Brett DeWall presents his project called "Skim Job", a standalone RFID skimming tool designed to eliminate the need for employee interaction. The Skim Job uses a Raspberry Pi Zero Wireless, Proxmark3, voltage controlled USB hub, and custom wound antenna enclosed in a polycase. It is able to remotely cut power to an RFID reader using the USB hub, allowing it to overlay as a reader and extract card data from badges without damaging equipment or requiring physical access. The total cost is around $191 and it provides a proof-of-concept for a more refined standalone RFID skimming device.

1. SKIM JOB:
SKIMMING YOUR WAY IN
BY: BRETT DEWALL / @XBADBIDDYX

2. INTRODUCTION
• BRETT DEWALL (OSCP, OSWP, GWAPT)
• GRADUATED FROM ST. CLOUD STATE UNIVERSITY (MINNESOTA)
• BACHELORS OF SCIENCE – INFORMATION SYSTEMS
• STAFF SPECIALIST - WHITE OAK SECURITY
• SPARE TIME:
• SPOON FLOWER DYNASTY
• CAR ENTHUSIAST
• BUG BOUNTIES / RESEARCH
• PARTICIPATED IN DEFCON SECTF – 2015
• 3RD PLACE
• HAS PERFORMED OVER 50 ONSITE SOCIAL ENGINEERING ENGAGEMENTS

3. WHAT AM I TALKING ABOUT
• INTRODUCTION
• RFID OVERVIEW
• CURRENT RFID SOCIAL ENGINEERING ATTACKS
• SKIM JOB
• QUESTIONS

4. RFID Overview
• WHAT IS RFID?
• RADIO-FREQUENCY IDENTIFICATION
• WIRELESS SYSTEM (TAG & READER)
• USES?
• TONS! (SUPPLY CHAIN VISIBILITY, TRACKING, ACCESS CONTROL, ETC..)
• IS THIS TALK SPECIFIC TO A RFID TECHNOLOGY?
• YES! SPECIFICALLY HID PROX PRODUCTS (125KHZ – LOW FREQUENCY)

5. CURRENT RFID SOCIAL ENGINEERING ATTACKS
• PROXMARK3
• BISHOP FOX – LONG RANGE READER
• BLEKEY / ESPKEY

6. PROXMARK3
• DEVELOPED BY JONATHAN WESTHUES
• SNIFFING, READING, CLONING OF RFID TAGS
• COMMUNITY DRIVEN – OPENSOURCE!
• MODES
• CONNECTED
• STANDALONE

7. PROXMARK3 CONT.
• PROS
• SUPPORTS MULTIPLE RFID TECHNOLOGIES
• OPEN SOURCE
• BRUTEFORCE
• READ, WRITE, AND CLONE
• CONS
• READ RANGE VERY LIMITED – 1-2 INCHES

8. BISHOP FOX – LONG RANGE READER
• ROBERT FRANCIS PRESENTED “LIVE FREE OR RFID HARD” AT DEFCON 21
• DESIGNED TO READ 125KHZ LOW-FREQUENCY RFID CARDS
• LONG RANGE - UP TO 36 INCHES

9. BISHOP FOX – LONG RANGE READER CONT.
• PROS
• LONG RANGE
• OPEN SOURCE
• EASY TO USE
• STANDALONE
• CONS
• READER ONLY
• EXPENSIVE
• REQUIRES PHYSICAL INTERACTION

10. BLEKEY / ESPKEY
• ERIC EVENCHICK & MARK BASEGGIO PRESENTED THE BLEKEY AT DEFCON 23
• DESIGNED TO BE INSTALLED IN LESS THAN 60 SECONDS (IDEAL SITUATION)
• INSTALLED IN-LINE WITH THE RFID READER
• UNIVERSAL SUPPORT
• WIRELESS LAN COMMUNICATION

11. BLEKEY / ESPKEY CONT.
• PROS
• SMALL FORM FACTOR
• ATTACKS THE PHYSICAL DEVICE
• CAN STORE MULTIPLE RFID CARDS (THOUSANDS)
• CONS
• CUTS THE WIRE SHEATH WHEN INSTALLING (PREMATURE FAILURE?)
• NEED TO GAIN ACCESS TO WIRING TO INSTALL

12. PREVIOUS TECHNOLOGIES RECAP
• NONE OF THESE DEVICES ARE BAD
• THEY ALL WORK IN THEIR OWN WAY
• THIS IS NOT TO DETER ANYONE FROM USING THEM

13. SKIM JOB

14. SKIM JOB – WHY?
• WANTED TO ELIMINATE THE EMPLOYEE INTERACTION
• SOMETIMES NOT ABLE TO GET NEAR A BADGE
• PROJECT TIMEFRAME (SHORT DURATION)
• RFID ENABLED DOORS ARE BECOMING THE NORM FOR EMPLOYEES
ACCESSING BUILDINGS

15. SKIM JOB – WHY? CONT.
• DIDN’T WANT TO DAMAGE THE READER WIRING
• BLEKEY / ESPKEY
• QUICK TO DEPLOY
• TRYING TO TAKE AN IDEA AND MAKE IT REAL

16. SKIM JOB…. SO WHAT IS IT?
• 100% STANDALONE DEPLOYABLE TOOL
• ”SMART” OR SOMEWHAT I GUESS
• EQUIPMENT INCLUDES:
• PROXMARK3
• VOLTAGE CONTROLLED USB HUB
• RASPBERRY PI ZERO WIRELESS
• CUSTOM WOUND ANTENNA
• POLYCASE ENCLOSURE
• HAND MADE USB CABLES

