This document provides an agenda for an RFID security workshop. The agenda includes topics such as RFID hardware operating frequencies, active vs passive tags, LibNFC software, low and high frequency tags, Mifare classic memory organization and security, and real world examples of RFID usage. The workshop aims to educate attendees on RFID technology fundamentals and security aspects.
The Google Nexus S offers support for Near Field Communication (NFC), an extension to an RFID smart card protocol popularly used for secure access, metro passes (Oyster/Clipper), and electronic money (FeliCa/Octopus). NFC in smartphones promises adding these features to the phone you carry by allowing the it to emulate both RFID tag and reader.
NFC additionally adds new capabilities like exchanging configuration data such as WiFi settings, trading vCard contact information, reading URLs, triggering SMS text messages or initiating calls, and secure bi-directional communication between NFC devices.
This session will cover what NFC and RFID is and is not, what Android on the Nexus S is currently capable of, and some examples of how to add NFC to your apps.
http://where2conf.com/where2011/public/schedule/detail/18443
RFID and NFC Transponder from Global Tag. Here you can find many different type of tag transponder LF, HF, UHF and also BLE
#RFID #NFC #BLE #IoT #TAG #LF #HF #UHF
On Relaying NFC Payment Transactions using Android devicescgvwzq
Ā
NFC (Near Field Communication) defines the set of RFID standards designed to bidirectionally communicate via wireless and interchange data point-to-point between devices in proximity, normally a few centimeters (up to 10cm). Services that use NFC communications as contactless payments are exponentially growing: Public transport, parkings, fast supermarket cashers, vending machines and even NFC-capable credit/debit cards.In this talk, we investigate relay attacks in NFC-capable credit/debit cards. This attack exploits the communication proximity principle in NFC, which is shown to be non secure. Although a lot of attack countermeasures exist, they do not face with this attack vector since up to date special hardware was required to perform it. However, the story is rewritten with the NFC-capable mobile devices available in the market.
This work shows how nowadays a relay attack in NFC-capable credit/debit cards is possible using an NFC-capable Android device without further modifications (i.e., no root permissions, custom firmware, or custom OS are required). A PoC app implementing the attack is shown in the talk, as well as distributed relay attack scenarios that might become real before long.
The Google Nexus S offers support for Near Field Communication (NFC), an extension to an RFID smart card protocol popularly used for secure access, metro passes (Oyster/Clipper), and electronic money (FeliCa/Octopus). NFC in smartphones promises adding these features to the phone you carry by allowing the it to emulate both RFID tag and reader.
NFC additionally adds new capabilities like exchanging configuration data such as WiFi settings, trading vCard contact information, reading URLs, triggering SMS text messages or initiating calls, and secure bi-directional communication between NFC devices.
This session will cover what NFC and RFID is and is not, what Android on the Nexus S is currently capable of, and some examples of how to add NFC to your apps.
http://where2conf.com/where2011/public/schedule/detail/18443
RFID and NFC Transponder from Global Tag. Here you can find many different type of tag transponder LF, HF, UHF and also BLE
#RFID #NFC #BLE #IoT #TAG #LF #HF #UHF
On Relaying NFC Payment Transactions using Android devicescgvwzq
Ā
NFC (Near Field Communication) defines the set of RFID standards designed to bidirectionally communicate via wireless and interchange data point-to-point between devices in proximity, normally a few centimeters (up to 10cm). Services that use NFC communications as contactless payments are exponentially growing: Public transport, parkings, fast supermarket cashers, vending machines and even NFC-capable credit/debit cards.In this talk, we investigate relay attacks in NFC-capable credit/debit cards. This attack exploits the communication proximity principle in NFC, which is shown to be non secure. Although a lot of attack countermeasures exist, they do not face with this attack vector since up to date special hardware was required to perform it. However, the story is rewritten with the NFC-capable mobile devices available in the market.
This work shows how nowadays a relay attack in NFC-capable credit/debit cards is possible using an NFC-capable Android device without further modifications (i.e., no root permissions, custom firmware, or custom OS are required). A PoC app implementing the attack is shown in the talk, as well as distributed relay attack scenarios that might become real before long.
ACR128 Dualboost Contact and Contactless Smart Card Reader - product presentation by Advanced Card Systems Ltd. Feel free to visit www.acs.com.hk or www.acr128.com
Overview of NXP MIFARE product portfolio. Product families include: MIFARE Classic, MIFARE Plus, MIFARE DESFire and MIFARE Ultralight. Details the evolution and innovation of the various product families are given.
NFC - The technology behind the metro cards used in Indian metro trains. Also, this technology has the capability to convert your smartphone into a virtual wallet like Google Wallet.
Near Field Communication is a very Versatile wireless technology. It has its range up to just 10-20 cm, but its short range is its advantage. Lets explore this technology and try to exploit it.
Near Field Communications (NFC) is an evolution of contactless data exchange which is being employed in mobile phone applications for data exchange and payment processing, among other applications. This presentation covers the evolution and technical details of this communications protocol along with compliance testing requirements.
Learn more: http://wireless-connectivity-test.com
ACR128 Dualboost Contact and Contactless Smart Card Reader - product presentation by Advanced Card Systems Ltd. Feel free to visit www.acs.com.hk or www.acr128.com
Overview of NXP MIFARE product portfolio. Product families include: MIFARE Classic, MIFARE Plus, MIFARE DESFire and MIFARE Ultralight. Details the evolution and innovation of the various product families are given.
NFC - The technology behind the metro cards used in Indian metro trains. Also, this technology has the capability to convert your smartphone into a virtual wallet like Google Wallet.
Near Field Communication is a very Versatile wireless technology. It has its range up to just 10-20 cm, but its short range is its advantage. Lets explore this technology and try to exploit it.
Near Field Communications (NFC) is an evolution of contactless data exchange which is being employed in mobile phone applications for data exchange and payment processing, among other applications. This presentation covers the evolution and technical details of this communications protocol along with compliance testing requirements.
