SlideShare a Scribd company logo

RFID Security Module

C
cgvwzq

RFID Security Module

1 of 33
Download to read offline
RFID SECURITY MODULE
20th december 2017
pepe vila
@cgvwzq pepe.vila@imdea.org vwzq.net
2
• Introduction
• Readers: PM3,ACR122U,SmartPhones
• Tags: Specs + Examples
• HID,MIFARE Ultralight,Classic,Desfire EV1
• Relay Attacks
3
What is RFID?
Radio-frequency identification (RFID)
“method of uniquely identifying items using radio waves”
(Origin: distinguish enemy aircraft during WWII)
Passive
vs.
Active Tags
• LowFrequency (LF): 125-134kHz
• HighFrequency (HF): 13.56mHz
• UltraHighFrequency (UHF): 856-960mHz
4
Tons of Technologies
Keyless Cars
Authentication
Credit Cards/Payments
Vending Machines
Ticketing systems Biodevices
Tracking/Logistics
identification
5
How It Works?
[Taken from 13.56 MHz RFID Proximity Antennas (http://www.nxp.com/documents/application_note/AN78010.pdf)]
Proximity

Inductive

Coupling

Card
Proximity

Coupling

Device
6
How It Works?
(MODULATION FOR ISO-14443-2)
We will abstract from all these details,but if you are interested here is a recent and nice introduction to RF and SDR:
https://www.elttam.com.au/blog/intro-sdr-and-rf-analysis/

Recommended

Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015CODE BLUE
 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Securityamiable_indian
 
InfoSec World 2016 – RFIDiggity – Pentester Guide to Hacking HF/NFC and UHF...
	 InfoSec World 2016 – RFIDiggity – Pentester Guide to Hacking HF/NFC and UHF...	 InfoSec World 2016 – RFIDiggity – Pentester Guide to Hacking HF/NFC and UHF...
InfoSec World 2016 – RFIDiggity – Pentester Guide to Hacking HF/NFC and UHF...Bishop Fox
 
OpenCard hack (projekt chameleon)
OpenCard hack (projekt chameleon)OpenCard hack (projekt chameleon)
OpenCard hack (projekt chameleon)Tech4 Helper
 
Android NFC Workshop MobDevCon 2013
Android NFC Workshop MobDevCon 2013Android NFC Workshop MobDevCon 2013
Android NFC Workshop MobDevCon 2013James Elsey
 

More Related Content

What's hot

Ce hv6 module 60 firewall technologies
Ce hv6 module 60 firewall technologiesCe hv6 module 60 firewall technologies
Ce hv6 module 60 firewall technologiesVi Tính Hoàng Nam
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
RFID Hacking: Live Free or RFID Hard
RFID Hacking: Live Free or RFID HardRFID Hacking: Live Free or RFID Hard
RFID Hacking: Live Free or RFID HardBishop Fox
 
Forti gate 90d
Forti gate 90dForti gate 90d
Forti gate 90dhape01
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devicesYashin Mehaboobe
 
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...Positive Hack Days
 
Sergio González - WiFiSlax 4.0 [RootedCON 2010]
Sergio González - WiFiSlax 4.0 [RootedCON 2010]Sergio González - WiFiSlax 4.0 [RootedCON 2010]
Sergio González - WiFiSlax 4.0 [RootedCON 2010]RootedCON
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONLyon Yang
 
A 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCA 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCSlawomir Jasek
 
Security Level 3 (SL3) Capabilities
Security Level 3 (SL3) CapabilitiesSecurity Level 3 (SL3) Capabilities
Security Level 3 (SL3) CapabilitiesNXP MIFARE Team
 
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st SessionBeginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st Sessionveerababu penugonda(Mr-IoT)
 
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23Chase Schultz
 
Feasibility of Security in Micro-Controllers
Feasibility of Security in Micro-ControllersFeasibility of Security in Micro-Controllers
Feasibility of Security in Micro-Controllersardiri
 

What's hot (19)

Ce hv6 module 60 firewall technologies
Ce hv6 module 60 firewall technologiesCe hv6 module 60 firewall technologies
Ce hv6 module 60 firewall technologies
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
 
