The document is a presentation on RFID hacking, discussing the basics of RFID badges, existing hacking tools, and methods to exploit RFID systems. It includes various attack approaches, defenses against such attacks, and recommendations for improving RFID security. It emphasizes the vulnerabilities of commonly used RFID technologies and suggests implementing stronger, encrypted systems for better protection.

1. RFID Hacking
Live Free or RFID Hard
01 Aug 2013 – Black Hat USA 2013 – Las Vegas, NV
Presented by:
Francis Brown
Bishop Fox
www.bishopfox.com

2. Agenda
2
• Quick Overview
• RFID badge basics
• Hacking Tools
• Primary existing RFID hacking tools
• Badge stealing, replaying, and cloning
• Attacking badge readers and controllers directly
• Planting Pwn Plugs and other backdoors
• Custom Solution
• Arduino and weaponized commercial RFID readers
• Defenses
• Protecting badges, readers, controllers, and more
O V E R V I E W

3. Introduction/Background
3
GETTING UP TO SPEED

4. Badge Basics
4
Name Frequency Distance
Low Fequency (LF) 120kHz – 140kHz <3ft (Commonly under 1.5ft)
High Frequency (HF) 13.56MHz 3-10 ft
Ultra-High-Frequency (UHF) 860-960MHz (Regional) ~30ft
F R E Q U E N C I E S

5. Legacy 125kHz
5
S T I L L K I C K I N
80%
• “Legacy 125-kilohertz proximity technology is still in place at around
70% to 80% of all physical access control deployments in the U.S.
and it will be a long time” - Stephane Ardiley, HID Global.
• “There is no security, they’ve been hacked, there’s no protection of
data, no privacy, everything is in the clear and it’s not resistant to
sniffing or common attacks.”

6. Opposite of Progress
6
T A L K M O T I V A T I O N S
2007
2013
HID Global - Making the Leap from Prox to Contactless ID Cards
https://www.hidglobal.com/blog/making-leap-prox-contactless-id-cards

7. How a Card Is Read
7
P O I N T S O F A T T A C K
Card Reader
Controller
Wiegand output
Host PC
EthernetCard • Broadcasts 26-37 bit card number
Reader • Converts card data to “Wiegand Protocol”
for transmission to the controller
• No access decisions are made by reader
Controller • Binary card data “format” is decoded
• Makes decision to grant access (or not)
Host PC • Add/remove card holders, access privileges
• Monitor system events in real time

8. Badge Types
8
• The data on any access card is simply a string of binary numbers (ones and
zeros) of some fixed configuration and length, used to identify the cardholder
• HID makes different types of cards capable of carrying this binary data including:
• Magnetic Stripe
• Wiegand (swipe)
• 125 kHz Prox (HID & Indala)
• MIFARE contactless smart cards
• iCLASS contactless smart cards
* Multi-technology cards
H I D P R O D U C T S

9. Badge Types
9

10. Badge Basics
10
C A R D E L E M E N T S
Card – “Formats” Decoded
• Card ID Number
• Facility Code
• Site Code (occasionally)
*Note: if saw printed card number on badge, could potentially
brute force the 1-255 facility code (for Standard 26 bit card)

11. Badge Formats
11
HID ProxCard II “Formats”
• 26 – 37 bit cards
• 44 bits actually on card
• 10 hex characters
• Leading 0 usually dropped
D A T A F O R M A T S
HID Global – Understanding Card Data Formats (PDF)
http://www.hidglobal.com/documents/understandCardDataFormats_wp_en.pdf

12. Badge Formats
12
D A T A F O R M A T S

13. RFID Other Usage
13
W H E R E E L S E ?

14. RFID Hacking Tools
14
P E N T E S T T O O L K I T

15. Methodology
15
3 S T E P A P P R O A C H
1. Silently steal badge info
2. Create card clone
3. Enter and plant backdoor

16. Distance Limitations
16
A $ $ G R A B B I N G M E T H O D
Existing RFID hacking tools only work when
a few centimeters away from badge

17. Proxmark3
17
R F I D H A C K I N G T O O L S
Single button, crazy flow diagram on
lone button below
$399
• RFID Hacking swiss army knife
• Read/simulate/clone RFID cards

18. ProxBrute
18
R F I D H A C K I N G T O O L S
• Custom firmware for the Proxmark3
• Brute-force higher privileged badges,
like data center door

19. RFIDiot Scripts
19
R F I D H A C K I N G T O O L S

20. RFIDeas Tools
20
R F I D H A C K I N G T O O L S
• No software required
• Identifies card type and data
• Great for badges w/o visual
indicators of card type
$269.00

21. Tastic Solution
L O N G R A N G E R F I D S T E A L E R

22. Tastic RFID Thief
22
• Easily hide in briefcase or messenger bag,
read badges from up to 3 feet away
• Silent powering and stealing of RFID badge
creds to be cloned later using T55x7 cards
L O N G R A N G E R F I D S T E A L E R

23. Tastic RFID Thief
23
• Designed using Fritzing
• Exports to Extended-Gerber
• Order PCB at www.4pcb.com
• $33 for 1 PCB
• Much cheaper in bulk
L O N G R A N G E R F I D S T E A L E R

