Cracking HiTag2 Crypto - Weaponising Academic Attacks for Breaking and Entering

Explore the intricacies of cracking HiTag2 crypto in this 45-minute conference talk from 44CON 2017. Delve into the world of RFID technology as Kevin Sheldrake weaponizes academic attacks for breaking and entering. Learn about HiTag2's unique features, including 2-way authentication and encryption, and its widespread use in secure building access and car immobilizers. Discover the implementation of three attacks on RFIDler, based on the 2012 research by Verdult, Garcia, and Balasch. Understand the nonce replay attack that exploits integrity protection, allowing access to readable RFID tag pages without knowing the key. Gain insights into HiTag2 RFID functionality, encryption methods, and the challenges faced during implementation. Witness live demonstrations of weaponized attacks enabling tag cloning. Explore topics such as data modulation, encoding, HiTag2 password mode, crypto overview, encryption techniques, and various commands. Enhance your knowledge of RFID security and learn practical applications for ethical hacking and penetration testing.

Intro
Why copy 125KHz RFID tags?
Simple 125KHz RFID tag
How simple 125KHz RFID works
Data modulation and encoding
HiTag2 password mode
HiTag2 crypto overview Tag
HiTag2 encryption
Feedback function, LO
HiTag2 commands
Emulate reader START AUTH
Nonce replay attack
Find encrypted 'read po' command
Find one encrypted 'read' command
Find all encrypted 'read' commands
Flip 'page' bit
Read page data
New RFIDler commands
Demo
Tag cloning
Closing remarks