHz, 134 kHz and 13.56 MHz
» Multiple protocol support (HID, NFC, MiFare)

Badge Spoofing Demo
» Use a Proxmark to capture a HID RFID badge

Capturing HID Codes (RFID Snooper)
We’re going to take the cheap 125 kHz RFID lock, tap into the signal generated by the antenna and decode that signal with an Arduino to read HID card codes

Replaying HID Codes (RFID Spoofer)
We’re going to use the Arduino, a few electronic components and one of the blue key tags as an antenna

Building a Spoofer - Materials
» Arduino (Nano recommended)
» RFID key tag
» 1 2N3904 transistor
» 1 560 pF capacitor
» 1 10K resistor
» PCB or protoboard

How the Tag Modulates the Field
» LC (inductor and capacitor) circuit in the card

RFID Spoofer Circuit

Spoofer Video

Securing RFID is Hard
» Minimal computing power
» No clock
» Limited entropy
» One-way communication
» Limited or no read/write memory

Case Study: MiFare
» MiFare Classic uses challenge-response
  » Requires two-way communication
  » Verifies the reader and the card
» Still a number of weaknesses that allow card cloning
  » Poor random number generation
  » Weak 48-bit keys
» MiFare Ultralight C
  » 3DES authentication proves that two entities have the same secret and each entity can be seen as a reliable partner for the coming communication

Case Study: HID iClass
» High-security version of the HID card
» Uses encryption to protect card data
» Broken due to key management mistakes
  » Master encryption key embedded in readers
  » Key was not changed even after it was exposed
  » Key rotation would require clients to replace readers and cards

Case Study: NFC Contactless Payments
» NFC transmissions are not secure
» Relies upon other security controls
  » Virtual account number
  » Cryptogram
  » Read distance
  » PIN entry

Biohacking
» RFID chips are widely used to “chip” pets so they can be returned to their owners
» In December 2004, the “Implantable Radiofrequency Transponder System for Patient Identification and Health Information” was approved by the FDA

Implantable Radiofrequency Transponder
» A VeriChip can be used to identify a patient with a 16-digit number (10 quadrillion possibilities)
» The ID from the chip is used to look up the patient information in a database
» The chip does not store your medical history
» The VeriChip was used between 2004 and 2010
» There are ~300 people with VeriChip implants

Types of Implants
» RFID tags (125 kHz)
» NFC tags (13.65 MHz)
» Magnets
» Thermometer
» LED compass
» LED backlighting tattoos
» Tritium (alternative to radium)

Why are people doing this?
» Most commonly to authenticate to doors
  » Replacing RFID access cards (such as HID)
» Medical reasons
» Lifestyle

Biohacking Experience
» I have an RFID (125 kHz) chip in my left hand
» Currently it is used to unlock doors at our office
» Is it secure?
  » Testing has shown it is very difficult to “read” the chip from something like a Proxmark
  » Badge readers can “see” it fine (most of the time)
  » However, someone could cut off my hand

Just After Implanting

A Few Weeks Later
» After a few weeks, the implant can still be seen under the skin

Implant Quick Facts
» The implant cannot be programmed while in the syringe (you must implant it first)
» It might not work for a few days
» A Proxmark can write to the chip, but not read it
» Make sure you get one that is rewritable
» You might find it difficult to get someone to implant it for you

Biohacking Demo
» Using my implant to trigger the HID card reader and display it on screen

Questions?
Michael Vieau, mvieau@sikich.com, 877.403.5227 x360
Kevin Bong, kbong@sikich.com, 877.403.5227 x349