
Major Malfunction = Larry Pesce


This past weekend Major Malfunction presented on and released his RFIDiot tools at Shmoocon. I was in attendance and had the opportunity to talk with him earlier in the weekend.

He presented his tools, all based in Python, to the audience and demonstrated a number of cloning attacks, as well as the ability to read the new UK passports. The UK passports contain all of the information needed to create a new one – including a digital version of the picture.

The challenge that he faced with the passports is that a key is required to read the RFID chip. However, he was able to obtain all of the information that was needed to brute force the required key in only a few hours, using only the information printed on the envelope.

It also seems that Major Malfunction has a keen interest in cloning of humans. Well, not so much the humans, but their implanted RFID chips. As you may be aware, I have an implanted chip, and spent some time on stage with Major to have him clone me in front of a live audience. He was successful in cloning my chip, and was able to utilize it to unlock my laptop.

Now you may be asking, “Why would Larry allow someone to clone his implanted chip?” The reasons are simple:

  • The number is publicly available from the video of the implantation [view it here]. It was always intended to be public.
  • The implant was done for research and education. To me, assisting in the demo was the perfect opportunity to educate about the insecurities in RFID. I’m taking the hit so you don’t have to.
  • I’m encouraging people to use my implant for evil (or good). I know of some (secret) plans for my RFID chip at the Wireless Village at DEFCON 15. I’m willing to participate to help educate, and make the whole system better.
  • I know the major inherent weaknesses in the system, so any project I’m using it for personally does not contain any live data (test data only). For access control purposes (such as a home, office or car), you can bet that you have to pass through one or more other security systems first! Likely, you’ll only be able to open something useless, like an empty drawer. The safe or front door, forget it.

Mike Poor shouted to me while I was walking off stage to take the cloned card that Major Malfunction retained. I thought it was humorous, but at that point my RFID implant was already compromised: on the internet, displayed on the screen at the conference, and possibly already cloned to one or more cards in Major’s possession. I’d already stepped beyond the point of no return. I’m OK with that too.

To plug Major Malfunction’s works, go check out his website. Go download and play with his tools; he also has a bunch of hardware for sale, which was actually used in his presentation.

Go forth and hack RFID, including mine.

– Larry

Larry Pesce

Larry’s core specialties include hardware and wireless hacking, architectural review, and traditional pentesting. He also regularly gives talks at DEF CON, ShmooCon, DerbyCon, and various BSides. Larry holds the GAWN, GCISP, GCIH, GCFA, and ITIL certifications, and has been a certified instructor with SANS for 5 years, where he trains the industry in advanced wireless and Industrial Control Systems (ICS) hacking. Larry’s independent research for the show has led to interviews with the New York Times with MythBusters’ Adam Savage, hacking internet-connected marital aids on stage at DEFCON, and having his RFID implant cloned on stage at Shmoocon. Larry is also a Principal Instructor and Course Author for the SANS Institute for SEC617: Wireless Penetration Testing and Ethical Hacking and SEC556: IoT Penetration Testing. When not hard at work, Larry enjoys long walks on the beach weighed down by his ham radio, (DE KB1TNF), and thinking of ways to survive the impending zombie apocalypse.
