Red Team OTA: Physical Intrusion Systems

Part 1: RFID/NFC

In this part, we discover the RFID/NFC systems currently in use and ways to analyze but also to attack them with the Proxmark3 device.

Assignment 1: LF targets

• Identify the technology manually & automatically
• Decoding manually and automatically
• Useful tools

Assignment 2: HF MIFARE Classic

• Cracking sectors with known and unknown keys
• Analysis
• Automatic attacks

Assignment 3: HF MIFARE Classic

• Snooping
• Cracking keys offline
• Recovering all blocks

Assignment 4: HF MIFARE Ultralight

• Hotel room cases
• Cracking pages
• The different versions
• Mitigations and bypasses

Assignment 4: HF MIFARE DESFire

• Emulating ID
• Cracking weak keys
• Mitigations and some attacks

ICopy-X

Demonstration with the ICopy-X + comparisons.

Part 2: Bluetooth LE

During pentests or Red Team tests, we can face several physical intrusion systems using Bluetooth LE technology. In this part, we learn how to identify these systems, study the security level, and see our opportunities based on our previous analysis.

Assignment 1: Association

• Identifying targets
• Performing MITM on a basic device without security
• Analyzing the communication

Assignment 2: Injection

• Manipulation of exchanged data
• Injecting traffic

Assignment 3: Secured cases

• Cracking some secured communications
• Performing MITM
• Injecting data
• Rolling code hooking

Further attacks on BT5

• Scanning
• Challenges with BT5

Part 3: nRF

Sometimes it is just overkill to enter a room, especially when you can turn a legit mouse or keyboard into a bug. Here we study the case of significant nRF devices and see how we can attack them.

Assignment 1: Capture

• Scanning devices
• Capturing traffic
• Analyzing the traffic

Assignment 2: Injection

• Sniffing & Injecting keystrokes

Assignment 3: Secure devices

• Capturing exchanged AES keys to be reused
• Injecting traffic
• Further analysis

Part 4: Garage door remotes

When doors are challenging to intrude during the day, some openings exist when attacking garage doors. Therefore, this final part shows how to deal with current systems and have permanent access to intrude on a building from the parking place or any other scenarios.

Assignment 1: Analysis

• Identifying an interesting signal
• Demodulating, decoding, and analyzing it

Assignment 2: Replay attack

• Replaying unsecured commands
• Fuzzing button pushes

Assignment 3: Secure remotes

• Dealing with rolling code with various attacks
• Quick wins
• Intruding the garage door

De/resync attacks

• Weak implementations problems

The content of private trainings can be arranged depending on your needs. We also provide additional content as follows:

• Fuzzing the RFID or Bluetooth LE protocol stacks
• Hardware attacks in depth on Sub-GHz systems
• How to build implants
• etc.

• Knowledge of Linux administration
• Basics in programming (like Python, C/C++, Rust, etc.) is always a plus
• Understanding of pentesting (network and applications) or Red teaming is also a plus