Podcast
Join Viktor, a proud nerd and seasoned entrepreneur, whose academic journey at Santa Clara University in Silicon Valley sparked a career marked by innovation and foresight. From his college days, Viktor embarked on an entrepreneurial path, beginning with YippieMove, a groundbreaking email migration service, and continuing with a series of bootstrapped ventures.
Links
Follow Me
Follow Me
Join Viktor, a proud nerd and seasoned entrepreneur, whose academic journey at Santa Clara University in Silicon Valley sparked a career marked by innovation and foresight. From his college days, Viktor embarked on an entrepreneurial path, beginning with YippieMove, a groundbreaking email migration service, and continuing with a series of bootstrapped ventures.
RFID Hacking with Iceman: Exploring the Intricacies RFID Security
Play On
21 SEP • 2024
1 hour 7 mins
Share:
In this enlightening episode of “Nerding Out with Viktor,” host Viktor engages in a thought-provoking conversation with Iceman, a renowned expert in RFID and NFC hacking. The discussion delves into the intricacies of Bluetooth credentials and their potential vulnerabilities, highlighting the significance of Proxmark, a powerful tool used for RFID and NFC research and development.
Iceman is no stranger to the world of Proxmark, having made significant contributions to the platform’s development and enhancement over the years. His firmware fork, affectionately known as the “Iceman Fork,” has become a staple in the community, extending the capabilities of the standard Proxmark software and adding new features that support a wider range of RFID tags and protocols.
As we dive into this conversation, it becomes clear that Iceman’s involvement with Proxmark began long ago. He shares his memories of working on early versions of the device, collaborating with other developers to push the boundaries of what was possible with RF hacking tools. His expertise has been instrumental in shaping the tool into its current form, and he continues to contribute to its development through his active participation in online forums and communities.
Throughout the conversation, Iceman’s passion for open-source development shines through as he discusses the importance of collaboration and sharing knowledge within the community. He emphasizes that Proxmark is not just a tool, but a platform that enables users to experiment with new ideas and push the boundaries of what is possible in RF hacking. His approachable tone makes complex concepts accessible to listeners with varying levels of technical knowledge.
As we explore the world of Bluetooth credentials, Iceman shares his insights on how attackers can exploit vulnerabilities using modern tools like Proxmark v4 and its custom-built firmware enhancements. He walks Viktor through a scenario where he attempts to clone a lost or forgotten contactless payment card using these advanced techniques.
Iceman’s emphasis on the importance of collaboration and continuous learning in the RF hacking community is particularly noteworthy. He encourages listeners to start with basic devices like the Proxmark v4, which can be purchased for around $30 on online platforms. This approachable tone makes complex concepts accessible to listeners with varying levels of technical knowledge.
As the episode comes to a close, Viktor and Iceman’s conversation leaves listeners with a deeper understanding of the intricacies of RFID and their potential vulnerabilities. The discussion highlights the significance of Proxmark and its custom-built firmware enhancements, providing valuable insights into the techniques used by attackers in this domain.
Transcript
Show/Hide Transcript
Welcome back to another episode of nerding out with Victor.
Today I have a hacker with me on the show, an RFID hacker that goes by the name Iceman.
Welcome to the show, Iceman.
Thank you so much for having me, Victor.
It's a pleasure.
It's a really fun thing to have a hacker on the show.
And I've seen some of your Defcon talks and you've done some amazing things.
And today's episode is going to be all about RFID hacking, or RF hacking, I guess more than RFID.
So, yeah, no, it's going to be RFID hacking.
RFId hacking is not, it's not the same.
Radio frequency is a completely different set of things and RFID is a little bit smaller.
So you can just.
Quick thing if we.
RF is about the full spectrum with SDR software, defined radios, and you go for the spectrum.
RFID hacking is very limited to certain frequencies.
So there's a low frequency, 125, you have a high frequency, about 13.56.
Then you have ultra high frequency RFID, UHF.
And that's about 800 to 900.
That's the only frequency with we touch.
We are very similar to RF sense because we into radio frequency or communications over the wires.
Wireless, of course.
Right.
But it's not that.
So we also do a different thing.
The low ff, lf and Hf is about inductance communications.
So we don't do sending, pushing out signals, but UHF does that.
So crossover.
Right.
So big gray area, but fair enough.
That's a good distinction.
So if you are, if you do have your SDR software or hardware, you cannot necessarily do this.
Or can that be used for the same.
You can.
It's a very good question, though.
It's a great question.
Some of the people who have sdrs, like with lime sdrs or blade RF or hack RF.
Exactly.
And you use better antennas, you can actually get down and sniff a little bit better sniffing because you can easily catch up the signals that comes out.
So just short introduction to what it does.
RFID does, yeah.
You take a proxmog, for instance.
It's an RFID reader and it has antenna on there and it generates a field, an electromagnetic field.
And you put a, you take a card, an RFID based card.
Right.
It also has antenna in here.
So when you present that card into the field of a reader, it energized because the magnetic field couples so the resonant in the same frequency, they are tuned to the same frequency.
And that makes the electron walk and excite the electrons.
Right.
So this one gets power by coming into the field over here.
So with strs, they can sniff this communication because we have a field that pulse out and it goes further on, of course, but it doesn't send.
Right, we don't pulse out.
So you can't, so you can't power the chip or the card from SDR, but you can read it?
You can sniff it.
Yes.
Right.
good.
All right, that's a fair, that's a really good distinction.
So I got really excited about RFID hacking a few years ago.
I lived in an apartment complex in London, and they only gave you one fob for my building.
And I was really annoyed by that because I was like, well, can I get another one?
They were like, oh yeah, that's two out of quid.
I'm like, that's stupid.
And it just so happened I went to DeFcon the same year.
I was like, surely there is a better way for doing this.
So I picked up one of these RFID cloners that you can buy for, I don't know, like $100 or whatever.
It's not that expensive.
Unfortunately, I didn't work for this particular use case because I did not know what technology to use for the Fob.
But it kind of opened my eyes to the world of RFID hacking, and I've kind of been intrigued by that since.
And that's kind of why I wanted to get you on the show, just properly nerd out about all things RFID.
So maybe we can start with kind of like the one ones, the basics of RFID.
Like there are families of different types of RFID cards and readers and readers and categories of traffic, I guess, or frequencies.
And I presume what happened to me was that RFD cloner had could not do that particular key fob, but it can probably do other things.
So maybe we can start there.
Like can you break down broadly the categories off different types of key fobs and, wow, room keys.
Yeah.
Wow, this is a wide topic.
Yes, I would imagine.
I usually get questions about that RFID hacking.
Can I clone my card?
Number one question, without a doubt, right?
And fully fair.
And people go like, how hard can it be?
That's the next one, right?
And then they go like, I bought a cloner and it didn't work.
