-
Notifications
You must be signed in to change notification settings - Fork 1
/
30c3-5334.txt
588 lines (457 loc) · 27.6 KB
/
30c3-5334.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
Here, the subtitles for talk
RFID Treehouse of Horror
Adrian Dabrowski
are supposed to be created
Link and further information can be found here: https://events.ccc.de/congress/2013/wiki/Static:Projects
or: www.twitter.com/c3subtitles (most up to date infos)
or the table of ALL pads: http://subtitles.media.ccc.de/
The language is supposed to be:
[ ] German
[X] English
(the orignal talk-language)
Amara Link: http://www.amara.org/de/videos/DmPI1rpqWLZH/info/
-------------------------------------------------------------------------------------------------------------
... there are many pitfalls... our next speaker will ...
Welcome to the rfid treehouse of horror
first a short overview i will show you some ... systems there are a lot of these systems. in austria, but probably in ogther couhtries too
then ill tell you about my crusade about hacking a city-wide access-control system
So, let's start.
In austria we have a lot of these centralized access control systems
Wiener einheitszylinger 2000
so its the venice..
from the time when everything sounded cool when you added 2000 to it
this is actually actually the key used by the fire bbrigaeds to open all the backyards parkingspaces and and post.
if you need a parking space or need to deliver something, this is the key to get
there are other interesting keys acually the relevgtions ion the key is you do
lyou are not forced to use a padlock that accepts that key
they will break your other padlock open
use a padlock you
also you're not allowed to use a padlock ... hte sec level is too high
basically everyone uses this one
other interesting ones is this one for electrical cabinets.
like with other systems theere is some time of application
permission creep where someone aggreagets permissions over time or actually all kinds of soltuions
keys tend to aggregate additional use cases
so actually this key was specified somewhere in the 60th
and int
and it used indoors and outdoors
only for authorised personnel
vor circuit-breatkers, for gas, for heating...
so basically some of the power-grid componanies started to use another key now... can get a key to access only the circuit-breakers for their level own circuit
but basically for all other biuldoings in vieanny you use that key.
there is a third interesting key, the Z/BG key, this key actually is very interesting, it allws you to enter almost all residential buildings. in vienna
the story behind this is there was a time
the caretaker needs to be available in daytime and the caretaker would open tjem.
let's install small cylinders bypasses the door incercom system and opens the door
So also thiws key is used for garbahg collection because in vienna garbage is collected...
Actually this key.. costed like 150 or 200 eur on the black marked. .. in recent years. the price has fallen to
it costed like 10, 15 or 20 euros.
it has become very popoular actually
additional key like keys before got this key some are official users
like fire brigades and emergency services or garbage collectioner
the newspaper
advertising distributors
makes the decision
They wanted to deliver the newspaper to the front door... it became very popular on the black market.
Since 2006 there is a new way to secure your frotn door
If you have the z key or the pwoer k, you dont need any other key
if you get in a house and turn out the power i think people will come out there selfes
so it's terrible insecure, and since 2006 there is a new system, it's called "BEGEH"
using chip rfid cards, trying to addres the shortcomings, blocking lost and stolen keys, all the things they are supposed to do
its all the sings that they are supposed to do
the new system allows caretaker distinguish between different user groups
allows the caretaker to distignuish between different usergroups.
if adervertisment is allowed in the house or not
it was introduced in 2006 and
last year it was about 9000 installations in vienna
it should have gone about now 10.000 isntallations
other citizens in vienna
mechanical keylock is used in wide parts of
and since the last year, it was expanded in other cities than vienna And since last year they are expanding to other cities in austria.
Mechaniclall keylock has been used in Graz.. all over eastern part of austria.
So these aere some of the claims the manufacturer makes.
Maybe it's a little bit small.
First they say it's unclonable.
second ..
startet
thy started a big marketing campaign against the old mechanical system
however fun fact. they are a 100% subsidiy of company who invented the mechanical key in the 70s
they invented the mechanical key in the 70s
so when this electronical key system was installed I was like Challenge accepted
[applaus]
Later it even became my diploma thesis.
So, Now a small detour.
I had no idea about RFID systems
and depending on how fay you get back in the history
Show you first how RFID works because RFID works its not a standard but concept
the second world war
Everyone who studied electrical engineering, please look away
Because its really over-simplification of the thing.
but i wanted to show
[applause]
its for those people who have no idea of electrical engineering.
these RFIDs rely on.
