Cracking HiTag2 Crypto - Weaponising Academic Attacks for Breaking and Entering

Presented at TROOPERS18 (2018), March 12, 2018, 1:30 p.m.

HiTag2 RFID uses cryptography to authenticate and encrypt communications between a reader and a tag; this technology is used in secure building access and in car immobilisers. I have implemented the three attacks from the 2012 academic paper 'Gone in 360 Seconds' by Roel Verdult, Flavio D. Garcia and Josep Balasch, and the attack from the 2016 academic paper 'Lock It and Still Lose It' by Garcia et al., which permit rapid cracking of the crypto so that tags can be easily cloned.

HiTag2 is an RFID technology operating at 125 kHz. It is distinguished from many others in the same field by its use of two-way communications for authentication and its use of encryption to protect the data transmissions; the majority of RFID technologies at 125 kHz feature no authentication or encryption at all. As a result it has been widely used to provide secure building access and has also been used as the technology that implements car immobilisers.

In 2012, academic researchers Roel Verdult, Flavio D. Garcia and Josep Balasch published the seminal paper 'Gone in 360 Seconds: Hijacking with Hitag2', which presented three attacks on the encryption system used in HiTag2. They implemented their attacks on the Proxmark 3 device (an RFID research and hacking tool) and gave several high-profile demonstrations, but didn't release any of their code or tools. Since then, the forums supporting Proxmark 3 and RFIDler (another RFID hacking tool) have received many requests for implementations of these attacks, but until recently none had been forthcoming. Garcia et al. went on to produce a fast correlation attack in the 2016 paper 'Lock It and Still Lose It'.

In this talk I will explain in detail how HiTag2 RFID works, including the PRNG and the authentication and encryption protocols, and will present my own implementations of the attacks, written for RFIDler and supported by desktop computers. The first attack uses a nonce replay to misuse the integrity protection of the communications, allowing access to the readable RFID tag pages without needing to know the key. The second and third attacks use a time/memory trade-off brute force and cryptanalytic attacks to recover the key, so that the contents of the read-protected pages can also be accessed. The attacks are weaponised and permit cloning of tags, which I will demonstrate.

This talk will require 1.5 hours to cover all the material, including demonstrations of all three attacks.

All tools are publicly available on the ApertureLabs/RFIDler GitHub.

Presenters:

  • Kev Sheldrake
    Kevin Sheldrake is a penetration tester and researcher who started working in the technical security field in 1997. Over the years, Kev has been a developer and systems administrator of 'secure' systems, an infosec policy consultant, a penetration tester, a reverse engineer and an entrepreneur who founded and ran his own security consulting company. His current interests (4+ years) are IoT, crypto and RFID; he reverse engineers and hacks devices that his employer intends to sell. He has a Master's degree, is a Chartered Engineer and, in the past, has been a CHECK Team Leader, a CISSP and held CLAS. He privately mentors others on the Stanford and Maryland crypto courses available on coursera.org. Kev has presented at 44Con on RFID crypto (Cracking HiTag2 Crypto); at EMF Camp, DEFCON 4420 and DEFCON 441452 on hacking embedded devices (Inside our Toys); on building debuggers for embedded devices at Securi-Tay (Phun with Ptrace()); and a lengthy take-down of the use of NLP in social engineering at DEFCON 4420 (Social Engineering LIES!). He has also presented regularly at his employer's internal security conference, winning best talk in 2014 for 'Embedded Nonsense', a talk about hacking an IoT device and reversing its crypto, which he subsequently presented at Cyber Security Challenge.