And you're like, haha.
And now you enter the realm of RFID hacking is one.
First step you have to do is actually what you just figure out.
You have to identify the technology that's being used.
And then I need to figure out, does the cloner understand that technology and have a way to actually make a copy of that card?
Does there exist a way to do that?
Because all technologies or all cards are not cloneable.
Right.
Right.
So we just start that out of questions.
Like, when people go like, can I clone my passport?
Yes and no.
How much money do you have and.
How much time do you have?
It's actually like, you can't, and that's the whole thing.
But some people can, and that's end of story.
Same thing with payment cards, right?
Without a doubt.
Number second question is, like, can I clone my.
I want to be able to pay with my implants.
Biohacking is a big thing because they want to make these implants on your hand and you put inside everyone.
Yeah, I've seen that.
They want to pay with your hand.
It's really cool.
Right.
But still, they have to move over the EMV data onto your chip, and that's, EMV doesn't really like that.
So Mastercard and Europe pay.
They really don't like that thing.
So they want to have control of it.
So they put on the cryptographic keys on the factories and very harsh about it, but you can do a semi version of it.
Another thing that works for payments is downgrade attacks.
You can do replays and stuff like that.
That is kind of obvious because the traffic for EMV is not encrypted.
But you cannot clone it per se.
Right back again to the thing.
Yes, you can, but you can't.
That's a Android store.
I can't do a diver.
So it's okay.
I can make a copy of some things, but I cannot do it.
So it works always.
Right?
Right.
So now we already touched base of payment cards, what you can and can't do, and then the top of cloners comes in.
You showed off a kesey.
That's right.
Yeah.
And that's Kisi was fun.
I met the inventor in Zenzhen a couple of years ago, actually.
He was doing, you know, developing his, like you said, we talked about hardware before a little bit, and he was doing his first revisions and down over there.
And it's really hard to make business in China sometimes if you don't speak Chinese or Mandarin and bring it up.
So apparently he was there for a year, and he went over to Mexico and finalized there.
Anyway, the keys is kind of interesting because it clones low frequency, so it targets with 125 khz tags.
Right.
That's usually only used for entry systems.
Simple entry systems, kind of popular from Wycom.
From Scandinavia.
It's lots of those low frequency tags, but you can do that.
So like you access key card for your hotel room and so on, right.
Is that a common use case?
Yeah.
And now I have to do one thing.
Wait.
Because that was the next thing I did.
Like the next hotel I stayed, I was like, all right, sure.
That could use this case.
Yeah.
My headset just went bananas for me.
So I can't hear your voice very well now, because it's what it is, I have to do one thing.
Wait, that's all right.
That's right.
I some hardware hacking live on stage.
Let's see.
Are you back?
Yeah.
Perfect.
Yeah.
So these are used mostly for access systems for hotel rooms and for buildings and so on, right?
Oh, no, usually just enter passage entrance to doors, like simple doors to office buildings and stuff like that, or fraternities like that.
So here comes another thing.
Bring something down.
Yes.
Love some hardware.
We love hardware.
So Kesey works by now very easily put the card, you put your little reader, it's very smooth.
You put it on and put it on the card and then you put it on where you want to clone it to.
Very simple.
That stemmed from this little vice.
This is what we call the blue gun cloner.
This is a low frequency em cloner.
So has this two little buttons.
Read, write and that's what it does.
It's like.
So this is what, this is like standard issue red team kind of equipment.
Oh, this is what you saw back 2010.
I'm pretty sure they had it.
Oh, yeah, yeah.
Then comes the new and better versions and more expensive models.
You know, things like this, the icopy 100 or something like that.
This takes low frequency, has that ui and graphical and all that stuff.
And it does h high frequency as well.
Right.
And then comes even more modern versions of it.
That's an I copy x, which is speaks and all that stuff.
And it copies and clones and it.
Can write as well.
So it can.
Okay, cool.
Yeah, so most of these ones here are more advanced, so we can read up things and do more.
And we support very much more different car technologies because that was something else were asking about.
So first we just ended up with cloners, right?
So it's a tons of cloners and you need to know which one works for my system.
And you sit now you're like, how do I know my system?
Well, right, you use something like this.
This is a simple field detector, so it lights up if you have a RFID signal, something like that.
Behind it, you will see that it lights up.
And let's see if we can do like this.
It's not buttering.
Let's see what it is.
Can I do this?
Yes.
You see how it flashes because that's the phone.
Your phone is an NFC reader, high frequency, right?
So this is what it shows.
All right.
This was a high frequency and you see it here on this one.
You would have presented this one to your reader, what you wanted to clone and see, like, if it's low frequency or high frequency, that would have been one of the things.
Another thing you would have done is like, you look at the cards and look at the antenna that's in the cardinal and see how many coils it has wrapped around.
Yeah, few coils, high frequency and tons of coils.
Massive is low frequency and they are.
Probably smaller radius too, I would imagine.
On the.
It's all kinds of styles, so it's not obvious, but, you know, you see about the amount of wires there are like.
Okay, that's a good indication.
Some of these cars has dual tech or even triple tech.
So you have like three different kinds of technology in one card.
Oh, wow.
Okay.
Oh, yeah, it gets worse.
Yeah.
So this is fun, right?
So you start out with your card and you had a cloner and you're like, oh, damn, I couldn't do it.
It's like, has to be something better.
Yes, right?
It has to be.
And I'm pretty sure that you just bought one because here's a flipper.
I literally just order a flipper this morning.
So.
Yes, absolutely.
Everybody needs to have a flipper, right?
Everybody needs to have a flipper because this has an SDR, it has two pins, I O gpios and has low frequency and high frequency and a simple UI and stuff.
So it's very easy.
And it's great ecosystem.
Yes.
With apps and everything like that.
Yeah.
By the way, though, they are actually in London, the headquarters.
Are they now?
You know, you can visit their place.
Indeed.
Next.
My next.
I was there last weekend.
I'm going to come knock on the.
Knock on the next time I'm in London.
Better do that.
Like say hi.
Hi to Pavel and all those guys.
Those guys made a million, though.
That is a super success.
Oh, yeah.
Massively, massively.
This is super cool.
So we now know.
So we use one of these first devices and that narrows down kind of like high version load.
Right?
So now we have like two buckets of card readers, I guess.
And then I would imagine there is a ten families in each of those that you need to be aware of.
So for low frequency, there's like tons of them.
I think it's about.
We have a support for 20 of them in the Proxmo code, right?
And in the HF world is five big families.
You have ISO 1443 a b, and then you have 15 693, and then you have 18,002.
And there's one more.
There's too many cyclops and peekaboos and all that.
It's versions of it anyway.
It's different families.
I'm so excited.
I'm sorry, I'm just interrupting you all the time.
I'm sorry for that.
