FRANCIS BROWN: Yeah, welcome everybody to RFID: Live Free or RFID Hard. My name is Fran Brown. I'm a partner at Bishop Fox, formerly Stach & Liu. We just rebranded it. There's going to be some exciting stuff to show you guys here today. I'm just going to get right into it. Basically, what I want to go over today is to cover practical advice on successfully performing a penetration test of an RFID physical system. A little bit of background behind this. About a year ago, I was doing an assessment of the electric utility, and I needed to get to that network, which was only accessible from two buildings, so I needed to break into a building; that's how it all started. And that was my goal. So I -- so I started looking into, you know, different RFID presentations that had been given in the past. Unfortunately, there was no Hacking Exposed RFID. (Coughing.) FRANCIS BROWN: That would just let me know what I would need to be able to know to break into a building. So I saw the past presentations I could find, anything I could find, and after a couple of days I realized I was no closer to achieving my objective than I was when I started.
Most of the presentations in the past discussed tools that weren't released or were more theoretical. They didn't give me exactly what I needed to know to be able to break into a building. So that's what I hope to cover here today. And I'm going to finish up with practical defenses as well, so you know how to protect yourself. So bringing it down -- it's a pretty simple methodology. When I go to do an RFID penetration test, it just boils down into three simple steps. First, steal somebody's badge information without them realizing it, while walking by them. Two, take that information and make a clone of their card. And then, three, go into the building that I want to break into, and possibly plant a back door so I don't have to stay there very long. It seems pretty simple. But the thing that I -- that I soon realized was that step one was a little bit difficult, because most of the tools out there required you to get within a couple of centimeters to be able to successfully steal someone's badge information out of their pocket or their purse or, you know, what have you. So that kind of led to what I like to call the method of RFID hacking. (Laughing.)
FRANCIS BROWN: These are all from different presentations, YouTube videos, things I've seen in the past, where, you know, the people go on and on about how insecure it is and how easy it is to steal somebody's badge information, and then they have something like this: they're walking up and grabbing people's asses with a Proxmark running on their sleeve, with a big CD-sized sleeve antenna, walking down S scribing. I don't know -- you see Jonathan up there -- I don't know how many times you could potentially do that, walk around, you know, our target facility and start grab-assing before you actually get caught. I would imagine once or twice. This was an unrealistic thing for me. This is not going to work. I'm not sure what I can do at this point, but there weren't really any tools out there to allow me to realistically be able to pull this type of attack off. So I started looking into my own custom solutions, and with that I'm going to do a couple of quick videos that I think demonstrate the limitations, as well as our tools for stealing, for step one there, and making a clone of a card, just to show how easy it is now to be able to pull this off and steal someone's badge number and then break into a building.
Can you guys see that okay? By far the most popular -- okay. In this first one it's -- how many of you are familiar with the Proxmark? It's probably the number one tool you could buy. It's really great for a lot of important purposes. (Feedback.) FRANCIS BROWN: Sorry about that. It's too much for the microphone. But as you'll see here, it also has the problem of distance. This is the Proxmark. This is an RFID hacking tool you can buy, by far the most popular we have. It's plugged into my laptop here, a USB and the antenna. We're running the Proxmark and we have it in listening mode, and it's trying to listen right now. As we can see, it still does not see the card even at this range. So I'll keep coming down. Keep coming down. Getting closer to the antenna until -- there we go. 6339. We had to be probably an inch right here before it actually starts picking up the badge information, 6339. So this is about how close you have to get to somebody on their person to be able to effectively use this tool to steal their information, which is a little too close for comfort if you ask me.
So -- I mean, how many people have pulled off successful penetrations with the Proxmark or whatever existing tools are out there? A handful of people? I mean, I guess you could, but you saw the antenna. It's about the size of a CD, and typically people would run it down their sleeve and have this CD, you know, and try to go up and guess where the person has their badge on to begin with. If you don't know which pocket it is, you start, you know, feeling around. (Laughing.) FRANCIS BROWN: So I -- I saw a few things where people posted custom solutions that they had done. They didn't really release code or, you know, practical advice on how to put it together. So I kind of had to do my own thing. It will be up on the website tomorrow, but my goal here was to make it so that I can create a tool for security professionals who, you know, don't know a lot about RFID or have an electrical engineering background or, you know, are going to build their own custom antennas; this is for your average security professional who wants to be able to perform this kind of pen test, so they can get up and running realistically quickly.
