1
00:00:06,760 --> 00:00:09,340
- [Instructor] NFC is built on RFID technology.

2
00:00:09,340 --> 00:00:11,140
One of the main differences

3
00:00:11,140 --> 00:00:14,910
is that NFC provides two-way wireless communication,

4
00:00:14,910 --> 00:00:18,910
and RFID, rather, is mostly one-way.

5
00:00:18,910 --> 00:00:20,780
As we discussed in lesson one,

6
00:00:20,780 --> 00:00:23,160
NFC is actually used on payment systems,

7
00:00:23,160 --> 00:00:26,280
and it's also used to bootstrap other wireless technologies.

8
00:00:26,280 --> 00:00:30,410
For example, it can help with Bluetooth pairing.

9
00:00:30,410 --> 00:00:33,030
It can also be used in badge readers

10
00:00:33,030 --> 00:00:36,096
to provide an identity card, for example,

11
00:00:36,096 --> 00:00:39,080
or an access token, to allow you into a building

12
00:00:39,080 --> 00:00:42,020
or to use a computer or an application.

13
00:00:42,020 --> 00:00:43,460
Some of the security concerns

14
00:00:43,460 --> 00:00:46,990
with NFC are basically similar to RFID.

15
00:00:46,990 --> 00:00:49,557
So you can perform frequency jamming

16
00:00:49,557 --> 00:00:52,060
for denial-of-service attacks,

17
00:00:52,060 --> 00:00:55,860
or you can also perform relay or replay attacks,

18
00:00:55,860 --> 00:00:58,290
in the case of man-in-the-middle scenarios.

19
00:00:58,290 --> 00:01:01,931
And especially, if somebody actually has gained access

20
00:01:01,931 --> 00:01:03,360
to unencrypted data.

21
00:01:03,360 --> 00:01:06,230
Of course, there's also the potential of theft,

22
00:01:06,230 --> 00:01:08,960
or if your phone or your badge is actually lost.

23
00:01:08,960 --> 00:01:11,560
All that is actually possible.

24
00:01:11,560 --> 00:01:14,990
Now, NFC attacks are a little bit more difficult to execute

25
00:01:14,990 --> 00:01:18,100
than the traditional attacks that you learn in this course

26
00:01:18,100 --> 00:01:20,844
and in the first course of this series.

27
00:01:20,844 --> 00:01:22,310
So this is because you have to be

28
00:01:22,310 --> 00:01:25,360
in close proximity to your victim.

29
00:01:25,360 --> 00:01:27,580
However, they're still definitely possible.

30
00:01:27,580 --> 00:01:31,870
So for example, what if you actually attack a controller?

31
00:01:31,870 --> 00:01:35,130
So an NFC controller or an RFID controller.

32
00:01:35,130 --> 00:01:37,020
Well, controllers should not be accessible

33
00:01:37,020 --> 00:01:40,900
through the internet, and you should practice segmentation

34
00:01:40,900 --> 00:01:44,870
in your organization, but many folks leave them out there.

35
00:01:44,870 --> 00:01:49,250
And also, they're using unsecured protocols like Telnet.

36
00:01:49,250 --> 00:01:51,590
So if you actually do a quick Shodan search

37
00:01:51,590 --> 00:01:53,720
for a controller that is fairly popular,

38
00:01:53,720 --> 00:01:54,820
it's called Vertex.

39
00:01:54,820 --> 00:01:56,890
So you will actually see dozens

40
00:01:56,890 --> 00:02:00,440
of these controllers exposed on the internet.

41
00:02:00,440 --> 00:02:02,540
Now let's take a look at another example.

42
00:02:02,540 --> 00:02:06,140
So a security researcher called Bishop Fox

43
00:02:06,140 --> 00:02:10,610
created a tool called the Tastic RFID Thief.

44
00:02:10,610 --> 00:02:12,840
And this is actually a silent, long-range

45
00:02:12,840 --> 00:02:16,220
RFID and NFC reader that can actually steal

46
00:02:16,220 --> 00:02:20,240
the proximity badge information from an unsuspecting employee

47
00:02:20,240 --> 00:02:22,790
as they actually physically walk near

48
00:02:22,790 --> 00:02:25,970
the actual concealed device, so near this tool.

49
00:02:25,970 --> 00:02:30,750
Specifically, it is actually targeting the 125 kilohertz

50
00:02:30,750 --> 00:02:35,750
low-frequency RFID badge systems used for physical security.

51
00:02:35,840 --> 00:02:40,336
You can even use this tool to weaponize the 13.56 megahertz,

52
00:02:40,336 --> 00:02:44,584
which is actually a high-frequency NFC RFID reader.

53
00:02:44,584 --> 00:02:49,584
Like those for HID iCLASS access control systems.

54
00:02:50,060 --> 00:02:52,840
Now his goal was actually to make it easier

55
00:02:52,840 --> 00:02:55,910
for security professionals and pen testers

56
00:02:55,910 --> 00:02:57,390
to actually recreate these tools,

57
00:02:57,390 --> 00:02:59,190
so it's completely open source,

58
00:02:59,190 --> 00:03:02,060
so that they can actually perform RFID and NFC

59
00:03:02,060 --> 00:03:04,110
physical penetration testing.

60
00:03:04,110 --> 00:03:06,130
He actually has detailed information

61
00:03:06,130 --> 00:03:08,970
about how you can actually build one of these tools

62
00:03:08,970 --> 00:03:10,300
at his website,

63
00:03:10,300 --> 00:03:12,900
at the link that I'm actually showing on the screen.