Good content.
I love it.
I want to learn more.
I want to absorb like a sponge here.
So that's amazing.
I think it's just too fun.
Anyway, so all of his cards and tags and all that stuff, this is how I ended up in this world, is because I did as you did.
I was like, I want to learn to hack something.
To be really honest.
It's like my story started out where I was separating and I was very depressed.
And I was like, I've been doing programming, hacking all my life, but I was not happy, I was not content.
So I thought like, let's see if I can do something naughty and let's buy something naughty.
I'm going to buy myself a hacker, too.
Never done that in my life because that's illegal and all that stuff.
Right?
And here's the thing.
In Umil, one of the towns up here in north, in Sweden, there was this news article about how the local hackerspace actually managed to break the keys of that bus ticket system.
And I was like, oh, yeah, plenty of stores like that over the years.
Yeah, yeah.
And they are the same as here in my town.
That's where I'm from.
So I was like, okay, I want to do that.
So I went online and, like, googled a little bit.
And then, you know, the name Proxmo comes up everywhere and it's very expensive, $300.
I'm like, okay, I'm gonna do it for me.
I'm gonna order one.
So I ordered one, you know, and all excited, giddle like the boy.
All get around.
Two weeks later, you know, you get this package from Alibaba or whatever it was, you know, and I will show you.
Wait, wait.
It comes down.
It doesn't even come in a plastic box.
It comes like this, like a circuit board, like this.
This is radio war's versions of it a little bit.
I have so many versions of Proxmox nowadays.
I don't know why, I just have it.
They all better.
And this was an awful model.
It was great because there was first model that was actually assembled, and you couldn't get like this before that.
Everybody has to solve their own things.
It wasn't sold together, so that was a thing.
Looks like a lot of small components we get, right?
Oh, yeah.
I'm not a good soldier.
No, I'm not that good soldier.
No, me neither.
But I'm better now anyway.
So I'm like, oh, God, I'm gonna do this.
I'm like, you know, get on the forum, the Proxmox forum, and try to do this.
Try to set this one up.
It's like, oh, it's Mingv and all that stuff.
And people go like, I don't know.
Have you read the instruction guys?
I'm like, no, I'm good at computer.
I should be able to do this.
So, of course I failed.
And I took it very hard in myself because, like, I'm worthless, so I couldn't handle it, so I put it away.
I have a little shelf up there.
So I put it up there, and it was reminding me every day, it's like this cat laying up there, despising you, looking down and despising.
I could look up there and I'm just like, oh, God, my failures.
It took me six months.
It took me.
Sometimes it took me six months before I was ready to learn, you know, right when I was, like, accepting myself, saying, you're not very good at this, Iceman.
Iceman didn't exist back then.
You know, he didn't.
So after six months, I was like, okay, where's the guidance?
Let's do that.
Hello.
That works.
No, you pull, git, clone, repo, and it compiled.
Wow, that's great.
Then flashing phone on embedded device.
I never done that.
And it worked.
Like, oh, great, run the client.
Oh, the proximal client comes up.
I'm like, damn.
It's like, where is my tariff bus ticket system card?
And I put it on, you know, and I run this command.
It's the miffer, classic technology.
So you run this attack called HFMF.
Dark side.
The dark side attack.
And you run it, and it says, you know, 25 seconds average run time, and you sit there and wait, and it goes.
And then out comes the first key.
And I'm like, yes, I'm a hacker, but dopamine, Russia, that first key, I still remember it.
Oh, yeah, I can imagine.
I can imagine.
Yeah.
People go like, huh?
What do you mean?
It's intense.
I don't know how it is for yourself, but first time you do something that, and you're like, I have done something amazing.
Yeah.
And everybody else, congratulations, you broke your first.
Christ, you finished a readme good.
We're all newbies, right?
So, but that's, you know, who I am.
It's like I always keep on asking questions about curious.
I was really hooked into this big deep rabbit hole we call RFID hacking and it never ends.
So one of the things with the proxima world and what you learn very fast is that they talking about the proxima can do everything, but you have to implement it yourself.
It's like software, you can do anything, you have to implement it yourself.
Exactly.
You just have to learn to do yourself, man, it's like nothing.
And this is the thing, what I started doing is like, oh yeah, but I'm quite good at that.
So let's learn c again and learn about embedded and doing that.
And I started doing things, but it was a rough place.
So Iceman was just a user then.
But after a year I think I posted, I'm the guy who has the most question on the whole Proxmox forum.
I think I will ask more than 6000 questions.
I kept on asking everything.
I was like a bottomless because only thing I had was a proxmock and I did things based on that and I changed code because I can't do that and stop fiddling with things.
And I realized, you know, you want to do things the hard way, you know, you should be reading a raw signal trace and then you see a plot window and you should be able to manually decode that to bits and ones and zeros.
And then, you know, from there you should be able to twist and decode that one into a vegan pack stator maybe.
And I'm like, interesting.
I learned that now, but not very functional because I can't use this.
If I have to do this, every time I want to look at the cardinal, it's gonna, I'm gonna go nuts.
So I started doing those changes because I wanted something that the proximal client to work in the way that I want to work with it how I want to see, right?
So I forced, you know, you start changing the tools in the way that you want to do it.
So this is how I became very good at the proxy market thing.
And most of my changes was like the old people who are running the repo was like maybe why do you want to do it.
So you say, why do you want to do that?
Very protective Og people.
And I was like, how was GRN or something?
And then I realized, well, I can just make a fork right of it.
And then Iceman fork was born.
And then I did my changes there and made sure that upstream things comes in as well.
And it didn't matter what they wanted or not wanted.
I can just do it how I wanted it to become.
And I did open source.
Yes.
And it starts.
That's a beautiful source.
Yes, I love it.
And it started with that idea of always becoming more and more useful.
Things work better.
Another thing that adds, in the beginning there was the static analyzing, this continuous Covid scan.
That's what it called that make analyzing because it's C code and we always have memory leaks and all that crappy code styles and proxmograph Washington full of it.
But you know, gradually you start taking away all those problems, starts to become better and better.
Better.
And you figure out more and more formats.
We figure out more and more how to clone, how to read more in ellipse stuff, enhanced and made the high tag or not just the high tech we made for classic attacks, made them better, working more faster.
And all of that started, ended up.
So this is where Iceman started showing up everywhere.
This is where people know about the Eisenman fork and who that is.
This is why I ended up doing all this code.
And from there, I never been entered conference, I never been to Devcon, I never done anything like that.
But I was all of a sudden a maintainer.
And then I was also administrator of approximate forums.
And, you know, people was like, yeah, okay.
You seem to burn for community as well, which I do.
I'm very much for building a learning community, and we're always welcome to it.
And that's why we also have a Discord channel now since a couple of years back.
