That's right, you could win an ESPKey or a clear RFID badge from Red Team Alliance. Plus, we're extending last week's Miracle Fruit Tablets giveaway another week! Be one of 10 lucky winners to get an ESPKey, clear RFID badge, or set of Miracle Fruit tablets by entering this week's free giveaway now at gimme.scamstuff.com (no purchase necessary, giveaway ends 2/6/2020)
@@dafoex ? I don't understand your comment. Who are "we"? How do "we" fall flat on our faces? Who are the people "that could help fix things"? OOP is incredibly easy to learn, so anyone willing to put in a bit of time can fix the open source software. I'm not trying to be rude, I am genuinely curious.
@@buddergolem9463not in the case of Android or any mainstream open source project. only problem is people who refuse to Google, refuse to use their brain and create spam aka low-effort posts asking what they could easily solve with one google.
It's also worth mentioning that those are rarely used in practice. As a security integrator, I can say my experience is that I may install 1 out of a 100. That is because it is more expensive and the sales guys like to sell the cheaper systems so they can upcharge and pocket the rest.
And then of course, if they install REX Motions then forget about security. Give me a can of compressed air and I'm in. Security is only as good as your weakest link.
@@brwa5176you must work for a higher end establishment then in my installation experience this is not the case. Either way I’m sure there are ways to defeat it
I love the very strong attempt to provide an “everyday” reason to know all this throughout the channel. On the contrary there is also a successful attempt to scare me and yourselves. Keep up the power moves.
Knowing how to do it is literaly the only way to know how to stop it in the security bis not that i have a legit reason to know i just dont want to call a smith to break into my own car or house i also like to help my friends and coworkers out too when im there
Kevin D I’ve been looking for tabletop RPGs with a sci-fi setting but have been unsuccessful. What do you play? I love D&D but I love cyberpunk dystopia more.
I can imagine someone entering a building illegally and got caught. Police: "where did you learn how to do this?" Perp: " Because I'm a MODERN ROGUEEEE!!!"
So, for the last couple years, I've been having a bunch of fun watching Modern Rogue, InRange TV, and Deviant's talks at various conventions. And now within a month or two, Deviant shows up on MR and InRange! It's like finding out your cool friends actually know each other and get along, it's friggin' awesome!
RFID is a lot more secure nowadays, yes a few places still use easily cloneable cards, but most use some form of encryption and a a nonce (random number) to verify that both the card and the reader are not spoofing. If you try to copy a card, and you don’t know the encryption key, the card will refuse to send data. The skimmer is still an issue as far as I’m aware, but you still won’t be able to make a card if you do t know the encryption.
Yes and No. If you check out Deviant Ollam's channel, one of his talks he did mentioned that even the more secure systems, most of the time the readers also have a Prox system in-place and enabled as a built in backup. So while you may not be able to spoof at higher end card, you can still fool the sensor in other ways to trigger a door open.
You also run into circumstances where an organisation doesn't control the whole building so while they have whizz bang encryption in their readers and protocols on the wire to the controller, they do dumb stuff like make building lifts with it's legacy system part of their security framework. Hell, I've seen the "break glass" emergency switches mounted *in* the public lobby area because the only way to get to the emergency stairs is through that door - rather than building a path that didn't require basically disabling security.
As a security integrator myself, I will have to say that in my experience, the sales guys are still selling the unencrypted HID Prox readers. In fact, it is rare when I install anything encrypted. I have the Proxmark 3 and use it to clone company cards when I'm at a company that doesn't have a guest badge for IT vendors. I've cloned my own cards to transfer them to keyfobs instead so I don't have to carry my badge everywhere I go. Instead, it's right there on my keychain.
@@freman In many places it's actually part of the fire code. Nothing they can do about it. I just did an office recently that wanted to have a fail secure crash bar on the stairwell door but fire code says it must be fail-safe so if the fire alarms go off then the doors unlock. This way the fire department can access the floor from the stairwell. It's fail-safe so that way if the power fails it will also be unlocked. The owner didn't like it but there was nothing he could do about it due to the fire code.
I work with this in Sweden and this is widely known in the security industry, I would love to see them explain with mifare which is the by far most used one in new/renovationer building. Possibly go into differences in mif/ mig lite and mif 4K.
I'd actually thought about this for some time, since I do work for an airport as a baggage handler. And to know it would be that easy for somebody to break into an airport using tools like this is just amazing to me.
More credit cards than door access cards. Credit cards have a wee bit more security built in. Especially on the payment terminal. The lost mythbusters episode on that covered how easy it is to duplicate credit cards and do it from a distance. Chip and pin still remains the most secure but the danger of old RFID credit cards was the credit card number wasn't encrypted! This ment you could steal credit card numbers from wallets without touching them, hence all the RFID protection wallets have these days... Oh passports were also vulnerable to this.
@@RookDarkFox it is. Adam savage was doing some appearance at a convention irrc, and he said they were going to do a show on how vulnerable the chips are, but they decided not to due to legal reasons.
