RFID
Well, how should I even begin to explain this? How do I justify that building this doesn't mean I'll be going around stealing people's cards? It's hard to explain from this position, so let's start with what the device you're looking at actually is.
First, let's begin by explaining what an RFID card is. RFID stands for Radio-Frequency Identification. The applications for RFID cards are very wide, from bus tap cards to school cards. If you work in a company in Australia, this is considered the basic level of security.
How does an RFID card work? To put it simply, the scanner that you usually see on a building, on the bus or at a car park frequently sends out a signal indicating that it is looking for a card. When a card hovers in front of the scanner, the signal reaches the card; more specifically, the small coil inside your card reacts to the signal. That signal is passed to the chip that holds the card data, and the data is sent back to the scanner. After that, it depends on the people responsible for what to check and whether they should allow it or not. This does not only apply to cards but to other forms of RFID too: tags, labels, fobs, you name it.
The reason this has become a common form of security nowadays is its cost, and also security reasons. Creating an RFID tag is very simple: all you need is a chip and a coil, and the cost ranges from $1 (AUD) to around $20 (AUD). Most of the cost is in the casing that protects the card (the plastic fob, the plastic of the card) and the chip, of which there is a wide variety, holding different kinds of data and working at different frequencies.
Commonly, RFID is divided into two frequency bands: High Frequency (HF) and Low Frequency (LF). High Frequency is 13.56 MHz; this is the commonly used frequency now, and it is used not only by RFID but also by NFC (Near-Field Communication). It offers more security data-wise and a short range (2 cm to 10 cm), which is also why NFC uses this frequency.
Low Frequency uses 125 kHz. It is still widely used, but less so since it is now obsolete: the security protection is too low and the range is too far (up to 2 meters).
Before getting to how an RFID card is susceptible to attacks, I would like to take a bit of time to list some commonly used RFID cards/fobs here in Australia:
- NXP MIFARE DESFire 4k card - Opal card (high security and somewhat expensive), 13.56 MHz.
- MIFARE Classic 4k/1k card/fob - school card, company card, staff card (medium security, price varies), 13.56 MHz.
- EM4X fob - apartments (VERY LOW security, dirt cheap), 125 kHz.
Now, on to a few basic attacks.
For low frequency (more attacks soon)
This is an RFID (Radio-Frequency Identification) scanner: a 125 kHz card scanner that can read cards from 1 to 2 meters away. Normally you would find one of these on a wall or at a modern car park or apartment car park, but this one is portable and can be used on the go. In the picture above you can clearly see the two sides of the scanner: on the left, the batteries, an LCD screen and a small PCB; on the right, the main PCB of the scanner. You might have seen it on a show called Mr. Robot.
For most of how this is modified, I will leave a link here:
https://www.bishopfox.com/resources/tools/rfid-hacking/attack-tools/
Now, since the scanner has been modified, the battery runs the Arduino and the scanner. Every time the scanner is active it scans for 125 kHz cards, and every time it scans, the data is sent to the Arduino and saved to the MicroSD card. Having tested it out with my cards, I have to say it is terrifyingly effective: it can scan through my bag quickly and, given the necessary modifications, it can make little to no sound at all. I could easily go around on the bus, scan people's cards, and never have to pay my bus fare again. Well, luckily the buses here in Australia use high-frequency cards, so my scanner was proven useless against them. Which brings me to the attack on high-frequency cards.
High frequency RFID
Case study 1:
This happened at a university which I will not name. I have reported this problem to the university management. Now, with a high-frequency card the data security is higher and the range is way shorter. We can't simply go around scanning people's cards even if we wanted to, since it takes more than 2 seconds to fully scan a card, during which it has to be static. So going around stealing people's information and copying it to a new card is not possible. What was another way to do this? Well, how about the card data itself? With that, I opened Pandora's box to the most vulnerable system I have ever seen.
The university is quite big and has a lot of facilities, from basic things like laptops to high-end equipment that costs millions of dollars, to dangerous chemicals and high-end machinery. As far as I have seen, there was no other form of physical security between a person and getting there, besides the door being locked unless a card with allowed access is tapped. With a cheap card scanner that I bought from AliExpress, I was able to read all the data inside the card, because they all have the default password. I will not discuss what model it is, but it's a high-frequency card (just in case you forgot).
Which already raised my first red flag. The second red flag is that many special blocks that contain special information are printed on the card, as in on the surface of the card itself: the student number, the barcode's code. These blocks are actually the blocks used to identify whether the card has access to the building or not. The biggest flag of all is that they don't use the unique ID. The unique ID is an ID that sticks to the card from the moment it is printed, so if someone else makes a card with the same data blocks, that card wouldn't work if the unique ID in the database has not changed, unless you have a Chinese magic card. I copied the card that I had borrowed, and I had the same access as the original. From there on it was easy, since everyone has a number ID, from student to teacher to staff to security guard. I had no problem looking up the open database of the school to find the ID of a security guard, copying it to a blank new card with just the ID number, and voilà. I had access to almost every single building in the school, given that I only tested buildings/rooms that most teachers and students don't have access to. With that, I made a report and gave it to the school. Afterwards I noted that the school had just outsourced to a card security company, and that the school does not manage the card scanning system themselves.
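As an added example (not code from the original post or from the university's system), here is a simulated door-controller check in Python that puts the policy described above, which trusts the holder ID written in a rewritable data block, beside one that binds the chip's unique ID to the enrolment record, plus a detection routine that flags one UID being used at two doors within a short window, which goes beyond the post's text. All UIDs, holder IDs, door names and events are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CardRead:
    uid: str       # factory unique ID read from the chip (hex, constructed)
    id_block: str  # holder ID stored in a rewritable data block

# Constructed enrolment table: each issued card's UID is bound to its holder.
ENROLMENT = {
    "04A1B2C3": {"holder": "s1234567", "role": "student"},
    "04D4E5F6": {"holder": "g0000042", "role": "guard"},
}
DOOR_POLICY = {"chem-lab": {"guard", "staff"},
               "lecture-hall": {"student", "guard", "staff"}}

def authorize_weak(read: CardRead, door: str) -> bool:
    """Flawed policy from the case study: identity is whatever the data block claims,
    so a blank card re-encoded with a printed ID number is accepted."""
    role = next((r["role"] for r in ENROLMENT.values() if r["holder"] == read.id_block), None)
    return role in DOOR_POLICY.get(door, set())

def authorize_strong(read: CardRead, door: str) -> bool:
    """Hardened policy: identity comes from the UID bound at enrolment, and the
    data block must agree with that record before the role is even consulted."""
    rec = ENROLMENT.get(read.uid)
    if rec is None or rec["holder"] != read.id_block:
        return False
    return rec["role"] in DOOR_POLICY.get(door, set())

def concurrent_use(events, window_s: int) -> set:
    """Flag UIDs seen at two different doors within window_s seconds, the sign of a
    UID-cloned card in use alongside the original. events: (unix_time, door, uid)."""
    flagged, last_seen = set(), {}
    for ts, door, uid in sorted(events):
        if uid in last_seen:
            prev_ts, prev_door = last_seen[uid]
            if door != prev_door and ts - prev_ts <= window_s:
                flagged.add(uid)
        last_seen[uid] = (ts, door)
    return flagged

if __name__ == "__main__":
    # A blank card (constructed UID) re-encoded with a guard's printed ID number.
    forged = CardRead(uid="0A0B0C0D", id_block="g0000042")
    print("weak policy grants:", authorize_weak(forged, "chem-lab"))      # True
    print("strong policy grants:", authorize_strong(forged, "chem-lab"))  # False
```

A card that also clones the UID still passes the hardened check, which is why the concurrent-use flag is there as a second layer.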
So if you are still oblivious: a "hacker", or any person, could do this illegally, scanning people's cards, credit cards, bus cards and hotel cards, loading the data onto a blank card and using it for their own good.
Either way, this is not how I would use this; the reason I built it is that I was bored and had time to do it.