
RFID Treehouse of Horror


  1. RFID Treehouse of Horror ● Adrian “atrox” Dabrowski ● Picture Source: http://audisondesigns.blogspot.co.at/
  2. Outline ● Central Key Systems in .at and Vienna ● 65000, WEZ2000, Z/BG, BEGEH ● RFID ● What is it? ● Other Systems ● BEGEH details ● RFID Sniffer and Simulator ● Analysis Methods ● BEGEH Key types and vulnerabilities ● Field Test ● Conclusion and Lessons Learned
  3. WEZ-2000 ● “Wiener Einheitszylinder 2000” ● Source: Yolosiedler.info ● Source: Wikicommons
  4. Key #61005 ● Installation Cabinets (In- & Outdoor) ● Power metering ● (Floor level) fuses ● Circuit breakers ● Gas ● Heating ● Water
  5. Z / BG key ● History ● Up until 1957: caretaker needed to be physically present ● 2000: no designated caretakers necessary ● Front door intercom systems
  6. The Solution: “BEGEH” Card ● BEGEH BASIC ● RFID based ● 10+1 Groups ● BEGEH SECURITY ● 128 Groups ● Log-file ● BEGEH SECURITY PLUS ● Subscription Fee ● Blacklist updates
  7. Claims (Manufacturer)
  8. CHALLENGE ACCEPTED
  9. What is RFID? ● Radio Frequency Identification – Near field communication ● Frequency ● 125 kHz, 13.56 MHz, 433 MHz, 900 MHz, 2.45 GHz ● Power ● Passive, semi-passive, active ● Coupling ● Inductive, Backscatter, Capacitive ● Return Channel ● Load Modulation, Sub-carriers, Harmonics ● Carrier is... ● Power supply ● Clock supply ● Downstream ● Base for upstream signal
  10. How does RFID work ● Radio Frequency Identification – Near field communication ● Frequency ● 125 kHz, 13.56 MHz, 433 MHz, 900 MHz, 2.45 GHz ● Power ● Passive, semi-passive, active ● Coupling ● Inductive, Backscatter, Capacitive ● Return Channel ● Load Modulation, Sub-carriers, Harmonics ● Carrier is... ● Power supply ● Clock supply ● Downstream ● Base for upstream signal
  11. Functionality (increasing from left to right) ● Burglary Alarm ● e.g. EM4102 ● e.g. Mifare Ultralight, Tag-IT ● e.g. Mifare Classic & DESFire ● e.g. SmartMX (JCOP)
  12. Tools (expensive!) ● IAIK DemoTag ● Proxmark III ● Comprion
  13. Wiener Linien ● Buy tickets with your mobile NFC phone ● Passive NFC stickers
  14. Wiener Linien
  15. Overview ● Mifare Hacks, Cafe and Co ● Wiener Linien ● UID Based ● EM4102 ● T5556 ● Android ● TI Lab
  16. Coffee anyone?
  17. Coffee anyone? ● ACR122u == TikiTag == Touchatag ● + libnfc (mfoc)
  18. EM4102 & co.
  19. Atmel T5557 / T5567 / T5551
  20. Atmel T5557 / T5567 / T5551
  21. EM4102 cloning
  22. UID-Based Security: TI-LAB ● Cumulative distribution function
  23. EM4102 sniffing with a PC ● Modulated data ~4 kHz ● Sampling with USB audio adapter ● Milosch Meriac / bitmanufaktur (openbeacon, openpcd, ...)
  24. EM4102 sweep with your phone
  25. The Solution: “BEGEH” Card ● BEGEH BASIC ● RFID based ● 10+1 Groups ● BEGEH SECURITY ● 128 Groups ● Log-file ● BEGEH SECURITY PLUS ● Subscription Fee ● Blacklist updates
  26. Hardware
  27. Build a Sniffer
  28. Build a Sniffer
  29. Long Range Reader?
  30. How to Get Samples? ● ~25 cm
  31. How to Get Samples? ● Source: post.at
  32. Programming a Simulator ● Fuzzing ● Systematic Tests ● Later: UID Emulation and Card Replay
  33. Simple RF Frontend ● Resonant circuit ● Rectifier ● Prot. ● Modulation ● Envelope Detector ● Input Buffer
  34. How BEGEH Basic works
  35. BEGEH Basic: How it works ● Card Types ● User cards – Encrypted data, 3 sectors ● Master card – “ownership”, based on UID ● Programming cards – Need a master card ● Baucard (former Testcard) – Only uses the first sector – checksum, but not encrypted
  36. Field test
  37. Results
  38. BEGEH Circumvention
  39. Updates ● Source: facebook.com/Begehcard
  40. BEGEH Conclusion ● Stolen key management ● Blacklist only once/year ● Only for “Security” product line ● Card copy without knowledge of holder ● Expiration ● Only for “Security” variant, since 2011 ● Duplication prevention ● BAUCARD: €2 ● Emulator (build): €20 ● Wrong technology ● (Default) configuration error ● Design error ● Blacklist update labor intensive ● Subset of installations ● Implementation/Production
  41. General Conclusion: The undead...
  42. Source: freepsdfiles.net ● I will not design security solutions without a strong IT security background. I will not design security solutions without a strong IT security background. I will not design security solutions without a strong IT security background. I will not design security solutions without a strong IT security background. I will not design security solutions without a strong IT security background. I will not design security solutions without a strong IT security background.
  43. RFID Treehouse of Horror ● Adrian Dabrowski ● adabrowski@sba-research.org ● atrox@seclab.tuwien.ac.at ● Picture Source: http://audisondesigns.blogspot.co.at/