Learn more: http://wireless-connectivity-test.com
Mobifyer - Creating Deeper Mobile Relationships. Mobifyer offers Mobile Contactless, RFID, and NFC products and resources to help you engage customers with style and function. We offer mobile eGrips with contactless, mobile skins, and Bluetooth to NFC devices with strategy, development, planning, and busines development.
NXP MIFARE Webinar: Secure Closed Loop Payments In An Open Environment NXP MIFARE Team
Ā
This webinar shows you how you can use NXP's innovative MIFARE Plus and MIFARE DESFire products for secure closed loop payments in multi-vendor systems.
ACR122L is a plug-and-play device that does not require any driver installation. It is a serial interface NFC contactless reader with LCD developed based on the 13.56 MHz RFID technology and the ISO/IEC 18092 NFC standard, and supports ISO 14443 Type A and B cards, Mifare, and all four types of NFC tags.
NXP MIFARE Webinar: Introduce The Future In Your Today's System- How To Ensur...NXP MIFARE Team
Ā
Discover how you can realize a smooth system migration of your contactless smart card system to a higher security level, including the benefits of using MIFARE Plus products.
At the end of this presentation, you will learn:
-Different types of smart cards
-What are differences between MIFARE family members
-How and where to use each technology in payment solutions
-The NFC business ecosystem, use-cases and secure elementās basics
-How to secure e-banking and e-commerce authentication
-The differences between Apple Pay and Android Pay
-Why the world is migrating to EMV
-What are the emerging payment technologies
SmartWorld is an ISO 9001:2008 IT solutions provider focused in card solutions and secure identification domain. With expertise in card personalization solutions , EMV Testing Tools & Consultancy , e-security & physical access control products, logical access control solutions, SmartWorld provides unrivalled customer service by truly understanding unique secure identification needs. With a passion for providing high quality, innovative products, and an in-depth understanding of the solution application, SmartWorld has earned a name as a trusted identification expert.
SmartWorld has partnered with leading brands such as MAGICARD , CARD EXCHANGE , INGERSOLL RAND SECURITY TECHNOLOGIES , IDTECH etc that positions us to serve the needs of the customer providing turnkey solutions.
Specialties
MAGICARD ID Card Printers, SmartCard Readers, Card Management and Personalization, Schlage Access Control Readers, Badging Solutions, BRITON Electromagnetic Locks, EMV Testing tools, training & consultancy, MIFARE Encoding, Mobile Readers, Smartcard Encoding, NFC
Contact US: enquiries@smartworld.ae
NXP MIFARE Webinar: Complement Use Cases With Mobiles And WearablesNXP MIFARE Team
Ā
NXP MIFARE mobile solutions, explaining MIFARE4Mobile and how NXP has integrated mobiles and wearable technology into an ever increasing contactless world.
Zigbee Based Indoor Campus Inventory Tracking Using Rfid ModuleIJERA Editor
Ā
This is a very useful application of RFID (Radio-frequency identification) and is very commonly used in institutes, offices, homes and so on. An RFID system consists of a reader device and a transponder. A transponder or tag has a unique serial number which is identified by the reader. Here RFID has been interfaced with ARM Processor to provide secured access. The relevant messages are also displayed on a 16x2 LCD.RFID automated access for door controls to buildings, departments, rooms, secured closets (wiring, PBX, etc.) and cabinets is very cost effective and secure to use. Many people do not realize how easy it is to implement card access systems such as card access door or doors using RFID readers and RFID Cards or Key fobs for Secured Access Control Management. You can even use smart readers for computer rooms and securing individual computers. RFID tags are categorized as either active or passive. Active tags are powered by an internal battery and are typically read/write,i.e tag data can be rewritten or modified. Passive tags operate without a separate external power source and obtain operating power generated from the reader.
Radio-Frequency Identification (RFID) is an automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags or transponders
My presentation explores how RFID system works and describes briefly about history of RFID, active & passive tags, modes of transmission of data and applications
Here is a Whitepaper I wrote way back in 2011 for the the Steel Industry. The industry has only started capitalizing on the RFID Technology for Inventory Tracking and Realtime Location Tracking. I see a lot of potential in exploiting the usage of RFID Technology in our day to day operations.
Happy Reading..!
The RFID has been still an evolution in many parts of the world.This presentation gives you an overview about the RFID technology and helps you to implement in your projects and other stuff..Take a look at it and gain knowledge yourself..If you want identification RFID is the best technology employable.
Radio Frequency Identification(RFID) is one of the most exciting technology that revolutionize the working practices by increasing efficiencies and improving profitability.
Business Valuation Principles for EntrepreneursBen Wann
Ā
This insightful presentation is designed to equip entrepreneurs with the essential knowledge and tools needed to accurately value their businesses. Understanding business valuation is crucial for making informed decisions, whether you're seeking investment, planning to sell, or simply want to gauge your company's worth.
Explore our most comprehensive guide on lookback analysis at SafePaaS, covering access governance and how it can transform modern ERP audits. Browse now!
3.0 Project 2_ Developing My Brand Identity Kit.pptxtanyjahb
Ā
A personal brand exploration presentation summarizes an individual's unique qualities and goals, covering strengths, values, passions, and target audience. It helps individuals understand what makes them stand out, their desired image, and how they aim to achieve it.
Accpac to QuickBooks Conversion Navigating the Transition with Online Account...PaulBryant58
Ā
This article provides a comprehensive guide on how to
effectively manage the convert Accpac to QuickBooks , with a particular focus on utilizing online accounting services to streamline the process.
Memorandum Of Association Constitution of Company.pptseri bangash
Ā
www.seribangash.com
A Memorandum of Association (MOA) is a legal document that outlines the fundamental principles and objectives upon which a company operates. It serves as the company's charter or constitution and defines the scope of its activities. Here's a detailed note on the MOA:
Contents of Memorandum of Association:
Name Clause: This clause states the name of the company, which should end with words like "Limited" or "Ltd." for a public limited company and "Private Limited" or "Pvt. Ltd." for a private limited company.
https://seribangash.com/article-of-association-is-legal-doc-of-company/
Registered Office Clause: It specifies the location where the company's registered office is situated. This office is where all official communications and notices are sent.
