Another RFID reader on the way

Since I had success with both commercial and maker-level LF RFID readers, I decided to move forward in time another decade and picked up an HID RP40 multiclass reader.

I’m still in the learning process with HF RFID, so bear with me in this little logic exercise, if you please…

  1. LF RFID is terrible because it’s just a tag ID and is easily cloned.
  2. HF RFID (MIFARE etc.) offers enhanced security because it adds the capability of generating a nonce, and I won’t go into further detail here because math… In short, you can write the UID of a tag to a UID-writable tag and the UID will present, but it won’t generate that nonce, so depending on the security application, it may or may not be more secure.
  3. I have found at least one person providing a DIY HF RFID reading app for Arduino that simply validates the UID against a database. This defeats the entire purpose of the enhanced security of MIFARE-type tag protocols, and renders. It’s the equivalent of me being able to withdraw money from your checking account just by knowing your name.
  4. That said, the pm3 with Iceman’s firmware can quickly crack the passwords and dump tag data. The pm3 can also copy that dumped data to a “magic Chinese backdoor” tag and then set the tag to the same UID. At that point, the copied tag seems to read the same as the original. I’d love to test that, but until my next hotel stay, I don’t have access to test that copied tag against an HF reader in situ.
  5. If #4 is correct, given ~15 seconds of proximity to a user’s badge or fob, I can have a working cloned copy of it, rendering the HF tag literally no more secure than the UID-only LF tag.
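To make points 2 through 5 concrete, here is an added simulation (not code from the post, and not a MIFARE library). It models three tags against two reader policies: the "validate the UID against a database" design from point 3, and a reader that challenges the tag with a fresh nonce and expects a keyed response. The tag-side computation is HMAC-SHA256 standing in for the tag's cipher; real MIFARE Classic uses Crypto1, which this does not implement. The UID, key and class names are constructed for the demonstration.

```python
"""UID-only lookup versus nonce challenge/response, as a reader-side model.

Added example, not code from the post or from any MIFARE library. HMAC-SHA256
is a stand-in for the tag-side cipher (MIFARE Classic really uses Crypto1,
not implemented here). All UIDs and keys below are constructed values.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional


class Tag:
    """Simulated tag. A genuine tag carries a secret key; a tag made by copying
    only the UID onto a UID-writable blank (point 2 of the post) has no key."""

    def __init__(self, uid: bytes, key: Optional[bytes] = None):
        self.uid = uid
        self._key = key

    def answer(self, nonce: bytes) -> Optional[bytes]:
        if self._key is None:
            return None  # nothing to authenticate with
        return hmac.new(self._key, self.uid + nonce, hashlib.sha256).digest()


class UidOnlyReader:
    """The DIY design from point 3: access decided by UID lookup alone."""

    def __init__(self, allowed_uids):
        self.allowed = set(allowed_uids)

    def admit(self, tag: Tag) -> bool:
        return tag.uid in self.allowed


class ChallengeReader:
    """Reader that requires the tag to prove key possession with a fresh nonce."""

    def __init__(self, keys_by_uid: Dict[bytes, bytes]):
        self.keys = dict(keys_by_uid)

    def admit(self, tag: Tag, nonce: Optional[bytes] = None) -> bool:
        key = self.keys.get(tag.uid)
        if key is None:
            return False  # unknown UID, no key to check against
        nonce = nonce if nonce is not None else os.urandom(8)
        expected = hmac.new(key, tag.uid + nonce, hashlib.sha256).digest()
        response = tag.answer(nonce)
        return response is not None and hmac.compare_digest(response, expected)


# Constructed sample credential: one enrolled UID with its per-tag key.
UID = bytes.fromhex("04a1b2c3")
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

GENUINE = Tag(UID, KEY)
UID_CLONE = Tag(UID)          # UID copied, key unknown (point 2)
FULL_CLONE = Tag(UID, KEY)    # UID and dumped key material copied (points 4 and 5)


def run_demo() -> Dict[str, tuple]:
    """Return (uid-only result, challenge result) for each tag."""
    uid_reader = UidOnlyReader([UID])
    chal_reader = ChallengeReader({UID: KEY})
    tags = [("genuine", GENUINE), ("uid_clone", UID_CLONE), ("full_clone", FULL_CLONE)]
    return {name: (uid_reader.admit(tag), chal_reader.admit(tag)) for name, tag in tags}


if __name__ == "__main__":
    for name, (uid_ok, chal_ok) in run_demo().items():
        print(f"{name:10s} uid-only reader: {uid_ok!s:5s}  challenge reader: {chal_ok}")
```

The middle row is the whole argument of point 3: a UID-only reader admits the UID-copied tag exactly as it admits the genuine one, so the nonce mechanism the tag supports is never exercised. The last row is point 5: once the key material is out of the tag, the challenge reader has no way to tell the copy apart either, so everything rests on that key staying secret.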

I have pretty strong confidence that this will work after reading the following article, and I find the conclusion rather titillating. “While card cloning is a serious security risk, the main problem is not reading or copying the card itself, but being able to reverse engineer the card contents, which could lead to us making a “master key” that opens all the doors in a building.” By the way, I apologize for linking to a medium.com article. I hate everyone who implements paywalls in any form, even though theirs doesn’t kick in until after you’ve read a few articles.

https://medium.com/exc3l/cracking-mifare-classic-cards-with-proxmark3-e42121cd968b

RFID Antennas

In the process of imagining potential IoT RFID devices, I’ve been looking more closely at how RFID antennas are deployed (for reader and writer devices). Here are a few examples, and a source document to aid in design.

First, the commercial LF reader. This is a pretty beefy antenna, surprising that it still only gets a few cm of range. This is from a medium-range ProxPro 5355 reader.

Next is the RFID-RC522 which I posted about earlier this week. This is an HF reader, which allows the antenna to be much smaller (because the wavelength is much smaller) — small enough to be printed on the PCB itself, which lends itself well to IoT design, especially #badgelife.

Now let’s look at the Proxmark3 RDV4. Without looking, I had assumed they managed to get an LF antenna implemented on the PCB itself, but I was wrong. It’s another wire coil antenna, it’s just sandwiched between the HF antenna (printed on both sides of the larger PCB) and the other PCB.

Then I found this interesting piece — an RFID emulator circuit from kukata86.com (note: website is dated and SLOW). I say it’s interesting because this person apparently implemented a cloning card that is programmable and passive, meaning it doesn’t require a battery for emulation. Also, he seems to have managed to get an LF PCB antenna into production. It takes up a good amount of board space, which makes sense, but if you can print it, you can run the calculations and get the right capacitor(s) to tune it to become resonant. Even though this was made a few years ago, it’s interesting. I just wish they provided KiCAD or Eagle files, or Gerbers, rather than just PDFs.

Finally, here’s a PDF tutorial on HF antenna design, for those who are interested in digging much, much deeper.

RFID_antennas

Further RFID Reader Explorations

Last night I successfully modified my RFID Arduino demonstration code to use the MFRC522 chip, by way of the RFID-RC522 module which was included with my CrowPi. Thanks, CrowPi!

The whole point of all of this exploration is for possible use in #badgelife, and the MFRC522 is a sea change from the commercial RFID reader in my last post. I’m not saying interfacing the Arduino with commercial readers isn’t useful; there are probably a number of people out there interested in DIY physical access control at a DIY-friendly price point. In fact, I found an electromagnetic cabinet lock for $6 from China!

https://www.newegg.com/p/0X6-04KT-2B699?Description=magnetic%20door%20locks&cm_re=magnetic_door%20locks–0X6-04KT-2B699–Product

But now that that point has been made, we’re on to exploring other creative uses.

  1. Most importantly, the MFRC522 reads HF (13.56MHz) MIFARE tags rather than LF (125KHz) tags. This changes the game a little bit. It allows us to scan hotel room keys, which from my explorations are ALL HF tags nowadays, and the vast majority are MIFARE.
  2. LF reader chips are more expensive and less available — generally…
  3. Due to the size of the wavelength (125KHz LF wavelength is ~2400m, while 13.56MHz HF wavelength is more along the lines of 22m), it seems like it’s WAY easier to design a PCB-printed antenna for HF than LF.

Commercial RFID and Arduino

Today I’ve been playing with a commercial RFID reader and an Arduino UNO. I like the idea of this combo in principle, because I can connect a 12V power supply to the Arduino and power the reader directly from the VIN pin, eliminating the need for two power supplies or a step-down converter.

I tried several different libraries for Arduino, and wasn’t having the best of luck — I settled on Daniel Smith’s code from Pagemac back in 2012.

http://www.pagemac.com/projects/rfid/arduino_wiegand

Then I made a change that caused buffer overflows and Arduino resets. Once that was fixed, it started reading cards consistently. But it was reading them at twice the actual tag length. A 34-bit card was detected at 68 bits. I changed the pin mode from INPUT to INPUT_PULLUP on both data pins, and bang, I was getting 34-bit tag reads.

Unfortunately, the code I had only interpreted 35- and 26-bit formats, so some minor rearrangement of boundaries and bitshifting was required. It’s easy to tell when bitshifting is required, because the result you get is a multiple or a fraction of the result you expect. In my case, the facility code was coming up at 1/8 of the value of the actual facility code, and the card code was coming up as 2x the actual card code (actual codes were validated by the Proxmark3 RDV4).

After the bitshifting was done, it was able to read my card properly. Now I just need to set up interpreters for all the known card variants that I need to test against.

BIG thanks to Kevin for his help in narrowing down the issues I was fighting with.

Building ingress vs suite ingress

I mentioned in my Dangerous Things RFID card post that my office suite ingress reader scans for both LF and HF RFID tags. The building ingress, however, is purely LF. So it seems that if the company decides to switch to HF internally, then employees would either need to carry two fobs, or a dual LF/HF fob, which is less likely.

I say that a dual fob is less likely because in practice, it doesn’t seem like most small businesses program their own cards/fobs — instead, they buy pre-programmed random fobs/cards in bulk and add them to their systems. Fob/card programming only seems necessary in larger enterprise systems where building/department ID codes come into play. Also, interaction between building management and company management, and coordination of security within physical space, seems infrequent. But I mention the possibility because dual fobs do exist.

In researching the dual fobs, I also learned of the existence of UHF RFID tags, which have a longer range (1-10m), which I hadn’t looked into before.

Here are videos of the Dangerous Things RFID card testing the building ingress reader, which looks to be a typical HID reader like a ProxPro 5355, and the suite ingress reader, which reads both LF and HF.

I would also like to note that I’m not responsible for physical security in my office, company or building. I’m just curious about all things security, including the physical security domain of infosec.

Badass Army SWAG

So Katelyn from The Badass Army posted last month-ish that she had procured a PO Box. I took the opportunity to send a couple of batches of stickers and other trinket swag, mostly DC540-branded, because I love their mission and I enjoy Katelyn’s twitter persona.

What I wasn’t expecting when I checked the DC540 box today (POB 2861, Dulles VA 20146, btw) was a similar gift. Some great stickers, a magnet and a nice card. If you follow Infosec Twitter, you’re probably aware of some recent drama that caused a potential threat to the very existence of BADASS. I just want to take a moment to say I hope that doesn’t happen.

Dangerous Things RFID Diagnostic Card

Maybe you’re a little bit of RFID-curious, or are gathering preliminary information. Maybe you’re like me, and this device just scratches the related itches of seeing hidden information and learning how things work.

I have a Proxmark3 RDV4. I have a lot of fun with it, as previous posts indicate. But I’m considering building something that incorporates an RFID reader, and I feel like this device would come in super handy in determining basic functionality, before coding the card reader functionality. Just to see if the device is TRYING to read RFID.

It fits really nicely in the top wallet pocket, making it really easy to use within the wallet, illuminating the left or right LEDs green or red depending on whether it’s reading LF (125KHz) or HF (13.56MHz). One thing I learned is that my company’s readers read both LF and HF, despite the fact that we have traditional LF HID Prox cards. I’m filling in the gaps here myself, but my guess is that when we expanded space, we got new readers, and rather than just continue to install LF readers, we installed the newer readers so that we can eventually migrate to HF cards, which are ostensibly harder to clone.

$20 on the dangerousthings website, but I got mine for $10 on ebay. Totally worth it, and not as painful as an LED RFID implant, which they also sell.

2020-10-05 DC540 Monday Check-In

Nice DC540 meetup on Discord tonight. Topics ranged from #badgelife to RFID and biohacking, to slavery and oppression, to pentesting and red team methodology and mindset, among others. Looking forward to creating some content in these areas!