Brett DeWall presents his project called "Skim Job", a standalone RFID skimming tool designed to eliminate the need for employee interaction. The Skim Job uses a Raspberry Pi Zero Wireless, a Proxmark3, a voltage-controlled USB hub, and a custom-wound antenna enclosed in a Polycase enclosure. It is able to remotely cut power to an RFID reader using the USB hub, allowing it to overlay as a reader and extract card data from badges without damaging equipment or requiring physical access. The total cost is around $191, and it provides a proof of concept for a more refined standalone RFID skimming device.
2. INTRODUCTION
• BRETT DEWALL (OSCP, OSWP, GWAPT)
• GRADUATED FROM ST. CLOUD STATE UNIVERSITY (MINNESOTA)
• BACHELOR OF SCIENCE – INFORMATION SYSTEMS
• STAFF SPECIALIST - WHITE OAK SECURITY
• SPARE TIME:
• SPOON FLOWER DYNASTY
• CAR ENTHUSIAST
• BUG BOUNTIES / RESEARCH
• PARTICIPATED IN DEFCON SECTF – 2015
• 3RD PLACE
• HAS PERFORMED OVER 50 ONSITE SOCIAL ENGINEERING ENGAGEMENTS
3. WHAT AM I TALKING ABOUT
• INTRODUCTION
• RFID OVERVIEW
• CURRENT RFID SOCIAL ENGINEERING ATTACKS
• SKIM JOB
• QUESTIONS
4. RFID Overview
• WHAT IS RFID?
• RADIO-FREQUENCY IDENTIFICATION
• WIRELESS SYSTEM (TAG & READER)
• USES?
• TONS! (SUPPLY CHAIN VISIBILITY, TRACKING, ACCESS CONTROL, ETC.)
• IS THIS TALK SPECIFIC TO AN RFID TECHNOLOGY?
• YES! SPECIFICALLY HID PROX PRODUCTS (125KHZ – LOW FREQUENCY)
5. CURRENT RFID SOCIAL ENGINEERING ATTACKS
• PROXMARK3
• BISHOP FOX – LONG RANGE READER
• BLEKEY / ESPKEY
6. PROXMARK3
• DEVELOPED BY JONATHAN WESTHUES
• SNIFFING, READING, CLONING OF RFID TAGS
• COMMUNITY DRIVEN – OPEN SOURCE!
• MODES
• CONNECTED
• STANDALONE
7. PROXMARK3 CONT.
• PROS
• SUPPORTS MULTIPLE RFID TECHNOLOGIES
• OPEN SOURCE
• BRUTEFORCE
• READ, WRITE, AND CLONE
• CONS
• READ RANGE VERY LIMITED – 1-2 INCHES
8. BISHOP FOX – LONG RANGE READER
• ROBERT FRANCIS PRESENTED “LIVE FREE OR RFID HARD” AT DEFCON 21
• DESIGNED TO READ 125KHZ LOW-FREQUENCY RFID CARDS
• LONG RANGE - UP TO 36 INCHES
9. BISHOP FOX – LONG RANGE READER CONT.
• PROS
• LONG RANGE
• OPEN SOURCE
• EASY TO USE
• STANDALONE
• CONS
• READER ONLY
• EXPENSIVE
• REQUIRES PHYSICAL INTERACTION
10. BLEKEY / ESPKEY
• ERIC EVENCHICK & MARK BASEGGIO PRESENTED THE BLEKEY AT DEFCON 23
• DESIGNED TO BE INSTALLED IN LESS THAN 60 SECONDS (IDEAL SITUATION)
• INSTALLED IN-LINE WITH THE RFID READER
• UNIVERSAL SUPPORT
• WIRELESS LAN COMMUNICATION
11. BLEKEY / ESPKEY CONT.
• PROS
• SMALL FORM FACTOR
• ATTACKS THE PHYSICAL DEVICE
• CAN STORE MULTIPLE RFID CARDS (THOUSANDS)
• CONS
• CUTS THE WIRE SHEATH WHEN INSTALLING (PREMATURE FAILURE?)