Objective Clause: This clause delineates the main objectives for which the company is formed. It's important to define these objectives clearly, as the company cannot undertake activities beyond those mentioned in this clause.
www.seribangash.com
Liability Clause: It outlines the extent of liability of the company's members. In the case of companies limited by shares, the liability of members is limited to the amount unpaid on their shares. For companies limited by guarantee, members' liability is limited to the amount they undertake to contribute if the company is wound up.
https://seribangash.com/promotors-is-person-conceived-formation-company/
Capital Clause: This clause specifies the authorized capital of the company, i.e., the maximum amount of share capital the company is authorized to issue. It also mentions the division of this capital into shares and their respective nominal value.
Association Clause: It simply states that the subscribers wish to form a company and agree to become members of it, in accordance with the terms of the MOA.
Importance of Memorandum of Association:
Legal Requirement: The MOA is a legal requirement for the formation of a company. It must be filed with the Registrar of Companies during the incorporation process.
Constitutional Document: It serves as the company's constitutional document, defining its scope, powers, and limitations.
Protection of Members: It protects the interests of the company's members by clearly defining the objectives and limiting their liability.
External Communication: It provides clarity to external parties, such as investors, creditors, and regulatory authorities, regarding the company's objectives and powers.
https://seribangash.com/difference-public-and-private-company-law/
Binding Authority: The company and its members are bound by the provisions of the MOA. Any action taken beyond its scope may be considered ultra vires (beyond the powers) of the company and therefore void.
Amendment of MOA:
While the MOA lays down the company's fundamental principles, it is not entirely immutable. It can be amended, but only under specific circumstances and in compliance with legal procedures. Amendments typically require shareholder
Unveiling the Secrets How Does Generative AI Work.pdfSam H
Ā
At its core, generative artificial intelligence relies on the concept of generative models, which serve as engines that churn out entirely new data resembling their training data. It is like a sculptor who has studied so many forms found in nature and then uses this knowledge to create sculptures from his imagination that have never been seen before anywhere else. If taken to cyberspace, gans work almost the same way.
Buy Verified PayPal Account | Buy Google 5 Star Reviewsusawebmarket
Ā
Buy Verified PayPal Account
Looking to buy verified PayPal accounts? Discover 7 expert tips for safely purchasing a verified PayPal account in 2024. Ensure security and reliability for your transactions.
PayPal Services Features-
š¢ Email Access
š¢ Bank Added
š¢ Card Verified
š¢ Full SSN Provided
š¢ Phone Number Access
š¢ Driving License Copy
š¢ Fasted Delivery
Client Satisfaction is Our First priority. Our services is very appropriate to buy. We assume that the first-rate way to purchase our offerings is to order on the website. If you have any worry in our cooperation usually You can order us on Skype or Telegram.
24/7 Hours Reply/Please Contact
usawebmarketEmail: support@usawebmarket.com
Skype: usawebmarket
Telegram: @usawebmarket
WhatsApp: +1āŖ(218) 203-5951ā¬
USA WEB MARKET is the Best Verified PayPal, Payoneer, Cash App, Skrill, Neteller, Stripe Account and SEO, SMM Service provider.100%Satisfection granted.100% replacement Granted.
What are the main advantages of using HR recruiter services.pdfHumanResourceDimensi1
Ā
HR recruiter services offer top talents to companies according to their specific needs. They handle all recruitment tasks from job posting to onboarding and help companies concentrate on their business growth. With their expertise and years of experience, they streamline the hiring process and save time and resources for the company.
Enterprise Excellence is Inclusive Excellence.pdfKaiNexus
Ā
Enterprise excellence and inclusive excellence are closely linked, and real-world challenges have shown that both are essential to the success of any organization. To achieve enterprise excellence, organizations must focus on improving their operations and processes while creating an inclusive environment that engages everyone. In this interactive session, the facilitator will highlight commonly established business practices and how they limit our ability to engage everyone every day. More importantly, though, participants will likely gain increased awareness of what we can do differently to maximize enterprise excellence through deliberate inclusion.
What is Enterprise Excellence?
Enterprise Excellence is a holistic approach that's aimed at achieving world-class performance across all aspects of the organization.
What might I learn?
A way to engage all in creating Inclusive Excellence. Lessons from the US military and their parallels to the story of Harry Potter. How belt systems and CI teams can destroy inclusive practices. How leadership language invites people to the party. There are three things leaders can do to engage everyone every day: maximizing psychological safety to create environments where folks learn, contribute, and challenge the status quo.
Who might benefit? Anyone and everyone leading folks from the shop floor to top floor.
Dr. William Harvey is a seasoned Operations Leader with extensive experience in chemical processing, manufacturing, and operations management. At Michelman, he currently oversees multiple sites, leading teams in strategic planning and coaching/practicing continuous improvement. William is set to start his eighth year of teaching at the University of Cincinnati where he teaches marketing, finance, and management. William holds various certifications in change management, quality, leadership, operational excellence, team building, and DiSC, among others.
2. ā¢āÆ Daytime job at an Insurance Company in Buenos Aires, AR
ā¢āÆ (Web) Application Security specialist & enthusiast
ā¢āÆ Many vulnerabilities discovered in Open Source and Commercial
software: Vmware, Websense, OSSIM, Cacti, McAfee, Oracle VM, etc.
ā¢āÆ Gadgets and Electronics Lover (RFID!)
ā¢āÆ EC-Council C|EH, CompTIA Security+ and Private Pilot License
ā¢āÆ http://ar.linkedin.com/in/nahuelgrisolia
ā¢āÆ http://cintainfinita.com.ar
ā¢āÆ http://www.exploit-db.com/author/?a=2008
ā¢āÆ http://www.proxmark.org/forum/profile.php?id=3000
2
3. Motivation
from The Hacker Ethic and the Spirit of the Information Ageā¦
Pekka Himanen
Enthusiastic, passionate attitude to the work that is
enjoyed
Creativity, wish to realize oneself and one's ability,
often in teams that are formed spontaneously (project
orientation)
Wish to share one's skills with a community having
common goals
3
5. 1.āÆ What is true about RFID?
