RFID tags are supposed to be robust to situations such as a quick removal from the powering field when the user swipes a tag over a reader. In this talk, we describe the various physical effects that can happen when an EEPROM write or erase operation is interrupted, and we explain how to control these side effects to learn about the inner mechanisms of security features and to challenge them. We show how to defeat four types of security features on different tags: erasing OTP bits, recovering a locking password, unlocking a read-only UID and resetting a secure counter. We attack them successfully thanks to the different tools we developed, and we share these tools with the community to facilitate future research.
Philippe Teuwen (@doegox) is a Security Tech Leader at Quarkslab, happily sailing across the frontier between hardware and software. He has enabled new attack vectors and open-source tools, such as the adaptation of side-channel techniques to whitebox cryptography and this talk's topic, EEPROM tear-off attacks defeating various RFID security features. He is on the editorial team of the International Journal of PoC||GTFO and loves organizing hardware CTFs.
Christian Herrmann, a.k.a. "Iceman" (@herrmann1001), is a .NET developer with 17+ years of experience, a Certified MCPD Enterprise Architect, founder of IceSQL AB, RFID evangelist (major Proxmark3 contributor since 2013, forum admin on http://proxmark.org/) and co-founder of the RFID Research Group (co-designer of the Proxmark3 RDV4 and contributing developer of the Chameleon Mini).