RFID Hacking: Live Free or RFID Hard
RFID Hacking: Live Free or RFID HardRFID Hacking: Live Free or RFID Hard
RFID Hacking: Live Free or RFID Hard
 
Forti gate 90d
Forti gate 90dForti gate 90d
Forti gate 90d
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devices
 
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
 
Sergio González - WiFiSlax 4.0 [RootedCON 2010]
Sergio González - WiFiSlax 4.0 [RootedCON 2010]Sergio González - WiFiSlax 4.0 [RootedCON 2010]
Sergio González - WiFiSlax 4.0 [RootedCON 2010]
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
 
A 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCA 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFC
 
Security Level 3 (SL3) Capabilities
Security Level 3 (SL3) CapabilitiesSecurity Level 3 (SL3) Capabilities
Security Level 3 (SL3) Capabilities
 
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st SessionBeginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
 
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
 
07security
07security07security
07security
 
SL1SL3 MixMode Feature
SL1SL3 MixMode FeatureSL1SL3 MixMode Feature
SL1SL3 MixMode Feature
 
IoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreIoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangalore
 
Feasibility of Security in Micro-Controllers
Feasibility of Security in Micro-ControllersFeasibility of Security in Micro-Controllers
Feasibility of Security in Micro-Controllers
 
Firmware analysis 101
Firmware analysis 101Firmware analysis 101
Firmware analysis 101
 
Fred server
Fred serverFred server
Fred server
 
Transaction MAC Feature
Transaction MAC FeatureTransaction MAC Feature
Transaction MAC Feature
 

Similar to RFID Security Module

Electronic Access Control Security / Безопасность электронных систем контроля...
Electronic Access Control Security / Безопасность электронных систем контроля...Electronic Access Control Security / Безопасность электронных систем контроля...
Electronic Access Control Security / Безопасность электронных систем контроля...Positive Hack Days
 
Internet Of Things: Hands on: YOW! night
Internet Of Things: Hands on: YOW! nightInternet Of Things: Hands on: YOW! night
Internet Of Things: Hands on: YOW! nightAndy Gelme
 
Chapter 7 security tools i
Chapter 7   security tools iChapter 7   security tools i
Chapter 7 security tools iSyaiful Ahdan
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
IoT LPWAN network security: Sigfox and LoRaWAN (Mikael Falkvidd @ Knowit secu...
IoT LPWAN network security: Sigfox and LoRaWAN (Mikael Falkvidd @ Knowit secu...IoT LPWAN network security: Sigfox and LoRaWAN (Mikael Falkvidd @ Knowit secu...
IoT LPWAN network security: Sigfox and LoRaWAN (Mikael Falkvidd @ Knowit secu...Mikael Falkvidd
 
TULIPP overview
TULIPP overviewTULIPP overview
TULIPP overviewTulipp. Eu
 
Leverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsLeverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsCisco Canada
 
Industrial Pioneers Days - Machine Learning
Industrial Pioneers Days - Machine LearningIndustrial Pioneers Days - Machine Learning
Industrial Pioneers Days - Machine LearningVEDLIoT Project
 
microcontrollersstm32wlseriesproductwebinarpresentation1625231766205.pdf
microcontrollersstm32wlseriesproductwebinarpresentation1625231766205.pdfmicrocontrollersstm32wlseriesproductwebinarpresentation1625231766205.pdf
microcontrollersstm32wlseriesproductwebinarpresentation1625231766205.pdfadfadfadf
 
NFC: Naked Fried Chicken (PHDays VI)
NFC: Naked Fried Chicken (PHDays VI)NFC: Naked Fried Chicken (PHDays VI)
NFC: Naked Fried Chicken (PHDays VI)Opposing Force S.r.l.
 