@@user-lw8jk6nv7l Like Phil says, wireless credit cards, and chips aren't just static data being shouted out, which can then be copied. There's a cryptographic challenge and response process, which prevents straight up copying of the card as shown in this video, as the card's secret is never revealed directly. There are other vulnerabilities that are a lot more difficult to exploit, but it's not nearly as easy as copying an access card.
I've been reading quite a few comments saying how newer cards are encrypted (chap smart cards). I work on large industrial and government systems almost daily and can tell you the number and types of things that are still 'secured' by the lowest level cards (26 bit) is scary. I have literally cloned a card in front of a security director of a weapons lab with one of those eBay blue guns and it still took them over a year to upgrade because the way government financing works.
Industry polling say that 26-bit, standard Weigand is still the majority of installations in the US. Some companies have moved to 'smart' cards (13.56MHz) but it is far, far lower conversion rate than you would hope/expect. These techniques will get you in most places today. When security people show this to C-Level executives they freak out, initially. Then, they ask how much will it cost to replace all the readers and rebadge every employee and they quickly sweep it under the rug. Trust me, rebadging hundreds, thousands, tens of thousands of employees for a changeover is a logistical nightmare.
@@thezfunk I wish I could tell you what I do, it is super scary the number of facilities in the US that are using ancient access technologies. A lot of the US is actually about a decade or more behind most of the rest of the world. I have stories.
haha i used to work for a non-union automobile company, they used RFID badge readers outside the building to get in. i always thought about doing this given how easy it was, but i couldn't risk my job in that period of my life.
my god I LOVE this! it's so interesting to learn about, I'd love to see more of this pen testing strategies and absolutely demolishing the sense of security I have of buildings
Check out Deviant's channel, hes got hours of to talks on how to beat locks, doors, access control systems, elevators, and how these all get applied to pen testing.
The more interesting aspect of this video is related to what information you can get from bugging the readers. Cloning cards and replay attacks are only going to work against systems that aren't using cryptographic access cards
Not gonna lie. I like this video just for the ad. I don't know anything about that specific company but i have always wanted that type of business to exist. Great video still.
I imagine that after destroying so many sources of "security", Jason begins scheming to destroy the sponsors of thier videos because they produce "security" and Murphy holds Jason back.
I plan on doing that at school. I’m trying to find out the frequency that they use in their fobs, then I’m just gonna purchase one, strip it down, and put it in a sonic
Company: "dang, that DeviantOllam fellow decoded our top master key, better install prox cards!" The following week: "Now he's got everyone's card code and is randomly badging in as other people! We have to stop him!" Deviant: /hides in elevator/
In Australia JayCar sells an RFID cloning "educational kit" that was capable of so much more than just RFID for just $30AUD and that's in a local store. It's very close to performing most of the features of the more expensive unit displayed here
Couple years ago, the Dutch transit system used RFID card for opening gates/ credit. But with some cheap read/writer u could add "money" and travel for free.
The ESP key that they use is the ESP chip loaded with custom firmware and additional hardware that automatically strips the wires when you press them into the slots on the chip. I'm not saying it's not pricey, but they're not just reselling it for a $75 markup.
The US was actually first to get Apple Pay, which is leaps and bounds ahead of Chip an PIN (I finally have it where I live and use it wherever I get the oppertunity). Yes mag stripe is a joke, it's like he said, you may as well have your bank account written on a bit of paper. The banks here moved from MIFARE Classic (compromised 9 years ago) to MIFARE Plus (a bandaid patch to the Classic technology) a couple of year ago, better, but nothing compaired to Apple Pay and Google Wallet. Banks suck at security.
@@NZSpides again, US BANKING is 20 years behind (like it is a real thing) a branded (in this case apple) solution does not somehow make it a leap forward all the tech was already there (so much so, that apply talked to companies, and worked with them in bringing banking tech (again, already in use, and for many many many years before hand) into a form that made it easier the tech apple uses is 20+ years (in the sense of what is making the payment) face ID, or fingerprint, or pin, thats what you enter into the phone (the phone at that point is handling security, so the payment device, that is really the only difference, and again, isn't new)
Jeremy Sims I was referring to the point that every transaction with your account is unique. The actual technology after that hasn’t changed in years. Banks use insurance to cover the fraudulent transaction which helps them but screws the user that has to go change all their account info for payment sites.
I love how the WiFi network from the creds skimmer is called "Eve's Android". It looks inconspicuous because a random hotspot could be on, and its called "Eve" as in "Eavesdroper".
With a proper smartcard you may implement a full PKI with certification checks on the cards and a crypto-tunnel for every component. It was be done with some goverment ID-Cards for the public. A crypto-RFID-reader with full certification isn't cheap and you should have some security for the goverment issued usage certificates. Nowdays only the police some big companies uses this as it failed in implementation. My bank tested it 4 years for online banking. (Now there are forced implementation for lawyers, doc's and debt collection company).
knowing is a fraction of the goal. Its like me sayin I know how to shoot like Micheal Jordan. or I could be like Kobe and Study and apply and be a legend 5X Champ #RipKobe24
If you pick me I'd be thrilled I've watched your videos since scam school I work at a hotel in maintenance and I'd love to show my boss all of our flaws in our systems 😉 love all the red team alliance and modern rogue vids
How to stop a card cloner from cloning your card: 1) Get something to block the RFID. (passive) 2) Card Companies... install a momentary on/switch into the card. (active) - Literally just a pressable microswitch, something like a flat indent you press your finger into, that closes the circuit in the RFID circuit in the card, and BAM, allows the RFID circuit to function.
