Tastic RFID Thief -- The Journey


As a project for my wireless security course this past semester, I decided to try to build my own Tastic RFID Thief.  I had seen Francis Brown of Bishop Fox present this device at DEFCON in 2013, and while I had sufficient interest, I lacked the appropriate incentive to part with the cash needed to complete it--thankfully, my course provided that missing element.

The project was daunting, as my previous electronics experience had consisted primarily of putting batteries in things, blowing the dust out of the bottom of NES cartridges, and a failed attempt to solder a loose rear-defrost wire to the back window of a '93 Chevy Corsica.  So, to prepare, I acquired several of these traffic light kits with which to hone my solder-ninja skills and work towards eventual electronic sage-dom.

Stock image.  Actual implementations were significantly less elegant.

After struggling through a few complications (including initially having only a thick crafting solder to work with), I felt ready to begin work on the Tastic.

Some assembly required
I used several references to aid in the building process.  Primary among them, of course, was the Bishop Fox guide, which provided the Arduino code and the files needed to have the custom PCB manufactured.  Of significant help was Shubham Shah's guide, which detailed many of the steps necessary for the process.  Special mention should also go to Sopwith, whose own Tastic endeavor included a recommendation for OSH Park for PCB sourcing:  OSH Park was able to have three boards fabricated and delivered to me within 10 days of my having placed the order--and at a very reasonable cost.

They're so PURPLE!
I set to work soldering and managed to assemble most of the device without burning the board, components, or myself.  For this feat alone, I felt I had achieved something remarkable, regardless of whether or not it would actually work.

An ersatz "time-lapse" of components being added to the PCB
It's ALIVE!!!

Due to my novice skillset, I was apprehensive about semi-permanently soldering the Arduino Nano to the PCB; so, I made a small modification by adding female headers to create a socket for the Nano.  Doing this raised the overall profile, however, and required trimming the ICSP header pins to allow it to fit within the limited space available in the MaxiProx reader.  Speaking of the reader...

At the beginning of November, I had managed to win an auction for a used HID MaxiProx 5375AGN for around $200.  Per the tracking information, the item shipped from California on November 6th...



...but was apparently incapable of achieving the necessary escape velocity to break free from the infamous "black hole" USPS facility in Bell Gardens. I like to imagine it found a new use somewhere, like serving as a cheese tray or cutting board.

With Thanksgiving break and the subsequent last week of classes quickly approaching, I made the decision to purchase a brand new MaxiProx reader so that I could complete the project.  I was able to acquire one for approximately $350, and had it within two days.


Cue choir of angels
With this integral piece of hardware now in my possession, I completed the final assembly.  While the original design calls for cutting a hole in the cover for the LCD, I was wary of sawing through part of a new piece of equipment, and ended up leaving the LCD crammed uncomfortably inside the housing of the unit.

I performed an initial test of the reader by attempting to read some of the myriad proximity cards I had procured over the weeks leading up to the project. Imagine my absolute horror upon realizing that--although the reader was successfully detecting that a card was present--the data being captured was merely a long string of zeroes for every single card.

Somehow, I managed to prevent myself from succumbing to an anxiety attack or a deep, sudden fit of depression, and instead set to work troubleshooting.  I quickly determined that one of the wires running from the PCB to the interface on the reader was connected to the wrong terminal.  After a quick fix, all subsequent tests were successful.

That's more like it.
Later tests were performed with the assistance of group members from my wireless security class. The reader was placed into a shoulder bag, and attempts were made to capture HID tags of several different form factors (clamshell, thinline, keyfob) in various conditions.  Average read range for clamshell and thinline cards was around 19 - 20", with the keyfob range coming in at about half of that distance.

Now that I've proven to myself that I can build the thing, I really have no idea what to do with it.  I have thought of a few physical modifications I would make, but nothing that would really affect the purpose or functionality of the device.  Future entries may cover the possible modifications, as well as the custom countermeasure I developed to prevent a tag from being captured.

1 comment:

  1. I WOULD LIKE TO HAVE ALL INFORMATION AS ABLE TO BUILD A RFID THIEF THAT TAKES TWO BATTERIES CAN TRANSFER MONEY INTO MY ACCOUNT