So -- wouldn't it be great if there was a tool that took that step one, that allowed us to secretly steal this information without having to go up and grab somebody's butt? So, as a crazy random happenstance, we do have such a tool. 6339 again. We look to my left here. This is what I'm calling a long-range RFID stealer. (Talking simultaneously.) FRANCIS BROWN: You see the -- so we'll go ahead and pull it up here, the 26-bit card moving in. And card number 6339. So it puts it to the screen nicely as well. A few feet away right now. And with this, I can steal the information without having to go and grab somebody's butt. So we'll take a look at what this tool is actually doing and how the circuit board comes into play. You turn this off. And we can see that it is a foot by a foot and only -- (Inaudible.) FRANCIS BROWN: And I have a missile switch on the back here, as well as using it for the alarm and things like that. It's completely self-powered and portable, so what we would do is take this and put it in your messenger bag or backpack or briefcase and walk around with it.
Walk by somebody from up to 3 feet away and pick up their badge information, which is much better than, you know, grabbing butts up here. It's to the right of the screen where we actually see where it's easy to take apart here. Just a simple screw at the front. Something I can just twist off. And take the lid off, and this is a long-distance commercial badge reader, the kind you would find in parking lots so that you don't have to get out of your car. You can just roll down the window and put your card out of the car window and hold the badge up, and so it's meant to be picked up several miles away. This was all to begin with. All you do is add the LCD screen, the batteries -- it's self-powered -- and you will recognize this circuit board here, which you have without all the things that are installed. But it has other logic, the code, and it will be on our website for you to download as well, and this is just an ID number control that you can buy online on Amazon, Radio Shack, as well as just some resistors and a few things there you can pick up anywhere. We'll have detailed instructions on the website to recreate this, which is our main goal here.
And finally you'll see the micro-SD card. I was writing it to the SD card in a text file. So pretty cool. (Applause.) FRANCIS BROWN: Yep. Thank you. Thank you. So, you know, for those who are really attached to it, the ass-grabbing methodology is still at your disposal if that's what you want to do, but this, I think, is a much better solution, and so you could see it's super light. It's just self-powered, completely portable. Picks it up from a couple of feet away as opposed to a centimeter or two. And, yeah, so effectively this was my attempt at solving that step 1 of those three steps. And then I just have one more video, which shows you step 2, which I mentioned -- I like the Proxmark. This is the SD card. The output. I put it into my laptop. It should come up over here. So we should see the SD card came up that I pulled from our long-range RFID viewer. Check that out and we see that there's a single file, a simple text file. I click on that. And we see here -- when you scan it a few times, it's a 26-bit card.
Here is the notation information for that badge information; we actually decode it for you. It's facility code 113. And badge number 6339. We actually have the binary as well. So we've successfully completed step 1. We took the badge information where we can, from 3 feet away, casually walk by you and steal the information. Now that we have that, we can use tools like the Proxmark to create a cloned, fake version of your badge so we can go ahead and use that, and that's extremely easy. It's a single command where we have the Proxmark set up here. So what we're going to do here is -- I'm going to go ahead and copy that version of this badge, 6339; copy and come back to our Proxmark here. Now, the Proxmark is in read mode now, and by hitting this button I'll stop that. So now we have the badge information from our tool, just the value, and what we're going to do is take this programmable T5577 card, which is a programmable card that doesn't read anything right now, and we can turn this -- this is just a sticky note. It's clearly not the 6339 badge. It's got a post-it on it. It's programmable.
I just lay that on top of the card here. And if we look right here, all I'm going to do is type in "lf" for low frequency, "hid clone", a space, and then I'm just going to paste in the value we took from our card's text file, and hit Enter, and we see "cloning tag"; it's done. So right now this card is functioning as an exact duplicate of the card we stole, 6339. So let's test it out. So we have our original badge number 6339, the original card 6339. And it's a Prox card too. 6339 still. Now we take our cloned card, this card which is clearly not that same card. It's my third -- badge 6339. 113, 26-bit card, so now we've successfully stolen and now made a fake copy of this person's badge. (Applause.) FRANCIS BROWN: So pretty easy now, right? Hopefully you guys can get up and running with this kind of tool. At this point I've been able to train some of our consultants to do it now in about 10 minutes. There's the on switch, which is also the off switch, on the back, you know, go forth and prosper, so -- what we're talking about here is low frequency.