• NEED TO GAIN ACCESS TO WIRING TO INSTALL
12. PREVIOUS TECHNOLOGIES RECAP
• NONE OF THESE DEVICES ARE BAD
• THEY ALL WORK IN THEIR OWN WAY
• THIS IS NOT TO DETER ANYONE FROM USING THEM
14. SKIM JOB – WHY?
• WANTED TO ELIMINATE THE EMPLOYEE INTERACTION
• SOMETIMES NOT ABLE TO GET NEAR A BADGE
• PROJECT TIMEFRAME (SHORT DURATION)
• RFID ENABLED DOORS ARE BECOMING THE NORM FOR EMPLOYEES ACCESSING BUILDINGS
15. SKIM JOB – WHY? CONT.
• DIDN’T WANT TO DAMAGE THE READER WIRING
• BLEKEY / ESPKEY
• QUICK TO DEPLOY
• TRYING TO TAKE AN IDEA AND MAKE IT REAL
16. SKIM JOB…. SO WHAT IS IT?
• 100% STANDALONE DEPLOYABLE TOOL
• “SMART” OR SOMEWHAT I GUESS
• EQUIPMENT INCLUDES:
• PROXMARK3
• VOLTAGE CONTROLLED USB HUB
• RASPBERRY PI ZERO WIRELESS
• CUSTOM WOUND ANTENNA
• POLYCASE ENCLOSURE
• HAND MADE USB CABLES
17. SKIM JOB – SMART?
• HOW IS THIS TOOL SMART?
• OVERLAYING AN RFID READER ON TOP OF AN RFID READER DOESN’T WORK
• CAN WE CUT POWER ON THE FLY?
• VOLTAGE CONTROLLED USB HUB (THANK YOU SWITCHDOC LABS)
• REMOTELY CONTROL THE DEVICE
• WIFI NETWORK – INITIAL ACCESS
• WEB SERVER – PROJECT EXECUTION / LOG VIEWER / RFID SIMULATOR
19. SKIM JOB – FORM ITERATIONS
• RASPBERRY PI ZERO WITHOUT WIFI
• NEEDED A SEPARATE USB ADAPTER
• RASPBERRY PI ZERO WITH A WIFI HAT
• RASPBERRY PI ZERO WIRELESS (CURRENT)
20. SKIM JOB - EQUIPMENT
• RASPBERRY PI ZERO WIRELESS
• THE “BRAINS”
• TONS OF CAPABILITIES FOR FUTURE IMPLEMENTATION
• PROXMARK3 RDV2 KIT
• RFID READER
• EASY INTERFACE
• DETACHABLE ANTENNA
21. SKIM JOB - EQUIPMENT
• SWITCHDOC USB POWERCONTROL BOARD
• CUT THE POWER REMOTELY VIA VOLTAGE SIGNAL
• LIPO BATTERY
• GIVE ME SOME JUICE!
• ADAFRUIT POWERBOOST
• SUPPLY THE JUICE
• POLYCASE COVER
• CONCEAL THE COMPONENTS
23. SKIM JOB – PUTTING IT TOGETHER
• LOW FREQUENCY ANTENNA CREATION
• CREATED A NAIL SQUARE THE SIZE OF THE POLYCASE COVER
• UTILIZED PROXMARK3 TO “TUNE” THE ANTENNA
27. SKIM JOB – HOW DOES IT WORK?
• RASPBERRY PI ZERO – “THE BRAIN”
• CONTROLLER OF ALL THE THINGS
• WIFI NETWORK
• PYTHON SCRIPT
• PROXMARK3 – “THE READER”
• RFID MAGIC
• SWITCHDOC USB POWERCONTROL BOARD – “SWITCHABLE POWER”
• CUTS POWER THROUGH VOLTAGE OUTPUT
31. TROUBLES
• NOT A “SOLDERING” EXPERT ($50 MISTAKE)
• RESULTED IN A BROKEN USB HUB
• PAD BEING RIPPED OFF OF BOARD
• NEEDED TO CREATE MULTIPLE SHORTENED USB CABLES
• CONDENSING THE ENTIRE PROJECT
• SLIMMING ALL OF THE ELECTRONICS
32. TROUBLES CONT.
• TIME
• WAS PUT ON THE BACK BURNER FOR MULTIPLE YEARS
• LIFE, FAMILY, OTHER HOBBIES
• IDENTIFYING CASES TO USE
• 3D PRINT?
33. FUTURE WORK
• CONDENSE
• MAKE EVERYTHING SMALLER
• FASTER “BRAIN”
• RASPBERRY PI ALTERNATIVES
• RFID MODULES
• MORE CONVINCING COVER
• OPEN FOR IDEAS!
34. FUTURE WORK CONT.
• LED LIGHTS
• SIMULATE A REAL RFID READER
• WEB SERVER
• CENTRAL COMMAND CENTER
• CURRENTLY IN PROGRESS
35. SUGGESTIONS
• ANY SUGGESTIONS / QUESTIONS / FEEDBACK
• PLEASE REACH OUT!
• HACKERS HELPING HACKERS
• EVERYTHING TALKED ABOUT IS AVAILABLE VIA GITHUB