New use cases thanks to adding crypto to RFID tags
New use cases thanks to adding crypto to RFID tagsNew use cases thanks to adding crypto to RFID tags
New use cases thanks to adding crypto to RFID tagsIhar Bayarenka
 
Meetup -- RFID
Meetup -- RFIDMeetup -- RFID
Meetup -- RFIDKevin2600
 
Coco co-desing and co-verification of masked software implementations on cp us
Coco   co-desing and co-verification of masked software implementations on cp usCoco   co-desing and co-verification of masked software implementations on cp us
Coco co-desing and co-verification of masked software implementations on cp usRISC-V International
 

Similar to RFID Security Module (20)

09
0909
09
 
Electronic Access Control Security / Безопасность электронных систем контроля...
Electronic Access Control Security / Безопасность электронных систем контроля...Electronic Access Control Security / Безопасность электронных систем контроля...
Electronic Access Control Security / Безопасность электронных систем контроля...
 
Internet Of Things: Hands on: YOW! night
Internet Of Things: Hands on: YOW! nightInternet Of Things: Hands on: YOW! night
Internet Of Things: Hands on: YOW! night
 
Chapter 7 security tools i
Chapter 7   security tools iChapter 7   security tools i
Chapter 7 security tools i
 
D4 Project Presentation
D4 Project PresentationD4 Project Presentation
D4 Project Presentation
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
 
RFID/NFC for the Masses
RFID/NFC for the MassesRFID/NFC for the Masses
RFID/NFC for the Masses
 
IoT LPWAN network security: Sigfox and LoRaWAN (Mikael Falkvidd @ Knowit secu...
IoT LPWAN network security: Sigfox and LoRaWAN (Mikael Falkvidd @ Knowit secu...IoT LPWAN network security: Sigfox and LoRaWAN (Mikael Falkvidd @ Knowit secu...
IoT LPWAN network security: Sigfox and LoRaWAN (Mikael Falkvidd @ Knowit secu...
 
SFScon19 - Francesco La Spina -7 Steps to Industry 40
SFScon19 - Francesco La Spina -7 Steps to Industry 40SFScon19 - Francesco La Spina -7 Steps to Industry 40
SFScon19 - Francesco La Spina -7 Steps to Industry 40
 
Sectools
SectoolsSectools
Sectools
 
aaa
aaaaaa
aaa
 
TULIPP overview
TULIPP overviewTULIPP overview
TULIPP overview
 
Leverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsLeverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage Threats
 
Industrial Pioneers Days - Machine Learning
Industrial Pioneers Days - Machine LearningIndustrial Pioneers Days - Machine Learning
Industrial Pioneers Days - Machine Learning
 
microcontrollersstm32wlseriesproductwebinarpresentation1625231766205.pdf
microcontrollersstm32wlseriesproductwebinarpresentation1625231766205.pdfmicrocontrollersstm32wlseriesproductwebinarpresentation1625231766205.pdf
microcontrollersstm32wlseriesproductwebinarpresentation1625231766205.pdf
 
NFC: Naked Fried Chicken (PHDays VI)
NFC: Naked Fried Chicken (PHDays VI)NFC: Naked Fried Chicken (PHDays VI)
NFC: Naked Fried Chicken (PHDays VI)
 
New use cases thanks to adding crypto to RFID tags
New use cases thanks to adding crypto to RFID tagsNew use cases thanks to adding crypto to RFID tags
New use cases thanks to adding crypto to RFID tags
 
Meetup -- RFID
Meetup -- RFIDMeetup -- RFID
Meetup -- RFID
 
Rfid Basics Qed
Rfid Basics QedRfid Basics Qed
Rfid Basics Qed
 
Coco co-desing and co-verification of masked software implementations on cp us
Coco   co-desing and co-verification of masked software implementations on cp usCoco   co-desing and co-verification of masked software implementations on cp us
Coco co-desing and co-verification of masked software implementations on cp us
 

Recently uploaded

killing camp 주차장 나누기-2 topology sort.pdf
killing camp 주차장 나누기-2 topology sort.pdfkilling camp 주차장 나누기-2 topology sort.pdf
killing camp 주차장 나누기-2 topology sort.pdfssuser82c38d
 
Cybersecurity Measures For Remote Workers.pdf
Cybersecurity Measures For Remote Workers.pdfCybersecurity Measures For Remote Workers.pdf
Cybersecurity Measures For Remote Workers.pdfCIOWomenMagazine
 
Design pattern talk by Kaya Weers - 2024
Design pattern talk by Kaya Weers - 2024Design pattern talk by Kaya Weers - 2024
Design pattern talk by Kaya Weers - 2024Kaya Weers
 