The forum is not for people anymore.
It's like the modern, the youth.
We don't like BBS's and that style.
I know, it's discord everywhere.
It's great.
It's a fucking great.
You know, we started with that during COVID It was perfect.
So we have like 11,000 members there.
Oh, wow.
Mostly lurking around, but it's good enough.
Sure, sure.
But around 20 17, 20 18, 20 17.
And I was involved with three other people.
Zero XFF from Australia and Dennis and Olaf.
Olaf is Prox grind.
He is the boy genius, or he's not boy anymore.
He's almost 30.
He's the genius doing very small proxmarks and miniaturizing hardware.
Very great chinese person for that.
And then this is the business unicorn, doing networking and talking about things with stuff.
So we created a company called RFID Research Group, and we made the RB four, an improved version of approxmox, small handled, easy, sleek, better antennas, and overall nice.
And we made a Kickstarter out of that one.
It was actually very successful.
So it came to fruition and all of a sudden I was like, yeah, we have to go out and talk about this product as well.
Stuff like that.
So I did that a little bit and then started my career as talker on different conferences, which I never done in my life either.
So that was a big thing.
I never went to conferences.
Right.
So this is another thing I keep on talking.
Sorry, you have to interrupt me.
No, no, this is great.
I'm learning a lot.
It's great.
This is exactly what the stuff I wanted to cover.
This is perfect.
I don't even have to.
I'm sorry about that.
Anyway, so I started up doing more things.
I'm meeting people, and people is like always so touched by the efforts and doing the proctimal stuff.
And I'm like, wow.
It's like, you know, after the first talk, I remember a guy comes up and is like, thank you.
Because of you, I've been having free laundry during my time as a student.
And I was like, I'm sorry, I.
Could not, I could not know this.
Please give us a flaws for the ability here.
And I'm like, huh?
I'm happy you learned.
However, how about you don't rip off a small business person, right?
It's just like, pay for your damn laundry.
It's not hard.
It's like, yeah, I get it, you know, so this is what I want to say when you talk about cloning your key fob for your apartment, right?
This is where it actually comes in.
People want to have a functional thing between.
This is a practical thing I can have advantage of versus the illegal part, which is I can make fraud out of it.
That's why people ask about payments and bus tickets and laundry or coffee machines or you name it, they asked.
Yeah, but I think that's for me, it was always like the pursuit of understanding.
I want to understand how it works.
It made me realize like, oh, shit, there's a crypto key in there.
That makes it harder to clone it.
Okay, that's clever.
And that leads you to, like, NFC, and now you have better grasping of like, how NFC contactless pay work and like, because they're all kind of the same family of things, right?
Oh yeah.
Oh yeah.
NFC is one of the worst names, though, because everybody says, oh, RFID and NFC.
And I'm like, no, RFID is the umbrella.
NFC is a part of it underneath.
Be sure that you keep it correctly.
And people go, no, it's NFC.
It's like, no, it's like, yes, but it's a task group and they're very good at it.
So within RFID is a lot of ISO standards, right?
And work groups like NFC group, right?
So they make an NFC readers what you see in phones, they're very good at that.
And they use a protocol that use NDEF standard or something about NDEF messages.
That's why you can send your business card and stuff like that over your phone like that, right?
Yeah.
There's also point to point network communications and stuff.
It's very high tech, but it's another level on top, built on top of different ISO standards, how to communicate physically with cars.
Right?
It's like a protocol on top of it.
And it's used for everything, but it always goes across surfing.
So MDF use is very much of apus.
So for one of the systems, payment system does the same thing.
That's the ISO 7816.
A lot of ISO standards now, but it's like a package, a wrapped package, saying you have a header, a fire byte header, and then you have the data that you're sending and then a CRC afterwards, right?
So you pack it up so you can see it goes back and left, up and down, and you need to keep track of it.
One of the things when you do RFID hacking is that you want to look at the traffic that's happening, because just doing it, like having a reader writing, doing things is good, but you don't learn anything from it.
And that's why the Proxmox is what we call the swiss army knife of things for RFID hacking, because you can look at the signal on the lower levels, you can look at it on the package tracements, in a sense.
We don't have wireshark in that sense, but we have annotations and trace logs.
There is a mode where you can actually export it to wireshark.
So someone made a wireshark plugin for it somewhere.
Apparently you can look at the ISO 1443 a packages from there.
I'm like, cool.
Yes.
So I think what's interesting, like here is if for the most basic cards, essentially it's an identifier, right.
It's just like if you swipe the card and you get like a string of text, essentially, right?
In various ways.
But the obvious thing is like, well, that's just a replay attack waiting to happen.
Right?
So what are the mitigation strategies in place for some of these cards?
Some of them have cryptographic id, so I presume there's a clock of sorts in there that generates a timestamp.
So you, like, there's a time delay and, like, so you can't do the replay attack.
Well, how does that.
How does it actually look like?
Or is it way too.
I hear that you from a completely different set of stories of computers.
One, remember one thing.
Now, RFID is an old, young technology, but it's very low power, right.
The ICs on a card is very simple.
So the simplest one from the low frequency we talked about before, just shouted out the five bytes of information that was there, the EM 4100.
So the Proxmo quadrant, developed by a guy called Jonathan Bestieu's, as in his masterpieces, where he wanted to prove the state of the governor of California that the Veritas chips that they were trying to implement as an id cardinal for schools is crap.
And you shouldn't do it because you can very easily capture the data and then replay it.
So that's why you did this.
That was 2006, okay?
Yeah.
So that's where it started there.
And then some other very smart people, researchers starting attacking and looking into the more secure versions of RFID cards.
So low frequency is usually very simple.
Right.
There's one exception, and that's high tag, the high tag family.
And they have a crypto, so that's a handshake of crypto, but it's also.
It's very similar to my crypto one because it's developed by the same people, by Philips, and they attack that one and they recover keys how we do it.
So it has a crypto chip on there with a private key that no sealed.
It's not a crypto ship, it's only one IC.
Right?
Oh, okay.
So it's one system on chip in that sense, that runs its things, that have some crypto things that's hard coded into it in the beginning.
Right.
So the more years comes, the more advanced the ICs became, and they added proper crypto and proper dedicated more parts of hardware for it, and you can actually run like Java machines on it.
So like a secure development style crypto, stuff like that.
So if you take an EnV cards, they are more likely running on a smart chip inside of there than actually.
I see.
Right.
So 2006 and 2010 is when other researchers start hacking the Mifare classic cards and coming up with a crypto key that's ended up with me ending up in this world.
And the same thing for you, going, oh, hold on, those cards are more like a USB stick.
They are like memory cards.
All of a sudden they start screaming out the UID as well in anti collision process.
But after that they are like a USB stick memory stick.
It has memory and it's divided into sectors and blocks.
