EDL Cloning for $250 Chris Paget [email protected] ShmooCon 2009


Page 1: EDL Cloning for $250

EDL Cloning for $250

Chris Paget, [email protected]

ShmooCon 2009

Page 2: EDL Cloning for $250

<meta>

Hack the con!

Press Coverage / Demos

Beer

Page 3: EDL Cloning for $250

Break It!

Page 4: EDL Cloning for $250

What is WHTI?

Western Hemisphere Travel Initiative

People Access Security Service (PASS)

Electronic Drivers License (EDL)

NEXUS

FAST

SENTRI

Land and Sea entry only (no air travel)

Includes RFID “to help speed the entry process”

Page 5: EDL Cloning for $250

RFID in WHTI

EPC Class 1 Generation 2

That's an electronic product code – compare UPC

Technical specs:

96-bit ID number

900MHz ISM band operation (woohoo!)

30ft read range, by design

No encryption

Irrelevant or nonexistent authentication

Not a magnetic coupling (more like RADAR)

Page 6: EDL Cloning for $250

EPC Gen2 Auth

Yes, it's another barcode.

Incorporates “Lock” and “Kill” s3kr3t k0d3z

Unlock to change tag ID

Kill code disables tag

Both are broadcast with 1W of CW @ 900MHz

Really easy to sniff

MGS uses 1.3W @ ~450MHz

Differential Power Analysis

In case you don't want to mess with DHS

Page 7: EDL Cloning for $250

EPC Gen2 Reader Auth

Password-protected admin interface

Disable the reader, query tags. Woo.

No authentication whatsoever on API port

If you can get SYN|ACK from TCP/3000, you're in

Enterprise-grade hardware

Designed to be networked & integrated

Also designed to be a black box component

No low-level hacking :(

Page 8: EDL Cloning for $250

Connect the dots...

Passport cards use EPC Gen2 RFID tags

EPC Gen2 RFID tags have no security (although this kit has limits)

EPC Gen2 tags are intended to be read at 30ft

Read and copy passports from 30 feet away.

ORLY?

Page 9: EDL Cloning for $250

YA RLY :)

Page 10: EDL Cloning for $250

Build It!

Page 11: EDL Cloning for $250

Budgeting

ACLU: “We have budget! Not much, but some!”

Reader: $3000

Antenna: $500

Cables: $100

Total: $3600

Budget fail :(

Page 12: EDL Cloning for $250

to the rescue!

Reader: $80 + $12.41

Antenna: $65 + $32.60

Cables: $49.98 + $9.90

Total: $249.89 (only $195 + shipping!)

$3k of reader for $90? 97% off retail? No surprise - it didn't work.

Page 13: EDL Cloning for $250

Ball Grid Array (BGA)

No pins – solder balls join the chip to the board

Page 14: EDL Cloning for $250

BGA weakness

Thermal cycling leads to cracking

Very common failure mode

Xbox 360 RROD = BGA failure

Simple test: Push down on the chips

Page 15: EDL Cloning for $250

Fixing BGA fractures

Easy: Reheat until the solder balls melt

The “towel trick”: Wrong. Bad. Ugly. No.

Toaster oven: Too slow. Not manly enough.

Page 16: EDL Cloning for $250

Heat Gun BGA fixing

$20 from Lowes - “High” and “Low” settings.

http://www.youtube.com/watch?v=DVttOR_uez4

1) Remove circuit board.

2) Cover plastic components with tinfoil.

3) 2 minutes low heat, both sides.

4) 2 minutes high heat, chips only.

5) 2 minutes low heat, topside only.

Page 17: EDL Cloning for $250

Coding for the XR400

Windows CE 5.1

Ugly as hell, but there if you need it

Embedded Visual C++ 4.0

Was free on the web, now on MSDN

Platform SDK is free: https://docs.symbol.com/KanisaPlatform/Publishing/837/11753_f.html

Also has the Device Configuration Package

XR400 C API (beta)

Supports native and remote code

https://docs.symbol.com/KanisaPlatform/Publishing/38/10412_f.html

Page 18: EDL Cloning for $250

XR400 C API

Functional, but only just

Expect plenty of random AVs (access violations) from their library

Takes out CE fairly often, too

CE development is nightmarish. Develop locally and port it.

Simple enough to use: RFID_Open(), ConfigureTCPIP()

Docs are OK, but check that functions are supported

Page 19: EDL Cloning for $250

My UI

<insert live demo here>

Source code is at http://www.rfidhackers.com

(or at least, it will be soon)

Page 20: EDL Cloning for $250

Read Range

Limited by the need to power the tag

My setup – 1W into 6dBi antenna

Increase Tx power: sqrt(power) sets range

1W -> 10W gives sqrt(10) = 3.16x range

Increase antenna gain, increase range

6dBi antenna -> 12dBi antenna == 6dB more gain

Every 3dB doubles range

6dB gain -> 4x range

10W into 12dBi should give 20*3.16*4 = 248ft

Page 21: EDL Cloning for $250

Testing the math

ThingMagic tested 10W into 12dBi http://www.slideshare.net/ravipappu/ravi-pappu-google-tech-talk-2008

Slides 12 onwards

100% reads at 65m (213ft)

Don't care about 100% reliability

Any read is a successful read!

Expect something at 248ft

Appears to conform with theory

Page 22: EDL Cloning for $250

Power!

902-928MHz ISM band

Industrial, scientific, medical (Part 15)

Essentially a multipurpose Ham band

Ham operators are primary owners

No limits on antenna gain (no EIRP limit)

18dBi is the practical limit for off-the-shelf

Homebrew helical antennas even better (21dBi+)

1500W Tx power limit

How far?

Page 23: EDL Cloning for $250

Max power!

1W into 6dBi = 20 feet.

1500W into 18dBi:

Sqrt(1500) = 38.7x range increase from power

12dB antenna gain increase -> 16x range

20*38.7*16 = 12384 feet == 2.35 miles

1500W is a LOT of power.

18dBi is a lot of antenna, too

Page 24: EDL Cloning for $250

Obtainable power

1W into 6dBi = 20 feet.

300W into 15dBi maximum

Sqrt(300) = 17.3x range increase from power

9dB antenna gain increase -> 8x range

20*17.3*8 = 2720 feet == 0.52 miles

300W into 15dBi is achievable. Whether it'll do half a mile is another question.
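The scaling rules the deck applies from slide 20 onwards, coded up as an added example (not the author's code), next to the free-space forward-link (Friis) scaling a practitioner would compare them with. The 20 ft baseline, the three transmitters and the 213 ft ThingMagic figure are the slides' own numbers; everything else is the example's construction.

```python
# Added example: the range scaling used in the slides, next to free-space theory.
# Baseline (from the deck): 1 W into a 6 dBi antenna reads a Gen2 tag at ~20 ft,
# and the tag-powering (forward) link is what limits range.
import math

BASE_RANGE_FT = 20.0   # slides: 1 W into 6 dBi = 20 feet
BASE_POWER_W = 1.0
BASE_GAIN_DBI = 6.0
FT_PER_MILE = 5280.0


def db_to_linear(db: float) -> float:
    """Power ratio in dB -> linear ratio (3 dB is ~2x, 6 dB is ~4x)."""
    return 10 ** (db / 10)


def slide_rule_range_ft(power_w: float, gain_dbi: float) -> float:
    """The deck's rules of thumb: sqrt(power) sets range, every 3 dB of gain doubles it."""
    power_factor = math.sqrt(power_w / BASE_POWER_W)
    gain_factor = 2 ** ((gain_dbi - BASE_GAIN_DBI) / 3)
    return BASE_RANGE_FT * power_factor * gain_factor


def friis_forward_range_ft(power_w: float, gain_dbi: float) -> float:
    """Free-space forward link: tag power ~ P*G/R^2, so range ~ sqrt(P*G).

    Here 3 dB of extra gain is only a 1.41x range gain, not 2x. Neither model
    covers multipath, tag orientation or reader sensitivity (the deck's own
    "reality check" slide).
    """
    eirp_ratio = (power_w / BASE_POWER_W) * db_to_linear(gain_dbi - BASE_GAIN_DBI)
    return BASE_RANGE_FT * math.sqrt(eirp_ratio)


def compare(power_w: float, gain_dbi: float) -> dict:
    """Both predictions for one transmitter, in feet and miles."""
    slide = slide_rule_range_ft(power_w, gain_dbi)
    friis = friis_forward_range_ft(power_w, gain_dbi)
    return {"slide_rule_ft": slide, "slide_rule_mi": slide / FT_PER_MILE,
            "friis_ft": friis, "friis_mi": friis / FT_PER_MILE}


if __name__ == "__main__":
    # The three transmitters the slides work through; the ThingMagic data
    # point (10 W into 12 dBi, 100% reads at 213 ft) is the deck's sanity check.
    for label, p, g in (("10 W / 12 dBi", 10, 12), ("300 W / 15 dBi", 300, 15),
                        ("1500 W / 18 dBi", 1500, 18)):
        r = compare(p, g)
        print(f"{label}: slide rule {r['slide_rule_ft']:.0f} ft "
              f"({r['slide_rule_mi']:.2f} mi), free-space {r['friis_ft']:.0f} ft")
    print("measured (ThingMagic, 10 W / 12 dBi): 213 ft")
```

The measured 213 ft sits between the two models' predictions for 10 W into 12 dBi, which is the point of the deck's later "reality check" slide: the baseline measurement dominates the error, so scale from the best data point you have, not from theory alone.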

Page 25: EDL Cloning for $250

Easy power!

902-928MHz: USA ISM band

GSM-900:

870-915MHz uplink

915-960MHz downlink

A GSM-900 repeater should work

GSM is 0.25W max, so no Tx power gain

Range limited by powering the chip

Might have no need for the Rx side

A GSM-900 handset should work too (Adi Shamir, RSA)

Page 26: EDL Cloning for $250

Reality check

Ranges calculated from Radar Range Equation

Reality is far more complex

300W is a LOT of power

UHF amps are expensive :(

Antennas are cheap

Easy (10-15x) range gains

Reader is tied to the AN400 – not sure how

World Record attempt at Defcon?

213 feet can be beaten, no question.

Page 27: EDL Cloning for $250

Bring it on!

Page 28: EDL Cloning for $250

Why does range matter?

200+ feet, unique identifier.

No federal anti-skimming law

CA and WA have RFID law

WA has no security exception :(

Could correlate “just a number” to:

Digital photos when you see the tag

See a tag twice, look for the same face twice

Other identifiers (credit card, etc)

Anything you like that forms an “identity”

Page 29: EDL Cloning for $250

Scary scenarios

If every drivers license has RFID, you can:

Track everyone in a shopping mall, in realtime

Verify identities by correlating credit card receipts

Expect to see people selling matched ID's Real Soon Now.

Spot a group of Americans from outside the blast radius.

Page 30: EDL Cloning for $250

Why is the RFID there?

http://www.dhs.gov/xnews/releases/pr_1161115330477.shtm

Fact Sheet: Western Hemisphere Travel Initiative (WHTI) Passport Card Technology Choice: Vicinity RFID, line 3: “...enhancing the security of our citizens and travelers...”

How does this RFID technology add security?

Page 31: EDL Cloning for $250

So why is it there?

Reason #2: “Facilitating cross-border travel”

Raytheon managed 4% - 13% reads

EPC Class 1 Generation 1

The RFID has no security, but it's a passport.

The card itself has security...

...but that gets checked by a CBP agent...

...who has to hand-inspect every card.

How has RFID sped this up?

Page 32: EDL Cloning for $250

So why is it there??!?!

Theory: Extra time to look you up.

RFID doesn't speed things up for you... ...it gives the databases longer to crunch.

Everyone's databases.

Page 33: EDL Cloning for $250

What to do?

Scrap WHTI. Blame Bush. Save money.

RealID has potential (but is a mess)

Who pays for it? (ask Janet Napolitano!)

No RFID please!

Contact Smartcard is acceptable.

Roll up WHTI needs into RealID

Rework it, incorporating privacy concerns

Page 34: EDL Cloning for $250

Don't take my word for it!

Name that quote...

Page 35: EDL Cloning for $250

Who said...

“...unique attributes EPC Gen 2 tags lack–i.e., the ability to securely manage, store and provide access to data on the card, perform complex functions (for example, encryption and mutual authentication) and interact intelligently via RF”

“EPC tags release their identifiers and product information to any compatible reader”

“EPC tags are subject to cloning.”

“[A]n eavesdropper merely has to overhear the tag’s transmission to intercept data or passwords.”

Page 36: EDL Cloning for $250

http://www.smartcardalliance.org/pages/publications-epc-gen2-faq

Page 37: EDL Cloning for $250

Who said...

“A potential illicit hacker could very easily read (again, from a distance) the unique ID contained ... and easily create a duplicate.”

“All the potential terrorist need do is be sure that the holder of the fake card resembles the holder of the true WHTI card in order to pass a cursory visual inspection.”

Page 38: EDL Cloning for $250

http://www.aeanet.org/governmentaffairs/AeA_Letter_Jan_30_2006.asp

Page 39: EDL Cloning for $250

Who said...

“RFID appears to offer little benefit when compared to the consequences it brings for privacy and data integrity. Instead, it increases risks to personal privacy and security, with no commensurate benefit for performance or national security.”

“For these reasons, we recommend that RFID be disfavored for identifying and tracking human beings.”

Page 40: EDL Cloning for $250

Department of Homeland Security Data Privacy and Integrity Advisory Committee

http://www.rfidjournal.net/PDF_download/privacy_advcom_rpt_rfid_draft.pdf

Page 41: EDL Cloning for $250

Who said...

(on the subject of EPC Gen2 tags in WHTI):

"State and DHS do not appear to have tested this technology for use in a personal ID card ... I urge State and DHS to give careful consideration to concerns that it has chosen the wrong technology for its program."

Page 42: EDL Cloning for $250

Secretary of State Hillary Clinton

http://www.gcn.com/online/vol1_no1/42815-1.html

Page 43: EDL Cloning for $250

One Track Mind

Page 44: EDL Cloning for $250

Coming up...

Right now: http://www.rfidhackers.com

That domain should not have been available.

This was Phase 1, A.K.A. “Demonstrating the point”

Now begins Phase 2, A.K.A. “Teabagging”

Page 45: EDL Cloning for $250

GNU Radio & USRP

Software-defined radio (like the XR400)

Universal Software Radio Peripheral

The name is no exaggeration

UW have a working EPC Gen2 implementation

Build a sniffer. Build a card emulator. Perform DPA against the card.

(Thank you, Ettus Research!)

Page 46: EDL Cloning for $250

Upping the power

213 feet target to start with.

10W is easy

15dBi is easy

Should be enough to start with (~400 feet?)

Have kit? Mail me!

Better yet, join the forums!

Page 47: EDL Cloning for $250

RFID defense: EMP weapons

Kill tags! (iPods, too, if you're not careful)

CCC's disposable camera: Nowhere near enough power.

Big capacitors from eBay: Getting there...

Ultracapacitors? Pricey. Slow. Huge amounts of power :)

Page 48: EDL Cloning for $250

World Record Attempt

2 potential records:

Longest range at which an unpowered tag can be read.

Longest range at which a tag can be eavesdropped.

Need people... Need equipment... Nevada desert is perfect...

Watch this space!

Page 49: EDL Cloning for $250

Questions?

[email protected]

http://www.rfidhackers.com

(Twitter and Facebook, too)