How AI is preventing account fraud at web scale
How AI is preventing account fraud at web scaleHow AI is preventing account fraud at web scale
How AI is preventing account fraud at web scaleAmir Moghimi
 
LLMOps with Azure Machine Learning prompt flow
LLMOps with Azure Machine Learning prompt flowLLMOps with Azure Machine Learning prompt flow
LLMOps with Azure Machine Learning prompt flowNaoki (Neo) SATO
 
Workshop híbrido: Stream Processing con Flink
Workshop híbrido: Stream Processing con FlinkWorkshop híbrido: Stream Processing con Flink
Workshop híbrido: Stream Processing con Flinkconfluent
 
Implementing Docker Containers with Windows Server 2019
Implementing Docker Containers with Windows Server 2019Implementing Docker Containers with Windows Server 2019
Implementing Docker Containers with Windows Server 2019VICTOR MAESTRE RAMIREZ
 
Open Source vs Closed Source LLMs. Pros and Cons
Open Source vs Closed Source LLMs. Pros and ConsOpen Source vs Closed Source LLMs. Pros and Cons
Open Source vs Closed Source LLMs. Pros and ConsSprings
 
Automation for Bonterra Impact Management (fka Apricot)
Automation for Bonterra Impact Management (fka Apricot)Automation for Bonterra Impact Management (fka Apricot)
Automation for Bonterra Impact Management (fka Apricot)Jeffrey Haguewood
 
Agile & Scrum, Certified Scrum Master! Crash Course
Agile & Scrum,  Certified Scrum Master! Crash CourseAgile & Scrum,  Certified Scrum Master! Crash Course
Agile & Scrum, Certified Scrum Master! Crash CourseRohan Chandane
 
Globus for System Administrators
Globus for System AdministratorsGlobus for System Administrators
Globus for System AdministratorsGlobus
 
Joseph Yoder : Being Agile about Architecture
Joseph Yoder : Being Agile about ArchitectureJoseph Yoder : Being Agile about Architecture
Joseph Yoder : Being Agile about ArchitectureHironori Washizaki
 
Alluxio Monthly Webinar | Why a Multi-Cloud Strategy Matters for Your AI Plat...
Alluxio Monthly Webinar | Why a Multi-Cloud Strategy Matters for Your AI Plat...Alluxio Monthly Webinar | Why a Multi-Cloud Strategy Matters for Your AI Plat...
Alluxio Monthly Webinar | Why a Multi-Cloud Strategy Matters for Your AI Plat...Alluxio, Inc.
 
No more Dockerfiles? Buildpacks to help you ship your image!
No more Dockerfiles? Buildpacks to help you ship your image!No more Dockerfiles? Buildpacks to help you ship your image!
No more Dockerfiles? Buildpacks to help you ship your image!Anthony Dahanne
 
Machine Learning Basics for Dummies (no math!)
Machine Learning Basics for Dummies (no math!)Machine Learning Basics for Dummies (no math!)
Machine Learning Basics for Dummies (no math!)Dmitry Zinoviev
 
killingcamp longest common subsequence.pdf
killingcamp longest common subsequence.pdfkillingcamp longest common subsequence.pdf
killingcamp longest common subsequence.pdfssuser82c38d
 
Welcome to AltTask - the nexus where innovation converges with empowerment!
Welcome to AltTask - the nexus where innovation converges with empowerment!Welcome to AltTask - the nexus where innovation converges with empowerment!
Welcome to AltTask - the nexus where innovation converges with empowerment!alttaskcom
 
CSS Notes in PDF, Easy to understand. For beginner to advanced. ...
CSS Notes in PDF, Easy to understand. For beginner to advanced.              ...CSS Notes in PDF, Easy to understand. For beginner to advanced.              ...
CSS Notes in PDF, Easy to understand. For beginner to advanced. ...syedfaisal759877
 
Passbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managmentPassbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managmentThierry Gayet
 

Recently uploaded (20)

killing camp 주차장 나누기-2 topology sort.pdf
killing camp 주차장 나누기-2 topology sort.pdfkilling camp 주차장 나누기-2 topology sort.pdf
killing camp 주차장 나누기-2 topology sort.pdf
 
