How to Bypass RFID Badge Readers (w/ Deviant Ollam and Babak Javadi) - YouTube
[0]
>> This episode of the Modern Rogue
[1]
brought to you by Privacy.
[2]
>> Go to privacy.com/rogue
[4]
and get five dollars of free money.
[6]
>> Yeah, what's up, free money.
[7]
Hi, knock knock, who's there?
[9]
Free money, ya like it?
[10]
Take it.
[11]
>> Come on in.
[16]
All right, we're back
with Red Team Alliance.
[19]
>> Hey brother.
[20]
>> It's Babak Javadi and Deviant Ollam,
[22]
thank you for joining us, gentlemen.
[23]
>> So last time, you guys
took us on a deep dive
[25]
of what all's in a mag stripe.
[27]
Help me understand why
RFIDs are any better,
[30]
or are they even better?
[32]
>> Marginally.
[33]
[laughing]
[34]
>> Well, that's a ringing endorsement.
[36]
>> I am a little bit more kind.
[38]
I think they are better in a lot of ways,
[39]
but it's important to
understand the limitations,
[41]
just like any of the stuff
that we've talked about
[43]
in the past, with locks,
hotel safes, or otherwise.
[46]
>> Would it be fair to
say that a mag stripe
[47]
is basically a piece of paper
[49]
with numbers written down on it?
[50]
>> Absolutely, that would be fair.
[51]
>> And then this would be, what?
[52]
A miniature computer, basically, or?
[54]
>> That's actually very close, yeah.
[56]
So, what we're doing, when they moved away
[59]
from mag stripe technology to RFID,
[62]
they were looking for long-term
reliability and convenience.
[66]
And also security.
[68]
Go ahead.
[69]
>> RFID is radio frequency identification?
[71]
>> Radio frequency
identification, that is correct.
[73]
Now, it is important
to understand, though,
[75]
that the R, radio, in
RFID, is different than
[78]
how a lot of people can think about radio.
[80]
So normally, like, you know,
[81]
if you're listening to the FM radio,
[83]
you have a station transmitting
and then you have receiving.
[87]
And that can happen over
a distance of, you know,
[89]
miles, tens of miles.
[91]
>> Right, you have a power source--
[92]
>> Exactly.
>> In fact, as we learned
[93]
about with HAM radio licenses,
[94]
sometimes very intense power sources.
[97]
And then other people
receiving the signal.
[98]
>> Right, with RFID, it's
not a similar situation.
[100]
You can't really do like
super-long range transmissions.
[103]
>> Yeah, it's not broadcasting radio.
[104]
>> That's right.
[105]
So you know, we talked
about how on the mag stripe,
[108]
it's just magnetizing parts of that rust,
[110]
that dark rust basically.
>> Like a barcode.
[111]
>> Exactly, right.
[113]
And instead, they, you
know, back in the '70s,
[116]
developed a technology that allowed them
[120]
to electromagnetically couple with a coil
[124]
that powers up this chip.
[125]
And then that chip is able
to talk back to the reader
[128]
just by modulating its power draw.
[131]
>> Wait, that's been
around since the '70s,
[133]
but it was only introduced into debit
[135]
and credit cards in the United
States a couple of years ago?
[139]
>> Broadly, so, that's, this is like
[142]
the predecessor to what you see today.
[144]
>> Gotcha.
[145]
>> So this is like old, old
original generation technology.
[148]
And then now what you have today is
[151]
a lot of other stuff added on top of it.
[153]
>> An iteration of it, okay.
[154]
>> Yes, many iterations, actually.
[155]
>> Am I right, and forgive me
if I'm so wrong about this,
[157]
but is this the same kind of thing
[159]
that charges my toothbrush,
[160]
where it's like there's a magnet--
[161]
>> Same kind of technology.
[162]
>> Okay.
>> Exactly.
[163]
>> And so this is--
>> And your phone as well.