These datas. If you're in daily life you'll find 150 125 khz tags and . mhz texts
basically it works like this let's think of a transformer, you probably know it from high school.
if you attach alternating current.
basically you know, if you attach AC, it transports power over a magnatic cut lonk
so ähm in the second picutrue you see if i close the skript..
the second thig is that next you can transver data ...
thte she scond thing is how can i trasfer data back ...
this is done mostly by … modulation
basicalliy if you a...
you can transfer power back to the primary coil
because of these uses <you have a completely different downlink protocoll than different uplink protocol a
however you have fouur properties...
… I have something like an air transformer..now you have a very. bad coupling....but it's enough to transfer little bit …data? …over airlink …
So you can make some kind of ..tags.. very very damp... you usually find in burglary...
Some kind of EEprom... functions...
encode or encrypt the data chankle or wireless smart cards
to specify the transport layer, just a I
It's very little device
Wireshark-style traces... dependign on the options.
You probably already heard on ccc lectures in the previous years
which costs 250, 300 euros-.
low freq and high freq tags... for what i have needed for my project.. whole bunch of code
so I decided to make my own simulator
and the thing is, a chaper expolit is a better exploit.
because everything you have something like it's academmically broken
But you need somethingk like
and every manufactrorer make it its kind of security
if it's costs that much to break our system and secure system that is less vauluable, than the cost of an attack, nobody will do it.
so, you have to find very,very cheap ataacks,
to circumvent this things.
so lt s make a small detour about rfid systems i encounterd in vienna.
for example there is this nfc ticketting system by vienna linie
and basically you can touch a phone on a sticker and
funny thing about this one you I often get asked about what's the diffrence between NFC and RFID.
is it the same because most people use it interchangeably
so actually RFID and NFC is a higher protocol and a
So like http on tcp or other protocols.
so i can buy this tickets an the funny thing about this sticckers is -- don't get distracted by all the bubbles --
here the 25, bubble, basically they use mifrare cards and .. for page memory on sectors.
and lthe last memory is like the access control with all the keys and the access control permissions
and the funny thing is, when they were writing the tags, they hat da off by one error.
they started writing the securiity page always in the next sector
so revealing fristly the secret key and secondly
so you can use it like a dead letter box, you can leave messages for your friends
[applause]
another thing is this coffe machine you'll find in austria in universityes and airports,
Office buildings, they have this electronic purse which is based on mifare
actually when carstren YXXX and i went around five years ago,
how crypto one works and how you can break it and it was two minutes for me to see what's on this token,
jthen i just added one euro to it and made a difference and i could write any amount of money on this tag
very interesting, about 5 years ago, thex had no way of disabling this or having a new system
I will come to this in my conclusion later on, actually, it's a very hard problem on how to desiggn an update path.
also they use some kind of key that is derived from the unique id...of this cards so either you brake this key or you use …
actually i have not found any oflfine counter measures like ...
at least once a week they connect and refill it, and blacklist the cards, that don't fit into a .. check.
just to make sure I have not used.
thaa
by pure chance you can program it...that way that it produces the same signal than an original chip would produce
i dont comply atmel devices... you just have to put your original key there and then your rewriteable atmel chip there and then it's copied.
erm, also confronted with the ..
uid based systems the property building managemetn often states ist not so secure
but it has one certain feature, that is ... and its very convenient ... peaople use it to use
you have 64 bit key space
so i thought interesting, is it really like this?
… and searching would take hundreds of years
Is it really that secure? I looked at a key system that works basically like at my university
it's for technical laboaratories, tech. .. labs, .. access control database
and basically it is a little bit small,
and then i make some very easy statistical analysis by making a histogram of this
when they are produced they are numbered one by one
on the x axis and you see almost all the kys are in one range so i zoom in and I see they bought like five badges of cards and when they're produced they're … one by one
so basically htat's somwhow ineffectivce wan you are blocking the UUID,
and with two up and down you have 98 perscent probability ...
when you just take a new id it's one off up or down, you have 90 % probability of finding another unique id
you buy in a hardware store, it's probable the numbers are not that small ,and you get a card wich...
beacuse obviously they also bought these cards in batches.
so manufactures of this card should really do is randomize these keys ... at least randomize it.
