ShmooCon 2022: RFID Key Cloning for Angry Bikers

1. An Introduction to RFID Cloning ( for angry bikers ) Gabe Schuyler @gabe_sky ShmooCon 2022
2. The motivation • Garage gate w/ RFID • Gloves • Two-handed vehicle • "It's so easy ..." Gabe Schuyler @gabe_sky ShmooCon 2022
3. Passive RFID • A flashlight and a mirror • Flashlight: send binary in flashes • Mirror: reflect binary response Gabe Schuyler @gabe_sky ShmooCon 2022
4. Frequencies & Chips • 125 kHz (low frequency) • HID ProxCard • EM41xx • T55xx chips • 13.56 MHz (high frequency) • HID iClass • MIFARE Classic Gabe Schuyler @gabe_sky ShmooCon 2022
5. Ten bucks on eBay • Cheap • Works • Quirky • Get rewritable tags! Gabe Schuyler @gabe_sky ShmooCon 2022
6. A few bucks more • Proxmark 3 • Does it all • Open source Gabe Schuyler @gabe_sky ShmooCon 2022
7. Read • Facility code • Card number Gabe Schuyler @gabe_sky ShmooCon 2022
8. Write • T55xx Gabe Schuyler @gabe_sky ShmooCon 2022
9. Form factors • Fobs • Cards • Keys • Injectable • and Rings! Gabe Schuyler @gabe_sky ShmooCon 2022
10. "Open!" Gabe Schuyler @gabe_sky ShmooCon 2022
11. Go experiment! Gabe Schuyler @gabe_sky ShmooCon 2022

Notas do Editor

Hey I'm Gabe.
I don't speak for my employer; in fact, the bio is dated, so I couldn't if I wanted to.
Here's my mother of invention. My building's garage requires an RFID key, to open it. But I ride a motorcycle, which takes two hands to operate. So I found myself stopping at the corner, stuffing my key into my glove, and trying to ride like that. I've always heard people say "it's so easy" to clone these, so I decided to see if it's true. (Spoiler: yes.)
Passive means no battery. To completely and vastly oversimplify, imagine I have a flashlight, and want to communicate with you. What if I gave you a mirror? I can beam binary at you. And if I just send a steady beam, you can use the mirror to reflect in a binary pattern, to beam your reply.
Every tag has a chip in it, and an antenna. (You'll need to do research.) There are two main frequencies in use for access keys. My experience suggests simple keys are usually on 125 kHz. And the fancier ones are high frequency. But in reality the frequency doesn't necessarily correlate with complexity.
So if all you want to do is copy a low frequency tag (like mine), you can get a handheld cloner for ten bucks. But some do weird stuff. Among these things are setting the read-only bit, or adding a password. (The password is most likely 51243648.)
Also, make sure to buy rewritable tags. Some are just a serial number burned in with no ability to change it.
If you want to experiment more deeply, you'll need to get a proxmark 3. It has antennas to work with both low-frequency and high-frequency tags. (It even does NFC.) It's compatible with tons of chipsets. And it's open source, so you can add/fix things yourself!
Step one, read. My tag lacks encryption, so it's easy to read. (Likely yours is unencrypted, as well.) What I need is the HID "facility code" (FC) (i.e. building number) and my "card number" (CN) (think: key pinning).
And then I write to my rewritable tag. Again, not encrypted, so it's super simple. And that's it, I have a copy!
But let's keep the original purpose in mind, which is to not have to fumble to get out my key. There are tons of form-factors out there, after all, all you need is a coil of antenna and a chip. And guess what, you can get a ceramic ring with those components embedded in it. Now I can just wave my gloved hand at the reader and ride on in.
Here's the proof.
And that's it ... if you've got ten bucks, something from China can copy it.
Or pick up a Proxmark and go down the rabbit hole.
But it really is "so easy to copy those."
I have my tools and a bunch of blanks so please grab me if you want to try it!

ShmooCon 2022: RFID Key Cloning for Angry Bikers

Esté a ler uma amostra.

Confira estes a seguir

ShmooCon 2022: RFID Key Cloning for Angry Bikers

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Mais de Gabriel Schuyler (10)

Mais recentes (20)

ShmooCon 2022: RFID Key Cloning for Angry Bikers

Notas do Editor