Author Topic: EEVblog #539 - RFID Tag Repair  (Read 24055 times)

0 Members and 3 Guests are viewing this topic.

Offline nitro2k01

  • Frequent Contributor
  • **
  • Posts: 844
  • Country: 00
EEVblog #539 - RFID Tag Repair
« on: October 24, 2013, 11:43:06 am »


Dave does an impromptu teardown and repairs his 125KHz RFID lab access card.
And finds a use for his DSO Quad oscilloscope.
Whoa! How the hell did Dave know that Bob is my uncle? Amazing!
 

Offline 84GKSIG

  • Regular Contributor
  • *
  • Posts: 58
  • Country: au
Re: EEVblog #539 - RFID Tag Repair
« Reply #1 on: October 24, 2013, 11:51:39 am »
Well now I want one of those hand held oscilloscopes to play with, have always been put off by them cause most look like re-purposed mp3 players. never actually seen one in operation either, if it can give a frequency read out, may not be as useless as I initially thought. hmmm..

Those RFID tags could be made a lot stronger but looks like they go for the bare minimum to make the thing cheap and function.
 

Offline nitro2k01

  • Frequent Contributor
  • **
  • Posts: 844
  • Country: 00
Re: EEVblog #539 - RFID Tag Repair
« Reply #2 on: October 24, 2013, 11:54:21 am »
Oh lookie. We have ourselves some PSK. (See picture.)

That's a nice tag reader you've got there. It would be a shame if something hap... No.

That's a nice tag reader you've got there. It would be a shame if you never did a teardown of it.
Whoa! How the hell did Dave know that Bob is my uncle? Amazing!
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 29891
  • Country: au
    • EEVblog
Re: EEVblog #539 - RFID Tag Repair
« Reply #3 on: October 24, 2013, 12:02:35 pm »
Well now I want one of those hand held oscilloscopes to play with, have always been put off by them cause most look like re-purposed mp3 players

They are!

Quote
never actually seen one in operation either

And trust me, you don't want to. The UI is horrible.
 

alm

  • Guest
Re: EEVblog #539 - RFID Tag Repair
« Reply #4 on: October 24, 2013, 12:27:36 pm »
Well now I want one of those hand held oscilloscopes to play with, have always been put off by them cause most look like re-purposed mp3 players. never actually seen one in operation either, if it can give a frequency read out, may not be as useless as I initially thought. hmmm..
Both Dave and Mike did a review of one. This should give you a fair impression of the UI ;). Note that Dave only used it to show the presence of a signal. He could probably as well have used a DMM with frequency function.
 

Offline nitro2k01

  • Frequent Contributor
  • **
  • Posts: 844
  • Country: 00
Re: EEVblog #539 - RFID Tag Repair
« Reply #5 on: October 24, 2013, 12:41:12 pm »
And trust me, you don't want to. The UI is horrible.
How bad is DSO Nano, actually? The QDSO is crap, as both you and Mike pointed out, but the DSO Nano is supposedly (said with Dave's critical voice) more upmarket. Maybe time for a review, even you loathe pocket DSOs?
Whoa! How the hell did Dave know that Bob is my uncle? Amazing!
 

Offline Quai

  • Newbie
  • Posts: 2
Re: EEVblog #539 - RFID Tag Repair
« Reply #6 on: October 24, 2013, 01:55:59 pm »
I did a tear-down of the RFID-card used on public transportation in the town that I live;

It's a 13.56 MHz based MIFARE[1] card, two sided (very) flexible PCB with a much shorter antenna coil. You can see the tiny chip in the top left corner, and I think the two squares in the middle of the left side is the cap Dave has in his DaveCAD drawing.

1. http://en.wikipedia.org/wiki/MIFARE
 

Offline 84GKSIG

  • Regular Contributor
  • *
  • Posts: 58
  • Country: au
Re: EEVblog #539 - RFID Tag Repair
« Reply #7 on: October 24, 2013, 02:38:10 pm »
Far out, can't help but wonder now how many variations of these things there are?? I think we need more pictures.  ;)
 

Offline Fezder

  • Regular Contributor
  • *
  • Posts: 103
  • Country: fi
  • Lean on, or was it learn on?
Re: EEVblog #539 - RFID Tag Repair
« Reply #8 on: October 24, 2013, 02:46:22 pm »
almost started considering those hand-held 'scopes, but came to senses after giving small thought, need to save money for proper multimeter and digital scope....damm student budget argh!

and, nice video, always wondered how those ''smart cards'' work! :)
Both analog/digital hobbyist, reparing stuff from time to time
 

Offline dentaku

  • Frequent Contributor
  • **
  • Posts: 831
  • Country: ca
Re: EEVblog #539 - RFID Tag Repair
« Reply #9 on: October 24, 2013, 03:04:17 pm »
That turned out to be very interesting and educational.
 