[164]
>> Look at this, with his
fancy electronic toothbrush!
[169]
>> No, but like, I remember, I
remember in elementary school
[171]
building a generator, right?
[173]
You take a magnet and you
spin it around or whatever,
[175]
so there's waves, and
then this looks like
[178]
the receiving part of the generator.
[179]
>> Similar idea, in fact,
[180]
we have something that can show you.
[183]
So, this is super cool,
[184]
a lot of people have
made devices like this.
[186]
This is basically just a circuit
board with some LEDs on it,
[190]
and some coils.
[191]
>> I'm going to be honest with you,
[192]
this looks like this grants you access
[193]
to some crazy supervillain club.
[195]
>> It could, or it could just be a card
[199]
that when you present
it in front of a reader,
[201]
you'll notice that the LEDs that light up
[203]
indicate that a reader is
somewhere in the vicinity,
[206]
and it's able to draw that
power from the reader.
[208]
>> So that card has no battery in it.
[210]
>> That's correct.
>> That card doesn't
[211]
have its own power source.
[212]
Whenever you see a reader like this,
[213]
it's always offering power right
into the world right there.
[216]
>> So anybody who's weird
about electromagnetic radiation
[219]
better be scared of these
all the time, you know.
[222]
>> I promise you they already are.
[225]
>> So these guys are
radiating power at all times.
[228]
>> Yes, within a very small bubble,
[230]
if that makes you feel
any better, but yeah.
[232]
>> Sure, the RFID card,
[233]
I didn't know that it had an actual chip.
[235]
For some reason, I thought it
was just a number basically,
[239]
similar to a mag stripe.
[241]
>> In effect, what we're
doing is we're changing
[243]
how that number is transmitted.
[244]
It is still just a number,
[246]
but instead of it being
read off a magnetic stripe,
[249]
it's just being transmitted wirelessly.
[251]
The actual content is not changing,
[253]
the means by which we transmit
the content is changing.
[256]
It's the difference between
me writing down a note
[259]
and handing it to you and me
telling it to you verbally.
[262]
>> So, in other words,
this thing is asleep
[263]
until you hold it and it gets power,
[265]
then it wakes up and it goes,
[266]
hello, I am 1266742!
[268]
>> Over and over and over
and over again, you got it.
[271]
>> Is it re-programmable, though?
[273]
>> Some are, the newer versions are.
[275]
>> Okay, so some of them
have actual memory in them.
[276]
>> Yes, we're actually going to see
[277]
how we can take advantage of that.
[278]
>> Ooh, ooh, ooh, ooh.
[279]
>> Yes, yes, be excited.
[281]
>> All right, and since
this is the Modern Rogue,
[283]
why should I be afraid?
[284]
>> I would actually
call it being informed.
[286]
Here's why you should be informed, right?
[288]
For example, Dev there has our friendly
[291]
baggage handler's badge.
[293]
>> From your local airport?
[294]
>> From your local airport.
[295]
>> BRIAN: Got it, okay.
[297]
>> And that grants him access
to that particular door.
[300]
Now, what we're going to do is
[301]
we're going to walk through a very basic
[303]
card cloning technique just to show you
[305]
how easily that number that we
discussed can be duplicated.
[308]
So right now, we have this
card here and that works.
[311]
And this card here, again,
[312]
this is the same as
any other kind of card,
[315]
the only difference is
we had these custom made
[317]
with clear PVC, just so you
can see all the goodies inside.
[320]
>> Now, is that the kind of
microchip where all it does
[322]
is shout out a number?
>> Yes, it is.
[324]
>> But I'm going to
guess that maybe it's--
[327]
>> It's re-programmable,
it's re-programmable.
[328]
>> Yeah, so it's basically that
plus a little bit of memory--
[331]
>> Correct.
>> So that you can change it.
[332]
>> 100% right.
>> Got it, got it.
[334]
>> Exactly.
