Published by Bernadette Potter. Modified over 7 years ago.
1
Demystifying RFID Technology Michael Vieau, CISSP, CEH Kevin Bong, GSE, PMP, QSA, GCIH, GCIA, GPPA, GSEC, GCFA, GAWN
2
About Sikich Security & Compliance »A full-service information security and compliance consulting practice within Sikich »Audits and assessments »Penetration testing »Forensics »Handle anything having to do with security or protecting data, including: »Credit card data (PCI DSS) »Patient data (HIPAA/HITECH) »Financial Information (FFIEC/GLBA) »Service provider reviews (SOC 1/2/3) »Federal information security standards (NIST/FISMA)
3
About Michael & Kevin »Penetration testers in the Security & Compliance practice at Sikich »Hardware hacking hobbyists »Creators/maintainers of the “MiniPwner” penetration testing drop box project
4
Agenda »What is RFID? »Where is RFID used? »How does RFID work? »Hacking RFID »Securing RFID »Biohacking with RFID
5
Agenda »What is RFID? »Where is RFID used? »How does RFID work? »Hacking RFID »Securing RFID »Biohacking with RFID
6
What is RFID? »RFID = Radio Frequency IDentification »The system is made of two main parts »Tag (transmitter) »Reader (receiver) »Basically a tracking and inventory system
7
Passive vs. Active Tags Passive Tags »Do not have a power source »Draw power from the reader »Inexpensive to produce »Widely used in many industries Active Tags »Have a built-in power source »Can work at greater distances than a passive tag »Can offer added security (challenge response)
8
Passive Tag Active Tag
9
Agenda »What is RFID? »Where is RFID used? »How does RFID work? »Hacking RFID »Securing RFID »Biohacking with RFID
10
Where is RFID used? »RFID is used in many different industries, from transportation to health care and even sports »More recently, people have begun to use near-field communication (NFC) to pay for shopping using a mobile device
11
RFID Usage Examples »Security »door locks »Transportation »Bus or train passes »iPass system »Passports »Medical »VeriChip (PositiveID) »Equipment tracking »Farming »Animal tracking »Libraries »Book inventory and checkout systems »Museums »eXspot exhibits system »Sports »Fitness tracking »Race timing »Schools »Taking attendance »Student tracking
12
Agenda »What is RFID? »Where is RFID used? »How does RFID work? »Hacking RFID »Securing RFID »Biohacking with RFID
13
How RFID Works »We will demonstrate using Prox from HID Global, a common access badge system »The reader generates a 125 kHz sine wave electromagnetic (EM) field »An antenna in the card is brought into that field »A bit of the power in that field is “tapped” to power the card »The card’s antenna is tuned and dampened to create the HID message »The strength of the field in the reader’s antenna changes with the dampening of the card
14
Oscilloscope Demo
15
Carrier – Zoomed Out
16
Amplitude Modulated Signal
17
What is the Envelope?
18
Modulated and Decoded Signals
19
Frequency Shift Keying of the Envelope
20
Manchester Encoding »Now you have the envelope, which produces a stream of 0s and 1s »What does it mean? »It is Manchester encoded
21
Manchester Encoding
22
»Example: 11010010101010101100101010110011001011010101010101010011 »10 = '1' »01 = '0' »11 = Invalid! »00 = Invalid!
23
Why is Manchester Encoding Cool? »Self-clocking »You can determine the start/end of each bit without a separate clock signal »Error detection »“000” and “111” would never be valid »Ability to transmit ‘0’ »Distinguished from silence
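The self-clocking and error-detection properties above, as an added example that is not part of the original presentation: a decoder that tries both pair alignments and keeps the one with fewer invalid pairs. The function names and the two constructed samples are assumptions made for illustration; the slide's own example stream is included as input.

```python
# Added example: Manchester decoding with alignment recovery.
PAIR_TO_BIT = {"10": "1", "01": "0"}  # slide convention; "11" and "00" are invalid

def encode(bits):
    """Manchester-encode a bit string into half-bit symbols ("chips")."""
    return "".join("10" if b == "1" else "01" for b in bits)

def decode_at(chips, phase):
    """Decode pairs starting at offset `phase`; return (bits, violations)."""
    bits, violations = [], 0
    for i in range(phase, len(chips) - 1, 2):
        bit = PAIR_TO_BIT.get(chips[i:i + 2])
        if bit is None:          # "11" or "00": wrong alignment or a corrupted chip
            violations += 1
            bit = "?"
        bits.append(bit)
    return "".join(bits), violations

def has_long_run(chips):
    """True if the raw stream contains "000" or "111", invalid at any alignment."""
    return "000" in chips or "111" in chips

def recover(chips):
    """Try both alignments and keep the one with fewer invalid pairs.

    Returns (phase, bits, violations). phase is None when both alignments
    score the same (an unbroken "1010..." run carries no alignment cue).
    """
    chips = "".join(chips.split())          # drop whitespace from copy/paste
    if set(chips) - {"0", "1"}:
        raise ValueError("stream must contain only 0 and 1")
    (b0, v0), (b1, v1) = decode_at(chips, 0), decode_at(chips, 1)
    if v0 == v1:
        return None, "", v0
    return (0, b0, v0) if v0 < v1 else (1, b1, v1)

# The stream shown on the slide (whitespace is ignored by recover()).
SLIDE_STREAM = "110100101010101011001010101100110010110 10101010101010011"
# Constructed samples: a stray leading chip, and one flipped chip.
OFFSET_SAMPLE = "0" + encode("1011001")
CORRUPT_SAMPLE = "11" + encode("1011001")[2:]

if __name__ == "__main__":
    for name in ("SLIDE_STREAM", "OFFSET_SAMPLE", "CORRUPT_SAMPLE"):
        print(name, recover(globals()[name]))
```

Run as a script, it prints the recovered alignment, decoded bits and violation count for each stream.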
24
HID Card Format Convert the 16-bit card number from binary to decimal to get the card number printed on the card
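An added example, not from the original presentation, that carries out the binary-to-decimal conversion described above on a full frame. It assumes the standard 26-bit layout (even parity bit, 8-bit facility code, 16-bit card number, odd parity bit), which the slide text does not spell out; the facility and card values are constructed.

```python
# Added example: parsing a 26-bit badge frame.
# ASSUMPTION: standard 26-bit layout, not stated in the slide text:
#   bit 1      even parity over bits 2-13
#   bits 2-9   facility code (8 bits)
#   bits 10-25 card number (16 bits, the number printed on the card)
#   bit 26     odd parity over bits 14-25

def build_frame(facility, card):
    """Build a 26-bit frame string from constructed test values."""
    if not (0 <= facility < 2**8 and 0 <= card < 2**16):
        raise ValueError("facility is 8 bits, card number is 16 bits")
    data = f"{facility:08b}{card:016b}"
    even = str(data[:12].count("1") % 2)        # first 13 bits get even weight
    odd = str(1 - data[12:].count("1") % 2)     # last 13 bits get odd weight
    return even + data + odd

def parse_frame(bits):
    """Validate both parity bits, then convert the fields to decimal."""
    bits = "".join(bits.split())
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 binary digits")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("even parity check failed (bits 1-13)")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("odd parity check failed (bits 14-26)")
    return {"facility": int(bits[1:9], 2), "card": int(bits[9:25], 2)}

def flip(bits, *positions):
    """Return a copy of the frame with the given 0-based positions inverted."""
    out = list(bits)
    for p in positions:
        out[p] = "1" if out[p] == "0" else "0"
    return "".join(out)

SAMPLE = build_frame(42, 12345)   # constructed values, not a real badge

if __name__ == "__main__":
    print(SAMPLE, parse_frame(SAMPLE))
    try:
        parse_frame(flip(SAMPLE, 5))          # single read error is caught
    except ValueError as err:
        print("rejected:", err)
    # Two errors in the same half cancel out: parity is a read-error check,
    # not an integrity or authenticity control.
    print(parse_frame(flip(SAMPLE, 1, 2)))
```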
25
Agenda »What is RFID? »Where is RFID used? »How does RFID work? »Hacking RFID »Securing RFID »Biohacking with RFID
26
Proxmark III »Enables sniffing, reading and cloning of RFID tags »Works at 125 kHz, 134 kHz and 13.56 MHz »Multiple protocol support (HID, NFC, MiFare)
27
Badge Spoofing Demo »Use a Proxmark to capture a HID RFID badge
28
Capturing HID Codes (RFID Snooper) We’re going to take the cheap 125 kHz RFID lock, tap into the signal generated by the antenna and decode that signal with an Arduino to read HID card codes
29
Replaying HID Codes (RFID Spoofer) We’re going to use the Arduino, a few electronic components and one of the blue key tags as an antenna
30
Building a Spoofer - Materials »Arduino (Nano recommended) »RFID key tag »1 2N3904 transistor »1 560 pF capacitor »1 10K resistor »PCB or Protoboard
31
How the Tag Modulates the Field »LC (inductor and capacitor) circuit in the card
32
RFID Spoofer Circuit
33
Spoofer Video
34
Agenda »What is RFID? »Where is RFID used? »How does RFID work? »Hacking RFID »Securing RFID »Biohacking with RFID
35
Securing RFID is Hard »Minimal computing power »No clock »Limited entropy »One-way communication »Limited or no read/write memory
36
Case Study: MiFare »MiFare Classic uses challenge-response »Requires two-way communication »Verifies the reader and the card »Still a number of weaknesses that allow card cloning »Poor random number generation »Weak 48-bit keys »MiFare Ultralight C »3DES authentication proves that two entities have the same secret and each entity can be seen as a reliable partner for the coming communication
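Why challenge-response depends on good random numbers, as an added example that is not part of the original presentation. It is a generic sketch using HMAC-SHA256 in place of any card's actual cipher, shows only the reader verifying the tag, and all class names, the key and the nonce sources are assumptions.

```python
# Added example: generic challenge-response, NOT the MiFare protocol.
# HMAC-SHA256 stands in for the card cipher; only the tag is authenticated.
import hashlib
import hmac
import secrets

def fresh_nonce():
    """Unpredictable 16-byte challenge from the OS CSPRNG."""
    return secrets.token_bytes(16)

class Tag:
    def __init__(self, key):
        self.key = key

    def respond(self, nonce):
        """Prove knowledge of the shared key without sending it."""
        return hmac.new(self.key, nonce, hashlib.sha256).digest()

class Reader:
    def __init__(self, key, nonce_source=fresh_nonce):
        self.key = key
        self.nonce_source = nonce_source
        self.pending = None

    def challenge(self):
        self.pending = self.nonce_source()
        return self.pending

    def verify(self, response):
        """Check the response against the outstanding challenge, once."""
        if self.pending is None:
            return False
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None                      # a challenge is single-use
        return hmac.compare_digest(expected, response)

def replay_accepted(reader, tag):
    """Record one genuine response, then present it to a new challenge."""
    recorded = tag.respond(reader.challenge())
    if not reader.verify(recorded):
        raise RuntimeError("genuine exchange failed")
    reader.challenge()                           # reader issues a new challenge
    return reader.verify(recorded)               # old response, no tag present

KEY = b"constructed-demo-key"                    # constructed, not a real key

if __name__ == "__main__":
    print("fresh nonces:   ", replay_accepted(Reader(KEY), Tag(KEY)))
    weak = Reader(KEY, nonce_source=lambda: b"\x00" * 16)  # repeating nonce
    print("repeating nonce:", replay_accepted(weak, Tag(KEY)))
```

With fresh nonces the recorded response is rejected; with a repeating nonce source the reader accepts it, which is why the random number generator is part of the security boundary.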
37
Case Study: HID iClass »High-security version of the HID card »Uses encryption to protect card data »Broken due to key management mistakes »Master encryption key embedded in readers »Key was not changed even after it was exposed »Key rotation would require clients to replace readers and cards
38
Case Study: NFC Contactless Payments »NFC transmissions are not secure »Relies upon other security controls »Virtual account number »Cryptogram »Read distance »PIN entry
39
Agenda »What is RFID? »Where is RFID used? »How does RFID work? »Hacking RFID »Securing RFID »Biohacking with RFID
40
Biohacking »RFID chips are widely used to “chip” pets so they can be returned to their owners »In December 2004, the “Implantable Radiofrequency Transponder System for Patient Identification and Health Information” was approved by the FDA
41
Implantable Radiofrequency Transponder »A VeriChip can be used to identify a patient with a 16-digit number (10 quadrillion possibilities) »The ID from the chip is used to look up the patient information in a database »The chip does not store your medical history »The VeriChip was used between 2004 and 2010 »There are ~300 people with VeriChip implants
42
Types of Implants »RFID tags (125 kHz) »NFC tags (13.56 MHz) »Magnets »Thermometer »LED compass »LED backlighting tattoos »Tritium (alternative to radium)
43
Why are people doing this? »Most commonly to authenticate to doors »Replacing RFID access cards (such as HID) »Medical reasons »Lifestyle
44
Biohacking Experience »I have an RFID (125 kHz) chip in my left hand »Currently it is used to unlock doors at our office »Is it secure? »Testing has shown it is very difficult to “read” the chip from something like a Proxmark »Badge readers can “see” it fine (most of the time) »However, someone could cut off my hand
45
Just After Implanting
46
A Few Weeks Later »After a few weeks, the implant can still be seen under the skin
47
Implant Quick Facts »The implant cannot be programmed while in the syringe (you must implant it first) »It might not work for a few days »A Proxmark can write to the chip, but not read it »Make sure you get one that is rewritable »You might find it difficult to get someone to implant it for you
48
Biohacking Demo »Using my implant to trigger the HID card reader and display it on screen
49
Questions? Michael Vieau mvieau@sikich.com 877.403.5227 x360 Kevin Bong kbong@sikich.com 877.403.5227 x349