From OpenBeacon
Introduction
The security of many RFID systems rests on controlling the production process and the distribution of cards and readers, on "magic" unique read-only IDs that are supposed to stop you from copying a card, and on protocols hardwired into the card and reader silicon or firmware that are supposed to stop you from tampering with the communication (man-in-the-middle, relaying the radio link to a remote reader, and so on).
Because of these properties, a key requirement for evaluating and breaking RFID cards is full control over the protocol and the card at the radio-frequency level. In last year's course we showed how to build and use RFID sniffers to reverse engineer unknown card protocols. This year we teach you to emulate 13.56MHz HF RFID cards and readers (ISO14443, ISO15693, NFC and proprietary protocols) in software, at the radio-frequency level.
This three-day hands-on course teaches you to emulate proprietary 13.56MHz reader and card protocols (ISO14443A, ISO15693, NFC and proprietary card chips) in software and demonstrates real-world attacks on prominent RFID card systems at the protocol level: exploiting weak random number generation in RFID cards, for example, or emulating a card in order to clone it.
RFID hardware projects for RFID Security Analysis
Further Reading
- Cascaded integrator-comb (CIC) filters are a specific form of moving-average filter that let you tackle difficult signal-processing problems such as recovering RFID signals from noise. See Robert Lacoste's The Darker Side: Practical Applications for Electronic Design Concepts from Circuit Cellar, an excellent book with invaluable chapters on signal processing, including an excellent article on CIC/comb filters (available in paper and Kindle editions).
- Breaking good cryptography by implementing it wrongly.
- HF RFID Antenna Cookbook
- RFID Handbook - Fundamentals and Applications in Contactless Smart Cards, Radio Frequency Identification and Near-Field Communication, Third Edition
- AN2866 Application Note - How to design a 13.56MHz customized tag antenna
- AN710 Application Note - Antenna Circuit Design for RFID Applications
- Gerhard Hancke - A Practical Relay Attack on ISO 14443 Proximity Cards
Random Recipes
Please check out our Fedora 17 x86_64 based bootable live CD/DVD ISO image for OpenPCD 2, with support for NFC and Mifare Classic cracking (64-bit x86 systems only). The following examples are all done in that live system.
update reader to the latest OpenPCD 2 firmware with libnfc support
Hold both the RESET and FLASH buttons, then release RESET first (FLASH still held) to switch OpenPCD 2 into programming mode. The board enumerates as a USB mass storage device named CRP DISABLD that contains the current firmware image (firmware.bin).
wget http://www.openpcd.org/people/milosch/firmware/lpc13xx/openpcd2-libnfc-LPC1342.bin
lpc-flash openpcd2-libnfc-LPC1342.bin /run/media/$USER/CRP\ DISABLD/firmware.bin
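The LPC13xx boot ROM only executes user code whose first eight vector-table words (offsets 0x00 to 0x1C) sum to zero modulo 2^32; word seven at 0x1C is reserved for that checksum, and an image without it just drops the board back into the CRP DISABLD programming mode. The script below is an added example, not OpenBeacon/OpenPCD code and not the lpc-flash tool; it checks and patches that word so you can verify an image before dropping it onto the mass storage device. The vector table it ships with is constructed.

```python
"""Check and fix the LPC13xx vector-table checksum of a firmware image.

Added example, not part of the OpenPCD 2 page or of lpc-flash. The LPC13xx
boot ROM treats an image as valid user code only if the 32-bit sum of the
first eight vector words (offsets 0x00..0x1C) is zero; word 7 at 0x1C is
the checksum slot.
"""
import struct
import sys

VECTOR_WORDS = 8          # words 0..7 take part in the check
CHECKSUM_OFFSET = 7 * 4   # offset 0x1C holds the checksum word


def lpc13xx_checksum(image: bytes) -> int:
    """Value the word at 0x1C must hold so that words 0..7 sum to zero."""
    words = struct.unpack_from("<7I", image, 0)
    return (-sum(words)) & 0xFFFFFFFF


def image_is_valid(image: bytes) -> bool:
    """True if the boot ROM would accept the image as valid user code."""
    if len(image) < VECTOR_WORDS * 4:
        return False
    return sum(struct.unpack_from("<8I", image, 0)) & 0xFFFFFFFF == 0


def patch_checksum(image: bytes) -> bytes:
    """Return a copy of the image with the checksum word at 0x1C corrected."""
    if len(image) < VECTOR_WORDS * 4:
        raise ValueError("image is shorter than the vector table")
    fixed = bytearray(image)
    struct.pack_into("<I", fixed, CHECKSUM_OFFSET, lpc13xx_checksum(image))
    return bytes(fixed)


# Constructed sample: initial SP, reset/NMI/HardFault vectors (Thumb bit set),
# three reserved words and an unfilled checksum slot. Illustrative values only.
SAMPLE_IMAGE = struct.pack(
    "<8I",
    0x10001FF8,  # initial stack pointer (top of LPC1343 SRAM)
    0x00000111,  # Reset_Handler
    0x00000229,  # NMI_Handler
    0x00000229,  # HardFault_Handler
    0, 0, 0,     # reserved
    0,           # checksum slot, not yet computed
) + bytes(32)


def main(argv: list) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} in.bin out.bin", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f:
        image = f.read()
    fixed = patch_checksum(image)
    with open(argv[2], "wb") as f:
        f.write(fixed)
    print(f"checksum word 0x{lpc13xx_checksum(image):08x}, valid={image_is_valid(fixed)}")
    return 0


if __name__ == "__main__":
    raise SystemExit(main(sys.argv))
```

Run it on the downloaded openpcd2-libnfc-LPC1342.bin to confirm the image already carries a valid checksum; if it reports valid=False for an image you built yourself, the build did not fix up word 7 and the board will not leave programming mode after a plain copy.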
reading and analyzing the hotel door RFID card
Dump both hotel key cards:
# place card 1 on the reader & run mfoc to break the keys and dump the card content
mfoc -O hotel1.mfd
# place card 2 on the reader & run mfoc to break the keys of the second card
mfoc -O hotel2.mfd
# inspect one of the files
ghex hotel1.mfd
# convert both binary dumps into text files
od -v -Ax -t x1 -w16 hotel1.mfd > hotel1.txt
od -v -Ax -t x1 -w16 hotel2.mfd > hotel2.txt
# highlight the differences between both key cards
meld hotel1.txt hotel2.txt
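Added example, not part of this page or of mfoc: once both dumps exist, a small parser tells you more than meld's byte diff, namely which sector keys mfoc recovered, whether the access bits in each sector trailer are self-consistent and what they permit, and which blocks (and byte offsets) differ between the two key cards. It reads the .mfd layout (raw card memory in 16-byte blocks, the last block of every sector being the trailer with key A, access bits and key B). The two embedded dumps are constructed stand-ins for hotel1.mfd and hotel2.mfd.

```python
"""Parse and compare Mifare Classic dumps (.mfd files as written by mfoc).

Added example, not part of the OpenPCD 2 page or of mfoc. Access-condition
tables follow the MF1S50 (Mifare Classic 1K) data sheet. Sample dumps are
constructed, not real hotel cards.
"""
import sys

BLOCK = 16

DATA_ACCESS = {  # (C1, C2, C3) -> rights on a data block
    (0, 0, 0): "read A|B, write A|B, inc A|B, dec A|B (transport)",
    (0, 1, 0): "read A|B, write never, inc never, dec never",
    (1, 0, 0): "read A|B, write B, inc never, dec never",
    (1, 1, 0): "read A|B, write B, inc B, dec A|B (value block)",
    (0, 0, 1): "read A|B, write never, inc never, dec A|B",
    (0, 1, 1): "read B, write B, inc never, dec never",
    (1, 0, 1): "read B, write never, inc never, dec never",
    (1, 1, 1): "read never, write never, inc never, dec never",
}
TRAILER_ACCESS = {  # (C1, C2, C3) -> rights on the sector trailer
    (0, 0, 0): "keyA write A; bits read A; keyB read A, write A",
    (0, 1, 0): "keyA never; bits read A; keyB read A",
    (1, 0, 0): "keyA write B; bits read A|B; keyB write B",
    (1, 1, 0): "keyA never; bits read A|B; keyB never",
    (0, 0, 1): "keyA write A; bits read A, write A; keyB read A, write A (transport)",
    (0, 1, 1): "keyA write B; bits read A|B, write B; keyB write B",
    (1, 0, 1): "keyA never; bits read A|B, write B; keyB never",
    (1, 1, 1): "keyA never; bits read A|B; keyB never",
}


def sector_layout(size: int) -> list:
    """(first block, block count) of every sector in a 1K or 4K dump."""
    if size == 1024:
        return [(s * 4, 4) for s in range(16)]
    if size == 4096:
        return [(s * 4, 4) for s in range(32)] + [(128 + s * 16, 16) for s in range(8)]
    raise ValueError(f"unexpected dump size {size}, expected 1024 or 4096 bytes")


def decode_access_bits(trailer: bytes) -> tuple:
    """(consistent, [(C1, C2, C3) for groups 0..3]).

    Bytes 6..8 carry C1..C3 both inverted and plain. A mismatch means a corrupt
    trailer; writing one to a real card blocks that sector permanently.
    """
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    consistent = ((b6 & 0xF) == (~c1 & 0xF) and (b6 >> 4) == (~c2 & 0xF)
                  and (b7 & 0xF) == (~c3 & 0xF))
    return consistent, [((c1 >> g) & 1, (c2 >> g) & 1, (c3 >> g) & 1) for g in range(4)]


def access_group(index: int, nblocks: int) -> int:
    """Access-bit group of a block from its index within the sector."""
    if nblocks == 4:
        return index
    return 3 if index == 15 else index // 5   # 4K large sectors: 5 blocks per group


def parse_dump(data: bytes) -> list:
    sectors = []
    for number, (first, count) in enumerate(sector_layout(len(data))):
        blocks = [data[(first + i) * BLOCK:(first + i + 1) * BLOCK] for i in range(count)]
        trailer = blocks[-1]
        consistent, groups = decode_access_bits(trailer)
        sectors.append({"sector": number, "first_block": first, "blocks": blocks,
                        "key_a": trailer[:6].hex(), "key_b": trailer[10:].hex(),
                        "access_bytes": trailer[6:9].hex(),
                        "acl_consistent": consistent, "groups": groups})
    return sectors


def describe_sector(sector: dict) -> list:
    """Human-readable keys and per-block access conditions of one sector."""
    count, first, groups = len(sector["blocks"]), sector["first_block"], sector["groups"]
    lines = [f"sector {sector['sector']}: keyA={sector['key_a']} keyB={sector['key_b']} "
             f"access={sector['access_bytes']} consistent={sector['acl_consistent']}"]
    for i in range(count - 1):
        lines.append(f"  block {first + i:3d}: {DATA_ACCESS[groups[access_group(i, count)]]}")
    lines.append(f"  block {first + count - 1:3d}: {TRAILER_ACCESS[groups[3]]}")
    return lines


def diff_dumps(a: bytes, b: bytes) -> dict:
    """Block number -> byte offsets that differ between two equally sized dumps."""
    if len(a) != len(b):
        raise ValueError("dumps differ in size")
    result = {}
    for n in range(len(a) // BLOCK):
        x, y = a[n * BLOCK:(n + 1) * BLOCK], b[n * BLOCK:(n + 1) * BLOCK]
        offsets = [i for i in range(BLOCK) if x[i] != y[i]]
        if offsets:
            result[n] = offsets
    return result


def _constructed_dump(uid: bytes, block1: bytes) -> bytes:
    """1K dump with transport keys/access bits; demo data, not a real card."""
    bcc = 0
    for byte in uid:
        bcc ^= byte
    block0 = uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(range(0x62, 0x6A))
    trailer = b"\xff" * 6 + bytes.fromhex("ff078069") + b"\xff" * 6
    sector0 = block0 + block1.ljust(BLOCK, b"\x00") + bytes(BLOCK) + trailer
    return sector0 + (bytes(BLOCK) * 3 + trailer) * 15


SAMPLE_A = _constructed_dump(bytes.fromhex("deadbeef"), b"ROOM-0412")
SAMPLE_B = _constructed_dump(bytes.fromhex("cafebabe"), b"ROOM-0417")

if __name__ == "__main__":
    paths = sys.argv[1:3]
    dumps = [open(p, "rb").read() for p in paths] if paths else [SAMPLE_A, SAMPLE_B]
    for sector in parse_dump(dumps[0]):
        print("\n".join(describe_sector(sector)))
    if len(dumps) == 2:
        for block, offsets in diff_dumps(*dumps).items():
            print(f"block {block} differs at offsets {offsets}")
```

Invoke it as python3 mfd_compare.py hotel1.mfd hotel2.mfd. Sectors whose trailer still carries the transport configuration (keys FFFFFFFFFFFF, access bits FF 07 80) are unused; the blocks that differ between two cards issued for different rooms are where the room and validity data lives, and the access conditions tell you whether key A alone is enough to rewrite them.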
creating a ndef based NFC tag
Create a NDEF formatted link:
ndef-encode openpcd.ndef -sp "http://www.openpcd.org" -t "OpenPCD.org web site" "en-US" -s-
Store the link to a Mifare DESfire RFID card:
mifare-desfire-format -y
mifare-desfire-create-ndef -y
mifare-desfire-write-ndef -i openpcd.ndef
Emulate a RFID tag using OpenPCD2:
nfc-emulate-forum-tag4 openpcd.ndef
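To see what a file like openpcd.ndef contains and what the emulated tag serves, here is an added example (not code from this page, libnfc or libfreefare) that builds the same kind of message by hand: a URI record, a Text record, and a Smart Poster wrapping both, plus a parser that reads the records back. Record layouts follow the NFC Forum NDEF, RTD-URI, RTD-Text and Smart Poster specifications. Whether a given tool wants the bare message or the Type 4 Tag NDEF file (the message behind a 2-byte big-endian NLEN) is tool-specific and not stated on this page, so both forms are produced.

```python
"""Build and parse NDEF messages (URI, Text, Smart Poster).

Added example, not part of the OpenPCD 2 page or of libnfc/libfreefare.
Byte layouts follow the NFC Forum NDEF and RTD specifications.
"""

TNF_WELL_KNOWN = 0x01
FLAG_MB, FLAG_ME, FLAG_CF, FLAG_SR, FLAG_IL = 0x80, 0x40, 0x20, 0x10, 0x08

# RTD-URI prefix abbreviations (subset of the table); 0x00 means "no prefix".
URI_PREFIXES = {0x01: "http://www.", 0x02: "https://www.", 0x03: "http://",
                0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}


def record(tnf: int, rtype: bytes, payload: bytes, mb: bool, me: bool) -> bytes:
    """One NDEF record; short-record form when the payload length fits a byte."""
    flags = tnf | (FLAG_MB if mb else 0) | (FLAG_ME if me else 0)
    if len(payload) < 256:
        header = bytes([flags | FLAG_SR, len(rtype), len(payload)])
    else:
        header = bytes([flags, len(rtype)]) + len(payload).to_bytes(4, "big")
    return header + rtype + payload


def uri_payload(uri: str) -> bytes:
    """Identifier code (longest matching prefix) followed by the remainder."""
    for code, prefix in sorted(URI_PREFIXES.items(), key=lambda kv: -len(kv[1])):
        if uri.startswith(prefix):
            return bytes([code]) + uri[len(prefix):].encode("utf-8")
    return b"\x00" + uri.encode("utf-8")


def text_payload(text: str, lang: str) -> bytes:
    """RTD-Text: status byte (UTF-8 flag clear, language length) + language + text."""
    lang_bytes = lang.encode("ascii")
    if len(lang_bytes) > 63:
        raise ValueError("language code longer than 63 bytes")
    return bytes([len(lang_bytes)]) + lang_bytes + text.encode("utf-8")


def uri_message(uri: str) -> bytes:
    return record(TNF_WELL_KNOWN, b"U", uri_payload(uri), mb=True, me=True)


def smart_poster(uri: str, title: str, lang: str) -> bytes:
    """Outer 'Sp' record whose payload is itself an NDEF message (URI + title)."""
    inner = (record(TNF_WELL_KNOWN, b"U", uri_payload(uri), mb=True, me=False)
             + record(TNF_WELL_KNOWN, b"T", text_payload(title, lang), mb=False, me=True))
    return record(TNF_WELL_KNOWN, b"Sp", inner, mb=True, me=True)


def type4_ndef_file(message: bytes) -> bytes:
    """NDEF file body of a Type 4 Tag: 2-byte big-endian NLEN, then the message."""
    return len(message).to_bytes(2, "big") + message


def parse_message(data: bytes) -> list:
    """Decode records into (tnf, type, payload); rejects truncated input."""
    records, pos = [], 0
    while pos < len(data):
        if pos + 3 > len(data):
            raise ValueError("truncated record header")
        flags, type_len = data[pos], data[pos + 1]
        if flags & FLAG_SR:
            payload_len, pos = data[pos + 2], pos + 3
        else:
            payload_len, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
        id_len = 0
        if flags & FLAG_IL:
            id_len, pos = data[pos], pos + 1
        rtype, pos = data[pos:pos + type_len], pos + type_len + id_len  # ID is skipped
        payload, pos = data[pos:pos + payload_len], pos + payload_len
        if len(rtype) != type_len or len(payload) != payload_len:
            raise ValueError("truncated NDEF record")
        records.append((flags & 0x07, rtype, payload))
        if flags & FLAG_ME:
            break
    return records


def decode_uri(payload: bytes) -> str:
    return URI_PREFIXES.get(payload[0], "") + payload[1:].decode("utf-8")


def decode_text(payload: bytes) -> tuple:
    lang_len = payload[0] & 0x3F
    encoding = "utf-16" if payload[0] & 0x80 else "utf-8"
    return payload[1:1 + lang_len].decode("ascii"), payload[1 + lang_len:].decode(encoding)


if __name__ == "__main__":
    msg = smart_poster("http://www.openpcd.org", "OpenPCD.org web site", "en-US")
    with open("openpcd-example.ndef", "wb") as f:
        f.write(msg)
    print(msg.hex())
```

Compare the output with a hex dump of the file ndef-encode wrote: a bare URI record for http://www.openpcd.org is 16 bytes (header D1, type length 1, payload length 0C, type U, prefix code 01, then openpcd.org), and the Smart Poster nests that record and the title inside one Sp record.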
compiling the latest OpenPCD 2 source code and flashing the firmware
Hold both the RESET and FLASH buttons, then release RESET first (FLASH still held) to switch OpenPCD 2 into programming mode. The board enumerates as a USB mass storage device named CRP DISABLD that contains the current firmware image (firmware.bin).
OpenPCD 2 is also capable of running in a stand-alone mode where the RFID protocol is handled by the onboard ARM CPU. For a stand-alone firmware example, please refer to firmware/lpc13xx/openpcd2: src/main.c shows the interface for talking to the PN532 chip and for sending data out over USB serial (CDC ACM).
git-get
cd openbeacon/firmware/lpc13xx/openpcd2-libnfc
make clean flash
Talking directly to the RFID reader chip on OpenPCD 2
Please check the PN532 user manual (UM0701) for details on the chip's host command protocol; the command descriptions start at page 65.
pn53x-tamashell
# NFC reader: pn532_uart:/dev/ttyACM0 opened
Getting the firmware version (see GetFirmwareVersion, page 73):
> 02
Tx: 02
Rx: 32 01 04 07
Scanning for cards (see InListPassiveTarget, page 115):
> 4A 01 00
Tx: 4a 01 00
Rx: 01 01 03 44 20 07 04 36 26 a9 b2 1c 80 06 75 77 81 02 80
The UID length (7) is byte 6 of the reply and the UID follows (04 36 26 a9 b2 1c 80). Before it come the number of targets found (01), the target number (01), SENS_RES/ATQA (03 44) and SEL_RES/SAK (20); the trailing 06 75 77 81 02 80 is the ATS, which the PN532 only appends for ISO14443-4 capable cards (SAK bit 0x20 set), so the reply for a plain Mifare Classic ends with the UID.
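To show what pn53x-tamashell hides behind Tx: and Rx:, the following added example (not libnfc code and not from this page's author) builds the PN532 host frame around a command, verifies the checksums of a reply, and decodes the two responses above. Frame layout and field order are taken from the PN532 user manual; the reply bytes are the ones from the session above, and the complete reply frame they are wrapped in is constructed.

```python
"""Frame PN532 host commands and decode replies, as pn53x-tamashell does.

Added example, not part of the OpenPCD 2 page or of libnfc. Per the PN532
user manual a normal information frame is
    00 00 FF LEN LCS TFI DATA... DCS 00
with LEN + LCS == 0 and TFI + DATA + DCS == 0 (mod 256). tamashell shows
only the bytes after the command or response code as Tx:/Rx:.
"""

TFI_HOST_TO_PN532 = 0xD4
TFI_PN532_TO_HOST = 0xD5
CMD_GET_FIRMWARE_VERSION = 0x02
CMD_IN_LIST_PASSIVE_TARGET = 0x4A


def host_frame(command: bytes) -> bytes:
    """Wrap a command (code + parameters) into a host-to-PN532 frame."""
    body = bytes([TFI_HOST_TO_PN532]) + command
    if len(body) > 255:
        raise ValueError("payloads over 255 bytes need an extended frame")
    lcs = (-len(body)) & 0xFF
    dcs = (-sum(body)) & 0xFF
    return bytes([0x00, 0x00, 0xFF, len(body), lcs]) + body + bytes([dcs, 0x00])


def unwrap_frame(frame: bytes) -> tuple:
    """Check a PN532-to-host frame and return (response code, data)."""
    if frame[:3] != b"\x00\x00\xff":
        raise ValueError("missing preamble/start code")
    length, lcs = frame[3], frame[4]
    if (length + lcs) & 0xFF or len(frame) < 7 + length:
        raise ValueError("bad length or length checksum")
    body, dcs = frame[5:5 + length], frame[5 + length]
    if (sum(body) + dcs) & 0xFF:
        raise ValueError("data checksum mismatch")
    if body[0] != TFI_PN532_TO_HOST:
        raise ValueError("not a PN532-to-host frame")
    return body[1], bytes(body[2:])


def parse_firmware_version(data: bytes) -> dict:
    """GetFirmwareVersion reply: IC, Ver, Rev, Support bit mask."""
    ic, ver, rev, support = data[:4]
    return {"ic": "PN532" if ic == 0x32 else f"0x{ic:02x}",
            "version": f"{ver}.{rev}",
            "iso14443a": bool(support & 0x01),
            "iso14443b": bool(support & 0x02),
            "iso18092": bool(support & 0x04)}


def parse_in_list_passive_target_106a(data: bytes) -> list:
    """InListPassiveTarget reply for BrTy=00 (106 kbps ISO14443 type A).

    Per target: Tg, SENS_RES (2 bytes), SEL_RES, NFCIDLength, NFCID1, then an
    ATS (length byte first) only for ISO14443-4 capable cards.
    """
    targets, pos = [], 1
    for _ in range(data[0]):
        tg, sens_res, sel_res, uid_len = (data[pos], data[pos + 1:pos + 3],
                                          data[pos + 3], data[pos + 4])
        uid = data[pos + 5:pos + 5 + uid_len]
        pos += 5 + uid_len
        ats = b""
        if sel_res & 0x20 and pos < len(data):
            ats = data[pos:pos + data[pos]]
            pos += data[pos]
        targets.append({"tg": tg, "atqa": sens_res.hex(), "sak": sel_res,
                        "uid": uid.hex(), "uid_len": uid_len,
                        "iso14443_4": bool(sel_res & 0x20), "ats": ats.hex()})
    return targets


# Reply bytes from the tamashell session on this page; the full frame is constructed.
RX_FIRMWARE = bytes.fromhex("32010407")
RX_TARGET = bytes.fromhex("010103442007043626a9b21c80067577810280")
FIRMWARE_REPLY_FRAME = bytes.fromhex("0000ff06fad50332010407ea00")

if __name__ == "__main__":
    print("GetFirmwareVersion frame:", host_frame(bytes([CMD_GET_FIRMWARE_VERSION])).hex())
    print(parse_firmware_version(unwrap_frame(FIRMWARE_REPLY_FRAME)[1]))
    print(parse_in_list_passive_target_106a(RX_TARGET))
```

The frame builder reproduces the well-known GetFirmwareVersion frame 00 00 FF 02 FE D4 02 2A 00; sniffing the UART with the checksums in hand lets you tell a garbled frame from a PN532 that simply did not answer.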
Converting sniffed binaries to WAV-files
Record the sniff with PicoRFID-3K at 15.5 MHz. Use sox to convert the recorded binary log file (raw signed 16-bit mono samples) into a WAV file for review in Audacity; the OpenPICC SnifferOnly front end page has more information. In current sox releases the -2 and -s options used below are legacy spellings of -b 16 -e signed-integer.
sox -2 -b 16 -s -c 1 -r 15625 -t raw dump-003.img dump-003.wav
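The same conversion in pure Python, as an added example that is not code from this page or from the OpenPICC sniffer firmware: it wraps raw signed 16-bit mono samples in a WAV container the way the sox line does, and adds a moving-average envelope detector, the single-stage boxcar filter that the CIC filters listed under Further Reading are built from, to locate modulation pauses in a capture. The input signal is constructed (a carrier with two 100% ASK pauses), not a real sniff, and the sample rate is the 15625 from the sox line.

```python
"""Raw sniffer dump -> WAV, plus a moving-average envelope for pause detection.

Added example, not from the OpenPCD 2 page or the OpenPICC sniffer. The WAV
step matches the sox line on the page (raw signed 16-bit little-endian mono
samples into a RIFF/WAVE container). The test signal is synthetic.
"""
import io
import math
import struct
import wave

SAMPLE_RATE = 15625  # the -r value of the sox line on the page


def raw_s16le_to_wav(raw: bytes, rate: int = SAMPLE_RATE) -> bytes:
    """Equivalent of: sox -b 16 -e signed-integer -c 1 -r RATE -t raw in out.wav"""
    if len(raw) % 2:
        raise ValueError("odd byte count: not whole 16-bit samples")
    buf = io.BytesIO()
    with wave.open(buf, "wb") as wav:
        wav.setnchannels(1)
        wav.setsampwidth(2)
        wav.setframerate(rate)
        wav.writeframes(raw)
    return buf.getvalue()


def wav_info(data: bytes) -> tuple:
    """(channels, sample width in bytes, rate, frames) of an in-memory WAV file."""
    with wave.open(io.BytesIO(data), "rb") as wav:
        return wav.getnchannels(), wav.getsampwidth(), wav.getframerate(), wav.getnframes()


def decode_s16le(raw: bytes) -> list:
    return list(struct.unpack(f"<{len(raw) // 2}h", raw))


def moving_average_envelope(samples, window: int) -> list:
    """Rectify, then average the last `window` samples with a running sum."""
    hist, acc, out = [0] * window, 0, []
    for i, s in enumerate(samples):
        v = abs(s)
        acc += v - hist[i % window]
        hist[i % window] = v
        out.append(acc / window)
    return out


def find_pauses(envelope, threshold: float, min_len: int) -> list:
    """(start, end) index ranges where the envelope stays below threshold."""
    pauses, start = [], None
    for i, level in enumerate(envelope):
        if level < threshold:
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_len:
                pauses.append((start, i))
            start = None
    if start is not None and len(envelope) - start >= min_len:
        pauses.append((start, len(envelope)))
    return pauses


def constructed_sniff(rate: int = SAMPLE_RATE, carrier_hz: int = 1000, total: int = 2000,
                      pauses=((500, 560), (1200, 1260))) -> bytes:
    """A carrier with 100% ASK pauses as raw s16le bytes (synthetic test input)."""
    vals = []
    for n in range(total):
        amp = 0 if any(a <= n < b for a, b in pauses) else 20000
        vals.append(int(amp * math.sin(2 * math.pi * carrier_hz * n / rate)))
    return struct.pack(f"<{total}h", *vals)


def pauses_in_raw(raw: bytes, window: int = 16, threshold: float = 1500.0,
                  min_len: int = 20) -> list:
    """Pause ranges in a raw dump; window should cover about one carrier period."""
    return find_pauses(moving_average_envelope(decode_s16le(raw), window), threshold, min_len)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            raw = f.read()
    else:
        raw = constructed_sniff()
    wav_bytes = raw_s16le_to_wav(raw)
    print(wav_info(wav_bytes), pauses_in_raw(raw))
```

For a real dump, set the window to roughly one carrier period at your capture rate and the threshold to a fraction of the steady carrier envelope; the detected pause edges lag the true ones by up to one window, which is the latency any moving-average stage introduces.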