[334]
So right now, this card
here doesn't work, right?
[338]
So, what we're going to
do is we're going to use
[339]
an open-source tool called the Proxmark 3,
[342]
and we're going to read
the data off of that card.
[345]
>> And I assume this is
available via the internet.
[348]
>> It is, it is available
indeed on the internet.
[351]
So here we have the
number that we discussed
[354]
is actually saved inside this card,
[356]
and that's what's being presented
[358]
to the reader anytime it powers up.
[359]
>> Now, how complicated are those numbers?
[361]
Are we talking like four-digit,
[362]
or is it something lengthy and complex?
[366]
>> Not as long as you might think.
[368]
Anywhere between 26 and
44 bits of binary data,
[373]
which is not a very long number.
[374]
>> Yeah, yeah, what about
the technical side of things?
[377]
Because this looks pretty, like,
[378]
if I could buy one of these,
[379]
I assume this software is
not terribly complicated.
[381]
>> Unfortunately this particular software
[385]
is a little bit more
clunky than I would like.
[387]
>> It's open source, man!
>> Yeah.
[388]
>> It's going to work better.
>> You can just fix it.
[390]
>> Yeah, exactly.
>> Got it, okay,
[391]
so, get ready for 20
minutes when all of a sudden
[393]
anybody can do any of this.
[394]
>> It's all totally
understandable and graspable
[397]
if you're willing to invest the time.
[398]
>> So at this point,
we've captured the number.
[400]
I assume it's just like
the mag stripe thing.
[402]
You're going to do something
where you program the thing.
[404]
>> I am going to do something.
[405]
Right, the first something I'm going to do
[407]
is I'm going to turn this into a card.
[410]
>> Okay.
[411]
>> So, because this can be reprogrammed
[413]
to behave as a reader or as a card,
[416]
I can actually tell it instead of reading,
[420]
what I'll do is I'll give it a command
[423]
to simulate that same data.
[425]
>> So right now, it's just blasting.
[427]
It's using its own source of power,
[428]
it's not drawing from that--
>> That's correct.
[430]
>> Okay, it's just
screaming those numbers.
[432]
>> All right, so we've gone
ahead and begun the transmission.
[434]
So I'm actually just
going to hand this to you.
[435]
Go ahead and present it to
that reader on the left.
[437]
>> Okay.
[439]
[beeps]
[440]
>> Boom, simple, you're authorized.
[442]
>> Simple, but like--
[443]
>> And you looked so legit doing it.
[444]
>> We can't have him running around
[446]
the facility like this, right?
[447]
>> I wouldn't recommend it.
[448]
>> I would love to see that,
[449]
he's like pretending
he's delivering a pizza,
[451]
but he's got a laptop in there.
[453]
>> I've known people that
like wire it down their sleeve
[455]
and there, they got a
backpack laptop going on.
[458]
>> Instead, remember this card?
[460]
>> Yeah.
[461]
>> That currently does not work.
[462]
So we're going to place that back on here.
[464]
>> These blank programmable
cards, totally legal?
[466]
Are they, how much do they cost?
[467]
>> Yeah, so, they're super
cheap, a couple bucks.
[469]
>> Yeah.
>> Yeah, yeah.
[470]
So we're actually going to tell it instead
[472]
to reprogram this card and
we're going to check to see
[476]
if it wrote correctly,
it looks like it did.
[477]
Go ahead and grab that card
[479]
and present it to the
reader for me, please.
[481]
[beeps]
>> Magic, it's voodoo!
[485]
>> What do these run?
[487]
>> About $300.
>> $300.
[489]
>> Okay.
>> Yeah.
[490]
>> So, a little pricey, but not--
[492]
>> Not terrible.
[493]
>> Achievable.
[494]
>> Now, to be fair, there
are like, there's a bunch
[497]
of different RFID card
technologies out there.
