RFID Hacking Live Free or RFID Hard 24 Mar 2015 InfoSec World 2015 - PowerPoint PPT Presentation

RFID Hacking Live Free or RFID Hard 24 Mar 2015 – InfoSec World 2015 – Orlando, FL Presen sented ed b by: Francis Brown & Rob Ragan Bishop Fox www.bishopfox.com

Agenda O V E R V I E W • Qu Quic ick k Over erview ew • RFID badge basics • Hackin king T g Tool ools • Primary existing RFID hacking tools • Badge stealing, replaying, and cloning • Attacking badge readers and controllers directly • Planting Pwn Plugs and other backdoors • Cus Custom S Solu lution • Arduino and weaponized commercial RFID readers • Def efens enses es • Protecting badges, readers, controllers, and more 2

Methodology 3 S T E P A P P R O A C H 1. Silently steal badge info 2. Create card clone 3. Enter and plant backdoor 3

Distance Limitations A $ $ G R A B B I N G M E T H O D Existing RFID hacking tools only work when a few centimeters away from badge 4

Introduction/Background GETTING UP TO SPEED 5

Badge Basics F R E Q U E N C I E S 6

Legacy 125kHz S T I L L K I C K I N • “Legacy 125-kilohertz proximity technology is still in place at around 70% t % to 80% % of all physical access control deployments in the U.S. and it will be a long time” - Stephane Ardiley, HID Global. • “There is no no security ty, the they’ y’ve b been ha n hacked, there’s no protection of data, no privacy, everything is in the clear and it’s not resistant to sniffing or common attacks.” 80% 7

Opposite of Progress T A L K M O T I V A T I O N S 2007 2013 HID Global - Making the Leap from Prox to Contactless ID Cards 8 https://www.hidglobal.com/blog/making-leap-prox-contactless-id-cards

How a Card Is Read P O I N T S O F A T T A C K Controller Wiegand output Reader Card Ethernet • Broadcasts 26-37 bit card number Card • Converts card data to “Wiegand Protocol” Reader for transmission to the controller • No access decisions are made by reader • Binary card data “format” is decoded Controller • Makes decision to grant access (or not) • Add/remove card holders, access privileges Host PC • Monitor system events in real time Host PC HID Global – How a HID Card is “Read” (PDF) 9 https://info.hidglobal.com/WP-How-an-HID-Card-is-Read_Request.html

Badge Types 10

Badge Basics C A R D E L E M E N T S Card – “Formats” Decoded • Card ID Number • Facility Code • Site Code (occasionally) *Note: if saw printed card number on badge, could potentially brute force the 1-255 facility code (for Standard 26 bit card) 11

Badge Formats D A T A F O R M A T S HID ID ProxCar ard II II “F “Format ats” • 26 26 – 37 bi 37 bit c car ards ds • 44 bi 44 bits ac actual ally o y on c n car ard • 10 10 hex hex c char harac acters • Le Leadi ading 0 g 0 usually ally dr droppe pped HID Global – Understanding Card Data Formats (PDF) 12 https://www.hidglobal.com/sites/hidglobal.com/files/hid-understanding_card_data_formats-wp-en.pdf

Badge Formats D A T A F O R M A T S HID Global – MaxiProx 5375 – Install Guide (PDF) 13 http://www.hidglobal.com/sites/hidglobal.com/files/resource_files/maxiprox_ins_en.pdf

RFID Other Usage W H E R E E L S E ? 14

RFID Hacking Tools P E N T E S T T O O L K I T 15

Proxmark3 R F I D H A C K I N G T O O L S • RFID Hacking swiss army knife • Read/simulate/clone RFID cards $399 Single button, crazy flow diagram on lone button below 16

ProxBrute R F I D H A C K I N G T O O L S • Custom firmware for the Proxmark3 • Brute-force higher privileged badges, like data center door 17

RFIDiot Scripts R F I D H A C K I N G T O O L S 18

RFIDeas Tools R F I D H A C K I N G T O O L S • No software required $269.00 • Identifies card type and data • Great for badges w/o visual indicators of card type 19

Tastic Solution L O N G R A N G E R F I D S T E A L E R

Tastic RFID Thief L O N G R A N G E R F I D S T E A L E R • Easily hide in briefcase or messenger bag, read badges from up t p to 3 f 3 feet aw away • Silent powering and stealing of RFID badge creds to be cloned later using T55x7 cards 21

Tastic RFID Thief L O N G R A N G E R F I D S T E A L E R • Designed using Fritzing • Exports to Extended-Gerber • Order PCB at www.4pcb.com • $33 for 1 PCB • Much cheaper in bulk 22

Custom PCB T A S T I C R F I D T H I E F Custom PCB – easy to plug into any type of RFID badge reader 23