Cybersecurity Measures For Remote Workers.pdf
Cybersecurity Measures For Remote Workers.pdfCybersecurity Measures For Remote Workers.pdf
Cybersecurity Measures For Remote Workers.pdf
 
Design pattern talk by Kaya Weers - 2024
Design pattern talk by Kaya Weers - 2024Design pattern talk by Kaya Weers - 2024
Design pattern talk by Kaya Weers - 2024
 
How AI is preventing account fraud at web scale
How AI is preventing account fraud at web scaleHow AI is preventing account fraud at web scale
How AI is preventing account fraud at web scale
 
LLMOps with Azure Machine Learning prompt flow
LLMOps with Azure Machine Learning prompt flowLLMOps with Azure Machine Learning prompt flow
LLMOps with Azure Machine Learning prompt flow
 
2024 Trends Transforming Enterprise Resource Planning
2024 Trends Transforming Enterprise Resource Planning2024 Trends Transforming Enterprise Resource Planning
2024 Trends Transforming Enterprise Resource Planning
 
Workshop híbrido: Stream Processing con Flink
Workshop híbrido: Stream Processing con FlinkWorkshop híbrido: Stream Processing con Flink
Workshop híbrido: Stream Processing con Flink
 
Implementing Docker Containers with Windows Server 2019
Implementing Docker Containers with Windows Server 2019Implementing Docker Containers with Windows Server 2019
Implementing Docker Containers with Windows Server 2019
 
Open Source vs Closed Source LLMs. Pros and Cons
Open Source vs Closed Source LLMs. Pros and ConsOpen Source vs Closed Source LLMs. Pros and Cons
Open Source vs Closed Source LLMs. Pros and Cons
 
Automation for Bonterra Impact Management (fka Apricot)
Automation for Bonterra Impact Management (fka Apricot)Automation for Bonterra Impact Management (fka Apricot)
Automation for Bonterra Impact Management (fka Apricot)
 
Agile & Scrum, Certified Scrum Master! Crash Course
Agile & Scrum,  Certified Scrum Master! Crash CourseAgile & Scrum,  Certified Scrum Master! Crash Course
Agile & Scrum, Certified Scrum Master! Crash Course
 
Globus for System Administrators
Globus for System AdministratorsGlobus for System Administrators
Globus for System Administrators
 
Joseph Yoder : Being Agile about Architecture
Joseph Yoder : Being Agile about ArchitectureJoseph Yoder : Being Agile about Architecture
Joseph Yoder : Being Agile about Architecture
 
Alluxio Monthly Webinar | Why a Multi-Cloud Strategy Matters for Your AI Plat...
Alluxio Monthly Webinar | Why a Multi-Cloud Strategy Matters for Your AI Plat...Alluxio Monthly Webinar | Why a Multi-Cloud Strategy Matters for Your AI Plat...
Alluxio Monthly Webinar | Why a Multi-Cloud Strategy Matters for Your AI Plat...
 
No more Dockerfiles? Buildpacks to help you ship your image!
No more Dockerfiles? Buildpacks to help you ship your image!No more Dockerfiles? Buildpacks to help you ship your image!
No more Dockerfiles? Buildpacks to help you ship your image!
 
Machine Learning Basics for Dummies (no math!)
Machine Learning Basics for Dummies (no math!)Machine Learning Basics for Dummies (no math!)
Machine Learning Basics for Dummies (no math!)
 
killingcamp longest common subsequence.pdf
killingcamp longest common subsequence.pdfkillingcamp longest common subsequence.pdf
killingcamp longest common subsequence.pdf
 
Welcome to AltTask - the nexus where innovation converges with empowerment!
Welcome to AltTask - the nexus where innovation converges with empowerment!Welcome to AltTask - the nexus where innovation converges with empowerment!
Welcome to AltTask - the nexus where innovation converges with empowerment!
 
CSS Notes in PDF, Easy to understand. For beginner to advanced. ...
CSS Notes in PDF, Easy to understand. For beginner to advanced.              ...CSS Notes in PDF, Easy to understand. For beginner to advanced.              ...
CSS Notes in PDF, Easy to understand. For beginner to advanced. ...
 
Passbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managmentPassbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managment
 

RFID Security Module

  • 1. RFID SECURITY MODULE 20th december 2017 pepe vila @cgvwzq pepe.vila@imdea.org vwzq.net
  • 2. 2 • Introduction • Readers: PM3,ACR122U,SmartPhones • Tags: Specs + Examples • HID,MIFARE Ultralight,Classic,Desfire EV1 • Relay Attacks
  • 3. 3 What is RFID? Radio-frequency identification (RFID) “method of uniquely identifying items using radio waves” (Origin: distinguish enemy aircraft during WWII) Passive vs. Active Tags • LowFrequency (LF): 125-134kHz • HighFrequency (HF): 13.56mHz • UltraHighFrequency (UHF): 856-960mHz
  • 4. 4 Tons of Technologies Keyless Cars Authentication Credit Cards/Payments Vending Machines Ticketing systems Biodevices Tracking/Logistics identification
  • 5. 5 How It Works? [Taken from 13.56 MHz RFID Proximity Antennas (http://www.nxp.com/documents/application_note/AN78010.pdf)] Proximity
 Inductive
 Coupling
 Card Proximity
 Coupling
 Device
  • 6. 6 How It Works? (MODULATION FOR ISO-14443-2) We will abstract from all these details,but if you are interested here is a recent and nice introduction to RF and SDR: https://www.elttam.com.au/blog/intro-sdr-and-rf-analysis/
  • 7. 7 vs Near Field Communication is a RFID technology “NFC standards cover communications protocols and data exchange formats and are based on existing radio-frequency identification (RFID) standards including ISO/IEC 14443 and FeliCa." Builds upon HF RFID (13.56mHz) Usually restricted to ~10cm range (closeness = inherent security?) Some NFC devices can operate in P2P mode or be emulated
  • 8. 8 Readers PROXMARK 3 ACR122u Android SmartPhones
  • 9. 9 Proxmark 3 Fully OpenSource: https://github.com/Proxmark/proxmark3 Support for LF and HF FPGA + ARM for modulation/demodulation and coding/decoding Active Community: http://www.proxmark.org/forum/index.php Costs 200-300eur
  • 10. 10 ACR122U NFC Tools: http://nfc-tools.org/index.php?title=ACR122 Basic NFC USB READER Only HF (13.56mHz) Support for a few specs (iso 14443 a/b,MIFARE,FeliCa…) Cost ~20eur OpenSource libraries (like LibNFC[https://github.com/nfc-tools/libnfc] ) Compatible with Android
  • 11. No Cost if you already have one… NXP PN5xx vs.BCM2079x Chips Play Store Recommended Apps: NFC Tag Info https://play.google.com/store/apps/details?id=at.mroland.android.apps.nfctaginfo&hl=en UltraManager Lite https://play.google.com/store/apps/details?id=io.github.darkjoker.ultramanagerlite&hl=en MIFARE DESFire EV1 NFC Tool https://play.google.com/store/apps/details?id=com.skjolberg.mifare.desfiretool&hl=en Credit Card Reader NFC (EMV) https://play.google.com/store/apps/details?id=com.github.devnied.emvnfccard&hl=en Real ID https://play.google.com/store/apps/details?id=nl.innovalor.nfciddocshowcase&hl=en 11 Android SmartPhones
  • 14. 14 The NFC zoo Mirror: http://vwzq.net/download/nfczoo.pdf
  • 15. 15 ISO/IEC-14443 A/B Specification (most common in Europe and USA) • ISO/IEC 14443-1:2016 Part 1: Physical characteristics • ISO/IEC 14443-2:2016 Part 2: Radio frequency power and signal interface • ISO/IEC 14443-3:2016 Part 3: Initialization and anticollision • ISO/IEC 14443-4:2016 Part 4: Transmission protocol ISO specs are not free,by default…
  • 16. 16 a few more… • ISO/IEC 15693 (vicinity cards) • FeliCa (by Sony was proposed for ISO-14443 Type C) • LOTS OF PROPRIETARY PROTOCOLS (like NXPs) NFCIP (or ECMA 352 & 340)