24. Custom PCB
24
T A S T I C R F I D T H I E F
Custom PCB – easy to plug into any type of RFID badge reader

25. Wiegand Input
25
Custom PCB – reads from Wiegand output of reader
T A S T I C R F I D T H I E F

26. Commercial Readers
26
• Indala Long-Range Reader 620
• HID MaxiProx 5375AGN00
T A S T I C R F I D T H I E F

27. Indala Cloning
27
E X A M P L E I N P R A C T I C E

28. Tastic Solution: Add-ons
28
M O D U L E S T O P O T E N T I A L L Y A D D
• Arduino NFC Shield
• Arduino BlueTooth Modules
• Arduino WiFly Shield (802.11b/g)
• Arduino GSM/GPRS shields (SMS messaging)
• WIZnet Embedded Web Server Module
• Xbee 2.4GHz Module (802.15.4 Zigbee)
• Parallax GPS Module PMB-648 SiRF
• Arduino Ethernet Shield
• Redpark - Serial-to-iPad/iPhone Cable

29. Forward Channel Attacks
29
E A V E S D R O P P I N G R F I D

30. Droppin’ Eaves
30
B A D G E B R O A D C A S T S

31. Cloner 2.0 by Paget
31
E A V E S D R O P P I N G A T T A C K
• Chris Paget talked of his tool reaching 10 feet for this type of attack
• Tool never actually released, unfortunately
• Unaware of any public tools that exist for this attack currently

32. RFID Card Cloning
32
C A R D P R O G R A M M I N G

33. Programmable Cards
33
Simulate data and behavior of any badge type
• T55x7 Cards
• Q5 cards (T5555) Emulating: HID 26bit card

34. Programmable Cards
34
Cloning to T55x7 Card using Proxmark3
• HID Prox Cloning – example:
• Indala Prox Cloning – example:

35. Reader and Controller Attacks
35
D I R E C T A P P R O A C H

36. Reader Attacks
36
J A C K E D I N
• Dump private keys, valid badge
info, and more in few seconds

37. Reader Attacks
37
G E C K O – M I T M A T T A C K
• Insert in door reader of target
building – record badge #s
• Tastic RFID Thief’s PCB could be
used similiarly for MITM attack

38. Controller Attacks
38
J A C K E D I N
Shmoocon 2012 - Attacking Proximity Card Systems - Brad Antoniewicz
http://www.shmoocon.org/2012/videos/Antoniewicsz-AttackingCardAccess.m4v

39. Backdoors and Other Fun
39
L I T T L E D I F F E R E N C E S

40. Pwn Plug
M A I N T A I N I N G A C C E S S
40

41. Pwn Plug
M A I N T A I N I N G A C C E S S
• Pwn Plug Elite: $995.00
• Power Pwn: $1,495.00
41

42. Raspberry Pi
42
M A I N T A I N I N G A C C E S S
• Raspberry Pi - credit card sized, single-board computer – cheap $35

43. Raspberry Pi
43
M A I N T A I N I N G A C C E S S
• Raspberry Pi – cheap alternative (~$35) to Pwn Plug/Power Pwn
• Pwnie Express – Raspberry Pwn
• Rogue Pi – RPi Pentesting Dropbox
• Pwn Pi v3.0

44. Little Extra Touches
44
G O A L O N G W A Y
• Fake polo shirts for target company
• Get logo from target website
• Fargo DTC515 Full Color ID Card ID Badge Printer
• ~$500 on Amazon
• Badge accessories
• HD PenCam - Mini 720p Video Camera
• Lock pick gun/set

45. Defenses
45
A V O I D B E I N G P R O B E D

46. RFID Security Resources
46
S L I M P I C K I N S . . .
• RFID Security by Syngress
• Not updated since July 2005
• NIST SP 800-98 – Securing RFID
• Not updated since April 2007
• Hackin9 Magazine – Aug 2011
• RFID Hacking, pretty decent

47. Defenses
47
R E C O M M E N D A T I O N S
• Consider implementing a more secure, active RFID
system (e.g. “contactless smart cards”) that
incorporates encryption, mutual authentication, and
message replay protection.
• Consider systems that also support 2-factor
authentication, using elements such as a PIN pad
or biometric inputs.
• Consider implementing physical security intrusion
and anomaly detection software.
HID Global - Best Practices in Access Control White Paper (PDF)
https://www.hidglobal.com/node/16181

48. Defenses
48
R E C O M M E N D A T I O N S
• Instruct employees not to wear their badges in
prominent view when outside the company premises.
• Utilize RFID card shields when the badge is not in use
to prevent drive-by card sniffing attacks.
• Physically protect the RFID badge readers by using
security screws that require special tools to remove the
cover and access security components.
• Employ the tamper detect mechanisms to prevent
badge reader physical tampering. All readers and
doors should be monitored by CCTV.

49. Defenses (Broken)
49
S O M E D O N ’ T . . . E X A M P L E . . .
USA - Green Card Sleeve
• Since May 11, 2010, new Green
Cards contain an RFID chip
• Tested Carl’s “protective sleeve”,
doesn’t block anything.
• False sense of security

50. Thank You
50
Bishop Fox – see for more info:
http://www.bishopfox.com/resources/tools/rfid-hacking/