At Defcon 21 earlier this month ExploitHub and Rift Recon held #LOLBitcoin, a party at a two-story Sky Villa in the Palms Hotel. In order to get in, guests had to solve a multi-phase crypto challenge (walkthrough posted on the ExploitHub blog) or receive a VIP pass. Here Rift Recon engineer John Norman describes the setup we used for the party.
With 10 days to go before Blackhat, and an epic party planned at the Palms Hotel, we had a problem. Some of the key sponsors were still on the fence about doing the RFID-based party access system we’d proposed earlier. With the deadline fast approaching, our fearless leader decided it was time to just “go all in” on the project and asked if it was too late to roll out something amazing.
Fortunately, I had just completed a redesign of Open Access, an open-source security and RFID research platform. Open Access is a full-featured access control and security system, designed around a robust industrial controller project I had done earlier. The system features two standard RFID reader inputs, four 5 A relay outputs, five alarm-zone inputs, a real-time clock, and an optional direct connection to a Raspberry Pi Linux PC.
My new intern Melissa Dunn had just finished building and programming the first two prototypes of this open-source security system, and I got to work building it out into an awesome party system.
First, I modified the Open Access for Arduino code (http://code.google.com/p/open-access-control) to work with the new on-board micro and peripherals. I added logic that would allow two different classes of users to be logged and identified by the Raspberry Pi, via its on-board 3.3V UART serial connection.
Next, I wrote scripts for Raspberry Pi to do the following:
1. Automatically connect to the system and log to a file via minicom.
2. Display a “Welcome to the LOL Bitcoin” party logo when idle.
3. Tail the minicom log and search for successful access messages from either the “challenge” or “VIP” class of invites.
4. Display a graphic directly out the HDMI port of the Raspberry Pi for the appropriate class of badge.
5. Display a “No bitcoin for you!” graphic for an unidentified/unknown badge attempt.
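The Raspberry Pi side of steps 1 through 5 boils down to a small log follower: tail the minicom capture file, recognize access messages from the controller, map each to the "challenge", "VIP" or "unknown" graphic, and fall back to the idle logo. The following is an added example of that logic, not code from the Open Access project or from the party setup. The serial message format (`ACCESS GRANTED ... class=CHALLENGE`), the graphic file paths, and the use of `fbi` to paint the framebuffer are all assumptions made for the example; the sample log lines are constructed.

```python
import re
import shutil
import subprocess
import time

# Assumed controller message format (the real Open Access serial output is
# not shown in the post). Constructed examples of what the minicom capture
# file might contain:
SAMPLE_LOG = [
    "Welcome to minicom 2.6",
    "[2013-08-02 23:14:07] ACCESS GRANTED reader=1 card=0F00123456 class=CHALLENGE",
    "[2013-08-02 23:14:09] ACCESS GRANTED reader=1 card=0F0012345A class=VIP",
    "[2013-08-02 23:14:12] ACCESS DENIED reader=1 card=0F00999999",
    "[2013-08-02 23:14:13] ZONE 3 OK",
]

ACCESS_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+ACCESS\s+(?P<result>GRANTED|DENIED)"
    r"\s+reader=(?P<reader>\d+)\s+card=(?P<card>[0-9A-Fa-f]+)"
    r"(?:\s+class=(?P<cls>CHALLENGE|VIP))?\s*$"
)

# Assumed locations of the party graphics on the Pi.
GRAPHICS = {
    "idle": "/home/pi/lolbitcoin/welcome.png",
    "challenge": "/home/pi/lolbitcoin/challenge.png",
    "vip": "/home/pi/lolbitcoin/vip.png",
    "unknown": "/home/pi/lolbitcoin/no_bitcoin_for_you.png",
}


def classify(line):
    """Return 'challenge', 'vip' or 'unknown' for an access event, or None
    when the line is not an access event at all (banner, zone status, ...)."""
    m = ACCESS_RE.match(line.strip())
    if m is None:
        return None
    if m.group("result") != "GRANTED":
        return "unknown"
    cls = m.group("cls")
    if cls == "CHALLENGE":
        return "challenge"
    if cls == "VIP":
        return "vip"
    # Granted but with no recognized class: fail closed on the display side.
    return "unknown"


def graphics_for(lines):
    """Map a sequence of log lines to the graphics that should be shown,
    skipping lines that carry no access decision."""
    shown = []
    for line in lines:
        cls = classify(line)
        if cls is not None:
            shown.append(GRAPHICS[cls])
    return shown


def follow(path, poll=0.2):
    """Yield lines appended to `path` after we start, like `tail -f`."""
    with open(path, "r") as fh:
        fh.seek(0, 2)  # start at end of file; only react to new events
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


def show(graphic):
    """Paint a full-screen image on the HDMI framebuffer using fbi, if it is
    installed; otherwise just report what would be displayed."""
    if shutil.which("fbi"):
        subprocess.run(["fbi", "-T", "1", "-noverbose", "-a", graphic], check=False)
    else:
        print("display:", graphic)


def run(logfile, hold_seconds=5):
    """Main loop: idle logo until an access event, then the matching graphic
    for a few seconds, then back to the idle logo."""
    show(GRAPHICS["idle"])
    for line in follow(logfile):
        cls = classify(line)
        if cls is None:
            continue
        show(GRAPHICS[cls])
        time.sleep(hold_seconds)
        show(GRAPHICS["idle"])


if __name__ == "__main__":
    # Assumes minicom was started with `-C /home/pi/lolbitcoin/access.log`
    # so that everything from the controller's UART is captured to that file.
    run("/home/pi/lolbitcoin/access.log")
```

Because the regex anchors on the whole line and the "granted but unclassified" branch is treated as unknown, a partial or garbled serial line never produces a VIP or challenge graphic; the worst case is the "No bitcoin for you!" screen for a guest who then gets a second swipe.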
I programmed the card ranges for 500 EM-4102 class cards I had on hand. Since time was tight, I sent them directly to the Rift Recon team already in Vegas.
And finally, I packaged everything up into a bomb-proof Pelican 1050 case and made my way to Vegas.
End result: 400+ attendees, with zero failures. Regrettably, nobody tried to come in with a spoofed or cloned badge. I purposely chose an inexpensive, easy-to-clone badge for cost reasons, and to make it potentially hackable if someone put some effort into it.
What does it mean when a gathering of 10,000+ of the world’s best hackers doesn’t immediately hack this?
To me, it signals that while there is plenty of published research online on 125 kHz RFID hacking, there isn’t much out there in the way of a ready-made, “just works” solution. While it’s feasible to start a fire with a finely polished Coke can, many security researchers would rather buy an off-the-shelf Zippo lighter if they could.