What’s in Larry’s RFID hacking box?

We’ve been asked a number of times for advice on RFID equipment that can be used to start experimenting with RFID technologies. We’ve heard your request loud and clear; I’m going to give you a rundown of what is in my current kit.

Start at the Beginning

The first reader that I picked up was the PhidgetRFID board.

It was inexpensive, included all the bits and pieces I needed for interfacing (USB built in) along with some sample applications and an open community. It reads uniquely numbered EM4x02 series tags quite well. This reader is read only, and operates in the 125 kHz spectrum.

Moving On Up

Shortly thereafter I realized that I wanted to write tags. Of course I was familiar with the RFIDIOt project and I wanted a writer that would work with that particular code. I picked up an ACG reader with USB interface from Major Malfunction (the author of RFIDIOt) in order to help support the project.

It was expensive and it needed to be imported to me from the UK but I couldn’t find an equivalent reader elsewhere that could come close to the cost. I picked up the ACG LF USB reader, which works like a champ reading and writing to all manner of tags. If I had to do it again, I’d upgrade to the ACG LAHF USB which wasn’t available at the time. While I was there, I also picked up the ultra cheap USB Keyboard Wedge Verification LF Reader just for fun.

Unfortunately the next project that I wanted to pursue involved the reading of ISO 14443A/B tags, which wasn’t supported by my ACG reader (the upgraded model does, hence my recommendation for the upgrade). In order to support the reading of ISO 14443A/B tags, I picked up the Omnikey Cardman 5321, which also has a smart card reader.

Ooh, two hacking tools in one! I did acquire this reader much cheaper here in the US. The supplier no longer has them available but there are several that are Google-able. In typical fashion I wanted to be able to read ISO 14443A/B tags in order to read PayPass RFID tags which I found out isn’t supported by RFIDIOt…yet. A chat with Major Malfunction at Defcon revealed that he is close to being able to support the PayPass chips.

Going Standalone

I was also fortunate to be able to acquire some Parallax modules from the Defcon Wireless village RFID scavenger hunt a few years ago. Thorn put them together in a kit to build a standalone EM4X02 reader with serial LCD display.

It worked great, but I’ve got some new plans for the modules, such as integrating them with an Arduino and a few extra goodies for good measure.

The Latest Goods

A few weeks ago I picked up a VivoPay Paypass 3000 reader off of eBay for a few dollars (under $10).

It was “tested and working” and it does appear to be that way. Unfortunately I need to construct a serial adapter for it and my tools seem to be missing. I have some headed my way this afternoon, so this is an ongoing project.

The neat option with this reader is the PayPass support. It will read the card and handle all of the over the air encryption. The module handles all of the decryption, and hands off the clear text of the tag via serial; this is the part that would be handed to the Point of Sale System. Bonus, let’s use the intended purpose of the hardware to do the crypto for us, and interface with 3ric’s pwnpass script. Stay tuned for more goodies with this one.

[Update: During the writing of this post, I was successful in building the serial adapter and testing it with the tools from VIVOtech, as well as the pwnpass script. However, I think that this reader has an old version of firmware that cannot understand the commands issued to it. I have to call VIVOtech to get ahold of the latest firmware, which I’m told is fairly easy to do.]

You’ll note that I don’t have any inventory of active RFID equipment; all of my gear is passive. I haven’t had any experience with any active gear, and for me, the cost is more prohibitive.

Right now, that’s what I’ve got in my kit and I’ve found I can read just about any type of tag that I can encounter, from passports to physical security cards. Some are a work in progress, but they are just a matter of time. Scan away! Also, I’m more than willing to let you scan my RFID implant in person should we meet.

Larry “haxorthematrix” Pesce

Larry Pesce

Larry’s core specialties include hardware and wireless hacking, architectural review, and traditional pentesting. He also regularly gives talks at DEF CON, ShmooCon, DerbyCon, and various BSides. Larry holds the GAWN, GCISP, GCIH, GCFA, and ITIL certifications, and has been a certified instructor with SANS for 5 years, where he trains the industry in advanced wireless and Industrial Control Systems (ICS) hacking. Larry’s independent research for the show has led to interviews with the New York Times with MythBusters’ Adam Savage, hacking internet-connected marital aids on stage at DEFCON, and having his RFID implant cloned on stage at Shmoocon. When not hard at work, Larry enjoys long walks on the beach weighed down by his ham radio, (DE KB1TNF), and thinking of ways to survive the impending zombie apocalypse.
