>> This episode of the Modern Rogue is brought to you by Privacy.
>> Go to privacy.com/rogue and get five dollars of free money.
>> Yeah, what's up, free money. Hi, knock knock, who's there? Free money, ya like it? Take it.
>> Come on in. All right, we're back with Red Team Alliance.
>> Hey brother.
>> It's Babak Javadi and Deviant Ollam, thank you for joining us, gentlemen.
>> So last time, you guys took us on a deep dive of what all's in a mag stripe. Help me understand why RFIDs are any better, or are they even better?
>> Marginally. [laughing]
>> Well, that's a ringing endorsement.
>> I am a little bit more kind. I think they are better in a lot of ways, but it's important to understand the limitations, just like any of the stuff that we've talked about in the past, with locks, hotel safes, or otherwise.
>> Would it be fair to say that a mag stripe is basically a piece of paper with numbers written down on it?
>> Absolutely, that would be fair.
>> And then this would be, what? A miniature computer, basically, or?
>> That's actually very close, yeah. So, what we're doing, when they moved away from mag stripe technology to RFID, they were looking for long-term reliability and convenience. And also security. Go ahead.
>> RFID is radio frequency identification?
>> Radio frequency identification, that is correct. Now, it is important to understand, though, that the R, radio, in RFID, is different than how a lot of people can think about radio. So normally, like, you know, if you're listening to the FM radio, you have a station transmitting and then you have receiving. And that can happen over a distance of, you know, miles, tens of miles.
>> Right, you have a power source--
>> Exactly.
>> In fact, as we learned about with HAM radio licenses, sometimes very intense power sources. And then other people receiving the signal.
>> Right, with RFID, it's not a similar situation. You can't really do like super-long range transmissions.
>> Yeah, it's not broadcasting radio.
>> That's right. So you know, we talked about how on the mag stripe, it's just magnetizing parts of that rust, that dark rust basically.
>> Like a barcode.
>> Exactly, right. And instead, they, you know, back in the '70s, developed a technology that allowed them to electromagnetically couple with a coil that powers up this chip. And then that chip is able to talk back to the reader just by modulating its power draw.
>> Wait, that's been around since the '70s, but it was only introduced into debit and credit cards in the United States a couple of years ago?
>> Broadly, so, that's, this is like the predecessor to what you see today.
>> Gotcha.
>> So this is like old, old original generation technology. And then now what you have today is a lot of other stuff added on top of it.
>> An iteration of it, okay.
>> Yes, many iterations, actually.
>> Am I right, and forgive me if I'm so wrong about this, but is this the same kind of thing that charges my toothbrush, where it's like there's a magnet--
>> Same kind of technology.
>> Okay.
>> Exactly.
>> And so this is--
>> And your phone as well.
>> Look at this, with his fancy electronic toothbrush!
>> No, but like, I remember, I remember in elementary school building a generator, right? You take a magnet and you spin it around or whatever, so there's waves, and then this looks like the receiving part of the generator.
>> Similar idea, in fact, we have something that can show you. So, this is super cool, a lot of people have made devices like this. This is basically just a circuit board with some LEDs on it, and some coils.
>> I'm going to be honest with you, this looks like this grants you access to some crazy supervillain club.
>> It could, or it could just be a card that when you present it in front of a reader, you'll notice that the LEDs that light up indicate that a reader is somewhere in the vicinity, and it's able to draw that power from the reader.
>> So that card has no battery in it.
>> That's correct.
>> That card doesn't have its own power source. Whenever you see a reader like this, it's always offering power right into the world right there.
>> So anybody who's weird about electromagnetic radiation better be scared of these all the time, you know.
>> I promise you they already are.
>> So these guys are radiating power at all times.
>> Yes, within a very small bubble, if that makes you feel any better, but yeah.
>> Sure, the RFID card, I didn't know that it had an actual chip. For some reason, I thought it was just a number basically, similar to a mag stripe.
>> In effect, what we're doing is we're changing how that number is transmitted. It is still just a number, but instead of it being read off a magnetic stripe, it's just being transmitted wirelessly. The actual content is not changing, the means by which we transmit the content is changing. It's the difference between me writing down a note and handing it to you and me telling it to you verbally.
>> So, in other words, this thing is asleep until you hold it and it gets power, then it wakes up and it goes, hello, I am 1266742!
>> Over and over and over and over again, you got it.
>> Is it re-programmable, though?