I saw with some of the articles that came out, people were posting links to high-frequency long-range antennas and things like that. But we're talking the 125 kilohertz low-frequency technology for physical security systems. And in looking at that, people have known about these issues for quite some time. But the interesting thing to me was that no one's really done anything about it yet. This came from HID Global directly, from a post they had recently, saying 70 to 80% of physical security systems out there still use this legacy low-frequency technology that we're exploiting here. Despite us having known for quite some time, and they admit there's no security. They've been hacked, we know this. They're not resistant to any of these kinds of common attacks, and yet they still persist. And one of the motivations in doing this talk -- actually, after creating the tools, I noticed that, you know, we've seen Chris talking in 2007: it couldn't be any simpler, if you're using this information technology for your doors, you're highly unsecure. That's a big bullet, that's in 2007, and this quote came out of this blog post in 2013.
So from 2007 to 2013 we've made about zero progress in terms of upgrading these physical security systems. And that blog post is actually pretty interesting; it talks about some of the reasons why: the physical security product lifecycle is about 20 years, they estimate, so most of the things they made were bought in the early '90s. HID offers more solutions, but people have bought and installed products from 20 years ago and are more than happy with it. So to some extent it's ignorance on the part of the people making the purchasing decisions. They just don't realize that these things are this insecure, as well as there are budget issues. So what we're looking at here is a basic breakdown of what's happening for a badging system for a door. There are four main components and, coincidentally, if we're thinking about doing a pen test, these are the four areas that we'll want to target. So with this attack, we're targeting the card directly. We're going to the local Starbucks in the building that we want to break into, and hanging out in the smoking area and something like that, and targeting the cards that are on somebody's person.
These cards -- basically, when they come within a near distance of a reader like this, the reader powers it and it just sings out 26 to 37 1s and 0s. That's it. As soon as it gets powered, it starts singing this out, depending on what they have, and then the reader just reads these off the air and then encodes them in the Wiegand protocol, which I'll talk about in a little bit, and just forwards them on to the controller to make the decision about whether to open the door or not. And then you have the host PC, where the physical security guard will be sitting, adding new users and monitoring, you know, cameras and things like that. So in breaking this down -- in doing this initial research, it was like pulling teeth. I mean, just trying to understand what was going on with these things. What's written on the card, how far away can I be? Every question that would jump to your mind if you didn't know RFID, it would be the 130th Google hit or some random product manual that I found the answer in. So I tried to compile as much as I could here to make it easy.
But one of the questions that came up: if I saw somebody's badge -- if I looked at the number on the back, is that enough information for me to make a fake copy of it? You go to Google Images and somebody took their picture and you have their badge number; could you make a copy of that? The short answer is, maybe. So basically there are 26 to 37 1s and 0s it sings out when it comes near a reader. They eventually get interpreted by a controller; the way they get interpreted -- this is what they call the card format, which typically breaks down into your ID and facility code. What's written on the card is the card ID, which is part of what you need. If they're using a standard 26-bit card, then there are only 255 possible facility codes, so technically with that I could just try that card number and facility code 1, facility code 2, facility code 3, and pretty quickly be able to do basically what you see on the card. A 35-bit card or something, then it wouldn't be as easy to do. There's also -- you'll typically see on these cards one number and then a space and then a longer number. That longer number is just a sales order number. I found it in a product manual.
If you want to buy more cards, when you call the sales guy you read him that number. It has nothing to do with authentication or getting you in the door or anything like that. So good to know. And this is what I'm talking about with the -- so in reading this as well, it's -- I saw things from your standard 26-bit card or your corporate 35-bit card, and then you hear there are 44-bit cards. And in the Proxmark, you see typically the tools that are accessing them show 10 hexadecimal numbers, which are 20 digits, so what's exactly going on with the card was a little confusing to me, 'cause people didn't really make it clear. So just to make it clear what's actually going on: it sings out 26 to 37 bits in the air. It's always 44 bits on the card. And when you see here -- I scanned this in from a product manual and put the notation there myself. Typically, the -- always the first hexadecimal digit would be zero, which is why it gets dropped, which is why you see it's 10. You see 11 hexadecimal digits, but it starts with a zero. Always 44 bits on the card, which you see out there. The standard 26-bit is what you see on the right, and then it starts -- come on, man!
