MAGSTRIPE MADNESS
Major Malfunction
who am i ?
- security professional by day
- white hat hacker by night, weekends & when traveling..
- DEFCON goon
- DC4420 P.O.C. (London)
why mag stripe ?
- old skewl
- thoroughly insecure and yet still in use
- security by obscurity (again!)
- because it’s there
- i have no life
swipe cards
spot the room key…
spot the ATM card…
equipment – makstripe
http://www.makinterface.de
- Parallel port
- Read / Write all 3 tracks
- Raw data
- Does not care about checksums
- Does not care about parity
- Windows support only 🙁
- Doesn’t work with VMWare 🙁 🙁
equipment
http://www.sephail.net/articles/magstripe/
- Read only
- Read all 3 tracks plus non-standard
- Raw data
- Does not care about checksums
- Does not care about parity
- Audio output
- Analyse WAV files offline
analysis – makstripe
write – makstripe
standard track formats
- track 1: IATA – 210 BPI, 7 bit, 79 alphanumeric characters
- track 2: ABA – 75 BPI, 5 bit, 40 numeric characters
- track 3: THRIFT – 210 BPI, 5 bit, 107 numeric characters
track standards – IATA
Track 1: 210 BPI, 7 bit, 79 alphanumeric characters
Data format: Start | Format | From (airport) | To (airport) | Flight No. | Class | Day of year | Seat | Passenger | End | LRC
Example: %WYVRLHRBA 0084 W 034019K LAURIE/ADAM MR ?E
  Start % | Format W | From YVR | To LHR | Flight BA 0084 | Class W | Day of year / Seat 034019K (seat 19K) | Passenger LAURIE/ADAM MR | End ? | LRC E
before
after
hotel door locks
- passive: all logic in the lock
- active: reader only, all logic on back-end, centralised alarms & reporting
passive locks – key check flow
1. Key TYPE correct? no -> REJECT
2. SPECIAL key? yes -> Perform SPECIAL (Housekeeping Open, OneTime Open, Guest Lockout, Crime Scene Lockout)
3. Correct ROOM? no -> REJECT
4. RESCINDED key? yes -> REJECT
5. NEW key? yes -> RESCIND previous
6. EXPIRED key? yes -> REJECT
7. OPEN
keycard – multiple keys
;5101153528010176630125000120000000000?8
;5101153528020176630125000120000000000?;

Field          key 1      key 2
Start          ;          ;
Property?      510115     510115
Room No.       3528       3528
Key No.        01         02
Magic Number?  01766      01766
Expire         30125      30125
Key Type?      0001200..  0001200..
End            ?          ?
LRC            8          ;
keycard – new key!
;5101153528010176630125000120000000000?8
;5101153528020176630125000120000000000?;
;5101153528030176630125000120000000000?:

Field          key 1      key 2      key 3
Start          ;          ;          ;
Property?      510115     510115     510115
Room No.       3528       3528       3528
Key No.        01         02         03
Magic Number?  01766      01766      01766
Expire         30125      30125      30125
Key Type?      0001200..  0001200..  0001200..
End            ?          ?          ?
LRC            8          ;          :
keycard – rescinding
;5101150611010700431125000120000000000?6
;5101150611010703231125000120000000000?3

Field          old key    new key
Start          ;          ;
Property?      510115     510115
Room No.       0611       0611
Key No.        01         01
Magic Number?  07004      07032
Expire         31125      31125
Key Type?      0001200..  0001200..
End            ?          ?
LRC            6          3

RESCINDING keys
- New magic number
- Lock stores last 100 keys, e.g. 12345, 85123, 56787, 23677, …
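The deck's track 1 boarding-pass string and the track 2 keycard strings can be checked and split mechanically. This is an added example, not code from the talk or from any of the tools it names; the keycard field widths are assumptions read off the slides' worked examples, and the field names marked "?" are the presenter's guesses.

```python
# Added example (not from the deck): verify the LRC on the IATA track 1 and ABA
# track 2 strings shown on the slides, and split a hotel keycard's track 2 into
# the fields the slides label. Field widths are assumptions from those examples.
from typing import Optional

def expected_lrc(track: str) -> Optional[str]:
    """LRC = XOR of every character's data bits from the start sentinel through
    the end sentinel '?' (the LRC character itself is excluded). Track 1 chars
    carry 6 data bits (ASCII - 0x20); track 2 chars carry 4 bits (BCD, where
    ';' = 0xB and '?' = 0xF). Returns None for an unknown start sentinel."""
    if track.startswith("%"):          # IATA track 1, alphanumeric
        base = 0x20
    elif track.startswith(";"):        # ABA track 2, numeric
        base = 0x30
    else:
        return None
    if "?" not in track:               # no end sentinel: truncated read
        return None
    acc = 0
    for ch in track[: track.index("?") + 1]:
        acc ^= ord(ch) - base
    return chr(acc + base)

def lrc_ok(track: str) -> bool:
    want = expected_lrc(track)
    if want is None:
        return False
    end = track.index("?")
    return len(track) > end + 1 and track[end + 1] == want

# Keycard layout from the slides: (name, width). Assumed from the examples.
KEYCARD_FIELDS = (("property", 6), ("room", 4), ("key_no", 2),
                  ("magic", 5), ("expire", 5), ("key_type", 15))

def parse_keycard(track: str) -> dict:
    """Return the keycard fields, refusing data whose LRC does not check."""
    if not lrc_ok(track):
        raise ValueError("LRC mismatch: misread or altered track data")
    body = track[1 : track.index("?")]
    if len(body) != sum(w for _, w in KEYCARD_FIELDS):
        raise ValueError("unexpected track length for this keycard layout")
    fields, pos = {}, 0
    for name, width in KEYCARD_FIELDS:
        fields[name] = body[pos : pos + width]
        pos += width
    return fields

def differing_fields(a: str, b: str) -> list:
    """Which fields change between two cards: key_no for a second key for the
    same room, magic for a re-issued (rescinding) key, as on the slides."""
    fa, fb = parse_keycard(a), parse_keycard(b)
    return [name for name, _ in KEYCARD_FIELDS if fa[name] != fb[name]]
```

Running it over the six strings on the slides reproduces every LRC the deck shows (8, ;, :, 6, 3 and E), which is a quick way to confirm a reader is delivering clean data before trusting any field decode.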
active locks
- all locks connected to central computer (one wire)
- checking done against live database
- key swipe as messaging system: room clean, out of service etc.
security
- access attempts raise alarm!
- audit trail
- much more expensive, harder to retrofit
non-standard stripes
- non-standard equipment
magnasee
- magnetic field visualisation
- head alignment
- audio 1/2” tape lead-in
- Carbon Tetrachloride! (carbon chloride, methane tetrachloride, perchloromethane, tetrachloroethane, or benziform) + iron filings
- banned as a carcinogen!! =:O
size matters!
- British Rail track is 2.5 times the width of ISO standard
- But BPI is the same…
data matters!
dmsb
http://www.alcrypto.co.uk
data analysis
- decode standard track formats & character sets – Joseph Battaglia, http://www.sephail.net/articles/magstripe/
- binchop: aid to look for patterns and parity – Major Malfunction
demonstration
making sense of the data
- http://www.magtek.com/documentation/public/99875065-4.pdf
- character sets
attack combining
- mmirda + magstripe = drinks are on me!
evolution
next generation
- RFID
- biometric
RFID I/O tools: RFIDIOt
http://rfidiot.org
- python library
- ISO 14443A/B: MIFARE® Standard, MIFARE® 4k, MIFARE® Pro, MIFARE® Ultralight, MIFARE® DESFIRE, MIFARE® SmartMX, SLE 55Rxx, SLE 66CL160S, SLE 66CLX320P, SR176, SRIX4K, ISO14443A Tags, ISO14443B Tags, Jewel Tag (IRT0302B11 KSW DIY Eng. Sample), Sharp B, ASK GTML2ISO, TOSMART P064
- support for ACG Dual ISO reader (http://www.acg.de): no drivers required – serial device
MIFARE tags
- Block layout
- Access controls
- Demonstration
MIFARE 1K – block layout
Sector 0:  Block 0 (Manufacturer block) | Block 1 | Block 2 | Block 3 (Sector trailer / Access control block)
Sector 1:  Block 4 | Block 5 | Block 6 | Block 7 (Sector trailer)
Sector 2:  Block 8 | Block 9 | Block 10 | Block 11 (Sector trailer)
Sector 3:  Block 12 | Block 13 | Block 14 | Block 15 (Sector trailer)
Sector …:  Block … | Block … | Block … | Block … (Sector trailer)
Sector 15: Block 60 | Block 61 | Block 62 | Block 63 (Sector trailer)
16 sectors, 4 blocks per sector, 16 bytes per block = 1024 bytes
manufacturer block layout (Sector 0, Block 0)
byte: 00 01 02 03 | 04         | 05 06 07 08 09 10 11 12 13 14 15
      Serial Number | Check byte | Manufacturer data
- Whole block is read only
access control block layout (sector trailer, Block 3 of each sector)
byte: 00 01 02 03 04 05 | 06 07 08 09         | 10 11 12 13 14 15
      KeyA (WRITE only)  | Access Control Bits | KeyB or DATA
- KeyA can never be read
- KeyB may be read and/or written, depending on ACB
- ACB for various combinations:
  - who may read/write keys
  - who may increment/decrement/restore value blocks
data block
byte: 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15
- 16 bytes free storage
value block
byte: 00 01 02 03 | 04 05 06 07      | 08 09 10 11 | 12  | 13      | 14  | 15
      Value       | Value (inverted) | Value       | Adr | Adr (i) | Adr | Adr (i)
- Value stored 3 times: twice non-inverted, once inverted
- Address byte stored 4 times: twice non-inverted, twice inverted
- Audit trails
- Backup
- Read only (by value commands)
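The redundancy in a value block is what lets a reader tell a genuine, intact value from a corrupted or merely data-shaped block. The following is an added example, not code from the deck or from RFIDIOt; it encodes a value block with the triple value and quadruple address copies described above and refuses any block whose copies disagree.

```python
# Added example (not from the deck or from RFIDIOt): build and integrity-check a
# MIFARE Classic value block using the redundancy the slides describe.
import struct

def encode_value_block(value: int, addr: int) -> bytes:
    """Value (signed 32-bit, little-endian) stored 3 times: plain, inverted,
    plain. Address byte stored 4 times: plain, inverted, plain, inverted."""
    if not 0 <= addr <= 0xFF:
        raise ValueError("address must fit in one byte")
    v = struct.pack("<i", value)
    inv_v = bytes(b ^ 0xFF for b in v)
    return v + inv_v + v + bytes([addr, addr ^ 0xFF, addr, addr ^ 0xFF])

def decode_value_block(block: bytes):
    """Return (value, addr), or raise ValueError if any copy disagrees.
    A mismatch means the block is corrupt (interrupted write, tampering) or is
    an ordinary data block, so the caller must not act on the value."""
    if len(block) != 16:
        raise ValueError("a MIFARE block is 16 bytes")
    v0, v1, v2 = block[0:4], block[4:8], block[8:12]
    if v0 != v2 or bytes(b ^ 0xFF for b in v1) != v0:
        raise ValueError("value copies disagree")
    a0, a1, a2, a3 = block[12:16]
    if a0 != a2 or a1 != a3 or (a0 ^ 0xFF) != a1:
        raise ValueError("address copies disagree")
    return struct.unpack("<i", v0)[0], a0

def is_value_block(block: bytes) -> bool:
    """True only for a block that passes every redundancy check."""
    try:
        decode_value_block(block)
        return True
    except ValueError:
        return False
```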
tag operations
- Card Select
- Sector Login
- Read/Write etc.
demonstration
Questions?
oh dear…
majormal@pirateradio.org http://www.alcrypto.co.uk