>> Some are, the newer versions are.
>> Okay, so some of them have actual memory in them.
>> Yes, we're actually going to see how we can take advantage of that.
>> Ooh, ooh, ooh, ooh.
>> Yes, yes, be excited.
>> All right, and since this is the Modern Rogue, why should I be afraid?
>> I would actually call it being informed. Here's why you should be informed, right? For example, Dev there has our friendly baggage handler's badge.
>> From your local airport?
>> From your local airport.
>> BRIAN: Got it, okay.
>> And that grants him access to that particular door. Now, what we're going to do is we're going to walk through a very basic card cloning technique just to show you how easily that number that we discussed can be duplicated. So right now, we have this card here and that works. And this card here, again, this is the same as any other kind of card, the only difference is we had these custom made with clear PVC, just so you can see all the goodies inside.
>> Now, is that the kind of microchip where all it does is shout out a number?
>> Yes, it is.
>> But I'm going to guess that maybe it's--
>> It's re-programmable, it's re-programmable.
>> Yeah, so it's basically that plus a little bit of memory--
>> Correct.
>> So that you can change it.
>> 100% right.
>> Got it, got it.
>> Exactly. So right now, this card here doesn't work, right? So, what we're going to do is we're going to use an open-source tool called the Proxmark 3, and we're going to read the data off of that card.
>> And I assume this is available via the internet.
>> It is, it is available indeed on the internet. So here we have the number that we discussed is actually saved inside this card, and that's what's being presented to the reader anytime it powers up.
>> Now, how complicated are those numbers? Are we talking like four-digit, or is it something lengthy and complex?
>> Not as long as you might think. Anywhere between 26 and 44 bits of binary data, which is not a very long number.
>> Yeah, yeah, what about the technical side of things? Because this looks pretty, like, if I could buy one of these, I assume this software is not terribly complicated.
>> Unfortunately this particular software is a little bit more clunky than I would like.
>> It's open source, man!
>> Yeah.
>> It's going to work better.
>> You can just fix it.
>> Yeah, exactly.
>> Got it, okay, so, get ready for 20 minutes when all of a sudden anybody can do any of this.
>> It's all totally understandable and graspable if you're willing to invest the time.
>> So at this point, we've captured the number. I assume it's just like the mag stripe thing. You're going to do something where you program the thing.
>> I am going to do something. Right, the first something I'm going to do is I'm going to turn this into a card.
>> Okay.
>> So, because this can be reprogrammed to behave as a reader or as a card, I can actually tell it instead of reading, what I'll do is I'll give it a command to simulate that same data.
>> So right now, it's just blasting. It's using its own source of power, it's not drawing from that--
>> That's correct.
>> Okay, it's just screaming those numbers.
>> All right, so we've gone ahead and begun the transmission. So I'm actually just going to hand this to you. Go ahead and present it to that reader on the left.
>> Okay. [beeps]
>> Boom, simple, you're authorized.
>> Simple, but like--
>> And you looked so legit doing it.
>> We can't have him running around the facility like this, right?
>> I wouldn't recommend it.
>> I would love to see that, he's like pretending he's delivering a pizza, but he's got a laptop in there.
>> I've known people that like wire it down their sleeve and there, they got a backpack laptop going on.
>> Instead, remember this card?
>> Yeah.
>> That currently does not work. So we're going to place that back on here.
>> These blank programmable cards, totally legal? Are they, how much do they cost?
>> Yeah, so, they're super cheap, a couple bucks.
>> Yeah.
>> Yeah, yeah. So we're actually going to tell it instead to reprogram this card and we're going to check to see if it wrote correctly, it looks like it did. Go ahead and grab that card and present it to the reader for me, please. [beeps]
>> Magic, it's voodoo!
>> What do these run?
>> About $300.
>> $300.
>> Okay.
>> Yeah.
>> So, a little pricey, but not--
>> Not terrible.
>> Achievable.
>> Now, to be fair, there are like, there's a bunch of different RFID card technologies out there. We're just talking about like some of the more basic ones like Prox, for example, is what you're holding. For Prox specifically, because it's such an old technology, there's really cheap, like, readers out there, cloners available out there for like 20 bucks on like AliExpress and stuff.
>> They're like a little blue gun, kind of.
>> They're going to do nothing but Prox. And if that's your only game is cloning Prox, then that's going to be much easier. But this is cool because this is basically a research tool. This allows you to interact with almost any kind of credential if you're willing to put in the time and effort.
