Description:

Our hack is a device that performs a man-in-the-middle attack on an RFID scanner. It logs card data and lets the user replay that logged data to enter the place they've bugged with the device at their leisure.

Inspiration:

We were motivated by the desire to crack the UMass RFID system.

What it does:

It takes the place of an RFID scanner, logs the card data of unsuspecting card users, and then uses that data to unlock the door or building it's attached to.
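The replay this device depends on leaves a trace in the access-control system's own logs: a reader that only checks static card data cannot tell the logged copy from the real card, but the server that records every grant can notice one credential turning up at readers a single cardholder could not have reached in the time elapsed. The following detector is an added example written from the defender's side; it is not part of the project, and the log format, reader names, card values and walking times are all constructed for the example.

```python
"""Flag replayed door credentials in access-control logs.

Added example, not part of the project described above. The log
format, reader names, card values and minimum travel times are all
constructed; a real deployment would take them from the access-control
server and a site map.
"""
from datetime import datetime

# Constructed: minimum seconds a cardholder needs to walk between two
# readers. Unlisted pairs fall back to MIN_TRAVEL_DEFAULT; the same
# reader twice needs no travel at all.
MIN_TRAVEL = {
    frozenset({"LIB-N", "LIB-S"}): 60,
    frozenset({"LIB-N", "ENG-1"}): 480,
    frozenset({"LIB-S", "ENG-1"}): 420,
}
MIN_TRAVEL_DEFAULT = 300

# Constructed sample log: card 1a2b3c4d is granted at LIB-N and, 185 s
# later, at ENG-1, which is eight minutes away on foot.
SAMPLE_LOG = """\
2019-02-02T08:00:05 reader=LIB-N card=1a2b3c4d result=granted
2019-02-02T08:00:40 reader=LIB-N card=55667788 result=granted
2019-02-02T08:03:10 reader=ENG-1 card=1a2b3c4d result=granted
2019-02-02T08:05:00 reader=LIB-S card=55667788 result=granted
2019-02-02T08:12:30 reader=LIB-S card=1a2b3c4d result=denied
2019-02-02T08:20:00 reader=ENG-1 card=55667788 result=granted
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict."""
    ts_str, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(ts_str)
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def min_travel(reader_a, reader_b):
    if reader_a == reader_b:
        return 0
    return MIN_TRAVEL.get(frozenset({reader_a, reader_b}), MIN_TRAVEL_DEFAULT)


def find_impossible_travel(events):
    """Return (card, earlier_event, later_event) for every grant that
    follows the same card's previous grant faster than a person could
    walk between the two readers. Denials are ignored: they make no
    claim about where the cardholder actually is."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "granted":
            continue
        prev = last_seen.get(ev["card"])
        if prev is not None:
            elapsed = (ev["ts"] - prev["ts"]).total_seconds()
            if elapsed < min_travel(prev["reader"], ev["reader"]):
                alerts.append((ev["card"], prev, ev))
        last_seen[ev["card"]] = ev
    return alerts


if __name__ == "__main__":
    for card, earlier, later in find_impossible_travel(parse_log(SAMPLE_LOG)):
        print(f"possible replay of {card}: {earlier['reader']} at {earlier['ts']:%H:%M:%S} "
              f"then {later['reader']} at {later['ts']:%H:%M:%S}")
```

The check is deliberately conservative: it compares only consecutive grants for one card, so a genuine cardholder who walks slowly never trips it, while a logged credential replayed while its owner is elsewhere on campus does.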

How we built it:

We hooked up Arduinos to both the Adafruit shield and the RFID scanner. We divided into two teams: one attempted to read and decode the bits read in from student IDs through the scanner, and the other attempted to write those bit sequences to dummy cards to see if the RFID scanner could be tricked. We had to pivot our plans and build a device that employed a MitM attack instead. Once we had finished reading and decoding bits from the cards, we could send that data to the web service we had started building. We wanted this web service hosted on a Raspberry Pi so that we would have an all-in-one device for conducting our exploits, so we set up a Raspberry Pi as well. Meanwhile, some members worked in tandem to design and implement the web service. After we got the service working on our development machines, we deployed it on the Raspberry Pi and polished it to a satisfactory degree.

Challenges we ran into:

There were multiple challenges related to the cards and the RFID scanner. In particular, the protocols and standards used by the RFID scanners and cards are proprietary, and information that would aid in exploiting them was either sparse or outdated online. We first ran into this when we attempted to scan our student IDs using the Adafruit shield: after multiple attempts and further research, we discovered that it could not read the protocol used by our student IDs (ISO 14443B). When we resorted to using the scanner with an Arduino hooked up, we found it difficult to reverse engineer the data being spit out by the RFID scanner, so we had to simplify our project. In one instance we were attempting to write bits onto the sample card(s) supplied with the Adafruit shield(s); the team member working on this accidentally overwrote an authorization byte and found that he no longer had write access to the bytes past it. One member attempted soldering for the first time and got it right after a few attempts. It was hard for all six team members to contribute technically (programming, hardware, etc.). Using git with three or four people pushing and pulling at once was also a challenge; merge conflicts arose and had to be resolved.
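The overwritten "authorization byte" is the classic way to lock yourself out of a sector on a writable test card. The following added example (not the team's code) assumes the Adafruit sample card is a MIFARE Classic card, whose 16-byte sector trailer holds Key A in bytes 0-5, three access-condition bytes in 6-8, one user byte in 9 and Key B in 10-15. The access bits are stored twice, once plain and once inverted: a trailer whose two copies disagree makes the card refuse all further access to that sector, and several consistent settings make the access bits themselves read-only for the life of the card. A check like this, run on the bytes about to be written, catches both cases before the write goes out.

```python
"""Sanity-check a MIFARE Classic sector trailer before writing it.

Added example, not the project's code. Assumes a MIFARE Classic card
(the card the Adafruit shield ships with is assumed to be one). Byte
layout and the access-condition table come from the public MIFARE
Classic datasheet.
"""

# Trailer-block access conditions indexed by (C1, C2, C3) of block 3,
# as (key A writable, access bits writable, key B writable).
# The factory ("transport") setting is (0, 0, 1).
TRAILER_CONDITIONS = {
    (0, 0, 0): (True, False, True),
    (0, 1, 0): (False, False, False),
    (1, 0, 0): (True, False, True),
    (1, 1, 0): (False, False, False),
    (0, 0, 1): (True, True, True),
    (0, 1, 1): (True, True, True),
    (1, 0, 1): (False, True, False),
    (1, 1, 1): (False, False, False),
}

# Factory trailer: Key A = FF..FF, access bytes FF 07 80, user byte 69,
# Key B = FF..FF. Constructed here from the documented default values.
TRANSPORT_TRAILER = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")


def decode_access_bits(trailer):
    """Return [(C1, C2, C3) for blocks 0..3] of the sector.

    Raises ValueError when the inverted copies of the bits do not match
    the plain copies, which is exactly the state that bricks a sector.
    """
    if len(trailer) != 16:
        raise ValueError("sector trailer must be 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    # Plain copies: C1 = high nibble of byte 7, C2 = low nibble of byte 8,
    # C3 = high nibble of byte 8. Bit i of each nibble belongs to block i.
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    # Inverted copies: ~C1 = low nibble of byte 6, ~C2 = high nibble of
    # byte 6, ~C3 = low nibble of byte 7.
    if ((b6 & 0x0F) != (~c1 & 0x0F)
            or (b6 >> 4) != (~c2 & 0x0F)
            or (b7 & 0x0F) != (~c3 & 0x0F)):
        raise ValueError("access bits inconsistent: writing this trailer "
                         "would lock the sector permanently")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def trailer_is_consistent(trailer):
    """True when the plain and inverted access-bit copies agree."""
    try:
        decode_access_bits(trailer)
    except ValueError:
        return False
    return True


def check_trailer(trailer):
    """Classify a consistent trailer before it is written.

    'irreversible' means that once this trailer is on the card, the
    access conditions of the sector can never be changed again.
    """
    bits = decode_access_bits(trailer)
    key_a_w, bits_w, key_b_w = TRAILER_CONDITIONS[bits[3]]
    return {
        "blocks": bits,
        "trailer_bits": bits[3],
        "key_a_writable": key_a_w,
        "access_bits_writable": bits_w,
        "key_b_writable": key_b_w,
        "irreversible": not bits_w,
    }


if __name__ == "__main__":
    print(check_trailer(TRANSPORT_TRAILER))
```

Run `check_trailer` on the exact bytes you intend to write (after merging in the keys), and refuse the write if it raises or reports `irreversible`, unless locking the sector is what you meant to do.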

Accomplishments that we're proud of:

We were able to read and decode card data past a certain point. Some of us learned hardware skills (soldering, connecting pins, etc.) on the spot. Others were able to write code in programming languages they don't normally get a chance to use (e.g. C/C++ for Arduino). One or two members furthered their research into and understanding of security-related topics they're passionate about. And the design and writing work, normally daunting to programmers, was undertaken and completed to a surprisingly high standard.

What we learned:

Some of us learned how to solder and work with hardware. Others learned web design skills (HTML/CSS). Some also learned more about web programming concepts like routing callbacks. All gained an appreciation for those who reverse engineer proprietary systems.

What's next:

Those members who are in the UMass PenTesting team want to continue this project to hack the UMass RFID system during their weekly meetings.

Built with:

In terms of hardware, we used an RFID scanner, an Arduino, a Raspberry Pi, an Adafruit NFC/RFID shield, and various chipped cards including UMass student IDs. On the software side, we programmed the Arduino in C/C++ and wrote the web server and the Arduino-to-web-server interface in Python/Flask.

Prizes we're going for:

HAVIT RGB Mechanical Keyboard

TBI Pro Gaming Headset

DragonBoard 410c

$100 Amazon Gift Cards

Raspberry Pis & PiHut Essential Kits

Grand Prize

Jetbrains Pro Software

Lutron Caseta Wireless Kit

Misfit Shine 2

Raspberry Pi Arcade Gaming Kit

Team Members

Nils Carlson, Jordan Chen, Michael Roffo, Jake Quilty, Aaron Terentiev, Nicholas Sichalov