Demystifying RFID Technology - PowerPoint Presentation

Uploaded On 2018-02-25



Presentation Transcript

Slide 1: Demystifying RFID Technology

Michael Vieau, CISSP, CEH
Kevin Bong, GSE, PMP, QSA, GCIH, GCIA, GPPA, GSEC, GCFA, GAWN

Slide 2: About Sikich Security & Compliance

- A full-service information security and compliance consulting practice within Sikich
- Audits and assessments
- Penetration testing
- Forensics
- Handle anything having to do with security or protecting data, including:
  - Credit card data (PCI DSS)
  - Patient data (HIPAA/HITECH)
  - Financial information (FFIEC/GLBA)
  - Service provider reviews (SOC 1/2/3)
  - Federal information security standards (NIST/FISMA)

Slide 3: About Michael & Kevin

- Penetration testers in the Security & Compliance practice at Sikich
- Hardware hacking hobbyists
- Creators/maintainers of the “MiniPwner” penetration testing drop box project

Slide 4: Agenda

- What is RFID?
- Where is RFID used?
- How does RFID work?
- Hacking RFID
- Securing RFID
- Biohacking with RFID

Slide 5: Agenda

- What is RFID?
- Where is RFID used?
- How does RFID work?
- Hacking RFID
- Securing RFID
- Biohacking with RFID

Slide 6: What is RFID?

- RFID = Radio Frequency IDentification
- The system is made of two main parts:
  - Tag (transmitter)
  - Reader (receiver)
- Basically a tracking and inventory system

Slide 7: Passive vs. Active Tags

- Passive tags
  - Do not have a power source
  - Draw power from the reader
  - Inexpensive to produce
  - Widely used in many industries
- Active tags
  - Have a built-in power source
  - Can work at greater distances than a passive tag
  - Can offer added security (challenge response)

Slide 8: Passive Tag, Active Tag

Slide 9: Agenda

- What is RFID?
- Where is RFID used?
- How does RFID work?
- Hacking RFID
- Securing RFID
- Biohacking with RFID

Slide 10: Where is RFID used?

- RFID is used in many different industries, from transportation to health care and even sports
- More recently, people have begun to use near-field communication (NFC) to pay for shopping using a mobile device

Slide 11: RFID Usage Examples

- Security: door locks
- Transportation: bus or train passes, iPass system, passports
- Medical: VeriChip (PositiveID), equipment tracking
- Farming: animal tracking
- Libraries: book inventory and checkout systems
- Museums: eXspot exhibits system
- Sports: fitness tracking, race timing
- Schools: taking attendance, student tracking

Slide 12: Agenda

- What is RFID?
- Where is RFID used?
- How does RFID work?
- Hacking RFID
- Securing RFID
- Biohacking with RFID

Slide 13: How RFID Works

- We will demonstrate using Prox from HID Global, a common access badge system
- The reader generates a 125 kHz sine wave electromagnetic (EM) field
- An antenna in the card is brought into that field
- A bit of the power in that field is “tapped” to power the card
- The card’s antenna is tuned and dampened to create the HID message
- The strength of the field in the reader’s antenna changes with the dampening of the card

Slide 14: Oscilloscope Demo

Slide 15: Carrier – Zoomed Out

Slide 16: Amplitude Modulated Signal

Slide 17: What is the Envelope?

Slide 18: Modulated and Decoded Signals

Slide 19: Frequency Shift Keying of the Envelope

Slide 20: Manchester Encoding

- Now you have the envelope, which produces a stream of 0s and 1s
- What does it mean?
- It is Manchester encoded

Slide 21: Manchester Encoding

Slide 22: Manchester Encoding

Example: 11010010101010101100101010110011001011010101010101010011

- 10 = '1'
- 01 = '0'
- 11 = Invalid!
- 00 = Invalid!

Slide 23: Why is Manchester Encoding Cool?

- Self-clocking
  - You can determine the start/end of each bit without a separate clock signal
- Error detection
  - “000” and “111” would never be valid
- Ability to transmit ‘0’
  - Distinguished from silence
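An added example, not from the slides, that applies the decoding rule on the Manchester Encoding example slide (10 = '1', 01 = '0', 11 and 00 invalid) to that slide's own bit stream and shows the self-clocking and error-detection properties in code: it tries both pair alignments and keeps the one that never produces an invalid pair. The bit stream constant is the one printed on the example slide, without the legend.

```python
# Added example (not from the slides): a Manchester decoder using the slide's
# convention, 10 -> '1' and 01 -> '0'; the pairs 11 and 00 are never valid.
# Every valid symbol contains a transition, so the decoder is self-clocking:
# it tries both pair alignments and keeps the one that produces no invalid pair.

SYMBOL = {"10": "1", "01": "0"}      # valid Manchester pairs per the slide's legend


def decode_at(stream: str, offset: int):
    """Decode pairs starting at `offset`.

    Returns (decoded_bits, index_of_first_invalid_pair_or_None). A trailing
    odd bit is ignored, since it cannot form a complete symbol.
    """
    bits = []
    for i in range(offset, len(stream) - 1, 2):
        symbol = SYMBOL.get(stream[i:i + 2])
        if symbol is None:                 # 00 or 11: misaligned or corrupt
            return "".join(bits), i
        bits.append(symbol)
    return "".join(bits), None


def manchester_decode(stream: str):
    """Self-clocking decode: pick the alignment that never hits an invalid pair.

    Returns (offset, decoded_bits); raises ValueError if neither alignment works.
    """
    errors = {}
    for offset in (0, 1):
        bits, bad = decode_at(stream, offset)
        if bad is None:
            return offset, bits
        errors[offset] = bad
    raise ValueError(f"no valid alignment; first invalid pair per offset: {errors}")


# The bit stream printed on the slide (the part before the 10/01 legend).
SLIDE_STREAM = "11010010101010101100101010110011001011010101010101010011"

if __name__ == "__main__":
    offset, bits = manchester_decode(SLIDE_STREAM)
    print(f"alignment offset {offset}: {bits}")   # offset 1 decodes cleanly
```

Offset 0 fails on the very first pair (11), which is the error-detection property doing its job; offset 1 decodes the whole stream.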

Slide 24: HID Card Format

- Convert the 16-bit card number from binary to decimal to get the card number printed on the card
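An added example, not from the slides, that parses a 26-bit HID Prox frame into its facility code and the 16-bit card number this slide refers to, verifying both parity bits before trusting the result, as a reader should. It assumes the standard H10301 layout (even parity bit, 8-bit facility code, 16-bit card number, odd parity bit); the facility code 42 and card number 1234 are constructed sample values.

```python
# Added example (not from the slides): encode and parse the common 26-bit HID
# Prox format (H10301). Assumed layout, MSB first:
#   [even parity][8-bit facility code][16-bit card number][odd parity]
# The even parity bit covers the first 12 data bits, the odd parity bit the last 12.


def encode_h10301(facility: int, card: int) -> str:
    """Build the 26-bit frame as a string of '0'/'1' (MSB first)."""
    if not 0 <= facility < 256 or not 0 <= card < 65536:
        raise ValueError("facility code must fit in 8 bits, card number in 16 bits")
    data = f"{facility:08b}{card:016b}"          # 24 data bits
    even = str(data[:12].count("1") % 2)        # makes ones in bit 0..12 even
    odd = str(1 - data[12:].count("1") % 2)     # makes ones in bit 13..25 odd
    return even + data + odd


def decode_h10301(frame: str) -> dict:
    """Return facility code, card number and parity status for a 26-bit frame."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    data = frame[1:25]
    even_ok = (frame[0] + data[:12]).count("1") % 2 == 0
    odd_ok = (data[12:] + frame[25]).count("1") % 2 == 1
    return {
        "facility": int(data[:8], 2),
        "card": int(data[8:], 2),        # the 16-bit number printed on the card
        "parity_ok": even_ok and odd_ok,  # a reader should reject the read if False
    }


# Constructed sample values (not from the slides).
SAMPLE_FRAME = encode_h10301(42, 1234)

if __name__ == "__main__":
    print(SAMPLE_FRAME, decode_h10301(SAMPLE_FRAME))
```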

Slide 25: Agenda

- What is RFID?
- Where is RFID used?
- How does RFID work?
- Hacking RFID
- Securing RFID
- Biohacking with RFID

Slide 26: Proxmark III

- Enables sniffing, reading and cloning of RFID tags
- Works at 125 kHz, 134 kHz and 13.56 MHz
- Multiple protocol support (HID, NFC, MiFare)

Slide 27: Badge Spoofing Demo

- Use a Proxmark to capture a HID RFID badge

Slide 28: Capturing HID Codes (RFID Snooper)

- We’re going to take the cheap 125 kHz RFID lock, tap into the signal generated by the antenna and decode that signal with an Arduino to read HID card codes

Slide 29: Replaying HID Codes (RFID Spoofer)

- We’re going to use the Arduino, a few electronic components and one of the blue key tags as an antenna

Slide 30: Building a Spoofer - Materials

- Arduino (Nano recommended)
- RFID key tag
- 1 2N3904 transistor
- 1 560 pF capacitor
- 1 10K resistor
- PCB or protoboard

Slide 31: How the Tag Modulates the Field

- LC (inductor and capacitor) circuit in the card

Slide 32: RFID Spoofer Circuit

Slide 33: Spoofer Video

Slide 34: Agenda

- What is RFID?
- Where is RFID used?
- How does RFID work?
- Hacking RFID
- Securing RFID
- Biohacking with RFID

Slide 35: Securing RFID is Hard

- Minimal computing power
- No clock
- Limited entropy
- One-way communication
- Limited or no read/write memory

Slide 36: Case Study: MiFare

- MiFare Classic uses challenge-response
  - Requires two-way communication
  - Verifies the reader and the card
- Still a number of weaknesses that allow card cloning
  - Poor random number generation
  - Weak 48-bit keys
- MiFare Ultralight C
  - 3DES authentication proves that two entities have the same secret and each entity can be seen as a reliable partner for the coming communication

Slide 37: Case Study: HID iClass

- High-security version of the HID card
- Uses encryption to protect card data
- Broken due to key management mistakes
  - Master encryption key embedded in readers
  - Key was not changed even after it was exposed
  - Key rotation would require clients to replace readers and cards

Slide 38: Case Study: NFC Contactless Payments

- NFC transmissions are not secure
- Relies upon other security controls:
  - Virtual account number
  - Cryptogram
  - Read distance
  - PIN entry

Slide 39: Agenda

- What is RFID?
- Where is RFID used?
- How does RFID work?
- Hacking RFID
- Securing RFID
- Biohacking with RFID

Slide 40: Biohacking

- RFID chips are widely used to “chip” pets so they can be returned to their owners
- In December 2004, the “Implantable Radiofrequency Transponder System for Patient Identification and Health Information” was approved by the FDA

Slide 41: Implantable Radiofrequency Transponder

- A VeriChip can be used to identify a patient with a 16-digit number (10 quadrillion possibilities)
- The ID from the chip is used to look up the patient information in a database
- The chip does not store your medical history
- The VeriChip was used between 2004 and 2010
- There are ~300 people with VeriChip implants

Slide 42: Types of Implants

- RFID tags (125 kHz)
- NFC tags (13.65 MHz)
- Magnets
- Thermometer
- LED compass
- LED backlighting tattoos
- Tritium (alternative to radium)

Slide 43: Why are people doing this?

- Most commonly to authenticate to doors
  - Replacing RFID access cards (such as HID)
- Medical reasons
- Lifestyle

Slide 44: Biohacking Experience

- I have an RFID (125 kHz) chip in my left hand
- Currently it is used to unlock doors at our office
- Is it secure?
  - Testing has shown it is very difficult to “read” the chip from something like a Proxmark
  - Badge readers can “see” it fine (most of the time)
  - However, someone could cut off my hand

Slide 45: Just After Implanting

Slide 46: A Few Weeks Later

- After a few weeks, the implant can still be seen under the skin

Slide 47: Implant Quick Facts

- The implant cannot be programmed while in the syringe (you must implant it first)
- It might not work for a few days
- A Proxmark can write to the chip, but not read it
- Make sure you get one that is rewritable
- You might find it difficult to get someone to implant it for you

Slide 48: Biohacking Demo

- Using my implant to trigger the HID card reader and display it on screen

Slide 49: Questions?

Michael Vieau
mvieau@sikich.com
877.403.5227 x360

Kevin Bong
kbong@sikich.com
877.403.5227 x349