2. • Daytime job at an Insurance Company in Buenos Aires, AR
• (Web) Application Security specialist & enthusiast
• Many vulnerabilities discovered in Open Source and Commercial
software: VMware, Websense, OSSIM, Cacti, McAfee, Oracle VM, etc.
• Gadgets and Electronics Lover (RFID!)
• EC-Council C|EH, CompTIA Security+ and Private Pilot License
• http://ar.linkedin.com/in/nahuelgrisolia
• http://cintainfinita.com.ar
• http://www.exploit-db.com/author/?a=2008
• http://www.proxmark.org/forum/profile.php?id=3000
2
3. Motivation
from The Hacker Ethic and the Spirit of the Information Age…
Pekka Himanen
Enthusiastic, passionate attitude to the work that is
enjoyed
Creativity, wish to realize oneself and one's ability,
often in teams that are formed spontaneously (project
orientation)
Wish to share one's skills with a community having
common goals
5. Agenda
1. What is true about RFID?
2. What is NOT true about RFID?
3. Real Life Examples?
4. RFID Hardware
• Operating Frequencies (LF, HF, UHF)
• Active vs. Passive Tags
• Types, Shapes, Sizes and Colors!
5. LibNFC
• What?
• Compatible Devices
• Resources
• Examples of usage
6. Proxmark3
• What?
• Community Forum
• Examples of usage
6. Agenda (continued)
7. Low Frequency Tags
• Intro
• Types
• Examples of Emulation & Cloning
• Bypassing a Door Lock
8. High Frequency Tags
• Intro
• NXP Mifare
  – What?
  – Practical Applications
9. Mifare Classic
• Memory Organization
• Access Keys and Bits, Security
  – Crypto1
• Well-known attacks
  – mfoc, mfcuk, crapto1
10. Use Cases
• Real World Examples using Mifare Classic
• Public Transport in Argentina using Mifare Classic
11. Resources & more…
8. What is true about RFID?
RFID is a generic term that is used to describe a system that transmits the identity (in the
form of a unique serial number) of an object or person wirelessly, using radio waves. It's
grouped under the broad category of automatic identification technologies.
RFID stands for Radio-Frequency IDentification. The acronym refers to electronic devices
that consist of a small chip and an antenna.
Passive LF and HF RFID tags work within a few cm of the reader (passive UHF tags reach
several metres). For example, you could just put all of your groceries or purchases in a bag,
and set the bag on the scanner. It would be able to query all of the RFID devices and total
your purchase immediately.
9. What is true about RFID?
A typical RFID tag consists of a microchip attached to a radio
antenna mounted on a substrate.
To retrieve the data stored on an RFID tag, you need a reader. A
typical reader is a device that has one or more antennas that emit
radio waves and receive signals back from the tag.
The reader then passes the information in digital form to a master
system.
Note: not always true. The reader might be a self-contained system, doing the
logic (e.g. checking whether the card/tag is authorized) and the actions (e.g. unlocking the
door, sounding the buzzer, lighting the LED) on its own, without a master system.
10. What is true about RFID?
Some common problems with RFID are reader collision and tag
collision.
Reader collision occurs when the signals from two or more readers
overlap.
The tag is unable to respond to simultaneous queries. Systems must be
carefully set up to avoid this problem.
Tag collision occurs when many tags are present in a small area; but
since the read time is very fast, it is easier for vendors to develop
systems that ensure that tags respond one at a time.
Other problems: low computing power, no RTC on tags, bad RNG on
tags, critical timing requirements, low bandwidth, etc.
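How a reader makes tags "respond one at a time" is specified, for the 13.56 MHz Type A cards the rest of this talk deals with, in ISO/IEC 14443-3: a bit-oriented anticollision loop over the UID plus its BCC check byte, followed by SELECT and HLTA. The simulation below is an added example, not code from the talk or from libnfc/Proxmark3. It models only single-size (4-byte) UIDs, so no cascade levels, and omits framing, parity and CRC; the Tag class, the SAK value 0x08 (what a Mifare Classic 1K reports) and the reader's choice to follow the '1' branch at a collision are assumptions of this example.

```python
"""Simulation of ISO/IEC 14443-3 Type A bit-oriented anticollision (added example)."""
from __future__ import annotations

REQA, HLTA = 0x26, 0x50   # Type A command codes; WUPA (0x52) would also wake halted tags
SEL_CL1 = 0x93            # SELECT / ANTICOLLISION, cascade level 1
UID_BITS = 40             # 4 UID bytes + 1 BCC byte on the air


def bcc(uid: bytes) -> int:
    """Block Check Character: XOR of the four UID bytes."""
    b = 0
    for x in uid:
        b ^= x
    return b


def to_bits(data: bytes) -> list[int]:
    """Type A transmits each byte least-significant bit first."""
    return [(byte >> i) & 1 for byte in data for i in range(8)]


def from_bits(bits: list[int]) -> bytes:
    return bytes(sum(b << i for i, b in enumerate(bits[k:k + 8]))
                 for k in range(0, len(bits), 8))


class Tag:
    """Passive tag state machine (assumed model): IDLE -> READY -> ACTIVE -> HALT."""

    def __init__(self, uid: bytes) -> None:
        if len(uid) != 4:
            raise ValueError("single-size UIDs only")
        self.uid = uid
        self.frame_bits = to_bits(uid + bytes([bcc(uid)]))
        self.state = "IDLE"

    def reqa(self) -> bool:
        if self.state != "IDLE":          # READY/ACTIVE/HALT tags ignore REQA
            return False
        self.state = "READY"              # would answer ATQA here
        return True

    def anticollision(self, known: list[int]) -> list[int] | None:
        """Answer the remaining UID+BCC bits only if the reader's prefix matches ours."""
        if self.state != "READY" or self.frame_bits[:len(known)] != known:
            return None
        return self.frame_bits[len(known):]

    def select(self, uid: bytes) -> int | None:
        if self.state != "READY":
            return None
        if uid != self.uid:
            self.state = "IDLE"           # non-matching SELECT: back to IDLE
            return None
        self.state = "ACTIVE"
        return 0x08                       # SAK: UID complete, no ISO 14443-4 (assumed value)

    def hlta(self) -> None:
        if self.state == "ACTIVE":
            self.state = "HALT"           # from here only WUPA brings it back


def merge(answers: list[list[int]]) -> list[int]:
    """Bits every responder agrees on; stops at the first collision (both 0 and 1 seen)."""
    out: list[int] = []
    for position in zip(*answers):
        if len(set(position)) > 1:
            break
        out.append(position[0])
    return out


def enumerate_uids(tags: list[Tag]) -> list[bytes]:
    """Reader loop: REQA, anticollision until 40 bits are known, BCC check, SELECT, HLTA."""
    found: list[bytes] = []
    while [t for t in tags if t.reqa()]:          # list comp so every tag sees the REQA
        known: list[int] = []
        while len(known) < UID_BITS:
            answers = [a for a in (t.anticollision(known) for t in tags) if a is not None]
            if not answers:
                raise ValueError("no tag answered the prefix")
            known += merge(answers)
            if len(known) < UID_BITS:
                known.append(1)                   # collision: this reader takes the '1' branch
        frame = from_bits(known)
        uid, got = frame[:4], frame[4]
        if got != bcc(uid):
            raise ValueError(f"BCC mismatch for {uid.hex()}")
        saks = [s for s in (t.select(uid) for t in tags) if s is not None]
        if len(saks) != 1:
            raise ValueError("SELECT did not isolate exactly one tag")
        found.append(uid)
        for t in tags:
            t.hlta()                              # only the ACTIVE tag halts
    return found


if __name__ == "__main__":
    field = [Tag(bytes.fromhex(h)) for h in ("DEADBEEF", "DEADBEF0", "01020304")]
    print([u.hex() for u in enumerate_uids(field)])
```

After the loop every tag is in HALT and answers only WUPA, which is why a reader that wants to talk to a card again after HLTA must wake it with WUPA rather than REQA. Note what the loop does not do: nothing in it authenticates the UID. Anything that answers the anticollision sequence with a chosen UID (a Proxmark3 emulating a tag, for instance) is accepted, so a lock that grants access on UID alone is relying on a value that is sent in the clear to every reader the card meets.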
11. What is true about NFC?
NFC (Near Field Communication) is an open platform technology
standardized in ISO/IEC specs (ISO/IEC 18092, ISO/IEC 21481) that specify modulation
schemes, coding, transfer speeds, data exchange methods (NDEF, a sort of MIME
for tags, defined by the NFC Forum), etc.
It is a form/subset of RFID (Radio Frequency IDentification), given that it
uses radio waves for identification purposes.
NFC works at 13.56 MHz in accordance with inductive coupling
principles and allows communication at very short range (a few cm).
It provides Card Emulation, Peer-to-Peer and Reader/Writer modes.
12. What is true about NFC?
NDEF Standard (NFC Data Exchange Format)
NFC-Forum Tags:
– Type 1: Innovision Topaz/Jewel (ISO14443-3A)
– Type 2: NXP Mifare Ultralight (ISO14443-3A)
– Type 3: Sony FeliCa
– Type 4: ISO7816-4 on ISO14443-4 A or B
(e.g. DesFire EV1)
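What NDEF looks like on the wire, as an added example rather than code from the talk: on a Type 2 tag such as Mifare Ultralight the NDEF message sits in the user memory inside a TLV container (0x03 NDEF Message, 0x00 NULL, 0xFE Terminator), and each NDEF record starts with a header byte carrying the MB/ME/CF/SR/IL flags and the TNF, followed by the type length, the payload length, an optional ID and the payload. The parser below handles that layout for short records, decodes the well-known "U" (URI) and "T" (Text) record types, and runs over a constructed memory dump, not a real tag; the URI prefix table is a subset of the NFC Forum's, and chunked records are rejected.

```python
"""Minimal NDEF parser for an NFC Forum Type 2 tag user area (added example)."""
from __future__ import annotations
from dataclasses import dataclass

# NFC Forum URI Record Type Definition: identifier code -> abbreviated prefix (subset).
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}


@dataclass
class NdefRecord:
    tnf: int          # Type Name Format: 1 = NFC Forum well-known, 2 = MIME media type, ...
    type: bytes
    id: bytes
    payload: bytes


def extract_ndef_from_type2(user_memory: bytes) -> bytes:
    """Walk the Type 2 TLV area; return the value of the NDEF Message TLV (0x03)."""
    pos = 0
    while pos < len(user_memory):
        t, pos = user_memory[pos], pos + 1
        if t == 0x00:                            # NULL TLV: one byte, no length field
            continue
        if t == 0xFE:                            # Terminator TLV
            break
        length, pos = user_memory[pos], pos + 1
        if length == 0xFF:                       # three-byte length form
            length, pos = int.from_bytes(user_memory[pos:pos + 2], "big"), pos + 2
        value, pos = user_memory[pos:pos + length], pos + length
        if t == 0x03:
            if len(value) != length:
                raise ValueError("NDEF TLV truncated")
            return value
        # 0x01 lock control, 0x02 memory control, 0xFD proprietary: skipped


    raise ValueError("no NDEF Message TLV found")


def parse_ndef_message(data: bytes) -> list[NdefRecord]:
    """Split an NDEF message into records, honouring the MB/ME/CF/SR/IL flags."""
    records: list[NdefRecord] = []
    pos = 0
    while pos < len(data):
        flags, pos = data[pos], pos + 1
        mb, me, cf = flags & 0x80, flags & 0x40, flags & 0x20
        sr, il, tnf = flags & 0x10, flags & 0x08, flags & 0x07
        if not records and not mb:
            raise ValueError("first record lacks MB flag")
        if cf:
            raise ValueError("chunked records not supported")
        type_len, pos = data[pos], pos + 1
        if sr:                                   # short record: 1-byte payload length
            payload_len, pos = data[pos], pos + 1
        else:                                    # normal record: 4-byte big-endian length
            payload_len, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
        id_len = 0
        if il:
            id_len, pos = data[pos], pos + 1
        rtype, pos = data[pos:pos + type_len], pos + type_len
        rid, pos = data[pos:pos + id_len], pos + id_len
        payload, pos = data[pos:pos + payload_len], pos + payload_len
        if len(payload) != payload_len:
            raise ValueError("record payload truncated")
        records.append(NdefRecord(tnf, rtype, rid, payload))
        if me:
            return records
    raise ValueError("message ended without ME flag")


def decode_uri(payload: bytes) -> str:
    """URI record ("U"): first byte is the prefix code, the rest is the UTF-8 remainder."""
    prefix = URI_PREFIXES.get(payload[0])
    if prefix is None:
        raise ValueError(f"unsupported URI identifier code {payload[0]:#x}")
    return prefix + payload[1:].decode("utf-8")


def decode_text(payload: bytes) -> tuple[str, str]:
    """Text record ("T"): status byte (bit 7 = UTF-16, low 6 bits = language code length)."""
    status = payload[0]
    lang_len = status & 0x3F
    encoding = "utf-16" if status & 0x80 else "utf-8"
    return payload[1:1 + lang_len].decode("ascii"), payload[1 + lang_len:].decode(encoding)


def parse_tag(user_memory: bytes) -> list[tuple]:
    out: list[tuple] = []
    for rec in parse_ndef_message(extract_ndef_from_type2(user_memory)):
        if rec.tnf == 1 and rec.type == b"U":
            out.append(("uri", decode_uri(rec.payload)))
        elif rec.tnf == 1 and rec.type == b"T":
            out.append(("text",) + decode_text(rec.payload))
        else:
            out.append((rec.tnf, rec.type.decode("latin-1"), rec.payload))
    return out


# Constructed sample of a Type 2 tag user area (not a dump of a real tag).
SAMPLE_USER_MEMORY = bytes([
    0x00,                             # NULL TLV (padding)
    0x03, 0x24,                       # NDEF Message TLV, 36 bytes of value follow
    0x91, 0x01, 0x15, 0x55,           # record 1: MB|SR, TNF=1, type "U", payload 21 bytes
    0x04, *b"cintainfinita.com.ar",   # 0x04 = "https://"
    0x51, 0x01, 0x07, 0x54,           # record 2: ME|SR, TNF=1, type "T", payload 7 bytes
    0x02, *b"es", *b"Hola",           # status: UTF-8, 2-byte language code
    0xFE,                             # Terminator TLV
])
```

Two things worth keeping in mind when using this against real tags: the TLV area and the records in it are writable by anyone who gets the tag into a reader's field unless the lock bits have been set, and NDEF itself carries no authenticity (the Signature RTD exists but is optional), so a URI pulled out by `decode_uri` and handed to a phone is attacker-controlled input and should be treated like any untrusted URL.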
13. What is true about NFC?
NFC Forum Mission
• Define and Stabilize Technology
• Develop standards that ensure interoperability among devices and
services
• Encourage the development of products within NFC Forum
Specs.
• Educate the Market
• Ensure that NFC products follow NFC Forum Specs.
• Promote End User usage
17. What is NOT true about RFID?
I can clone any card!
Muehehe…
Well… not that much… =)
125KHz~135KHz RFID Card Copier / Duplicator (1 x 6F22/9V)
18. What is NOT true about RFID?
I’m fully featured!!…
19. Real Life Examples?
Electronic Payments, Physical Access to
buildings, Tolls, Passports, Medical Supplies
and Equipment Tracking,
Clothes, almost everywhere!
24. RFID Hardware: How does RFID work?
A Radio-Frequency IDentification system has three basic
parts:
• A transponder - the RFID tag - that has been programmed
with information.
• A scanning antenna
• A transceiver with a decoder to interpret the data
The scanning antenna puts out radio-frequency signals in a relatively short range.
The RF radiation does two things:
It provides a means of communicating with the transponder (the RFID tag) AND
It provides the RFID tag with the energy to communicate (in the case of passive RFID tags).
25. RFID Hardware: How does RFID work?
When an RFID tag passes through the field of the scanning antenna,
it detects the activation signal from the antenna. That "powers-up"
the RFID chip, and it transmits the information on its microchip to be
picked up by the scanning antenna.
In addition, the RFID tag may be of one of two types:
• Active RFID tags have their own power source; the advantage of
these tags is that the reader can be much farther away and still get
the signal. Even though some of these devices are built to have up
to a 10 year life span, they have limited life spans.
• Passive RFID tags, however, do not require batteries, and can be
much smaller and have a virtually unlimited life span.
26. RFID Hardware: Radio Regulation
Because RFID systems generate and radiate electromagnetic waves, they are
justifiably classified as radio systems. The function of other radio services must
under no circumstances be disrupted or impaired by the operation of RFID
systems.
It is particularly important to ensure that RFID systems do not interfere with
nearby radio and television, mobile radio services (police, security services,
industry), marine and aeronautical radio services and mobile telephones.
The need to exercise care with regard to other radio services
significantly restricts the range of suitable operating frequencies
available to an RFID system.
27. RFID Hardware: Frequency Ranges
It is usually only possible to use frequency ranges that
have been reserved specifically for industrial, scientific or
medical applications or for short range devices.
These are the frequencies classified worldwide as ISM
frequency ranges (Industrial-Scientific-Medical) or SRD
(Short Range Device) frequency ranges, and they can also
be used for RFID applications.
30. An RFID tag is an active tag when it is equipped with a battery that
can be used as a partial or complete source of power for the tag's
circuitry and antenna.
Some active tags contain replaceable batteries for years of use; others
are sealed units. (Note that It is also possi