All right guys, I'm going to get started real quick. Thanks for coming out. This is Steel City Hacker, Steel City InfoSec. My name is John Zola, and this is the proximity attacks lab. We have a couple of different stations set up to play with things, and we can just kind of talk about it if you'd like; it's a pretty laid-back event.

A couple of things really quickly. I wanted to give a big shout-out to Arista for providing the money for us to be able to do this, and for me to be able to buy a lot of these toys that we have. Thank you, Arista. They also bought us the beer, so big shout-out for the beer. Big shout-out to Jamie in the back. Thank you to Lyns for giving us the venue; they also purchased all the food, so that was very nice of them.

I also wanted to mention something really quickly, because this is kind of a community group. I came upon a technology, I guess a new company, called cwar recently. They're doing work in threat intel and threat sharing locally in Pittsburgh, and they're trying to make communities to do threat sharing, similar to an ISAC, if you guys are familiar with ISACs. So if you're interested in that at all, just let me know and we can talk about it afterwards.

So this is going to be a really quick talk. Usually I try not to talk too much at these labs; it's mostly about getting hands-on with the equipment. But I did want to level set a little bit. If you really want more of the technical details, we did have a talk last month that was recorded and put up online, where we talk about the problem with prox, the problem with proximity cards and things like that.

So I accidentally bought a house recently, so I apologize for the lack of effort that I was able to put into the labs tonight. I went to an open house and then I bought it. I wasn't really looking to buy a house, I was just going for fun, and then I ended up buying the house. So that's actually the house, and I moved less than a week from today, so things have been crazy with the mortgage and different things. We'll talk about this a little bit later, but I ran into a lot of issues I just wasn't able to fix because I didn't have time to, so I apologize for that. But I will be updating the GitHub after this event and hopefully fixing a lot of the issues that I ran into.

So the basic premise of this talk is one of the 10 Immutable Laws of Security (hey guys), and that is: if a bad guy has unrestricted physical access to your computer, it's not your computer anymore. So if you have unrestricted physical access to something, it's not yours, essentially. And that's what this event hopefully will prove, or at least show in a couple of different ways: given enough time and physical access and effort, you're going to get it.

So, what this talk is not. This talk, or this lab, is not about Wi-Fi. We've covered that before; I have scripts up regarding it, and I'd be more than happy to talk about it some other time. Tonight we're focusing on different things. This is also not about Bluetooth, although I do have some iBeacons and Eddystone things back there. I decided that Bluetooth is enough of its own animal that I might just do a whole other quarter on Bluetooth, because there are tons of fun things. I picked up an Ubertooth recently; I know we've got people in the crowd who have a couple of them too. There were some really cool IoT hacks at DEF CON and Black Hat this year regarding BLE (Bluetooth Low Energy) and Bluetooth that I think we could do a whole quarter on, and it would be really interesting stuff. So I pushed that out of what we're talking about here.
Really, the focus is going to be on two technologies: mag stripes and RFID. So we'll start with mag stripes really briefly, hit RFID really briefly, and then we can kind of break out and play with things.

So the way mag stripes work is they essentially have three tracks on them: track one, track two, track three, pretty obvious, and they store the data using magnetism. To show what that exactly looks like, this is a card that Samy Kamkar stuck in a bag of a ferrous material, and you can see these lines up there. That's actually the data; it's just little things sticking to the magnets and not sticking to the magnets. So it shows you, at the top, I think that's track one, and this is maybe track two. That's what it is: it's just ones and zeros in magnets that get read as you swipe through.

This came out with Samy's MagSpoof project, where he was able to make a device (I don't know if you can see it whenever he brings it up at the front), but you just put it close to something that you'd typically put a card through, and it will create the right magnetic field at the right frequency to spoof a device. I actually have all of the equipment to make one of those, if anyone's interested; we could do a breakout thing and build those. I'm waiting on a little button to be able to say "start," and those were back-ordered for like a month, so I wasn't able to get them by today, but I have all the equipment to do this, and it's like $10 a piece. So if you want to give me 10 bucks we can work on it, or I can just do it for free, whatever. So that's pretty cool.

