Tim Neilen

My first flag! BSides Brisbane 2019 CTF - RFID

Category: IoT

Points: 250

Solves: 3

Story: This security gate controls access to a manager-only area of the office! One of the managers is very paranoid, so he has a script set up to rotate his keycard every 60 seconds.

Scope: You need to hijack a card to gain swipe access to the manager's area.

IoT Village: Access Control Nano and Reader

The table had a selection of various RFID / NFC cards, as well as Arduino Nano clones and RC522 proximity modules.

I was able to get the RC522 proximity module properly interfacing with the Nano clone after finding a handy pinout diagram on the Arduino Stack Exchange and the MFRC522 Arduino Library, which is maintained by miguelbalboa.

I performed some research into the NXP MIFARE Classic 1K cards, and after reviewing the datasheet I determined that byte 9 could have user data written to it. I tried reading a couple of the cards using the DumpInfo sketch, but couldn't find any useful data on them, or they were blank.

When scanning an invalid card against the reader to actuate the gate, it would give an Access Denied error and then show a timestamp. I figured that the timestamp needed to be written to the card, as it wasn't possible to change the serial number or other data outside the user data bytes.

I struggled for a good 30 minutes trying to write the timestamp data using the Arduino IDE and the example code. I almost conceded defeat but recalled that my phone (Samsung Galaxy S10) can read and write NFC, so as a last-ditch effort I downloaded NFC Tools from the Google Play Store.

Using NFC Tools I was able to read AND write data to the card easily, and most importantly quickly, as I only had 60 seconds between writing and reading the card.

After a few attempts to get the timestamp in the correct format and written to the card, I was able to open up the gate and now had my very first flag: flag{j98Ndgk7G3}
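To make the card layout and the 60-second window concrete, here is an added example (my own code, not the challenge's reader firmware or anything from the writeup) that models the MIFARE Classic 1K block map from the datasheet and a reader-side freshness check. The timestamp encoding (4-byte big-endian Unix time, zero-padded to a 16-byte block) is an assumption; the writeup does not say what format the real gate expected. It also shows why a value that anyone can write from a phone is no proof that a card is genuine.

```python
import struct

BLOCK_SIZE = 16          # every MIFARE Classic block is 16 bytes
BLOCKS_1K = 64           # Classic 1K: 16 sectors x 4 blocks
FRESHNESS_SECONDS = 60   # the challenge's keycard rotation window


def is_user_data_block(block: int) -> bool:
    """True for blocks that may hold application data on a Classic 1K.

    Block 0 is the manufacturer block (UID, read-only), and the last block
    of every 4-block sector is the sector trailer holding keys A/B and the
    access bits. Writing data there corrupts the sector's access control.
    """
    if not 0 <= block < BLOCKS_1K:
        raise ValueError("block out of range for a Classic 1K")
    return block != 0 and block % 4 != 3


def user_data_blocks() -> list:
    """All writable data blocks on a Classic 1K (47 blocks, 752 bytes)."""
    return [b for b in range(BLOCKS_1K) if is_user_data_block(b)]


def encode_timestamp(ts: int) -> bytes:
    """Assumed format: 4-byte big-endian Unix time, zero-padded to one block."""
    return struct.pack(">I", ts).ljust(BLOCK_SIZE, b"\x00")


def decode_timestamp(block: bytes) -> int:
    if len(block) != BLOCK_SIZE:
        raise ValueError("expected exactly one 16-byte block")
    return struct.unpack(">I", block[:4])[0]


def check_card(block: bytes, now: int, window: int = FRESHNESS_SECONDS) -> bool:
    """Reader-side check modelled on the challenge: accept only when the stored
    timestamp is no older than `window` seconds and not in the future.

    Note this only proves the writer knew the current time, not that the
    card was issued by the access control system; freshness is not
    authentication.
    """
    ts = decode_timestamp(block)
    return 0 <= now - ts <= window
```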

Thanks @coderPatros for the photo of the Access Control setup.