[499]
We're just talking about like
some of the more basic ones
[501]
like Prox, for example,
is what you're holding.
[505]
For Prox specifically, because
it's such an old technology,
[507]
there's really cheap,
like, readers out there,
[510]
cloners available out
there for like 20 bucks
[512]
on like AliExpress and stuff.
[514]
>> They're like a little
blue gun, kind of.
[516]
>> They're going to do nothing but Prox.
[517]
And if that's your only
game is cloning Prox,
[520]
then that's going to be much easier.
[521]
But this is cool because this
is basically a research tool.
[524]
This allows you to interact
[525]
with almost any kind of credential
[527]
if you're willing to put
in the time and effort.
[528]
>> If you're trying to
penetrate a building,
[529]
do you go up to the card reader
[531]
and have to do research and determine,
[532]
okay, it's this type, and so I have to get
[534]
the right type of these?
[536]
>> Yes and no, so, you do
need to do some reconnaissance
[540]
and intelligence gathering.
[541]
That's one of the things
that we actually cover
[543]
when we teach other
professionals on how to do this
[546]
is we spend a lot of time
on how to remotely identify
[548]
different card technologies
and readers at a distance
[551]
just by taking photos.
[552]
Dev has taken tons of photos,
[554]
so we can [snaps] just like that
[555]
see what kind of card it is.
[557]
>> Question, question, a key fob is just
[558]
one of these with a battery in it?
[560]
>> No battery.
>> No battery?
[561]
>> No, same exact, just
a smaller form factor.
[563]
>> Yeah.
[564]
>> Smaller coil, smaller enclosure.
[566]
>> Today, I learned.
[567]
>> That's it, today, we all learned.
[568]
>> And much like your key
fob may have branding on it,
[570]
your card may have branding on it.
[572]
Many times the readers have branding
[574]
and certain very unique visual elements.
[576]
We say, oh well, look,
the three colored lights,
[577]
well, that's IO Prox.
[579]
Oh, look at this, the light
bar, okay, the I-Class.
[581]
>> So in both of these examples,
[582]
you get your hands on the credentials
[584]
and then you duplicate them.
[585]
Is there a version, let's
say you have access to the,
[588]
I don't know, the gizmo,
but not the credentials.
[590]
What can you do then?
[591]
>> Well, you know how with credit cards,
[594]
skimming is such a problem?
>> Sure.
[596]
>> Yeah, same problem exists
in access control as well.
[598]
>> That doesn't seem
right because a skimmer,
[600]
you just put a thing over the thing
[601]
and then they slide through the thing.
[603]
>> Or putting it behind the thing.
[605]
>> Yeah.
>> Got it.
[606]
>> There's different things
to put in different places.
[608]
>> Imagine a big company
that's here in the Austin area,
[611]
you can think of a couple,
[612]
that has one of these scanner devices
[613]
just outside, unprotected.
[616]
You could go up to any number of those
[618]
and put something in there.
[620]
60 seconds and no one
would be able to stop you,
[623]
no one would know.
[623]
>> Yeah, you get two guys
who are dressed the same,
[625]
matching polo shirts, one
of them holding a clipboard,
[627]
kind of look like you belong there.
[629]
He's watching me, make
sure I do my job correctly
[631]
and I'm just underneath it, swinging,
[633]
push, punch, reload, gone.
[634]
>> This is the moment you realize that
[636]
that's way too polished to
be just a theoretical story.
[639]
That is definitely a factual
story that you guys have done.
[642]
All right, so walk me through this.
[643]
You guys show up wearing
a couple of orange
[644]
fluorescent pinnies
and having clipboards--
[646]
>> Sure, whatever works.
[647]
>> Doing whatever this
fake maintenance is.
[649]
>> So, what Dev is going to
do is he's going to go ahead
[651]
and take the reader off the mount.
[653]
It's important to consider that, you know,
[655]
this type of problem
that we're demonstrating
[657]
is valid on almost any card reader.
