EDL Cloning for $250
Chris Paget, ShmooCon 2009

Hack the con!
Press Coverage / Demos
Beer

Break It!

What is WHTI?
Western Hemisphere Travel Initiative
People Access Security Service (PASS)
Electronic Drivers License (EDL)
NEXUS
FAST
SENTRI
Land and Sea entry only (no air travel)
Includes RFID “to help speed the entry process”

RFID in WHTI
EPC Class 1 Generation 2
That's an Electronic Product Code – compare UPC
Technical specs:
96-bit ID number
900MHz ISM band operation (woohoo!)
30ft read range, by design
No encryption
Irrelevant or nonexistent authentication
Not a magnetic coupling (more like RADAR)

EPC Gen2 Auth
Yes, it's another barcode.
Incorporates “Lock” and “Kill” s3kr3t k0d3z
Unlock to change tag ID
Kill code disables tag
Both are broadcast with 1W of CW @ 900MHz
Really easy to sniff
MGS uses 1.3W @ ~450MHz
Differential Power Analysis
In case you don't want to mess with DHS

EPC Gen2 Reader Auth
Password-protected admin interface
Disable the reader, query tags. Woo.
No authentication whatsoever on API port
If you can get SYN|ACK from TCP/3000, you're in
Enterprise-grade hardware
Designed to be networked & integrated
Also designed to be a black box component
No low-level hacking :(

Connect the dots...
Passport cards use EPC Gen2 RFID tags
EPC Gen2 RFID tags have no security
(although this kit has limits)
EPC Gen2 tags are intended to be read at 30ft
Read and copy passports from 30 feet away.
ORLY?

YA RLY :)

Build It!

Budgeting
ACLU: “We have budget! Not much, but some!”
Reader: $3000
Antenna: $500
Cables: $100
Total: $3600
Budget fail :(

to the rescue!
Reader: $80 + $12.41
Antenna: $65 + $32.60
Cables: $49.98 + $9.90
Total: $249.89 (only $195 + shipping!)
$3k of reader for $90? 97% off retail? No surprise - it didn't work.

Ball Grid Array (BGA)
No pins – solder balls join the chip to the board

BGA weakness
Thermal cycling leads to cracking
Very common failure mode
Xbox 360 RROD = BGA failure
Simple test: Push down on the chips

Fixing BGA fractures
Easy: Reheat until the solder balls melt
The “towel trick”: Wrong. Bad. Ugly. No.
Toaster oven: Too slow. Not manly enough.

Heat Gun BGA fixing
$20 from Lowes - “High” and “Low” settings.
http://www.youtube.com/watch?v=DVttOR_uez4
1) Remove circuit board.
2) Cover plastic components with tinfoil.
3) 2 minutes low heat, both sides.
4) 2 minutes high heat, chips only.
5) 2 minutes low heat, topside only.

Coding for the XR400
Windows CE 5.1
Ugly as hell, but there if you need it
Embedded Visual C++ 4.0
Was free on the web, now on MSDN
Platform SDK is free: https://docs.symbol.com/KanisaPlatform/Publishing/837/11753_f.html
Also has the Device Configuration Package
XR400 C API (beta)
Supports native and remote code
https://docs.symbol.com/KanisaPlatform/Publishing/38/10412_f.html

XR400 C API
Functional, but only just
Expect plenty of random AVs from their library
Takes out CE fairly often, too
CE development is nightmarish. Develop locally and port it.
Simple enough to use: RFID_Open(), ConfigureTCPIP()
Docs are OK but check functions are supported

My UI
<insert live demo here>
Source code is at http://www.rfidhackers.com
(or at least, it will be soon)

Read Range
Limited by the need to power the tag
My setup – 1W into 6dBi antenna
Increase Tx power: sqrt(power) sets range
1W -> 10W gives sqrt(10) = 3.16x range
Increase antenna gain, increase range
6dBi antenna -> 12dBi antenna == 6dBi gain
Every 3dB doubles range
6dBi gain -> 4x range
10W into 12dBi should give 20*3.16*4 = 248ft

Testing the math
ThingMagic tested 10W into 12dBi
http://www.slideshare.net/ravipappu/ravi-pappu-google-tech-talk-2008
Slides 12 onwards
100% reads at 65m (213ft)
Don't care about 100% reliability
Any read is a successful read!
Expect something at 248ft
Appears to conform with theory

Power!
902-928MHz ISM band
Industrial, scientific, medical (Part 15)
Essentially a multipurpose Ham band
Ham operators are primary owners
No limits on antenna gain (no EIRP limit)
18dBi is the practical limit for off-the-shelf
Homebrew helical antennas even better (21dBi+)
1500W Tx power limit
How far?

Max power!
1W into 6dBi = 20 feet. 1500W into 18dBi:
Sqrt(1500) = 38.7x range increase from power
12dB antenna gain increase -> 16x range
20*38.7*16 = 12384 feet == 2.35 miles
1500W is a LOT of power. 18dBi is a lot of antenna, too

Obtainable power
1W into 6dBi = 20 feet. 300W into 15dBi maximum
Sqrt(300) = 17.3x range increase from power
9dB antenna gain increase -> 8x range
20*17.3*8 = 2720 feet == 0.52 miles
300W into 15dBi is achievable. Whether it'll do half a mile is another question.

