hacktricks/radio-hacking/pentesting-rfid.md
2022-04-05 18:24:52 -04:00

6.6 KiB
Raw Blame History

Pentesting RFID

Introduction

Radio Frequency Identification (RFID) is the most popular short-range radio solution. It's usually used to store and transmit information that identifies an entity.

An RFID tag can rely on its own power source (active), such as an embedded battery, or receive its power from the reading antenna using the current induced from the received radio waves (passive).

Classes

EPCglobal divides RFID tags into six categories. A tag in each category has all the capabilities listed in the previous category, making it backward compatible.

  • Class 0 tags are passive tags that operate in UHF bands. The vendor preprograms them at the production factory. As a result, you cant change the information stored in their memory.
  • Class 1 tags can also operate in HF bands. In addition, they can be written only once after production. Many Class 1 tags can also process cyclic redundancy checks (CRCs) of the commands they receive. CRCs are a few extra bytes at the end of the commands for error detection.
  • Class 2 tags can be written multiple times.
  • Class 3 tags can contain embedded sensors that can record environmental parameters, such as the current temperature or the tags motion. These tags are semi-passive, because although they have an embedded power source, such as an integrated battery, they cant initiate wireless communication with other tags or readers.
  • Class 4 tags can initiate communication with other tags of the same class, making them active tags.
  • Class 5 tags can provide power to other tags and communicate with all the previous tag classes. Class 5 tags can act as RFID readers.

Information Stored in RFID Tags

An RFID tags memory usually stores four kinds of data: the identification data, which identifies the entity to which the tag is attached (this data includes user-defined fields, such as bank accounts); the supplementary data, which provides further details regarding the entity; the control data, used for the tags internal configuration; and the tags manufacturer data, which contains a tags Unique Identifier (UID) and details regarding the tags production, type, and vendor. Youll find the first two kinds of data in all the commercial tags; the last two can differ based on the tags vendor.

The ISO standard specifies the Application Family Identifier (AFI) value, a code that indicates the kind of object the tag belongs to. Another important register, also specified by ISO, is the Data Storage Format Identifier(DSFID), which defines the logical organization of the user data.

Most RFID security controls have mechanisms that restrict the read or write operations on each user memory block and on the special registers containing the AFI and DSFID values. These lock mechanisms use data stored in the control memory and have default passwords preconfigured by the vendor but allow the tag owners to configure custom passwords.

Low-Frequency RFID Tags

For example key cards that employees use to open doors. These devices rely on passive RFID technology and operate in a range of 30 kHz to 300 kHz, although it's more usual to use 125 kHz to 134 kHz.

High-Frequency RFID Tags

Many people refer to this technology as Near Field Communication (NFC), a term for devices operating over the 13.56 MHz frequency.

Attacking RFID Systems with Proxmark3

The first thing you need to do is to have a Proxmark3 and install the software and it's dependencies.

Attacking MIFARE Classic 1KB

It has 16 sectors, each of them has 4 blocks and each block contains 16B. The UID is in sector 0 block 0 (and can't be altered).
To access each sector you need 2 keys (A and B) which are stored in block 3 of each sector (sector trailer). The sector trailer also stores the access bits that give the read and write permissions on each block using the 2 keys.
2 keys are useful to give permissions to read if you know the first one and write if you know the second one (for example).

Several attacks can be performed

proxmark3> hf mf #List attacks

proxmark3> hf mf chk *1 ? t ./client/default_keys.dic #Keys bruteforce
proxmark3> hf mf fchk 1 t # Improved keys BF

proxmark3> hf mf rdbl 0 A FFFFFFFFFFFF # Read block 0 with the key
proxmark3> hf mf rdsc 0 A FFFFFFFFFFFF # Read sector 0 with the key

proxmark3> hf mf dump 1 # Dump the information of the card (using creds inside dumpkeys.bin)
proxmark3> hf mf restore # Copy data to a new card
proxmark3> hf mf eload hf-mf-B46F6F79-data # Simulate card using dump
proxmark3> hf mf sim *1 u 8c61b5b4 # Simulate card using memory

proxmark3> hf mf eset 01 000102030405060708090a0b0c0d0e0f # Write those bytes to block 1
proxmark3> hf mf eget 01 # Read block 1
proxmark3> hf mf wrbl 01 B FFFFFFFFFFFF 000102030405060708090a0b0c0d0e0f # Write to the card

The Proxmark3 allows to perform other actions like eavesdropping a Tag to Reader communication to try to find sensitive data. In this card you could just sniff the communication with and calculate the used key because the cryptographic operations used are weak and knowing the plain and cipher text you can calculate it (mfkey64 tool).

Raw Commands

IoT systems sometimes use nonbranded or noncommercial tags. In this case, you can use Proxmark3 to send custom raw commands to the tags.

proxmark3> hf search UID : 80 55 4b 6c ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
  proprietary non iso14443-4 card found, RATS not supported
  No chinese magic backdoor command detected
  Prng detection: WEAK
  Valid ISO14443A Tag Found - Quiting Search

With this information you could try to search information about the card and about the way to communicate with it. Proxmark3 allows to send raw commands like: hf 14a raw -p -b 7 26

Scripts

The Proxmark3 software comes with a preloaded list of automation scripts that you can use to perform simple tasks. To retrieve the full list, use the script list command. Next, use the script run command, followed by the scripts name:

proxmark3> script run mfkeys

You can create a script to fuzz tag readers, so copying the data of a valid card just write a Lua script that randomize one or more random bytes and check if the reader crashes with any iteration.