Offline mcinque

  • Supporter
  • ****
  • Posts: 1034
  • Country: it
  • I know one thing: that I know nothing
Re: EEVblog #539 - RFID Tag Repair
« Reply #10 on: October 24, 2013, 03:16:33 pm »
it is very curious that Mythbusters were banned about investigation on RFID (expecially vulnerabilities, security and so on) from major credit cards providers, just Google "rfid mythbusters banned" to know more.

Maybe you, Dave, could do the investigation and be our Jamie+Adam! ;D
I'm basically still a rookie and because of this, even with the best intentions, I often say bullshits
 

Offline firehopper

  • Frequent Contributor
  • **
  • Posts: 375
  • Country: us
Re: EEVblog #539 - RFID Tag Repair
« Reply #11 on: October 24, 2013, 04:27:14 pm »
it is very curious that Mythbusters were banned about investigation on RFID (expecially vulnerabilities, security and so on) from major credit cards providers, just Google "rfid mythbusters banned" to know more.

Maybe you, Dave, could do the investigation and be our Jamie+Adam! ;D


I thought he was already our jamie+adam?
 

Offline mcinque

  • Supporter
  • ****
  • Posts: 1034
  • Country: it
  • I know one thing: that I know nothing
Re: EEVblog #539 - RFID Tag Repair
« Reply #12 on: October 24, 2013, 05:30:53 pm »
 ;D You're right, I should rephrase my sentence:

"Maybe you, Dave, could do the investigation and be AGAIN our Jamie+Adam!" ;D
I'm basically still a rookie and because of this, even with the best intentions, I often say bullshits
 

Offline alxnik

  • Regular Contributor
  • *
  • Posts: 81
  • Country: 00
Re: EEVblog #539 - RFID Tag Repair
« Reply #13 on: October 24, 2013, 07:21:20 pm »
May I say, these things are horribly insecure.

This kind of card (I have 10 or so in my lab) has just a numeric string which is read by the reader. Of course it is totally copiable, so Dave if it opens something that is supposed to be secure, beware.

Don't confuse these cheapies with proper security cards. I am attaching an image I just took of my security card at work (which of course I tore down...), which although I have never analysed, seems to have a proper cryptographic handshake.

Also, credit cards in europe (EMV standard) are pretty secure as they are active cards (not just passive memory modules) and they do a cryptographic handshake according to public key infrastructure of mastercard/visa. The US have only lately started moving to EMV. I have no idea about Australia...
 

alm

  • Guest
Re: EEVblog #539 - RFID Tag Repair
« Reply #14 on: October 24, 2013, 07:45:46 pm »
The difference between active and passive RFID tags in the power source. Active tags have their own power source; passive tags are powered by the field from the reader. A passive RFID tag can still employ encryption. The Mifare Classic would be one (not so secure) example. Mifare Plus and DESFire would be more secure alternatives.
 

Online FrankBuss

  • Supporter
  • ****
  • Posts: 2283
  • Country: de
    • Frank Buss
Re: EEVblog #539 - RFID Tag Repair
« Reply #15 on: October 24, 2013, 07:49:03 pm »
There is a nice project on Kickstarter for reading and emulating 125kHz RFID cards and tags:

http://www.kickstarter.com/projects/1708444109/rfidler-a-software-defined-rfid-reader-writer-emul

Looks promising, I supported it. Probably better than expensive commercial readers, because someone can hack it until it works, which would be more fun anyway.
So Long, and Thanks for All the Fish
Electronics, hiking, retro-computing, electronic music etc.: https://www.youtube.com/c/FrankBussProgrammer
 

Offline alxnik

  • Regular Contributor
  • *
  • Posts: 81
  • Country: 00
Re: EEVblog #539 - RFID Tag Repair
« Reply #16 on: October 24, 2013, 07:57:27 pm »
The difference between active and passive RFID tags in the power source. Active tags have their own power source; passive tags are powered by the field from the reader. A passive RFID tag can still employ encryption. The Mifare Classic would be one (not so secure) example. Mifare Plus and DESFire would be more secure alternatives.