So a couple of other quick things about how the tracks are set up. Like I said, there are three tracks, and there's kind of a set format for them. One thing that's interesting: this is the format for track one. There are different formats; this is format B, which is typically used for credit cards and debit cards, and there's this service code in there. And then if you look at track two, there's also the same service code. Actually, track one and track two are very similar; they have most of the same information. You can see the discretionary data literally says the same as track one. The sentinels are a little bit different: a semicolon and a question mark, whereas here it's a percent, and then they use a caret and a question mark. So there are some differences, but it's very, very similar.

And then there's a third track, which I'm not really going to talk about here, but one interesting thing about the third track is that's what's used in hotel chains very frequently. So you could actually have a single card, and I have one over there, that is both a credit card or debit card and a hotel key in one, because it's just using the first two tracks for one and the third track for the other. So that's pretty cool, and I made one of those using the device in the back.

So I was talking about the service code, the three digits. The third of the three digits has these options; 0 through 7 is what that number could represent, and there are different ones, like "PIN required." You could essentially just take the card, rip the information off of it, change this third digit to say "no restrictions," write it to another card, and now you've just removed the restrictions from a credit card or a debit card. It's really as easy as that. This is the reason why, or one of the many reasons why, we're moving to chip and PIN or chip and signature, because this is complete garbage. This is a joke, right?

Also, one thing I want to point out: this "ATM only, PIN required." A lot of people, whenever they make a bank account, especially in security, they're like, "I just want an ATM card. I don't want a credit card or a debit card; I don't want it to be used for anything other than going to an ATM." And some financial institutions will say that's not possible, we can't do that. You can definitely do that; you just literally make that a three and it's done.

Audience: Would most merchants accept a credit card that had the restriction flag disabled? I mean, restriction disabled; you just said you wipe that restriction digit and you have an unrestricted card, if you set it to one.

John: Yeah, if you set it to one, you can remove it. So on the device, whenever you're swiping it, it makes the decision right then what sort of restrictions it puts on you: do you need to have a PIN, do you need to sign, things like that. The signature is actually a little bit different, sorry, but whether you need to do a PIN, that decision is made right then. And actually, with this device, one of the things that he kind of announced, which was kind of known before this, was that for chip cards there's a bit on there that says "I have a chip, force me to use the chip." You can just disable that, and you won't have to use the chip. You can just say "I don't have a chip, force me to use the mag stripe," and they can choose to not accept that; they don't have to accept the card, but most people are going to because they want your money. So if you wanted to steal someone's card that has a chip in it, you take that, change that bit so it says that it doesn't have a chip on it, and use it.

Audience: So why doesn't it authenticate? Doesn't it dial up and send data to the bank and authenticate that you actually have the right PIN or something?

John: Well, if it's a debit card there's no PIN; if it's a credit card there's no PIN, exactly right. So running things as credit as opposed to debit, and things like that. There is definitely some validation that goes on in the back end, like going off-site and validating to your merchant and things like that.

Audience: But the people you validate to don't enforce the same bits?

John: Not always. So sometimes you can do offline transactions in those sorts of scenarios too, to support doing transactions whenever the internet's down and things like that, and in those situations you could definitely get past it by just altering this information and kind of doing whatever. Another scenario is things like ATMs and stuff like that. There have been a lot of attacks on ATMs where you go behind it and you just pull the plug out and then you do stuff. Same thing with Coinstars and things like that; you can manipulate them to do different things by simulating an internet outage. Coinstar, they have the fee that they take, but if you go to do it a certain way (I forget exactly the details), you go to do it a certain way and you unplug it at a certain point, and it's like, "Oh, sorry, my bad, this is my fault, so I'm just not going to take the fee out, and I'm going to give you the cash without taking my percentage." Very similar for other scenarios as well.

Audience: Yeah, I've seen this plenty of other places, but it still shocks me when I encounter a new domain and realize just how much it's tied together with rubber bands.