>> If you're trying to penetrate a building, do you go up to the card reader and have to do research and determine, okay, it's this type, and so I have to get the right type of these?
>> Yes and no, so, you do need to do some reconnaissance and intelligence gathering. That's one of the things that we actually cover when we teach other professionals on how to do this is we spend a lot of time on how to remotely identify different card technologies and readers at a distance just by taking photos. Dev has taken tons of photos, so we can [snaps] just like that see what kind of card it is.
>> Question, question, a key fob is just one of these with a battery in it?
>> No battery.
>> No battery?
>> No, same exact, just a smaller form factor.
>> Yeah.
>> Smaller coil, smaller enclosure.
>> Today, I learned.
>> That's it, today, we all learned.
>> And much like your key fob may have branding on it, your card may have branding on it. Many times the readers have branding and certain very unique visual elements. We say, oh well, look, the three colored lights, well, that's IO Prox. Oh, look at this, the light bar, okay, the I-Class.
>> So in both of these examples, you get your hands on the credentials and then you duplicate them. Is there a version, let's say you have access to the, I don't know, the gizmo, but not the credentials. What can you do then?
>> Well, you know how with credit cards, skimming is such a problem?
>> Sure.
>> Yeah, same problem exists in access control as well.
>> That doesn't seem right because a skimmer, you just put a thing over the thing and then they slide through the thing.
>> Or putting it behind the thing.
>> Yeah.
>> Got it.
>> There's different things to put in different places.
>> Imagine a big company that's here in the Austin area, you can think of a couple, that has one of these scanner devices just outside, unprotected. You could go up to any number of those and put something in there. 60 seconds and no one would be able to stop you, no one would know.
>> Yeah, you get two guys who are dressed the same, matching polo shirts, one of them holding a clipboard, kind of look like you belong there. He's watching me, make sure I do my job correctly and I'm just underneath it, swinging, push, punch, reload, gone.
>> This is the moment you realize that that's way too polished to be just a theoretical story. That is definitely a factual story that you guys have done. All right, so walk me through this. You guys show up wearing a couple of orange fluorescent pinnies and having clipboards--
>> Sure, whatever works.
>> Doing whatever this fake maintenance is.
>> So, what Dev is going to do is he's going to go ahead and take the reader off the mount. It's important to consider that, you know, this type of problem that we're demonstrating is valid on almost any card reader. It's not specific to these models or brands.
>> I would not have thought it would be this easy to bust one of these open.
>> And now what you're seeing is on the back of the reader, we just have a couple of wires, so we have our power and our ground, our LED control, and then data zero and data one. These two wires, the white and green ones, these are the two wires that are used by the reader to send that card information from the reader back to the door controller, which actually controls whether or not that door is open or closed.
>> Okay now, in this case, it turned yellow. I assume that's what, like a tamper alarm?
>> That's a tamper alarm that I installed. Truth be told, 99% of installations never use tamper. But I installed it because I wanted to show how easy some of these tamper mechanisms are to defeat.
>> DEV: If you look at the back of this reader, in addition to the wires, do you see something else potted into the metal there?
>> That's a magnet because on this side I'm seeing what looks like a house alarm there.
>> Oh yeah.
>> That's right.
>> Wait, so of course, you defeat it with a magnet!
>> [beep]ing magnets, how do they work?
>> Magnets are behind 99% of penetrations.
>> Go ahead and put that reader back on and if you put the magnet, hold it there against the wall as you take the reader off--
>> It's very "Indiana Jones."
>> Yes, yes! Okay, and so I see there's a gizmo in here. I assume you installed something.
>> That's correct, this is actually one of these devices here.
>> Right here.
>> So this is an ESP key. This is a kind of interception tool. It's a credential skimmer, not a card skimmer, but a credential skimmer. So this is installed on the wires behind the reader.
>> You mentioned the green and white wires, is it just those?
>> Well, and power as well. So this, because it doesn't have a battery, siphons its power off of the same power that goes to the reader.
>> But it does have wifi.
>> It does.
>> And so, you're storing stuff here and sending it to your phone, I guess, or a computer.
>> Yes, yes. So right now, that little guy is recording any credential, anytime someone uses their card to get in, they, to them, everything is normal. But that ESP key is now recording that information and because I can connect to it wirelessly, I can actually connect to it here. So we're connected right now to this little guy. So this webpage is not being displayed from the internet, this is being served up by that little ESP key.
