
RFID Hacking — An Introduction

BSides London · 2014 · 15:22 · 619 views · Published 2014-05
Category: Technical
Difficulty: Intro
Style: Talk
About this talk
Always wanted to play around with RFID as it is everywhere these days? Here are a few tips to help you get started.
Transcript [en]

all right bye-bye

Okay, so hello everyone. I'm talking about RFID hacking because I recently started a semester project at school and I wanted to break our school licence. So when I started with all of that, I put together all of the information that might have been good to have before I started, so in case you want to play around with RFID in the near future, this could help you. Just a quick overview: the first steps, I want to show you what you need to look out for, and then the RFID technology you need to know, because there are just a few basic things to understand the concept, and then what else is possible afterwards.

And then I put together a few RFID readers and what the differences are and what might be possible or good for you to use, and I put them into some nice groups, and those groups I'm putting together here. All of the information is really not a full list of all the possibilities; this is just the stuff I stumbled upon. So what you first need to define is what your step is, what your goal is, because if you just want to build your own home RFID system, which many people seem to do, you need different specifics and different features than if you want to, for example, read a card

that you have. And also, if you want to learn about the technology, you might want to choose a different reader than if you want to hack a card. Also, there are many different standards available and they have different features. So for example there are more complicated ones, ones with more memory to store stuff on, but they also have different encryptions available on those cards, and for example the DESFire cards, the MIFARE DESFire ones, they have a chip [inaudible], so it's actually quite hard to break that because it has more features. What I'm now focusing on are the ones on high frequency, the 13.56 MHz ones,

the MIFARE 1K. They are also part of the ISO 14443 standard, and this is one type of card that is mostly distributed; it's like the one most used out there, so it's very possible that if you've got an RFID card from some vendor, you got one of those. Now, about this card: it has 16 sectors, each has four blocks, the last block of each sector has an access key, up to two access keys per sector are possible, and they might have different permissions; that's actually to be decided by the vendor. The first block usually has the UID, which is fixed on common cards and you

can't change, so that's why it's write-protected. And the general 1K cards have the Crypto-1 encryption, but the Crypto-1 encryption is broken, as you most probably know from a few of the last CCC talks, so you also find the links and everything on the Wikipedia page about how to break it exactly. Now for the authentication, what you need to know is that as soon as your card gets into close proximity of a reader, it wants to authenticate. So it sends the first request, the card responds with the UID that it has, as it's just the default protocol, it always does that, and what the reader then does is send

back the UID, the UID information, and the sector key. And now the sector key: I tried to brute force that first; you might not want to do that, because I quickly started it and measured, and it would have taken about a hundred thousand years. So you don't want to do that. But as soon as you have the right sector key, the card sends back the information from that sector that you specifically asked for, and afterwards it's possible to send further information or ask for further information or to send further commands, because for example there are specific commands to increase a number that is stored in that MIFARE slot,

and then you'll get the replies and stuff for sure. So what you can do as soon as you have your stuff set up: you first want to get that authentication key, and there are default keys available. I put a website with a list of default keys in the reference section; this might be helpful in case you don't have it. Yeah, like I said, you don't want to try the brute force, but what you can do is eavesdrop on the communication. For that you need an antenna on the receiver, and not all of the readers have that feature. Oh well, no, they can do that, but

the emulating part is actually very complicated, or the more complicated part. So for that you might need to have specific hardware. At first, like a few years ago, they had the OpenPICC for that; I'm coming to that in a moment, but most people use the Proxmark 3. As soon as you have the authentication key, you're able to read the data block, which is most probably encrypted, but as I said, the encryption is just Crypto-1 on the typical ones and this can be broken; information about that is also in the reference section. So what else you can do is you can

clone a card. Now with cloning a card, as the UID is usually fixed on the general cards you get, you need to get special cards. They are sometimes called magic cards from China, but you can also find them with the keywords MIFARE Classic UID on eBay. And then you can get the key for the first sector and then you can change that UID, if that's what you need to actually be able to clone a card. It's also funny because some vendors say that you can't clone a card because of these unique card IDs that aren't able or aren't possible to change. Well, I don't know what world

they live in, but importing them from China isn't that difficult. Now to the readers. I started my reader project with an Arduino RFID reader, which I found out is like the most complicated one, so I had the most experience with that. The good thing about Arduino or Raspberry Pi shields is that they are bound to the standards, to the ISO standard, which you want to have because you want to use the same commands and stuff to make all of the communication. But it's really hard work because you need to write the protocol code all yourself. It's possible that some people put stuff up on GitHub, but you need to

really look for that and might need some luck. But I found out that, for example, the XP reader is sold by Adafruit as well, Lady Ada and her Adafruit shop, and she has a GitHub page also with a lot of code, so you might want to start looking there first. Some of the readers have hardware limitations, which is nasty if you only find that out afterwards, because for example the Seeed Studio module, if you want to read the data section, has a hardware limitation where it only reads 80 bytes and not the 256 that would be available, which is, yeah, a little sad.

And the quality of the documentation really varies; you need to make sure first to find out if you have good documentation available and how well the whole reader is still being developed, so you don't get stuck in the wrong places afterwards. Now the intermediate readers, I call them, because they are a little more expensive but they also have a little more support there. So the ACR122U is the one that is used with the BackTrack manuals, I'm not sure if you saw them, but this card reader has been proven to be working, and it is working with the drivers and everything, so it's probably easy to set up. I once installed the stuff for the

OpenPCD reader, it's the one that is famous from all the CCC talks. Well, the problem I had with that one was that it was only running on 32-bit architectures, and I think they now built all new versions, so they're now on version two, which is also able to emulate tags; the first version wasn't able to do that, if I remember right. And they now have trainings available that they give at different conferences, and they also have a live system that you can just boot into, which makes the whole driver part really easy to get started with. And it's not that much more expensive than the Arduino ones, so it's

probably good to have a look at. And just the prices are the ones from the country that the reader is originally from, so that's why I kept them like this. Now the Proxmark 3 is the one that I called the deluxe version, because it doesn't only have the biggest or the most features, it has a big active community, it supports different frequencies, like high and low frequency depending on the antenna you use, you can get them separately, it also supports emulating, cloning and eavesdropping, and it has a really nice forum where you can discuss with other people what experiences they had, and if you have issues with setting anything up they can

basically help you. But it's also the most expensive one, so you might get bundles at different stores, but this is the one you're going to pay most for, although this price now is for an enclosed version; if you want to have the one without the body around it, it's quite a bit cheaper, so you might want to have a look at that. And it really gives you the most options, so that's a good reason to stick with that one. So, and here are the references. I put those papers all together because they were helpful to me; they were explaining a lot of the basics and the stuff behind it, to be able to crack stuff,

and you might just want to go through that in case you're interested. So I'm already done. Do you have any questions?

Did you do any tests, like just using those $10 SDR USB sticks, to see if you can just eavesdrop on your card communications?

No, no. I actually just had my Arduino set up at home and the student licence and everything, and I tried playing around with that mostly, and I didn't get to the whole public readers yet, because I'm officially not allowed to do that. So I'm probably going to shift my focus of the talk, or of the study that I do, towards an RFID game, because that might be easier with the NDAs and, yeah. So, yeah.

Yeah, practically, the eavesdropping, what sort of kit would you need for that?

Well, with the eavesdropping the biggest problem is probably the antenna and how far you can reach, and there are different antennas, also privately built, that are able to support longer ranges than the ones officially allowed, but that's probably up to your imagination, and there have been many talks that have proven that it's possible to reach that information over bigger distances.

Yes, if there was one kind of reader you would suggest for someone who's looking to get into RFID, which is the suggestion?

Well, if you want to learn about the protocol, then I would go for the Arduino one, the XP one actually, because it has really nice documentation with nice scripts ready to use, and also a nice forum as well with others. But if you want to have it easy and just get the job done, then I would go with the Proxmark 3.

In terms of public space, well, are there any issues in the UK or EU?

I don't know about the UK laws, I'm not from here, but I mean, I've gotten into this whole thing from the technology point of view because I wanted to understand how it works. Legally there are issues, because most vendors, if they give out a card, they expect you to behave well, and so you always need to make sure, before you start an investigation or something, or before you want to learn more about it, if it's all right with that vendor. But it's hard, because it's so easily exposed, and I mean, I don't know how they try to, or how or why they want to protect it and how they want to get that.

In short, what are you actually recovering from the card? Are you actually having a card ID come out? Is that the ultimate game, to actually get the card, clone the card and prove that you can get the PIN ID so you can get access to a building or something?

Well, you can do that. Also, I've heard that some vendors actually suggest to the people they're selling their products to that they just need to improve the software that is running in the back end and doing the checks. So if, for example, those cards are used as student licences, as public transport thingies, and I don't know, but if you use it for example for paying for your food at a canteen, which is a common thing, then they suggest that the software in the back end that does the credit, the transactions, the checks for it, checks if you always have the same amount of money on the card, and if some person always shows up with the same amount of money then there might be a problem. So this is the way they try to handle it, which is horrible, but that's just my personal opinion. So yeah. [inaudible] Are there any more questions?

Because in case not, then I would like to thank you for your attention, and thank you to Chris for being a great mentor, and have fun with playing around.
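The talk describes the MIFARE Classic 1K layout (16 sectors of four 16-byte blocks, the UID in block 0, a trailer per sector holding key A, the access bits and key B), the default-key lists, and the fact that only the key-changeable "magic" cards let you rewrite block 0. The following is an added example, not code from the talk or from any reader project it mentions: it models that layout, decodes a sector trailer's access bits the way the public MIFARE Classic datasheet defines them (each C1/C2/C3 nibble is stored twice, once inverted, so a corrupt trailer can be rejected before it bricks a sector), and runs a default-key dictionary against a constructed sample card. The key list and the sample card are constructed stand-ins, and "authentication" here is a plain key comparison standing in for the real three-pass Crypto-1 exchange.

```python
"""MIFARE Classic 1K memory model, sector-trailer decoder and default-key check.

Added example; not code from the talk. The key list and sample card are
constructed, and simulated_auth() compares keys instead of running Crypto-1.
"""

BLOCK_SIZE = 16
BLOCKS_PER_SECTOR = 4
SECTORS = 16

# Constructed stand-in for the public default-key lists the talk refers to.
DEFAULT_KEYS = [bytes.fromhex(k) for k in (
    "FFFFFFFFFFFF",  # factory / transport key
    "A0A1A2A3A4A5",  # MIFARE Application Directory key A
    "D3F7D3F7D3F7",  # NDEF public key
    "000000000000",
)]

# Data-block rights per (C1, C2, C3): who may read, write, increment, decrement.
DATA_BLOCK_RIGHTS = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),  # transport configuration
    (0, 1, 0): ("A|B", "-", "-", "-"),
    (1, 0, 0): ("A|B", "B", "-", "-"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),
    (0, 0, 1): ("A|B", "-", "-", "A|B"),
    (0, 1, 1): ("B", "B", "-", "-"),
    (1, 0, 1): ("B", "-", "-", "-"),
    (1, 1, 1): ("-", "-", "-", "-"),
}

# Trailer rights per (C1, C2, C3): key A read/write, access bits read/write,
# key B read/write.
TRAILER_RIGHTS = {
    (0, 0, 0): ("-", "A", "A", "-", "A", "A"),
    (0, 1, 0): ("-", "-", "A", "-", "A", "-"),
    (1, 0, 0): ("-", "B", "A|B", "-", "-", "B"),
    (1, 1, 0): ("-", "-", "A|B", "-", "-", "-"),
    (0, 0, 1): ("-", "A", "A", "A", "A", "A"),  # transport configuration
    (0, 1, 1): ("-", "B", "A|B", "B", "-", "B"),
    (1, 0, 1): ("-", "-", "A|B", "B", "-", "-"),
    (1, 1, 1): ("-", "-", "A|B", "-", "-", "-"),
}


def sector_of(block):
    return block // BLOCKS_PER_SECTOR


def trailer_block(sector):
    return sector * BLOCKS_PER_SECTOR + BLOCKS_PER_SECTOR - 1


def is_manufacturer_block(block):
    # Block 0 carries the UID. Genuine cards refuse writes to it; the
    # "magic" UID-changeable cards from the talk do not.
    return block == 0


def decode_access_bits(b6, b7, b8):
    """Return (C1, C2, C3) for blocks 0..3 of a sector from trailer bytes 6-8.

    The inverted copies must match the plain ones; a trailer that fails this
    check would lock the sector for good if written to a card.
    """
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    if (b6 & 0xF) != (c1 ^ 0xF) or (b6 >> 4) != (c2 ^ 0xF) or (b7 & 0xF) != (c3 ^ 0xF):
        raise ValueError("inconsistent access bits")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def parse_trailer(trailer):
    """Split a 16-byte sector trailer into keys and decoded permissions."""
    if len(trailer) != BLOCK_SIZE:
        raise ValueError("a sector trailer is one 16-byte block")
    bits = decode_access_bits(trailer[6], trailer[7], trailer[8])
    t = TRAILER_RIGHTS[bits[3]]
    names = ("key_a_read", "key_a_write", "bits_read", "bits_write", "key_b_read", "key_b_write")
    return {
        "key_a": trailer[0:6].hex().upper(),
        "key_b": trailer[10:16].hex().upper(),
        # A key B that can be read back is plain data and is not accepted
        # for authentication; only a hidden key B gives a second access key.
        "key_b_usable_for_auth": t[4] == "-",
        "data_blocks": [dict(zip(("read", "write", "inc", "dec"), DATA_BLOCK_RIGHTS[b]))
                        for b in bits[:3]],
        "trailer": dict(zip(names, t)),
    }


# Constructed sample card: key A of each sector as the card would hold it.
SAMPLE_CARD_KEYS_A = {s: bytes.fromhex("FFFFFFFFFFFF") for s in range(SECTORS)}
SAMPLE_CARD_KEYS_A[1] = bytes.fromhex("A0A1A2A3A4A5")
SAMPLE_CARD_KEYS_A[5] = bytes.fromhex("1A2B3C4D5E6F")  # vendor key, not on the list


def simulated_auth(card_keys, sector, key):
    """Stand-in for the Crypto-1 three-pass authentication: succeeds iff the key matches."""
    return card_keys.get(sector) == key


def find_default_keys(card_keys):
    """Try the default-key list against every sector; return sector -> key found."""
    found = {}
    for sector in range(SECTORS):
        for key in DEFAULT_KEYS:
            if simulated_auth(card_keys, sector, key):
                found[sector] = key.hex().upper()
                break
    return found


if __name__ == "__main__":
    transport = bytes.fromhex("FFFFFFFFFFFFFF078069FFFFFFFFFFFF")
    print(parse_trailer(transport))
    found = find_default_keys(SAMPLE_CARD_KEYS_A)
    locked = sorted(set(range(SECTORS)) - set(found))
    print("default key works for", len(found), "sectors; still locked:", locked)
```

Run stand-alone it decodes the factory transport trailer (FF 07 80 69 with both keys FFFFFFFFFFFF) and reports that the dictionary opens every sector of the sample card except the one with a vendor key, which is the sector you would have to go after with the Crypto-1 attacks the talk points to in its references.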