  • 17. 17 OSINT(Open Source Intelligence) First step of an investigation is data gathering: - DataSheets (http://www.datasheetcatalog.com/) - Specifications - Patents (https://www.google.com/patents) - News (photos) - … Google Dorks (e.g.: filetype:pdf) can help a lot! You would be surprised of how much info there is exposed on manufacturers web pages (DataSheets, internal docs,screenshots of internal tools,software…)
  • 18. 18 Let's see some tags •HID Prox •MIFARE Ultralight •MIFARE Classic •MIFARE Desfire EV1
  • 19. 19 predominant in identification and access control Lower read range and communication speed Low-cost and low-security with simple UIDs or KEYs Some Examples: • EM4x • ATA55xx/T55xx • HID Prox • HiTag2 (used by cars: https://www.usenix.org/system/files/conference/usenixsecurity12/ sec12-final95.pdf) Interesting: t5577 have multiple parameters allowing to emulate/ simulate other tags RFID hacking with the Proxmark 3: https://blog.kchung.co/rfid-hacking-with-the-proxmark-3/ LF Tags
  • 20. 20 Tag Example: HID Prox HID Prox TAG ID: 020f58dd777 HID cards store 44 bits (11 hex digits) (start always with“02”for Customer Code) Sales Order Number (next to Card Number) 00000010 00 00111101011000110 1110101110111011 1 Customer Padding Facility Card Number P
 02 31430                60347 Data formats: http://www.proxmark.org/files/proxclone.com/ iCLASS%20Wiegand%20Data%20Formats_26-37.pdf (Online Calculator: https://www.brivo.com/support/card-calculator) Only secret Support for many data formats. The only question is which one… This seems to be Quadrakey (by Honeywell),which is equivalent to Wiegand 34-bit (N10002):
  • 21. 21 Exercise: Read MIFARE Ultralight Specification Tag Example: Ultralight HF Low-Cost No crypto Built in top of ISO-14443-3A 512 bits of memory (16 pages x 4 bytes): • 80 bits manufacturer + 16 bits config • 32 OTP bits + 384 bits for r/w data
  • 22. 22 Online vs.Offline systems: - on: Higher control and security - off: More expensive installation,not always possible No data stored-> no need to reverse engineer Possible to clone UID by using special tags (~10 eur) also possible to emulate (and brute force)… Tag Example: Ultralight
  • 23. 23 2001: MIFARE Ultralight introduced https://www.nxp.com/docs/en/data-sheet/MF0ICU1.pdf 2008: MIFARE Ultralight C (support for Triple DES Authentication) https://www.nxp.com/docs/en/data-sheet/MF0ICU2.pdf 2012: MIFARE Ultralight EV1 (backwards compatible with extra security) https://www.nxp.com/docs/en/data-sheet/MF0ULX1.pdf Tag Example: Ultralight
  • 24. 24 Classic Introduced in 1994 (NXP previously known as Philips) Communication layer based on ISO 14443 Proprietary crypto (security by obscurity always ends badly…) CRYPTO1 by NXP Semiconductors More than 3.5 billion cards produced 1k version: 1024 bytes split into 16 sectors 4k version: 4096 bytes split into 40 sectors Keys: 6 bytes Access control: 3 bits Data block: 16 bytes Tag Example: Classic
  • 25. 25 Dec 2007-Nohl et al.partial RE in CCC (https://www.youtube.com/watch?v=QJyxUvMGLr0) (from: https://events.ccc.de/congress/2007/Fahrplan/events/2378.en.html) Classic Crypto 1: Stream Cipher weakness on pseudorandom generator,the 32-bit nonces used for authentication have only 16 bits of entropy More: http://www.cs.ru.nl/~flaviog/ publications/Attack.MIFARE.pdf Tag Example: Classic
