Electronic Access Control Security

Presenter: Matteo Beccaro

The workshop is devoted to exploiting vulnerabilities in electronic access control systems. The presenter covers the most common technologies, their vulnerabilities and the possible ways of attacking them. Participants who manage to carry out an attack will receive Opposing Force hardware gadgets.

Slide 1: Electronic Access Control Security
Matteo Beccaro || May 17th, 2016

Slide 2: Me
• Matteo Beccaro
• Founder & Chief Technology Officer at Opposing Force
• The first Italian company specialized in offensive physical security
• Twitter: @_bughardy_ | @_opposingforce

Slide 3: What do you need?
Download the zip: <zip url>
Inside you'll find:
• VM with all tools and libraries for the hands-on part
• VirtualBox installer
• VirtualBox guest additions
username: opposingforce
password: opfor2016

Slide 4: Agenda
• Module 1: Introduction
  • Historical introduction on access control attacks
• Module 2: Attacking NFC
  • NFC: what are we talking about?
  • Weapons for NFC-based solutions
  • Penetration test methodology
  • Hands-on
  • Case studies

Slide 5: Agenda
• Module 3: Attacking RF communications
  • Radio Frequency and EAC Systems
  • Exploring Radio Frequency communication in practice
  • Hands-on: receiving your first transmission
  • SIGINT with GNU Radio
  • Understanding RF communication security
• Module 4: The Challenge
  • Introduction
  • The challenge
  • Awards :)

Slide 6: Agenda: Module 1: Introduction

Slide 7: Introduction
• What was an Access Control system?

Slide 8: Introduction
• First access control hackers? Magicians

Slide 9: Introduction
• First access control hackers? Social Engineers

Slide 10: Introduction
• What is an Access Control system?

Slide 11: Introduction
What is an Electronic Access Control system?
• It may employ different technologies:
  • NFC
  • RF
  • Biometrics
  • Mag-stripe
  • Mobile phones
  • etc.

Slide 12: Agenda: Module 2: Attacking NFC

Slide 13: Agenda (Module 2: Attacking NFC, items as on slide 4)

Slide 14: What is NFC?
• NFC stands for Near Field Communication
• Frequency at 13.56 MHz
• 3-5 cm of range
• Widely used for:
  • Access control systems
  • Electronic ticketing systems
  • Mobile phone applications

Slide 15: Notorious NFC families
• MIFARE
  • MIFARE Classic
  • MIFARE Ultralight
  • MIFARE DESFire
• HID iClass
• Calypso
• FeliCa

Slide 16: MIFARE Classic
• 1-4 KB memory storage device
• Strong access control mechanisms
• A key is required to access data sectors
• Use of the Crypto1 (a.k.a. "Crapto1") algorithm
• Sadly broken..
• ..but still so widely used (!): RFID door tokens, transport tickets, etc.

Slide 17: MIFARE Ultralight
• 64 byte memory storage device
• Basic security mechanisms
  • OTP (One-Time-Programmable) sector
  • Lock bytes sector
• Mostly used for disposable tickets
• It has some more secure children:
  • Ultralight C
  • Ultralight EV
Slide 18: MIFARE DESFire
• 2 KB, 4 KB or 8 KB memory size
• Advanced security mechanisms (3DES, AES, etc.)
• File system structure is supported
• Several variants are available:
  • DESFire
  • DESFire EV1
  • DESFire EV2

Slide 19: HID iClass
• The same encryption and authentication keys are shared across every HID iClass Standard Security installation (!)
• Keys have already been extracted (!!)
• Two variants:
  • iClass Standard (very common)
  • iClass High Secure (not that common)
• Both variants are BROKEN

Slide 20: NFC-based Electronic Access Control systems
• We need to create a common methodology
• We need tools to effectively assess these systems
• We need secure architectures as references and best practices

Slide 21: NFC-based Electronic Access Control systems (diagram only)

Slide 22: The token
• Usually an NFC card:
  • MIFARE Ultralight
  • MIFARE Classic
  • HID
• The card can store:
  • Timestamp of the last stamping
  • Details on the location where we used the token
  • Credentials, access level, etc.

Slide 23: The token
• What about MIFARE Classic? It is just BROKEN
• What about MIFARE Ultralight? Well, it's bleeding..
  • Lock attack
  • Time attack
  • Replay attack..
• HID: BROKEN, again

Slide 24: Readers
• Can operate offline or online
• Wired or wirelessly connected to the controller: RS232, Ethernet, etc.
• Usually support multiple standards
• Can store secrets and keys used for authentication
• Usually a reader:
  • Reads token(s) data
  • Sends token data to the controller
  • Gives feedback

Slide 25: Controller
• Connected both to readers and backend: Wiegand, Ethernet, RS232
• Receives data from the reader
• Supports multiple readers
• Sends the data to the backend
• Opens the door or denies access

Slide 26: The backend
• It can be cloud-based or not
• Usually wired: RS232, Ethernet, etc.
• Performs multiple operations:
  • Provides the token validation "logic"
  • Statistics
  • Logs

Slide 27: Agenda (Module 2: Attacking NFC, items as on slide 4)

Slide 28: Tools of the trade
• HydraNFC
• ProxMark3
• ChameleonMini
• NFCulT

Slide 29: HydraNFC
• HydraNFC (~90 €)
• http://hydrabus.com/hydranfc-1-0-specifications/
• Uses the Texas Instruments TRF7970A NFC chipset (13.56 MHz only)
• MIFARE 1k and 14443A UID emulation
• ISO 14443A sniffing (also autonomous mode)
• 2 different raw modes

Slide 30: ProxMark3
• ProxMark3 (~200 €)
• HF and LF capabilities
• Very large community: http://proxmark.org/forum/index.php
• Supports almost every known RFID tag
• Supports sniffing and emulation

Slide 31: ChameleonMini
• ChameleonMini (~100 €)
• http://kasper-oswald.de/gb/chameleonmini/
• HF (13.56 MHz) only
• Almost the same capabilities as HydraNFC
• Different chipset
• The firmware is only available for the old revision

Slide 32: Opposing Force's own weapon
• NFCulT (~0 €)
• Aimed at ticketing systems, can also be used for generic EAC systems
• Mobile app for NFC-enabled Android smartphones
• Implements Lock, Time and Replay attacks
• A "custom edit mode" is available for bit-by-bit data editing
• The app currently supports the MIFARE Ultralight format only
• MIFARE Classic support will be released during summer 2016

Slide 33: The custom editing feature
• The feature is useful to better understand the structure of the data stored on the token
• Quick encoding from hex to bin and back
• The app allows bit-by-bit editing of token data
Slide 34: What are we looking for? (diagram only)

Slide 35: Agenda (Module 2: Attacking NFC, items as on slide 4)

Slide 36: The token
Attack surface | Attacks to perform | Impact
NFC interface | Analyze the authentication mechanisms | Secrets extraction, MITM attacks
Hardware board | Side channel attacks | Secrets dumping or guessing
Memory | Assess logic vulnerabilities in the implementation | Bypass security mechanisms

Slide 37: What are we looking for? (diagram only)

Slide 38: The reader
Attack surface | Attacks to perform | Impact
NFC interface | Analyze the authentication mechanisms | Secrets extraction, MITM attacks
Hardware board | Analyze the exposed interfaces (JTAG, UART, etc.) | Firmware or secrets dumping
Eth, Wiegand, etc. | Is MITM possible? Intercepting the exchanged data | Intercepting secrets or sensitive data

Slide 39: What are we looking for? (diagram only)

Slide 40: The controller
Attack surface | Attacks to perform | Impact
Hardware board | Analyze the exposed interfaces (JTAG, UART, etc.) | Firmware or secrets dumping
Eth, serial, etc. interfaces | Is MITM possible? Intercepting the data | Intercepting secrets or sensitive data
Computer application | Analyzing exposed network services | Complete control of the machine (e.g. add new users)

Slide 41: What are we looking for? (diagram only)

Slide 42: The backend
Attack surface | Attacks to perform | Impact
Web application(s) | Classic web app-related attacks | Data exfiltration, service interruption, etc.
Network service(s) | Classic network service-related attacks | Data exfiltration, service interruption, etc.
Physical location | Try to get physical access to the servers | Basically, heavily PWNED

Slide 43: What are we looking for? (diagram only)

Slide 44: Agenda (Module 2: Attacking NFC, items as on slide 4)

Slide 45: Agenda: Fire up your VM

Slide 46: Agenda (Module 2: Attacking NFC, items as on slide 4)

Slide 47: MIFARE Ultralight ticketing system (diagram only)

Slide 48: MIFARE Ultralight ticketing system (diagram only)

Slide 49: MIFARE Ultralight ticketing system
• The lock bit for the OTP sector is not checked by the stamping machine
• Absence of a UID blacklist in the backend
• Timestamps are neither encrypted nor signed
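As an added illustration of the three findings on slide 49 (this is not code from the workshop, from NFCulT, or from any ticketing vendor), the following Python sketches the checks a stamping machine and its backend can apply: refuse a ticket whose OTP page is already locked, read the OTP page back after burning a ride instead of trusting the write, consult a UID blacklist, and sign the timestamp so it cannot be edited in place. The tag is simulated in memory using the MIFARE Ultralight page and lock-byte layout (16 pages of 4 bytes, lock bytes in page 2, OTP in page 3); the stamping key, the pages chosen for the timestamp and signature, the UID and the times are assumptions made for the example.

```python
"""Defensive checks for a MIFARE Ultralight ticketing system (added example).

The tag below is simulated in memory; the stamping key, timestamp page,
signature pages, UID and times are assumptions made for this example.
"""
import hashlib
import hmac

PAGE_SIZE, PAGES = 4, 16                        # MIFARE Ultralight: 16 pages of 4 bytes
LOCK_BYTE0, LOCK_BYTE1 = 2 * 4 + 2, 2 * 4 + 3   # page 2, bytes 2 and 3
OTP_PAGE = 3                                    # one-time-programmable page
L_OTP_BIT = 0x08                                # bit 3 of lock byte 0 locks the OTP page

# Assumed application layout (pages 4..15 are user memory).
TS_PAGE = 4                                     # 4-byte big-endian unix time of last stamp
SIG_PAGES = (5, 6)                              # 8-byte truncated HMAC over UID || timestamp
STAMP_KEY = b"constructed-stamping-key"         # assumption: shared by stamper and backend


class SimulatedUltralight:
    """Just enough of the tag's write semantics to exercise the checks:
    OTP and lock bits can only go 0 -> 1 (writes are OR-ed in) and a
    write to a locked page has no effect."""

    def __init__(self, uid: bytes):
        self.uid = uid
        self.mem = bytearray(PAGE_SIZE * PAGES)
        self.mem[0:3] = uid[0:3]        # page 0: UID0..UID2 (BCC0 not modeled)
        self.mem[4:8] = uid[3:7]        # page 1: UID3..UID6

    def read_page(self, p: int) -> bytes:
        return bytes(self.mem[p * 4:(p + 1) * 4])

    def is_locked(self, p: int) -> bool:
        if p == OTP_PAGE:
            return bool(self.mem[LOCK_BYTE0] & L_OTP_BIT)
        if 4 <= p <= 7:                 # lock byte 0, bits 4..7 lock pages 4..7
            return bool(self.mem[LOCK_BYTE0] & (1 << p))
        if 8 <= p <= 15:                # lock byte 1, bits 0..7 lock pages 8..15
            return bool(self.mem[LOCK_BYTE1] & (1 << (p - 8)))
        return False

    def write_page(self, p: int, data: bytes) -> None:
        if self.is_locked(p):
            return
        if p in (2, OTP_PAGE):          # lock bytes and OTP bits: set only
            for i in range(4):
                self.mem[p * 4 + i] |= data[i]
        else:
            self.mem[p * 4:(p + 1) * 4] = data


def ticket_signature(uid: bytes, ts: int) -> bytes:
    return hmac.new(STAMP_KEY, uid + ts.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


def stamp(tag, now: int, blacklist=frozenset()):
    """Stamping-machine logic. Returns (accepted, reason)."""
    if tag.uid in blacklist:
        return False, "uid blacklisted"
    if tag.is_locked(OTP_PAGE):         # the check slide 49 reports as missing
        return False, "OTP page locked: rides cannot be consumed"
    otp = int.from_bytes(tag.read_page(OTP_PAGE), "big")
    if otp == 0xFFFFFFFF:
        return False, "no rides left"
    new_otp = otp | ((~otp & 0xFFFFFFFF) & (otp + 1))    # burn the lowest clear bit
    tag.write_page(OTP_PAGE, new_otp.to_bytes(4, "big"))
    if tag.read_page(OTP_PAGE) != new_otp.to_bytes(4, "big"):
        return False, "OTP write did not take effect"    # read back, never trust the write
    tag.write_page(TS_PAGE, now.to_bytes(4, "big"))
    sig = ticket_signature(tag.uid, now)
    tag.write_page(SIG_PAGES[0], sig[:4])
    tag.write_page(SIG_PAGES[1], sig[4:])
    return True, "stamped"


def verify_stamp(tag, now: int, max_age: int) -> bool:
    """Gate/backend logic: accept only a fresh timestamp whose signature is bound to this UID."""
    ts = int.from_bytes(tag.read_page(TS_PAGE), "big")
    sig = tag.read_page(SIG_PAGES[0]) + tag.read_page(SIG_PAGES[1])
    if not hmac.compare_digest(sig, ticket_signature(tag.uid, ts)):
        return False
    return 0 <= now - ts <= max_age


def demo():
    uid = bytes.fromhex("04a1b2c3d4e5f6")           # constructed 7-byte UID
    t0 = 1_463_500_000                                # constructed epoch time
    honest = SimulatedUltralight(uid)
    accepted, _ = stamp(honest, t0)
    fresh = verify_stamp(honest, t0 + 600, max_age=90 * 60)
    # Ticket whose OTP page was locked before stamping: refused up front.
    locked = SimulatedUltralight(uid)
    locked.write_page(2, bytes([0, 0, L_OTP_BIT, 0]))
    refused, reason = stamp(locked, t0)
    # Timestamp rewritten without the key to look fresh: signature no longer matches.
    honest.write_page(TS_PAGE, (t0 + 7000).to_bytes(4, "big"))
    tampered = verify_stamp(honest, t0 + 7200, max_age=90 * 60)
    return accepted, fresh, refused, reason, tampered


if __name__ == "__main__":
    print(demo())   # (True, True, False, 'OTP page locked: rides cannot be consumed', False)
```

The read-back after the OTP write is the cheap half of the fix: even a stamping machine that cannot interpret lock bytes can notice that the ride it thought it consumed is still there. The signature ties the timestamp to the UID, so copying a freshly stamped page onto another card fails verification as well.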
Slide 50: MIFARE Classic hotel door lock (diagram only)

Slide 51: MIFARE Classic hotel door lock (diagram only)

Slide 52: MIFARE Classic door lock
• Card's UID
• Room number: int("17ea", 16) = 6122
Slide 53: Agenda: Module 3: Attacking RF communications

Slide 54: Agenda (Module 3: Attacking RF communications, items as on slide 5)

Slide 55: Radio Frequency and EAC Systems
• Radio Frequency identification is widely used to control physical access
• Advantages:
  • Automatic identification
  • High reliability
  • High security

Slide 56: Radio Frequency and EAC Systems
• Different technologies based on the operating frequency band:
  • Low Frequency (LF): 125 kHz
  • High Frequency (HF): 13.56 MHz
  • Ultra High Frequency (UHF): 433 MHz, 860-960 MHz and 2.4 GHz

Slide 57: Radio Frequency and EAC Systems
Low Frequency band
• Tags
• Access control tokens

Slide 58: Radio Frequency and EAC Systems
High Frequency band
• Door locks
• Ticketing systems

Slide 59: Radio Frequency and EAC Systems
Ultra High Frequency band
• Automated gates
• Keyless entry systems
• Alarms
• Smart locks

Slide 60: Radio Frequency and EAC Systems
• Common technologies and protocols:
  • Fixed and rolling code
  • NFC
  • Bluetooth
  • ZigBee
  • Z-Wave

Slide 61: Agenda (Module 3: Attacking RF communications, items as on slide 5)

Slide 62: Exploring Radio Frequency communication
• How to explore wireless communications?
• Software Defined Radio (SDR) devices with GNU Radio
  • Software implementation of most parts of a radio system
  • Cheap hardware
  • Highly flexible

Slide 63: Exploring Radio Frequency communication
• Three SDR-compatible devices
Device | Frequency range | Bandwidth | Cost
RTL-SDR dongle | 24 MHz to 1.76 GHz | 2.4 MHz | ~20 €
HackRF | 1 MHz to 6 GHz | 20 MHz | ~300 €
USRP B200 | 70 MHz to 6 GHz | 56 MHz | ~700 €

Slide 64: Exploring Radio Frequency communication
• GNU Radio
  • Platform to develop radio applications, called flowgraphs
  • A flowgraph is a series of connected signal processing blocks
  • The GNU Radio library includes many blocks to perform signal processing

Slide 65: Exploring Radio Frequency communication
• GNU Radio
  • Possibility to create custom C++ blocks
• GNU Radio Companion (GRC)
  • Graphical UI to program GNU Radio applications
  • Supports the creation of a UI for applications

Slide 66: Exploring Radio Frequency communication
• GRC interface (screenshot)

Slide 67: Exploring Radio Frequency communication
• "Hello World" in GNU Radio (screenshot)

Slide 68: Exploring Radio Frequency communication
• "Hello World" in GNU Radio (screenshot)

Slide 69: Exploring Radio Frequency communication
• RTL-SDR Source block (screenshot)

Slide 70: Exploring Radio Frequency communication
• WX GUI FFT Sink block (screenshot)

Slide 71: Agenda (Module 3: Attacking RF communications, items as on slide 5)
Slide 72: Hands-on: receiving your first transmission
Build an FM receiver
Fire up your VM

Slide 73: Agenda (Module 3: Attacking RF communications, items as on slide 5)

Slide 74: SIGINT with GNU Radio
• Define a methodology to study real world signals
• Three main steps:
  1. Intercept and record the signal
  2. Study its characteristics
  3. Reverse the transmitted data

Slide 75: SIGINT with GNU Radio (step 1: intercept and record the signal)

Slide 76: SIGINT with GNU Radio
• GQRX
  • SDR receiver and spectrum analyzer based on GNU Radio and the Qt graphical toolkit
  • User-friendly interface
  • Supported devices include rtl-sdr, HackRF and USRP
  • Records the signal to a WAV file

Slide 77: SIGINT with GNU Radio (screenshot)

Slide 78: SIGINT with GNU Radio
• Intercept a black-box signal
• If the frequency is not known, search for power peaks in the spectrum

Slide 79: SIGINT with GNU Radio (step 2: study the characteristics)

Slide 80: SIGINT with GNU Radio
• Modulation
  • Impress a waveform, called the carrier, with another signal that contains the data to be transmitted

Slide 81: SIGINT with GNU Radio
• Signal Identification Guide: www.sigidwiki.com/wiki/Signal_Identification_Guide

Slide 82: SIGINT with GNU Radio
• Audacity
  • Useful to study recorded signals
  • Supports the RAW data files used by the USRP and HackRF utilities

Slide 83: SIGINT with GNU Radio
• Case study: remote control at 433 MHz (screenshot)

Slide 84: SIGINT with GNU Radio
• Case study: remote control at 433 MHz (screenshot)

Slide 85: SIGINT with GNU Radio
• Case study: remote control at 433 MHz (screenshot)

Slide 86: SIGINT with GNU Radio
• Study of the signal
  • Amplitude Modulation (AM)
  • Only two amplitude levels
  • Binary transmission using On-Off Keying (OOK) modulation
  • Repeated trains of pulses
  • Different pulse lengths encode bit '0' and bit '1'

Slide 87: SIGINT with GNU Radio (step 3: reverse the transmitted data)

Slide 88: SIGINT with GNU Radio
• Focus on a single train
• The first pulse indicates the start of the message

Slide 89: SIGINT with GNU Radio
• The message transmitted is 001010010001
• Short pulses represent binary '0' while long pulses represent binary '1'
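The decoding step described on slides 86 to 89, as an added Python example (not the workshop's code): the amplitude envelope of a recording is thresholded, split into pulse trains at long silences, the start pulse of each train is dropped, and every remaining pulse is classified as short ('0') or long ('1') relative to the midpoint between the shortest and longest pulse seen. The recording is constructed inline from the message on the slide; the pulse widths in samples, the gap lengths and the threshold are assumptions. It also covers the edge case slide 89 does not mention: a train containing a single pulse length, where '0' and '1' cannot be told apart.

```python
"""Decode an OOK pulse train from a recorded amplitude envelope (added example).

The envelope is constructed from the message on slide 89; the pulse widths
in samples and the threshold are assumptions.
"""
from typing import List

MESSAGE = "001010010001"     # message recovered on slide 89

# Assumed timing of the constructed recording, in samples.
START_PULSE = 15             # first pulse marks the start of a train, carries no bit
SHORT_PULSE = 3              # binary '0'
LONG_PULSE = 9               # binary '1'
GAP = 4                      # carrier off between pulses
TRAIN_SILENCE = GAP * 5      # longer silence between repeated trains


def build_envelope(bits: str, repeats: int = 2) -> List[float]:
    """Stand-in for |samples| of a recorded 433 MHz remote: ~1.0 while the
    carrier is keyed on, ~0.0 while it is off, `repeats` trains in a row."""
    env: List[float] = []
    for _ in range(repeats):
        env += [0.0] * GAP
        env += [0.95] * START_PULSE + [0.05] * GAP
        for b in bits:
            env += [0.9] * (LONG_PULSE if b == "1" else SHORT_PULSE) + [0.1] * GAP
        env += [0.0] * TRAIN_SILENCE
    return env


def trains_of_widths(env: List[float], threshold: float = 0.5,
                     min_silence: int = GAP * 3) -> List[List[int]]:
    """Threshold the envelope, measure every 'carrier on' run, and start a new
    train whenever the carrier stays off for at least `min_silence` samples."""
    trains: List[List[int]] = []
    current: List[int] = []
    on_run = off_run = 0
    for a in env:
        if a > threshold:
            if off_run >= min_silence and current:
                trains.append(current)
                current = []
            off_run = 0
            on_run += 1
        else:
            if on_run:
                current.append(on_run)
                on_run = 0
            off_run += 1
    if on_run:
        current.append(on_run)
    if current:
        trains.append(current)
    return trains


def decode_train(widths: List[int]) -> str:
    """Drop the start pulse, then call each remaining pulse short ('0') or
    long ('1') relative to the midpoint of the shortest and longest pulse."""
    data = widths[1:]
    if not data:
        return ""
    lo, hi = min(data), max(data)
    if lo == hi:                  # one pulse length only: 0 and 1 cannot be told apart
        return "?" * len(data)
    mid = (lo + hi) / 2
    return "".join("1" if w > mid else "0" for w in data)


def decode_envelope(env: List[float]) -> List[str]:
    """Bit string for every train found in the recording."""
    return [decode_train(t) for t in trains_of_widths(env)]


if __name__ == "__main__":
    for i, bits in enumerate(decode_envelope(build_envelope(MESSAGE))):
        print(f"train {i}: {bits}")   # both trains: 001010010001
```

On a real capture the envelope comes from the magnitude of the complex samples GQRX or a GNU Radio flowgraph recorded, and the threshold is better derived from the noise floor than fixed at 0.5; the rest of the pipeline (run lengths, train splitting, two-cluster classification) is the same.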
Slide 90: Agenda (Module 3: Attacking RF communications, items as on slide 5)

Slide 91: SIGINT with GNU Radio
• Security of the case study's solution
  • The remote control always sends the same fixed code
  • Malicious people can record and replay the signal to gain unauthorized access
• Solution: rolling code

Slide 92: SIGINT with GNU Radio
• Rolling code
  • The remote control always sends a different code
  • Sender and receiver are synchronized with an internal counter
  • A hardware algorithm calculates the 'next' code from the counter
  • A widely used algorithm is KeeLoq
Slide 93: Agenda: Module 4: The Challenge

Slide 94: Agenda
• Module 4: The Challenge
  • Introduction
  • The challenge
  • Awards :)

Slide 95: Challenge introduction
You are part of a Red Team, engaged to strike into the high security facilities of a super secret criminal organization known as: h4k3rs team.
Your task is to open the external gate of the building's perimeter, and thus allow your team mates to enter the facilities and retrieve sensitive information.
Fire up your VM!

Slide 96: Agenda (Module 4: The Challenge, items as on slide 94)

Slide 97: Awards
The first three to complete the challenge will win an RTL-SDR dongle from http://www.rtl-sdr.com

Slide 98: Q&A
Feedback please, don't be shy..

Slide 99: Thank you
Contacts: engage@opposingforce.it || www.opposingoforce.it || @_opposingforce