2.āÆ What is NOT true about RFID?
3.āÆ Real Life Examples?
4. RFID Hardware
!āÆ Operating Frequencies (LF, HF, UHF)
!āÆ Active vs. Passive Tags
!āÆ Types, Shapes, Sizes and Colors!
5. LibNFC
!āÆ What?
!āÆ Compatible Devices
!āÆ Resources
!āÆ Examples of usage
6.āÆ Proxmark3
!āÆ What?
!āÆ Community Forum
!āÆ Examples of usage
Agenda
5
6. 7.āÆ Low Frequency Tags
!āÆ Intro
!āÆ Types
!āÆ Examples of Emulation & Cloning
!āÆ Bypassing a Door Lock
8.āÆ High Frequency Tags
!āÆ Intro
!āÆ NXP Mifare
"āÆ What?
"āÆ Practical Applications
9. Mifare Classic
!āÆ Memory Organization
!āÆ Access Keys and Bits, Security
"āÆ Crypto1
!āÆ Well-known attacks
"āÆ mfoc, mfcuk, crapto1
10. Use Cases
!āÆ Real World Examples using Mifare Classic
!āÆ Public Transport in Argentina using Mifare Classic
11. Resources & moreā¦
Agenda
6
8. What is true about RFID?
RFID is a generic term that is used to describe a system that transmits the identity (in the
form of a unique serial number) of an object or person wirelessly, using radio waves. It's
grouped under the broad category of automatic identification technologies.
RFID stands for Radio-Frequency IDentification. The acronym refers to electronic devices
that consist of a small chip and an antenna.
RFID devices will work within a few cm. of the scanner. For example, you could just put
all of your groceries or purchases in a bag, and set the bag on the scanner. It would be able
to query all of the RFID devices and total your purchase immediately.
8
9. What is true about RFID?
A typical RFID tag consists of a microchip attached to a radio
antenna mounted on a substrate.
To retrieve the data stored on an RFID tag, you need a reader. A
typical reader is a device that has one or more antennas that emit
radio waves and receive signals back from the tag.
The reader then passes the information in digital form to a master
system.
9
Note: not always true - the reader might be a self-contained system, doing
logic (eg. check if card/tag authorized) and actions (eg. unlock the door, buzz
the buzzer, light the led) on it's own without master system
10. Some common problems with RFID are reader collision and tag
collision.
Reader collision occurs when the signals from two or more readers
overlap.
The tag is unable to respond to simultaneous queries. Systems must be
carefully set up to avoid this problem.
Tag collision occurs when many tags are present in a small area; but
since the read time is very fast, it is easier for vendors to develop
systems that ensure that tags respond one at a time.
Other Problems: low computing power, no RTC on tags, bad RNG on
tags, critical timing requirements, low bandwidth, etc.)
What is true about RFID?
10
11. NFC (Near Field Communication) is an open platform technology
standardized in some ISO specs, specifying modulations schemes,
coding, transfer speeds, data exchange methods (NDEF ā sort of MIME
- by NFC Forum), etc.
Form/subset of RFID (Radio Frequency IDentification) given that is
uses radio waves for identification purposes.
NFC works at 13.56 MHz in accordance with inductive coupling
principles and allows communications at very short ranges (a few cm).
It provides Card Emulation, Peer-to-Peer and Reader/Writer mode.
What is true about NFC?
11
12. NDEF Standard (NFC Data Exchange Format)
NFC-Forum Tags:
ā Type 1: Innovision Topaz/Jewel (ISO14443-3A)
ā Type 2: NXP Mifare Ultralight (ISO14443-3A)
ā Type 3: Sony FeliCa
ā Type 4: ISO7816-4 on ISO14443-4 A or B
(e.g. DesFire EV1)
What is true about NFC?
12
13. What is true about NFC?
13
#āÆ Define and Stabilize Technology
#āÆ Develop standards that ensure interoperability among devices and
services
#āÆ Encourage the development of products within NFC Forum
Specs.
#āÆ Educate the Market
#āÆ Ensure that NFC products follow NFC Forum Specs.
#āÆ Promote End User usage
NFC Forum Mission
17. What is NOT true about RFID?
I can clone any card!
Mueheheā¦
Wellā¦ not that muchā¦ =)
125KHz~135KHz RFID Card Copier / Duplicator (1 x 6F22/9V)
17
18. What is NOT true about RFID?
Iām fully featured!!ā¦
18
19. Real Life Examples?
Electronic Payments, Physical Access to
buildings, Tolls, Passports, Medical Supplies
and Equipment Tracking,
Clothes, almost everywhere!
19
20. Real Life Examples?
Electronic Payments, Physical Access to
buildings, Tolls, Passports, Medical Supplies
and Equipment Tracking,
Clothes, almost everywhere!
20
24. RFID Hardware
A Radio-Frequency IDentification system has three basic
parts:
ā¢āÆA transponder - the RFID tag - that has been programmed
with information.
ā¢āÆA scanning antenna
ā¢āÆA transceiver with a decoder to interpret the data
The scanning antenna puts out radio-frequency signals in a relatively short range.
The RF radiation does two things:
It provides a means of communicating with the transponder (the RFID tag) AND
It provides the RFID tag with the energy to communicate (in the case of passive RFID tags).
How does RFID work?
24
25. When an RFID tag passes through the field of the scanning antenna,
it detects the activation signal from the antenna. That āpowers-up"
the RFID chip, and it transmits the information on its microchip to be
picked up by the scanning antenna.
In addition, the RFID tag may be of one of two types:
$āÆActive RFID tags have their own power source; the advantage of
these tags is that the reader can be much farther away and still get
the signal. Even though some of these devices are built to have up
to a 10 year life span, they have limited life spans.
$āÆPassive RFID tags, however, do not require batteries, and can be
much smaller and have a virtually unlimited life span.
RFID HardwareHow does RFID work?
25
26. Because RFID systems generate and radiate electromagnetic waves, they are
justifiably classified as radio systems. The function of other radio services must
under no circumstances be disrupted or impaired by the operation of RFID
systems.