This sniffing device... he uses only a basic... adapter
at least randomize...
nice project, made by milos meriac, he's done a lot of talks recently on CCC
this is possibly because the modulated daata is in the range of 4khz
sampling theorm so you need at least 8 khz, maybe 16 khz
sample it with your audio card. but this is just a sniffing device
i wanted to build something -- as a side project of my talk -- it's not finished yet
the idea was lets build a device that sweeps through an id range.
and it should be cheap. i should only take a phone
actually I wanted to present it here but it wasnt finished by now.
because you have no return channel because you are not syncronized with the sender
you only have to guess the carrier frequency within one percent.
to a amall circuit to modulate and configure it ..?
but ill probably realese it in two or three weeks
and the rest should be down in manchester...
I will later talk about why these insecure system will not go away that fast.
so this schould circumvent most of these home market systems.
because even if you look at this blook diagram there's this analog frontend.
even with so simople hacks like this
there is this analog frontend
i forgot to mention something at the previous slide here.
however, as i show you later, its not that complicated because the manufacturers want to make cheap
you have to make an analog frontend, for those RFID readers.
just rely on those very simple circuits and dont mess around
but almost non on how to build tags, as I will show you later,
so lets get back to the BG system.
so first step is reconnaissance. i need to get a door unit.
and I also don't own real estate that could be upgradet to the new system
i don't want to steal oupn something on my appartment
so i contacted the genereal distributor but they told me its only sold by
but they can name me some wholesame distriubutoer or some distroiubutor partner
and if the refereanc I'm coming from this general distributpr the wholesale detail distributor partnes actually sold me some.
And i adressed that a little bit.. i want to upgrade my building.. i even got a little...
actually i asked, if ounds a shop that...
but then there wasn't
so now I had this hardware device, took it apart looked at it it had som components, a texas intstruments.
for the rf frontend, so i built a very small sniffer
and yeah ,you see thate is a small, so called envelope detector,
and I could start this is a oscolloscape traces some bitse here appearing.
out of the signal there above, basically its just a diode and a low-pass filter
so actually you can start decoding some bits and these parts are bawes on ISO 15XXX
so the next thing was how to get real user cards. so.
i mean ok, for example, i could start as a volounteer and...
but these sticks by me and you, baybe i know some organisation...
and he can borrow me a card, but I don't know so
i can not do this either
and very expensive, tehy start at 2000 euros.
but when i have the money...
this is a picture of ski gates
a reader that's 25 cemtimetsr in diameter it has tis very big battery pack on it
and small extra memory and went to my post office.
and really for about 5 euros i could convince them to send them this parcel back home to me.
[applause]
so while it was in transit back to me it simply recorded keys
(applause)
Also i didnt trust the austrian post very much so i put a very large battery on it
i dind't know how long it takes them and it worked on the first drive.
I had some ... I had a key sampling.
So therefore I could show that anyone could get samples of keycards...
without knowing anyone or investing a lot of money.
just what would happen if someone found this parcel like suspicisous and reported it to the police or something like …
I would probably have been woken up by an anti-terror squad
so thst's why i put this note in the parvcel, "look, this is my oohnie numer, his is an experiment"
[laughter]
hoewer it didn't happen. So the next thing i built a small sniffer and
and i want to extend it to an emulatoir and do some testing, some snuffing
with the door opening unit, and actually it was an interesting thing becasue programming is such a thing is tricky.
because you have keep the timing exactly with the oscilloscope
because the city scope ... you
the bits thats' coming or the demodulated signal.
actually its the modulated signal and then I have to demodulate it
and actually you start by interleaving different loops
you recieve a bit, and you try to decode it.
and then also do the checksum calculation while youre receiving
and because afterwards when the request ends you have no time to
and also for sending I've misused two PWM generators on this really cheap micro controller.
that like triggered themselves so the one triggers the other and the otter way round
and it was quite a nuisance but actually i could then use this for systematric tests
and UUID emulation and card replay attacks.
and i designed it a way tis is my prototIype
with the you can see there is the manual door opening unit
and these are the antennas one stacked on oanotehr and the whole set cost less than 20 euros
I can briefly show you how it looks like it's actually quite simple
and the analog frontend isnt't acutally hard
and I've never studied electrical engineering, here you have
but basically you have an ... you rectify it...and you have an output transistor here
and an input buffer and that's everything and you feed it in your micro contrroller and write your program and that's basically it.
with all the testing equipment I now had I could build a model of the inner working
so a bit like this flow-chart showing how the checks are because it is kind of weird how they acess the cards
and all it as some kind of brute force detection so i could...
but at the end I could analyse what different cards there are and how they supposedly works
So basically there are four types of cards, there are user cards
with encrypted data on it, there are a few sectors on it with reserved sectores
there are this master card, ownership card and programming card, you need this programming card together to make configuration changes to the configuration of the device
And then there is something the user cards are like ten groups
and there is an elevent'h group that is called Baucard, and a former that is called test card
which using the internet wayback machine from the vendors homepage,
And the interesting thing is the first sector is unencrypted, it just has some kind of checksum
and the second and the third secor are somehow encrypted on the RFOID
of the card. however the baucard only uses the first sector.
so its completely unecrypted - for what reason ever
so actually the main findings are the baucard and the manufactor assumed that the RFID is unchangabe and not duplicable
and not changeable. so that's the wrong assumption that they've made here.