Those sectors has two keys and access rights.
So in order to get rid of the memory, in order to do a clone of a card, you need to break the keys.
So that's how it improved.
And in the more later ones, like NXP desfire, they have added proper crypto like AE's and encrypted channels, dedicated hardware and Eil five plus certifications.
And so they're really good.
You don't hack both, right?
Not me, not you.
And I would imagine the only way is to do so kind of downgrade attack on those cards then if you were to.
Or is that even possible?
Oh, look at that.
Someone has been reading up on things.
Downgrade attacks is a concept.
Yes, it's a very interesting concept, because in physical access control world, this is more one of the standard attacks there is that you have a reader, and for access control, physical access control vendors, they choose a protocol called VGAN to communicate between the reader and the microcontroller behind doors that decides to open the door strikes or not.
And by doing so, you can easily swap out the readers as long as it spoke vgana.
So you can put up a low frequency technology reader of different sorts, or you could put up a high frequency one that was for I class or desk fire or 14 a or 14 b, whatever you want to put on, as long as you spoke v gan and talk back.
That way the door opened.
And that's just plain text protocol, right?
That was in plain text protocol, yes.
That's why we do this on wire sniffering and all that attacks you've seen, right.
You get to that in a second.
But yeah, I, because I think that's worth zooming in on.
So the downgrade attacks is like, does the reader support multiple different versions of COD technology?
Does it support a legacy or a simpler version?
If it does, Bob's your uncle, you just take the data out from vegan wires, put that data on a lower secure credential, and then you have a copy of, but it works.
Yeah.
And I mean, I think these things are like, well, what makes me love the concept of like, red teaming.
Really?
Like, you never attack the strongest security parameter.
You always find for the weakest link.
And in this case, just like, well, okay, you have all this fans security to check the card, but if I just lift this out and put a sniffer behind it, like, what's the point?
Like, it's not a complicated attack.
The thing with red teaming, when you talk to those guys and pen testers who do physical access, they always get in.
That is the least of their concerns.
It's like, oh, yeah, we put on two multifactors, biometric and all that stuff.
They got in anyway.
Somebody left the door open, the cleaner forgot the closet.
Like, oh, yeah, cool.
Yeah, like, you know they're going to get in.
That's not a problem.
So, yeah, and that's, this is where I started saying to people, for commercial properties like that or for your entering your multi tenant house, is it's secure enough.
It gives you a feeling that it's secure and you can't easily do it, but it's not secure.
It's secure enough.
I mean, yeah, that's why I want to have another episode later on lock picking because I think that's equally interesting because it's a perception of like, people believe locks are safe, you believe key tags are safe, but to a great degree, they are nothing.
No, it's an illusion of security rather than real security.
Yes.
And what many people are interested in RFID hacking medicine is that we want to tell the story that the vendors are saying something.
And by the RFID hacking community, you have now the tools to prove if that statement is correct or false.
So let's zoom in on that for a second.
So a lot of alarm systems these days are using RFID dongles, both in commercial buildings, but even increasingly residential buildings.
It's becoming more like if you buy a new lock, like, oh, do you want the smart version of your lock more often?
They're usually more stupid than smart, but that's a different.
But when you go to like assabloy, whatever, one of these lock companies, and they sell you a smart lock, how secure are those?
What standards are they using to actually secure this?
Are they somewhat secure against cloning or are they actually a downgrade from a traditional lock?
Yeah, I like where this is going.
Well, okay, let's see.
Let's decode that one a little bit.
One of the most common thing now is to have Bluetooth right.
So something that they call mobile credentials.
Yeah.
So the mobile credential lives in your phone, it lives in a secure element and it's very high crypto because the phone has the compute power and memory to do this stuff.
Right.
So that part is very secure.
Yes.
However, over and over again, this is outside already hacking because now we're going into different technology.
So with Bluetooth, like everything else, right.
As soon as you can capture the signals, because you can do that before.
But once you start learning SDR and you're capturing Bluetooth signals and you know how to use the tools, you can also replay things.
Right.
And if you don't have a session protocol in that sense in place, those simple Bluetooth locks is very like you just replay, you just record the first opening and then you just replay it.
So you go by the day before, put little battery powered sniffer next to the doorway and then you come back the next day.
Well, you don't have to do that ever.
It's Bluetooth, it's designed to distance, right?
So you just need a badass antenna.
You can sit several meters away, hundreds of meters.
But it comes to that is a completely different story.
So this is why it's so fun when you go to Defcon and you go to the radio frequency village or RF hacker sanctuary, right?
So they teach all of that stuff there.
They have an excellent CTF that you can play.
So RF CTF via Devcon, it's well worth it.
Runs by Ricks.
Big shout out to those guys and they are really good.
So if you want to learn the latest and tricks and things, how to do things, you go there and you realize, oh my God.
But this is yet again, it comes down to costs and administrative money to do this, to secure things with Bluetooth and mobile credentials as is right now it's pretty secure.
But as always, there are tons of interest.
As soon as there's a lock, there's a ton of interest among people out there and they're very dedicated to find out there's some bugs and they want to prove to people that they can actually pass by and penetrate that system.
So there are some interesting talks at Defcon this year, talking about how the secure element on the I class of CIO systems is not proper or they managed to extract the key materials from there.
And yeah, so that's the same key material that is used for Bluetooth credentials as well.
So yeah, it comes down to the keys.
In the end of the day, if you find the keys somehow you can extract it.
It's game over.
It doesn't matter.
It doesn't matter if you have the latest 4000 bits or diffie Hellman or whatever shit you use.
Yeah, yeah.
If you have access to that, it doesn't really matter.
Right.
And so walk me back to like, the toolkit that you use.
Obviously you have your hardware, the pocmark.
And in terms of like, if you go back to the scenario where you try to do your cloning of your bust card that you had ten years ago or 15 years, how many years back that was, how would that process look like with approximately three today or four?
Sorry, it's proxima free, but auto v four, it's okay.
It's a silly world.
It's tons of it.
But I usually say this, if you want to get started with your fadiac, you don't need very much, right?
If you have android phone, you can do a lot of HF stuff and learn from there.
And otherwise you just buy a $30 Proxmox, easy on Tabao, whatever, you buy it, or Amazon, and you have something to start with.
If you have more money, you can buy a very fancy flipper and then you can do more stuff with that ecosystem.
But it's a good entry system that you can learn to do things, but you will not understand how.
It's a point and click.
That's the cloner thing is one button click.
Cloners.
With me, I started out with proximity.
I had that one for five years.
People were like amazed, like, how many readers do you have?
Do you have logic analysis?
Do you have oscilloscopes?
What do you do?
And I'm like, no, I have a proxmox.
And people didn't understand.
I can do so much with it.
It was like, well, you know, I just used the tool that I have and I made it work better to it, but today it looks completely different.
