Upload
travis-terry
View
217
Download
0
Embed Size (px)
Citation preview
8/12/2019 Defcon_Presentation.pdf
1/87
Anatomy
Russell Ryan
Zack Anderson
Alessandro Chiesa
Subway Hackof a
For updated slides and code, see: http://web.mit.edu/zacka/www/subway/
8/12/2019 Defcon_Presentation.pdf
2/87
what this talk is:Pen-testing a subway system
8/12/2019 Defcon_Presentation.pdf
3/87
what this talk is not:evidence in court
(hopefully)
8/12/2019 Defcon_Presentation.pdf
4/87
Youll learn how to Generate stored-value fare cards
Reverse engineer magstripes
Hack RFID cards
Use software radio to sniff Use FPGAs to brute force
Tap into the fare vending network Social engineer
WARCART!
8/12/2019 Defcon_Presentation.pdf
5/87
AND THIS IS VERY ILLEGAL!So the following material is for educational use only.
8/12/2019 Defcon_Presentation.pdf
6/87
8/12/2019 Defcon_Presentation.pdf
7/87
ATTACK
PHYSICAL
SECURITY
8/12/2019 Defcon_Presentation.pdf
8/87
there is almost always a free way to get in
8/12/2019 Defcon_Presentation.pdf
9/87
turnstile control boxes open
almost everywhere
8/12/2019 Defcon_Presentation.pdf
10/87
computer screens visible through
windows
8/12/2019 Defcon_Presentation.pdf
11/87
door keys left in open boxes
8/12/2019 Defcon_Presentation.pdf
12/87
door keys left in open boxes
4 3 7 6 6
t t f th t ill
8/12/2019 Defcon_Presentation.pdf
13/87
state-of-the-art surveillance
often unattended
8/12/2019 Defcon_Presentation.pdf
14/87
documents left in the open
8/12/2019 Defcon_Presentation.pdf
15/87
8/12/2019 Defcon_Presentation.pdf
16/87
h t f d Eb
8/12/2019 Defcon_Presentation.pdf
17/87
what we found on Ebay
8/12/2019 Defcon_Presentation.pdf
18/87
ATTACK
THE
MAGCARD
8/12/2019 Defcon_Presentation.pdf
19/87
pick the hardware
8/12/2019 Defcon_Presentation.pdf
20/87
$139.95
Spark Fun Electronics
3-Track Lo-Co
Includes source code
$5 reader)
Band-Pass Filter400kHz width
FIR LPF w/ shifted center
charlie card + reader FFT
8/12/2019 Defcon_Presentation.pdf
55/87
Band Pass Filter
400kHz
13.56MHz reader -> card transmission
8/12/2019 Defcon_Presentation.pdf
56/87
12.71MHz card -> reader transmission
time
time
GNU radio RFID toolchain
8/12/2019 Defcon_Presentation.pdf
57/87
Tune Radiosreceiver #1 to 13.56MHzreceiver #2 to 12.71MHz
Band-Pass Filter400kHz width
FIR LPF w/ shifted center
DemodulateRemove carrier by converting
complex IQ to magnitude
subcarrier
(card-> reader)
carrier
(reader -> card)
Demodulate
Remove carrier by convertingcomplex IQ to magnitude
GNU radio RFID toolchain
8/12/2019 Defcon_Presentation.pdf
58/87
Tune Radiosreceiver #1 to 13.56MHzreceiver #2 to 12.71MHz
Band-Pass Filter400kHz width
FIR LPF w/ shifted center
DemodulateRemove carrier by converting
complex IQ to magnitude
subcarrier
(card-> reader)
carrier
(reader -> card)
Demodulate
Remove carrier by convertingcomplex IQ to magnitude
Manchester DecoderConvert transitions to bits
Modified Miller Decoder
Convert transitions to bits
to file
8/12/2019 Defcon_Presentation.pdf
59/87
sniffing the turnstile
challenge/response pairs
attacks on the MIFARE card
8/12/2019 Defcon_Presentation.pdf
60/87
attacks on the MIFARE card
Goal: get secret key (can clone card with it)
Brute Forcesniff handshake and use an
FPGA to crack key.
Filter function weaknessesreduce key space.
See:
www.cs.virginia.edu/~kn5f/
Mifare.Cryptanalysis.htm
For info on reducing key space
attacks on the MIFARE card
8/12/2019 Defcon_Presentation.pdf
61/87
attac s o t e ca d
Goal: get secret key (can clone card with it)
Brute Forcesniff handshake and use an
FPGA to crack key.
Filter function weaknessesreduce key space.
Manipulate PRG Timingrandom challenge depends on
clock cycles since powered up
thus it is not random.
This enables replay attacks:
Timing allows selection of specific
challenges. With deterministic challenges,
data can be replayed.
