Defcon_Presentation.pdf

8/12/2019 Defcon_Presentation.pdf

1/87

Anatomy

Russell Ryan

Zack Anderson

Alessandro Chiesa

Subway Hackof a

For updated slides and code, see: http://web.mit.edu/zacka/www/subway/


2/87

what this talk is:Pen-testing a subway system


3/87

what this talk is not:evidence in court

(hopefully)


4/87

Youll learn how to Generate stored-value fare cards

Reverse engineer magstripes

Hack RFID cards

Use software radio to sniff Use FPGAs to brute force

Tap into the fare vending network Social engineer

WARCART!


5/87

AND THIS IS VERY ILLEGAL!So the following material is for educational use only.


6/87


7/87

ATTACK

PHYSICAL

SECURITY


8/87

there is almost always a free way to get in


9/87

turnstile control boxes open

almost everywhere


10/87

computer screens visible through

windows


11/87

door keys left in open boxes


12/87

door keys left in open boxes

4 3 7 6 6

t t f th t ill


13/87

state-of-the-art surveillance

often unattended


14/87

documents left in the open


15/87


16/87

h t f d Eb


17/87

what we found on Ebay


18/87

ATTACK

THE

MAGCARD


19/87

pick the hardware


20/87

$139.95

Spark Fun Electronics

3-Track Lo-Co

Includes source code

$5 reader)

Band-Pass Filter400kHz width

FIR LPF w/ shifted center

charlie card + reader FFT


55/87

Band Pass Filter

400kHz

13.56MHz reader -> card transmission


56/87

12.71MHz card -> reader transmission

time

time

GNU radio RFID toolchain


57/87

Tune Radiosreceiver #1 to 13.56MHzreceiver #2 to 12.71MHz



DemodulateRemove carrier by converting

complex IQ to magnitude

subcarrier

(card-> reader)

carrier

(reader -> card)

Demodulate

Remove carrier by convertingcomplex IQ to magnitude

GNU radio RFID toolchain


58/87

Tune Radiosreceiver #1 to 13.56MHzreceiver #2 to 12.71MHz



DemodulateRemove carrier by converting

complex IQ to magnitude

subcarrier

(card-> reader)

carrier

(reader -> card)

Demodulate

Remove carrier by convertingcomplex IQ to magnitude

Manchester DecoderConvert transitions to bits

Modified Miller Decoder

Convert transitions to bits

to file


59/87

sniffing the turnstile

challenge/response pairs

attacks on the MIFARE card


60/87


Goal: get secret key (can clone card with it)

Brute Forcesniff handshake and use an

FPGA to crack key.

Filter function weaknessesreduce key space.

See:

www.cs.virginia.edu/~kn5f/

Mifare.Cryptanalysis.htm

For info on reducing key space



61/87

attac s o t e ca d

Goal: get secret key (can clone card with it)

Brute Forcesniff handshake and use an

FPGA to crack key.

Filter function weaknessesreduce key space.

Manipulate PRG Timingrandom challenge depends on

clock cycles since powered up

thus it is not random.

This enables replay attacks:

Timing allows selection of specific

challenges. With deterministic challenges,

data can be replayed.

Keep on transmitting

those add $5 commands


62/87


63/87

brute force itwhen all else fails


64/87

KwickBreak FPGA Brute-ForcerExecutes known plaintext attack to recover key


65/87

FPGA

Brute

Forcing

Platform

Code

Generator

KwickBreakGUI

Crypto-1 DES

FPGA

generates

uses

interfaces w/

runs on

Hardware Used

Opal Kelly

XEM3001

www.opalkelly.com


66/87

writing a (trivial) XOR module


67/87

module xorPlugin(

input wire clk,

input wire [47:0] key,

input wire [47:0] plaintext,output reg [47:0] encrypted,

output reg ready);

always @(posedge clk) beginready


68/87

./kwickbreakGenerator.py

>>>Please enter your plugin module name, as written.

xorPluginOutput filename (and path)

xorBruteForceUtil.vHow many cores would you like on the chip?

50If you have a pipelined design, how many clock delays for valid data?

0xorBruteForceUtil.v successfully written!

Now just create a new project in Xilinx ISE,

load the files, and synthesize

Done!

Subways using MiFare Classic


69/87

- Boston (CharlieCard)

- London (Oyster Card)

- Netherlands (OV-Chipkaart)- Minneapolis

- South Korea (Upass)

- Hong Kong

- Beijing

- Madrid (Sube-T)- Rio de Janeiro (RioCard)

- New Delhi

- Bangkok and more


70/87

ATTACK

THE

NETWORK

network security


71/87

Performed site surveys of T stations and

offices (no WiFi found)

Performed wireless device audit

Found unguarded network switches


72/87

fiber switches in unlocked roomconnect fare vending machines to the internal network


73/87

Social Engineering


74/87

Executed the PHANTOM MEETING attack

Gained access to internal

network drops and computers

Nobody suspected a thing as we walked intooffices and conference rooms

So we took it up a notch.


75/87

first there waswardialing

c.1983 - 2000 2001 2002 2006 2007 - 2008


76/87

then there waswardriving

c.1983 - 2000 2001 2002 2006 2007 - 2008


77/87

then there waswarwalking

c.1983 - 2000 2001 2002 2006 2007 - 2008


78/87

then there waswarflying

c.1983 - 2000 2001 2002 2006 2007 - 2008

andwarboating


79/87

then there waswar-rocketing

c.1983 - 2000 2001 2002 2006 2007 - 2008


80/87

then there waswarballooning

c.1983 - 2000 2001 2002 2006 2007 - 2008


81/87

and nowwarcarting

c.1983 - 2000 2001 2002 2006 2007 - 2008

19dBi WiFi Antennadirectional

Two Laptops

Pan/Tilt Mechanismattachments include antennas

or a smokegrenade launcher

WarC

art


82/87

Control Boxw/ key switch for activation

for control and data logging

900 MHz Antennadirectional, great for cordless

phones

Flash Drive Dropperfor U3 hacksaws

12dBi WiFi Antennaomnidirectional

25-1300 MHz Antennageneral coverage, great for

picking up the police

Scannerto pick up various

communications

Lights

2M candlepower fornight operations

PA Speaker

For announcements andintimidating music

CCD Cameratrip documentationAntenna Switch Box

To toggle between antennas

and radios

We decided to take it to the MBTA headquartersWe decided to take it to the MBTA headquarters


83/87

And then we ran into some problems with the police


84/87

Thats one of the WarCartssmoke grenades, by the way

So to avoid ending up like this


85/87

We turned back


86/87

contributions contributions


87/87

1) Exploited physical security holes

2) Reverse engineered the CharlieTicket

3) Wrote code to analyze & generate magcards

4) Wrote a toolchain for analyzing 13.56MHz RFIDtransactions using the USRP+GNUradio

5)Attacked problems with the MIFARE Classic cards

6) Wrote brute forcer-generator to crack keys on an FPGA

7) Developed software to reduce MQ to SAT, allowing keyrecovery

8) Wrote code to read and clone MIFARE cards (given thekey)

Documents

Defcon_Presentation.pdf