RFID Sniffing: Under Your Nose and in Your Face! (10-2-2019)

My DerbyCon talk is here: http://www.irongeek.com/i.php?page=videos/derbycon9/3-14-rfid-sniffing-under-your-nose-and-in-your-face-rich-rumble

First, thanks for watching the talk :) Second, I am a bonehead, and I was a bit nervous when I spoke at this, the final DerbyCon. My talk was short, because I was early. The speaker before me finished a little early, and I put my LT up on the podium 10 minutes before my talk was to start. I wanted to make sure there were no AV issues, so I started presenting. About 26 minutes into the talk, I think I am running out of time because the "presenting timer" has an additional 10 minutes on it. So, I didn't give the full talk I intended to. Had I looked at the actual time, 10:26, I would have known I still had around 20 minutes or so I could fill :(

I did have many people come to my “touch and feel session”, they also wanted to see the devices we made. This is something I skipped past in the presentation, the innards: (wiring is an exercise for the reader, it is not hard)

Materials Used:

We made very simple innards and were able to get badge numbers and easily clone, but as I mentioned in the talk, not every client is interested in the cloning; they were interested in the attention being paid, or rather not being paid, to the badge readers. And the essence of my talk is basically this:

TL;DR: People don’t pay attention to the door reader, if they get let in, they have no issues if the door readers change dramatically and/or very often. Again, something I glossed over in the talk was our interviews with people after we swapped the readers or placed duplicate readers on the walls next to the legit readers. The lessons learned from the interviews:

Follow-up interviews:

People thought it was weird the readers changed often for Client_1. However, they were getting into the building, so they thought maybe some testing was going on, or because we “broke” the readers (faraday) in the middle, that the change was to replace the defective reader(s). Those people however were misremembering the order in which we used the faraday reader, it was the last change we made for that Client. One person commented that when we moved to the Carbon Fiber reader, the range seemed to improve, again we think we hurt read range, but not by a noticeable amount.

Client_2 was more interesting overall. We gave them an additional attack we didn’t do on Client_1, the “evil twin” attack, placing our reader from eBay next to their real readers around the building. We did this to areas that were restricted to various personnel. The thought was, if we clone the badge in this area, we get into that area, and from that area into another… and on and on. We probably got the most “psychological” with Client_2. And since we’d observed the same behavior with almost no deviation, we had to get better data and follow up with people as soon as they were in the building.

Client_2 interviews were carried out by Client_2 exclusively, with the caveat we stipulated that no admonishment or penalty should befall anyone who “fell” for these readers. They were already on the same page, no one would be punished from a “baseline test” as they put it. Good on them btw, we just wanted to be sure we weren’t getting people fired. They’d have to fire everyone but themselves by the end anyway, so no dividing by zero :)

Client_2 was as fascinated as we were by the phenomenon. Once you know the covers aren’t what they appear to be, it’s obvious you shouldn’t use them. A few people simply “tailgated” into the building because they didn’t trust the readers, however their altruism did not extend to telling others they maybe shouldn’t scan on the readers. And a few days later, those tailgaters did use the readers simply because they had been there for more than a few days, this must be the “new normal”. Again fascinating.

EXTRAS: We tried using a cheap RFID reader and a Raspberry Pi Zero W, basically over-engineered the reader. And for power you need 5V solid for the Pi, we were providing 6V no problem, Pi doesn’t like that. A dividing resistor got too hot, a (backward) 5V Zener diode didn’t work well and we did use a rectifier that was lossy (heat) but provided adequate power for a few hours. We even used Polaroid film batteries… these are 6V very slim batteries that powered the Polaroid film cameras all those years ago. They provided the power for the flash in that camera as well as the power to the motor that ejected the film. We used the small grey squares at first, but given their age, they were very hit or miss as to their longevity inside the device. We basically settled on the 3.2V button cell batteries because they were simple/cheap as well as very very thin. We could put pairs of them in parallel to provide longer durations of 6V power. The nice thing about simplifying the innards to just the reader, batteries and a memory card, we didn’t have to step the voltage down, both components worked +/- 5V just fine for our needs.

Final thoughts: Maybe we don't need to be so clandestine… Our group is going to focus more on this, with our ultimate idea, getting a client to pwn themselves without us stepping foot in the building. “Warshipping” is one thing, what we have in mind is another :)

-rich

Some short videos of the shells