John: Yeah. You have a question on the side?

Audience: I can't say if it's good for all types, but if you want to see the mag patterns, you just sprinkle toner on the back stripe and you can just read that thing, or you can take a photograph and decode it.

John: Yeah, that's what this is, that's exactly what that is. Well, it's not toner, but it's very similar.
Yeah, all right, so that's pretty much it for mag stripe; we can talk more about it afterwards.

So, RFID. Here's some information; you guys pretty much know this. It's used in credit cards, it's used in the MagicBands (I have a couple of MagicBands over there), it's used in all kinds of things. I have a link card that comes with newer routers to set up your key. There are tons of uses for this. There's low frequency, high frequency, ultra high frequency. Really the point is that where the emphasis is, at least where I've seen the emphasis be, is in the low and the high frequency, not as much the ultra high frequency. And that's where you get into iCLASS devices and things like that.

There are four basic components to an RFID environment when we're talking about it for access control: there's your host PC, the controller, the card, and the reader. I can kind of show you that stuff; I have all of that except for the reader over there. Unfortunately I don't have a reader; we'll talk about that in a minute. And so this is pretty much what it looks like. I ripped this from the documentation for the actual controller that I have. So this is the controller right there; this is your device where you configure the controller; this would be the reader, which you put in your unprotected area on the outside of the door to badge in; and you connect them all with a switch. Then you have connections to your mag locks or your door switches or whatever, to actually open the door whenever you badge in. And then you have a REX switch, which is a request-to-exit, which just means that for fire code reasons and stuff you always have to be able to get out of the building. You can't lock someone into a building; there always has to be a way to get out. Those are sometimes buttons, sometimes motion detectors, sometimes IR; there are tons of different ways to do that. That's also a great way to manipulate these: people will throw things under a door, inflate a balloon on the other side of the door, take these e-cigarette things and blow through the middle of the doors, and it will catch that motion on the other side and open up, things like that.

And the Port Authority has been advertising ConnectCards. I haven't looked into these too much, but I've been told that they're the high frequency stuff, the 13.56 MHz cards.

Audience: So are those cards that will destroy the bus?

John: Yeah, yeah, exactly. And they're supposed to give you a discount too, so they're kind of pushing people towards them. They're changing all kinds of things up recently; I'm sure you guys have heard it's going to be one zone instead of two, always pay on, and pretty much use ConnectCard.

So, lab time. A couple of quick things. So I bought these EM4100 cloner kits, or I bought one, and Jamie was great and he kind of bought his own to help me out a little bit. So that's what it looks like; I have one over there. The thought is it's supposed to be able to clone and replay EM4100 cards, which is the 125 kHz.

Audience: How much is that?

John: So yeah, this is the cheap one; it's like 30 bucks, I think it was 30 bucks. So I got one and he got one, and we soldered it all together, or he soldered it all together, it's over there, and it completely didn't work at all. Neither of them worked, so that was pretty cool. Jamie had an exchange with the manufacturer, and there's potential that there's some sort of a bridge during manufacturing that happens sometimes, so there might actually be a manufacturing issue. I haven't looked into exactly what that problem might be.

So this is another interesting thing. So the controller that I have over there: I was reading the documentation just to play around, and I was like, all right, yeah, optical tamper. It was making some noises; we had it all ripped apart and we turned it on, and it's beeping at me like crazy. I'm like, oh, the tamper thing is triggering, how do I fix this? And I figured out how to fix it, and it doesn't beep anymore; it's actually on right now. But what was really interesting was, when I read the documentation, it said it ships with these jumpers pre-installed, so it's pre-installed to disable the optical tamper, which I thought was pretty funny. So, fail. That's another fail.

Here's another fail. So this is me purchasing the HID ProxPro, which would have worked great. It was supposed to be here on Tuesday; they actually, in air quotes, "tried" to deliver it on Monday, but, long story short, I didn't end up getting it. I actually bought another one; now it's going to come tomorrow. That's going to be really helpful, that I have that tomorrow. So yeah, so much try, so hard fail. I tried.