Everyone look at that guy with a stare. (Laughing.) FRANCIS BROWN: So it's -- it's always -- every single card, it starts with six zeros and a one on every card. Six zeros and a one. And there's a buffer of 10 zeros and then a parity -- or a sentinel bit, and then your 26 bits, so if you have a 35-bit card or anything up to 37, all it does is extend to the left using that buffer of those 10 zeros, and that's the full 44 bits on the card. So mystery solved. This is on low-frequency stuff and mainly for breaking into buildings, but these types of attacks and the techniques that we're going for here are only going to become more applicable as we go on. We're starting to see them in credit cards in the U.S. now. Passports, and my favorite -- who here is a Disney fan? Anybody? Disneyland, Disney World? Yeah, so Disney is going over to RFID for everything. So that's going to be fun experiments, some field research. (Laughing.) FRANCIS BROWN: Get some FastPasses to get to the front of the lines and things like that. So you see the band there on somebody's wrist.
Everything from getting into the world at Disney World to getting your FastPasses to the rides to paying for things to your hotel room are all going to be -- it's all RFID-based. They're rolling it out right now. So these things are just -- people are finding more and more uses for RFID technology that will be fun to do pen tests for. A couple of the tools that you want to have in your arsenal besides our tool here -- I would definitely recommend the Proxmark. You can get cheaper versions, but the nice polished version is $399. You can use it, as we saw in the video, for making cloned cards. It has all kinds of purposes that are great for doing RFID hacking. It does have a single button on it. You see that -- one crazy workflow for the single button on top of the Proxmark, which is a little fun. It's like stand on one foot and hold the button for 4.5 seconds until it blinks orange. That's literally the one button's workflow, which is pretty cool. Another cool thing with the Proxmark: there's a tool called ProxBrute. Has anyone ever heard of ProxBrute? It's custom firmware that someone from McAfee wrote, that you load on the Proxmark, that you can use to brute force.
408 00:24:51,083 --> 00:24:54,999 Once you have like a valid badge, if you stole maybe, you know, 409 00:24:54,999 --> 00:24:57,334 just a normal worker's badge information 410 00:24:57,334 --> 00:25:02,125 to get in the front door, but you want to get in the data center and that person 411 00:25:02,125 --> 00:25:05,667 didn't have access, well, the card numbers themselves are 412 00:25:05,667 --> 00:25:08,999 sequential, so you could use this tool and the Proxmark 413 00:25:08,999 --> 00:25:11,999 will simulate being a badge and try that number and 414 00:25:11,999 --> 00:25:15,417 the next badge number, so it will allow you to brute force 415 00:25:15,417 --> 00:25:18,999 a different badge number to get into a different data center 416 00:25:18,999 --> 00:25:22,959 or more secured area than the actual badge that you stole, which 417 00:25:22,959 --> 00:25:24,375 is great. 418 00:25:24,709 --> 00:25:30,542 And it has a similar crazy workflow for that one button, which 419 00:25:30,542 --> 00:25:34,375 is altered there that you see. 420 00:25:34,375 --> 00:25:36,751 Also there's RFIDIOt -- Adam Laurie has done 421 00:25:36,751 --> 00:25:40,999 different talks over time, and compiled different Python scripts 422 00:25:40,999 --> 00:25:44,626 for doing RFID hacking and he just keeps adding to them, 423 00:25:44,626 --> 00:25:48,459 for all different sorts of purposes, so I definitely recommend 424 00:25:48,459 --> 00:25:51,834 checking that out. As well, one convenience is that 425 00:25:51,834 --> 00:25:56,167 the software -- it all comes loaded on BackTrack, so all you need to do 426 00:25:56,167 --> 00:25:59,083 is get the equipment, plug the USB in and fire 427 00:25:59,083 --> 00:26:04,125 up BackTrack and you can be up and running stuff pretty quickly. 428 00:26:06,542 --> 00:26:10,334 These are extremely -- has anyone seen these tools before from RF IDeas?