We might have a different view of what active and passive is.

Passive (to me) is a memory card. It employs no logic. These are the mifare. Haven't used the higher end ones, but even if you encrypt something, it doesn't matter on authentication use, in a replay attack you can just replay the encrypted data. I have used the lower end ones and I can assure you, they are copiable

Active: The contactless credit cards (and chip & pin for that matter) are not self powered but are proper processors. The reader talks to the card via a standard protocol and usually there is a challenge/response scheme where they both authenicate themselves via pki. At no point can the reader, read the actual data in the card.
 

alm

  • Guest
Re: EEVblog #539 - RFID Tag Repair
« Reply #17 on: October 24, 2013, 08:11:54 pm »
Active RFID tags and passive RFID tags are technical terms used in the industry, I'm not sure why you feel the need to come up with alternative definitions. See for example this page. Passive tags can be small (credit card or wrist strap size) and have a short range. Active tags are larger and might for example be used in logistics for vehicle identification.

A secure passive RFID tag will often contain a low-power micro doing the encryption and performing the handshake. Communication between reader and the chip within the tag is encrypted. For example, if you read the RFID tag inside many passports on a normal Mifare lite reader it will return a different (apparently random) block of data every time. Even the serial number is random. In some cases it may be possible to crack this encryption (the Mifare Classic encryption has been cracked), but it's certainly not trivial to copy or crack by replay attacks. That only applies to the Mifare Lite tags which don't employ any encryption and are only intended for low security applications.
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 29891
  • Country: au
    • EEVblog
Re: EEVblog #539 - RFID Tag Repair
« Reply #18 on: October 24, 2013, 08:16:50 pm »
And trust me, you don't want to. The UI is horrible.
How bad is DSO Nano, actually? The QDSO is crap, as both you and Mike pointed out, but the DSO Nano is supposedly (said with Dave's critical voice) more upmarket.

It's pretty bad. Not as bad as the other one we reveiwed I suspect, but not great. At least that's my first impression. The UI is awful. There is replacement firmware from someone that is supposed to fix hat, but haven't tried it.
 

Offline alxnik

  • Regular Contributor
  • *
  • Posts: 81
  • Country: 00
Re: EEVblog #539 - RFID Tag Repair
« Reply #19 on: October 24, 2013, 08:25:43 pm »
Active RFID tags and passive RFID tags are technical terms used in the industry, I'm not sure why you feel the need to come up with alternative definitions. See for example this page. Passive tags can be small (credit card or wrist strap size) and have a short range. Active tags are larger and might for example be used in logistics for vehicle identification.
You are a bit touchy now, aren't you? I'm trying to have a conversation not find out who has the best knowledge of the industry. I am terribly sorry sir, but coming from the software world this is how we usually define active and passive. Or alternatively intelligent or dumb if you like. I'd suggest that we drop the industry naming issue and just concentrate on the actual convertation shall we?

Quote
A secure passive RFID tag will often contain a low-power micro doing the encryption and performing the handshake. Communication between reader and the chip within the tag is encrypted. For example, if you read the RFID tag inside many passports on a normal Mifare lite reader it will return a different (apparently random) block of data every time. Even the serial number is random. In some cases it may be possible to crack this encryption (the Mifare Classic encryption has been cracked), but it's certainly not trivial to copy or crack by replay attacks. That only applies to the Mifare Lite tags which don't employ any encryption and are only intended for low security applications.

As I said, I have no experience in the higher end models of mifare. However, you don't give any crypto information about the scheme in your post. Is it pki or symmetric? If it is symmetric (DES is) then, how does the key change - let alone that (single) DES is trivially cracked with a partially known plaintext attack? What is the PRNG that seeds the process? If it is time then a time attack is in order. If it is pki, then of course it starts to become more hard to crack, but again, who manages the CA? Is it secured properly?
 

alm

  • Guest
Re: EEVblog #539 - RFID Tag Repair
« Reply #20 on: October 24, 2013, 08:50:54 pm »
I'm not intimately familiar with the DESFire tags. I believe the current version supports 3DES and AES. The key can be unique per card and can be derived from the unique ID stored on the card. Or in the case of passports the first layer of encryption is protected by the birth date and passport number, which can only be read by opening the passport and scanning it. Cards can also store multiple keys, granting different levels of access. The appnotes on this page give some more details.

