|19 Apr||Wednesday||09:00 to 17:00 CEST/GMT+2||8 Hours|
|20 Apr||Thursday||09:00 to 17:00 CEST/GMT+2||8 Hours|
During this training’s practical hands-on exercises, we will clone, crack, simulate and brute-force both “Low Frequency” 125kHz RFID (EM, HID Prox, …) as well as “High Frequency” 13.56MHz (Mifare, iClass, DESFire, ISO15693, …) – using dedicated hardware (trainees get to keep these!), or in some cases with just a typical smartphone. We will examine and attack communication between the reader and access controller. We will also exploit reader vulnerabilities allowing to unlock without the need to have a valid card, and reverse-engineer a sample hotel system and create an “emergency” card that will unlock unconditionally all the doors in the facility – having nothing more than just a guest card and a phone.
The training aims not only to raise awareness about the weaknesses of legacy systems, but also provide a solid insight of current technologies which are regarded as more secure. We will abuse implementation flaws and perform remote relay and downgrade attacks on both latest HID SEOS as well as DESFire access control installations. Attendees will also learn how to approach modern contactless smart cards and analyse currently trending mobile access control systems (phone acting as an NFC tag) – based among others on real vulnerabilities of a sample system.
1. Short introduction
a) RFID/NFC – where do I start?
b) Frequencies, card types, usage scenarios.
c) How to recognize card type – quick walkthrough.
d) Equipment, and what can you do with it – mobile phone, card reader, simple boards, Chameleon Mini, Proxmark, other hardware.
2. UID-based access control
a) Introduction – simple, still surprisingly common technologies
b) Communication between a reader and tag.
c) What is stored on the tag?
d) Low Frequency EM410X (“unique”), HID Prox, …, High Frequecy Mifare UID
e) Cloning card’s UID – cloners, Proxmark, Chameleon, mobile phone, …
f) Simulating (Proxmark, Chameleon, mobile phone,…), brute-forcing.
g) Interpreting markings on the tag, decoding UID from the picture.
h) Sample vulnerability of simple access control reader that allows to unlock it without the need to have a valid card.
i) Countermeasures against attacks
3. Wiegand – typical transmission between the reader and access controller
a) Theory introduction, signal DATA0, DATA1
b) Wiegand sniffers, implants, transmitters – hardware, open source software
c) Decoding card UID from sniffed bytes, clone the card
d) Replay card data on the wire to open lock
4. Mifare Ultralight, NTAG
a) Data structure.
b) Reading, cloning, emulating.
c) Example data stored on a hotel guest card.
d) Ultralight EV1, C.
5. Mifare Classic & its weaknesses – practical exercises based on hotel door lock system, ski lift card, bus ticket
a) Mifare Classic – data structure, access control, keys, encryption.
b) Default, leaked keys.
c) Reading and cloning card data using just a mobile phone.
d) Cracking keys using various attacks and tools (Proxmark, libnfc, Chameleon).
e) Attacks on EV1 “hardened” Mifare Classic.
f) Online attacks against the reader.
6. Reverse-engineering data stored on a sample hotel system guest card
a) Decoding access control data (room number, date) stored on the hotel guest card.
b) Creating hotel “emergency card” to open all the hotel doors unconditionally, having only sample guest card.
7. Mifare DESFire
a) Introduction, data format, access modes.
b) Creating sample tag for DESFire access control system.
c) Publicly known attacks (misconfiguration, implementation issues) in smart locks, access control, ticketing systems.
a) Cloning ISO15693 UID on a “magic UID” card, unlocking smart lock.
b) Data of several example ski passes.
9. HID iClass
a) Cloning “legacy” / “standard security” iClass.
b) Attacks on iClass Elite.
c) Downgrade attacks.
10. Remote relay attacks against NFC/ISO1443
a) Introduction: research, tools, possibilities and limitations.
b) Practical remote relay of iClass SEOS and DESFire access control.
11. Sample Hitag2 access contol – sniffing password mode, simulating tags
12. Host Card Emulation – smartphone as NFC tag
a) Hardware Secure Element vs software Host Card Emulation
b) Protocols, commands, applications – ISO14443-4, 7816-4, APDU, AID, …
c) Example vulnerable HCE access control system (unlocking door using your NFC phone) – sample vulnerabilities.
d) NFC communication analysis: sniffing using Proxmark, dumping on the phone.
13. Intercepting card data from distance – antennas, possibilities and limits.
Trainer, speaker, pentester and IT security consultant with over 15 years of experience. Participated in countless assessments of systems’ and applications’ security for leading financial companies, public institutions and cutting edge tech startups. Has an MSc in automation&robotics, developed secure embedded systems certified for use by national agencies.
Currently Slawomir researches security of new technologies (especially Bluetooth Low Energy and NFC/RFID) and provides relevant trainings – based among others on electronic locks and access control systems (www.smartlockpicking.com). Beside research and training, he focuses on consulting and designing of secure solutions for various software and hardware projects, during all phases – starting from a scratch.
Previously gave talks, workshops or trainings at HackInTheBox Amsterdam, BlackHat USA, HITB Cyberweek, HackInParis, multiple Appsec EU, Deepsec, BruCON, Confidence, Devoxx and many other events.
Training score :
Course material: 91%
“Well prepared training, due to the amount of tools and equipment also easy to continue at home.”
“Trainer did a good job in preparing all the labs. Really gorgeous.”
“The best thing with this course is the instructor and our ability to do all exercise back at home.”
“Great instructor, well maintained materials had a lot of experience.”
” I am amazed how well everything is prepared.”
“Great instructor, lot’s of information, topics and exercise to practise at home.”