In-Person Hands-On Hacking for NFC/RFID

Attendees will learn how to approach modern contactless smart cards and analyse currently trending mobile access control systems (phone acting as an NFC tag) - based among others on real vulnerabilities of a sample system.

$2,299.00

Duration

2 days

Delivery Method

in-person

Level

beginner

Seats Available

20

 


This 2-day NFC/RFID course is part of a 4-day BLE & NFC/RFID course.


– To join the 2-day BLE course instead, click here.
– To join both BLE and NFC/RFID with a combo discount for 4 days, click here.
– To join only this 2-day NFC/RFID class, read further below.
– Want to attend this class virtually instead at early June? Sign-up here

 

ATTEND IN-PERSON: Onsite in Singapore   

DATE: 24-25 August 2022

TIME: 09:00 to 17:00 SGT/GMT +8

Date Day Time Duration
24 Aug Wednesday 09:00 to 17:00 SGT/GMT +8 8 Hours
25 Aug Thursday 09:00 to 17:00 SGT/GMT +8 8 Hours

 

It is still surprisingly easy to clone so many access control tags used today.
RFID/NFC has been around us for quite some time now. However, many of its vulnerabilities pointed out since years ago probably won’t yet be resolved in the near future.

During this training’s practical hands-on exercises, we will clone, crack, simulate and brute-force both  “Low Frequency” 125kHz RFID (EM, HID Prox, …) as well as “High Frequency” 13.56MHz (Mifare, iClass, DESFire, ISO15693, …) – using dedicated hardware (trainees get to keep these!), or in some cases with just a typical smartphone. We will examine and attack communication between the reader and access controller.  We will also exploit reader vulnerabilities allowing to unlock without the need to have a valid card, and reverse-engineer a sample hotel system and create an “emergency” card that will unlock unconditionally all the doors in the facility – having nothing more than just a guest card and a phone.

The training aims not only to raise awareness about the weaknesses of legacy systems, but also provide a solid insight of current technologies which are regarded as more secure. We will abuse implementation flaws and perform remote relay and downgrade attacks on both latest HID SEOS as well as DESFire access control installations. Attendees will also learn how to approach modern contactless smart cards and analyse currently trending mobile access control systems (phone acting as an NFC tag) – based among others on real vulnerabilities of a sample system.

Each student will receive
  • Course materials – about 1000 pages, step by step instructions for hands-on exercies.
  • All required additional files: source code, documentation, installation binaries, virtual machine images.
  • Included hardware pack for hands-on exercises, consisting of Proxmark 3 with latest firmware, various sample tags (including “magic” ones), NFC PN532 board.
  • Don’t have an Android phone? Sign up for both 2-day trainings (click here), and we’ll hook you up with an Android phone with Bluetooth 4 and NFC support!

 

 

 

Agenda
Day 1

1. Short introduction
a) RFID/NFC – where do I start?
b) Frequencies, card types, usage scenarios.
c) How to recognize card type – quick walkthrough.
d) Equipment, and what can you do with it – mobile phone, card reader, simple boards, Chameleon Mini, Proxmark, other hardware.

2. UID-based access control
a) Introduction – simple, still surprisingly common technologies
b) Communication between a reader and tag.
c) What is stored on the tag?
d) Low Frequency EM410X (“unique”), HID Prox, …, High Frequecy Mifare UID
e) Cloning card’s UID – cloners, Proxmark, Chameleon, mobile phone, …
f) Simulating (Proxmark, Chameleon, mobile phone,…), brute-forcing.
g) Interpreting markings on the tag, decoding UID from the picture.
h) Sample vulnerability of simple access control reader that allows to unlock it without the need to have a valid card.
i) Countermeasures against attacks

3. Wiegand – typical transmission between the reader and access controller
a) Theory introduction, signal DATA0, DATA1
b) Wiegand sniffers, implants, transmitters – hardware, open source software
c) Decoding card UID from sniffed bytes, clone the card
d) Replay card data on the wire to open lock

4. Mifare Ultralight, NTAG
a) Data structure.
b) Reading, cloning, emulating.
c) Example data stored on a hotel guest card.
d) Ultralight EV1, C.

5. Mifare Classic & its weaknesses – practical exercises based on hotel door lock system, ski lift card, bus ticket
a) Mifare Classic – data structure, access control, keys, encryption.
b) Default, leaked keys.
c) Reading and cloning card data using just a mobile phone.
d) Cracking keys using various attacks and tools (Proxmark, libnfc, Chameleon).
e) Attacks on EV1 “hardened” Mifare Classic.
f) Online attacks against the reader.

 

Day 2

6. Reverse-engineering data stored on a sample hotel system guest card
a) Decoding access control data (room number, date) stored on the hotel guest card.
b) Creating hotel “emergency card” to open all the hotel doors unconditionally, having only sample guest card.

7. Mifare DESFire
a) Introduction, data format, access modes.
b) Creating sample tag for DESFire access control system.
c) Publicly known attacks (misconfiguration, implementation issues) in smart locks, access control, ticketing systems.

8. ISO15693/iCode
a) Cloning ISO15693 UID on a “magic UID” card, unlocking smart lock.
b) Data of several example ski passes.

9. HID iClass
a) Cloning “legacy” / “standard security” iClass.
b) Attacks on iClass Elite.
c) Downgrade attacks.

10. Remote relay attacks against NFC/ISO1443
a) Introduction: research, tools, possibilities and limitations.
b) Practical remote relay of iClass SEOS and DESFire access control.

11. Sample Hitag2 access contol – sniffing password mode, simulating tags

12. Host Card Emulation – smartphone as NFC tag
a) Hardware Secure Element vs software Host Card Emulation
b) Protocols, commands, applications – ISO14443-4, 7816-4, APDU, AID, …
c) Example vulnerable HCE access control system (unlocking door using your NFC phone) – sample vulnerabilities.
d) NFC communication analysis: sniffing using Proxmark, dumping on the phone.

13. Intercepting card data from distance – antennas, possibilities and limits.

 


This 2-day NFC/RFID course is part of a 4-day BLE & NFC/RFID course.


– To join the 2-day BLE course instead, click here.
– To join both BLE and NFC/RFID with a combo discount for 4 days, click here.
– Want to attend this class virtually instead at early June? Sign-up here

Why You Should Take This Course

Attendees will learn how to approach modern contactless smart cards and analyse currently trending mobile access control systems (phone acting as an NFC tag) – based among others on real vulnerabilities of a sample system.

Who Should Attend

  • Pentesters, red-teamers, security professionals, researchers.
  • Device designers, developers.
  • Anyone interested.

Key Learning Objectives

  • Solid understanding of NFC/RFID.

  • Ability to perform in practice typical attacks: cloning, cracking, remote relays

  • Point out common implementation pitfalls in both legacy and modern systems.

  • Analyse security of mobile access solutions.
  • Prerequisite Knowledge

    • Basic familiarity with Linux command-line; some pentesting experience will be helpful but not crucial.
    • No previous knowledge of NFC is required.

    Hardware / Software Requirements

    • Laptop capable of running Kali Linux in virtual machine (VirtualBox or VMWare), and at least two USB ports available for VM guest.
    • Android smartphone with NFC support (most current phones, with a few small exceptions of incompatible devices: https://github.com/ikarus23/MifareClassicTool /blob/master/INCOMPATIBLE_DEVICES.md). Root option will be an advantage, but not crucial.
    • Don’t have an Android phone? Sign up for both 2-day trainings (click here), and we’ll hook you up with an Android phone with Bluetooth 4 and NFC support!

    Your Instructor

    No data was found