Unlocking RFID Security: A Deep Dive into Flipper Zero and the Vulnerabilities of Multiclass Readers

Presented at CactusCon 12 (2024), Feb. 17, 2024, 2 p.m. (30 minutes).

Embark on a captivating journey into the realm of physical security, where we unravel the complexities of RFID/NFC hacking. We will take a closer look at HID's iClass systems to understand the strengths as well as the weaknesses that were revealed in Milosch Meriac's acclaimed "Heart of Darkness" paper. Additionally we explore the emergence of the updated Picopass SE class cards. We'll discuss the vulnerabilities of multiclass readers, the potential for downgrade attacks, and the implications of these security vulnerabilities. Learn how the Flipper Zero Unleashed Firmware can be used to exploit these vulnerabilities, and how the security of multiclass readers can be reduced to that of a simple 125 KHz RFID reader. This talk will also shed light on the potential for privilege escalation through enumeration and brute forcing, and the risks associated with facility codes and card naming conventions. Whether you're a PEN tester, a hardware hacker, or simply interested in the world of physical security, this talk promises to be a captivating journey into the heart of RFID security.

Presenters:

  • Noah Pitts - Cybersecurity Student @ GCU
    Noah Pitts is a security enthusiast & aspiring adult who enjoys splitting his free time equally between OSINT, snowboarding & music.
  • Morgan Hunting - Cybersecurity student @GCU | Pentester
    Morgan is a cybersecurity student who loves to learn about the ever growing threats we are facing each day.

Links:

Similar Presentations: