
Zigfrid – A Passive RFID Fuzzer - wolframio
https://z4ziggy.wordpress.com/2017/07/21/zigfrid-a-passive-rfid-fuzzer/
======
IshKebab
Somehow this post skips an explanation of what it actually does. It's a
passive RFID tag that sends 40 bits of data (5 bytes). The bits are changed in
sequence. More of a brute force attack than a fuzzer.

~~~
geekuillaume
From the comments in the source, the code needs 20 clock cycles to send a new
tag; it's running at 125 kHz and each tag is 40 bits long. How can this device
brute-force the tag at this rate? Won't it be extremely slow compared to the
number of possible tags?

~~~
TheSoftwareGuy
Well, let's do the math.

125 kHz * 2 bits/cycle = 250 bits/sec

A 2^40 bit string has 1099511627776 combinations, and would require
1099511627776 * 40 = 43980465111040 bits to be sent to try all of them. That
would take 43980465111040/250 seconds, or about 5575 years.

And that's under ideal "spherical object in a vacuum" conditions.

So yeah, you're right, unless they get lucky.

~~~
thatsso1999
I believe your math is off by a factor of 1000.

125kHz = 125,000 cycles/sec * 2 bits/cycle = 250,000 bits/sec

250,000 bits/sec / 40 bits/code = 6250 codes/sec

2^40 = 1,099,511,627,776 possible codes / 6250 codes/sec ~= 175,921,860 sec ~=
5.578 years

While this is still an extremely long time for the worst case, by the looks of
other comments, as well as the author's video, it appears extremely doubtful
that most RFID readers have anywhere near 40 bits of security - and it takes
about 10 seconds (65536/6250) for the fuzzer to brute force all codes 16 bits
or less.

~~~
TheSoftwareGuy
Shoot you're right, it's kHz not Hz haha I'll update my comment.

------
contingencies
I found the following interesting.

_Using a certain capacitor combo might initiate a DoS attack on the reader
which will prevent legitimate tags from being read correctly after placing it
against a reader only once. A hard reset to the reader will be required to
resume work. Just FYI._

Seems like a cute way to create a diversionary scene or frustrate physical
security personnel in physical pen testing.

------
keyme
Why bruteforce when you can just passively listen for a working code (once
someone else uses their card)?

40 bits of brute force at 125 kHz, with every code being 40 bits long, results
in 3125 codes/sec at best, thus it will take roughly 11 years.

~~~
Goopplesoft
They include a video of a parking garage being opened after just a few
iterations. The code used in commercial applications could often be lower bits
given criminal prosecution is a larger deterrent than code security. Although,
OP may have set a specific range for that demo.

------
ivanbakel
Wonder if there's some sort of low-power hardware-easy problem you could use
to reduce the request rate for individuals, instead of just shutting the
device down when it detects a brute-force attempt. Seems to me that having
hardware that breaks inconspicuously means you can't leave it as unmanned as
you'd want to.

~~~
joshvm
With these kinds of systems (like a parking meter) you could add a 2-3 second
delay between each attempt. Most people wouldn't notice the slowdown, but it
would make brute forcing so slow that it would be useless in the field. This
also works for things like logins on websites, where the time taken to
authenticate can be a second or two without annoying the user (vs loading a
page, which should be instant).

There is absolutely no reason why anything RFID controlled, like a door
mechanism, should allow key entries at full speed (3k keys/sec someone
posted).
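
As an added illustration of the arithmetic in this thread (not code from the Zigfrid project or from any commenter), the model below computes worst-case exhaustive-search time for the thread's figures (125 kHz carrier, 2 bits per cycle, 40-bit IDs) and then shows what a per-attempt lockout delay on the reader does to a 16-bit effective space. The reader parameters and the `lockout_delay_s` behaviour are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

SECONDS_PER_YEAR = 365 * 86400  # 365-day year, matching the thread's arithmetic


@dataclass(frozen=True)
class ReaderModel:
    """Timing model for an exhaustive search of a fixed-length ID space.

    Assumed parameters (constructed for this example): the reader evaluates one
    ID per transmission and, if ``lockout_delay_s`` > 0, refuses to evaluate
    another ID until that many seconds have passed since the previous attempt.
    """
    carrier_hz: float = 125_000      # LF RFID carrier, as in the thread
    bits_per_cycle: float = 2        # modulation assumption taken from the thread
    code_bits: int = 40              # nominal ID length in bits
    lockout_delay_s: float = 0.0     # per-attempt delay imposed by the reader

    def seconds_per_attempt(self) -> float:
        # Air time for one ID plus whatever wait the reader enforces.
        air_time = self.code_bits / (self.carrier_hz * self.bits_per_cycle)
        return air_time + self.lockout_delay_s

    def attempts_per_second(self) -> float:
        return 1.0 / self.seconds_per_attempt()

    def worst_case_seconds(self, effective_bits: Optional[int] = None) -> float:
        """Time to try every ID; ``effective_bits`` models a reader that only
        uses part of the nominal code length."""
        bits = self.code_bits if effective_bits is None else effective_bits
        return (2 ** bits) * self.seconds_per_attempt()


def compare_lockout(effective_bits: int, delay_s: float) -> dict:
    """Worst-case search time, in hours, without and with a per-attempt lockout."""
    fast = ReaderModel()
    slow = ReaderModel(lockout_delay_s=delay_s)
    return {
        "no_lockout_hours": fast.worst_case_seconds(effective_bits) / 3600,
        "lockout_hours": slow.worst_case_seconds(effective_bits) / 3600,
    }


if __name__ == "__main__":
    m = ReaderModel()
    print(f"{m.attempts_per_second():.0f} IDs/s at full speed")
    print(f"16-bit space: {m.worst_case_seconds(16):.1f} s")
    print(f"40-bit space: {m.worst_case_seconds() / SECONDS_PER_YEAR:.3f} years")
    print(compare_lockout(16, 2.0))
```

At full speed a 16-bit space falls in about 10 seconds; a 2-second lockout per attempt stretches the same search past 36 hours.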

~~~
ynezz
It's usually easier and faster to sniff the communication between the MCU and
the reader (UART, I2C, SPI, USB); in some cases you have to dump the MCU's
flash or EEPROM to get an idea of the keying scheme used in a particular
product range.

------
Goopplesoft
This made me wonder if iOS 11's CoreNFC API can be used in similar ways. It
would be cool to consolidate my tags (building and office) if they speak NFC.

~~~
ynezz
You can do this with some cards/tags with a rooted Android phone (some tweaks
are needed in the NFC subsystem) with certain NFC chipsets. It needs to be a
card with broken crypto (Mifare) so you can obtain the password and then copy
the complete card's content. The door reader shouldn't rely on the card's UID
(unique serial number) as this can't be spoofed; the chipsets don't allow
this.

I don't waste time with closed systems, so I can't comment directly on iOS
capabilities, but I would guess that it's going to be almost impossible to
make it work in such a locked-down iOS world.

~~~
aspenmayer
What Android versions/handsets/tweaks/etc do you recommend for NFC work?