I have tons of stuff.
Yeah, I can imagine.
I can imagine.
It's like, you know the play tools from when you grow up and all of a sudden you have more play twos.
That's right, that's right.
And less time, but more.
More toys, but less time.
Yes, yes.
So, so if you wanted the crack of my fair card, my fair classic card, that's kind of a super straightforward.
These days, it's what we call auto porn.
It's one command, it's you run auto porn and within two to 13 seconds it's done.
You got all the keys, you've got all memory, and that's it.
And then you can clone and write your own key and then you.
Happy days, essentially, yeah.
Mindframe classic doesn't have any security left in it.
It had some.
This is amazing research, by the way, I just presented.
That's why we met up.
Yeah, that's right.
Philip Turvin Dojox is a really good RFID hacker and a great researcher.
And he works for Quarks Lab, and he has been deeply involved in RFID hacking for years in different other projects.
And he also used, he actually used to work for NXP and doing the death fire cards in generation 1 hz.
So it's a big shout out to him.
He's a great guy.
He's amazing.
He's really smart as well.
He's super smart.
And what he came up now is one of the cards that was left.
So my favorite classic came from original ics from NXP.
First one, the hacked that we broke, that they made an improvement of it, and they call that MiFare classic EV one evolution one.
That's how they call it.
Right.
So that one was secure, came out 2010, I think it was.
And then 2015 came up in a new attack called the hard nested attack.
So we have different names of attacks.
You know, we have a dark side.
The nested, the hard nested, and it sold these genuine cards.
Genuine cards follow standard protocol and behaves nicely accordingly.
And pop Zonken.
Right.
However, there was a difference, because when you start doing things, those shows up illegal copies or sublicensed copies of this IC, the Mifra classic.
Right.
And they are usually by Fudan, is in microelectronics in China.
One of them, Fudon, is one of the big ones.
And they had something that they didn't quite follow the protocol perfectly.
So the attacks were used before the cryptkeys that you can figure out the nonsense is used, you can restart the PRNG that is used for it.
But for Fudan cards, they had a different way of doing it.
We saw one version that had static nones use and only once number, random number is supposed to be used only once static means, but it's not, it keeps on sending the same number.
It's like, okay, and it was a problem with that.
And I.
Till 2020, because then we had to figure out a way to get another nonce and then we could all of a sudden recover keys for it.
Right.
But there was another model of this one that we call the static encrypted nonsense.
And it had a dynamic first nonce, but the second one in the nested part of authentication process, was static.
And it's really annoying as fuck because you can't do very much with it.
However, Philipp had a look at this in May this year, and he came up with some amazing findings.
Made paper, research paper that is gigantic.
He's going to do a talk about this paper and his findings on hardware I o in October.
So I don't.
It's a big shout out to him.
And I don't want to, you know, take anything about away from his jams.
I'm not going to talk very much more about the paper in pure respect that I want him to deliver his own message.
Right, fair enough.
But what he did find is a way to figure out things.
But he started fuzzing.
Authentication properly call.
Right.
So you have an act, you know, to authenticate.
We have sector key over key a, you send 60, the hex byte 60.
If you want to authenticate with key b, you send a hex byte 61.
Right.
And then the block number.
Now he was just for the fun of it, let's, you know, he likes doing that things.
Let me fuzz that one.
What happens if I send 62?
What happens, you know, if I go up to six f.
Right.
Because why?
Nothing.
And then he found out some of the cars actually answered.
So by fuzzing the authentication protocol, he got announced out of it.
And it's like, holy mo.
How come?
And start to identify with categories of IC, what might be, and, you know, doing his contacts, whatever he has and figuring things out and start collecting things.
And he comes up with some amazing ideas about.
Now I can reuse some data that we have here because we got two different ones.
So the static encrypted nerds, he started analyzing that one back one.
And then he realized that there is, when you're looking at, there's also android.
It's android app and you can do things.
And he looked at the API calls for that one.
And it's like he can look at the data, goes, oh, wait, I know that data.
And he realized there's a key.
It's like, oh, what's this key?
And it turns out it's static.
Since a backdoor key that answers to those unauthenticant, not genuine authentication protocol bytes, right?
It has a static key, so you can read out the memories of his cards.
That's his findings in his paper.
And it's fucking amazing how he came up with that.
He spent like two and a half, three months about it.
And I'm like, wow.
Yeah, that's amazing.
It is.
It is.
So my fair classic game over in all shapes and form then.
Yeah, now it's.
Now it's game over.
It's nothing there, but it's.
It's end of life since I think we call it end of Life 2012 or something like that.
So.
But the thing is like life cycle, these locks or wherever doorway, they.
They will exceed that, right.
They will be in use for like a long period of time past.
Yeah, yeah, yeah, yeah.
You know, how often do you change the door locks down there?
It's like 20 years.
Right, right.
When you change.
When you buy a new house and you change the lock because you don't know who has the key previously.
Right.
No husky keys.
And you know, when we don't want to change the world, so you just want to change the reader.
So you get the same reader that speaks wigan anyway, because it's cheap.
And those cards, Mifare classic cards is like what, six cents a dollar now per card?
I have a bunch here that I bought for testing.
Right, yeah.
But genuine ones, like desk five is secure ones.
It's like $0.38.
So it's a bloody difference in money, right?
So it's.
If you're big company or a big house, you know, if you take one of these modern houses, you know, with multi tenants in and people lose the keys left and right and up and downs, it's a lot of money.
If you go for hotel systems is even worse.
Right?
I mean, they're disposable essentially, right, hotels.
Mm.
That's a lot of money.
Yeah.
So secure enough, remember?
Right.
Yeah.
So that's.
That's interesting.
So then obviously there are more modern versions that people should be using, but we expect to see these for the next decade in real world at minimum.
Right.
It's very practical.
Remember, you can just give them, you know, you can give.
Here, you can get in.
Use my card.
You get in.
It's practical.
If you have a mobile credential, you're never going to do this.
Take my mobile phone and go and open that door.
Well, what you can do with mobile credentials, which I think is one of the first, I forgot I started an Airbnb in the Bay Area.
This is a long time ago.
And they have one of the first smart locks and they have something very clever.
This is before the whole like Bluetooth key, but they had expiry.
So you can grant people access for a specific duration of time and then your credential automatically expires.
Right.
Which is much better.
Right, than giving somebody key or like if you want to give you cleaner access to your house.
Well, I know the clean's gonna gone Wednesday at 09:00 a.m.
well, keys can work between 09:00 a.m.
and 11:00 a.m.
and any time beyond that.
No, just no.
Right.
So I think there is a lot of validity and I think the same thing.
I mean in London you have the oyster card which was like the predominant way of like paying for your subway fares, right?
Has more lows been eroded for contactless?
