DEF CON 21-RFID Hacking

Uploaded by

Semih AYBASTI
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
100% found this document useful (4 votes)
836 views50 pages

DEF CON 21-RFID Hacking

Uploaded by

Semih AYBASTI
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 50

RFID Hacking

Live Free or RFID Hard


03 Aug 2013 – DEF CON 21 (2013) – Las Vegas, NV

Presented by:
Francis Brown
Bishop Fox
www.bishopfox.com
Agenda
OVERVIEW

• Quick Overview
  • RFID badge basics
• Hacking Tools
  • Primary existing RFID hacking tools
  • Badge stealing, replaying, and cloning
  • Attacking badge readers and controllers directly
  • Planting Pwn Plugs and other backdoors
• Custom Solution
  • Arduino and weaponized commercial RFID readers
• Defenses
  • Protecting badges, readers, controllers, and more

Introduction/Background
GETTING UP TO SPEED

Badge Basics
FREQUENCIES

Name                         Frequency               Distance
Low Frequency (LF)           120kHz – 140kHz         <3ft (commonly under 1.5ft)
High Frequency (HF)          13.56MHz                3-10 ft
Ultra-High-Frequency (UHF)   860-960MHz (regional)   ~30ft

Legacy 125kHz
STILL KICKIN

• “Legacy 125-kilohertz proximity technology is still in place at around 70% to 80% of all physical access control deployments in the U.S. and it will be a long time” - Stephane Ardiley, HID Global.
• “There is no security, they’ve been hacked, there’s no protection of data, no privacy, everything is in the clear and it’s not resistant to sniffing or common attacks.”

Opposite of Progress
TALK MOTIVATIONS

Figure: 2007 vs. 2013

HID Global - Making the Leap from Prox to Contactless ID Cards
https://www.hidglobal.com/blog/making-leap-prox-contactless-id-cards

How a Card Is Read
POINTS OF ATTACK

Card → Card Reader → (Wiegand output) → Controller → (Ethernet) → Host PC

Card        • Broadcasts 26-37 bit card number
Reader      • Converts card data to “Wiegand Protocol” for transmission to the controller
            • No access decisions are made by reader
Controller  • Binary card data “format” is decoded
            • Makes decision to grant access (or not)
Host PC     • Add/remove card holders, access privileges
            • Monitor system events in real time

Badge Types
HID PRODUCTS

• The data on any access card is simply a string of binary numbers (ones and zeros) of some fixed configuration and length, used to identify the cardholder
• HID makes different types of cards capable of carrying this binary data including:
  • Magnetic Stripe
  • Wiegand (swipe)
  • 125 kHz Prox (HID & Indala)
  • MIFARE contactless smart cards
  • iCLASS contactless smart cards
  • Multi-technology cards

Badge Types

Badge Basics
CARD ELEMENTS

Card – “Formats” Decoded

• Card ID Number
• Facility Code
• Site Code (occasionally)

Note: if the printed card number on a badge is visible, the 1-255 facility code could potentially be brute forced (for a Standard 26 bit card)

Badge Formats
DATA FORMATS

HID ProxCard II “Formats”

• 26 – 37 bit cards
• 44 bits actually on card
• 10 hex characters
• Leading 0 usually dropped

HID Global – Understanding Card Data Formats (PDF)
http://www.hidglobal.com/documents/understandCardDataFormats_wp_en.pdf

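The Standard 26-bit format the slides refer to (8-bit facility code, 16-bit card number, two parity bits), worked as an added example that is not code from the talk or from Bishop Fox: a controller-side encoder and decoder for the published H10301 layout, with both parity bits verified. The facility code and card number used in the test are constructed values.

```python
from dataclasses import dataclass

# HID Standard 26-bit (H10301) Wiegand frame, transmitted MSB first:
#   bit 1       even parity over bits 2-13
#   bits 2-9    facility code (8 bits: 0-255, which is why the slides' 1-255 guess space is tiny)
#   bits 10-25  card number (16 bits: 0-65535)
#   bit 26      odd parity over bits 14-25
# Parity is the only integrity check the format carries; the frame contains no secret.

@dataclass
class Wiegand26:
    facility_code: int
    card_number: int

def _parity(value: int) -> int:
    """1 if `value` has an odd number of set bits, else 0."""
    return bin(value).count("1") & 1

def encode_wiegand26(facility_code: int, card_number: int) -> int:
    """Build the 26-bit frame (as an int) a reader would send for this credential."""
    if not (0 <= facility_code <= 0xFF and 0 <= card_number <= 0xFFFF):
        raise ValueError("facility code must be 8 bits and card number 16 bits")
    payload = (facility_code << 16) | card_number   # the 24 data bits (bits 2-25)
    even_bit = _parity(payload >> 12)               # bits 1-13 end up with an even number of ones
    odd_bit = _parity(payload & 0xFFF) ^ 1          # bits 14-26 end up with an odd number of ones
    return (even_bit << 25) | (payload << 1) | odd_bit

def decode_wiegand26(frame: int) -> Wiegand26:
    """Controller-side decode: reject any frame whose parity bits do not check out."""
    if frame < 0 or frame >> 26:
        raise ValueError("frame must be exactly 26 bits")
    payload = (frame >> 1) & 0xFFFFFF
    if _parity(payload >> 12) != frame >> 25:
        raise ValueError("even parity check failed")
    if (_parity(payload & 0xFFF) ^ 1) != (frame & 1):
        raise ValueError("odd parity check failed")
    return Wiegand26(facility_code=payload >> 16, card_number=payload & 0xFFFF)

def frame_is_valid(frame: int) -> bool:
    """True when both parity bits agree with the data bits."""
    try:
        decode_wiegand26(frame)
        return True
    except ValueError:
        return False

def frame_to_bits(frame: int) -> str:
    """Render the frame as the 26-character bit string clocked out on the Data0/Data1 lines."""
    return format(frame, "026b")
```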
Badge Formats
DATA FORMATS

RFID Other Usage
WHERE ELSE?

RFID Hacking Tools
PENTEST TOOLKIT

Methodology
3 STEP APPROACH

1. Silently steal badge info
2. Create card clone
3. Enter and plant backdoor

Distance Limitations
A$$ GRABBING METHOD

Existing RFID hacking tools only work when a few centimeters away from badge

Proxmark3
RFID HACKING TOOLS

• RFID Hacking swiss army knife
• Read/simulate/clone RFID cards
• $399

Single button, crazy flow diagram on lone button below

ProxBrute
RFID HACKING TOOLS

• Custom firmware for the Proxmark3
• Brute-force higher privileged badges, like data center door

RFIDiot Scripts
RFID HACKING TOOLS

RFIDeas Tools
RFID HACKING TOOLS

• $269.00
• No software required
• Identifies card type and data
• Great for badges w/o visual indicators of card type

Tastic Solution
LONG RANGE RFID STEALER

Tastic RFID Thief
LONG RANGE RFID STEALER

• Easily hide in briefcase or messenger bag, read badges from up to 3 feet away
• Silent powering and stealing of RFID badge creds to be cloned later using T55x7 cards

Tastic RFID Thief
LONG RANGE RFID STEALER

• Designed using Fritzing
• Exports to Extended-Gerber
• Order PCB at www.4pcb.com
  • $33 for 1 PCB
  • Much cheaper in bulk

Custom PCB
TASTIC RFID THIEF

Custom PCB – easy to plug into any type of RFID badge reader

Wiegand Input
TASTIC RFID THIEF

Custom PCB – reads from Wiegand output of reader

Commercial Readers
TASTIC RFID THIEF

• HID MaxiProx 5375AGN00
• Indala Long-Range Reader 620

Indala Cloning
EXAMPLE IN PRACTICE

Tastic Solution: Add-ons
MODULES TO POTENTIALLY ADD

• Arduino NFC Shield
• Arduino BlueTooth Modules
• Arduino WiFly Shield (802.11b/g)
• Arduino GSM/GPRS shields (SMS messaging)
• WIZnet Embedded Web Server Module
• Xbee 2.4GHz Module (802.15.4 Zigbee)
• Parallax GPS Module PMB-648 SiRF
• Arduino Ethernet Shield
• Redpark - Serial-to-iPad/iPhone Cable

Forward Channel Attacks
EAVESDROPPING RFID

Droppin’ Eaves
BADGE BROADCASTS

Cloner 2.0 by Paget
EAVESDROPPING ATTACK

• Chris Paget talked of his tool reaching 10 feet for this type of attack
• Tool never actually released, unfortunately
• Unaware of any public tools that exist for this attack currently

RFID Card Cloning
CARD PROGRAMMING

Programmable Cards
Simulate data and behavior of any badge type

• T55x7 Cards
• Q5 cards (T5555)

Figure: emulating HID 26bit card

Programmable Cards
Cloning to T55x7 Card using Proxmark3

• HID Prox Cloning – example:
• Indala Prox Cloning – example:

Reader and Controller Attacks
DIRECT APPROACH

Reader Attacks
JACKED IN

• Dump private keys, valid badge info, and more in few seconds

Reader Attacks
GECKO–MITM ATTACK

• Insert in door reader of target building – record badge #s
• Tastic RFID Thief’s PCB could be used similarly for MITM attack

Controller Attacks
JACKED IN

Shmoocon 2012 - Attacking Proximity Card Systems - Brad Antoniewicz
http://www.shmoocon.org/2012/videos/Antoniewicsz-AttackingCardAccess.m4v

Backdoors and Other Fun
LITTLE DIFFERENCES

Pwn Plug
MAINTAINING ACCESS

• Pwn Plug Elite: $995.00
• Power Pwn: $1,495.00

Raspberry Pi
MAINTAINING ACCESS

• Raspberry Pi - credit card sized, single-board computer – cheap $35

Raspberry Pi
MAINTAINING ACCESS

• Raspberry Pi – cheap alternative (~$35) to Pwn Plug/Power Pwn
  • Pwnie Express – Raspberry Pwn
  • Rogue Pi – RPi Pentesting Dropbox
  • Pwn Pi v3.0

Little Extra Touches
GO A LONG WAY

• Fake polo shirts for target company
  • Get logo from target website
• Fargo DTC515 Full Color ID Card ID Badge Printer
  • ~$500 on Amazon
• Badge accessories
• HD PenCam - Mini 720p Video Camera
• Lock pick gun/set

Defenses
AVOID BEING PROBED

RFID Security Resources
SLIM PICKINS...

• RFID Security by Syngress
  • Not updated since July 2005
• NIST SP 800-98 – Securing RFID
  • Not updated since April 2007
• Hackin9 Magazine – Aug 2011
  • RFID Hacking, pretty decent

Defenses
RECOMMENDATIONS

• Consider implementing a more secure, active RFID system (e.g. “contactless smart cards”) that incorporates encryption, mutual authentication, and message replay protection.
• Consider systems that also support 2-factor authentication, using elements such as a PIN pad or biometric inputs.
• Consider implementing physical security intrusion and anomaly detection software.

HID Global - Best Practices in Access Control White Paper (PDF)
https://www.hidglobal.com/node/16181

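The anomaly detection recommendation above, as an added example that is not from the talk or from Bishop Fox: two checks run over constructed controller event lines, one for a credential granted at two readers faster than anyone could walk between them (the signature of a cloned badge), and one for a burst of distinct denied card numbers at a single reader (the sequential guessing ProxBrute-style tools produce). The log layout, reader names, walking-time and burst thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed controller events (not from the talk): time, reader, facility code, card number, result.
SAMPLE_EVENTS = """\
2013-08-03T09:00:01 lobby 34 12345 GRANT
2013-08-03T09:00:45 lobby 34 20001 GRANT
2013-08-03T09:02:10 datacenter 34 12345 GRANT
2013-08-03T09:03:00 datacenter 34 12346 DENY
2013-08-03T09:03:01 datacenter 34 12347 DENY
2013-08-03T09:03:02 datacenter 34 12348 DENY
2013-08-03T09:03:03 datacenter 34 12349 DENY
2013-08-03T09:03:04 datacenter 34 12350 DENY
"""

def parse_events(text):
    """Parse one whitespace-separated event per line into (time, reader, fc, card, result)."""
    events = []
    for line in text.splitlines():
        ts, reader, fc, card, result = line.split()
        events.append((datetime.fromisoformat(ts), reader, int(fc), int(card), result))
    return events

def find_clone_suspects(events, min_travel=timedelta(minutes=5)):
    """Flag a credential granted at two different readers closer in time than min_travel
    (assumed minimum walking time between any two doors): one badge, two holders."""
    last_grant, alerts = {}, []
    for ts, reader, fc, card, result in sorted(events):
        if result != "GRANT":
            continue
        prev = last_grant.get((fc, card))
        if prev and prev[1] != reader and ts - prev[0] < min_travel:
            alerts.append(((fc, card), prev[1], reader, ts))
        last_grant[(fc, card)] = (ts, reader)
    return alerts

def find_bruteforce_suspects(events, window=timedelta(seconds=30), threshold=5):
    """Flag a reader that denies `threshold` or more distinct card numbers within `window`:
    a legitimate holder retries the same card, a guesser walks through the ID space."""
    recent, alerts = defaultdict(list), []
    for ts, reader, fc, card, result in sorted(events):
        if result != "DENY":
            continue
        recent[reader] = [e for e in recent[reader] if ts - e[0] <= window] + [(ts, card)]
        if len({c for _, c in recent[reader]}) >= threshold:
            alerts.append((reader, ts, len(recent[reader])))
    return alerts
```

Both checks are stateless per run, so in practice they would be fed a sliding window of recent events from the controller's event feed rather than the whole history.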
Defenses
RECOMMENDATIONS

• Instruct employees not to wear their badges in prominent view when outside the company premises.
• Utilize RFID card shields when the badge is not in use to prevent drive-by card sniffing attacks.
• Physically protect the RFID badge readers by using security screws that require special tools to remove the cover and access security components.
• Employ the tamper detect mechanisms to prevent badge reader physical tampering. All readers and doors should be monitored by CCTV.

Defenses (Broken)
SOME DON’T...EXAMPLE...

USA - Green Card Sleeve

• Since May 11, 2010, new Green Cards contain an RFID chip
• Tested Carl’s “protective sleeve”, doesn’t block anything.
• False sense of security

Thank You

Bishop Fox – see for more info:
http://www.bishopfox.com/resources/tools/rfid-hacking/