Easy power!
902-928MHz: USA ISM band
GSM-900:
870-915MHz uplink
915-960MHz downlink
A GSM-900 repeater should work
GSM is 0.25W max, so no Tx power gain
Range limited by powering the chip
Might have no need for the Rx side
A GSM-900 handset should work too (Adi Shamir, RSA)

Reality check
Ranges calculated from Radar Range Equation
Reality is far more complex
300W is a LOT of power
UHF amps are expensive :(
Antennas are cheap
Easy (10-15x) range gains
Reader is tied to the AN400 – not sure how
World Record attempt at Defcon?
213 feet can be beaten, no question.

Bring it on!

Why does range matter?
200+ feet, unique identifier.
No federal anti-skimming law
CA and WA have RFID law
WA has no security exception :(
Could correlate “just a number” to:
Digital photos when you see the tag
See a tag twice, look for the same face twice
Other identifiers (credit card, etc)
Anything you like that forms an “identity”

Scary scenarios
If every driver's license has RFID, you can:
Track everyone in a shopping mall, in realtime
Verify identities by correlating credit card receipts
Expect to see people selling matched IDs Real Soon Now.
Spot a group of Americans from outside the blast radius.

Why is the RFID there?
http://www.dhs.gov/xnews/releases/pr_1161115330477.shtm
Fact Sheet: Western Hemisphere Travel Initiative (WHTI) Passport Card Technology Choice: Vicinity RFID
Line 3: “...enhancing the security of our citizens and travelers...”
How does this RFID technology add security?

So why is it there?
Reason #2: “Facilitating cross-border travel”
Raytheon managed 4% - 13% reads
EPC Class 1 Generation 1
The RFID has no security, but it's a passport.
The card itself has security...
...but that gets checked by a CBP agent...
...who has to hand-inspect every card.
How has RFID sped this up?

So why is it there??!?!
Theory: Extra time to look you up.
RFID doesn't speed things up for you... ...it gives the databases longer to crunch.
Everyone's databases.

What to do?
Scrap WHTI. Blame Bush. Save money.
RealID has potential (but is a mess)
Who pays for it? (ask Janet Napolitano!)
No RFID please!
Contact Smartcard is acceptable.
Roll up WHTI needs into RealID
Rework it, incorporating privacy concerns

Don't take my word for it!
Name that quote...

Who said...
“...unique attributes EPC Gen 2 tags lack–i.e., the ability to securely manage, store and provide access to data on the card, perform complex functions (for example, encryption and mutual authentication) and interact intelligently via RF”
“EPC tags release their identifiers and product information to any compatible reader”
“EPC tags are subject to cloning.”
“[A]n eavesdropper merely has to overhear the tag’s transmission to intercept data or passwords.”

http://www.smartcardalliance.org/pages/publications-epc-gen2-faq

Who said...
“A potential illicit hacker could very easily read (again, from a distance) the unique ID contained ... and easily create a duplicate.”
“All the potential terrorist need do is be sure that the holder of the fake card resembles the holder of the true WHTI card in order to pass a cursory visual inspection.”

http://www.aeanet.org/governmentaffairs/AeA_Letter_Jan_30_2006.asp

Who said...
“RFID appears to offer little benefit when compared to the consequences it brings for privacy and data integrity. Instead, it increases risks to personal privacy and security, with no commensurate benefit for performance or national security.”
“For these reasons, we recommend that RFID be disfavored for identifying and tracking human beings.”

Department of Homeland Security Data Privacy and Integrity Advisory Committee
http://www.rfidjournal.net/PDF_download/privacy_advcom_rpt_rfid_draft.pdf

Who said...
(on the subject of EPC Gen2 tags in WHTI):
"State and DHS do not appear to have tested this technology for use in a personal ID card ... I urge State and DHS to give careful consideration to concerns that it has chosen the wrong technology for its program."

Secretary of State Hillary Clinton
http://www.gcn.com/online/vol1_no1/42815-1.html

One Track Mind

Coming up...
Right now: http://www.rfidhackers.com
That domain should not have been available.
This was Phase 1, A.K.A. “Demonstrating the point”
Now begins Phase 2, A.K.A. “Teabagging”

GNU Radio & USRP
Software-defined radio (like the XR400)
Universal Software Radio Peripheral
The name is no exaggeration
UW have a working EPC Gen2 implementation
Build a sniffer. Build a card emulator. Perform DPA against the card.
(Thank you, Ettus Research!)

Upping the power
213 feet target to start with.
10W is easy
15dBi is easy
Should be enough to start with (~400 feet?)
Have kit? Mail me! Better yet, join the forums!

RFID defense: EMP weapons
Kill tags! (iPods, too, if you're not careful)
CCC's disposable camera
Nowhere near enough power.
Big capacitors from eBay
Getting there...
Ultracapacitors?
Pricey. Slow. Huge amounts of power :)

World Record Attempt
2 potential records:
Longest range at which an unpowered tag can be read.
Longest range at which a tag can be eavesdropped.
Need people... Need equipment... Nevada desert is perfect...
Watch this space!