And then here's another thing that's interesting. So a lot of these cards will have the information printed on the outside, so they have your facility ID, or your facility code (some of them do, the facility code), and then the badge IDs. A lot of times they'll just have the badge IDs on them, though, and you'll have to guess the facility code, which is only three bytes, which is not super hard to guess. So yeah, face palm there. So I thought, okay, cool, if I could figure out what the facility code is, or if it's on the card, and if I can get the badge ID, this will be great. There's this little device that was sold at DEF CON this year called a HackID; you type in what it is on this pin pad and you hit okay, and it'll clone it, or it'll send it. You can also brute force forward and backwards. So the thought there is these are pretty much incremental, so they'll have the card ID and it'll go up in numbers or down in numbers. A lot of times you might want to go down in numbers, because someone who's been at the company longer would have a lower number and they probably have more access. So that's pretty cool; it's 80 bucks. I played with it there, totally didn't work. So I have it over there; it doesn't even turn on. So that's pretty great. Lots of failures; this is fun stuff.

Audience: And then money thrown away.

John: Yeah, allegedly it's supposed to work. Like I said, I did play with one that actually did work, and I tested it and all that stuff, so I don't know what's going on with this one.

And then the last thing, just a quick funny story before we kind of break out. Actually, one of my co-workers told me about this this week; I thought it was pretty funny. So for RSA this past year, somebody found out that the towels in their room had little RFID chips in them, and that they could be essentially reprogrammed, and that the access, I don't think it was actually the access, it was the way that they track you in the vendor area, was via RFID chip. So like, all right, what about I take my valid ID and I put it on my towel, and I can go in and use my towel to check in, and it's like maybe I should just come in with just my towel. They didn't do that, but they kind of postulated in the blog. And so the guy was able to use his towel to badge in at vendor areas at RSA this year, so that was kind of funny, I thought.
Then, really briefly, a couple of honorable mentions. So these are a bunch of tools, and if you go to the GitHub page that I'll send out after this, there are a ton of links at the bottom, way more than this, but there are a couple of really cool ones. KeySweeper is something we did as a lab before; actually, I have one sitting back there. It intercepts Microsoft keyboards and decrypts on the fly. The B key, I'll skip through the ones that we actually have here. Silent Pocket is a pretty cool company; I actually met the guy who founded it at DEF CON, and they do tons of really cool Faraday bags, like backpacks and wallets and things that actually work. They're way more expensive than the cheap ones you find online for like 10 bucks, but they actually work, which is a plus, instead of just buying a wallet that says it does RFID blocking; I think it doesn't at all.

The RFID Guardian, so this is like an 8-year-old project, but what it actually does is it's a device that you kind of keep on you, and the thought was that we would have tons of RFID chips on us at all times: one in each device, each piece of clothing, multiple devices, in your wallet you have like 10 of them, whatever. But you don't always want everybody to be able to read them, which is how RFID works, right? Provide power, get signal back; that's pretty much how it works, except for some of the nicer ones that do handshaking. The way that that thing did it is it monitored the airwaves for people trying to read RFID tags that you program into it as yours, and then it would jam the airwaves whenever they were trying to be read, unless it was authorized. So that was a really cool project; it was a bunch of really smart people, I think in Germany, who were working on that a while ago, because, you know, Germany is really privacy focused. But rest in peace; I haven't seen any development since like 2009 on that project. But it was really cool, and I thought it was going to be awesome whenever it came out, but it just didn't take off.

I'll talk real quick about the Boss cloner too. So the Boss cloner: they're trying to commercialize the long-distance HID low frequency reading, and I don't know if it does high frequency or not, but it gets it out to like 3 feet, and they kind of put it in this parcel bag and they make it very easy to use and to reprogram a card. They have compartments so that the reading doesn't interfere with the writing, so you can kind of do it almost at the exact same time, and some cool stuff like that, which I thought was cool. They kind of streamlined the process of walking past someone walking out of a building, cloning their badge, grabbing it out of your thing, and instantly being able to badge in as that person. They have an app on your phone that makes a text message sound whenever it was successful, so it doesn't seem conspicuous at all. That's pretty cool. It's a little pricey; it's like 900 bucks, 900 to 1200, depending on how many orders he gets, on how many people are interested in it. So that was cool.

