
RFID Treehouse of Horror

Published in: Technology, Business


  1. RFID Treehouse of Horror. Adrian “atrox” Dabrowski. Picture Source: http://audisondesigns.blogspot.co.at/
  2. Outline
     ● Central Key Systems in .at and Vienna
       – 65000, WEZ2000, Z/BG, BEGEH
     ● RFID
       – What is it?
       – Other Systems
     ● BEGEH details
       – RFID Sniffer and Simulator
       – Analysis Methods
       – BEGEH Key types and vulnerabilities
       – Field Test
     ● Conclusion and Lessons Learned
  3. WEZ-2000 (“Wiener Einheitszylinder 2000”). Sources: Yolosiedler.info, Wikicommons
  4. Key #61005
     ● Installation Cabinets (In- & Outdoor)
     ● Power metering
     ● (Floor level) fuses
     ● Circuit breakers
     ● Gas
     ● Heating
     ● Water
  5. Z / BG key
     ● History
       – Up until 1957: caretaker needed to be physically present
       – 2000: no designated caretakers necessary
     ● Front door intercom systems
  6. The Solution: “BEGEH” Card
     ● BEGEH BASIC
       – RFID based
       – 10+1 Groups
     ● BEGEH SECURITY
       – 128 Groups
       – Log-file
     ● BEGEH SECURITY PLUS
       – Subscription Fee
       – Blacklist updates
  7. Claims (Manufacturer)
  8. CHALLENGE ACCEPTED
  9. What is RFID?
     ● Radio Frequency Identification – Near field communication
     ● Frequency
       – 125 kHz, 13.56 MHz, 433 MHz, 900 MHz, 2.45 GHz
     ● Power
       – Passive, semi-passive, active
     ● Coupling
       – Inductive, Backscatter, Capacitive
     ● Return Channel
       – Load Modulation, Sub-carriers, Harmonics
     ● Carrier is...
       – Power supply
       – Clock supply
       – Downstream
       – Base for upstream signal
  10. How does RFID work (same bullets as slide 9, with a waveform diagram)
  11. Functionality (increasing): Burglary Alarm; e.g. EM4102; e.g. Mifare Ultralight, Tag-IT; e.g. Mifare Classic & DESFire; e.g. SmartMX (JCOP)
  12. Tools (expensive!): IAIK DemoTag, Proxmark III, Comprion
  13. Wiener Linien
     ● Buy tickets with your mobile NFC phone
     ● Passive NFC stickers
  14. Wiener Linien
  15. (untitled)
     ● Mifare Hacks, Cafe and Co
     ● Wiener Linien
     ● UID Based
     ● EM4102
     ● T5556
     ● Android
     ● TI Lab
  16. Coffee anyone?
  17. Coffee anyone? ACR122u == TikiTag == Touchatag + libnfc (mfoc)
  18. EM4102 & co.
  19. Atmel T5557 / T5567 / T5551
  20. Atmel T5557 / T5567 / T5551
  21. EM4102 cloning
  22. UID-Based Security: TI-LAB. Cumulative distribution function
  23. EM4102 sniffing with a PC
     ● Modulated Data ~4 kHz
     ● Sampling with USB Audio adapter
     ● Milosch Meriac / bitmanufaktur (openbeacon, openpcd, ...)
  24. EM4102 sweep with your phone
  25. The Solution: “BEGEH” Card (recap of slide 6)
  26. Hardware
  27. Build a Sniffer
  28. Build a Sniffer
  29. Long Range Reader?
  30. How to Get Samples? ~25 cm
  31. How to Get Samples? Source: post.at
  32. Programming a Simulator
     ● Fuzzing
     ● Systematic Tests
     ● Later: UID Emulation and Card Replay
  33. Simple RF Frontend (block diagram): Resonant circuit, Rectifier, Prot., Modulation, Envelope Detector, Input Buffer
  34. How BEGEH Basic works
  35. BEGEH Basic: How it works
     ● Card Types
       – User cards – Encrypted data, 3 Sectors
       – Master card „ownership“ – Based on UID
       – Programming cards – Need a master card
       – Baucard (former Testcard) – Only uses the first sector – checksum, but not encrypted
  36. Fieldtest
  37. Results
  38. BEGEH Circumvention
  39. Updates. Source: facebook.com/Begehcard
  40. BEGEH Conclusion
     ● Stolen key management
       – Blacklist only once/year
       – Only for „Security“ product line
       – Card copy without knowledge of holder
     ● Expiration
       – Only for „Security“ variant, since 2011
     ● Duplication prevention
       – BAUCARD: €2
       – Emulator (build): €20
     ● Wrong technology
     ● (Default) configuration error
     ● Design error
     ● Blacklist update labor intense
     ● Subset of installations
     ● Implementation/Production
  41. General Conclusion: The undead...
  42. Source: freepsdfiles.net. “I will not design security solutions without a strong IT security background.” (written out repeatedly, chalkboard style)
  43. RFID Treehouse of Horror. Adrian Dabrowski, adabrowski@sba-research.org, atrox@seclab.tuwien.ac.at. Picture Source: http://audisondesigns.blogspot.co.at/
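Slide 23 sketches sniffing EM4102 tags by sampling the ~4 kHz demodulated signal with a USB audio adapter, and slides 21 and 22 revisit why a fixed UID is the whole credential in such systems. As an added example (not code from the talk), this Python handles the frame level of such a capture: it parses the EM4102 bit layout as given in the public datasheet, checks row and column parity, and recovers the 40-bit ID from a stream that starts mid-frame. The sample ID is constructed, and the audio demodulation step that would precede this is not shown.

```python
# EM4102 frame layout (64 bits, from the public datasheet): 9 header ones,
# 10 rows of 4 data bits + 1 even row-parity bit, 4 even column-parity
# bits, and a stop bit (0). The 40 data bits are the tag's fixed ID.
HEADER = "1" * 9

def encode_em4102(tag_id: int) -> str:
    """Build the 64-bit frame a tag would emit for a 40-bit ID (test data)."""
    nibbles = [(tag_id >> (4 * (9 - i))) & 0xF for i in range(10)]
    bits = HEADER
    for n in nibbles:
        row = f"{n:04b}"
        bits += row + str(row.count("1") % 2)        # even row parity
    for col in range(4):
        ones = sum((n >> (3 - col)) & 1 for n in nibbles)
        bits += str(ones % 2)                        # even column parity
    return bits + "0"                                # stop bit

def decode_em4102(frame: str):
    """Validate one 64-bit frame; return the ID, or None if malformed."""
    if len(frame) != 64 or not frame.startswith(HEADER) or frame[63] != "0":
        return None
    nibbles = []
    for r in range(10):
        row = frame[9 + 5 * r: 14 + 5 * r]
        if row.count("1") % 2:                       # row parity failed
            return None
        nibbles.append(int(row[:4], 2))
    for col in range(4):
        ones = sum((n >> (3 - col)) & 1 for n in nibbles)
        if ones % 2 != int(frame[59 + col]):         # column parity failed
            return None
    tag_id = 0
    for n in nibbles:
        tag_id = (tag_id << 4) | n
    return tag_id

def find_em4102(stream: str):
    """Scan a demodulated bit stream for a valid frame. The tag repeats its
    frame back-to-back, so a capture usually starts mid-frame; a run of
    nine ones cannot occur inside the parity-protected body, so the header
    is unambiguous."""
    for start in range(len(stream) - 63):
        tag_id = decode_em4102(stream[start:start + 64])
        if tag_id is not None:
            return tag_id
    return None

# Constructed sample: a made-up ID, emitted twice and captured mid-frame.
SAMPLE_ID = 0x0A1B2C3D4E
SAMPLE_STREAM = (encode_em4102(SAMPLE_ID) * 2)[17:]
```

A parity failure indicates a noisy capture rather than an unusual tag; a successfully decoded ID is everything a UID-only reader ever checks, which is the weakness the talk's UID-emulation and replay slides point at.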