429 00:26:11,334 --> 00:26:13,626 I don't typically -- I don't think I've ever seen this 430 00:26:13,626 --> 00:26:16,083 in a security presentation on RFID. 431 00:26:16,083 --> 00:26:17,999 I just happened to stumble across it. 432 00:26:17,999 --> 00:26:22,918 And basically it's just two little USB sticks about that size. 433 00:26:22,918 --> 00:26:24,417 It requires no software. 434 00:26:24,417 --> 00:26:26,501 It's for field testing for people that install this type 435 00:26:26,501 --> 00:26:29,999 of equipment, and basically one of the things I wanted to answer was: what 436 00:26:29,999 --> 00:26:33,083 if I don't know what kind of card this is? 437 00:26:33,209 --> 00:26:35,626 What if I don't know what technology it's using? 438 00:26:35,709 --> 00:26:37,209 Take the Disney one, for example. 439 00:26:37,209 --> 00:26:41,083 The Disney stuff doesn't have -- it has all Walt Disney stuff on it. 440 00:26:41,083 --> 00:26:43,250 It doesn't tell what kind of card it was. 441 00:26:43,459 --> 00:26:47,083 If I wanted to figure out what type of technology it was, 442 00:26:47,083 --> 00:26:49,667 I'd use these things. 443 00:26:49,667 --> 00:26:52,876 This would have a high frequency and a low frequency USB stick. 444 00:26:52,876 --> 00:26:54,999 You open it up and open up Notepad and you lay a card 445 00:26:54,999 --> 00:26:58,792 on top of it, and it prints to the screen in Notepad; it will tell you 446 00:26:58,792 --> 00:27:03,167 not only what the badge information is, but exactly what technology it is, 447 00:27:03,167 --> 00:27:06,375 which matters for being able to understand what kind 448 00:27:06,375 --> 00:27:10,209 of tools you're going to need to break into it. 449 00:27:11,334 --> 00:27:12,834 So pretty cool. 450 00:27:13,918 --> 00:27:16,083 And then, again, this is our tool again, which you saw 451 00:27:16,083 --> 00:27:18,417 the demonstration of already. 452 00:27:18,751 --> 00:27:23,250 I programmed in there -- you see a 35-bit card.
453 00:27:23,501 --> 00:27:27,876 Basically, you'll be able to get one of the certain versions that I'm 454 00:27:27,876 --> 00:27:31,125 about to give out, or go to our website and download 455 00:27:31,125 --> 00:27:36,999 the code that you could send away to anyone that makes circuit boards. 456 00:27:36,999 --> 00:27:38,959 And for about 30 bucks, they'll send you 457 00:27:38,959 --> 00:27:41,999 a copy, and then you buy the parts that you need, load 458 00:27:41,999 --> 00:27:44,375 the code that we have. 459 00:27:44,375 --> 00:27:46,876 It will be on our website, and you'll be up and running. 460 00:27:46,876 --> 00:27:49,999 You essentially plug this in to any RFID reader that there 461 00:27:49,999 --> 00:27:53,083 is for any of the technologies. 462 00:27:53,083 --> 00:28:00,459 So as we'll see, a simple missile switch in the back, easily from 3 feet away. 463 00:28:01,501 --> 00:28:04,999 I designed it -- what I've been releasing I designed it in Fritzing. 464 00:28:04,999 --> 00:28:06,792 Anybody familiar with Fritzing? 465 00:28:09,501 --> 00:28:12,959 I'll be releasing that and you can actually export it 466 00:28:12,959 --> 00:28:15,999 to send it away to get the board. 467 00:28:15,999 --> 00:28:17,292 That's a picture of the board that I'll be giving away 468 00:28:17,292 --> 00:28:18,999 after the talk. 469 00:28:21,083 --> 00:28:24,999 And essentially you could -- you could take this board, and it just basically has 470 00:28:24,999 --> 00:28:27,375 two inputs and two outputs. 471 00:28:27,375 --> 00:28:31,375 It's taking in the output of the reader, like this one here. 472 00:28:31,375 --> 00:28:33,999 It's taking in the batteries, and it's outputting the badge number 473 00:28:33,999 --> 00:28:37,167 to the screen and to a text file on the card. 474 00:28:37,417 --> 00:28:40,626 That's as simple as you could think of how the board is working.
