
EDL Cloning for $250


Presentation Transcript


  1. Chris Paget ivegotta@tombom.co.uk ShmooCon 2009 EDL Cloning for $250

  2. <meta> • Hack the con! • Press Coverage / Demos • Beer

  3. Break It!

  4. What is WHTI? • Western Hemisphere Travel Initiative • People Access Security Service (PASS) • Electronic Drivers License (EDL) • NEXUS • FAST • SENTRI • Land and Sea entry only (no air travel) • Includes RFID “to help speed the entry process”

  5. RFID in WHTI • EPC Class 1 Generation 2 • That's an electronic product code – compare UPC • Technical specs: • 96-bit ID number • 900MHz ISM band operation (woohoo!) • 30ft read range, by design • No encryption • Irrelevant or nonexistent authentication • Not a magnetic coupling (more like RADAR)

  6. EPC Gen2 Auth • Yes, it's another barcode. • Incorporates “Lock” and “Kill” s3kr3t k0d3z • Unlock to change tag ID • Kill code disables tag • Both are broadcast with 1W of CW @ 900MHz • Really easy to sniff • MGS uses 1.3W @ ~450MHz • Differential Power Analysis • In case you don't want to mess with DHS

  7. EPC Gen2 Reader Auth • Password-protected admin interface • Disable the reader, query tags. Woo. • No authentication whatsoever on API port • If you can get SYN|ACK from TCP/3000, you're in • Enterprise-grade hardware • Designed to be networked & integrated • Also designed to be a black box component • No low-level hacking :(

  8. Connect the dots... • Passport cards use EPC Gen2 RFID tags • EPC Gen2 RFID tags have no security • (although this kit has limits) • EPC Gen2 tags are intended to be read at 30ft • Read and copy passports from 30 feet away. • ORLY?

  9. YA RLY :)

  10. Build It!

  11. Budgeting • ACLU: “We have budget! Not much, but some!” • Reader: $3000 • Antenna: $500 • Cables: $100 • Total: $3600 • Budget fail :(

  12. to the rescue! • Reader: $80 + $12.41 • Antenna: $65 + $32.60 • Cables: $49.98 + $9.90 • Total: $249.89 (only $195 + shipping!) • $3k of reader for $90? • 97% off retail? No surprise - it didn't work.

  13. Ball Grid Array (BGA) No pins – solder balls join the chip to the board

  14. BGA weakness • Thermal cycling leads to cracking • Very common failure mode • Xbox 360 RROD = BGA failure • Simple test: Push down on the chips

  15. Fixing BGA fractures • Easy: Reheat until the solder balls melt • The “towel trick” • Wrong. Bad. Ugly. No. • Toaster oven • Too slow. Not manly enough.

  16. Heat Gun BGA fixing • $20 from Lowes - “High” and “Low” settings. http://www.youtube.com/watch?v=DVttOR_uez4 • Remove circuit board. • Cover plastic components with tinfoil. • 2 minutes low heat, both sides. • 2 minutes high heat, chips only. • 2 minutes low heat, topside only.

  17. Coding for the XR400 • Windows CE 5.1 • Ugly as hell, but there if you need it • Embedded Visual C++ 4.0 • Was free on the web, now on MSDN • Platform SDK is free: • https://docs.symbol.com/KanisaPlatform/Publishing/837/11753_f.html • Also has the Device Configuration Package • XR400 C API (beta) • Supports native and remote code • https://docs.symbol.com/KanisaPlatform/Publishing/38/10412_f.html

  18. XR400 C API • Functional, but only just • Expect plenty of random AVs (access violations) from their library • Takes out CE fairly often, too • CE development is nightmarish. • Develop locally and port it. • Simple enough to use • RFID_Open(), ConfigureTCPIP() • Docs are OK but check functions are supported

  19. My UI <insert live demo here> Source code is at http://www.rfidhackers.com (or at least, it will be soon)

  20. Read Range • Limited by the need to power the tag • My setup – 1W into 6dBi antenna • Increase Tx power, sqrt(power) sets range • 1W -> 10W gives sqrt(10) = 3.16x range • Increase antenna gain, increase range • 6dBi antenna -> 12dBi antenna == 6dBi gain • Every 3dB doubles range • 6dBi gain -> 4x range • 10W into 12dBi should give 20*3.16*4 = 248ft

  21. Testing the math • ThingMagic tested 10W into 12dBi • http://www.slideshare.net/ravipappu/ravi-pappu-google-tech-talk-2008 • Slides 12 onwards • 100% reads at 65m (213ft) • Don't care about 100% reliability • Any read is a successful read! • Expect something at 248ft • Appears to conform with theory

  22. Power! • 902-928MHz ISM band • Industrial, scientific, medical (part 15) • Essentially a multipurpose Ham band • Ham operators are primary owners • No limits on antenna gain (no EIRP limit) • 18dBi is the practical limit for off-the-shelf • Homebrew helical antennas even better (21dBi+) • 1500W Tx power limit • How far?

  23. Max power! • 1W into 6dBi = 20 feet. • 1500W into 18dBi: • Sqrt(1500) = 38.7x range increase from power • 12dB antenna gain increase -> 16x range • 20*38.7*16 = 12384 feet == 2.35 miles • 1500W is a LOT of power. • 18dBi is a lot of antenna, too

  24. Obtainable power • 1W into 6dBi = 20 feet. • 300W into 15dBi maximum • Sqrt(300) = 17.3x range increase from power • 9dB antenna gain increase -> 8x range • 20*17.3*8 = 2720 feet == 0.52 miles • 300W into 15dBi is achievable. • Whether it'll do half a mile is another question.
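An added Python calculator (not from the talk) that reproduces the scaling arguments of slides 20, 23 and 24 from the stated base case of 1 W into 6 dBi = 20 ft, and beside each figure gives a Friis-style estimate in which range scales with the square root of EIRP, so a reader sizing the skimming risk can see how much of each projected range rests on the "3 dB doubles range" rule versus the "sqrt(power) sets range" rule. The base case and the three scenarios are the slides' own numbers; the function names are mine.

```python
import math

# Base case stated on the slides: 1 W into a 6 dBi antenna reads at 20 ft.
BASE_FT, BASE_W, BASE_DBI = 20.0, 1.0, 6.0
FT_PER_MILE = 5280.0


def db_to_linear(db):
    """Convert a dB (or dBi) figure to a linear power ratio."""
    return 10 ** (db / 10)


def slide_range_ft(p_w, g_dbi, base_ft=BASE_FT, base_w=BASE_W, base_dbi=BASE_DBI):
    """Range estimate using the slides' two rules of thumb:
    range grows with sqrt(power ratio), and every extra 3 dB of
    antenna gain doubles range.  The slide figures differ slightly
    because they round sqrt(10) to 3.1 and sqrt(300) to 17."""
    power_factor = math.sqrt(p_w / base_w)
    gain_factor = 2 ** ((g_dbi - base_dbi) / 3)
    return base_ft * power_factor * gain_factor


def friis_range_ft(p_w, g_dbi, base_ft=BASE_FT, base_w=BASE_W, base_dbi=BASE_DBI):
    """Forward-link-limited estimate (the tag needs a fixed amount of
    power to wake up): free-space path loss goes as 1/r^2, so range
    scales with sqrt(EIRP), where EIRP = Tx power * antenna gain.
    This applies the slides' own 'sqrt(power) sets range' rule to the
    whole EIRP, so a 6 dB gain increase doubles range rather than
    quadrupling it."""
    eirp_ratio = (p_w * db_to_linear(g_dbi)) / (base_w * db_to_linear(base_dbi))
    return base_ft * math.sqrt(eirp_ratio)


def ft_to_miles(ft):
    """Convert feet to statute miles."""
    return ft / FT_PER_MILE


if __name__ == "__main__":
    # The three scenarios from the talk: ThingMagic's test rig,
    # the Part 15 legal maximum, and the "obtainable" amplifier.
    for label, p_w, g_dbi in [("10 W into 12 dBi", 10, 12),
                              ("1500 W into 18 dBi", 1500, 18),
                              ("300 W into 15 dBi", 300, 15)]:
        s, f = slide_range_ft(p_w, g_dbi), friis_range_ft(p_w, g_dbi)
        print(f"{label:>20}: slide rule {s:8.0f} ft ({ft_to_miles(s):.2f} mi), "
              f"sqrt(EIRP) {f:8.0f} ft ({ft_to_miles(f):.2f} mi)")
```

Either model leaves a unique, unauthenticated identifier readable from hundreds of feet, which is the point of the slides that follow.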

  25. Easy power! • 902-928MHz: USA ISM band • GSM-900: • 870-915MHz uplink • 915-960MHz downlink • A GSM-900 repeater should work • GSM is 0.25W max, so no Tx power gain • Range limited by powering the chip • Might have no need for the Rx side • A GSM-900 handset should work too • (Adi Shamir, RSA)

  26. Reality check • Ranges calculated from Radar Range Equation • Reality is far more complex • 300W is a LOT of power • UHF amps are expensive :( • Antennas are cheap • Easy (10-15x) range gains • Reader is tied to the AN400 – not sure how • World Record attempt at Defcon? • 213 feet can be beaten, no question.

  27. Bring it on!

  28. Why does range matter? • 200+ feet, unique identifier. • No federal anti-skimming law • CA and WA have RFID law • WA has no security exception :( • Could correlate “just a number” to: • Digital photos when you see the tag • See a tag twice, look for the same face twice • Other identifiers (credit card, etc) • Anything you like that forms an “identity”

  29. Scary scenarios • If every drivers license has RFID, you can: • Track everyone in a shopping mall, in realtime • Verify identities by correlating credit card receipts • Expect to see people selling matched IDs • Real Soon Now. • Spot a group of Americans from outside the blast radius.

  30. Why is the RFID there? • http://www.dhs.gov/xnews/releases/pr_1161115330477.shtm • Fact Sheet: Western Hemisphere Travel Initiative (WHTI) Passport Card Technology Choice: Vicinity RFID: • Line 3: “...enhancing the security of our citizens and travelers...” • How does this RFID technology add security?

  31. So why is it there? • Reason #2: “Facilitating cross-border travel” • Raytheon managed 4% - 13% reads • EPC Class 1 Generation 1 • The RFID has no security, but it's a passport. • The card itself has security... • ...but that gets checked by a CBP agent... • ...who has to hand-inspect every card. • How has RFID sped this up?

  32. So why is it there??!?! • Theory: Extra time to look you up. • RFID doesn't speed things up for you... • ...it gives the databases longer to crunch. • Everyone's databases.

  33. What to do? • Scrap WHTI. • Blame Bush. • Save money. • RealID has potential (but is a mess) • Who pays for it? (ask Janet Napolitano!) • No RFID please! • Contact Smartcard is acceptable. • Roll up WHTI needs into RealID • Rework it, incorporating privacy concerns

  34. Name that quote... Don't take my word for it!

  35. Who said... “...unique attributes EPC Gen 2 tags lack–i.e., the ability to securely manage, store and provide access to data on the card, perform complex functions (for example, encryption and mutual authentication) and interact intelligently via RF” “EPC tags release their identifiers and product information to any compatible reader” “EPC tags are subject to cloning.“ “[A]n eavesdropper merely has to overhear the tag’s transmission to intercept data or passwords.”

  36. http://www.smartcardalliance.org/pages/publications-epc-gen2-faq

  37. Who said... “A potential illicit hacker could very easily read (again, from a distance) the unique ID contained ... and easily create a duplicate.“ “All the potential terrorist need do is be sure that the holder of the fake card resembles the holder of the true WHTI card in order to pass a cursory visual inspection.”

  38. http://www.aeanet.org/governmentaffairs/AeA_Letter_Jan_30_2006.asp

  39. Who said... “RFID appears to offer little benefit when compared to the consequences it brings for privacy and data integrity. Instead, it increases risks to personal privacy and security, with no commensurate benefit for performance or national security.” “For these reasons, we recommend that RFID be disfavored for identifying and tracking human beings.”

  40. Department of Homeland Security Data Privacy and Integrity Advisory Committee http://www.rfidjournal.net/PDF_download/privacy_advcom_rpt_rfid_draft.pdf

  41. Who said... (on the subject of EPC Gen2 tags in WHTI): "State and DHS do not appear to have tested this technology for use in a personal ID card ... I urge State and DHS to give careful consideration to concerns that it has chosen the wrong technology for its program."

  42. Secretary of State Hillary Clinton http://www.gcn.com/online/vol1_no1/42815-1.html

  43. One Track Mind

  44. Coming up... • Right now: http://www.rfidhackers.com • That domain should not have been available. • This was Phase 1 • A.K.A. “Demonstrating the point” • Now begins Phase 2 • A.K.A. “Teabagging”

  45. GNU Radio & USRP • Software-defined radio (like the XR400) • Universal Software Radio Peripheral • The name is no exaggeration • UW have a working EPC Gen2 implementation • Build a sniffer. • Build a card emulator. • Perform DPA against the card. • (Thank you, Ettus Research!)

  46. Upping the power • 213 feet target to start with. • 10W is easy • 15dBi is easy • Should be enough to start with (~400 feet?) • Have kit? Mail me! • Better yet, join the forums!

  47. RFID defense: EMP weapons • Kill tags! (iPods, too, if you're not careful) • CCC's disposable camera • Nowhere near enough power. • Big capacitors from eBay • Getting there... • Ultracapacitors? • Pricey. • Slow. • Huge amounts of power :)

  48. World Record Attempt • 2 potential records: • Longest range at which an unpowered tag can be read. • Longest range at which a tag can be eavesdropped. • Need people... • Need equipment... • Nevada desert is perfect... • Watch this space!

  49. ivegotta@tombom.co.uk http://www.rfidhackers.com (Twitter and Facebook, too) Questions?