[660]
It's not specific to
these models or brands.
[663]
>> I would not have thought
it would be this easy
[664]
to bust one of these open.
[666]
>> And now what you're seeing is
[668]
on the back of the reader, we
just have a couple of wires,
[671]
so we have our power and our ground,
[674]
our LED control, and then
data zero and data one.
[676]
These two wires, the white and green ones,
[679]
these are the two wires
that are used by the reader
[681]
to send that card
information from the reader
[684]
back to the door controller,
which actually controls
[687]
whether or not that
door is open or closed.
[688]
>> Okay now, in this
case, it turned yellow.
[690]
I assume that's what, like a tamper alarm?
[692]
>> That's a tamper alarm that I installed.
[694]
Truth be told, 99% of
installations never use tamper.
[698]
But I installed it
because I wanted to show
[700]
how easy some of these tamper
mechanisms are to defeat.
[703]
>> DEV: If you look at
the back of this reader,
[704]
in addition to the wires,
[705]
do you see something else
potted into the metal there?
[707]
>> That's a magnet because
on this side I'm seeing
[709]
what looks like a house alarm there.
[710]
>> Oh yeah.
>> That's right.
[711]
>> Wait, so of course, you
defeat it with a magnet!
[713]
>> [beep]ing magnets, how do they work?
[715]
>> Magnets are behind 99% of penetrations.
[718]
>> Go ahead and put that reader back on
[720]
and if you put the magnet,
hold it there against the wall
[723]
as you take the reader off--
[724]
>> It's very "Indiana Jones."
[725]
>> Yes, yes!
[727]
Okay, and so I see
there's a gizmo in here.
[729]
I assume you installed something.
[731]
>> That's correct, this is actually
[733]
one of these devices here.
[735]
>> Right here.
>> So this is an ESP key.
[738]
This is a kind of interception tool.
[741]
It's a credential skimmer,
not a card skimmer,
[743]
but a credential skimmer.
[744]
So this is installed on the
wires behind the reader.
[747]
>> You mentioned the
green and white wires,
[749]
is it just those?
[750]
>> Well, and power as well.
[751]
So this, because it
doesn't have a battery,
[753]
siphons its power off of the same power
[755]
that goes to the reader.
[756]
>> But it does have wifi.
>> It does.
[758]
>> And so, you're storing stuff here
[762]
and sending it to your phone, I guess,
[764]
or a computer.
>> Yes, yes.
[765]
So right now, that little guy
is recording any credential,
[769]
anytime someone uses their card to get in,
[773]
they, to them, everything is normal.
[776]
But that ESP key is now
recording that information
[779]
and because I can
connect to it wirelessly,
[782]
I can actually connect to it here.
[784]
So we're connected right
now to this little guy.
[787]
So this webpage is not being
displayed from the internet,
[792]
this is being served up
by that little ESP key.
[794]
>> And that's a log of everybody
who's been coming and going.
[795]
>> This is a log of everyone
who's come and gone into here.
[797]
So I can actually just on
any one of these credentials
[800]
and when I want to come in,
I can just be like, replay.
[803]
I don't even have to clone their card.
[804]
I can just walk up to the door,
[806]
tap the credential I want,
hit replay, and I'm in.
[810]
>> So not only can you get access,
[811]
but you could decide
who to fool the computer
[814]
into thinking is coming and going.
[815]
>> Correct, oh yeah.
[816]
>> You don't just have a key,
you control the lock too.
[819]
>> Yes.
>> Yeah.
[820]
And when we dump that kind
of data on a penetration job,
[823]
if we look and say, oh
look, somebody, look,
[826]
look at all these people
coming back from lunch.
[827]
Not only does that tell us things like,
[829]
well, when the building is empty,
[830]
but if we see someone
hitting the door at one AM,
[834]
and then 2:30, and then
four AM, we're like,
[838]
that's a guard doing a guard tour.
