
BSidesLondon Rookie Talk - RFID Hacking - An Introduction

Date post: 27-Jun-2015
Upload: d3sre
RFID HACKING AN INTRODUCTION D3SRE, BSIDES LONDON, 2014

CONTENT

• First step

• RFID technology need to know

• Next steps to play around

• RFID reader
  • The «playful»
  • The «intermediate»
  • The «deluxe»

• References

• Questions


FIRST STEP

• What is your goal?
  • Set up «Home RFID System»?
  • Learn about the technology?
  • Read a specific card?
    • Type of card
    • Encryption used


Source: RFID Handbook, Finkenzeller, fig 2.18


RFID TECHNOLOGY NEED TO KNOW

• ISO 14443 Standard on 13.56 MHz
• Mifare Classic 1k
  • 16 sectors, each 4 blocks
  • Last block of each sector has access key
  • Up to 2 access keys/sector (with different permissions)
  • 1st block (0) has UID, usually write protected
  • Crypto 1 encryption


Source: http://www.adafruit.com/blog/wp-content/uploads/2011/05/tagassortment_LRG.jpg
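
The layout on this slide as a small parser, added here as an example (not from the talk): it splits a 1024-byte card image into 16 sectors, reads the UID from block 0 and both keys from each sector trailer, and flags sectors still on the factory default key. The sample image is constructed; the 4-byte UID with check byte, the trailer byte layout and the default key value are assumptions taken from the public datasheet, not from the slides.

```python
TRANSPORT_KEY = bytes.fromhex("FFFFFFFFFFFF")  # well-known factory key, not listed on the slides
SECTORS, BLOCKS_PER_SECTOR, BLOCK_SIZE = 16, 4, 16

def access_bits_consistent(ac: bytes) -> bool:
    """Trailer bytes 6-8 store each condition nibble C1..C3 plain and inverted."""
    c1, c2, c3 = ac[1] >> 4, ac[2] & 0x0F, ac[2] >> 4
    stored_inverted = (ac[0] & 0x0F, ac[0] >> 4, ac[1] & 0x0F)
    return stored_inverted == (c1 ^ 0xF, c2 ^ 0xF, c3 ^ 0xF)

def parse_1k(image: bytes) -> dict:
    """Split a 1024-byte image into the layout from the slide and audit it."""
    if len(image) != SECTORS * BLOCKS_PER_SECTOR * BLOCK_SIZE:
        raise ValueError("a Mifare Classic 1k image is exactly 1024 bytes")
    blocks = [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]
    uid, bcc = blocks[0][:4], blocks[0][4]  # assumption: 4-byte UID + check byte
    sectors = []
    for s in range(SECTORS):
        trailer = blocks[s * BLOCKS_PER_SECTOR + 3]  # last block of the sector
        key_a, ac, key_b = trailer[:6], trailer[6:9], trailer[10:]
        sectors.append({
            "sector": s,
            "key_a": key_a.hex(),
            "key_b": key_b.hex(),
            "access_ok": access_bits_consistent(ac),
            "default_key": TRANSPORT_KEY in (key_a, key_b),
        })
    bcc_ok = bcc == uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    return {"uid": uid.hex(), "bcc_ok": bcc_ok, "sectors": sectors}

def build_sample() -> bytes:
    """Constructed image (not a real card): only sector 1 has been re-keyed."""
    uid = bytes.fromhex("DEADBEEF")
    block0 = uid + bytes([uid[0] ^ uid[1] ^ uid[2] ^ uid[3]]) + bytes(11)
    access = bytes.fromhex("FF078069")  # factory access bits + user byte
    default_trailer = TRANSPORT_KEY + access + TRANSPORT_KEY
    custom_trailer = bytes.fromhex("A1B2C3D4E5F6") + access + bytes.fromhex("0102030405A6")
    image = bytearray()
    for s in range(SECTORS):
        first = block0 if s == 0 else bytes(BLOCK_SIZE)
        trailer = custom_trailer if s == 1 else default_trailer
        image += first + bytes(2 * BLOCK_SIZE) + trailer
    return bytes(image)

if __name__ == "__main__":
    report = parse_1k(build_sample())
    flagged = [s["sector"] for s in report["sectors"] if s["default_key"]]
    print("UID", report["uid"], "sectors still on the default key:", flagged)
```

An image read back from a card without the keys shows Key A as zeros, so the default-key flag is only meaningful on an image that carries the keys, such as a provisioning backup.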


RFID TECHNOLOGY NEED TO KNOW

• Authentication for Mifare Classic 1k
• Authentication per Sector

Message sequence between Reader and Card:

1. Authentication
2. Send card UID
3. Send card UID + Sector Key
4. Send card UID + Data
5. Send further command
6. Send further reply

256^6 possibilities


NEXT STEPS TO PLAY AROUND

• 1. Find Authentication Key
  • Try default keys first …
  • Don’t try brute force, rather
    • Eavesdrop communication (needs antenna & receiver)
    • Emulate tag (e.g. with XBee, OpenPICC, Proxmark3)
• 2. Read Data block (probably encrypted)
• 3. Decrypt Data block (probably Crypto 1 hacked)
• 4. Clone card
  • Important Keywords are «Mifare classic UID eBay»


RFID READER - THE «PLAYFUL»

• Arduino or Raspberry Pi Shields
  • Comply with Standard
  • Write protocol code yourself
  • Might have hardware limitations
  • Quality of documentation varies
• Examples
  • XBee
    • XBee communication shield €15
    • XBee NFC/RFID module €50
  • Seeed Studio RFID module $29.50


Source: http://www.cooking-hacks.com/documentation/tutorials/rfid-13-56-mhz-nfc-module-for-arduino


RFID READER - THE «INTERMEDIATE»

• ACR122U USB
  • Manuals for use with Backtrack
  • $59.00
• OpenPCD
  • Famous from CCC talks
  • Open Source Development
  • Trainings available/Live System
  • 46.22 €


Source: http://www.openpcd.org/OpenPCD_2_RFID_Reader_for_13.56MHz


RFID READER - THE «DELUXE»

• Proxmark 3
  • Big active community
  • Antennas for LF & HF
  • Supports emulating, cloning & eavesdropping
  • $399 (enclosed version), antenna $59


Source: http://www.proxmark3.com/item_pm3.html


REFERENCES

• http://en.wikipedia.org/wiki/MIFARE

• http://www.backtrack-linux.org/wiki/index.php/RFID_Cooking_with_Mifare_Classic#RFID_Cooking_with_Mifare_Classic

• http://penturalabs.wordpress.com/2013/07/15/access-control-part-2-mifare-attacks/

• http://www.proxmark.org/documents/mifare_weakness.pdf

• http://sar.informatik.hu-berlin.de/research/publications/SAR-PR-2008-21/SAR-PR-2008-21_.pdf

• http://www.cs.virginia.edu/~kn5f/Mifare.Cryptanalysis.htm

• http://www.eng.tau.ac.il/~yash/kw-usenix06/

• http://www.rfidblog.org.uk/Hancke-JoCSSpecialRFIDJune2010.pdf

• http://www.rfidblog.org.uk/Hancke-RFIDsec08-Eavesdropping.pdf

• http://www.securestate.com/Downloads/whitepaper/All-is-MIFARE-in-Love-and-War.pdf

• http://www.openpcd.org/OpenPCD_2_RFID_Reader_for_13.56MHz


QUESTIONS?

Desiree Sacher

@d3sre


HAVE FUN THANK YOU FOR LISTENING