It is particularly important to ensure that RFID systems do not interfere with
nearby radio and television, mobile radio services (police, security services,
industry), marine and aeronautical radio services and mobile telephones.
The need to exercise care with regard to other radio services
significantly restricts the range of suitable operating frequencies
available to an RFID system.
RFID HardwareRadio Regulation
26
27. It is usually only possible to use frequency ranges that
have been reserved specifically for industrial, scientific or
medical applications or for short range devices.
These are the frequencies classified worldwide as ISM
frequency ranges (Industrial-Scientific-Medical) or SRD
(Short Range Device) frequency ranges, and they can also
be used for RFID applications.
Frequency Ranges
RFID Hardware
27
30. An RFID tag is an active tag when it is equipped with a battery that
can be used as a partial or complete source of power for the tag's
circuitry and antenna.
Some active tags contain replaceable batteries for years of use; others
are sealed units. (Note that It is also possible to connect the tag to an
external power source.)
Generally operate in UHF.
Active RFID Tag
RFID Hardware
30
31. Active RFID tags may have all or some of the following features:
$āÆlongest communication range of any tag
$āÆthe capability to perform independent monitoring and control
$āÆthe capability of initiating communications
$āÆthe capability of performing diagnostics
$āÆthe highest data bandwidth
$āÆactive RFID tags may even be equipped with autonomous
networking; the tags autonomously determine the best
communication path.
Active RFID Tag
RFID Hardware
31
32. The major advantages of an active RFID tag are:
$āÆ It can be read at distances of one hundred meters or more, greatly improving the utility of
the device.
$āÆ It may have other sensors that can use electricity for power.
The problems and disadvantages of an active RFID tag are:
$āÆ The tag cannot function without battery power, which limits the lifetime of the tag.
$āÆ The tag is typically more expensive, often costing $20 or more each.
$āÆ The tag is physically larger, which may limit applications.
$āÆ The long-term maintenance costs for an active RFID tag can be greater than those of a
passive tag if the batteries are replaced.
$āÆ Battery outages in an active tag can result in expensive misreads.
Active RFID Tag
RFID Hardware
32
33. A passive tag is an RFID tag that does not contain a battery; the power is supplied by by the reader's EM
field.
The tag enters a magnetic field when itās near the readerās field.
The tag draws power from it, energizing the circuits in the tag.
The tag then sends the information (by load modulation, varying its resistance and therefore its
consumption of energy) encoded in the tag's memory.
The reader is able to do a variation of energy in order to communicate with the tag.
Passive RFID Tag
RFID Hardware
33
https://en.wikipedia.org/wiki/Transformer#Basic_principles
34. The major disadvantages of a passive RFID tag are:
$āÆ The tag can be read only at very short distances, typically a few meters at most.
$āÆ This greatly limits the device for certain applications.
$āÆ It may not be possible to include sensors that can use electricity for power.
$āÆ The tag remains readable for a very long time, even after the product to which the tag is attached has
been sold and is no longer being tracked.
The advantages of a passive tag are:
$āÆ The tag functions without a battery; these tags have a useful life of twenty years or more.
$āÆ The tag is typically much less expensive to manufacture
$āÆ The tag is much smaller (some tags are the size of a grain of rice). These tags have almost unlimited
applications in consumer goods and other areas.
Passive RFID Tag
RFID Hardware
34
36. Tags, cards, key rings, wristbands and more!
VeriChip human ID implant.
RFID Hardware
36
37. Tags, cards, key rings, wristbands and more!
http://adafruit.com/products/365
MiFare Classic (13.56 MHz) tag assortment - 1KB
RFID Hardware
37
38. Tags, cards, key rings, wristbands and more!
Kodak has filed this patent application for
RFID tagged capsules that could be
swallowed to track activity in a patientās
digestive system.
Monitor a patientās medication history, or to
transmit other medical information to a nearby
RF data collector.
Potential to reduce the need for invasive
medical procedures
Ensure that patients take the proper dosage of
their medicines.
RFID Hardware
38
39. Low Frequency Tags
Low-frequency RFID systems are typically 125 KHz, though there are
systems operating at 134 KHz as well. This frequency band provides a
shorter read range (< 0.5m) and slower read speed than the higher
frequencies.
LF RFID systems have the strongest ability to read tags on objects with
high water or metal content compared to any of the higher frequencies.
LF systems tend to be less sensitive to interference than higher frequency
options.
Typical low-frequency RFID applications are access control, animal
tracking, vehicle immobilizers, healthcare applications, product
authentication and various point-of-sale applications.
39
41. High Frequency Tags
The ISO/IEC 14443 standard is a four-part international standard for
contact-less smart cards operating at 13.56 MHz in close proximity
(~10cm) with a reader antenna.
This ISO standard describes the modulation and transmission
protocols between card and reader to create interoperability for
contact-less smart card products.
There are two main communication protocols supported by the
ISO/IEC 14443 standard, they are addressed as Type A and Type B.
41
42. High Frequency Tags
ISO/IEC 14443 Type A
Near Field Communication devices implement native support for
ISO14443-A tags. The NFC Forum refers to these tags as Type 1
and Type 2 tags.
The Anti-Collision describes the initialization messages used to
set up a communication channel and to retrieve the identifier and
supported features from a tag.
During the anti-collision phase, three or four different frames are
received from a tag (ATQA, UID, SAK and optional ATS).
42
43. High Frequency Tags
The ATQA, SAK and ATS values can be used to
identify the manufacturer, tag type and application.
By the way, it's not recommended to rely on ATQA due
to potential collision when more than one target are in
the field.
These values can be used to identify the manufacturer,
tag type and application.
43
46. LibNFC
Itās an Open Source library for Near Field Communication (NFC).
ālibnfc is the first libre low level NFC SDK and Programmers API released under the
GNU Lesser General Public License.ā
It provides complete transparency and royalty-free use for everyone.
https://code.google.com/p/libnfc/
What?
46
47. All major operating systems are supported, including GNU/
Linux, Mac OS X and Windows. Compilation should work out
of the box on POSIX-systems. (YEAH! TRUE! :)
This library supports various NFC hardware devices: dongles,
flat and OEM devices.
