1 Demystifying RFID Technology
Michael Vieau, CISSP, CEH
Kevin Bong, GSE, PMP, QSA, GCIH, GCIA, GPPA, GSEC, GCFA, GAWN

2 About Sikich Security & Compliance
»A full-service information security and compliance consulting practice within Sikich
»Audits and assessments
»Penetration testing
»Forensics
»Handle anything having to do with security or protecting data, including:
  »Credit card data (PCI DSS)
  »Patient data (HIPAA/HITECH)
  »Financial information (FFIEC/GLBA)
  »Service provider reviews (SOC 1/2/3)
  »Federal information security standards (NIST/FISMA)

3 About Michael & Kevin
»Penetration testers in the Security & Compliance practice at Sikich
»Hardware hacking hobbyists
»Creators/maintainers of the “MiniPwner” penetration testing drop box project

4 Agenda
»What is RFID?
»Where is RFID used?
»How does RFID work?
»Hacking RFID
»Securing RFID
»Biohacking with RFID


6 What is RFID?
»RFID = Radio Frequency IDentification
»The system is made of two main parts
  »Tag (transmitter)
  »Reader (receiver)
»Basically a tracking and inventory system

7 Passive vs. Active Tags
Passive Tags
»Do not have a power source
»Draw power from the reader
»Inexpensive to produce
»Widely used in many industries
Active Tags
»Have a built-in power source
»Can work at greater distances than a passive tag
»Can offer added security (challenge-response)

8 Passive Tag Active Tag


10 Where is RFID used?
»RFID is used in many different industries, from transportation to health care and even sports
»More recently, people have begun to use near-field communication (NFC) to pay for shopping using a mobile device

11 RFID Usage Examples
»Security
  »Door locks
»Transportation
  »Bus or train passes
  »iPass system
  »Passports
»Medical
  »VeriChip (PositiveID)
  »Equipment tracking
»Farming
  »Animal tracking
»Libraries
  »Book inventory and checkout systems
»Museums
  »eXspot exhibits system
»Sports
  »Fitness tracking
  »Race timing
»Schools
  »Taking attendance
  »Student tracking


13 How RFID Works
»We will demonstrate using Prox from HID Global, a common access badge system
»The reader generates a 125 kHz sine wave electromagnetic (EM) field
»An antenna in the card is brought into that field
»A bit of the power in that field is “tapped” to power the card
»The card’s antenna is tuned and then damped (loaded) in a pattern to create the HID message
»The strength of the field in the reader’s antenna changes with the damping of the card

14 Oscilloscope Demo

15 Carrier – Zoomed Out

16 Amplitude Modulated Signal

17 What is the Envelope?

18 Modulated and Decoded Signals

19 Frequency Shift Keying of the Envelope

20 Manchester Encoding
»Now you have the envelope, which produces a stream of 0s and 1s
»What does it mean?
»It is Manchester encoded

21 Manchester Encoding

22
»Example: 110100101010101011001010101100110010110 10101010101010011
»10 = '1'
»01 = '0'
»11 = Invalid!
»00 = Invalid!

23 Why is Manchester Encoding Cool?
»Self-clocking
  »You can determine the start/end of each bit without a separate clock signal
»Error detection
  »“000” and “111” would never be valid
»Ability to transmit ‘0’
  »Distinguished from silence
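The decoding rule from slides 20 to 23 in working code. This is an added example, not code from the talk or its authors: it applies the '10' → 1, '01' → 0 rule to the 56-chip stream on slide 22 (joined across the slide's line break, which I assume is layout rather than data), tries both possible bit alignments because a capture can begin half-way through a bit, and flags '11'/'00' pairs and runs of three identical chips as the errors slide 23 says Manchester coding lets you detect. The names SLIDE_EXAMPLE, manchester_decode, decode_best_phase and longest_run are mine.

```python
# Added example: Manchester decoder for the demodulated envelope bitstream.
# Not from the talk; the slide-22 stream is reproduced here as sample input.

# Slide 22's example stream, shown there with a line break, joined here
# (assumption: the break is layout, not part of the data).
SLIDE_EXAMPLE = ("110100101010101011001010101100110010110"
                 "10101010101010011")

# The pairing rule from slide 22; '11' and '00' are invalid.
CHIP_PAIRS = {"10": "1", "01": "0"}


def manchester_encode(bits):
    """Encode data bits as Manchester chips, two per bit ('1' -> '10', '0' -> '01')."""
    return "".join("10" if b == "1" else "01" for b in bits)


def manchester_decode(chips, offset=0):
    """Decode chips two at a time starting at `offset`.

    Returns (bits, invalid_pairs). An invalid pair ('11' or '00') is emitted
    as '?' so the caller can see where synchronisation was lost; a trailing
    unpaired chip is ignored.
    """
    chips = chips[offset:]
    out = []
    invalid = 0
    for i in range(0, len(chips) - 1, 2):
        pair = chips[i:i + 2]
        if pair in CHIP_PAIRS:
            out.append(CHIP_PAIRS[pair])
        else:
            out.append("?")
            invalid += 1
    return "".join(out), invalid


def decode_best_phase(chips):
    """Try both bit alignments; return (offset, bits, invalid_pairs) for the
    one with fewer invalid pairs.

    A capture can start half-way through a bit, so the receiver cannot know
    whether chip 0 is the first or second half of a bit. Because the code is
    self-clocking, the wrong alignment produces invalid pairs almost at once,
    which is how the right one is recognised without a separate clock line.
    """
    scored = []
    for offset in (0, 1):
        bits, invalid = manchester_decode(chips, offset)
        scored.append((invalid, offset, bits))
    invalid, offset, bits = min(scored)
    return offset, bits, invalid


def longest_run(chips):
    """Longest run of identical chips. Valid Manchester never exceeds 2, so a
    run of 3 or more ('000' or '111', per slide 23) marks a corrupted or
    mis-sampled capture regardless of alignment."""
    best = run = 0
    prev = None
    for c in chips:
        run = run + 1 if c == prev else 1
        prev = c
        best = max(best, run)
    return best


if __name__ == "__main__":
    offset, bits, invalid = decode_best_phase(SLIDE_EXAMPLE)
    print(f"alignment offset={offset}, invalid pairs={invalid}, "
          f"longest run={longest_run(SLIDE_EXAMPLE)}")
    print("decoded bits:", bits)
```

For the slide's stream, alignment 0 fails on the very first pair ('11'), while alignment 1 decodes all 27 pairs with no invalid pair, so the leading chip is the tail of a bit that began before the capture. With a real card capture the next step is to locate the format's preamble in the decoded bits before splitting them into fields.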

24 HID Card Format
Convert the 16-bit card number from binary to decimal to get the card number printed on the card
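A worked example for slide 24, added here and not part of the talk: it packs and unpacks the widely documented 26-bit HID format (H10301), in which the 16-bit card number the slide refers to sits between an 8-bit facility code and two parity bits. The field layout comes from the public description of that format rather than from the slides, and the function names and the sample values (facility code 123, card number 45678) are constructed for the example.

```python
# Added example: pack and unpack a 26-bit HID (H10301) frame.
# Layout assumed from the public H10301 description, not from the slides:
#   frame[0]      even parity over the first 12 data bits
#   frame[1:9]    8-bit facility code
#   frame[9:25]   16-bit card number (the number printed on the card, slide 24)
#   frame[25]     odd parity over the last 12 data bits


def build_h10301(facility_code, card_number):
    """Return the 26-character bit string for a facility code and card number."""
    if not 0 <= facility_code < 2 ** 8:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number < 2 ** 16:
        raise ValueError("card number must fit in 16 bits")
    data = f"{facility_code:08b}{card_number:016b}"
    even = str(data[:12].count("1") % 2)        # parity bit + first 12 bits -> even
    odd = str((data[12:].count("1") + 1) % 2)   # last 12 bits + parity bit -> odd
    return even + data + odd


def parse_h10301(frame):
    """Split a 26-bit frame into its fields and check both parity bits.

    Returns a dict; parity_ok is False for a frame that was mis-read (or
    altered) in a way the two parity bits can catch. Raises ValueError for
    input that is not 26 binary digits.
    """
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    even_ok = frame[:13].count("1") % 2 == 0
    odd_ok = frame[13:].count("1") % 2 == 1
    return {
        "facility_code": int(frame[1:9], 2),
        "card_number": int(frame[9:25], 2),    # binary -> decimal, as on slide 24
        "parity_ok": even_ok and odd_ok,
    }


def flip_bit(frame, index):
    """Return the frame with one bit inverted, to simulate a read error."""
    bit = "1" if frame[index] == "0" else "0"
    return frame[:index] + bit + frame[index + 1:]


if __name__ == "__main__":
    frame = build_h10301(123, 45678)           # constructed sample values
    print(frame, parse_h10301(frame))
    damaged = flip_bit(frame, 10)
    print(damaged, parse_h10301(damaged))
```

The parity bits only detect single-bit read errors in each half of the frame; they are not an integrity check in the security sense, which is part of why slide 35 lists these cards as hard to secure.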


26 Proxmark III
»Enables sniffing, reading and cloning of RFID tags
»Works at 125 kHz, 134 kHz and 13.56 MHz
»Multiple protocol support (HID, NFC, MiFare)

27 Badge Spoofing Demo
»Use a Proxmark to capture a HID RFID badge

28 Capturing HID Codes (RFID Snooper) We’re going to take the cheap 125 kHz RFID lock, tap into the signal generated by the antenna and decode that signal with an Arduino to read HID card codes

29 Replaying HID Codes (RFID Spoofer) We’re going to use the Arduino, a few electronic components and one of the blue key tags as an antenna

30 Building a Spoofer - Materials
»Arduino (Nano recommended)
»RFID key tag
»1 × 2N3904 transistor
»1 × 560 pF capacitor
»1 × 10 kΩ resistor
»PCB or protoboard

31 How the Tag Modulates the Field
»LC (inductor and capacitor) circuit in the card

32 RFID Spoofer Circuit

33 Spoofer Video


35 Securing RFID is Hard
»Minimal computing power
»No clock
»Limited entropy
»One-way communication
»Limited or no read/write memory

36 Case Study: MiFare
»MiFare Classic uses challenge-response
  »Requires two-way communication
  »Verifies the reader and the card
»Still a number of weaknesses that allow card cloning
  »Poor random number generation
  »Weak 48-bit keys
»MiFare Ultralight C
  »3DES authentication proves that two entities have the same secret and each entity can be seen as a reliable partner for the coming communication

37 Case Study: HID iClass
»High-security version of the HID card
»Uses encryption to protect card data
»Broken due to key management mistakes
  »Master encryption key embedded in readers
  »Key was not changed even after it was exposed
  »Key rotation would require clients to replace readers and cards

38 Case Study: NFC Contactless Payments
»NFC transmissions are not secure
»Relies upon other security controls
  »Virtual account number
  »Cryptogram
  »Read distance
  »PIN entry


40 Biohacking
»RFID chips are widely used to “chip” pets so they can be returned to their owners
»In December 2004, the “Implantable Radiofrequency Transponder System for Patient Identification and Health Information” was approved by the FDA

41 Implantable Radiofrequency Transponder
»A VeriChip can be used to identify a patient with a 16-digit number (10 quadrillion possibilities)
»The ID from the chip is used to look up the patient information in a database
»The chip does not store your medical history
»The VeriChip was used between 2004 and 2010
»There are ~300 people with VeriChip implants

42 Types of Implants
»RFID tags (125 kHz)
»NFC tags (13.56 MHz)
»Magnets
»Thermometer
»LED compass
»LED backlighting tattoos
»Tritium (alternative to radium)

43 Why are people doing this?
»Most commonly to authenticate to doors
  »Replacing RFID access cards (such as HID)
»Medical reasons
»Lifestyle

44 Biohacking Experience
»I have an RFID (125 kHz) chip in my left hand
»Currently it is used to unlock doors at our office
»Is it secure?
  »Testing has shown it is very difficult to “read” the chip from something like a Proxmark
  »Badge readers can “see” it fine (most of the time)
  »However, someone could cut off my hand

45 Just After Implanting

46 A Few Weeks Later
»After a few weeks, the implant can still be seen under the skin

47 Implant Quick Facts
»The implant cannot be programmed while in the syringe (you must implant it first)
»It might not work for a few days
»A Proxmark can write to the chip, but not read it
»Make sure you get one that is rewritable
»You might find it difficult to get someone to implant it for you

48 Biohacking Demo
»Using my implant to trigger the HID card reader and display it on screen

49 Questions?
Michael Vieau, mvieau@sikich.com, 877.403.5227 x360
Kevin Bong, kbong@sikich.com, 877.403.5227 x349
