Slide 1: Demystifying RFID Technology
Michael Vieau, CISSP, CEH
Kevin Bong, GSE, PMP, QSA, GCIH, GCIA, GPPA, GSEC, GCFA, GAWN
Slide 2: About Sikich Security & Compliance
- A full-service information security and compliance consulting practice within Sikich
- Audits and assessments
- Penetration testing
- Forensics
- Handle anything having to do with security or protecting data, including:
  - Credit card data (PCI DSS)
  - Patient data (HIPAA/HITECH)
  - Financial information (FFIEC/GLBA)
  - Service provider reviews (SOC 1/2/3)
  - Federal information security standards (NIST/FISMA)
Slide 3: About Michael & Kevin
- Penetration testers in the Security & Compliance practice at Sikich
- Hardware hacking hobbyists
- Creators/maintainers of the “MiniPwner” penetration testing drop box project
Slide 4: Agenda
- What is RFID?
- Where is RFID used?
- How does RFID work?
- Hacking RFID
- Securing RFID
- Biohacking with RFID
Slide 6: What is RFID?
- RFID = Radio Frequency IDentification
- The system is made of two main parts:
  - Tag (transponder: carries the ID and answers the reader)
  - Reader (interrogator: generates the field and receives the tag's answer)
- Basically a tracking and inventory system
Slide 7: Passive vs. Active Tags
Passive tags
- Do not have a power source
- Draw power from the reader
- Inexpensive to produce
- Widely used in many industries
Active tags
- Have a built-in power source
- Can work at greater distances than a passive tag
- Can offer added security (challenge-response)
Slide 8: Passive Tag / Active Tag (images)
Slide 10: Where is RFID used?
- RFID is used in many different industries, from transportation to health care and even sports
- More recently, people have begun to use near-field communication (NFC) to pay for shopping using a mobile device
Slide 11: RFID Usage Examples
- Security: door locks
- Transportation: bus or train passes, iPass system, passports
- Medical: VeriChip (PositiveID), equipment tracking
- Farming: animal tracking
- Libraries: book inventory and checkout systems
- Museums: eXspot exhibits system
- Sports: fitness tracking, race timing
- Schools: taking attendance, student tracking
Slide 13: How RFID Works
- We will demonstrate using Prox from HID Global, a common access badge system
- The reader generates a 125 kHz sine wave electromagnetic (EM) field
- An antenna in the card is brought into that field
- A bit of the power in that field is “tapped” to power the card
- The card's antenna is tuned to that carrier; the card then switches a load across it (damping it) in a pattern that carries the HID message
- The strength of the field at the reader's antenna changes each time the card damps its antenna, so the reader sees the message as amplitude changes on its own carrier
Slide 14: Oscilloscope Demo
Slide 15: Carrier – Zoomed Out
Slide 16: Amplitude Modulated Signal
Slide 17: What is the Envelope?
Slide 18: Modulated and Decoded Signals
Slide 19: Frequency Shift Keying of the Envelope
Slide 20: Manchester Encoding
- Now you have the envelope, which produces a stream of 0s and 1s
- What does it mean?
- It is Manchester encoded
Slide 21: Manchester Encoding (diagram)
Slide 22: Manchester Encoding
Example stream: 11010010101010101100101010110011001011010101010101010011
Each data bit is sent as a pair of half-bit symbols:
- 10 = '1'
- 01 = '0'
- 11 = Invalid!
- 00 = Invalid!
Slide 23: Why is Manchester Encoding Cool?
- Self-clocking: you can determine the start/end of each bit without a separate clock signal
- Error detection: “000” and “111” would never be valid
- Ability to transmit ‘0’: a ‘0’ is distinguished from silence
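The three properties on this slide (self-clocking, invalid runs, and pair decoding) are easiest to see in code. The decoder below is an added example, not code from the presentation; it starts from the symbol stream the envelope stage hands you and uses the slide's convention (10 = '1', 01 = '0'). The input is the bit stream from the Manchester Encoding example slide, taken as the 56 symbols that precede the legend; the function and constant names are my own.

```python
# Manchester encode/decode for a demodulated 125 kHz badge envelope, following
# the slide's convention: '1' -> "10", '0' -> "01"; "11" and "00" are never valid.
# Added example, not code from the presentation.

# Symbol stream from the "Manchester Encoding" example slide (56 half-bit symbols).
SLIDE_STREAM = "11010010101010101100101010110011001011010101010101010011"

SYMBOL_TO_BIT = {"10": "1", "01": "0"}
BIT_TO_SYMBOL = {"1": "10", "0": "01"}


def manchester_encode(bits: str) -> str:
    """Expand each data bit into its two-symbol Manchester pair (what a spoofer sends)."""
    if any(b not in BIT_TO_SYMBOL for b in bits):
        raise ValueError("data bits must be '0' or '1'")
    return "".join(BIT_TO_SYMBOL[b] for b in bits)


def has_invalid_run(stream: str) -> bool:
    """Error check from the slide: three equal symbols in a row can never occur
    in a valid Manchester stream, whatever the bit boundaries are."""
    return "000" in stream or "111" in stream


def decode_at_offset(stream: str, offset: int):
    """Pair up symbols starting at `offset`; return the data bits, or None as
    soon as a pair is "00" or "11" (meaning `offset` is not the bit boundary).
    A trailing unpaired symbol is ignored."""
    out = []
    for i in range(offset, len(stream) - 1, 2):
        bit = SYMBOL_TO_BIT.get(stream[i:i + 2])
        if bit is None:
            return None
        out.append(bit)
    return "".join(out)


def manchester_decode(stream: str):
    """Self-clocking recovery: there are only two candidate bit boundaries in a
    Manchester stream, so try both offsets and keep the one with no invalid
    pairs. Returns (offset, bits), or None when neither alignment is valid."""
    if has_invalid_run(stream):
        return None
    for offset in (0, 1):
        bits = decode_at_offset(stream, offset)
        if bits is not None:
            return offset, bits
    return None


if __name__ == "__main__":
    offset, bits = manchester_decode(SLIDE_STREAM)
    print("slide stream decodes at offset", offset, "->", bits)
    print("round trip ok:", manchester_decode(manchester_encode("1011")) == (0, "1011"))
```

Run against the slide's stream, offset 0 fails on the very first pair ("11"), while offset 1 decodes every pair cleanly; that is the self-clocking property in action: you never needed a separate clock to find the bit boundary.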
Slide 24: HID Card Format
- Convert the 16-bit card number from binary to decimal to get the card number printed on the card
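The slide names only the 16-bit card number field. As an added example (not the presentation's code), the block below builds and parses the frame that field lives in, assuming the common 26-bit Wiegand layout (HID's H10301 format: a leading even-parity bit, an 8-bit facility code, the 16-bit card number, and a trailing odd-parity bit); that layout is my assumption, since the slide's diagram is not in the extracted text. The facility code and card number used are constructed values, not a real badge, and the function names are my own.

```python
# Build and parse the 26-bit frame (HID H10301 format) behind the number printed
# on a Prox card. Added example, not code from the presentation.
# Assumed layout (standard 26-bit format, not spelled out on the slide):
#   bit 0       even parity over bits 1..12
#   bits 1..8   8-bit facility code
#   bits 9..24  16-bit card number (the number printed on the card)
#   bit 25      odd parity over bits 13..24


def _parity(bits: str) -> int:
    """0 if the string holds an even number of 1s, 1 if odd."""
    return bits.count("1") % 2


def encode_h10301(facility: int, card: int) -> str:
    """Build the 26-bit frame for a facility code / card number pair."""
    if not 0 <= facility < 256 or not 0 <= card < 65536:
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    data = format(facility, "08b") + format(card, "016b")
    even = str(_parity(data[:12]))        # bits 0..12 end up with an even count of 1s
    odd = str(1 - _parity(data[12:]))     # bits 13..25 end up with an odd count of 1s
    return even + data + odd


def decode_h10301(frame: str):
    """Split a 26-bit frame into (facility, card); None if length or parity is wrong."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        return None
    if _parity(frame[:13]) != 0:          # even-parity group failed
        return None
    if _parity(frame[13:]) != 1:          # odd-parity group failed
        return None
    facility = int(frame[1:9], 2)
    card = int(frame[9:25], 2)            # the 16 bits the slide says to convert to decimal
    return facility, card


# Constructed sample: facility code 123, card number 45678 (not a real badge).
SAMPLE_FRAME = encode_h10301(123, 45678)

if __name__ == "__main__":
    print(SAMPLE_FRAME)                   # 26 bits on the wire
    print(decode_h10301(SAMPLE_FRAME))    # (123, 45678)
    # A single flipped bit is caught by the parity check.
    flipped = "1" if SAMPLE_FRAME[3] == "0" else "0"
    print(decode_h10301(SAMPLE_FRAME[:3] + flipped + SAMPLE_FRAME[4:]))
```

Note what is absent from the frame: there is no key, nonce or cryptogram, only the facility code, the card number and two parity bits. Anyone who captures those 26 bits can regenerate the exact frame, which is why the badge spoofing demo later in the deck needs nothing more than a capture and an antenna.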
Slide 26: Proxmark III
- Enables sniffing, reading and cloning of RFID tags
- Works at 125 kHz, 134 kHz and 13.56 MHz
- Multiple protocol support (HID, NFC, MIFARE)
Slide 27: Badge Spoofing Demo
- Use a Proxmark to capture a HID RFID badge
Slide 28: Capturing HID Codes (RFID Snooper)
- We're going to take the cheap 125 kHz RFID lock, tap into the signal generated by the antenna and decode that signal with an Arduino to read HID card codes
Slide 29: Replaying HID Codes (RFID Spoofer)
- We're going to use the Arduino, a few electronic components and one of the blue key tags as an antenna
Slide 30: Building a Spoofer - Materials
- Arduino (Nano recommended)
- RFID key tag
- 1 2N3904 transistor
- 1 560 pF capacitor
- 1 10K resistor
- PCB or protoboard
Slide 31: How the Tag Modulates the Field
- LC (inductor and capacitor) circuit in the card, tuned to the reader's 125 kHz carrier
- Loading the coil (in the spoofer, switching the transistor across it) changes how much energy the tag draws from the field, and the reader sees that as an amplitude change
Slide 32: RFID Spoofer Circuit (schematic)
Slide 33: Spoofer Video
Slide 35: Securing RFID is Hard
- Minimal computing power
- No clock
- Limited entropy
- One-way communication
- Limited or no read/write memory
Slide 36: Case Study: MIFARE
MIFARE Classic
- Uses challenge-response
- Requires two-way communication
- Verifies the reader and the card
- Still a number of weaknesses that allow card cloning:
  - Poor random number generation
  - Weak 48-bit keys
MIFARE Ultralight C
- 3DES authentication proves that two entities have the same secret, and each entity can be seen as a reliable partner for the coming communication
Slide 37: Case Study: HID iClass
- High-security version of the HID card
- Uses encryption to protect card data
- Broken due to key management mistakes:
  - Master encryption key embedded in readers
  - Key was not changed even after it was exposed
  - Key rotation would require clients to replace readers and cards
Slide 38: Case Study: NFC Contactless Payments
- The NFC transmission itself is not secure
- Security relies upon other controls:
  - Virtual account number
  - Cryptogram
  - Read distance
  - PIN entry
Slide 40: Biohacking
- RFID chips are widely used to “chip” pets so they can be returned to their owners
- In December 2004, the “Implantable Radiofrequency Transponder System for Patient Identification and Health Information” was approved by the FDA
Slide 41: Implantable Radiofrequency Transponder
- A VeriChip can be used to identify a patient with a 16-digit number (10 quadrillion possibilities)
- The ID from the chip is used to look up the patient information in a database
- The chip does not store your medical history
- The VeriChip was used between 2004 and 2010
- There are ~300 people with VeriChip implants
Slide 42: Types of Implants
- RFID tags (125 kHz)
- NFC tags (13.56 MHz)
- Magnets
- Thermometer
- LED compass
- LED backlighting tattoos
- Tritium (alternative to radium)
Slide 43: Why are people doing this?
- Most commonly to authenticate to doors, replacing RFID access cards (such as HID)
- Medical reasons
- Lifestyle
Slide 44: Biohacking Experience
- I have an RFID (125 kHz) chip in my left hand
- Currently it is used to unlock doors at our office
- Is it secure?
  - Testing has shown it is very difficult to “read” the chip from something like a Proxmark
  - Badge readers can “see” it fine (most of the time)
  - However, someone could cut off my hand
Slide 45: Just After Implanting (image)
Slide 46: A Few Weeks Later
- After a few weeks, the implant can still be seen under the skin
Slide 47: Implant Quick Facts
- The implant cannot be programmed while in the syringe (you must implant it first)
- It might not work for a few days
- A Proxmark can write to the chip, but not read it
- Make sure you get one that is rewritable
- You might find it difficult to get someone to implant it for you
Slide 48: Biohacking Demo
- Using my implant to trigger the HID card reader and display it on screen
Slide 49: Questions?
Michael Vieau, mvieau@sikich.com, 877.403.5227 x360
Kevin Bong, kbong@sikich.com, 877.403.5227 x349