  • 26. 26 March 2008-Research group from Radbond University completely Reverse Engineered the Crypto-1 cipher Paper: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.437.2501&rep=rep1&type=pdf Slides: http://www.sos.cs.ru.nl/applications/rfid/2008-esorics-slides.pdf Card only attack! (critical) NXP tried to stop the disclosure…Court decides to allow publication Oct 2008-Crypto-1 implementation is open sourced MIFARE Plus announced as a drop-in replacement based on 128-bit AES new"hardened"cards have been released in and around 2011 (MIFARE Classic EV1),not susceptible to previous known card-only attacks 2015: Card Only attacks against hardened MIFARE Classic: http://cs.ru.nl/~rverdult/Ciphertext- only_Cryptanalysis_on_Hardened_Mifare_Classic_Cards-CCS_2015.pdf Classic Tag Example: Classic
  • 27. 27 Public Attack Implementations: • Nested Attack: mfoc Src: https://github.com/nfc-tools/mfoc Slides: https://nethemba.com/resources/mifare-classic-slides.pdf • Dark-side Attack: mfcuk Src: https://github.com/nfc-tools/mfcuk Paper: https://eprint.iacr.org/2009/137.pdf Classic Tag Example: Classic
  • 28. 28 DESFire Introduced in 2002 • 3DES with 4KB of storage • AES (2,4 or 8KB; see MIFARE DESFire EV1) Protocol compliant with ISO-14443-4 Supports“native commands”AND ISO-7816 APDUs (Smart Card Application Protocol Data Unit) Tag Example: DESFire
  • 29. 29 DESFire Wide Set of Commands: SELECT, READ/WRITE BINARY, GET DATA, GET CHALLENGE, GENERATE APP CRYPTOGRAM… Used to interact with Smart Card Applications and the FileSystem Select Application (or Directory File) by its AID (3 bytes) List File IDs and Key Settings 3 access levels: PICC or Card level,application level and file level Keys also used for establishing a session key and encrypt communication More details: https://brage.bibsys.no/xmlui/bitstream/handle/11250/262988/742061_FULLTEXT01.pdf (section 3) Tag Example: DESFire
  • 30. 30 2011-MIFARE DESFire (MF3ICD40) vulnerable to Correlation Power Analysis side-channel attack Breaking mifare DESFire MF3ICD40: power analysis and templates in the real world http://www.emsec.rub.de/media/crypto/veroeffentlichungen/2011/10/10/ desfire_2011_extended_1.pdf “The full key recovery attack takes ~250,000 traces,which require about 7 hours to collect.” NXP's response: https://www.mifare.net/update-on-mifare-desfire-mf3icd40/ DESFire Discontinued in favour of DESFire EV1 (introduced in 2008 Common Criteria EAL 4+) Tag Example: DESFire
  • 31. 31 DESFire No known attacks against DESFire EV1,only a recent study: 201 7-“Bias in the MIFARE DESFire EV1 TRNG”by D Hurley-Smith Relay Attack = violates the“closeness”assumption (Masther thesis on DESFire Ev1 relay: https://brage.bibsys.no/xmlui/bitstream/handle/ 11250/262988/742061_FULLTEXT01.pdf) MIFARE DESFire EV2 introduced in 2016 with a proximity check John Conway (1976) relay of a correspondence chess game Tag Example: DESFire
  • 32. 32 Relay Attacks NFC relay attacks with Android mobile devices http://vwzq.net/relaynfc/ Mitigation- Distance Bounding Protocols (establish bounds based on timing delays) (https://www.youtube.com/watch?v=qMQc_snB_yE)
  • 33. 33 Interesting Links NFC Glossary: https://www.nfc-research.at/index.php@id=40.html RFID Handbook: Fundamentals and Applications in Contactless Smart Cards,Radio Frequency Identification and Near-Field Communication Proxmark 3 forum: http://www.proxmark.org/forum/index.php RFIDIDIOt (Python lib): http://rfidiot.org/ Chasing Cars: Keyless Entry System Attacks https://conference.hitb.org/hitbsecconf2017ams/sessions/chasing-cars- keyless-entry-system-attacks/ A few more not so RFID… OpenSesame: http://samy.pl/opensesame/ Injecting RDS-TMC Traffic Information Signals: https://github.com/abarisani/abarisani.github.io/tree/master/ research/rds (video: https://www.youtube.com/watch?v=xgGgRKi1CGo)