And then we could talk about all these other ones too. The Proxmark III is kind of the Cadillac of them. I have one over there, and I think we have a second one, right? Yes, we have two of them sitting around. They're really nice; they have tons of features, they can do tons of things. You can kind of plug in different antennas to them, there are patches for them and add-ons, and you can do brute forcing on them. There's a whole laundry list; you can do spectrum analysis stuff, they have graphs, it's great. So that's pretty much it.

So real quick: this table over here is all RFID stuff. I have a laptop plugged into a Proxmark. I've got a controller, which you can see the web UI for if you'd like to see what it looks like on the back end; there are actually buttons to unlock doors, and you can hear it clicking, unlocking the door and locking the door. That's also a model that's vulnerable to an attack, this UDP packet that you can send out that they use for discovery, but it can be manipulated into remote code execution, essentially. It's a funny attack. So really quickly, what the attack is: you're able to do remote code execution, and you use that, it's essentially CGI in the website, you use that to open all of the doors, and then it changes the binary that allows you to open and close doors and removes the execute bit, so you can't ever close them again; they're just permanently open. So that's a kind of funny vulnerability. That one's actually vulnerable too, but I haven't done it because I have to give that back to somebody.

Audience: And you trust us with it?

John: What's that?

Audience: And you trust us with it?

John: Yeah, well, I don't know if I do, but I'm doing it anyway.

I've got a bunch of shields over there too, if you guys want to put a card in a shield and see if it actually works. I can almost guarantee you that none of them will, because those are all the cheap versions of things, but it's a bunch of different brands, so I figured if you guys have that brand you might be able to try it, or you can even use your own. Like I said, we have readers over there; you can try to read your badge through a blocker and see if it actually works. A friend of mine was telling me about how he did a project for this for his executives recently, because they were concerned that their cards were going to get cloned, and there are these two slide-in ones, they're called clamshells; one's blue and one's mostly transparent. Those were the ones that they found were the best, most usable, and they worked very well, so feel free to test them. He also gave me some hotel keys that you can put in there, or you can be brave and use your own RFID tag or ID or whatever.

And then I have some other fun things there. Those EM4100s, those devices, I have them both over there; you can try to get them to work. I have MagicBands. I have a link card to set up your whatever. I have the B key, which we can talk about; it's very cool. You kind of stamp it into your devices, and you can open and close doors over Bluetooth, and it's very inconspicuous, very small. Back there I have some mag spoofing stuff, so I have an MSR605, I think, and I have a demo card where I made something that's both a credit card and a hotel key, and you can see how you clone it and stuff. I have the software. And I have a Coin back there as well, which is very similar to the MagSpoof: you're supposed to be able to load cards up into it and lock them in, so you have essentially multiple credit cards in one credit card, so you can actually swipe it at a restaurant; you don't have to carry a bunch with you. That's very similar to what MagSpoof does, except MagSpoof works a little bit differently, but it still can simulate pretty much any card you want.

The back of that table is more of a catch-all, so I have the KeySweeper stuff there. I have some Eddystone and iBeacon devices. I have the USB condom, which is now called something else, like SyncStop, I think. Yeah, SyncStop. And then I have a really cool device which I haven't seen for sale anywhere, but I got it at a conference. It's a USB cable with a built-in USB condom where, by default, data is off, and you press the button and it can turn data on. So you just use that when you're traveling, and no matter what, it won't connect with data, because it literally doesn't have those cables connected, and you press the button and it lets the data flow, so you don't have to have any protections on your phone. That's how I charge my phone at DEF CON, essentially. So, cool.

That's pretty much it. So grab some beer in the back; there's tons of food over there. Eat, drink, and be merry.