|24 Aug||Wednesday||09:00 to 17:00 SGT/GMT +8||8 Hours|
|25 Aug||Thursday||09:00 to 17:00 SGT/GMT +8||8 Hours|
During this training’s practical hands-on exercises, we will clone, crack, simulate and brute-force both “Low Frequency” 125kHz RFID (EM, HID Prox, …) as well as “High Frequency” 13.56MHz (Mifare, iClass, DESFire, ISO15693, …) – using dedicated hardware (trainees get to keep these!), or in some cases with just a typical smartphone. We will examine and attack communication between the reader and access controller. We will also exploit reader vulnerabilities allowing to unlock without the need to have a valid card, and reverse-engineer a sample hotel system and create an “emergency” card that will unlock unconditionally all the doors in the facility – having nothing more than just a guest card and a phone.
The training aims not only to raise awareness about the weaknesses of legacy systems, but also provide a solid insight of current technologies which are regarded as more secure. We will abuse implementation flaws and perform remote relay and downgrade attacks on both latest HID SEOS as well as DESFire access control installations. Attendees will also learn how to approach modern contactless smart cards and analyse currently trending mobile access control systems (phone acting as an NFC tag) – based among others on real vulnerabilities of a sample system.
1. Short introduction
a) RFID/NFC – where do I start?
b) Frequencies, card types, usage scenarios.
c) How to recognize card type – quick walkthrough.
d) Equipment, and what can you do with it – mobile phone, card reader, simple boards, Chameleon Mini, Proxmark, other hardware.
2. UID-based access control
a) Introduction – simple, still surprisingly common technologies
b) Communication between a reader and tag.
c) What is stored on the tag?
d) Low Frequency EM410X (“unique”), HID Prox, …, High Frequecy Mifare UID
e) Cloning card’s UID – cloners, Proxmark, Chameleon, mobile phone, …
f) Simulating (Proxmark, Chameleon, mobile phone,…), brute-forcing.
g) Interpreting markings on the tag, decoding UID from the picture.
h) Sample vulnerability of simple access control reader that allows to unlock it without the need to have a valid card.
i) Countermeasures against attacks
3. Wiegand – typical transmission between the reader and access controller
a) Theory introduction, signal DATA0, DATA1
b) Wiegand sniffers, implants, transmitters – hardware, open source software
c) Decoding card UID from sniffed bytes, clone the card
d) Replay card data on the wire to open lock
4. Mifare Ultralight, NTAG
a) Data structure.
b) Reading, cloning, emulating.
c) Example data stored on a hotel guest card.
d) Ultralight EV1, C.
5. Mifare Classic & its weaknesses – practical exercises based on hotel door lock system, ski lift card, bus ticket
a) Mifare Classic – data structure, access control, keys, encryption.
b) Default, leaked keys.
c) Reading and cloning card data using just a mobile phone.
d) Cracking keys using various attacks and tools (Proxmark, libnfc, Chameleon).
e) Attacks on EV1 “hardened” Mifare Classic.
f) Online attacks against the reader.
6. Reverse-engineering data stored on a sample hotel system guest card
a) Decoding access control data (room number, date) stored on the hotel guest card.
b) Creating hotel “emergency card” to open all the hotel doors unconditionally, having only sample guest card.
7. Mifare DESFire
a) Introduction, data format, access modes.
b) Creating sample tag for DESFire access control system.
c) Publicly known attacks (misconfiguration, implementation issues) in smart locks, access control, ticketing systems.
a) Cloning ISO15693 UID on a “magic UID” card, unlocking smart lock.
b) Data of several example ski passes.
9. HID iClass
a) Cloning “legacy” / “standard security” iClass.
b) Attacks on iClass Elite.
c) Downgrade attacks.
10. Remote relay attacks against NFC/ISO1443
a) Introduction: research, tools, possibilities and limitations.
b) Practical remote relay of iClass SEOS and DESFire access control.
11. Sample Hitag2 access contol – sniffing password mode, simulating tags
12. Host Card Emulation – smartphone as NFC tag
a) Hardware Secure Element vs software Host Card Emulation
b) Protocols, commands, applications – ISO14443-4, 7816-4, APDU, AID, …
c) Example vulnerable HCE access control system (unlocking door using your NFC phone) – sample vulnerabilities.
d) NFC communication analysis: sniffing using Proxmark, dumping on the phone.
13. Intercepting card data from distance – antennas, possibilities and limits.
Mr. Gal Diskin is a cybersecurity and AI researcher. He was previously the VP & head of Palo Alto Networks’ Israeli site, and is a serial entrepreneur. Mr. Diskin’s research has been featured in HITB, Defcon, Black Hat, CCC, and other conferences, spanning fields from low level security research such as hardware vulnerabilities, binary instrumentation, and car hacking to high level research on AI detection methods, Enterprise security, and Identity security. Mr. Diskin was also the technical lead and co-founder of Intel’s software security organization, as well as the CTO of Cyvera and HeXponent (co-founder) before their acquisition.
Huajiang “Kevin2600” Chen (Twitter: @kevin2600) is a senior security researcher. He mainly focuses on vulnerability research in wireless and Vehicle security. He is a winner of GeekPwn 2020 and also made to the Tesla hall of fame 2021. Kevin2600 has spoken at various conferences including KCON; DEFCON and CANSECWEST.