HN Gopher Feed (2017-07-22) - page 1 of 10
Zigfrid - A Passive RFID Fuzzer
97 points by wolframiohttps://z4ziggy.wordpress.com/2017/07/21/zigfrid-a-passive-rfid-...ive-rfid-fuzzer/
ivanbakel - 5 hours ago
Wonder if there's some sort of low-power hardware-easy problem you
could use to reduce the request rate for individuals, instead of
just shutting the device down when it detects a brute-force
attempt. Seems to me that having hardware that breaks
inconspicuously means you can't leave it as unmanned as you'd want
joshvm - 2 hours ago
With these kind of systems (like a parking meter) you could add a
2-3 second delay between each attempt. Most people wouldn't
notice the slowdown, but it would make brute forcing so slow that
it would be useless in the field. This also works for things like
logins on websites where the time taken to authenticate can be a
second or two without annoying the user (vs loading a page which
should be instant).There is absolutely no reason why anything
RFID controlled, like a door mechanism, should allow key entries
at full speed (3k keys/sec someone posted).
ynezz - 2 hours ago
It's usually easier and faster to get the sniff of the
communication between MCU and the reader(UART,I2C,SPI,USB) in
some cases you've to dump MCU's flash or EEPROM to get an idea
about the keying scheme used in particular product range.
contingencies - 1 hours ago
I found the following interesting.Using a curtain capacitors combo
might initiate a DoS attack on the reader which will prevent
legitimate tags from being read correctly after placing it against
a reader only once. A hard reset to the reader will be required to
resume work. Just FYI.Seems like a cute way to create a
diversionary scene or frustrate physical security personnel in
physical pen testing.
keyme - 3 hours ago
Why bruteforce when you can just passively listen for a working
code (once someone else uses their card)?40 bits of bruteforce at
125khz, with every code being 40 bits long, results in 3125
codes/sec at best, thus it will take roughly 11 years.
Goopplesoft - 3 hours ago
They include a video of a parking garage being opened after just
a few iterations. The code used in commercial applications could
often be lower bits given criminal prosecution is a larger
deterrent than code security. Although, OP may have set a
specific range for that demo.
Goopplesoft - 3 hours ago
This made me wonder if iOS 11's CoreNFC API can be used in similar
ways. It would be cool to consolidate my tags (building and office)
if they speak NFC.
ynezz - 2 hours ago
You can do this with some cards/tags with rooted Android
phone(some tweaks are needed in the NFC subsystem) with certain
NFC chipsets. It needs to be card with broken crypto (Mifare) so
you can obtain the password and then copy complete card's
content. The door reader shouldn't rely on the card's UID (unique
serial number) as this can't be spoofed, the chipsets doesn't
allow this.I don't waste time with closed systems, so I can't
comment directly on iOS capabilities, but I would guess, that
it's going to be almost impossible to make it working in such
locked down iOS world.
IshKebab - 5 hours ago
Somehow this post skips an explanation of what it actually does.
It's a passive RFID tag that sends 40 bits of data (5 bytes). The
bits are changed in sequence. More of a brute force attack than a
geekuillaume - 5 hours ago
From the comments in the source, the code needs 20 clock cycles
to send a new tag, it's running at 125kHz and each tag is 40 bits
long. How can this device bruteforce the tag at this rate? Won't
it be extremely slow compared to the number of possible tags?
revelation - 5 hours ago
It will be and most software on the other end likely isn't
prepared to even read tags at that speed. Fun hack though.
moron4hire - 4 hours ago
125kHz is the transmission frequency. It's one of the
unregulated frequencies for RFID tags, but sort of an industry
standard value commonly used in retail products and goats. Most
other cattle use tags at 134kHz. NFC is mostly just RFID at
cobookman - 15 minutes ago
RAIN rfid uses 900mhz and can be read from 30+ feet away
TheSoftwareGuy - 1 hours ago
Well let's do the math125 kHz 2 bits/cycle = 250 bits /secA
2^40 bit string has 1099511627776 combinations, and would
require 1099511627776 40 = 43980465111040 bits to besent to
try all of them. That would take 43980465111040/250 seconds or
about 5575 yearsAnd that's under ideal "spherical object in a
vacuum" conditions.So yeah your right, unless they get lucky.
mrb - 19 minutes ago
Bruteforcing is totally doable because in practice the unique
identifiers broadcasted by these tags are allocated
sequentially. I built an AVRFID a few years ago to bruteforce
the HID ProxCard II RFIDs at work (45 bits of data: 20-bit
mfg ID, 8-bit facility ID, 16-bit tag ID, 1 odd parity bit).
Starting from my ID, and incrementing it one by one, it only
took seconds to find many other valid IDs that were unlocking
doors of various restricted areas. Imagine a disgruntled
employee who has his legit RFID and is looking to access
other restricted areas to which he normally doesn't have
access... bruteforcing work for him.
thatsso1999 - 36 minutes ago
I believe your math is off by a factor of 1000.125kHz =
125,000 cycles/sec * 2 bits/cycle = 250,000 bits/sec250,000
bits/sec / 40 bits/code = 6250 codes/sec2^40 =
1,099,511,627,776 possible codes / 6250 codes/sec ~=
175,921,860 sec ~= 5.578 yearsWhile this is still an
extremely long time for the worst case, by the looks of other
comments, as well as the author's video, it appears extremely
doubtful that most RFID readers have anywhere near 40 bits of
security - and it takes about 10 seconds (65536/6250) for the
fuzzer to brute force all codes 16 bits or less.
ckdarby - 5 hours ago
Wouldn't the readers be designed against this sort of attack?
EvanAnderson - 4 hours ago
One would hope.The small amount of IT security work I've done
has taught me that such hopes are quickly and frequently
dashed. Even products specifically designed for security
applications have silly glaring vulnerabilities.
Moru - 2 hours ago
20 years ago I laughed myself silly when I realised our new
big radiocontrolled doors to the factory had 8 dipswitches to
set the security code for the remote. Last month I was
looking for some home-alarm system for the club house. I
wasnt terribly surprised to see only 4 bit security code in
some of them...
londons_explore - 3 hours ago
Seems it would be better to use a pseudorandom number generator
to just test a random selection of tags