Like nobody's using oyster card these days because it's like why you have five contactless cards with you that you can equally well pay with.
Yeah, but you can also pay with your phone, right.
You just tap and pay for it.
Yeah, that's what I mean.
Contactless in the sense of like your phone or your watch or whatever it may be kind of supersedes these cards or the need for cards.
So yeah, my gut feel would be like they will probably be replaced by software equivalent rather than the next generation of that perhaps.
Here's the thing with it though, with technology, it's like, I know that you and I, we like technologies for, you know, it's fun and exciting and let's see if there's some bugs in it.
But when it comes to credentials, remember they always have to work.
Yeah.
So mobile credentials means that your phone has to have some sort of battery, which we usually have, but some of them needs then if you have online verification.
So your bluetooth has to go to your lock and that one has to verify online that has to be able to talk twenty four seven to a sampling system to verify things, right.
And if NFC doesn't do that, NFC can work like Apple pay for instance can work even if you have no signal, right?
Yes it does.
Right.
So and you can also do it like up to 8 hours this reserve some battery power for minimum things, right.
Because you use your phone today even to start a car.
Right.
That was going to be my next thing I want to talk about.
Yeah.
Yeah.
So I see it's like you see it as well.
So mobile credentials and using your phone is going to be natural, but it comes to cost.
The mobile NFC is not cheap, it's really you pay extra, right?
Remember it costs thirty eight cents per dollar to get a card and if you add thirty five cents to that you're up in seventy six cents per credential.
But you can turn it off and turn it on and very easily because you can just sit and maintain that one, you say yes, no, remove, revoke his access, it's gone.
That's not the same thing with cards.
Remember, if it's not up connected cards.
Right.
Or readers.
Right, right.
Absolutely.
Yeah.
Because I was renovating my house and were looking at like, should I get smart locks for every doorway?
And I was like, the nerd in me really wants this, but the security person in me is,
Is this really a good idea or not?
I was looking at the unifi ubiquity office access stuff, which that's probably a company I would trust with this stuff.
But nonetheless, I think Unifi or ubiket uses desfire.
So as card credentials is good enough, but then it comes down to cost as well.
For you, it's like, what do you want it?
What kind of buck is it?
How often do my cleaner come, do I need it for that?
Or.
Oh, it was purely like a nerdy exercise.
More so than.
Yeah.
Can I justify this as a expense rather than, do I really need this?
Because the answer is very much, no, I do not need this.
It's more like, can I justify it?
Because it's kind of fun.
It is.
But I get it.
I get it totally.
It is fun.
And you always get curious, how secure is it?
And you can bet your bottom dollar on that.
There is a couple of people looking into just that system and they're bound to find something.
Yeah, absolutely.
All right, that brings me on.
You mentioned cars, and so I think I'm almost bucket cars and consumer alarm system into the same bucket, because I would imagine they're somewhat similar intact.
Well, maybe they are.
Maybe they are.
But let's start with cars.
Like what?
They use some kind of rfid, I would imagine, for like the authentication for the handshake or is that completely different tech?
Well, here's the same thing again.
Right.
So the old cars use this old technology.
They have propriety.
Cryptos, DS 40 and DS 80 and DST 40, DS t 80, I think if that was called.
And it's also called Megamos ID 48.
And then it's high tech two and the high tech three and high tech pro.
It's a lot of things that goes on in the evolution of car entry systems.
So you have two ways.
You have a mobilizer system and the car entry.
Car entry usually is dual frequency today.
So because key fob sends an rfid signal to the car and the car turns on and sends, or we present, I don't know which one it is.
If you present the ILF to the door and then the car responds with a signal back.
Or is it because when you press the button, you send an RF signal and the 433 MHz field of 314 car responds back by looking if the key is near the reader.
Yeah.
Like that is.
So you have to present your key near your handle.
So it's dual tech to enter the car.
And then when you start the car, it's usually an authentication process with exchange crypto and say, yes, this is an enrolled key fob in the immobilizer system in Ecuadore.
However, there's no standard to it.
Right.
Hotel system, car systems is not the same as PAX.
PAx uses the vegan data and then, you know, you can always find that one somewhere there.
But in the hotel systems and in car systems is individual, how that works.
Okay.
Yeah.
Tons of research going on though and I.
Yeah, yeah.
Because a friend of mine had his car stole about one of the replay attacks.
Not replay the relay attacks.
Right.
Where they basically, like, you had to put, like they basically just.
Yeah, they big antenna.
And they figure out your car is your car keys, probably by the door.
So they walk up to the door with big antenna, relay that to the car, open the door and drives away.
Right.
It depends on the car and system, you know.
Was it Toyota, what it was that you can open with a usb stick?
You can just as soon as you broke in, you can just put a usb stick into, you know, you pop over plastic near them, the key holder, whatever, ignition.
And then you just put a usb stick in there.
And the car was on.
That was Hyundai.
Same thing.
But what we do with that relay attack, you know, is.
See the flipper?
That's another research.
We rolling codes and.
Yeah.
And making that you can get out of sync.
So you record by being a distance when people open or unlock the doors and then you can just replay those.
Yeah, it's not very good.
No, no.
Yeah.
Car hacking is interesting as well, for many reasons.
Why I think there was one attack on, I forgot what car that was.
I think was a Range Rover, something like that, where they found that if you remove the left front light, you could access the canvas from outside the car and jacks the canvas.
Like, game over.
Yeah, yeah, we do a lot of those things.
I saw some videos from Ukraine.
I had this interest this spring looking into high tech two, and it eventually always comes into.
When you look into high tech two, there's a reason.
It's because it's very close to car hacking.
It's very popular for cars.
Well, it's one more case in England, where you're from, is that the Paxton system uses high tech, too, for copy on cars.
Anyway, once recovered the keys there, it turns.
People get very careful because the car hacking and the car stealing, car theft, it's.
People are like, I asked around because I needed some firmware for the icus.
I'm like, yeah, I'm looking this, and, you know, and people go like, I like you, icemandhe, but why do you want that stuff for?
It's like, you don't get close to my car.
It's like, you know, all of a sudden, it was very dodgy and people got scared.
Real.
Like, I could ask people about EMV payments stuff, and people were like, oh, yeah, you can do this and this.
But as soon as you start talking about being an interesting car hacking, people were very restrictive with sharing information.
All of a sudden, I.
So, yeah, there is probably a big.
A far higher price tag to sell toolkits for stealing cars on the dark web than there is to sell kits for.
Like, cloning a hotel fob.
Right?
Like, there's a lot more financial interest in.
In that space than there is obviously, in.
In passageways.
Oh, God.
I can show you one thing.
One more thing.
Yeah.
I'm sorry.
No, no, I see you have.
I see you have the best social engineering kit behind you there, which is a hive.
