My name is Craig. I'm a security researcher with Tripwire VERT; I write content for the IP360 scanner and do a lot of vulnerability research in my free time and at work. Today I'm going to talk to you not about vulnerabilities but rather about how to work with some of the tools that are out there for RFID hacking. So I accumulated, with VERT, a number of tools for working with high frequency RFID, and I've noticed there is not really a lot of consistent documentation out there for some of these tools. People release patches adding new functionality for various things, but it doesn't often get a lot of documentation. You can read through the source code and figure things out, but I wanted to make things easier for people. And then I wanted to look at ways I could use the 3D printer that we have to try to enhance some of the practical attacks that you have with RFID tools, and also look at some of the different options that you have, or opportunities for research, through that. What we're going to go through here: I'm going to overview the tools that I'm working with for this project, go through some of the basics of how RFID functions, some of the basic 3D printing functions, and we'll get into firmware changes that I made to the Proxmark3 and how these changes were made. This is actually documented in a lot more detail in a white paper that is going to be available on the DEF CON site. And then we'll get into the 3D printing stuff and look at how you can make antennas and how you can conceal different tools with 3D printed objects. These are the tools that we have going on for this. You have the RFID tools over here. The Proxmark3 is your Swiss army knife for all things RFID, in the low frequency and high frequency bands at least. I have below that the PN533 USB stick. It's an NXP chipset on a USB stick. And finally on the bottom there is the RFIDler V22 board, which I obtained at DEF CON last year.
Moving over to the embedded computing tools, we have the USB armory, which is a little thumb-stick computer, and a Raspberry Pi board that I was looking at. Finally, for the 3D printing I was using primarily the CubePro 3D printer, which we acquired in the office. Getting right into it: the Proxmark3, for anybody that doesn't know, this is a board that was developed as part of a Ph.D. thesis by someone who was analyzing the transit cards in their city. As I said, it does low frequency and high frequency support. At the heart of it you have a Xilinx Spartan-II FPGA. This is what's used for doing the precise timings that are needed to do effective NFC communication or high frequency RFID communication. It also provides an SPI interface and an SSP interface for transferring data and commands. The heart of that, or the Atmel microcontroller, is something similar to what you might find on an Arduino board. This is actually what's handling the communication from the computer and relaying commands over to the FPGA as needed, and doing demodulation and decoding. Most of the heavy lifting happens in C code in there. You don't have to worry so much about the Verilog that goes on in the FPGA unless you want to do low level stuff with changing around the NFC modulation. You've got an 8-bit ADC, an analog-to-digital converter, which gives you a 40 megasample per second rate on there, and it receives its commands over an SPI interface. The connectors on the board: you've got mini USB that you're using for powering it and also for data transfer, and you have a Hirose connector. This has four wires on it: two for a low frequency coil and two for a high frequency coil. And then you've got a number of different human interfaces for it. You have a push button that gives you input to it and 4 LEDs, in different colors, for taking output from it. This tells you the status that the device is in while you're working with it.
Some of the commands that are very helpful for this have been added recently, like lf search and hf search. These give you opportunities for identifying a tag when you don't know what kind of tag it is. We also have the commands here for reading in a waveform for a low frequency tag, reading NFC tags in the ISO 14443A standard, and also some commands here for cracking the encryption on MIFARE Classic cards. The USB stick that we're talking about here, this is one of many libnfc-compatible USB sticks. It supports a wide range of NFC; not a lot to say about that. Some commands here that you might find helpful for working with libnfc: for doing various emulation, reading tags, relay attacks, and also you can use libnfc to do more advanced functionality through scripting, of course, sending out NDEF messages if you want to do fuzz testing on Android. The RFIDler board, finally on the RFID tools, this is a low frequency tool. You have a lot of LEDs for output, a PIC32 is the heart of it, and then you've got two banks, or a bank, of digital potentiometers which are used for adjusting thresholds on the reads. Here are some of the common commands that you would find on that. This is of course in the white paper as well. A latecomer to this project was the Chameleon Mini. This is a platform for working with and emulating contactless smart cards. It was developed at the Ruhr University in Bochum and recently started shipping from [indiscernible]. But you can also grab the schematics and fab this board yourself. It looks like this: USB for power and data, and also you have a reprogramming port, PDI headers, but you don't generally need to use that so often. On the embedded devices, the Raspberry Pi I think everybody in this room is probably familiar with. The USB armory is the little thumb stick which also has an OTG host adapter, so you can use this as a client or a host in USB mode.
Now the 3D printer that we have, the CubePro, this is one of the larger build areas that I see in the consumer market. And it has the ability to go down to 70-micron layers, and it supports several different materials. When you're working with this printer, the first step is going to be that you want to draw up your model in a CAD program, just like you would with any CNC or 3D printing process. But then, unlike the MakerBot for example, which many people are familiar with, on this one you're going to put down a coating of water-soluble glue. You put that into the printer and you have an extruder that is going back and forth depositing one layer of whatever thickness you wanted onto the board as the build plate moves down, so that your project builds up off of it. In the end you can pull it off with some hot water that dissolves the glue. There are some problems with 3D printing. You can't just draw anything you want and print it. And you do have to worry about machine maintenance. Up here on the screen, that is a picture of the extruder, or the driver for the extruder, on the CubePro. There is some debris in there. When you get debris in there it can lead to clogs within the print jet, which are not fun. But RFID, that's what we're here to talk about. So to build a little basis for this, there are low frequency tags. These run around 125 kilohertz: primarily access controls, also pet tags, vehicle immobilizer technologies that work in this range. And then you have the high frequency class. This is where NFC falls in. Access control, contactless payment cards, the German identification cards, U.S. passports, these all have high frequency tags in them. When you open up one of these, what you're going to find is a coil of wire that is tuned to work and make an LC circuit, or an LC tank, with the little chip that you see there in the corner.
What this means is that when you put this into a field that it's tuned for, like the 125 kilohertz, it's going to draw some power, power up the chip, and the chip is going to be able to dampen and undampen, open and close the circuit, so that the reader on the other side is going to be able to see modulations in the waveform. These are common modulations for many RF applications; not going to get into that. When you want to clone an RFID tag, you're going to work with the T55xx tags. You can buy these over in the vendor area; I think you get 10 cards for $30, so they're not too expensive. You have support for a couple of different modulation schemes. And what you also have is pre-programmable EEPROM. So you're able to throw on a configuration for this and tell it what type of data rate you want, what type of modulation scheme you want, and also how many blocks you're going to use for the demodulated buffer. If you want to work with one of these using the Proxmark to clone a tag that you don't know, you can start by doing the lf search command. It's going to read samples and try to demodulate until it finds the tag. When it does find it you'll see a report letting you know what the tag format is and the ID; you can see here we have an HID tag with DEADBEEF on it. And then we can use this printdemodbuffer command, which was added to Proxmark in the past year. This will give you the bytes that the tag is sending out. You can break these down and split them up into the blocks that you need to put on the T55xx tag. And then you still need block 0, the configuration block. So you can obtain this by going through the datasheets for the T55xx card as well as the tag that you're working with, or you can try and decipher those values. But you generally don't need to do this, because the Proxmark forums have lots of detailed information telling you the blocks that you need to set up for these.
So you can see the configuration for the HID tag right there. And now that we have that information, you do a series of write commands and you have a cloned tag. We can read it back in and you see that it is in fact cloned. Moving on quickly to the NFC end of things. One of the popular formats here is MIFARE, which we're going to work on today. These are tags that have some UID, four bytes or seven bytes, and some amount of data, possibly some security features. They get used in all sorts of places: hotel key cards, which we'll look at cloning today, payment cards, lots of places. For cracking these cards, one of the earliest formats of them was MIFARE Classic, and it was discovered that you could launch an attack where you power up the card and repeatedly get the same nonces and perform a cryptographic attack on it. Once you've recovered one of the keys you can then launch a nested attack, and actually you can recover all of the keys for one of these cards, like what you might find on a train pass, in under a minute. And then you can use what are called magic cards, which are fully reprogrammable, to write the data that you found and make, for all intents and purposes, a clone of that original card. This is really why you don't want to ever use an application like the locks on the table over there that are only going to use a UID for validation. If you want to clone, for example, a MIFARE Ultralight card, something you might see in hotel key cards, libnfc is a very effective tool. Commands up here use nfc-mfultralight. You can also, of course, scan a tag with your phone and you have the bytes from it; you can then enter those bytes into a file and write that onto a tag that you want. I was using tags from clonemykey.com. Some of the things you can clone: you have hotel cards, and you've also got, as we learned this week at Black Hat, the possibility of being able to use some of these tools to clone transactions on EMV credit cards.
Because they have some legacy support in there. Also Android smart unlock tags and, as I mentioned, the Samsung NFC locks. These are only validating the UID, so it's very easy to break those. You can see here what it looks like if we're using a cloned key card. Unmarked, but clearly it opens the door. So now, getting into the firmware hacking aspects of this project. One of the things that I wanted to do is work with both high frequency and low frequency, and I figured that one of the useful applications for me would be working with NFC tags in the standalone offline mode. So I went ahead and worked on writing code for capturing the tags and doing a clone of the UID to a magic card, and also replaying of the UID. This can be extended fairly easily towards data sections on the card as well. So the initial low frequency mode of the Proxmark standalone, this is flowcharted out in the white paper. You hold down a button, it flashes some lights, and through holding the button or pushing the button you can manipulate whether you're in a playback mode or if you're in a clone mode, cloning to a T55xx tag. Now, when you look through the source code, this is all in the white paper of course, but you're going to find that everything runs on the ARM processor for this. There's a function SamyRun which makes use of various functions available to the ARM processor for the HID functionality. When we want to go over to high frequency, however, I wanted to try to reproduce as much of that functionality as possible with the focus on MIFARE cards, and not just MIFARE Classic, of course. The ability to clone the UID onto MIFARE Classic was implemented, though. Here are some of the setup functions that you need for working with high frequency tags: selecting them, getting yourself in reader mode, and then for simulating. The most interesting part of this, I think, was that I decided to go ahead with a different workflow for how this was going to happen.
In the low frequency mode for Proxmark, for anybody that has used it, you might have noticed that you can jump right into the playback mode with uninitialized data. You're jumping into the standalone mode, but then you have to hit a button again before you get into read mode. I decided to get rid of that and instead jump right into the record mode, and when you read a tag, jump into playback mode. Use this as the jumping-off point for your other functions through a button press or a button hold, and I also added in some sanity checks so you never use an uninitialized value and you also wouldn't inadvertently fill your banks with the same card. I do have a demo here of this, but I'm going to hold off on doing that because I have a lot of slides and not as much time. If there is time at the end I'll come back to that. Otherwise, if anybody would like to see this you can hit me up on Twitter or tap me on the shoulder or whatever it might be. The second component of my firmware hacking: I wanted to add support for a tag format that wasn't in Proxmark, and learn how to do that and be able to document this with really tutorial-like examples so that other people would be able to go back and add support for other tag formats that they might be interested in. In order to do this, I decided I would make the lf awid context for Proxmark. This means cloning most of the functionality that you would have in the HID mode: writing things to T55xx tags based on the numbers printed on the tag. Because if you see here on the printout of that tag, it's screen printed with all the information that you need for being able to clone it or simulate it, whereas most tags are going to have an ID number but it's not going to disclose all of the information that you need, like the facility code and the card number. So since there was no support for this one, I started looking and decided it would be a great place to work on. So the AWID 26-bit format, that's what I specifically targeted.
This is comprised of an 8-bit facility code and a 16-bit card number. Now, that's only 24 bits, but the other 2 bits come from parity. And the card is going to work with the same parameters, actually, as an HID tag. It's got FSK2a, which means an RF/50 data rate, and it's specifying a certain number of cycles that you're going to go through with the higher frequency to indicate a logical low versus a logical high. And then, when we want to add the commands into the Proxmark, you have to understand there is a command table structure; things are hierarchical, so you just need to add a definition in the new file that you're creating, and within the functionality that's actually going to be called, you're creating a USB command structure and sending that off to the FPGA. So you can see here how it looks; this code is all, by the way, in GitHub already, and it's under the master branch for Proxmark. You can see here the FSK demod functionality, and on the slide here are some of the functions that you need for working with that. In order to move beyond this into the clone and simulate functions, I needed to develop a function to take those numbers printed on the card and convert that into the Wiegand format. For this, I decided it should stay within the client code. It doesn't make sense to have this down on the ARM chip, where it's going to take up space, and the ARM is never going to know anything about these numbers anyway. I was then able to go right ahead into doing the lf awid clone functionality, which is piggybacking on the T55xx commands under the covers and also showing to you, as you see, the blocks that it's calculated that you need to program onto the card. The simulate function also has no purpose within the ARM, so this lives in the client code. And you can see up here the parameters that you need to specify and the commands. There is a lot more detail about that in the white paper. But now, the antenna construction.
This is where we get into 3D printing and the applications there. When I started, I was always interested in making an antenna for my Proxmark and for other tools, but I noticed that the DIY projects out there felt too arts-and-crafty for me; maybe there is a bit of trial and error going on there. I thought I might be able to do better by making 3D printed forms for that. And that's exactly what I did. So to make a coil for the Proxmark you take wire, very thin, thinner than a strand of your hair, like 40 gauge wire, and you want to wind that around a form to make your coil. So you've got some functions that you can find for going between the frequency and the inductance that you need based on the capacitance in your circuit. You've also got some functions, or some equations, from white papers out there explaining the relationship between the number of turns and the dimensions of your form to the inductance. With all of that, I went and looked, and I saw there was a nice design for an LF badge on the Proxmark website, but it was using cut-out CD cases glued together, stuff that I didn't really want to go through. So I took that design and basically just drew it in some CAD software, printed it out, and found that it worked really quite well. It took around 87 turns for the Proxmark, about 57 turns for the RFIDler. But you would find, if you wanted to reproduce that, it varies a bit due to the nature of the system. But all those equations fortunately don't really matter all that much as long as you have enough turns: you plug it in, you tune your thing so you see what frequency it's optimal at and what voltages you're getting out of it, and then you simply unwind it one turn at a time until you get to the frequency that you want. You can see here the antenna that came out from this. I tuned it exactly for 125 kilohertz and it actually worked better than the commercial antenna that I had already paid $60 for.
Whereas that antenna was picking up, at its optimal, 29.43 V, I was getting 31.2 V. I know you can get a lot higher than that even. But the badge, or this card, worked very effectively for me. I then went ahead and added a lanyard clip to it and made something that looks like this. This actually broke on me. Word to the wise: that 40 gauge wire is very, very thin; you want to do everything you can to reinforce that. Hot glue, higher gauge wire, these are your friends in this. But in the end this was a very inexpensive build. Even going out through Shapeways, you can use the model that is on GitHub now and have this printed for $7.68 plus your shipping and handling. With the CubePro printer, it costs maybe $4 to print out the form for it. And if you actually had something like a MakerBot that you can feed filament into, you can do this for well under a dollar. And then I cut up a lanyard and a cable and made it so I could have the cable going down through my shirt into the Proxmark in my pocket, out of sight, and looking like an actual badge with a sticker with my picture on it. The next project that I looked at here was the clipboard. A lot of people talk about using clipboards in pen testing situations for RFID. So I decided to see what I could do with the fact that I now have 3D-printable antennas that could be fit into my thing. And you can see, just by printing out some simple shapes, you're able to make nice spacers to have a very clean, covert little board. You can hide this with some papers inside there, in case somebody opens it up, so it won't look so suspicious. In general, if you want to make one of these, there are all sorts of storage clipboards out there on Amazon. You need to make sure that you find something that has enough depth to fit whatever it is you're trying to hide in there. So you can also enhance this, if you wanted to, by adding in something like the USB armory or a Raspberry Pi board.
Say you had an RFIDler in there; all you need to do is connect something that is going to be listening with USB serial and logging that data, very simply, and you can walk around all day and then come back and have a log of all the UIDs you captured. With the Proxmark you can of course take the client code and build this; it's already got an ARM build for Android. That shouldn't be too much work. And then you can also move on to making fake readers and doing other things to hide your tools in the field. One of the valuable resources for this: you have building information models out there. So if you have AutoCAD, they have their Seek environment, which allows you to search for lots of things that you would find in different buildings. I found, for example, this HID reader enclosure which, if my 3D printer hadn't failed on me, I would have printed out to bring here. But you can very easily hide a custom circuit board or a tool with an antenna inside of that, and maybe put it in an unexpected place, or maybe conceal a legitimate reader and use that to try to capture badge swipes. So really what we're looking at here is the fact that you can make realistic prints of things, and you've got models out there. Even if you don't, you can use something like a Kinect, or even an Android phone or iPhone with the 123D Catch app, and actually just take pictures and get a very reliable 3D form out of this. The next thing that I was looking at was using a phone case to actually hide an antenna inside of that, and some of the things that I envision doing with this. You could, of course, do exploits on the Android Beam functionality. Say somebody thinks it's just a phone, but you have more sophisticated hardware on there. The initial intent that I had for this was being able to eavesdrop on the NFC communications for something like Apple Pay or Google Wallet.
And there are so many phone cases out there that it really should be trivial to take one of those and merge it with the design for a coil in such a way that it's not going to be obvious. On the embedded side of things, some of the other things I was looking at were adding in support for the USB armory to be able to log keys, doing scriptable responses, and also being able to do something like, if you use the OTG adapter on here with a little passive USB hub, you can have a Wi-Fi adapter in there and have a two-man team where one person is going to be using the device but not able to see it, not knowing when it's read something, but somebody else, maybe a couple hundred feet away, is going to be able to access it, monitor what is being scanned, and trip it into simulate mode when it needs to be. So there are a lot of possibilities with that for pen testing. Actually, at this point I do have some time that I can try and do the demo of how the standalone mode works for NFC. I'm going to take the Proxmark out of the clipboard and plug it into a battery here. And then I need my high frequency antenna for this, right here. Now, add the extra battery back into this. That's to let us know it's happy. And we have to lock it. Oops, not so happy. Let me try that again. It thinks it's locked. It's not the smartest smart lock. So now it is in its locked mode. And if I take this card, we can see this one does not open it. This one, however, will open it. And we'll relock it. This, however, is a magic card too. If I now power up the Proxmark by holding down this button, it flashes its lights for me, which I'm sure nobody in this room can see. I go to the tag that works for it. When I touch it down, it is lighting up to let me know it scanned in a tag, and now it's in playback mode. One of the problems with playback mode: either the shape of the antenna or the implementation that you see on here isn't always so conducive to this. So what we're going to do is try it out.
And this did work once earlier today. But, yeah, generally that's not happening. So we're going to clone it to a tag by holding down the button now and putting it in the field of the tag. When I release it, it flashes to let me know it's written it. With any luck now ... We can go ahead and, maybe not. Let's try that again. My antenna was loose. The Hirose connector on this is not always great for holding in cables. Just put it in standalone mode again. Go ahead and scan in this tag. And then we will clone it onto this one, hopefully it hasn't been bricked. One of the risks with working with the magic cards is that if you don't have a strong connection to the antenna while you're writing to it, you can actually break it, which is why I stuck to just MIFARE Classic, where the tags are cheaper. But now we do have it working. ...(applause)... So that's pretty much what I've got for you. If anybody wants to see any of this stuff up close you can definitely come up here or meet me outside afterwards. And I just want to say thanks to the Proxmark development team, marshmellow and iceman, who were very, very helpful for working with this stuff and very patient. And also to my family for putting up with all the crazy hours leading up to DEF CON. So yes, thank you. ...(applause)... And I guess there are a few minutes for questions if anybody has questions now.
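An added note on the coil-winding equations the antenna section of the talk alludes to but does not write out. These are the standard series-resonance relation and Wheeler's approximation for a multilayer air-core coil; they are not formulas taken from the talk or the white paper, and the tuning capacitance $C$ of the Proxmark3 or RFIDler LF front end is not stated in the talk, so it is left symbolic here.

The coil $L$ and the reader's tuning capacitor $C$ form the LC tank; for a target of $f_0 = 125\ \text{kHz}$:

$$
f_0 = \frac{1}{2\pi\sqrt{LC}}
\quad\Longrightarrow\quad
L_{\text{target}} = \frac{1}{(2\pi f_0)^2\, C}
$$

Wheeler's approximation ($L$ in $\mu\text{H}$, dimensions in inches; $a$ = mean coil radius, $b$ = axial winding length, $c$ = radial winding depth) gives the turn count for a given form:

$$
L \approx \frac{0.8\, a^2 N^2}{6a + 9b + 10c}
\quad\Longrightarrow\quad
N \approx \sqrt{\frac{L_{\text{target}}\,(6a + 9b + 10c)}{0.8\, a^2}}
$$

Since $L \propto N^2$ and $f_0 \propto 1/\sqrt{L}$, the resonant frequency scales as $f_0 \propto 1/N$, so removing one turn raises $f_0$ by roughly $f_0/N$ (about $1.4\ \text{kHz}$ per turn at $N = 87$). That is why the tune-by-unwinding procedure in the talk works: wind a few turns too many so the coil resonates below 125 kHz, then remove turns one at a time while watching the Proxmark's hw tune output until the peak lands on 125 kHz. It also explains why the same printed form needed 87 turns on the Proxmark and 57 on the RFIDler: a different $C$ in each front end means a different $L_{\text{target}}$, hence a different $N$.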
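An added worked example of the 26-bit credential layout the AWID section of the talk describes (8-bit facility code, 16-bit card number, two parity bits). This is editor-added Python, not code from the talk, the white paper or the Proxmark3 client. It implements the standard 26-bit Wiegand layout: a leading even-parity bit over the first 12 data bits and a trailing odd-parity bit over the last 12. That AWID26 places its two parity bits in the same positions is an assumption made here; the 96-bit on-card AWID bitstream (preamble, per-nibble parity, FSK2a RF/50 framing) that the Proxmark's lf awid clone command emits is deliberately not reproduced. The facility code and card number in the sample are constructed values.

```python
"""26-bit Wiegand credential encode/decode with parity checking.

Editor-added example (not from the talk or the Proxmark3 project).
Layout assumed (standard 26-bit Wiegand, bit 0 sent first):
  bit 0       even parity over bits 1..12
  bits 1..8   facility code, 8 bits, MSB first
  bits 9..24  card number, 16 bits, MSB first
  bit 25      odd parity over bits 13..24
Whether AWID26 uses exactly this parity placement is an assumption.
"""


def _parity_bit(bits: str, even: bool) -> str:
    """Return the bit that makes (ones in `bits` + this bit) even or odd."""
    ones = bits.count("1")
    want = 0 if even else 1
    return "1" if ones % 2 != want else "0"


def encode_wiegand26(facility_code: int, card_number: int) -> str:
    """Build the 26-character bit string for a facility code / card number pair."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    payload = f"{facility_code:08b}{card_number:016b}"  # 24 data bits
    left, right = payload[:12], payload[12:]
    return _parity_bit(left, even=True) + payload + _parity_bit(right, even=False)


def decode_wiegand26(bits: str) -> tuple[int, int]:
    """Parse a 26-bit string back to (facility_code, card_number).

    Both parity bits are verified first, so a single flipped bit from a noisy
    read is rejected instead of silently yielding a wrong credential.
    """
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected a 26-character string of 0/1")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("even parity check failed on bits 0..12")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("odd parity check failed on bits 13..25")
    return int(bits[1:9], 2), int(bits[9:25], 2)


def wiegand26_to_hex(bits: str) -> str:
    """Pack the 26 bits into the 7-hex-digit form tools often print."""
    return f"{int(bits, 2):07X}"


if __name__ == "__main__":
    # Constructed sample credential, not a real badge.
    FC, CN = 42, 0xBEEF
    frame = encode_wiegand26(FC, CN)
    print(frame, wiegand26_to_hex(frame), decode_wiegand26(frame))
```

The decode path is the part worth keeping when you script around a captured demod buffer: the talk's workflow (lf search, printdemodbuffer, then T55xx writes) gives you raw bits, and checking both parity bits before you trust a facility code and card number is what separates a clean read from one corrupted at the edge of the antenna's range.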