I'm not going to claim these are perfectly secure (nothing is), and some have been cracked, but copying is certainly not as trivial as recording the response and replaying it.
 

Offline alxnik

  • Regular Contributor
  • *
  • Posts: 81
  • Country: 00
Re: EEVblog #539 - RFID Tag Repair
« Reply #21 on: October 24, 2013, 09:07:31 pm »
I'm not intimately familiar with the DESFire tags. I believe the current version supports 3DES and AES. The key can be unique per card and can be derived from the unique ID stored on the card. Or in the case of passports the first layer of encryption is protected by the birth date and passport number, which can only be read by opening the passport and scanning it. Cards can also store multiple keys, granting different levels of access. The appnotes on this page give some more details.

I'm not going to claim these are perfectly secure (nothing is), and some have been cracked, but copying is certainly not as trivial as recording the response and replaying it.

From the datasheet, the DESFire cards seem to work the same way as EMV as part of the same ISO standards. I have studied these and by themselves they are mostly secure, but usually the devil is in the details and the crack usually comes from the implementation. However infrastructures like these are not easy to build, and you won't find them in your run of the mill building security.

Fun fact: I was in a theoretically secure building today with a door system by HID with double doors, weight sensors and all the fancy stuff. The tags themselves were mifare ultralight readable by a smartphone, so easily copiable. Given this, and my general experience in building security systems, they are not very secure (I've seen pretty secure ones, but they are usually an exception). Hence my initial posting.
 

alm

  • Guest
Re: EEVblog #539 - RFID Tag Repair
« Reply #22 on: October 24, 2013, 09:38:33 pm »
From the datasheet, the DESFire cards seem to work the same way as EMV as part of the same ISO standards. I have studied these and by themselves they are mostly secure, but usually the devil is in the details and the crack usually comes from the implementation. However infrastructures like these are not easy to build, and you won't find them in your run of the mill building security.
No argument here. But on the other hand, the old systems don't usually have perfect security either. Physical keys are often trivial to copy, and so called high security locks may also be easy to pick with the right tools and skills. Building security partly relies on the fact that thieves have limited time, resources and skills, and on other mechanisms like cameras and other people. Very few buildings would be hard to enter for anyone determined to enter that particular building.

Fun fact: I was in a theoretically secure building today with a door system by HID with double doors, weight sensors and all the fancy stuff. The tags themselves were mifare ultralight readable by a smartphone, so easily copiable. Given this, and my general experience in building security systems, they are not very secure (I've seen pretty secure ones, but they are usually an exception). Hence my initial posting.
That sounds pretty typical for many organizations. I believe even the NXP marketing material only suggests Ultralight for disposable tickets and other low security applications, so someone was really not paying attention. At least the tags are cheap ;).
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 29891
  • Country: au
    • EEVblog
Re: EEVblog #539 - RFID Tag Repair
« Reply #23 on: October 24, 2013, 10:01:36 pm »
No argument here. But on the other hand, the old systems don't usually have perfect security either. Physical keys are often trivial to copy, and so called high security locks may also be easy to pick with the right tools and skills. Building security partly relies on the fact that thieves have limited time, resources and skills, and on other mechanisms like cameras and other people. Very few buildings would be hard to enter for anyone determined to enter that particular building.

In my building, after hours and weekends there are only two ways onto a given floor. Via the front door and lifts, both of which have RFID access. Or via the fire escape which has multiple locked doors you'd have to pick. The locks would be easier than the RFID system. Then you also have to evade the roaming security patrol.
Even during the week when the front door is open, if those lifts fail, there is no way to access the floors unless someone jams the fire doors open.
 

Offline Ferroto

  • Frequent Contributor
  • **
  • Posts: 287
  • Country: ca
Re: EEVblog #539 - RFID Tag Repair
« Reply #24 on: October 24, 2013, 10:11:33 pm »


Chris Paget gave a talk at defcon 17 about RFID security flaws.
« Last Edit: October 24, 2013, 10:19:32 pm by Ferroto »
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf