Author Topic: EEVblog #539 - RFID Tag Repair  (Read 30693 times)


Offline nitro2k01Topic starter

  • Frequent Contributor
  • **
  • Posts: 843
  • Country: 00
EEVblog #539 - RFID Tag Repair
« on: October 24, 2013, 11:43:06 am »


Dave does an impromptu teardown and repairs his 125KHz RFID lab access card.
And finds a use for his DSO Quad oscilloscope.
Whoa! How the hell did Dave know that Bob is my uncle? Amazing!
 

Offline 84GKSIG

  • Regular Contributor
  • *
  • Posts: 58
  • Country: au
Re: EEVblog #539 - RFID Tag Repair
« Reply #1 on: October 24, 2013, 11:51:39 am »
Well now I want one of those hand held oscilloscopes to play with, have always been put off by them cause most look like re-purposed mp3 players. Never actually seen one in operation either; if it can give a frequency readout, it may not be as useless as I initially thought. Hmmm..

Those RFID tags could be made a lot stronger, but it looks like they go for the bare minimum to make the thing cheap and functional.
 

Offline nitro2k01Topic starter

  • Frequent Contributor
  • **
  • Posts: 843
  • Country: 00
Re: EEVblog #539 - RFID Tag Repair
« Reply #2 on: October 24, 2013, 11:54:21 am »
Oh lookie. We have ourselves some PSK. (See picture.)

That's a nice tag reader you've got there. It would be a shame if something hap... No.

That's a nice tag reader you've got there. It would be a shame if you never did a teardown of it.
Whoa! How the hell did Dave know that Bob is my uncle? Amazing!
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37662
  • Country: au
    • EEVblog
Re: EEVblog #539 - RFID Tag Repair
« Reply #3 on: October 24, 2013, 12:02:35 pm »
Quote
Well now I want one of those hand held oscilloscopes to play with, have always been put off by them cause most look like re-purposed mp3 players

They are!

Quote
never actually seen one in operation either

And trust me, you don't want to. The UI is horrible.
 

alm

  • Guest
Re: EEVblog #539 - RFID Tag Repair
« Reply #4 on: October 24, 2013, 12:27:36 pm »
Quote
Well now I want one of those hand held oscilloscopes to play with, have always been put off by them cause most look like re-purposed mp3 players. Never actually seen one in operation either; if it can give a frequency readout, it may not be as useless as I initially thought. Hmmm..
Both Dave and Mike did a review of one. This should give you a fair impression of the UI ;). Note that Dave only used it to show the presence of a signal. He could probably just as well have used a DMM with a frequency function.
 

Offline nitro2k01Topic starter

  • Frequent Contributor
  • **
  • Posts: 843
  • Country: 00
Re: EEVblog #539 - RFID Tag Repair
« Reply #5 on: October 24, 2013, 12:41:12 pm »
Quote
And trust me, you don't want to. The UI is horrible.
How bad is the DSO Nano, actually? The QDSO is crap, as both you and Mike pointed out, but the DSO Nano is supposedly (said with Dave's critical voice) more upmarket. Maybe time for a review, even if you loathe pocket DSOs?
Whoa! How the hell did Dave know that Bob is my uncle? Amazing!
 

Offline Quai

  • Newbie
  • Posts: 2
Re: EEVblog #539 - RFID Tag Repair
« Reply #6 on: October 24, 2013, 01:55:59 pm »
I did a tear-down of the RFID card used on public transportation in the town where I live:

It's a 13.56 MHz based MIFARE[1] card, two-sided (very) flexible PCB with a much shorter antenna coil. You can see the tiny chip in the top left corner, and I think the two squares in the middle of the left side are the cap Dave has in his DaveCAD drawing.

1. http://en.wikipedia.org/wiki/MIFARE
 

Offline 84GKSIG

  • Regular Contributor
  • *
  • Posts: 58
  • Country: au
Re: EEVblog #539 - RFID Tag Repair
« Reply #7 on: October 24, 2013, 02:38:10 pm »
Far out, can't help but wonder now how many variations of these things there are?? I think we need more pictures.  ;)
 

Offline Fezder

  • Regular Contributor
  • *
  • Posts: 104
  • Country: fi
  • Lean on, or was it learn on?
Re: EEVblog #539 - RFID Tag Repair
« Reply #8 on: October 24, 2013, 02:46:22 pm »
Almost started considering those hand-held 'scopes, but came to my senses after giving it some thought; need to save money for a proper multimeter and digital scope.... damn student budget, argh!

And, nice video, always wondered how those ''smart cards'' work! :)
Both analog/digital hobbyist, repairing stuff from time to time
 

Offline dentaku

  • Frequent Contributor
  • **
  • Posts: 881
  • Country: ca
Re: EEVblog #539 - RFID Tag Repair
« Reply #9 on: October 24, 2013, 03:04:17 pm »
That turned out to be very interesting and educational.
 

Offline mcinque

  • Supporter
  • ****
  • Posts: 1129
  • Country: it
  • I know that I know nothing
Re: EEVblog #539 - RFID Tag Repair
« Reply #10 on: October 24, 2013, 03:16:33 pm »
It is very curious that Mythbusters were banned from investigating RFID (especially vulnerabilities, security and so on) by major credit card providers; just Google "rfid mythbusters banned" to know more.

Maybe you, Dave, could do the investigation and be our Jamie+Adam! ;D
 

Offline firehopper

  • Frequent Contributor
  • **
  • Posts: 408
  • Country: us
Re: EEVblog #539 - RFID Tag Repair
« Reply #11 on: October 24, 2013, 04:27:14 pm »
Quote
It is very curious that Mythbusters were banned from investigating RFID (especially vulnerabilities, security and so on) by major credit card providers; just Google "rfid mythbusters banned" to know more.

Maybe you, Dave, could do the investigation and be our Jamie+Adam! ;D

I thought he was already our Jamie+Adam?
 

Offline mcinque

  • Supporter
  • ****
  • Posts: 1129
  • Country: it
  • I know that I know nothing
Re: EEVblog #539 - RFID Tag Repair
« Reply #12 on: October 24, 2013, 05:30:53 pm »
 ;D You're right, I should rephrase my sentence:

"Maybe you, Dave, could do the investigation and be AGAIN our Jamie+Adam!" ;D
 

Offline alxnik

  • Regular Contributor
  • *
  • Posts: 81
  • Country: 00
Re: EEVblog #539 - RFID Tag Repair
« Reply #13 on: October 24, 2013, 07:21:20 pm »
May I say, these things are horribly insecure.

This kind of card (I have 10 or so in my lab) has just a numeric string which is read by the reader. Of course it is totally copiable, so Dave if it opens something that is supposed to be secure, beware.

Don't confuse these cheapies with proper security cards. I am attaching an image I just took of my security card at work (which of course I tore down...), which although I have never analysed, seems to have a proper cryptographic handshake.

Also, credit cards in Europe (EMV standard) are pretty secure as they are active cards (not just passive memory modules) and they do a cryptographic handshake according to the public key infrastructure of Mastercard/Visa. The US has only lately started moving to EMV. I have no idea about Australia...
 

alm

  • Guest
Re: EEVblog #539 - RFID Tag Repair
« Reply #14 on: October 24, 2013, 07:45:46 pm »
The difference between active and passive RFID tags is the power source. Active tags have their own power source; passive tags are powered by the field from the reader. A passive RFID tag can still employ encryption. The Mifare Classic would be one (not so secure) example. Mifare Plus and DESFire would be more secure alternatives.
 

Offline FrankBuss

  • Supporter
  • ****
  • Posts: 2365
  • Country: de
    • Frank Buss
Re: EEVblog #539 - RFID Tag Repair
« Reply #15 on: October 24, 2013, 07:49:03 pm »
There is a nice project on Kickstarter for reading and emulating 125kHz RFID cards and tags:

http://www.kickstarter.com/projects/1708444109/rfidler-a-software-defined-rfid-reader-writer-emul

Looks promising, I supported it. Probably better than expensive commercial readers, because someone can hack it until it works, which would be more fun anyway.
So Long, and Thanks for All the Fish
Electronics, hiking, retro-computing, electronic music etc.: https://www.youtube.com/c/FrankBussProgrammer
 

Offline alxnik

  • Regular Contributor
  • *
  • Posts: 81
  • Country: 00
Re: EEVblog #539 - RFID Tag Repair
« Reply #16 on: October 24, 2013, 07:57:27 pm »
Quote
The difference between active and passive RFID tags is the power source. Active tags have their own power source; passive tags are powered by the field from the reader. A passive RFID tag can still employ encryption. The Mifare Classic would be one (not so secure) example. Mifare Plus and DESFire would be more secure alternatives.

We might have a different view of what active and passive is.

Passive (to me) is a memory card. It employs no logic. These are the mifare. Haven't used the higher end ones, but even if you encrypt something, it doesn't matter in authentication use; in a replay attack you can just replay the encrypted data. I have used the lower end ones and I can assure you, they are copiable.

Active: The contactless credit cards (and chip & pin for that matter) are not self powered but are proper processors. The reader talks to the card via a standard protocol and usually there is a challenge/response scheme where they both authenticate themselves via PKI. At no point can the reader read the actual data in the card.
 

alm

  • Guest
Re: EEVblog #539 - RFID Tag Repair
« Reply #17 on: October 24, 2013, 08:11:54 pm »
Active RFID tags and passive RFID tags are technical terms used in the industry, I'm not sure why you feel the need to come up with alternative definitions. See for example this page. Passive tags can be small (credit card or wrist strap size) and have a short range. Active tags are larger and might for example be used in logistics for vehicle identification.

A secure passive RFID tag will often contain a low-power micro doing the encryption and performing the handshake. Communication between reader and the chip within the tag is encrypted. For example, if you read the RFID tag inside many passports on a normal Mifare lite reader it will return a different (apparently random) block of data every time. Even the serial number is random. In some cases it may be possible to crack this encryption (the Mifare Classic encryption has been cracked), but it's certainly not trivial to copy or crack by replay attacks. That only applies to the Mifare Lite tags which don't employ any encryption and are only intended for low security applications.
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37662
  • Country: au
    • EEVblog
Re: EEVblog #539 - RFID Tag Repair
« Reply #18 on: October 24, 2013, 08:16:50 pm »
Quote
And trust me, you don't want to. The UI is horrible.
How bad is the DSO Nano, actually? The QDSO is crap, as both you and Mike pointed out, but the DSO Nano is supposedly (said with Dave's critical voice) more upmarket.

It's pretty bad. Not as bad as the other one we reviewed, I suspect, but not great. At least that's my first impression. The UI is awful. There is replacement firmware from someone that is supposed to fix that, but I haven't tried it.
 

Offline alxnik

  • Regular Contributor
  • *
  • Posts: 81
  • Country: 00
Re: EEVblog #539 - RFID Tag Repair
« Reply #19 on: October 24, 2013, 08:25:43 pm »
Quote
Active RFID tags and passive RFID tags are technical terms used in the industry, I'm not sure why you feel the need to come up with alternative definitions. See for example this page. Passive tags can be small (credit card or wrist strap size) and have a short range. Active tags are larger and might for example be used in logistics for vehicle identification.
You are a bit touchy now, aren't you? I'm trying to have a conversation, not find out who has the best knowledge of the industry. I am terribly sorry sir, but coming from the software world this is how we usually define active and passive. Or alternatively intelligent or dumb if you like. I'd suggest that we drop the industry naming issue and just concentrate on the actual conversation, shall we?

Quote
A secure passive RFID tag will often contain a low-power micro doing the encryption and performing the handshake. Communication between reader and the chip within the tag is encrypted. For example, if you read the RFID tag inside many passports on a normal Mifare lite reader it will return a different (apparently random) block of data every time. Even the serial number is random. In some cases it may be possible to crack this encryption (the Mifare Classic encryption has been cracked), but it's certainly not trivial to copy or crack by replay attacks. That only applies to the Mifare Lite tags which don't employ any encryption and are only intended for low security applications.

As I said, I have no experience in the higher end models of mifare. However, you don't give any crypto information about the scheme in your post. Is it PKI or symmetric? If it is symmetric (DES is) then how does the key change, let alone that (single) DES is trivially cracked with a partially known plaintext attack? What is the PRNG that seeds the process? If it is time then a time attack is in order. If it is PKI, then of course it starts to become harder to crack, but again, who manages the CA? Is it secured properly?
 

alm

  • Guest
Re: EEVblog #539 - RFID Tag Repair
« Reply #20 on: October 24, 2013, 08:50:54 pm »
I'm not intimately familiar with the DESFire tags. I believe the current version supports 3DES and AES. The key can be unique per card and can be derived from the unique ID stored on the card. Or in the case of passports the first layer of encryption is protected by the birth date and passport number, which can only be read by opening the passport and scanning it. Cards can also store multiple keys, granting different levels of access. The appnotes on this page give some more details.

I'm not going to claim these are perfectly secure (nothing is), and some have been cracked, but copying is certainly not as trivial as recording the response and replaying it.
 

Offline alxnik

  • Regular Contributor
  • *
  • Posts: 81
  • Country: 00
Re: EEVblog #539 - RFID Tag Repair
« Reply #21 on: October 24, 2013, 09:07:31 pm »
Quote
I'm not intimately familiar with the DESFire tags. I believe the current version supports 3DES and AES. The key can be unique per card and can be derived from the unique ID stored on the card. Or in the case of passports the first layer of encryption is protected by the birth date and passport number, which can only be read by opening the passport and scanning it. Cards can also store multiple keys, granting different levels of access. The appnotes on this page give some more details.

I'm not going to claim these are perfectly secure (nothing is), and some have been cracked, but copying is certainly not as trivial as recording the response and replaying it.

From the datasheet, the DESFire cards seem to work the same way as EMV as part of the same ISO standards. I have studied these and by themselves they are mostly secure, but usually the devil is in the details and the crack usually comes from the implementation. However, infrastructures like these are not easy to build, and you won't find them in your run-of-the-mill building security.

Fun fact: I was in a theoretically secure building today with a door system by HID with double doors, weight sensors and all the fancy stuff. The tags themselves were mifare ultralight readable by a smartphone, so easily copiable. Given this, and my general experience in building security systems, they are not very secure (I've seen pretty secure ones, but they are usually an exception). Hence my initial posting.
 

alm

  • Guest
Re: EEVblog #539 - RFID Tag Repair
« Reply #22 on: October 24, 2013, 09:38:33 pm »
Quote
From the datasheet, the DESFire cards seem to work the same way as EMV as part of the same ISO standards. I have studied these and by themselves they are mostly secure, but usually the devil is in the details and the crack usually comes from the implementation. However, infrastructures like these are not easy to build, and you won't find them in your run-of-the-mill building security.
No argument here. But on the other hand, the old systems don't usually have perfect security either. Physical keys are often trivial to copy, and so-called high security locks may also be easy to pick with the right tools and skills. Building security partly relies on the fact that thieves have limited time, resources and skills, and on other mechanisms like cameras and other people. Very few buildings would be hard to enter for anyone determined to enter that particular building.

Quote
Fun fact: I was in a theoretically secure building today with a door system by HID with double doors, weight sensors and all the fancy stuff. The tags themselves were Mifare Ultralight, readable by a smartphone, so easily copiable. Given this, and my general experience in building security systems, they are not very secure (I've seen pretty secure ones, but they are usually an exception). Hence my initial posting.
That sounds pretty typical for many organizations. I believe even the NXP marketing material only suggests Ultralight for disposable tickets and other low security applications, so someone was really not paying attention. At least the tags are cheap ;).
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37662
  • Country: au
    • EEVblog
Re: EEVblog #539 - RFID Tag Repair
« Reply #23 on: October 24, 2013, 10:01:36 pm »
Quote
No argument here. But on the other hand, the old systems don't usually have perfect security either. Physical keys are often trivial to copy, and so-called high security locks may also be easy to pick with the right tools and skills. Building security partly relies on the fact that thieves have limited time, resources and skills, and on other mechanisms like cameras and other people. Very few buildings would be hard to enter for anyone determined to enter that particular building.

In my building, after hours and weekends there are only two ways onto a given floor. Via the front door and lifts, both of which have RFID access. Or via the fire escape which has multiple locked doors you'd have to pick. The locks would be easier than the RFID system. Then you also have to evade the roaming security patrol.
Even during the week when the front door is open, if those lifts fail, there is no way to access the floors unless someone jams the fire doors open.
 

Offline Ferroto

  • Frequent Contributor
  • **
  • Posts: 289
  • Country: ca
Re: EEVblog #539 - RFID Tag Repair
« Reply #24 on: October 24, 2013, 10:11:33 pm »


Chris Paget gave a talk at defcon 17 about RFID security flaws.
« Last Edit: October 24, 2013, 10:19:32 pm by Ferroto »
 

Offline alxnik

  • Regular Contributor
  • *
  • Posts: 81
  • Country: 00
Re: EEVblog #539 - RFID Tag Repair
« Reply #25 on: October 24, 2013, 10:21:03 pm »
Quote
From the datasheet, the DESFire cards seem to work the same way as EMV as part of the same ISO standards. I have studied these and by themselves they are mostly secure, but usually the devil is in the details and the crack usually comes from the implementation. However, infrastructures like these are not easy to build, and you won't find them in your run-of-the-mill building security.
No argument here. But on the other hand, the old systems don't usually have perfect security either. Physical keys are often trivial to copy, and so-called high security locks may also be easy to pick with the right tools and skills. Building security partly relies on the fact that thieves have limited time, resources and skills, and on other mechanisms like cameras and other people. Very few buildings would be hard to enter for anyone determined to enter that particular building.

Probably the wisest argument. I have some experience in implementations of highly secure rooms usually used for crypto key management, so I usually get excited about physical security through electronic means. At the end of the day, however, when cracking physical security it's the angry guard with the big stick you should worry about, not the lock itself.
Having said that, it's sad that even in security systems the contract goes to the lowest bidder. And the lowest bidder uses Mifare Ultralight or something like that.
 

alm

  • Guest
Re: EEVblog #539 - RFID Tag Repair
« Reply #26 on: October 24, 2013, 11:10:42 pm »
Quote
In my building, after hours and weekends there are only two ways onto a given floor. Via the front door and lifts, both of which have RFID access. Or via the fire escape which has multiple locked doors you'd have to pick. The locks would be easier than the RFID system. Then you also have to evade the roaming security patrol.
Even during the week when the front door is open, if those lifts fail, there is no way to access the floors unless someone jams the fire doors open.
Some transponders can read 125 kHz RFID tags from a few meters distance. It would probably not be too hard to install one somewhere close to the entrance / parking lot and read the RFID tags from people walking by. Assuming the (if any) security on those particular cards has been cracked. Not something a thief would do and probably not the easiest way to enter the building, but not terribly hard either. The roaming security patrol would probably be your biggest worry.

Quote
At the end of the day, however, when cracking physical security it's the angry guard with the big stick you should worry about, not the lock itself.
That angry guard may also be the greatest weakness, though. Plenty of advanced security systems have been defeated through carelessness or social engineering. What good is your cryptographically secure card if the guard opens the door for someone she believes to be legitimate? If the USAF can't even get their officers to close the doors to their nuclear bunkers, how can you expect your security guard (or other employees) to always follow security policy?

Quote
Having said that, it's sad that even in security systems the contract goes to the lowest bidder. And the lowest bidder uses Mifare Ultralight or something like that.
That's what you get if you don't specify in the contract that the security system has to be secure.
 

Offline apelly

  • Supporter
  • ****
  • Posts: 1061
  • Country: nz
  • Probe
Re: EEVblog #539 - RFID Tag Repair
« Reply #27 on: October 24, 2013, 11:17:57 pm »
Quote
Chris Paget gave a talk at defcon 17 about RFID security flaws.

Yeah, I remember following that. Despite subscribing to the mailing list I had heard nothing more until this thread prompted me to do some googling. I see there's a proxpic iii available from a couple of places now. His original testing and fooling around is still an inspiration for me. One day I'll try and make something that can replay multiple IDs. I don't know about you guys, but I have a bunch of these cards and they all interfere with each other, so you can't just stack them up in your wallet. They're thick too. Something small to replay multiple IDs would save a bunch of room and PITA.
 

Offline NickS

  • Supporter
  • ****
  • Posts: 55
  • Country: au
Re: EEVblog #539 - RFID Tag Repair
« Reply #28 on: October 25, 2013, 01:24:54 am »
Quote
Passive (to me) is a memory card. It employs no logic. These are the mifare. Haven't used the higher end ones, but even if you encrypt something, it doesn't matter in authentication use; in a replay attack you can just replay the encrypted data. I have used the lower end ones and I can assure you, they are copiable.

Active: The contactless credit cards (and chip & pin for that matter) are not self powered but are proper processors. The reader talks to the card via a standard protocol and usually there is a challenge/response scheme where they both authenticate themselves via PKI. At no point can the reader read the actual data in the card.
Passive/Active usually only refers to how it is powered. No reason why you couldn't have an unpowered encrypted card or a powered passive card.

Replay attacks should only work if the company implementing it is incompetent.
It is easily thwarted by sending a nonce to the card and the card has to encrypt the id and the nonce, guaranteeing a different transaction every time.
Wrong nonce (which changes every read) = no access. Again no reason why this can't be in a passively powered card.
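As an added example (not code from the thread or from any card vendor), the nonce challenge-response scheme NickS describes above, combined with alm's earlier point about per-card keys derived from the card's unique ID: a UID-only reader with a static-ID tag (the weak setting) is modelled beside a reader that issues a single-use nonce and checks a MAC under a diversified key. HMAC-SHA256 stands in for the card's cipher, and the site master key and UID are constructed values.

```python
import hashlib
import hmac
import os

# Constructed demo value; a real site master key lives in the access
# controller, never on the cards.
SITE_MASTER_KEY = hashlib.sha256(b"constructed demo site master key").digest()
UID = bytes.fromhex("04a1b2c3d4e5f6")  # constructed 7-byte card UID


def diversify_key(master_key: bytes, uid: bytes) -> bytes:
    """Per-card key from the site master key and the UID, so one leaked card key
    exposes no other card. DESFire diversifies with AES/3DES; HMAC-SHA256 is an
    assumption here to keep the demo standard-library only."""
    return hmac.new(master_key, b"card-key-v1" + uid, hashlib.sha256).digest()


def mac(key: bytes, uid: bytes, nonce: bytes) -> bytes:
    """Authentication tag over (UID, nonce): a fresh nonce gives a fresh tag."""
    return hmac.new(key, uid + nonce, hashlib.sha256).digest()


class StaticIdCard:
    """Models the 125 kHz tag in the video: it only ever emits its fixed ID."""

    def __init__(self, uid: bytes) -> None:
        self.uid = uid

    def respond(self, nonce: bytes) -> tuple:
        return self.uid, b""  # nonce ignored, so the response never changes


class ChallengeResponseCard:
    """Passively powered card holding a diversified key it never reveals."""

    def __init__(self, uid: bytes, key: bytes) -> None:
        self.uid, self._key = uid, key

    def respond(self, nonce: bytes) -> tuple:
        return self.uid, mac(self._key, self.uid, nonce)


class UidOnlyReader:
    """The weak setting: grants access on UID alone, as with static-ID tags."""

    def __init__(self, authorised: set) -> None:
        self._authorised = authorised

    def challenge(self) -> bytes:
        return os.urandom(16)  # sent, but never checked

    def verify(self, nonce: bytes, uid: bytes, tag: bytes) -> bool:
        return uid in self._authorised


class ChallengeResponseReader:
    """Issues a fresh nonce per transaction and accepts each nonce only once."""

    def __init__(self, master_key: bytes, authorised: set) -> None:
        self._master_key, self._authorised = master_key, authorised
        self._pending: set = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, uid: bytes, tag: bytes) -> bool:
        if nonce not in self._pending:
            return False  # stale or never-issued nonce: a replayed exchange
        self._pending.discard(nonce)  # single use, whatever the tag says
        if uid not in self._authorised:
            return False
        expected = mac(diversify_key(self._master_key, uid), uid, nonce)
        return hmac.compare_digest(expected, tag)


def legit_then_replay(reader, card) -> tuple:
    """Return (legitimate access granted, replayed capture accepted later)."""
    nonce = reader.challenge()
    captured = card.respond(nonce)  # an eavesdropper records this exchange
    legit_ok = reader.verify(nonce, *captured)
    replay_ok = reader.verify(reader.challenge(), *captured)  # new transaction
    return legit_ok, replay_ok


def uid_clone_accepted(reader) -> bool:
    """Clone that copied only the UID (as a phone can) but not the card key."""
    return reader.verify(reader.challenge(), UID, b"\x00" * 32)


def demo_weak() -> tuple:
    reader = UidOnlyReader({UID})
    return legit_then_replay(reader, StaticIdCard(UID)), uid_clone_accepted(reader)


def demo_secure() -> tuple:
    reader = ChallengeResponseReader(SITE_MASTER_KEY, {UID})
    card = ChallengeResponseCard(UID, diversify_key(SITE_MASTER_KEY, UID))
    return legit_then_replay(reader, card), uid_clone_accepted(reader)
```

`demo_weak()` returns `((True, True), True)`: the static tag gets in, the replayed capture gets in, and a UID-only clone gets in; `demo_secure()` returns `((True, False), False)` because the replayed tag no longer matches the reader's new nonce and the clone cannot compute a tag without the diversified key.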
 

Offline adcurtin

  • Contributor
  • Posts: 29
Re: EEVblog #539 - RFID Tag Repair
« Reply #29 on: October 25, 2013, 03:14:24 am »
You got lucky with that card. That die is absolutely huge, and has nice solder pads. My proxcard 2 card had the coil bonded to the die, which was tiny. Here's a picture (with a mac laptop keyboard for scale): https://www.dropbox.com/sc/fibckndwn0qtz7x/S2dqcWSedo
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37662
  • Country: au
    • EEVblog
Re: EEVblog #539 - RFID Tag Repair
« Reply #30 on: October 25, 2013, 03:34:30 am »
Quote
You got lucky with that card. That die is absolutely huge, and has nice solder pads. My proxcard 2 card had the coil bonded to the die, which was tiny. Here's a picture (with a mac laptop keyboard for scale): https://www.dropbox.com/sc/fibckndwn0qtz7x/S2dqcWSedo

Yes, that's what I had feared for mine.
 

Offline 84GKSIG

  • Regular Contributor
  • *
  • Posts: 58
  • Country: au
Re: EEVblog #539 - RFID Tag Repair
« Reply #31 on: October 25, 2013, 04:48:02 am »
The best part out of that repair is you've now got a spare  ;D a spare key always comes in handy one day.


I want to get an RFID lock for my hobby room, just because I can  :-DD
 

Offline 84GKSIG

  • Regular Contributor
  • *
  • Posts: 58
  • Country: au
Re: EEVblog #539 - RFID Tag Repair
« Reply #32 on: October 25, 2013, 06:16:46 am »
Just watched this.... :o For anyone who is interested and hasn't seen the video on the mini DSO, here is the link to its related thread:
https://www.eevblog.com/forum/blog/eevblog-359-qdso-pocket-oscilloscope-review/msg148327/#msg148327

I think I'll be listening to you Dave and putting that 130 bucks towards a better DSO :-+ one day ::)
« Last Edit: October 25, 2013, 06:46:50 am by 84GKSIG »
 

Offline rain

  • Newbie
  • Posts: 5
Re: EEVblog #539 - RFID Tag Repair
« Reply #33 on: October 25, 2013, 06:42:58 am »
The modern HID badges (at least) do use some encryption for the exchange, but most HID installations are "standard security," which use the same (known) key for every installation worldwide.  There's a lot of good reading material about the protocol on http://www.openpcd.org/HID_iClass_demystified
 

Offline Quai

  • Newbie
  • Posts: 2
Re: EEVblog #539 - RFID Tag Repair
« Reply #34 on: October 25, 2013, 08:01:37 am »
Quote
The best part out of that repair is you've now got a spare ;D a spare key always comes in handy one day.

Hopefully they deactivate the IDs of lost/broken cards. If not, this repair should give them something to think about. Even if Dave cut his card in two and threw it in the trash, someone dumpster diving might find it and replace the antenna/coil. Voilà, full access!
 

Offline peter.mitchell

  • Super Contributor
  • ***
  • Posts: 1567
  • Country: au
Re: EEVblog #539 - RFID Tag Repair
« Reply #35 on: October 25, 2013, 12:00:00 pm »
This video may be of slightly more interest than the previously linked one,


A great presentation, covers the system more so than the electronics.
 

Offline DeepThought

  • Newbie
  • Posts: 8
Re: EEVblog #539 - RFID Tag Repair
« Reply #36 on: October 25, 2013, 03:12:28 pm »
Quote
Also, credit cards in Europe (EMV standard) are pretty secure as they are active cards (not just passive memory modules) and they do a cryptographic handshake according to the public key infrastructure of Mastercard/Visa. The US has only lately started moving to EMV. I have no idea about Australia...

Where did you get that from?
First, EMV is a smart card system. Not contactless.
Second, the actual contactless system is not active. It's bog standard RFID/NFC.
And lastly, the contactless system is far from secure. They have processors, but as far as I know they do practically zero crypto. Certainly no handshake.
Basically what they do is generate on request a one-time credit card number which can be used for the transaction through the regular legacy billing system with the bank.
Hence the transaction limit. Because you can use simple replay attacks against it.
 

Offline mcinque

  • Supporter
  • ****
  • Posts: 1129
  • Country: it
  • I know that I know nothing
Re: EEVblog #539 - RFID Tag Repair
« Reply #37 on: October 25, 2013, 06:33:35 pm »
Now that I've seen those two vids I understand very well why Mythbusters were banned from covering RFID.
 

Offline alxnik

  • Regular Contributor
  • *
  • Posts: 81
  • Country: 00
Re: EEVblog #539 - RFID Tag Repair
« Reply #38 on: October 25, 2013, 06:55:11 pm »
Quote
Also, credit cards in Europe (EMV standard) are pretty secure as they are active cards (not just passive memory modules) and they do a cryptographic handshake according to the public key infrastructure of Mastercard/Visa. The US has only lately started moving to EMV. I have no idea about Australia...

Where did you get that from?
First, EMV is a smart card system. Not contactless.
Second, the actual contactless system is not active. It's bog standard RFID/NFC.
And lastly, the contactless system is far from secure. They have processors, but as far as I know they do practically zero crypto. Certainly no handshake.
Basically what they do is generate on request a one-time credit card number which can be used for the transaction through the regular legacy billing system with the bank.
Hence the transaction limit. Because you can use simple replay attacks against it.

I work on EMV and Paypass/Paywave and I analyse smart card/contactless communications every day. Paypass/Paywave or CMV is an evolution of EMV and is based on it. They have crypto for digital signing and, barring 2-3 attacks published over the years which are not exactly practical, they are pretty secure. The one-time credit card number is not correct; it doesn't exist.
Also they are practically uncopiable; no exploit exists that can copy them. If someone copies it, I would certainly want to know more.
Quote
Where did you get that from?
7 years in EMV, 2 years in contactless. You?
 

Offline Stonent

  • Super Contributor
  • ***
  • Posts: 3824
  • Country: us
Re: EEVblog #539 - RFID Tag Repair
« Reply #39 on: October 25, 2013, 08:22:39 pm »
Where I work we have two kinds of cards. The ones for the time clocks are basic cards that are read-only. The ones we have to open doors (only issued to IT and Maintenance) have to be programmed with a site key.

About 10 years ago at the first place I worked that used cards they were solid cards. They said Proxlite Casi Rusco on them.

These cards were about as thin as a credit card and from what I gathered were just injected around the coil and chip. They tended to crack over time and I haven't seen them used anywhere else since.

Another employer had these cards that you had to slide up on a metal plate. If you just placed them on the plate, they didn't work. I was at an IBM office one time and saw them there as well. I seem to remember a security guard referring to them as barium nitride cards. I've seen similar readers under the name "touch plate".

They were later replaced with read-only cards for general access and programmable cards for the fingerprint readers to IT areas.
The larger the government, the smaller the citizen.
 

Offline 84GKSIG

  • Regular Contributor
  • *
  • Posts: 58
  • Country: au
Re: EEVblog #539 - RFID Tag Repair
« Reply #40 on: October 26, 2013, 05:51:39 am »
As far as someone walking past you with a reader goes, wouldn't a card designed with a momentary push button which allows the coil to work have been a better way to go about it? i.e.

hold the card up to the reader and press a button to activate the coil, which in turn then lets the RFID chip function as normal? I know it would only stop the card from being read when it's on the person, but that could then be taken a step further and have a 2-way momentary switch: one which allows the chip to function and the other to sound a piezo buzzer alarm if the card is energized when the button isn't being pressed. Or has this already been done in the more upmarket systems or something?
 

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 16272
  • Country: za
Re: EEVblog #539 - RFID Tag Repair
« Reply #41 on: October 26, 2013, 06:26:03 am »
The cards need significant power (a few milliwatts) to operate, and doing this at a distance needs a pretty high power transmitter, plus the received signal back from the card will be even harder to detect in the massive near field of the transmitter. As well, the only field used is a magnetic one, so you need orientation for it to work at all, so really remote reading is a non-issue for contact reading cards. Ones designed for remote read, however, are larger, have local power storage and an active transmitter either on the same or on a different frequency to get the range and reliable reading.
 

Offline mcinque

  • Supporter
  • ****
  • Posts: 1129
  • Country: it
  • I know that I know nothing
Re: EEVblog #539 - RFID Tag Repair
« Reply #42 on: October 26, 2013, 07:39:06 am »
and press a button to activate the coil, which in turn then lets the RFID chip function as normal? I know it would only stop the card from being read when it's on the person

Excellent solution!  :-+ :-+
 

alm

  • Guest
Re: EEVblog #539 - RFID Tag Repair
« Reply #43 on: October 26, 2013, 05:43:11 pm »
The cards need significant power (a few milliwatts) to operate, and doing this at a distance needs a pretty high power transmitter, plus the received signal back from the card will be even harder to detect in the massive near field of the transmitter. As well, the only field used is a magnetic one, so you need orientation for it to work at all, so really remote reading is a non-issue for contact reading cards.
The Defcon video linked by peter.mitchell shows reading of 125 kHz RFID cards up to half a meter or so and mentions that it was successfully used in penetration testing. I've also seen HF cards read at that distance, although the antenna for that would be too large to be portable, so you would need some sort of stationary setup. Yes, the card would need to be orientated parallel to the antenna, but note that you only need to copy one card to gain access.

and press a button to activate the coil, which in turn then lets the RFID chip function as normal? I know it would only stop the card from being read when it's on the person
Or just put it into a shielding sleeve, like a tinfoil-lined wallet ;). Or don't use the crappy cheap cards without security but use HF cards with some (almost :P) properly implemented challenge-response authentication. That would probably be cheaper than the button.
 

Offline Leo

  • Newbie
  • Posts: 1
Re: EEVblog #539 - RFID Tag Repair
« Reply #44 on: October 26, 2013, 10:22:47 pm »
Nice video Dave, I love your blog   O0

I was looking for an affordable microscope to inspect boards and I found this video:



Apparently you can build one with 175x magnification for around 10 bucks using laser pointer lenses...
This might be useful for your blog Dave and for hobbyists in general.

Enjoy!!

Leo
 

Offline David_AVD

  • Super Contributor
  • ***
  • Posts: 2797
  • Country: au
Re: EEVblog #539 - RFID Tag Repair
« Reply #45 on: October 26, 2013, 11:08:49 pm »
The best part out of that repair is you've now got a spare  ;D a spare key always comes in handy one day.

Hopefully, they deactivate the IDs of lost/broken cards. If not, this repair should give them something to think about. Even if Dave cut his card in two and threw it in the trash, someone dumpster diving might find it and replace the antenna/coil. Voilà, full access!

Yes, I was surprised that the old card worked. Surely the broken one should have been revoked (in the system) upon issue of the replacement.
 

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 16272
  • Country: za
Re: EEVblog #539 - RFID Tag Repair
« Reply #46 on: October 27, 2013, 05:33:43 am »
Unlikely, most systems have a very poor UI when used in programming, often it is near impossible to remove a card without deleting all. A lot of the simpler tag systems can delete, but you need a good register of tag numbers and allocation to get it to work. The simpler ones just have delete all and relearn.
 

Offline sleemanj

  • Super Contributor
  • ***
  • Posts: 3020
  • Country: nz
  • Professional tightwad.
    • The electronics hobby components I sell.
Re: EEVblog #539 - RFID Tag Repair
« Reply #47 on: October 27, 2013, 07:13:34 am »
often it is near impossible to remove a card without deleting all.

Surely that negates the whole point of using a card access system - so you can easily control access by disabling any given card.

I'd have thought that was a pretty fundamental UI requirement!
~~~
EEVBlog Members - get yourself 10% discount off all my electronic components for sale just use the Buy Direct links and use Coupon Code "eevblog" during checkout.  Shipping from New Zealand, international orders welcome :-)
 

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 16272
  • Country: za
Re: EEVblog #539 - RFID Tag Repair
« Reply #48 on: October 27, 2013, 09:10:07 am »
Older UI is a master card/tag, a 12-digit keyboard with 3 LEDs above it, and a manual that is 30 pages long with 25 pages being devoted to install and adding tags. Delete requires you to have a book with the tag numbers in it so as to delete, and a convoluted keyboard operation to delete.

Then again I deal with gate motors a little, where the UI is a button and an LED where you count flashes and press the button in time with the flashes. Newer ones have an LCD display and are a breeze to set up, but still you find it hard to delete remotes, so I use another receiver (not the integrated one) which actually can delete individual remotes easily. As well, it allows me to back up the remote list, which has come in useful as well.
 

Offline GraphicArmy

  • Newbie
  • Posts: 5
Re: EEVblog #539 - RFID Tag Repair
« Reply #49 on: October 28, 2013, 01:04:45 am »
Any way to hack the RFID card to increase the range on the card? So I don't have to open my car window to scan in and out of work?
 

Offline mobbarley

  • Regular Contributor
  • *
  • Posts: 200
  • Country: au
Re: EEVblog #539 - RFID Tag Repair
« Reply #50 on: October 28, 2013, 09:55:42 am »
Dave, would you like a compatible reader for a teardown? I work across the road from you.
 

Offline David_AVD

  • Super Contributor
  • ***
  • Posts: 2797
  • Country: au
Re: EEVblog #539 - RFID Tag Repair
« Reply #51 on: October 28, 2013, 10:22:56 am »
I work across the road from you.
Stalker Alert  LMAO!   :-DD
 

Offline mobbarley

  • Regular Contributor
  • *
  • Posts: 200
  • Country: au
Re: EEVblog #539 - RFID Tag Repair
« Reply #52 on: October 28, 2013, 10:31:36 am »
I work across the road from you.
Stalker Alert  LMAO!   :-DD

If only you knew what my occupation was...  ;)
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37662
  • Country: au
    • EEVblog
Re: EEVblog #539 - RFID Tag Repair
« Reply #53 on: October 28, 2013, 11:25:26 am »
Dave, would you like a compatible reader for a teardown? I work across the road from you.

*waving* (from my windowless box)
Would it do anything useful without the system connected to it? What model?
 

Offline mobbarley

  • Regular Contributor
  • *
  • Posts: 200
  • Country: au
Re: EEVblog #539 - RFID Tag Repair
« Reply #54 on: October 29, 2013, 08:18:33 am »
Sure, it will beep and you can read out the card number via Wiegand pulses. I have some documents on the way an HID card is read/programmed too. Probably only interesting if you want to do a more in-depth blog on RFID.
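As an added example (not mobbarley's code, nor any reader vendor's), here is a decoder for the Wiegand pulse train the reader emits. It assumes the common 26-bit Wiegand layout (leading even-parity bit, 8-bit facility code, 16-bit card number, trailing odd-parity bit); that layout is an assumption, since the post doesn't say which format the reader speaks, and the pulse data below is constructed.

```python
"""Decode a 26-bit Wiegand frame as emitted by a proximity-card reader.

Assumed layout (a common one, not stated in the thread):
  bit 0      : even parity over itself and data bits 1..12
  bits 1..8  : facility code
  bits 9..24 : card number
  bit 25     : odd parity over data bits 13..24 and itself
The card ID travels in the clear, which is why a lost or cloned card keeps
working until its number is revoked in the controller.
"""


def pulses_to_bits(pulses):
    """A reader pulses DATA0 for a 0 bit and DATA1 for a 1 bit.
    Turn a recorded sequence of "D0"/"D1" labels into a bit string."""
    table = {"D0": "0", "D1": "1"}
    try:
        return "".join(table[p] for p in pulses)
    except KeyError as exc:
        raise ValueError(f"unexpected pulse label {exc}") from None


def decode_wiegand26(bits):
    """Check both parity bits, then return (facility_code, card_number).
    Raise ValueError on bad length or parity instead of guessing an ID."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 bits of '0'/'1'")
    ones = [int(b) for b in bits]
    if sum(ones[0:13]) % 2 != 0:      # leading bit: even parity
        raise ValueError("even parity check failed")
    if sum(ones[13:26]) % 2 != 1:     # trailing bit: odd parity
        raise ValueError("odd parity check failed")
    facility = int(bits[1:9], 2)      # 8-bit facility code
    card = int(bits[9:25], 2)         # 16-bit card number
    return facility, card


def encode_wiegand26(facility, card):
    """Inverse of decode_wiegand26, used here to build test frames."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility must fit 8 bits, card 16 bits")
    data = f"{facility:08b}{card:016b}"
    even = "1" if data[:12].count("1") % 2 else "0"
    odd = "0" if data[12:].count("1") % 2 else "1"
    return even + data + odd


if __name__ == "__main__":
    # Constructed pulse train for facility 42, card 12345 (no real reader).
    frame = encode_wiegand26(42, 12345)
    pulses = ["D1" if b == "1" else "D0" for b in frame]
    print(frame, decode_wiegand26(pulses_to_bits(pulses)))
```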
 