The library currently supports modulations for ISO/IEC 14443
(A and B), FeliCa, Jewel tags and Data Exchange Protocol (P2P)
as target and as initiator. ĀæAnd Emulationā¦?
LibNFC
What?
47
48. Manufacturer Product
NFC
Controller
Host bus Depends Driver Tested Support
SCM
Microsystems
SCL3710 PN531 v4.2 USB libusb PN53X_USB YES YES
SCL3711 PN533 v2.7 USB libusb PN53X_USB YES YES
LibNFC
Compat, Dongle
48
49. Manufacturer Product
NFC
Controller
Host bus Depends Driver Tested Support
ASK LoGO PN533 v2.7 USB libusb PN53X_USB YES LIMITED
ACS ACR122U101 PN532 v1.4 USB PCSC ACR122 YES LIMITED
ACR122U206 PN532 v1.4 USB PCSC ACR122 YES LIMITED
tikitag ACR122U102 PN532 v1.4 USB PCSC ACR122 YES LIMITED
touchatag ACR122U102 PN532 v1.4 USB PCSC ACR122 YES LIMITED
LibNFCCompat, Flat
49
50. LibUSB and PC/SC
libusb is a C library that gives applications easy access to USB
devices on many different operating systems.
libusb is an open source project, the code is licensed under the āGNU
Lesser General Public License version 2.1 or later.
libusb latest release doesn't support officially Microsoft Windows due
to lack of knowledgeable developers on that platform.
Middleware to access a smart card using SmartCard API (PC/SC).
pcsc-tools on GNU/Linux & OSX
Source code available from: http://pcsclite.alioth.debian.org/pcsclite.html
pcsclite
50
54. The Proxmark III is a device developed by Jonathan Westhues
that enables sniffing (both ways), reading, writing, emulating and
cloning of RFID (Radio Frequency Identification) tags.
He wanted to look at the communication of Mifare Classic cards.
He made an implementation of the ISO14443 type A standard for
the Proxmark since Mifare is based on this communication
standard.
The findings of this research are published on arxiv.org as A
Practical Attack on the Mifare Classic
Proxmark3What?
54
59. Proxmark3
125Khz and 13.56Mhz
antennas info
http://www.proxmark.org/forum/index.php
āHardware Developmentā
http://www.proxmark.org/forum/viewtopic.php?id=260 http://www.proxmark.org/forum/viewtopic.php?id=273
Do not forget to ātuneā your antennaā¦ -> hw tune
59
60. Proxmark3
The Proxmark III firmware has been modified to allow more commands:
Connected units:
1. SN: ChangeMe [bus-0/.libusb0-0001--0x9ac4-0x4b8f]
proxmark3> hf
help This help
14a { ISO14443A RFIDs... }
14b { ISO14443B RFIDs... }
15 { ISO15693 RFIDs... }
epa { German Identification Card... }
legic { LEGIC RFIDs... }
iclass { ICLASS RFIDs... }
mf { MIFARE RFIDs... }
tune Continuously measure HF antenna tuning
Customize me!
Flashing the Proxmark
http://code.google.com/p/proxmark3/downloads/list
See: Compiling Proxmark source and firmware upgrading v1.pdf
https://www.troopers.de/wp-content/uploads/2011/04/TR11_Kuhn_Thumann_Integration_of_the_nPA.pdf
60
61. Proxmark3
The Proxmark III firmware has been modified to allow more (many more!) commands:
proxmark3> lf
help This help
cmdread <off period> <'0' period> <'1' period> <command> ['h'] -- Modulate LF reader field to send
command before read (all periods in microseconds) (option 'h' for 134)
em4x { EM4X RFIDs... }
flexdemod Demodulate samples for FlexPass
hid { HID RFIDs... }
indalademod ['224'] -- Demodulate samples for Indala 64 bit UID (option '224' for 224 bit)
indalaclone <UID> ['l']-- Clone Indala to T55x7 (tag must be in antenna)(UID in HEX)(option 'l' for 224
UID
read ['h'] -- Read 125/134 kHz LF ID-only tag (option 'h' for 134)
sim [GAP] -- Simulate LF tag from buffer with optional GAP (in microseconds)
simbidir Simulate LF tag (with bidirectional data transmission between reader and tag)
simman <Clock> <Bitstream> [GAP] Simulate arbitrary Manchester LF tag
ti { TI RFIDs... }
vchdemod ['clone'] -- Demodulate samples for VeriChip
Customize me!
Flashing the Proxmark
61
62. Proxmark3proxmark3> hf mf
help This help
dbg Set default debug mode
rdbl Read MIFARE classic block
rdsc Read MIFARE classic sector
dump Dump MIFARE classic tag to binary file
restore Restore MIFARE classic binary file to BLANK tag
wrbl Write MIFARE classic block
chk Test block keys
mifare Read parity error messages. param - <used card nonce>
nested Test nested authentication
sniff Sniff card-reader communication
sim Simulate MIFARE card
eclr Clear simulator memory block
eget Get simulator memory block
eset Set simulator memory block
eload Load from file emul dump
esave Save to file emul dump
ecfill Fill simulator memory with help of keys from simulator
ekeyprn Print keys from simulator memory
csetuid Set UID for magic Chinese card
csetblk Write block into magic Chinese card
cgetblk Read block from magic Chinese card
cgetsc Read sector from magic Chinese card
cload Load dump into magic Chinese card
csave Save dump from magic Chinese card into file or emulator
Customize me!
Flashing the Proxmark
62
63. Proxmark3If something went wrongā¦
JTAG Recovery Procedure
http://www.segger.com/jlink.html
If for whatever reason the USB upgrade
procedure failed and the Proxmark will no
longer boot, you will need to load the bootrom
on to the Proxmark using the JTAG interface.
This procedure assumes that you have a Segger
J-LINK for the recovery process and J-Flash
ARM installed on a PC (Microsoft Windows).
