Further RFID Reader Explorations

Last night I successfully modified my RFID Arduino demonstration code to use the MFRC522 chip, by way of the RFID-RC522 module which was included with my CrowPi. Thanks, CrowPi!

The whole point of all of this exploration is for possible use in #badgelife, and the MFRC522 is a sea change from the commercial RFID reader in my last post. I’m not saying interfacing the Arduino with commercial readers isn’t useful; there are probably a number of people out there interested in DIY physical access control at a DIY-friendly price point. In fact, I found an electromagnetic cabinet lock for $6 from China!

https://www.newegg.com/p/0X6-04KT-2B699?Description=magnetic%20door%20locks&cm_re=magnetic_door%20locks–0X6-04KT-2B699–Product

But now that that point has been made, we’re on to exploring other creative uses.

  1. Most importantly, the MFRC522 reads HF (13.56MHz) MIFARE tags rather than LF (125KHz) tags. This changes the game a little bit. It allows us to scan hotel room keys, which from my explorations are ALL HF tags nowadays, and the vast majority are MIFARE.
  2. LF reader chips are more expensive and less available — generally…
  3. Due to the size of the wavelength (125KHz LF wavelength is ~2400m, while 13.56MHz HF wavelength is more along the lines of 22m), it seems like it’s WAY easier to design a PCB-printed antenna for HF than LF.

Commercial RFID and Arduino

Today I’ve been playing with a commercial RFID reader and an Arduino UNO. I like the idea of this combo in principle, because I can connect a 12V power supply to the Arduino and power the reader directly from the VIN pin, eliminating the need for two power supplies or a step-down converter.

I tried several different libraries for Arduino, and wasn’t having the best of luck — I settled on Daniel Smith’s code from Pagemac back in 2012.

http://www.pagemac.com/projects/rfid/arduino_wiegand

Then I made a change that caused buffer overflows and Arduino resets. Once that was fixed, it started reading cards consistently. But it was reading them at twice the actual tag length. A 34-bit card was detected at 68 bits. I changed the pin mode from INPUT to INPUT_PULLUP on both data pins, and bang, I was getting 34-bit tag reads.

Unfortunately, the code I had only interpreted the 35- and 26-bit formats, so some minor rearrangement of boundaries and bitshifting was required. It’s easy to tell when bitshifting is required, because the result you get is a multiple or a factor of the result you expect. In my case, the facility code was coming up at 1/8 of the actual facility code, and the card code was coming up as 2x the actual card code (actual codes were validated by the Proxmark3 RDV4).

After the bitshifting was done, it was able to read my card properly. Now I just need to set up interpreters for all the known card variants that I need to test against.
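As an added example (not the Pagemac sketch the post uses), here is a plain C decoder for the two published HID layouts behind the 26-bit and 34-bit frames discussed above: H10301 (8-bit facility code, 16-bit card number) and H10306 (16-bit facility code, 16-bit card number), each bracketed by an even leading and an odd trailing parity bit over its half of the frame. Checking length and parity before interpreting fields is what catches the doubled-edge reads (a 34-bit card arriving as 68 bits) and off-by-one boundary mistakes; the encoder is included so a reader sketch can be unit-tested against known values before touching real cards.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Decoded Wiegand frame: valid only if the length is known and both parity bits check. */
typedef struct { bool valid; uint8_t bits; uint32_t facility, card; } wiegand_t;

/* Facility-code width for a frame length: 26-bit HID H10301 = 8, 34-bit H10306 = 16.
   The card number is 16 bits in both; anything else (e.g. 68 bits) is rejected. */
static size_t fc_width(size_t nbits) { return nbits == 26 ? 8 : nbits == 34 ? 16 : 0; }

static unsigned count_ones(const uint8_t *bits, size_t start, size_t n) {
    unsigned c = 0;
    for (size_t i = 0; i < n; i++) c += bits[start + i] & 1;
    return c;
}

/* Assemble a field MSB-first: the Wiegand bus sends the most significant bit first. */
static uint32_t field(const uint8_t *bits, size_t start, size_t n) {
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 1) | (bits[start + i] & 1);
    return v;
}

/* Decode a frame stored one byte per bit, in the order the DATA0/DATA1 pulses arrived. */
wiegand_t wiegand_decode(const uint8_t *bits, size_t nbits) {
    wiegand_t r = {0};
    size_t fc = fc_width(nbits), half = nbits / 2;
    if (fc == 0) return r;
    if (count_ones(bits, 0, half) % 2 != 0) return r;    /* leading bit: even parity over first half */
    if (count_ones(bits, half, half) % 2 != 1) return r; /* trailing bit: odd parity over second half */
    r.facility = field(bits, 1, fc);
    r.card     = field(bits, 1 + fc, 16);
    r.bits     = (uint8_t)nbits;
    r.valid    = true;
    return r;
}

/* Build a frame with correct parity (handy for unit-testing a reader sketch). Returns nbits or 0. */
size_t wiegand_encode(uint32_t facility, uint32_t card, size_t nbits, uint8_t *out) {
    size_t fc = fc_width(nbits), half = nbits / 2, i = 1;
    if (fc == 0) return 0;
    for (size_t b = fc; b-- > 0;) out[i++] = (facility >> b) & 1;
    for (size_t b = 16; b-- > 0;) out[i++] = (card >> b) & 1;
    out[0]         = count_ones(out, 1, half - 1) % 2;          /* first half even */
    out[nbits - 1] = (count_ones(out, half, half - 1) % 2) ^ 1; /* second half odd */
    return nbits;
}
```

On the Arduino, the interrupt handler would fill the bit array and a timeout after the last pulse would call `wiegand_decode`; a frame that fails parity or has an unrecognised length should be dropped rather than guessed at.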

BIG thanks to Kevin for his help in narrowing down the issues I was fighting with.

Building ingress vs suite ingress

I mentioned in my Dangerous Things RFID card post that my office suite ingress reader scans for both LF and HF RFID tags. The building ingress, however, is purely LF. So it seems that if the company decides to switch to HF internally, then employees would either need to carry two fobs, or a dual LF/HF fob, which is less likely.

I say that a dual fob is less likely because in practice, it doesn’t seem like most small businesses program their own cards/fobs — instead, they buy pre-programmed random fobs/cards in bulk and add them to their systems. Fob/card programming only seems necessary in larger enterprise systems where building/department ID codes come into play. Also, interaction between building management and company management, and coordination of security within physical space, seems infrequent. But I mention the possibility because dual fobs do exist.

In researching the dual fobs, I also learned of the existence of UHF RFID tags, which have a longer range (1-10m), which I hadn’t looked into before.

Here are videos of the Dangerous Things RFID card testing the building ingress reader, which looks to be a typical HID reader like a ProxPro 5355, and the suite ingress reader, which reads both LF and HF.

I would also like to note that I’m not responsible for physical security in my office, company or building. I’m just curious about all things security, including the physical security domain of infosec.

Badass Army SWAG

So Katelyn from The Badass Army posted last month-ish that she had procured a PO Box. I took the opportunity to send a couple of batches of stickers and other trinket swag, mostly DC540-branded, because I love their mission and I enjoy Katelyn’s twitter persona.

What I wasn’t expecting when I checked the DC540 box today (POB 2861, Dulles VA 20146, btw) was a similar gift. Some great stickers, a magnet and a nice card. If you follow Infosec Twitter, you’re probably aware of some recent drama that caused a potential threat to the very existence of BADASS. I just want to take a moment to say I hope that doesn’t happen.

Dangerous Things RFID Diagnostic Card

Maybe you’re a little bit RFID-curious, or are gathering preliminary information. Maybe you’re like me, and this device just scratches the related itches of seeing hidden information and learning how things work.

I have a Proxmark3 RDV4. I have a lot of fun with it, as previous posts indicate. But I’m considering building something that incorporates an RFID reader, and I feel like this device would come in super handy in determining basic functionality, before coding the card reader functionality. Just to see if the device is TRYING to read RFID.

It fits really nicely in the top wallet pocket, making it really easy to use within the wallet, illuminating the left or right LEDs green or red depending on whether it’s reading LF (125KHz) or HF (13.56MHz). One thing I learned is that my company’s readers read both LF and HF, despite the fact that we have traditional LF HID Prox cards. I’m filling in the gaps here myself, but my guess is that when we expanded space, we got new readers, and rather than just continue to install LF readers, we installed the newer readers so that we can eventually migrate to HF cards, which are ostensibly harder to clone.

$20 on the dangerousthings website, but I got mine for $10 on ebay. Totally worth it, and not as painful as an LED RFID implant, which they also sell.

2020-10-05 DC540 Monday Check-In

Nice DC540 meetup on Discord tonight. Topics ranged from #badgelife to RFID and biohacking, to slavery and oppression, to pentesting and red team methodology and mindset, among others. Looking forward to creating some content in these areas!

Server acquired

Well, I did it. Scored a Dell R710 with 72GB RAM and 6TB of HDD (well, somewhat less after RAID overhead). I’m well on the way to rebuilding WOPR Jr (the Hades Canyon NUC).