Wiegand Input T A S T I C R F I D T H I E F Tastic Custom PCB – reads from Wiegand output of RFID badge reader: • Outputs a badge binary number by sending electrical pulses for ‘0’ and ‘1’ on wires Data 0 and Data 1 • Wiegand Interface consists of 3 lines: “Data 0”, “Data 1”, “Data Return” (Ground) • To send a ‘0’-bit, a pulse is sent on DATA 0 (Green) • To send a ‘1’-bit, a pulse is sent on DATA 1 (White) • Every HID reader has a Wiegand output available Wiegand Interface 24 https://en.wikipedia.org/wiki/Wiegand_interface

Commercial Readers T A S T I C R F I D T H I E F Long-range commercial RFID readers to weaponize: 3 out of 4 HID RFID product families covered 25

Commercial Readers T A S T I C R F I D T H I E F ~$400 - $500 on ebay • HID ID Max axiProx 5375 5375AGN00 • Indal Indala L a Long ng-Ran ange R Reade eader 620 620 ~$400 - $500 on ebay 26

Commercial Readers T A S T I C R F I D T H I E F ~$345 on ebay • HID D iCLASS SS – R90 90 – Lon Long R g Range ge Reade eader • Tastic PCB in R90 will pick up iCLASS card if target company is using default “Standard Security”. Chaos27th-Analyzing a Modern Cryptographic RFID System-Dec2010 27 http://events.ccc.de/congress/2010/Fahrplan/events/4114.en.html

iCLASS Cloner X F P G A . C O M - F R O M C H I N A • http://www.xfpga.com/html_products/iclass- card-cloner-en-82.html • Read/Write iCLASS cards using “Standard Security” only (not “High” or “Elite”) • Requires older 32bit driver, and won’t let you run in a VM (so Win32 actual install necessary) • Built from original ContactlessDemoVC.exe • USB hardware licensing dongle shipped ~$218 USD Uses: OmniKey CardMan 5321 USB - RFID Reader (13.56 Mhz ) 28

Indala Cloning E X A M P L E I N P R A C T I C E 29

Tastic Solution: Add-ons M O D U L E S T O P O T E N T I A L L Y A D D • Arduino NFC Shield • Arduino BlueTooth Modules • Arduino WiFly Shield (802.11b/g) • Arduino GSM/GPRS shields (SMS messaging) • WIZnet Embedded Web Server Module • Xbee 2.4GHz Module (802.15.4 Zigbee) • Parallax GPS Module PMB-648 SiRF • Arduino Ethernet Shield • Redpark - Serial-to-iPad/iPhone Cable 30

Forward Channel Attacks P A S S I V E E A V E S D R O P P I N G R F I D 31

Droppin’ Eaves B A D G E B R O A D C A S T S MIT Proximity Card Culnerabilities http://www.josephhall.org/tmp/mit_prox_vulns.pdf MIT 6.857 - RFID Security and Privacy 02Nov2004 32 http://groups.csail.mit.edu/cis/crypto/classes/6.857/papers/rfid.ppt

Cloner 2.0 by Paget E A V E S D R O P P I N G A T T A C K • Chris Paget talked of his tool reach ching g 10 feet feet for this type of attack • Tool never actually released, unfortunately • Una naware of any p ny pub ublic t tools that exist for this attack currently Black Hat 2007 - RFID for Beginners - Chris Paget 33 https://www.blackhat.com/presentations/bh-usa-07/Paget/Presentation/bh-usa-07-paget.pdf

RFID Card Cloning C A R D P R O G R A M M I N G 34

Programmable Cards Simulate data and and behav behavior of any badge type • T55x7 Cards • Q5 cards (T5555) Emu Emulat lating: g: HID 26bi 26bit car card 35

Programmable Cards Cloning to T55x T55x7 C Car ard using Proxmark3 • T55x 55x7 7 Car ards ds • Q5 car 5 cards ds (T5555 5555) • Simulate data an and be d behavior of any badge type • HID Prox Cloning – example: • Indala Prox Cloning – example: • ioProx Cloning – example: 36

Reader and Controller Attacks D I R E C T A P P R O A C H 37

Reader Attacks J A C K E D I N • Dump private keys, valid badge info, and more in few seconds • Plant backdoor devices in reader • Brute-force badge numbers over the wire via Wiegand (5x faster) 38

Reader Attacks G E C K O – M I T M A T T A C K Never publicly released • Insert in door reader of target building – record badg badge #s #s • Tastic R RFI FID Th Thief ief’s P PCB could be used similiarly for MITM attack Black Hat D.C. 2008 - Biometric and Token-Based Access Control Systems - Franken 39 http://www.blackhat.com/presentations/bh-dc-08/Franken/Presentation/bh-dc-08-franken.pdf

Reader Attacks T A S T I C – M I T M A T T A C K + • Insert in door reader of target building – record badg badge #s #s • Tastic R RFI FID Th Thief ief’s P PCB could be used similiarly for MITM attack 40

Controller Attacks J A C K E D I N Shmoocon 2012 - Attacking Proximity Card Systems - Brad Antoniewicz 41 http://www.shmoocon.org/2012/videos/Antoniewicsz-AttackingCardAccess.m4v