>> And that's a log of everybody who's been coming and going.
>> This is a log of everyone who's come and gone into here. So I can actually just on any one of these credentials and when I want to come in, I can just be like, replay. I don't even have to clone their card. I can just walk up to the door, tap the credential I want, hit replay, and I'm in.
>> So not only can you get access, but you could decide who to fool the computer into thinking is coming and going.
>> Correct, oh yeah.
>> You don't just have a key, you control the lock too.
>> Yes.
>> Yeah. And when we dump that kind of data on a penetration job, if we look and say, oh look, somebody, look, look at all these people coming back from lunch. Not only does that tell us things like, well, when the building is empty, but if we see someone hitting the door at one AM, and then 2:30, and then four AM, we're like, that's a guard doing a guard tour. If I want to be somebody, I want to be them.
>> It didn't even occur to me until just now that there's value in just installing one of these, letting it run for a month, and then removing it, never penetrating anything because now you know the habits and the comings and goings of people.
>> And I have all those credentials, I can take this same card information and I can use that Proxmark tool to make myself a new card.
>> That is extraordinary.
>> And it's not just one, it's any number of them.
>> That's correct.
>> Yeah.
>> How much does one of these cost?
>> 08 bucks.
>> Goddammit, it's just, it's always two dollars and a taco, and I can't believe it, how cheap this is.
>> I don't know that I'll ever be able to do this myself, but--
>> I know, and you could.
>> Well, I would very much like to carry one of these around and just kind of going. [laughing] Do you have the briefcase?
>> Oh yeah, let's say Jason Murphy did want to become an expert, what would be the best way for him to train?
>> We actually have professional trainings that we do. You can go over to readteamalliance.com to check out our schedule. In fact, if you take the access control class, I'll probably be your instructor.
>> Nice! Gentlemen, thank you so much, that was freaking amazing!
>> Absolutely, guys.
>> Murphy, I'm losing my god[beep]ing mind!
>> Wow, okay, I'll handle this, it's cool, it's cool. What's going on?
>> Everybody on the internet! They're all like, oh, there's got to be some scam, some kind of switcheroo, some kind of gotcha moment with freaking privacy! What they don't understand is that every credit card company out there is double-tapping you, they're making all their money on the fact that they're charging you for interest, they're charging the vendors to make everything happen, and then on top of that, they sell all of your information behind your back! Except for one institution, privacy.com!
>> I order comic books from sketchy sources sometimes that I'm not real comfortable giving my actual debit or credit card information. Like, it's a ship in international waters filled with "X-Men" trade paperbacks that fell off of a truck.
>> This took a very unexpected turn, keep going.
>> But I do that and I'm like, well, I don't want to put my actual card information in there, but it's a really good price!
>> What you wish is that there was a magic button you could press that would cause a one-time burner card that you could use to buy that stuff that would never, ever be traced back to you!
>> Oh yeah, it is so good, just go to privacy.com/rogue, get five free dollars to spend on it. Try it out with those five free dollars! It is so worth it! You're protecting yourself, peace of mind, do it! [static] [beeping]
>> You guys know that every week, we do a free giveaway in the pinned comment down below. This week, it's super special! What are we getting?
>> Want to give them a couple of ESP keys for people?
>> We could do that, we'll give you some ESP keys. And I'll do you one better, I'll give you some of our clear credentials that we had made for us.
>> Yes, yes!
>> Can I put it in my skull and get telepathy?
>> Please don't.
>> ESP, would that work?
>> I don't recommend it.
>> I wasn't paying attention.
While we're here: Deviant is the guest on InRangeTV's January Q&A, gets a question about working with the Modern Rogue, and shouts the team out as "sweethearts you can't say enough good things about".
Anyone got a link to the $300 reader? I'm curious if I can read my key fobs and then write them to an implanted RFID. If it was guaranteed to work for most fobs I'd definitely give it a try!
It was odd that there wasn't an app shown that allowed a phone with NFC (near-field communication) to both clone and impersonate a dumb RFID card. I assumed they were on the same frequency, using the same protocol.
And I thought most of those cards have a microcontroller inside with an algorithm running. The Mobil "speedpass" works like this. The exploits against the speedpass are to get close enough to it and silently query it a bunch of times until it's cracked, then clone it. As soon as that was published, they started requiring you to key in your zip code too, which didn't make it any faster than paying by credit/debit card.