6.6 KiB
Pentesting RFID
Introduction
Radio Frequency Identification (RFID) is the most popular short-range radio solution. It's usually used to store and transmit information that identifies an entity.
An RFID tag can rely on its own power source (active), such as an embedded battery, or receive its power from the reading antenna using the current induced from the received radio waves (passive).
Classes
EPCglobal divides RFID tags into six categories. A tag in each category has all the capabilities listed in the previous category, making it backward compatible.
- Class 0 tags are passive tags that operate in UHF bands. The vendor preprograms them at the production factory. As a result, you can’t change the information stored in their memory.
- Class 1 tags can also operate in HF bands. In addition, they can be written only once after production. Many Class 1 tags can also process cyclic redundancy checks (CRCs) of the commands they receive. CRCs are a few extra bytes at the end of the commands for error detection.
- Class 2 tags can be written multiple times.
- Class 3 tags can contain embedded sensors that can record environmental parameters, such as the current temperature or the tag’s motion. These tags are semi-passive, because although they have an embedded power source, such as an integrated battery, they can’t initiate wireless communication with other tags or readers.
- Class 4 tags can initiate communication with other tags of the same class, making them active tags.
- Class 5 tags can provide power to other tags and communicate with all the previous tag classes. Class 5 tags can act as RFID readers.
Information Stored in RFID Tags
An RFID tag’s memory usually stores four kinds of data: the identification data, which identifies the entity to which the tag is attached (this data includes user-defined fields, such as bank accounts); the supplementary data, which provides further details regarding the entity; the control data, used for the tag’s internal configuration; and the tag’s manufacturer data, which contains a tag’s Unique Identifier (UID) and details regarding the tag’s production, type, and vendor. You’ll find the first two kinds of data in all the commercial tags; the last two can differ based on the tag’s vendor.
The ISO standard specifies the Application Family Identifier (AFI) value, a code that indicates the kind of object the tag belongs to. Another important register, also specified by ISO, is the Data Storage Format Identifier(DSFID), which defines the logical organization of the user data.
Most RFID security controls have mechanisms that restrict the read or write operations on each user memory block and on the special registers containing the AFI and DSFID values. These lock mechanisms use data stored in the control memory and have default passwords preconfigured by the vendor but allow the tag owners to configure custom passwords.
Low-Frequency RFID Tags
For example key cards that employees use to open doors. These devices rely on passive RFID technology and operate in a range of 30 kHz to 300 kHz, although it's more usual to use 125 kHz to 134 kHz.
High-Frequency RFID Tags
Many people refer to this technology as Near Field Communication (NFC), a term for devices operating over the 13.56 MHz frequency.
Attacking RFID Systems with Proxmark3
The first thing you need to do is to have a Proxmark3 and install the software and it's dependencies.
Attacking MIFARE Classic 1KB
It has 16 sectors, each of them has 4 blocks and each block contains 16B. The UID is in sector 0 block 0 (and can't be altered).
To access each sector you need 2 keys (A and B) which are stored in block 3 of each sector (sector trailer). The sector trailer also stores the access bits that give the read and write permissions on each block using the 2 keys.
2 keys are useful to give permissions to read if you know the first one and write if you know the second one (for example).
Several attacks can be performed
proxmark3> hf mf #List attacks
proxmark3> hf mf chk *1 ? t ./client/default_keys.dic #Keys bruteforce
proxmark3> hf mf fchk 1 t # Improved keys BF
proxmark3> hf mf rdbl 0 A FFFFFFFFFFFF # Read block 0 with the key
proxmark3> hf mf rdsc 0 A FFFFFFFFFFFF # Read sector 0 with the key
proxmark3> hf mf dump 1 # Dump the information of the card (using creds inside dumpkeys.bin)
proxmark3> hf mf restore # Copy data to a new card
proxmark3> hf mf eload hf-mf-B46F6F79-data # Simulate card using dump
proxmark3> hf mf sim *1 u 8c61b5b4 # Simulate card using memory
proxmark3> hf mf eset 01 000102030405060708090a0b0c0d0e0f # Write those bytes to block 1
proxmark3> hf mf eget 01 # Read block 1
proxmark3> hf mf wrbl 01 B FFFFFFFFFFFF 000102030405060708090a0b0c0d0e0f # Write to the card
The Proxmark3 allows to perform other actions like eavesdropping a Tag to Reader communication to try to find sensitive data. In this card you could just sniff the communication with and calculate the used key because the cryptographic operations used are weak and knowing the plain and cipher text you can calculate it (mfkey64
tool).
Raw Commands
IoT systems sometimes use nonbranded or noncommercial tags. In this case, you can use Proxmark3 to send custom raw commands to the tags.
proxmark3> hf search UID : 80 55 4b 6c ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting Search
With this information you could try to search information about the card and about the way to communicate with it. Proxmark3 allows to send raw commands like: hf 14a raw -p -b 7 26
Scripts
The Proxmark3 software comes with a preloaded list of automation scripts that you can use to perform simple tasks. To retrieve the full list, use the script list
command. Next, use the script run
command, followed by the script’s name:
proxmark3> script run mfkeys
You can create a script to fuzz tag readers, so copying the data of a valid card just write a Lua script that randomize one or more random bytes and check if the reader crashes with any iteration.