475 00:28:42,626 --> 00:28:46,876 And the output of the reader is the Wiegand output that I mentioned 476 00:28:46,876 --> 00:28:53,083 earlier, which every single badge reader has; this output is what they typically use. 477 00:28:53,083 --> 00:28:57,125 So the 26 and 37 1s and 0s: there's data one and data zero, 478 00:28:57,125 --> 00:29:02,542 on each one it sends a pulse on data one, and we're just tapping 479 00:29:02,542 --> 00:29:09,792 into that, so essentially you could use this for any type of badge system. 480 00:29:09,792 --> 00:29:13,083 So the two main ones for physical security are HID Prox 481 00:29:13,083 --> 00:29:16,209 and Indala Prox for the low frequency, which 482 00:29:16,209 --> 00:29:20,667 are both owned by the company HID; if I held up a HID card 483 00:29:20,667 --> 00:29:24,959 to an Indala reader it wouldn't do anything. 484 00:29:28,209 --> 00:29:30,834 So between these two long distance readers, one 485 00:29:30,834 --> 00:29:33,876 of which you see here, you're pretty much covered with 99% 486 00:29:33,876 --> 00:29:37,250 of the badges that people would have out there. 487 00:29:37,250 --> 00:29:40,792 So you could take my board, plug it into the HID reader which we have here, 488 00:29:40,792 --> 00:29:44,792 and if you noticed it's not working you can plug it into the Indala reader 489 00:29:44,792 --> 00:29:47,167 and walk around and grab people's Indala cards 490 00:29:47,167 --> 00:29:48,709 as well. 491 00:29:48,876 --> 00:29:52,999 You see the "proven secure" there written for Indala; it claims 492 00:29:52,999 --> 00:29:58,584 to be more secure and they have a lot of people convinced that it is. 493 00:29:58,626 --> 00:30:02,751 Instead of just sending out the 1s and 0s it does a little bit 494 00:30:02,751 --> 00:30:06,918 of obfuscation, which doesn't even matter, because if we're using 495 00:30:06,918 --> 00:30:11,876 an actual reader like we are it does all the decoding for you. 496 00:30:12,209 --> 00:30:14,792 (Laughing.)
FRANCIS BROWN: So it's very easy to do, and, you know, 497 00:30:14,792 --> 00:30:16,209 we've made fake versions and so both 498 00:30:16,209 --> 00:30:18,751 of these are just as susceptible. 499 00:30:19,626 --> 00:30:23,501 And finally I just plugged in an SD card and am writing it 500 00:30:23,501 --> 00:30:26,626 into a text file for ease, but there's plenty 501 00:30:26,626 --> 00:30:29,542 of add-ons you can imagine. 502 00:30:29,542 --> 00:30:33,501 We played around with, and next are adding, Bluetooth capabilities so I can see 503 00:30:33,501 --> 00:30:37,459 the badges on my phone as they're being read, and even cell 504 00:30:37,459 --> 00:30:41,083 phone capability to have a text message 505 00:30:41,626 --> 00:30:44,334 for every badge that it sees if I leave it somewhere else. 506 00:30:44,334 --> 00:30:47,918 They would be easily added on to this particular technology. 507 00:30:55,417 --> 00:30:59,709 Basically, if you guys are aware of any tools that do this attack, 508 00:30:59,709 --> 00:31:02,083 you could let me know. 509 00:31:02,083 --> 00:31:04,918 I've heard people talk about it in theory in some Ph.D. 510 00:31:04,918 --> 00:31:05,918 papers. 511 00:31:05,918 --> 00:31:07,209 But the distance limitation that we're now getting, with 3 feet 512 00:31:07,209 --> 00:31:10,584 versus the few centimeters we saw before, is due to powering 513 00:31:10,584 --> 00:31:14,876 the card, not reading the 1s and 0s that it is sending out. 514 00:31:14,876 --> 00:31:17,501 People talk about if you leave something at the front 515 00:31:17,501 --> 00:31:22,167 door of the building and you let the real reader power their card, you can 516 00:31:22,167 --> 00:31:25,083 listen for those 1s and 0s from further away, 517 00:31:25,083 --> 00:31:29,709 and I know that in Chris Paget's talk he had mentioned being able to get 518 00:31:29,709 --> 00:31:33,501 up to 10 feet in this, in this passive mode, letting someone 519 00:31:33,501 --> 00:31:35,542 else power it.
520 00:31:35,542 --> 00:31:38,626 This was never released due to legal reasons, I believe, and I haven't 521 00:31:38,626 --> 00:31:42,918 seen any other tools successfully do it, but it is something to be aware 522 00:31:42,918 --> 00:31:46,542 of in terms of getting further distance still. 523 00:31:47,626 --> 00:31:51,459 A copy of the card -- I mentioned this in the video. 524 00:31:51,999 --> 00:31:56,334 What you would want to get are these T55X7 cards. 525 00:31:56,334 --> 00:31:58,375 They're like a dollar. 526 00:31:58,375 --> 00:31:59,751 You could buy them online. 527 00:32:00,083 --> 00:32:03,876 Just a note: on all these slides, my notes sections have white papers, links 528 00:32:03,876 --> 00:32:07,999 to everything you'd want for each topic are in there. 529 00:32:08,876 --> 00:32:11,292 But these things are not blank cards. 530 00:32:11,792 --> 00:32:13,375 They're programmable cards. 531 00:32:13,375 --> 00:32:16,459 So they'll simulate the data and behavior of any type of card, 532 00:32:16,459 --> 00:32:20,292 and what I meant -- when I mentioned a HID card wouldn't work 533 00:32:20,292 --> 00:32:23,709 with Indala and Indala wouldn't work with HID -- these cards behave 534 00:32:23,709 --> 00:32:27,999 like an Indala card or a HID card, so they can simulate any type of card 535 00:32:27,999 --> 00:32:30,292 and the data on them. 536 00:32:30,751 --> 00:32:33,375 You'll definitely want to have them in your arsenal, and you could 537 00:32:33,375 --> 00:32:35,125 reprogram them as much as you want 538 00:32:35,125 --> 00:32:37,999 to be your fake versions of cards.
539 00:32:40,167 --> 00:32:43,375 Finally, if people start, you know, using RFID blocking 540 00:32:43,375 --> 00:32:45,999 with little stuff like that, we have to move 541 00:32:45,999 --> 00:32:49,959 down the line what we're attacking; there's things where you can pop 542 00:32:49,959 --> 00:32:52,709 up the lid of the reader and start dumping things 543 00:32:52,709 --> 00:32:55,999 off the readers and attack them directly. 544 00:32:56,375 --> 00:32:58,459 There's a man in the middle tool called Gecko where 545 00:32:58,459 --> 00:33:01,667 you plug in the reader and as people badge in it's writing them 546 00:33:01,667 --> 00:33:03,751 to something as well. 547 00:33:03,751 --> 00:33:06,792 I didn't really design my circuit board to be used that way, 548 00:33:06,792 --> 00:33:10,417 but I realized afterwards, with a few minor alterations, 549 00:33:10,417 --> 00:33:13,542 you could use this circuit board. 550 00:33:13,542 --> 00:33:16,417 All I'm doing is tapping into the output of a real reader. 551 00:33:16,417 --> 00:33:17,959 You could take the circuit board, go to the front 552 00:33:17,959 --> 00:33:21,083 of the building that you're trying to break in, open the lid, insert it 553 00:33:21,083 --> 00:33:24,250 and have it sit there and record all the other real badges that are 554 00:33:24,250 --> 00:33:26,459 coming through that reader, so you could use it 555 00:33:26,459 --> 00:33:28,375 in this way as well. 556 00:33:29,999 --> 00:33:37,709 And this Brad -- I'll butcher his name, the guy from McAfee. 557 00:33:37,709 --> 00:33:40,125 He made the ProxBrute software I'm talking about; he has 558 00:33:40,125 --> 00:33:44,292 a product where he's come up with tons of scripts and things 559 00:33:44,292 --> 00:33:48,417 to attack the readers and attackers directly. 560 00:33:48,417 --> 00:33:49,417 It's really cool. 561 00:33:49,417 --> 00:33:51,083 I would recommend checking it out.
562 00:33:53,125 --> 00:33:56,459 Lastly, once you get in, you'll want to not be in the building any longer than 563 00:33:56,459 --> 00:33:58,083 you have to be. 564 00:33:58,083 --> 00:34:00,999 So I recommend -- are you familiar with the Pwn Plug? 565 00:34:01,751 --> 00:34:03,999 So it's just going to be your own personal VPN back door 566 00:34:03,999 --> 00:34:05,918 into their network. 567 00:34:05,999 --> 00:34:11,999 It's $1,000 for the regular plug and $1,500 for the Power Pwn. 568 00:34:11,999 --> 00:34:14,417 It's pretty cool, but it's a little hefty. 569 00:34:14,417 --> 00:34:19,167 I would recommend -- people are coming out with images for the Raspberry Pi 570 00:34:19,167 --> 00:34:23,792 to do the very same thing, even from Pwnie Express. You get 571 00:34:23,792 --> 00:34:26,501 the Raspberry Pi and for $35 572 00:34:26,501 --> 00:34:31,709 instead of $1,500 you could create your own little back door to be 573 00:34:31,709 --> 00:34:35,334 on the network, and you see people use hollowed 574 00:34:35,334 --> 00:34:38,999 out old laptop chargers with the Raspberry Pi 575 00:34:38,999 --> 00:34:43,292 with the back door, which works pretty cool. 576 00:34:44,999 --> 00:34:49,709 I think we're just about out of time so I'm going 577 00:34:49,709 --> 00:34:52,999 to skip to the defenses. 578 00:34:53,584 --> 00:34:55,584 Avoid being probed. 579 00:34:55,999 --> 00:35:01,501 I don't know if this will help you out but it's very fashionable. 580 00:35:01,501 --> 00:35:03,709 So I would recommend upgrading your systems, if possible, 581 00:35:03,709 --> 00:35:07,250 to the contactless smart cards, the high frequency stuff. 582 00:35:07,250 --> 00:35:10,999 These things can do challenge response, authentication, encryption.