Cool post:
http://www.proxmark.org/forum/viewtopic.php?id=1490
63
64. Proxmark developers community
Research, development and trades concerning
the powerful Proxmark3 device!
http://www.proxmark.org/forum/index.php
http://www.proxmark.org/files/
Proxmark3Community Forum
64
70. MIFARE is a trademark of NXP Semiconductors.
With more than 5 billion smart card and ticket ICs and 50
million reader components sold, MIFARE is a technology that
has been selected for most contactless smart card projects
w o r l d w i d e a n d t h e r e f o r e , b e c a m e t h e m o s t
successful platform within the automatic fare collection industry.
In addition, its compelling product portfolio includes perfect
solutions for other applications next to automatic fare collection
such as loyalty, road tolling, access management and gaming.
Mifare Classic
70
72. MIFAREā¢ Classic 1K
MIFARE Classic 1K was the first IC to be used in high volume
public transport ticketing in a major transport project in Seoul,
Korea.
Continuing this success, cities such as SĆ£o Paulo, Buenos Aires,
Taipei, Pusan and many more are adopting MIFARE as the
contactless interface platform for the present and future.
MIFARE Classic 1K is primarily used in closed systems as fixed
value tickets (e.g. weekly or monthly travel passes) or as tickets
where value is extracted from the card by the service provider.
Mifare Classic
72
73. Mifare Classic
Key features
1 kbyte EEPROM (768 Byte free
available)
Unique serial number (4 Byte ā
not unique anymore - and 7
Byte)
16 separated sectors supporting
multi-application
Each sector consists 4 blocks
with a length of 16 Byte
2 x 48 bit keys per sector for key
hierarchy
A c c e s s c o n d i t i o n s f r e e
configurable based on 2 keys
Number of single write
operations: 100.000
Data retention: 10 years
73
74. http://www.nxp.com/documents/application_note/AN1304.pdf
The memory area of the MIFARE 1k is organized in 16 numbered sectors from 0 to 15.
Each sector contains 4 blocks (block 0 to 3).
Block 3 of each sector is called sector trailer and contains information (called access bits)
to handle the sector access conditions and the secret keys (key A and key B). Depending on
the setting of the access bits the Reader device has to perform an authentication with key A
or key B to read or write the sector.
Block 0 of sector 0 (i.e. Manufacturer Block also called Manufacturer Data) contains the IC
manufacturer data, and the Unique Identifier (UID, also called Serial Number, see [ISOIEC
14443-3] for a detailed definition).
Mifare Classic
74
77. MIFARE Classic 1K,
MIFARE Classic 4K
The MIFAREā¢ Classic Crypto algorithm
is a highly cost efficient authentication
and data encryption method. It has been
designed for maximum performance while
providing basic levels of data security. In
combination with a sophisticated key
diversification technique and appropriate
system level security measures, this
product can be used for reloadable time-
based smart cards or stored-value fare
collection concepts.
24th Chaos Communication Congress
December 27th to 30th, 2007
Nohl and Plotz gave a presentation on MiFare's
security vulnerabilities.
To hack the chip, Nohl and Plotz reverse-
engineered the cryptography on the MiFare
chip through a painstaking process. They
examined the actual MiFare Classic chip in
exacting detail using a microscope and the
open-source OpenPCD RFID reader and
snapped several in-depth photographs of the
chip's architecture.
The chip is tiny -- about a 1-millimeter-square
shred of silicon -- and is composed of several
layers.
Mifare Classic
77
78. The 48-bit key used in Mifare cards makes
brute-force key searches feasible. Cheaper than
brute-force attacks, however, are possible
because of the cipherās weak cryptographic
structure.
In a brute-force attack an attacker records two
challenge-response exchanges between the
legitimate reader and a card and then tries all
possible keys for whether they produce the
same result.
Less than 50min in an FPGA array (see Pico
Computing ;)
The random numbers on
Mifare Classic tags are
generated using a linear
feedback shift register with
constant initial condition.
Each random value,
therefore, only depends
on the number of clock
cycles elapsed between
the time the tag is
powered up (and the
register starts shifting)
and the time the random
number is extracted.
http://static.usenix.org/event/sec08/tech/full_papers/nohl/nohl_html/
Mifare Classic
Problems here?ā¦ first approaches
78
79. Crypto1 consists of:
one 48-bit feedback shift register for the main secret state of the cipher,
a linear function,
a two-layer 20-to-1 nonlinear function and
a 16-bit LFSR which is used during the authentication phase (which also serves as the pseudo
random number generator on some card implementations).
Mifare Classic
Crypto1
http://www.doc.ic.ac.uk/~mgv98/MIFARE_files/report.pdf
Practical Attacks on the MIFARE Classic
by Wee Hon Tan
79
http://en.wikipedia.org/wiki/LFSR
80. Three
well-known
attacksā¦
1.āÆ Sniff a valid trace (Proxmark!) and use Crapto1
2.āÆ Default keys? Got one key? Get the others! ā Nested! (mfoc)
3.āÆ No default keys? Get a key! - DarkSide attack (mfcuk)
Mifare Classic
80
83. http://code.google.com/p/p/mfoc
Mfoc
Open source implementation of "offline (card only) nested" attack.
Mifare Classic
Practical Attacks ā mfcuk & mfoc
http://code.google.com/p/mfcuk/
MfCuk
Toolkit containing samples and various tools based on and around libnfc and crapto1,
with emphasis on Mifare Classic NXP/Philips RFID cards.
http://www.libnfc.org/community/topic/98/mifare-classic-key-recovery-tool-dark-side-attack/
83
84. Hint 1: Drop down the field of a while and add a 100-250ms delay
Hint 2: Put a book between your antenna and the tag (seems to clean up the field-power better)
Hint 3: Restart the full anti-collision after getting a nonce
Hint 4: Try to keep your code clean and let it take the same branches to avoid timing differences wink
Hint 5: Try not to use an extension cable
84
85. The necessary information was extracted from the papers:
http://www.sos.cs.ru.nl/applications/rfid/2008-esorics.pdf
Finalized. (recover keys with a valid reader)
http://www.cs.ru.nl/~flaviog/publications/Pickpocketing.Mifare.pdf
Support for the fourth attack mentioned. (escalating from 1 key to any
without a valid reader).
http://eprint.iacr.org/2009/137
Support for the 'common prefix' attack. Retrieves a key without a valid
reader. Requires more communication than the previous attack and accurate
timing.
