From Security Weekly Wiki
Revision as of 19:39, 13 July 2007 by Jconlin (talk | contribs)
Jump to navigationJump to search

RFIDIOt, Ubuntu Feisty Fawn and Cloning EN 4X05 RFID tags

  • Prerequisites:

First off we will need to install python, and some additional modules. We need Python 2.5, python-serial, python-psyco, python-imaging, python-pycrypt, and python-imaging-tk. If we want to be able to read passports at some point, we will also need to install OpenSSL. My install contained OpenSSL already, so this os more of a note for those looking to use this with a different distro.

Using Aptitude under Ubuntu, we need to perform the following:

sudo aptitude install python2.5 python2.5-dev python-serial python-psyco python-imaging python-pycrypt and python-imaging-tk

Once those are installed, we can successfully use RFIDIOt after configuring it.

  • Attaching the reader:

In this example I'm using the ACG RFID reader. As this reader implements the FTDI serial converter, Feisty Fawn already will recognize the device (with issues, so keep reading). On other distros, you may need to load the kernel module manually with:

modprobe ftdi_sio vendor=0x0403 product=0xdd20

Under Feisty Fawn, I encountered some issues with utilizing the USB ACG reader. After careful inspection of dmesg output, I was able to determine that the UB reader was connected properly, and disconnected by another module. The module was brltty, which is used by Feisty Fawn to support braille terminals. In my case, a braille terminal isn't going to do me a lot of good. The best way I have found to resolve this issue, is to remove the braille terminal module support (and X11 braille terminal support) altogether. We can do this with the following command:

sudo aptitude remove brltty brltty-X11

It is important at this step to answer NO to the first question asked by aptitude about package dependency removal! You will note that by trying to remobe brltty-X11, aptitude attempts to remove ubuntu-desktop , which contains the X server! If we still want a GUI, this is a bad idea. If we answer yes to the SECOND question posed by aptitude we will be all set. We'll note that this question omits the removal of ubuntu-desktop.

  • Configuring RFIDIOt

In this example I'm using version 0.1p, although the configuration has been the same for as may revisions back as I have tried it. Forst off, we need to define a reader type, port and speed. We can do this by editing the RFIDIOtconfig.py file (with vi), located in our RFIDIOt directory. In this file, we need to make sure that these settings are true:

  • 1.) In the serial port section, line="/dev/ttyUSB0" is uncommented, and all other directives are commented out.
  • 2.) In the reader type section, readertype= RFIDIOt.refidiot.READER_ACG is uncommented, and all other directives are commented out.
  • 3.) In the speed section, speed= 9600 is uncommented, and all other directives are commented out.

Once these configurations are complete, RFIDIOt is ready for use with our reader.

  • Cloning an EN 4X05 tag:

Adam has made this real easy to do! With our reader attached, in our RFIDIOt directory we will execute:

./unique.py CLONE

Unique will then wait for the source tag to be presented. When the source tag has been successfully read, it will wait for a writable tag to be presented. Don't worry if your source is read multiple times - the reader can tell that it is the same tag, and not writable. When presented with a writable tag that can emulate a unique tag (Q5 or HITAG), it will automaticaly write the source information!

  • Testing the clone:

Adam has also included another great python program for reading multiple successive tags called multiselect. we can execute it from the RFIDIOt directory with:


The software will then wait for tags to be presented and will keep reading until removed, where it will continue to wait. We can exit at any time with a CTRL-C. I've also found that this is a great way to pre-test the tags before cloning: I've found that the implantable tags (implanted or not) are finicky reading and writing, and work much better at certain angles and orientations.

Stories for Discussion

Greek Wiretapping - [Larry] - An interesting read on tapping cell phones, what can go wrong in a forensics process, and potential for an inside jobs. Interesting details on how the hack was performed - rootkit for very specialized equipment

PDF SPAM on the rise - [Larry] - Ugh, before it was images, now it is PDFs. We spent all of this time not allowing images to be displayed in mail clients, so now they send us PDFs. Who blocks PDFs? That isn't really practical, and we all know that, even though our users have been taught otherwise, they still open odd attachments form people they don't know.

WinPcap Privilege escalation - [Larry] - Now maybe not that big of a deal, but think about how many good windows tools use WinPcap.

How to beat an Audit - [Larry] - I wouldn't say that this is beating an Audit. I'd say that this is a good set of practices that you should be doing anyway. If they are good, and you are doing them, it isn't really beating anything. we can discuss the 8 suggestions from the article...

0-day has 348 Day lifecycle - [Larry] - How do you know? By definition, a 0-day is something not public, that you don't know about. So, how do you measure the unknown?

F-Secure FSCSI-ies stuff up - [Larry] - Wow, this is neat. F-Secure demoed a tool for visually analyzing what malware/viruses do to your system, by comparing a clean state to a post infected state. The tool shows relationships and new items installed, started and modified. It's like the Gibson interface for Malware!

Cyberstalking Potential Employers - [Larry] - Much like google hacking, here are a few other methods to learn about the network of a potential employer before you interview there. Not only that, but it may help you reveal more partners, subsidiaries and other things that you may not know about.

Security blogger pushes "crudware" - [Larry] ...well, not really. He let his blogger account expire, and someone claimed it when it went back to rotation. The new owner forced malware to unsuspecting visitors. Beware url squatters...something similar but different happened to our compatriot Victor Cajiao.

802.1X for non PCs - [Larry] - Oh dear god, thank you! Now no more lower security networks for PDAs, VOIP phones, and all of the other devices without a supplicant. While not available yet, please give these guys a word of encouragement. It looks as though it might be FREE too...

Sun Java Runtime Environment vulnerability allows remote compromi - [Joe] - "A buffer overflow vulnerability in the image parsing code in the Java Runtime Environment may allow an untrusted applet or application to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet."

Other Stories of Interest

YouTube used as a tool to spread malware - [Joe] - This is hilarious- the hacker advertises a Grand Theft Auto mod through a demo video on YouTube. Not only is the video totally lame, but the download link he posts in the video to get the mod is really a trojan