Keep on transmitting
those add $5 commands
8/12/2019 Defcon_Presentation.pdf
62/87
8/12/2019 Defcon_Presentation.pdf
63/87
brute force itwhen all else fails
8/12/2019 Defcon_Presentation.pdf
64/87
KwickBreak FPGA Brute-ForcerExecutes known plaintext attack to recover key
8/12/2019 Defcon_Presentation.pdf
65/87
FPGA
Brute
Forcing
Platform
Code
Generator
KwickBreakGUI
Crypto-1 DES
FPGA
generates
uses
interfaces w/
runs on
Hardware Used
Opal Kelly
XEM3001
www.opalkelly.com
8/12/2019 Defcon_Presentation.pdf
66/87
writing a (trivial) XOR module
8/12/2019 Defcon_Presentation.pdf
67/87
module xorPlugin(
input wire clk,
input wire [47:0] key,
input wire [47:0] plaintext,output reg [47:0] encrypted,
output reg ready);
always @(posedge clk) beginready
8/12/2019 Defcon_Presentation.pdf
68/87
./kwickbreakGenerator.py
>>>Please enter your plugin module name, as written.
xorPluginOutput filename (and path)
xorBruteForceUtil.vHow many cores would you like on the chip?
50If you have a pipelined design, how many clock delays for valid data?
0xorBruteForceUtil.v successfully written!
Now just create a new project in Xilinx ISE,
load the files, and synthesize
Done!
Subways using MiFare Classic
8/12/2019 Defcon_Presentation.pdf
69/87
- Boston (CharlieCard)
- London (Oyster Card)
- Netherlands (OV-Chipkaart)- Minneapolis
- South Korea (Upass)
- Hong Kong
- Beijing
- Madrid (Sube-T)- Rio de Janeiro (RioCard)
- New Delhi
- Bangkok and more
8/12/2019 Defcon_Presentation.pdf
70/87
ATTACK
THE
NETWORK
network security
8/12/2019 Defcon_Presentation.pdf
71/87
Performed site surveys of T stations and
offices (no WiFi found)
Performed wireless device audit
Found unguarded network switches
8/12/2019 Defcon_Presentation.pdf
72/87
fiber switches in unlocked roomconnect fare vending machines to the internal network
8/12/2019 Defcon_Presentation.pdf
73/87
Social Engineering
8/12/2019 Defcon_Presentation.pdf
74/87
Executed the PHANTOM MEETING attack
Gained access to internal
network drops and computers
Nobody suspected a thing as we walked intooffices and conference rooms
So we took it up a notch.
8/12/2019 Defcon_Presentation.pdf
75/87
first there waswardialing
c.1983 - 2000 2001 2002 2006 2007 - 2008
8/12/2019 Defcon_Presentation.pdf
76/87
then there waswardriving
c.1983 - 2000 2001 2002 2006 2007 - 2008
8/12/2019 Defcon_Presentation.pdf
77/87
then there waswarwalking
c.1983 - 2000 2001 2002 2006 2007 - 2008
8/12/2019 Defcon_Presentation.pdf
78/87
then there waswarflying
c.1983 - 2000 2001 2002 2006 2007 - 2008
andwarboating
8/12/2019 Defcon_Presentation.pdf
79/87
then there waswar-rocketing
c.1983 - 2000 2001 2002 2006 2007 - 2008
8/12/2019 Defcon_Presentation.pdf
80/87
then there waswarballooning
c.1983 - 2000 2001 2002 2006 2007 - 2008
8/12/2019 Defcon_Presentation.pdf
81/87
and nowwarcarting
c.1983 - 2000 2001 2002 2006 2007 - 2008
19dBi WiFi Antennadirectional
Two Laptops
Pan/Tilt Mechanismattachments include antennas
or a smokegrenade launcher
WarC
art
8/12/2019 Defcon_Presentation.pdf
82/87
Control Boxw/ key switch for activation
for control and data logging
900 MHz Antennadirectional, great for cordless
phones
Flash Drive Dropperfor U3 hacksaws
12dBi WiFi Antennaomnidirectional
25-1300 MHz Antennageneral coverage, great for
picking up the police
Scannerto pick up various
communications
Lights
2M candlepower fornight operations
PA Speaker
For announcements andintimidating music
CCD Cameratrip documentationAntenna Switch Box
To toggle between antennas
and radios
We decided to take it to the MBTA headquartersWe decided to take it to the MBTA headquarters
8/12/2019 Defcon_Presentation.pdf
83/87
And then we ran into some problems with the police
8/12/2019 Defcon_Presentation.pdf
84/87
Thats one of the WarCartssmoke grenades, by the way
So to avoid ending up like this
8/12/2019 Defcon_Presentation.pdf
85/87
We turned back
8/12/2019 Defcon_Presentation.pdf
86/87
contributions contributions
8/12/2019 Defcon_Presentation.pdf
87/87
1) Exploited physical security holes
2) Reverse engineered the CharlieTicket
3) Wrote code to analyze & generate magcards
4) Wrote a toolchain for analyzing 13.56MHz RFIDtransactions using the USRP+GNUradio
5)Attacked problems with the MIFARE Classic cards
6) Wrote brute forcer-generator to crack keys on an FPGA
7) Developed software to reduce MQ to SAT, allowing keyrecovery
8) Wrote code to read and clone MIFARE cards (given thekey)