DEF CON 25 - Dennis Maldonado - Real time RFID Cloning in the Field

Captions
So who here's for the RFID talk? Everyone? So it's gonna be a quick 20 minute talk. It's something I've been working on for a while. It's not a hundred percent complete yet, so you'll see a lot of kind of missing things, or something where I'll say, hey, this is not perfect, but I'm working on it. But yeah, so: real-time RFID cloning in the field. This is not something new, but it's just a different way of doing things. And you'll see me fiddling with this thing the whole time because I'm trying to get it to work before the demo slide comes on. They sound really cool when they start up; I always get weird looks from people, like I'm about to die. Alright, alright, so that may not be me stealing someone's badge.

So who am I? I'm not gonna spend too much time. I'm Dennis, a lot of you know me. Who here has been to one of my other talks before? I spoke twice. Everyone, yeah. I'm an adversarial engineer at LARES Consulting, and I am a Houstonian, a current Houstonian, and I founded Houston Locksport, a lock-picking club. We just hang out, drink beers and pick locks. And HAHA, Houston Area Hackers Anonymous or Association or whatever you want to call it. If you find yourself in Houston around the same time we do any of those meetups, totally stop by, it's awesome. I spoke previously at DEF CON 23 and DEF CON 24.

Okay, so yeah, demos totally not going to work. But RFID: radio frequency identification. So you all know what RFID is, right? Who here has an RFID card on them? Don't lie, all of you guys. I mean, who here is staying at this hotel? All right, RFID cards. So just a little bit of background on what radio frequency identification is: it's electronic access control for many companies and organizations, hotels and what have you, even some homes, personal homes, have it. If you have one of the Samsung smart locks, it supports RFID technology. It's a contactless form of authentication, so you have a wireless badge, kind of like what I have in my hand here. It's either a tag or a badge; they come in many different form factors, and you present it to a reader on the wall or on the door, and if it's the correct card it lets you in.

As far as the technology, hardware-wise, there's two different types of technologies, and that's going to require two different types of readers. You have the low frequency technology that runs on 125 kilohertz, and that's typically your HID Prox, Indala, FlexIO products and some other manufacturers and vendors that make that kind of technology. It's the older technology; it is commonly referred to as less secure because it doesn't support cool things like cryptography and stuff. But then you have high frequency, which operates on 13.56 megahertz, and that's where HID iCLASS comes in, MIFARE, LEGIC and others that you've heard of. This is the technology that actually supports cryptography and mathematics and a lot of other things between the card and reader to make it harder to clone a card and attack the reader.

You'll hear them commonly referred to as credentials, cards, stickers, tags. You guys have all different sorts of media that have this technology embedded in it, and a lot of devices may have an RFID tag in them and you may not even know it. If you've ever gotten like a garage remote or a smart key from an apartment, there might be an RFID tag in there for the key management computer or something.

So here's just some examples. You see employee badges, ISIS... back when it was called ISIS, now what is it called, the Vegas... the Cyril Figgis detection thing, you see something like that, whatever. But you have these badges that people will wear on their person at all times, even when they're not at work. You have people wearing it on their lanyard over the neck and it's swinging around, or they have it on either their left side or right side, just pinned to their belt. And what that allows us to do as pen testers... I'm gonna assume everyone here is legit, are pen testers and not black hat hackers... but as pen testers, if we're targeting a specific company and we want to get in physically, then we can see how they're wearing their badges and target that. So if we have a device like one of these long-range readers I'm gonna talk about, and we see that they're wearing their badge on their left side hip, then we can put our RFID reader in a backpack and walk by someone, passing by their left side, and try to get a good badge read from that.

So here's kind of... there you go, here's kind of the sneaky little random person. I don't know who's sitting... who knows, this guy has a badge, so I sit next to it, and in my backpack is one of these RFID readers, and I'm just close enough to get a quick read. And I'm acting nonchalant, I'm trying not to be suspicious, other than the fact that I look like me, and just walk away, and now I have that person's badge.

So what did I use? I used one of these long-range readers. So there's a few different types of long-range readers that you guys have probably seen. Like I said, this is nothing new; Bishop Fox did a talk like this what, two, three years ago, where they talked about weaponizing one of these long-range readers. So you have the MaxiProx 5375, and that's the low frequency long range reader that HID manufactured and sold at some point, and it can read HID Prox cards, and it can actually read them from a range of 18 to 24 inches. That's somewhere between like two to three feet. It's actually pretty good, it's a good read range, so you don't have to like get up to someone and touch your butt to get a card read. Damn, who said that? You just have to be close enough, like that bench: I was a few feet away from that person with that bench, or maybe in an elevator.

So here's what it looks like, except I took it apart. It's got a big antenna coil that's energized and will constantly send out power and... like, yeah, I'm not a physics major, but radio frequencies, I'm gonna try to fake it. And if a card is present within the field, close enough, it will power that card and that card will respond back with its information and we get a read. Same thing with the R90. Those are for the high frequency cards, the iCLASS cards, and those, because of the technology and the physics and the science, it doesn't read as long of a range as the low frequency, so it's kind of 12 to 16 inches, but it's still good enough for what we want to do. And that's this one here, this thing.

And these are devices... these aren't like hacker devices. These are devices, by the way, they're small enough to fit in a backpack and you can find them on eBay, albeit they're probably expensive, but you can find them on eBay. These devices aren't hacker devices. They are devices that manufacturers or building owners and anyone who has a facility can buy, or a vendor can buy, to allow legitimate users to scan their badge from a distance. For example, if they're in the car, you don't want the user to have to get out and go to the reader and scan their badge, but if they can do it from their car, the long range reader is gonna provide enough of a read range to do that. And so you see them all over the place if you pay attention. Go to garages or some apartments that have those, or parking lots for companies, they'll have those long range readers. Now don't go stealing those, because they're connected somewhere, so you'll create a lot of damage. But often, like, maybe a building gets decommissioned or demolished and they take these and they sell them, or they donate them to some warehouse, electronic parts warehouse, so you can go look for them.

So what does one of these look like? So this is what one kind of looks like normally. You see you've got that big antenna coil and all that circuitry hidden behind that white piece of paper. That's the normal circuitry that it comes with to kind of power that coil and do all of its magic mumbo jumbo to make RFID reading work. And then there's often just four wires, sometimes it's more, but the minimum is four. You got two wires for power and ground and you got two wires for the Wiegand Data 1 and Wiegand Data 0, and those will often feed all the way back through some wall to some controller that interprets that information.

So what we can do is, if we were to grab one of these, we can modify it. So you can see here on this picture I put extra circuitry in there, the first one on the bottom being a battery source. In this case I'm using 18650 batteries, I'll kind of go into detail a little later, but that battery source is autonomy to power this reader on its own and not have to be connected to an external source. And then there's a series of DC boost converters or buck converters, sounds advanced but it really isn't, but just to kind of do power management, like boost the voltage up to 12 volts to power the reader, then back down to 5 volts to power the Raspberry Pi. And then we have the Raspberry Pi, which is the brains of this operation here. What the Raspberry Pi does is it allows for wireless connectivity, so it can spin up a Wi-Fi access point. By the way, that's a new Raspberry Pi Zero W, it's awesome, it's ten bucks and it has wireless built in. And I can host servers, it's a Linux operating system, I can host like web pages and servers and stuff. And what this Raspberry Pi will do is it's connected to the Wiegand data wires of this reader and it'll interpret and automatically decode, with Python code that has been released like ten minutes ago... I'll talk about it, it's terrible code. Don't clap. While you're clapping I'm gonna see if my demo is gonna work, probably not. Turn off your Wi-Fi devices please, and whoever is trying to crack that network, stop. So it's gonna automatically decode and interpret the Wiegand data and it's going to... oh, it worked... present all that information for you. Well, don't clap yet, cause I haven't started the demo yet. So I'm gonna speed through it to get to the demo.

So the Raspberry Pi is the brains of the operation, it does everything. So let's see if this is gonna work for me. So I am connected to something. Oh yes, oop, wow, let's see, open. Okay, so what I have here now is... I had to use my backup reader, but this is a high frequency reader and it's currently powered on, powered by these batteries, and there's a Raspberry Pi. It's connected to the Raspberry Pi, which has Wi-Fi enabled, so it has an access point and I am connected to that access point. I'm just gonna go ahead and get a read now just in case... ah, something broke. So what's happening is every time it gets a read it's gonna automatically... so you connect to this over Wi-Fi with your phone or your laptop and you go to this webpage, and it's just WebSockets. What it has is a table with all the Wiegand information in it, and that's gonna be your Wiegand binary, your Wiegand hex data and your card number, facility code. Right now this is an unknown card, so let me get a quick legitimate card and see what happens.

And what's cool about this is, for those who remember, who have ever even made the Bishop Fox one: the Bishop Fox one is great and it gave me kind of the incentive to make it better, because with the Bishop Fox one, when you get a card read you have to go back to your base or wherever, take the SD card out, decode the Wiegand binary data, as you see there, and just, you know, figure out how to decode that and go from there. But what mine does is, if you see in the bottom reads here... I'm actually not going to read this card because I realize it's probably not a number I should be displaying, but if you see this over here, this is the Wiegand data stream, this is the Wiegand binary you'll typically get with the Bishop Fox one from the SD card. What it'll do is it'll give you the hex data, and this is cool because you don't have to do anything, you don't have to decode that by hand, it'll actually give you this, and this is what you need for the Proxmark. All you do is you pass this code to the Proxmark and boom, you've cloned a card. And then it'll even decode these numbers for you: 18, 221. That's facility code, that's a card number, and in case it's a specific format, this is a card number without the facility code. So this will automatically decode based on the specific format. For those who are familiar with HID, there's different formats like 26 bit, 35 bit, 37 bit; this will do all that magic for you. All you got to do is get a card read and then copy and paste this into Proxmark. Super easy.

What I also have, if this didn't die on me, haha, let's see, there we go. Oops, oh, that's not my dog, that's Doug's dog, he's Doug from Austin, her name is River, she's cute. So let's say I have this thing in my backpack, there's a bag here, and I'm in the elevator and I want to get someone's read, but I don't know if I'm positioned right. So what you do is... this is an Android app, it's on my phone, and what I'll do is I will get close enough to that person to get a read. You can still see it. And let's... where's my card... it's just a good part of it. So you get a read, and what happens is it automatically pops up on that screen, and as you heard, you get a notification. So even when you're not focused on it, I got a notification. Of course, don't let it sound, let it vibrate, but now you have it in your pocket, it's vibrating, yes, I got a good read. And by the way, I have a Pebble watch and I got it on my Pebble watch too, so I can see facility code and card number on there, so I know exactly who I just got. And that's pretty much... there's an Android app. The Android app we're still kind of working on, I haven't had time to finish it, but that will be released real soon once I get that finished. So that's pretty much the meat of it.

Now there is another cool thing. Unfortunately, let me try to get it. One cool thing I really want to show you guys, but I don't think I will be able to because Wi-Fi is not working, is with the low frequency reader, and I'm slowly working on the high frequency reader. I have this, this is currently very big, there's a Raspberry Pi in there, a Proxmark in there and a battery. What this will do is, it's the satellite system. When you turn this on, which I'm going to turn on right now, it's a battery powered... who, I have five minutes? Thank you... it's a battery powered Raspberry Pi. This wirelessly connects to that access point from that reader. So let's say Tim and I are on an assessment and Tim has the RFID reader and I have this satellite, kind of at least, what, thirty feet away from him. When he gets a read, it's gonna automatically send that information to this satellite system, it's not like Pi, and it's gonna automatically write a card. So all you do is just take it out and you have a copy. So I'm gonna try like for one second, see if this is gonna work, let's find out. Yeah, there's too much wireless here, so unfortunately I can't demo it. But what I can do is, if someone wants to offer a village I can hang out with tomorrow, I can have all this stuff up and you guys can play with it. Hit me up on Twitter tomorrow, I have all this stuff and I'll bring it somewhere, probably the Lockpick Village, and I'll just let you guys see how all this works. But yeah, what this will automatically do is it'll automatically clone that card, and so in seconds you steal someone's badge and you have a complete copy and you just walk into the building. That's pretty much it for that.

So I'm gonna rush through making your own. I don't have a lot of detail here, because the reason for that is I'm posting most of the detail on GitHub. I've already written quite a bit of detail on there. Once Tim, Tim right there, Tim McGuffin, once he helps me figure out how to draw a schematic diagram, I'll draw a schematic diagram on how you can make one of these your own. But it's fairly simple. So making your own: all you need is, of course, you need one of these readers, buy it on eBay or whatever. If you pay me enough money I can give you that one; that's a lot of money. You need a battery source. Battery can be anything; it has to support three amps, so if you just use like a few double A's, probably not gonna work, but a bunch of double A's will work, just like Bishop Fox's. But I like to use the 18650 batteries. My batteries support 10 amps each, they're awesome, and they have a protection circuit, so when you screw something up, and I've screwed something up, the protection circuit will hopefully prevent your reader from dying. And that's happened, that's another story for later. Then all you need... I've got a read, who read my card?... then you need a DC boost converter. So if you have a battery source like these two batteries here that only support seven volts, the boost converter will boost it up to twelve volts so it can actually power the reader. But then you need a buck converter so you don't burn your Raspberry Pi; that's gonna bring the twelve volts down to 5 volts to power the Pi. And then of course you get the Pi Zero with all the magic, and of course wire. So to wire the Pi Zero, just install Raspbian Jessie Lite. I see everyone taking pictures, so I'm going to upload this to the GitHub after this. But there's a GitHub... yeah, take a picture, that's fine. There's the GitHub link. Download Raspbian Jessie Lite, install on an SD card, put it on the Raspberry Pi, and there's Python code and a setup script. All you do is you run the setup script after you install Raspbian Jessie Lite and that should install everything for you. It should install and set up a Wi-Fi access point and install the Python code necessary to get all this to work. And then on the GitHub I'll show you how to wire the GPIO pins to get that to go. It's five simple pins: power, ground, Data 1, Data 0... four pins... five. And then for the automatic cloning, none of that's going to be on GitHub yet, cause I'm still working on it, but it's simple. It's just a Proxmark, any version, with the Raspberry Pi and battery, that's all it is.

So if you go to my GitHub, which I've just made public... how do I switch tabs, I can't see my mouse, there it is... here you'll see there is a set of scripts down here. So once you get Raspbian Jessie Lite on a Raspberry Pi, just run that setup script, it should do everything automatically. I'm gonna be working on getting a Raspbian image that has all this done. I already have that image, but it's a 16 gig dd of an SD card; I have to figure out how to make it a 2 gig SD card... unless someone has a 2 gig SD card they can lend me now. Okay. But down here there's a bunch of information on how to set it up, and as the days, as the weeks, as time goes by, I'm gonna be updating it, making it more clear and adding more diagrams to get it to work. It's been pretty busy the last few months, so I haven't had a lot of time, but I'm gonna focus on that. So that's pretty much it. I am out of time, so questions? I guess I'm out of time, so I'm gonna have to step down here, then I can answer questions outside in the hall. So is there anything else, Anita? All right, thank you so much, sorry for the demo fail, but I'll have it tomorrow. Thank you. [Applause]
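The talk describes the Pi turning the two Wiegand lines (Data 0 / Data 1) into a bit string and then decoding facility code and card number from it. As an added example, not the speaker's GitHub code and not taken from the talk, the Python below rebuilds a frame from the order of line pulses and decodes the standard 26-bit format (one even-parity bit over the first 13 bits, an 8-bit facility code, a 16-bit card number, one odd-parity bit over the last 13 bits). It also checks both parity bits, which is the basic sanity check an operator wants before trusting a read picked up at the edge of the reader's range, and which the talk's description does not cover. The sample frame (facility code 42, card number 1234) and the pulse list are constructed for this example; the hex shown is simply the raw 26-bit frame, not any tool-specific encoding.

```python
"""Rebuild and decode a standard 26-bit Wiegand frame (added example)."""
from typing import List, NamedTuple


class Wiegand26(NamedTuple):
    raw_bits: str       # the 26 bits exactly as the reader emitted them
    raw_hex: str        # same bits as a 7-digit hex number
    facility_code: int  # 8-bit facility code
    card_number: int    # 16-bit card number


def bits_from_pulses(pulses: List[str]) -> str:
    """Turn a sequence of line pulses into a bit string.

    On a Wiegand interface a pulse on the Data 0 line encodes a 0 bit and a
    pulse on the Data 1 line encodes a 1 bit; the order of pulses is the order
    of bits. The pulse list here is a constructed stand-in for GPIO edge events.
    """
    mapping = {"D0": "0", "D1": "1"}
    try:
        return "".join(mapping[p] for p in pulses)
    except KeyError as exc:
        raise ValueError(f"unexpected line name {exc.args[0]!r}") from None


def _ones(bits: str) -> int:
    return bits.count("1")


def decode_wiegand26(bits: str) -> Wiegand26:
    """Validate parity and split a 26-bit frame into facility code and card number."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 binary digits")
    # Layout (0-indexed): [0] even parity | [1:9] facility | [9:25] card | [25] odd parity
    # The leading bit makes the first 13 bits even; the trailing bit makes the last 13 odd.
    if _ones(bits[0:13]) % 2 != 0:
        raise ValueError("leading even-parity check failed (corrupt or partial read)")
    if _ones(bits[13:26]) % 2 != 1:
        raise ValueError("trailing odd-parity check failed (corrupt or partial read)")
    facility = int(bits[1:9], 2)
    card = int(bits[9:25], 2)
    return Wiegand26(bits, f"{int(bits, 2):07X}", facility, card)


def encode_wiegand26(facility_code: int, card_number: int) -> str:
    """Build a parity-correct 26-bit frame; used here to generate test vectors."""
    if not 0 <= facility_code < 256 or not 0 <= card_number < 65536:
        raise ValueError("facility code must fit 8 bits, card number 16 bits")
    payload = f"{facility_code:08b}{card_number:016b}"
    even = str(_ones(payload[:12]) % 2)          # makes first 13 bits even
    odd = str((_ones(payload[12:]) + 1) % 2)     # makes last 13 bits odd
    return even + payload + odd


if __name__ == "__main__":
    # Constructed pulse sequence for facility code 42, card number 1234.
    frame = encode_wiegand26(42, 1234)
    pulses = ["D1" if b == "1" else "D0" for b in frame]
    print(decode_wiegand26(bits_from_pulses(pulses)))
```

The decoder deliberately refuses a frame that fails parity instead of guessing; a read captured at the edge of range often drops or duplicates a pulse, and a facility code reported from such a frame would be wrong.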
Info
Channel: DEFCONConference
Views: 40,986
Rating: 4.9317584 out of 5
Keywords: DEF CON, DEFCON, DEF CON 2017, DEF CON 25, hackers, dennis Maldonado, RFID, RFID Cloning, security conference
Id: kUduHIygbY8
Length: 20min 33sec (1233 seconds)
Published: Thu Nov 02 2017