We’ve been eagerly anticipating this, [Larry] has published the entire build of the Shmooball gun for 2009. This design is more compact and elegant than the one for 2008 and has a slightly more Ghost Buster’s aesthetic about it.  The pictures are great and there’s lots of good tips along the way. We can’t wait to see what they make next year. How about a gattling version?

When we first saw [Chris Paget]‘s cloning video, our reaction was pretty ‘meh’. We’d seen RFID cloning before and the Mifare crack was probably the last time RFID was actually interesting. His ShmooCon presentation, embedded above, caught us completely off-guard. It’s very informative; we highly recommend it.

The hardest part about selling this talk is that it has to use two overloaded words: ‘RFID’ and ‘passport’. The Passport Card, which is part the the Western Hemisphere Travel Initiative (WHTI), is not like the passport book that you’re familiar with. It has the form factor of a driver’s license and can only be used for land and sea travel between the USA, Canada, the Caribbean region, Bermuda, and Mexico. They’ve only started issuing them this year.

The Passport Card also uses RFID… but not the same technology as e-passports that have been issued world wide. You’re probably familiar with 125KHz access control cards and 13.56MHz smartcards, MiFare tags, and e-passports. These are all inductively coupled technologies. The RFID used in Passport Cards is in the 900MHz band and is a capacitive technology. It’s EPC Class 1 Generation 2, the same sort of technology used to track goods in warehouses. Each EPC has a 96bit ID number. By design, they have to be readable from a minimum of 30 feet.

To start his research, [Chris] purchased an XR400 RFID reader of off eBay. This is an industrial reader with four antenna ports and Windows CE. He got a great deal… because it didn’t work. He guessed that the ball grid array (BGA) solder joints had cracked. Putting enough pressure on the chips allowed the device to boot. He repaired the board using a heat gun to reflow the solder. He referenced this video of an Xbox 360 being repaired with the same technique. [bunnie] has a post from last year investigating Xbox 360 RRODs and possible BGA failures.

900MHz RFID cards are not inductively coupled to the reader, so their read range is not limited by the wavelength. With a HAM license in the US, you can broadcast with up to 1500W. At Defcon this year, [Chris] plans on going for a new read record. He cited the company ThingMagic using 10W into a 12dbi antenna and getting 100% read reliability from 213ft. The theoretical limit for 1500W through a 18dBi antenna is 2.35 miles; you’d be limited by how far the tag can transmit though. He’s set up the site RFIDHackers.com to help coordinate efforts.

Another future project is using the GNU Radio USRP board to do differential power analysis against the Passport Card. It’s a brute force method for extracting the 32bit kill and lock codes for the tags, which could then be used to deactivate cards.

The goal of [Chris]‘ research from the beginning was to show that RFID is unsuitable for security situations like this. Passport Cards assign a unique identifier to each holder. This ID can be read from a distance and coordinated with the holders other RFID items like their credit card. Any party can track someone holding these cards, and they don’t make border crossings any faster, since the cards still have to be checked in person.

The USA is now tracking its residents with the same respect given to items in Walmart.

The first talk of ShmooCon was [Ethan O'Toole] and [Matt Davis] presenting their OpenVulture software for unmanned vehicles. In the initial stages, they had just planned on building software for Unmanned Aerial Vehicles, but realized that with the proper planning it could be used with any vehicle: airplanes, cars, boats, and subs (or more specifically, their Barbie PowerWheels). The software is in two parts. First is a library that lets you communicate with each of the vehicle’s modules. The second half is the actual navigation software.

They’ve spent a lot of time sourcing hardware modules. They are looking for items that work well, aren’t too expensive, and have a fairly plug and play implementation. For their main processor, they wanted something that wasn’t a microcontroller and could run a full Linux system. The ARM based NSLU2 NAS seems to be the current frontrunner. You can find the opensource software and descriptions of the supported modules on their site.

They’re building the first test UAVs now. One has a 12 foot wingspan for greater lift and stability. We’ve covered the Arduino based Ardupilot and other UAVs in the past.

The registration desk hasn’t opened yet at ShmooCon 2009, but we’re already running into old friends. We found [Larry Pesce] and [Paul Asadoorian] from the PaulDotCom Security Weekly podcast showing off their latest ShmooBall gun. ShmooBalls have been a staple of ShmooCon from the very beginning. They’re soft foam balls distributed to each of the attendees who can then use them to pelt the speakers when they disagree. It’s a semi-anonymous way of expressing your dismay physically. [Larry] has been building bigger and better ways to shoot the ShmooBalls for the last couple years. You may remember seeing the 2008 model. This year the goal was to make the gun part much lighter. The CO2 supply is mounted remotely with a solenoid valve and coiled air line. The pistol grip has a light up arming switch and trigger. The gun is fairly easy to transport: the air line has a quick disconnect and the power is connected using ethernet jacks.

[Chris Paget] is going to be presenting at ShmooCon 2009 in Washington D.C. this week. He gave a preview of his RFID talk to The Register. The video above demos reading and logging unique IDs of random tags and Passport Cards while cruising around San Francisco. He’s using a Symbol XR400 RFID reader and a Motorola AN400 patch antenna mounted inside of his car. This is industrial gear usually used to track the movement of packages or livestock. It’s a generation newer than what Flexilis used to set their distance reading records in 2005.

The unique ID number on Passport Cards doesn’t divulge the owners private details, but it’s still unique to them. It can be used to track the owner and when combined with other details, like their RFID credit card, a profile of that person can be built. This is why the ACLU opposes Passport Cards in their current form. The US does provide a shielding sleeve for the card… of course it’s mailed to you with the card placed outside of the sleeve.

Technology exists to generate a random ID every time an RFID card is being read. The RFIDIOt tools were recently updated for RANDOM_UID support.

[Thanks Zort]

November 1st means that registration for ShmooCon 2009 has opened. The DC hacker convention is entering the fifth year. They’re releasing the tickets in blocks; after today’s are gone the next won’t be available till December 1st. Today is also the closing of first round consideration for their call for papers, but you still have another month before the final deadline.

We’ve always enjoyed our time at ShmooCon. In 2008 we saw talks on cracking GSM encryption and recovering data from SSDs.

• Defcon 15, Las Vegas, NV
• ToorCon 9, San Diego, CA
• 24C3, Berlin, Germany
• ShmooCon 2008, Washington D.C.
  
• Notacon 5, Cleveland, OH
  
• LayerOne 2008, Pasadena, CA
  

[thanks, Dan]
[photo: ario_j]

The gun is pneumatic, so pressure was supplied from a 7-800psi CO2 paintball gun through this quick disconnect. [Larry] needed an adapter to connect to the 1/4″ regulator input. He made the small chamber, with each connection, and found that it acted as a helpful expansion chamber for the gas supply.

The lower pressure storage chamber is fed about 100psi from the regulator. To release the pressure to the firing chamber, he used this electric water sprinkler solenoid. These take around 12VDC and slightly slow the pressure expansion into the firing chamber

The trigger was built using a simple safety mechanism – two momentary push buttons have to be depressed to fire the sprinkler solenoid.

The get a good seal on the Shmooball, he cut down a beer cozy to act as reusable wadding.

The wadding fits quite well around the 2.75″ Shmooball. The twine keeps the wadding from going the way of the Shmooball.

A velcro mounted laser pointer provides quick aim for chasing tricky speakers.

Thanks to [Larry] for giving us the tour!

Yesterday I caught an interesting talk on recovering passwords from drive images by [David Smith]. He found that he could take a system image, strip out all the strings that were stored by various programs and use them to build a dictionary of possible passwords. By limiting string lengths and matching for known password policies, he was able to further filter his dictionary for likely passwords.