[840]
If I want to be somebody,
I want to be them.
[842]
>> It didn't even occur
to me until just now
[843]
that there's value in just
installing one of these,
[846]
letting it run for a month,
and then removing it,
[848]
never penetrating anything
because now you know
[851]
the habits and the comings
and goings of people.
[852]
>> And I have all those credentials,
[853]
I can take this same card information
[856]
and I can use that Proxmark
tool to make myself a new card.
[860]
>> That is extraordinary.
[861]
>> And it's not just one,
it's any number of them.
[864]
>> That's correct.
>> Yeah.
[865]
>> How much does one of these cost?
[866]
>> 08 bucks.
[867]
>> Goddammit, it's just, it's
always two dollars and a taco,
[869]
and I can't believe it, how cheap this is.
[871]
>> I don't know that I'll ever
be able to do this myself,
[875]
but--
>> I know, and you could.
[876]
>> Well, I would very much like
to carry one of these around
[880]
and just kind of going.
[881]
[laughing]
[882]
Do you have the briefcase?
[884]
>> Oh yeah, let's say Jason Murphy
[886]
did want to become an expert,
[887]
what would be the best
way for him to train?
[890]
>> We actually have professional
trainings that we do.
[893]
You can go over to redteamalliance.com
[895]
to check out our schedule.
[896]
In fact, if you take the
access control class,
[898]
I'll probably be your instructor.
[899]
>> Nice!
[900]
Gentlemen, thank you so much,
that was freaking amazing!
[902]
>> Absolutely, guys.
[904]
>> Murphy, I'm losing
my god[beep]ing mind!
[906]
>> Wow, okay, I'll handle
this, it's cool, it's cool.
[908]
What's going on?
[909]
>> Everybody on the internet!
[910]
They're all like, oh,
there's got to be some scam,
[912]
some kind of switcheroo,
some kind of gotcha moment
[915]
with freaking privacy!
[916]
What they don't understand is that
[918]
every credit card company out
there is double-tapping you,
[922]
they're making all their money on the fact
[924]
that they're charging you for interest,
[925]
they're charging the vendors
to make everything happen,
[928]
and then on top of that,
[930]
they sell all of your
information behind your back!
[932]
Except for one institution, privacy.com!
[936]
>> I order comic books from
sketchy sources sometimes
[940]
that I'm not real
comfortable giving my actual
[943]
debit or credit card information.
[944]
Like, it's a ship in international waters
[946]
filled with "X-Men" trade paperbacks
[949]
that fell off of a truck.
[949]
>> This took a very
unexpected turn, keep going.
[951]
>> But I do that and I'm like,
[952]
well, I don't want to put my actual
[953]
card information in there,
but it's a really good price!
[957]
>> What you wish is that
there was a magic button
[959]
you could press that would
cause a one-time burner card
[963]
that you could use to buy that stuff
[964]
that would never, ever
be traced back to you!
[967]
>> Oh yeah, it is so good,
[969]
just go to privacy.com/rogue,
[971]
get five free dollars to spend on it.
[973]
Try it out with those five free dollars!
[975]
It is so worth it!
[976]
You're protecting yourself,
peace of mind, do it!
[979]
[static]
[beeping]
[984]
>> You guys know that every week,
[985]
we do a free giveaway in the
pinned comment down below.
[987]
This week, it's super special!
[988]
What are we getting?
[989]
>> Want to give them a couple
of ESP keys for people?
[991]
>> We could do that, we'll
give you some ESP keys.
[993]
And I'll do you one better,
[994]
I'll give you some of
our clear credentials
[996]
that we had made for us.
[997]
>> Yes, yes!
[998]
>> Can I put it in my
skull and get telepathy?
[1001]
>> Please don't.
>> ESP, would that work?
[1002]
>> I don't recommend it.
[1003]
>> I wouldn't paying attention.