So I did some basic tests and brute-forcing, but they didnt do much
so now it's time for some evaluation, after all it's my diploma thesis
so I went like to one hundred and ten house entrances in vienna and tested it.
(great applause)
So basically 92percent of residential houses use either the old mechanical key or the new electronic or the old mechanic key
and i .. the ... out ofthis.. to 9X% se this electoinic variant
so actually I was able to transfer the baucard to an old electronig skipass.
(appplause again)
and 43 percent of the installations could be opened with this ski pass
so what yould be more Austrian. than this skipass?
the cost for these attacks is like 2 euors deposit in the ski resort of your choice
Also i mad a small android app to reprogram ski passes
(laughter and applause)
i must say that the android RFID/NFFC passes are (bad)
So now as I said, 43% could be opened with a reprorammed skipass and 90% with a card simulator.
Wahts with the 7 percent rest, I was not really sure
bacause it was like.. maybe the lock is broken or somethig i tested for this.
also it was quite funny because I was afraid of going around and testing at these entreances
So i made up some kind of cover story so i got this workers jacket to look like some kind of technician but actually noone cares
(applause)
but actually no one cares
[lauthger]
so as I already said the card emulator could be build for a little less than 20 euros.
you have to produce your own pcb...
it shows that you can actually circumvent the new system with almost the same amount of monexy that you circumvent the old mechanical system
so no additional sceurity at all actually
Another funny thing i found on their homepage ...
and didnt mentioned the blacklisting feature
there are different variants of this lock, the one called basic
costs like 300 euros
and there is a 600 euro variants that has a blacklisting feature
and you have to buy this additionaly, have a annual fee fo this blacklisting feature.
And this is a picture from their facebook oage showing where they update their blackllist
(applause, laughter)
so, if you read the contract now, you want to ... that ther is only one blacklist update per year included
so actually if you have this premium lock
and you pay for their updates, the stolen key
and you don't know all avout the stuff i told you about in the last few minutes
this key still has a value because maybe it gets blocked a year later
also the basic devices dont have a blacklist features
common, no, it's 2013
there are like gsm modules for 20 30 dollars
you could build in one in every lock
ok...
so, just for the blackbox analysis for the BEGEH,
key system the 4 main points are circumventing the cost of material. are more or less the same like the mechanical system there is no additional security
there is no practival security offered
inappropriate card, assuming the UID is fixed and not vulnerable
the basic design is somehow broken and also their default configuration...
later they changed it, and also that the blacklist feature is once per year, that's redic…
however, customers should not expect any significantly higher security of the new system than the old system.
and act careless or sth like this the other question that probably comes to your mind
why will this crappy security solutions accompany us and have such al ong lifetime
why all this things that we shows are broken that don't go away
and the first answer is: users dont care.
rs and marketing of the comapnies
and everytime you present an attack that cost 10000 euros the company will say.
just protect things that are less valuable..and noone will use this attack. isnt safe
tha attack is ... and save.
the other thing is the other (?) sample with the coffee machine.
this is a prime sample, also this one.
vendors somehow didnt realise they need to build in an update plan
and in software like everyone of us it's clear
whenever you have a security solution you are in an arms race with the dark side of the world
so you need some kind of update mechanism and update path
an, ok, you can not make an online updateing of hardware code that easy
however, for example blacklists could be updated via GSM
and also like with the coffee machine
if you designed that electronic purse to be modular
and to have an update plan that when you decide to change your card format you first replace your reader modules
and then step by step you replace all the cards in the field and then you switch to the new format
if you build this in from the very beginning then you have a chance
to do it. otherwise you will face severe. costs
and this is something buyers of the system should be aware of
that .. an yould ask, what is the supposed lifetime of it.and what's the … upgrade it
no security seoltuin lastes forever.
actually there is a nice example with pay-tv cards in germany
in germany which have beed proken multiple times l, live pay tv cardse heard ways thy
… for several years …
learned how to do it
and you need a way to change the lifespan of the securoty soluting stays unbroken for a longer time...
there is some
aa little bit
also the other thing is, that like i mentioned bveode, like the application creep,
that solutions that are in place this is designed for other things
and you should always be aware that they are not up to the high security you will expect.
so to jump sum up. ...