17. SKIM JOB – SMART?
• HOW IS THIS TOOL SMART?
• OVERLAYING A RFID READER ON TOP OF A RFID READER DOESN’T
WORK
• CAN WE CUT POWER ON THE FLY?
• VOLTAGE CONTROLLED USB HUB (THANK YOU SWITCHDOC LABS)
• REMOTELY CONTROL THE DEVICE
• WIFI NETWORK – INITIAL ACCESS
• WEB SERVER- PROJECT EXECUTION / LOG VIEWER / RFID SIMULATOR

18. SKIM JOB – SMART?

19. SKIM JOB – FORM ITERATIONS
• RASPBERRY PI ZERO WITHOUT WIFI
• NEEDED A SEPARATE USB ADAPTER
• RASPBERRY PI ZERO WITH A WIFI HAT
• RASPBERRY PI ZERO WIRELESS (CURRENT)

20. SKIM JOB - EQUIPMENT
• RASPBERRY PI ZERO WIRELESS
• THE ”BRAINS”
• TONS OF CAPABILITIES FOR FUTURE IMPLEMENTATION
• PROXMARK3 RDV2 KIT
• RFID READER
• EASY INTERFACE
• DETACHABLE ANTENNA

21. SKIM JOB - EQUIPMENT
• SWITCHDOC USB POWERCONTROL BOARD
• CUT THE POWER REMOTELY VIA VOLTAGE SIGNAL
• LIPO BATTERY
• GIVE ME SOME JUICE!
• ADAFRUIT POWERBOOST
• SUPPLY THE JUICE
• POLYBASE COVER
• CONCEAL THE COMPONENTS

22. SKIM JOB - COST
• RASPBERRY PI ZERO W - $10.00
• PROXMARK3 RDV2 - $115.00
• SWITCHDOC POWERCONTROL USB BOARD - $15.99
• ADAFRUIT POWERBOOST - $9.95
• LIPO BATTERY - $14.95
• POLYCASE - $10.31
• MISC ITEMS (USB CONNECTORS / CABLES) - $15.00
• TOTAL: $191.20

23. SKIM JOB – PUTTING IT TOGETHER
• LOW FREQUENCY ANTENNA CREATION
• CREATED A NAIL SQUARE THE SIZE OF THE POLYCASE COVER
• UTILIZED PROXMARK3 TO “TUNE” THE ANTENNA

24. SKIM JOB – PUTTING IT TOGETHER

25. SKIM JOB – PUTTING IT TOGETHER

26. SKIM JOB – HOW IT WORKS
The
Schematics

27. SKIM JOB – HOW DOES IT WORK?
• RASPBERRY PI ZERO – “THE BRAIN”
• CONTROLLER OF ALL THE THINGS
• WIFI NETWORK
• PYTHON SCRIPT
• PROXMARK3 – “THE READER”
• RFID MAGIC
• SWITCHDOC USB POWERCONTROL BOARD – “SWITCHABLE
POWER”
• CUTS POWER THROUGH VOLTAGE OUTPUT

28. SKIM JOB – IN USE

29. SKIM JOB – IN USE

30. SKIM JOB - VIDEO
• VIDEO

31. TROUBLES
• NOT A “SOLDERING” EXPERT (50$ MISTAKE)
• RESULTED IN A BROKEN USB HUB
• PAD BEING RIPPED OFF OF BOARD
• NEEDED TO CREATE MULTIPLE SHORTENED USB CABLES
• CONDENSING THE ENTIRE PROJECT
• SLIMMING ALL OF THE ELECTRONICS

32. TROUBLES CONT.
• TIME
• WAS PUT ON THE BACK BURNER FOR MULTIPLE YEARS
• LIFE, FAMILY, OTHER HOBBIES
• IDENTIFYING CASES TO USE
• 3D PRINT?

33. FUTURE WORK
• CONDENSE
• MAKE EVERYTHING SMALLER
• FASTER “BRAIN”
• RASPBERRY PI ALTERNATIVES
• RFID MODULES
• MORE CONVINCING COVER
• OPEN FOR IDEAS!

34. FUTURE WORK CONT.
• LED LIGHTS
• SIMULATE A REAL RFID READER
• WEB SERVER
• CENTRAL COMMAND CENTER
• CURRENTLY IN PROGRESS

35. SUGGESTIONS
• ANY SUGGESTIONS / QUESTIONS / FEEDBACK
• PLEASE REACH OUT!
• HACKERS HELPING HACKERS
• EVERYTHING TALKED ABOUT IS AVAILABLE VIA GITHUB

36. SHOUTOUTS
• @W3S.H4RD3N
• @OCTETSTREAM
• DONQUIXOTE
• SLEESTAKOVERFLOW
• WHITE OAK SECURITY GROUP

37. THANKS!
• CONTACT:
• BRETT DEWALL
• BRETT.DEWALL@WHITEOAKSECURITY.COM
• @XBADBIDDYX
• LINKEDIN
• HTTPS://WWW.LINKEDIN.COM/IN/BRETT-DEWALL-912A8139
• GITHUB
• HTTPS://GITHUB.COM/WHITEOAKSECURITY/SKIMJOB

38. QUESTIONS
?

39. REFERENCES
• HTTPS://PROXMARK.COM/
• HTTPS://RESOURCES.BISHOPFOX.COM/RESOURCES/TOOLS/RFID-HACKING/ATTACK-
TOOLS/
• HTTPS://FRITZING.ORG/
• A BEACON ANALYSIS-BASED RFID READER ANTI-COLLISION PROTOCOL FOR DENSE READER
ENVIRONMENTS
• ALI ASSARIANA, AHMAD KHADEMZADEHB, MEHDI HOSSEINZADEHC, SAEED SETAYESHIE
• HTTPS://PASSIVE-COMPONENTS.EU/WHAT-IS-RFID-HOW-RFID-WORKS-RFID-EXPLAINED-
IN-DETAIL/