Today we're talking about RFID fuzzing, and we will use the Flipper Zero RFID fuzzer app. What is RFID fuzzing? Let's break it down. RFID stands for Radio Frequency Identification. Fuzzing, in the context of computer security, is a testing technique where you input a large amount of random or unexpected data, called fuzz, into a system in an attempt to provoke unintended results. The idea is to find vulnerabilities that could be exploited by malicious parties. So RFID fuzzing is a process where you test an RFID system by sending it lots of random, unexpected data. The goal is to find any weaknesses or vulnerabilities in the system that could be exploited. This is especially important in security-sensitive contexts like access control systems.

The primary purpose of an RFID fuzzer is to identify vulnerabilities in RFID systems. Fuzzing allows you to test how robust an RFID system is. By observing how the system handles a wide variety of inputs, you can get a sense of its overall reliability and resilience. By identifying vulnerabilities, you can take steps to address them and improve the overall security of the RFID system. This could involve patching software, updating hardware, or changing the system configuration. In some industries, regular penetration testing is a requirement for compliance with certain regulations or standards. Using an RFID fuzzer as part of your pentesting toolkit can help ensure that you meet these requirements. Many RFID systems are used for access control, such as key cards for buildings or secure areas. Of course, if an attacker can exploit a vulnerability in such a system, they could gain unauthorized access.

Let's take a look at the Flipper Zero app. First of all, you will need to install the RFID fuzzer app from the app store. You can select from four popular low-frequency protocols. Typically, you want to use the same protocol as the reader, of course, but you can also try different ones. Let's check the four options on the app.
Default values: in this mode, you are using the values of the dictionary that ships with the app. BF customer ID: iterates over the selected byte, with the remaining bytes equal to 0. Load file: loads new IDs from a Flipper-format key file, with the ability to edit and further iterate over the selected byte. And finally, load your IDs from file: you can load your custom dictionary from the SD card.

Once you have selected the protocol, you can configure two options. These values are critical both independently and collectively, and different values will have different effects on different systems. Time delay (TD) is the idle time between UID submissions. Emulation time (EMT) is the transmission time of one UID.

For this example, we will use a low-frequency RFID reader using EM4100 technology. I have already registered a card for this system. I will use it, and I will clone it with the iCopy-X to generate an emulation with another UID, so that way we will have a wrong card. So now I'm changing the UID: I will go to the last digit and just modify it. Like that. So now, as you can see, I have a wrong card. So this is the right card: it opens. Wrong card: it's not opening.

What we know when we set up a system like this is that to register new keys or functions, we need to press the asterisk (*) or hash (#) button, followed by the master password. So it's a series of numbers, with a number representing a command like adding a card, changing the master password, etc. So to get lucky and get our fuzz working, we need to keep that in mind and use it when testing.

So we will use the Flipper Zero RFID fuzzer app now. We will use the default dictionary. The time delay here is set to 0.4 and the emulation time is 0.5. You can see that there is no reading here. We will let it finish its batch. You will notice that the reader is in a really weird state right now. So now it's finished. We will test with our right card. Nothing is happening. And first glitch: we have an opening with the wrong card.
So we go back to the right card, and we are still in a weird state. So we just press the asterisk again to get out of that mode. So now we have a reading with the right card. We will try again to glitch in that state. So now we have openings with everything. It opens, it opens, it opens, it opens and it opens. So it's glitching completely. And now our wrong card is opening. Right card is opening. Wrong card is opening. So we go back to the... exit again, and now look at that. It definitely glitched and registered our wrong card as a right card. We verify that the values of the default fuzz dictionary are not registered as positive cards for this reader. It doesn't seem like it. This fuzz did its job, though: we successfully identified a vulnerability and we are able to get an opening.

RFID fuzzing, while a powerful tool for identifying vulnerabilities in RFID systems, does have several limitations. First, it's time consuming. Fuzzing involves sending a large number of inputs to a system to see how it responds. This can be a time-consuming process, particularly if the system has a large number of potential inputs. Second, there is no guarantee of finding all vulnerabilities. While fuzzing can help identify many types of vulnerabilities, it's not guaranteed to find all potential issues. Some vulnerabilities may only be exposed under specific conditions that aren't covered by the fuzzing process. Third, it requires expertise to interpret results. Understanding whether a particular response indicates a vulnerability often requires a deep understanding of the system being tested. Fourth, potential for false positives. Fuzzing can sometimes lead to false positives, where a particular input causes an unusual response but doesn't actually indicate a vulnerability. Fifth, it is limited by hardware and software. The effectiveness of RFID fuzzing can be limited by the hardware and software used. For example, some RFID readers may have a built-in protection that limits the rate at which they accept inputs, slowing down the fuzzing process. Sixth, physical proximity is required. Unlike some other forms of penetration testing, RFID fuzzing requires physical proximity to the system being tested. This can limit its usefulness in certain scenarios. Seventh, potential to disrupt normal operations. If not done carefully, fuzzing can potentially disrupt the normal operation of the RFID system being tested. Of course, this is particularly a concern in live environments where the system is in active use.

Fuzzing and brute forcing are different. Fuzzing tests systems with random data to find weaknesses. Brute forcing tries all options to access a system. Other tools for RFID fuzzing include the Proxmark III, the Chameleon family (the Chameleon Mini and Chameleon Tiny), SDR tools like the HackRF, and the infamous RFIDler. Remember to always use these tools responsibly and ensure that you have permission before testing any systems.

And that brings us to the end of our deep dive into the world of RFID fuzzing. If you found this video useful or informative, please like it and share it, and don't forget to subscribe to this channel. Be sure to visit LAB401.com to get your Flipper Zero and accessories with the best service and the best price. Once again, thank you for watching and see you in the next video.
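The demo shows a reader that, after a burst of unknown UIDs, ends up enrolling the wrong card, and the limitations mention readers with built-in rate protection. As an added example that is not from the video or from Lab401, here is a small Python model of the reader-side mitigation: it counts unknown UIDs in a sliding window and locks out when the arrival rate looks like a fuzz run rather than a person badging in. The UIDs, the 5 s window, the thresholds, and the assumption that TD and EMT are in seconds are all mine.

```python
from collections import deque

# Constructed EM4100-style 5-byte UIDs (10 hex digits); not real card data.
AUTHORIZED = {"1D00A1B2C3"}

class FuzzAwareReader:
    """Reader model that locks out after too many unknown UIDs in a short window.

    A fuzzer cycling UIDs every TD + EMT seconds looks nothing like normal use:
    many distinct unknown IDs arrive within a few seconds.
    """

    def __init__(self, window_s=5.0, max_unknown=3, lockout_s=30.0):
        self.window_s = window_s        # sliding window for counting unknown UIDs
        self.max_unknown = max_unknown  # unknown reads tolerated inside the window
        self.lockout_s = lockout_s      # how long the reader ignores all cards
        self.unknown = deque()          # timestamps of recent unknown-UID reads
        self.locked_until = None
        self.log = []                   # (t, uid, decision) for the audit trail

    def present(self, uid, t):
        """Return 'open', 'deny' or 'locked' for a UID read at time t (seconds)."""
        if self.locked_until is not None and t < self.locked_until:
            return self._decide(t, uid, "locked")
        if uid in AUTHORIZED:
            return self._decide(t, uid, "open")
        # Unknown UID: record it, drop reads older than the window, then check the rate.
        self.unknown.append(t)
        while self.unknown and t - self.unknown[0] > self.window_s:
            self.unknown.popleft()
        if len(self.unknown) > self.max_unknown:
            self.locked_until = t + self.lockout_s
            self.unknown.clear()
            return self._decide(t, uid, "locked")
        return self._decide(t, uid, "deny")

    def _decide(self, t, uid, decision):
        self.log.append((t, uid, decision))
        return decision

def fuzz_stream(n, td=0.4, emt=0.5, start=0.0):
    """Constructed fuzz run: n distinct unknown UIDs spaced TD + EMT seconds apart
    (the video's 0.4 and 0.5, assumed here to be seconds)."""
    return [(f"FF000000{i:02X}", start + i * (td + emt)) for i in range(n)]

def run(reader, events):
    """Feed (uid, t) events to the reader and return the list of decisions."""
    return [reader.present(uid, t) for uid, t in events]
```

The lockout denies everyone, the right card included, for the whole lockout period, which is the trade-off: a control that slows a fuzzer also makes the reader easier to jam, so the window and lockout length need tuning for the site.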