Mifare ClassicPractical Attacks
Note: This papers are in Proxmark Files folder too =)
85
86. We supply the cards below:
Works exactly like the Mifare S50, with 16 Sectors and 4 Blocks each Sector, but the
Sector 0 Block 0 known as Manufacturers Block where the Chip UID is stored, can be
re programmed to any UID you wish.
It's advantage;
This is a perfect solution for a lost irreplaceable Mifare Cards ID, you don't need to re-
enroll new cards. Just program this new Mifare 1K's UID to the UID of lost card then
you have a new Exactly the same card.
Popular applications;
Loyalty
Ticketing
Identification
Access Control
if you need please contact us:
ouyangweidaxian@live.cn
http://www.proxmark.org/forum/viewtopic.php?id=896
āMagic Chineseā Mifare Classic
86
87. ā¢āÆ Recent MFC don't leak NAKs anymore
ā¢āÆ Recent MFC don't use 16-bit LFSR anymore
ā¢āÆ Recent MFC use true random at startup
ā¢āÆ Still remains the use of crypto1 weak cipher.
Mifare ClassicGood news from NXP
87
MIFARE Plus is there to replace MFC wherever you need more security
ā¢āÆ 3 levels, level1 is MFC compatible, level3 is full AES
ā¢āÆ EAL4+ certified
ā¢āÆ Privacy-friendly:
ā¢āÆ Random ID possible
ā¢āÆ Distance-bounding protocol (against relay attacks)
http://www.nxp.com/documents/leaflet/75016722.pdf
89. Use Cases
1996 ā First transport scheme in Seoul using MIFARE Classic 1k.
http://en.wikipedia.org/wiki/MIFARE
89
90. Full Disclosure
In March 2008 the Digital Security research group of
the Radboud University Nijmegen made public that
they performed a complete reverse-engineering and
were able to clone and manipulate the contents of a
OV-Chipkaart (The Netherlands) which is a
MIFARE Classic card.
October 2011 the company TLS, responsible for the
OV-Chipkaart announced that the new version of the
card will be better protected against fraud
OV-Chipkaart.me
Hackers website voor de OV-Chipkaart
90
91. Full Disclosure
The researchers say their security flaw can be used to
copy cards. They claim to have even been able to
adjust the amount of credit stored on a pre-pay card.
Shashi Verma, director of fares and ticketing at
Transport For London, told the BBC its system
spotted the security breach.
"We knew about it before we were informed by the students," said Mr Verma
He stressed that the Mifare Classic chip in the Oyster card is only part of a larger
system. "A number of forensic controls run within the back office systems which is
something that customers and these students have no ability to touch.ā
"We will carry on making improvements to the security of the Oyster system."
91
92. Use CaseBuenos Aires, Argentina, using Mifare 1K
There is a lot of information that you can check in Govās RFPās ;)
92
93. Use CaseBuenos Aires, Argentina, using Mifare 1K
93
RFID Pedestrian Barriers Tripod Turnstile
95. Resources
Everything you need to know to look like you know everything!
PROXMARK3
http://www.proxmark.org/
http://cq.cx/proxmark3.pl
http://code.google.com/p/proxmark3/
TOOLS & DEPENDENCES
http://www.nfc-tools.org/
http://www.libusb.org/
http://pcsclite.alioth.debian.org/pcsclite.html
MIFARE
http://www.nxp.com/
http://en.wikipedia.org/wiki/MIFARE
ATTACKS
http://code.google.com/p/crapto1/
http://code.google.com/p/mfcuk/
http://code.google.com/p/mfoc/
SHOPPING
http://www.javacardsdk.com (Futako Co.)
http://adafruit.com/
http://proxmark3.com/
http://www.smartcardfocus.com/
http://www.segger.com/jlink.html
http://www.xfpga.com
95
http://rfidshop.com.hk (20% off! Mentioning this Workshop!)
SHOPPING
96. More ResourcesEverything you have to take a look!
Want more!? Gimme More, More & More! Random stuff, Projects, etc.
Arduino + RFID = Mfocuino! (Christophe Duvernois)
http://elecfreaks.com/store/download/datasheet/NFC/rfid_guide.pdf
http://elecfreaks.com/store/download/datasheet/NFC/Introduction_to_NFC_v1_0_en.pdf
HF RFID Demo Tag, http://jce.iaik.tugraz.at/sic/Products/RFID-Components/HF-RFID-Demo-Tag
Check Rfidiot stuff!
http://code.google.com/p/epassportviewer/ &
http://freeworld.thc.org/thc-epassport/
JCOP Cards!
http://wiki.yobi.be/wiki/RFID => veeeeeeery cool wiki!
Rfid Zappers!
http://code.google.com/p/micmd/
Command line utility, built on libnfc, which allows to interactively manipulate
mifare classic tags.
96
98. And we didnāt cover many other attacks likeā¦
Relay Attacks on ISO 14443 Contactless Smart Cards
http://www.sec.in.tum.de/assets/studentwork/finished/Weiss2010.pdf
NFC āphishingā attacks
NFC ātouchā attacks
http://www.mulliner.org/nfc/feed/nfc_ndef_security_ninjacon_2011.pdf
NDEF hackingā¦
See ConTags (e-ticketing of the Frankfurt area public transport system)
Google Wallet?
Steal info from +RFID Credit Cards?
98
99. Some quick nā dirty Countermeasures
Lots of info from NXP regarding the implementation of a secure payment system using their
Mifare (Classic) tags, SAMās, etc. Try their ANās.
RFID Blocker!
Your grandma always tells you: Do not to scan any QR code on the street!ā¦
remember her advise for Smartposters, NFC marketing, etc.
If you see someone with an antenna, just
run far away or put yourself inside a
Faraday cage :P
Use your own well-know encryption?
99
100. Iād like to give Special Thanks toā¦
PHDaysāIII crew!
Phil Teuwen
The people from Proxmark forum
&
Researchers, who share all their knowledge!
&
&
&