[applause]
so why am I doing this, Why am I doin this?
in generally, security is not verifiable, only falsifieable
if you have a new security solution you have to go through a number of . verify?
you can assume a certain level of security
erm, and also it.. i think it's very important to use cheap exploits that are practical
otherwise vendors will claim some kind of practial security
to mention. so my last words aere the cheaper the exploits , the better
i hope you had a lot of fun, build cheaper exploits
and build cheaper exploits..
[applause]
serve at ...???
now for the questions, the first question wilyes, I have informed the vendor of this system.
thank you for this very entertaining talk, and
if you have questions please line up for the microphones
while you do that we have one question from the internet.
okay ähm, i dont really know if you had it,
i dont really know.. what happens with the BEGEH system when you dont have any power
have a power shortage or doesn't have any power? -- then you have to use the mechanical jkeys
for the emergency services won't get in but normal user, appartment oweer.
owner of this building gets in because he has the mechanical key
MIC 1 please
hi, i would ask one questing, in france we have the same this system,
since 1970s so porbably old now.
and for these keys.. there is a restriction...
so this kind of keys could be used after ..... pm
so maybe some of, Id' like to if you uncovered some of these.
mitht be some... ???...
so you.. this is a theory of thos 7% of hte ssytems
in france this is how it works.
the premium variant of the system acutally provides clock-based-
so maybe this was the case...
there wrere a lot of old systems that don't work like this
thanks for dioing the exploit - what was the companies reply?
thanks for doing this explooit, was was the reply from the companies?
it sounds like a „typische österreichische Lösung“ (the „typical austrian solution“).
i informed the cert team
and like i wrote one page of who i did this exploit and
what are the other card systems they could proably switch to.
how the probably could make it
they don't believe this was an independent researcher. they think that it was someone from a company
and the company
so that is challenge accepted for me, so I will try to repeat, the the .if your.
is your research and theses available in the TU bibliothek. Yes, its available.
(applause)
MIC4 plaease
cant you just emulate these cards with your cellphone or do you need the ski pass. the chip in the andriod phone
yea, this chip you receive in the android 4.0.4 and
a
and until the very last android veriosn it wasn't enabled.
youse psi again and can not emulate the system...
so, not with the chip that is used in the android phones
mic 7 up there please
thank you very much for this great... yea..
erm.. what i wanted to ask is you used 125khz systems
and you mentioned the long range readers that are available.
do you know about long-range-readers for 13 mhz systems
well, the 125khz system where
the BEGEH systems works on 13 MHZ ,
and ah yes, actually I found a company in germany that sells them, starting at 2000€
ther are some physical constraints that the rulke of thumb
you only get a distance like one and a half of the diameter of the antenna.
and the second thing is there is a hard physical limit
because of theis agnetic oulling only waoks in the so-called near filed of the antenna
so when you move out of mju feet there are several models to calculate mju feet.
but ...
another question from our signal angel:
so while the commercilally avail. ROFID bebugging eare so expensive, is this monopoly or ,..
it's basically, it's not the componnetns, I'm sure it's not the componnents.
its basically design work and becuase your prices on the market are determined by what they pay and not how much it costs
your prices at the market is determed by what the customers ...
so, you have this developer tools, and the company is like2will you want to develop this system.
okay i need something new equipment with and I could have atechnician work one month on it.
or I could have work a technican work for like one month on it
or i can buy something for 10k EUR
so for them, maybe 10000€ is acceptable
we have time fro two more questions from mic 1
Hello, i wanted to ask you some different question
i want to ask a different questions - fright at hte beginning you showed picures of keys
yea,
and i'm wondering, what the acualy keys are,
especially the third key you shoed, looked like maybe 5 pin or something, so it looked like an
analog treehouse of horror. I have this picture of...
there is probalby
i mean the old physical keys and locks
so if this is the actually key, yes it is.
This basically...??
so this is lockpickers heaven
i didn't show the backside, so it's not enough to make a key out of.
I wouldn't trust that.
(applause)
acutally there is a nice controversy whether it is legal
copy this key, mechanilcal keys, but it's probably a talk for another 15 minute.s
but i wrote about it in my master thesis.
thank you Adrian Dabrowski, please give him a warm round of applause
[applause]
whijle