This vest, that's the best.
Yeah, it's from Wigglenet.
I got it now at Defcon.
So big shout out to those people.
Hi, wiz.
I should have it.
This is what I bought because this is a high tech two cloner, and the software says it can clone BMV, Opal, and all these different things.
But none of the software has their needed phones files for it, so it's completely useless.
So I was like, okay, where do I get those from?
And it's like, no.
So you see, this one is sold everywhere, but it's completely useless as is.
And with software that you get.
Yeah, no, because that.
Yeah, I was looking at.
I have on my car.
I only have one car key on my car, so I was.
Which car do you have?
It's Passat.
So not.
Not super sexy, but I want to get clone.
I was gonna clone it.
How old is it?
2020?
I think that.
2016, I think 16.
Oh, then it could be a high tech, too.
Yeah.
So I was just thinking, like, can I clone it myself?
And I was looking at it.
A lot of people can come and clone it for you.
I was like,
I don't really want some random dude, shop my doorway, clone my core key and give me a spare copy.
And he's like, let me save that firmware real quick.
But of course, you know, let me hook up my gear to your can bus and program it for you, because that's how you do it.
But I forgot to delete the files.
Exactly.
But it's.
It's interesting because I was, like, looking into how hard is to buy the kit.
And you can buy the kit.
It's not that expensive to buy it.
Well, it's far more expensive than buying a key clone, of course.
But, yeah, it's in the hundreds of pounds.
Rather than paying somebody 50 quid to do it.
Yeah, 400 pounds.
Yeah, something like that.
400 quid or something like that.
So I was on the verge of, like, purely from a scientific perspective, kind of want to buy one of these myself.
I was about to buy one as well.
Yeah.
Just, just for shits and giggles, really.
But sure, whatever tickles you.
I was, for the interest of learning.
Yeah, let's call that.
But, yeah, it's.
But, yeah, it's interesting that.
But it's relatively accessible.
These toolkits you can buy.
I mean, Flipper is kind of the same category of, like, click and play security tool.
So there is the same thing for the car space, like things that can connect to the canvas and do a lot of funny things.
I haven't really gotten that far in my journey of car hacking, but maybe.
Do you feel it now?
Do you feel how it spreads out?
I usually call RFId hacking that it.
It encompasses.
It engulfs all of hacking.
Right?
It's low level hardware.
It's firmware extraction, it's crypto keys, it's software, bugs, patches or whatever.
It really covers all of it and spreads out.
It's not just this narrow little thing.
Oh, no, it's just this.
It just spreads out.
Yeah, no, absolutely.
And it's used both for identity and for cryptography.
And like, yeah, there's a lot of intersection about all things tech in the realm of RFID, which is super interesting.
The last thing I want to cover is alarm systems.
I'm curious about, like, that's probably the most common use case for RFID tags for consumers, home consumers today, because almost every alarm system you buy today, they would have an RFID ish right with them.
How much can you speak about that?
Like what?
How secure are they?
Like, how worried should one be about cloning attacks on those types of forbes?
It's kind of similar to pax.
Oh, yeah.
So it's if you go from my, our region in the world where I said that they have a lot of low frequency tags, a lot of alarm systems in our region in the world has low frequency tags encoded into them.
So that's, that tells you a little bit about that one.
And there are some with more, you know, with high frequency tags, but usually it's, if it uses one of card technologies that is normal.
You know, what we already have full access to and ways of recovering the keys and access the memory.
It's not a thing to make a copy of it.
Right.
Have you thought about brute force attacks for like alarm system like that?
Can you do like a brute force attack with something like an SDR esque thing where you just like, well, I know the identity looks like six, I don't know, six characters or it's a six inch, whatever it may be.
Right.
Can you just like, are these alarm system, for instance, sophisticated enough to prevent against the brute force, like we just like literally iterate to all combinations?
I don't think so.
To be honest, I haven't looked into that one, but I doubt that they take those kinds of attacks in because it's not feasible that you're going to stand next to when you've broken in and you're going to put your flip over and like, no, but you could.
Stand outside and just broadcast it, right?
Yeah, well, yeah, if it's all like we did again with RFID, it's.
You can't transmit.
Yeah.
You have to be physically there.
So that's the limit.
Right.
You should be able, if you access to the house, whatever to do, you know, to make a simulation and then you change the data that is needed to iterate the different things and you keep on doing it until you figure, hit the pay dirt.
I mean, that's another way of when we do RFID hacking is to let the proxmo Cora nowadays, a flipper to simulate a tag and then you see what comes out of it.
Right.
And simulate different things.
Yeah.
Trial and error essentially.
Right?
Yeah.
Well, it's kind of fun.
You can also make things go boop if you know how to fuzz 14 a or whatever anti collision protocol, if you know that you can make readers go, holy moly, I didn't like this anymore.
And you don't overheat and just, and.
Just collapse, or I would imagine that's an other interesting attack factor.
Yeah, fair enough.
All right.
I think we cover a lot of interesting ground here and I think there's probably like an hour worth more of content that we could be zooming in.
Maybe we'll break that into another episode for the readers and listeners to have a bit of a break.
But I think this has been super interesting.
I've learned a lot and I have not even gone through all my notes yet because I had a lot a few more here that I wanted to cover.
So I think that to be an episode part two for this one where we dive into even more of these things.
Once I made my through my backlog of your Defcon talks and your other talks, I probably got a couple even more questions.
No worries, man.
I liked it.
Much appreciated to be on your show, man.
Really good.
So, and if one wants to buy a Proxmark three, where does one go and procure one of those?
Well, you just go to Amazon or eBay or Aliexpress Alibaba and you buy something.
I usually tell people, don't spend too much money.
If you're corporate and you're working as a pen tester, you can spend the two $300 that you have to do for an auto v four.
It's worth it.
But if you like a hobbyist, buy a $30, make sure that's a 512 flash memory on it, and then you will run the latest firmware, the Iceman version of course, on it.
And you will have everything that needs to be done right.
But the quality could be a bit dodgy sometimes for someone.
But that's why we have a discord.
We have, in the discord, we have a shopping channel where you get, you know, you just ask there and you will get a link to places where unknown to sell great stuff.
And I, you know, I don't take sides anymore in that sense.
I think it's just, you know, they, you know, if you want to buy it in English, I can mention a lot of people who can sell it for you in England.
I can put them in the show links if you send over some afterwards.
And I can put in links to their Discord channel as well because it seems like a lot of stuff.
That's where a lot of conversation is happening.
Oh yeah, for sure.
Sure.
So I'll make sure to put that in the show notes.
So good stuff.
Much appreciated as well.
Very much enjoyed the hour conversations and I guess until next time, thank you so much.
Thank you so much.
Bye.
Found an error or typo? File PR against this file or the transcript.