HOPE 2008: The Impossibility Of Hardware Obfuscation


The Last HOPE is off and running in NYC. [Karsten Nohl] started the day by presenting The (Im)possibility of Hardware Obfuscation. [Karsten] is well versed in this subject, having worked on the team that broke the MiFare Crypto1 RFID chip. The algorithm is proprietary, so part of their investigation meant looking directly at the hardware. As [bunnie] mentioned in his Toorcon silicon hacking talk, silicon is hard to design even before security is considered: it must obey the laws of physics (everything the hardware does has to be physically built), and during manufacturing the chip is itself reverse engineered to verify it. All of these elements make it very interesting for hackers. For the MiFare crack, they shaved off layers of silicon and photographed each one. Using Matlab they visually identified the various gates and looked for crypto-like parts. If you’re interested in what these logic cells look like, [Karsten] has assembled The Silicon Zoo. The Zoo has pictures of standard cells like inverters, buffers, latches, flip-flops, etc. Have a look at [Chris Tarnovsky]’s work to learn how he processes smart cards, or [nico]’s guide to exposing standard chips that we covered earlier in the week.

24C3 Mifare Crypto1 RFID Completely Broken

Another highlight for us at CCC was [Karsten Nohl] and [Henryk Plötz] presenting how they reverse engineered the Philips Crypto1 “classic” Mifare RFID chips, which are used in car keys, among other things. They analyzed both the silicon and the actual handshaking over RF. Looking at the silicon they found about 10K gates. Analyzing them with Matlab turned up 70 unique functions. Then they started looking for “crypto-like” parts: long strings of flip-flops used for registers, XORs, and heavily interconnected things near the edge. Only 10% of the gates ended up being crypto. They now know the crypto algorithm based on this analysis and will release it later in the year.

The random number generator ended up being only 16-bit. It generates its number based on how long the card has been powered up. They controlled the reader (an OpenPCD), which let them generate the same “random” seed number over and over again. This was actually happening by accident before they discovered the flaw.
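To make the failure mode above concrete, here is an added toy model (not code from the talk, the chip, or the researchers): a 16-bit LFSR whose output depends only on the number of clock ticks since power-up, next to a defender-side check that flags nonces recurring across sessions. The feedback taps, the reset state and the tick counts are constructed assumptions and do not reproduce the real generator.

```python
"""Toy model of a nonce generator that depends only on time since power-up,
with a defender-side freshness check.

Added illustration, not code from the talk or the chip: the LFSR taps, the
reset state and the tick counts are all constructed assumptions.
"""
from collections import Counter

MASK16 = 0xFFFF
RESET_STATE = 0x1234  # assumed: the state loaded at power-up (must be non-zero)


def lfsr16_step(state: int) -> int:
    """Advance a toy 16-bit Fibonacci LFSR by one clock tick.

    Assumed feedback taps 16,15,13,4 (bits 0,1,3,12 with a right shift); the
    real chip's generator is not reproduced here.
    """
    fb = ((state >> 0) ^ (state >> 1) ^ (state >> 3) ^ (state >> 12)) & 1
    return ((state >> 1) | (fb << 15)) & MASK16


def nonce_after(ticks: int) -> int:
    """Nonce the card emits if challenged `ticks` clock ticks after power-up.

    This is the weakness from the write-up: the value is a pure function of
    elapsed time, so a reader that fixes the timing fixes the nonce.
    """
    state = RESET_STATE
    for _ in range(ticks):
        state = lfsr16_step(state)
    return state


def session_nonces(delays_in_ticks):
    """Nonces observed over several sessions, one power-up and challenge each."""
    return [nonce_after(d) for d in delays_in_ticks]


def nonce_space_size(max_ticks: int = 1 << 16) -> int:
    """Count the distinct nonces reachable within `max_ticks` of power-up.

    Walks the state sequence incrementally, so it is linear in max_ticks.
    Whatever the taps, a 16-bit register can never offer more than 65535
    non-zero values, which is why such a small generator buys little.
    """
    seen = set()
    state = RESET_STATE
    for _ in range(max_ticks):
        seen.add(state)
        state = lfsr16_step(state)
    return len(seen)


def freshness_report(nonces):
    """Defender-side check: flag nonces that recur across sessions.

    A back end logging challenges per card can run this over a window; repeats
    are the visible symptom of a generator that is steered by reader timing.
    """
    counts = Counter(nonces)
    repeats = {n: c for n, c in counts.items() if c > 1}
    return {
        "sessions": len(nonces),
        "distinct": len(counts),
        "repeated_nonces": repeats,
        "suspicious": bool(repeats),
    }


if __name__ == "__main__":
    # Constructed scenarios: a reader with fixed field-on-to-challenge timing,
    # versus one whose timing varies from session to session.
    fixed_timing = session_nonces([1000] * 5)
    varied_timing = session_nonces([1000, 1250, 1733, 2048, 4096])
    print("fixed timing  :", [hex(n) for n in fixed_timing])
    print("varied timing :", [hex(n) for n in varied_timing])
    print("report (fixed):", freshness_report(fixed_timing))
    print("reachable nonces within 2^16 ticks:", nonce_space_size())
```

With identical timing every session yields the same nonce, and the report flags it; with varied timing the nonces differ, but the whole space is still at most 65535 values, so collisions are expected after a few hundred sessions even with honest timing. The repeat check only helps where the verifying side logs challenges; the actual fix is a generator seeded from a source the reader cannot steer, with a wider nonce.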

One more broken security-through-obscurity system to add to the list. For more fun, watch the video of the presentation.

RFID Guardian V3 Released


[fbz] wanted to make sure that everyone knows that RFID Guardian has released the latest version of their design. I had a hard time finding a good shot of the hardware, so I went with the Nokia phone control application. There’s a short explanation of the project here. I’d point at the use examples on the site, but it seems that their MySQL server is running out of memory. After seeing this talk at ShmooCon last year, and a bit more reinforcement at Defcon, there are definitely some good uses for the Guardian. (Once you get past the slow start, Major’s intro is funny as hell. Jump past the first 8 minutes or you’ll be bored.)

OpenBeacon: Active RFID Platform

The OpenBeacon project is an open source hardware and software active RFID device. OpenBeacon tags consist of a 2.4GHz transceiver and a PIC16F684. One use of the project was to create CCC Sputnik, which shows the downsides of information culled by data mining from large tracking systems. People who chose to participate and wear the Sputnik tags did so voluntarily, to create a database of material for further study. The hardware schematics (PDF) for the first version tags as well as the firmware for all versions have been released. Further creative uses of the OpenBeacon project are strongly encouraged.

As a reminder, the 24C3, the 24th Chaos Communication Congress, call for participation ends on October 12th. The theme this year encompasses all hardware projects and more specifically, steampunk themed submissions. Check out the CCC events blog for more information.