583 00:35:12,792 --> 00:35:15,083 If you're a company that has 100,000 employees, 584 00:35:15,083 --> 00:35:18,209 replacing everybody's badges and, you know, every single door 585 00:35:18,209 --> 00:35:23,334 out there might be not that realistic, at least in any kind of good time frame. 586 00:35:23,334 --> 00:35:26,959 So in order to get around that, what I would recommend is, you know, 587 00:35:26,959 --> 00:35:30,584 changing -- using things like detection software, so if I badge 588 00:35:30,584 --> 00:35:34,918 in at 8:00 in the morning every morning but all of a sudden I'm badging 589 00:35:34,918 --> 00:35:37,959 in at 4:00 in the morning in a building I never go to, 590 00:35:37,959 --> 00:35:41,709 you can have it generate an alert and flag you. 591 00:35:42,083 --> 00:35:45,375 Also you have the protective sleeves that I'll talk 592 00:35:45,375 --> 00:35:48,083 about more in a second. 593 00:35:48,083 --> 00:35:50,918 But you want to not wear your badge in prominent view, so I can't make 594 00:35:50,918 --> 00:35:53,417 a realistic looking picture of it. 595 00:35:53,501 --> 00:35:56,959 Security screws that prevent people from easily popping the lid 596 00:35:56,959 --> 00:36:01,501 off your reader on your door, instead of just normal screws. 597 00:36:01,999 --> 00:36:03,876 And there's also ones -- some of your readers, you have to check, 598 00:36:03,876 --> 00:36:06,125 come with tamper-detect systems that will send an alert if somebody 599 00:36:06,125 --> 00:36:08,167 is messing with the systems. 600 00:36:08,167 --> 00:36:10,918 And finally the protective sleeves you would get: 601 00:36:10,918 --> 00:36:13,751 some of them work and some of them don't, so 602 00:36:13,751 --> 00:36:19,375 before you buy 100,000 of them for your employees, make sure it works.
603 00:36:19,375 --> 00:36:22,876 This is a green card protective sleeve. One of our employees 604 00:36:22,876 --> 00:36:27,459 is from Scotland, very charming fellow, and he has his green card which has 605 00:36:27,459 --> 00:36:31,999 RFID in it, and it has this sleeve that you should keep it in at all times 606 00:36:31,999 --> 00:36:36,250 to prevent communication with your -- with your card. 607 00:36:36,250 --> 00:36:37,417 It doesn't work at all. 608 00:36:37,876 --> 00:36:40,209 It's probably just a piece of paper. I don't know how they got 609 00:36:40,209 --> 00:36:42,209 away with selling it to the federal government 610 00:36:42,209 --> 00:36:44,584 for every single green card, and it doesn't work 611 00:36:44,584 --> 00:36:48,083 at all, and in my experience there's no rhyme or reason. 612 00:36:48,083 --> 00:36:49,792 Half of them work, half of them don't, so get a sample; 613 00:36:49,792 --> 00:36:53,083 test it out before you buy them in bulk for your company. 614 00:36:53,250 --> 00:36:54,999 And that's it. 615 00:36:54,999 --> 00:36:56,834 (Applause.) MODERATOR: Okay. 616 00:36:56,834 --> 00:36:56,834 So here's the thing: If you want to get one 617 00:36:56,834 --> 00:36:56,834 of these awesome little boards or ask questions for that matter, 618 00:36:56,834 --> 00:36:56,834 we're going to do a little Q & A and distribution of these 619 00:36:56,834 --> 00:36:58,083 in the chillout lounge now. 620 00:36:58,083 --> 00:37:00,250 FRANCIS BROWN: See you guys over there.