They could still clone it if they pressed that switch though, or if they hid their reader somewhere near the legit reader. The encrypted way is better because it allows the public to use their cards in the same way, and it makes them pretty much unspoofable.
@@GameCyborgCh try austria, people get angry when you try and talk them into using cards instead of cash. EU is trying to remove 1 and 2 (euro-)cent coins since they are basically worthless... some people here are VERY opinionated on that idea
The first debit cards and atm machines like many other tech are actually tested in Australia because of our laid back attitude to technology and change.Google devices first tested in Australia.
So... I know of BSL3 laboratories that use rfid tech for access and they're working with anthrax....... Being afraid is the appropriate reaction. Also "look like you belong" is the best advice for pen testing.
Didn't watch the entire video yet, but RFID is a pretty generic term and a lot of RFID systems (such as the one on payment cards) can literally not mathematically be cloned. My knowledge of access control systems is far more limited, but as far as I know some of them are the old 'number on a card' approach, but definitely not all.
@@DavidMulderOne it's the one he says "Oh the light bar? That's" and he names it and says it can be cloned. Honestly though the bigger security measure is all the cameras and the relatively small staff. People know who's supposed to be there and who isn't. Also the on sight 24/7 FBI agent is pretty good too.
This kind of thing really scares me. I'm not sure I can support this video with algorithmic comment boosting... Drat! How can I be critical of the content via an attached forum without actually increasing the video's electronic footprint?! I can't!! You win again, Modern Rogue, but there will be a next time!
0,74 € on aliexpress... maybe he wanted to say "80 cents" instead of "80 bucks"? but this thing looks like a really nice toy for all sorts of projects, didn't know that this stuff got THAT cheap, definitely on my wishlist now!
Don't forget, am radios can operate without power. Turning on via the radio wave, then, instead of transmitting a pass code, turns on a small speaker/earpiece, to listen to the broadcast.
there is RIFD writers/readers available on Google play store... and phone can be used for broadcast that copies id or used to write on external chip I tested it to copy "key" to laundry room of my apartment building.. on external RIFD chip
43 years making my living as a geek. the guy on the right - burgundy shirt - is a type. there is one in every lab. same beard, same voice, same delivery. typically named Howard.
Don't know about the US, but in Germany security systems usually use temper protection. No chance you unscrew an access control panel without causing an alarm. I'd expect a more low key method like an additional cover which could be produced using flexible PCBs with black mask
Just continued to watch. What? 95% of systems don't use tamper protection in the US?!?! So basically nobody knows how to build security systems over there? And temper protection is usually done by a single push switch instead of vulnarable magnet sensors. 100% reliable and older than LEDs and ICs themselves. Again, don't know about the US but I just can't imagine all of you being so incompetent...
Two things. 1) I am a little disappointed Ollam didn't show off the rfid implant he has in his hand. Its like real life freakin magic. 2) RFID is used in a variety of playing cards (specifically casinos and televised poker tournaments) to be able to see what cards players have without having to have a table cam show what cards a player is holding.
The ESP chip is $5 but the ESP Key module that they use has the firmware already loaded, and it has special hardware to automatically strip the wires and connect to them when you shove them into the little slots on the chip.
![You’re Probably Not Red Teaming... And Usually I’m Not, Either [SANS ICS 2018]](http://i.ytimg.com/vi/mj2iSdBw4-0/mqdefault.jpg)
That's right, you could win an ESPKey or a clear RFID badge from Red Team Alliance. Plus, we're extending last week's Miracle Fruit Tablets giveaway another week! Be one of 10 lucky winners to get an ESPKey, clear RFID badge, or set of Miracle Fruit tablets by entering this week's free giveaway now at gimme.scamstuff.com (no purchase necessary, giveaway ends 2/6/2020)
I'm the winner. Fact.
@@gaijinexec probably never :p
I’m 90% sure the modern rouge is just Brian and Jason planning a super elaborate heist
I want.
Dude I had no idea sounds awesome though! :D Love the show!
6:25 "It's open source man. If it doesn't work you can just fix it". The perfect argument!
I love open source, but of course the people that could help fix things and don't are where we all fall flat on our faces.
@@dafoex ? I don't understand your comment. Who are "we"? How do "we" fall flat on our faces?
Who are the people "that could help fix things"? OOP is incredibly easy to learn, so anyone willing to put in a bit of time can fix the open source software.
I'm not trying to be rude, I am genuinely curious.
@@trones9204 he means instead of using the knowledge to fix it they use it to exploit the issue for their benefit
@@buddergolem9463not in the case of Android or any mainstream open source project. only problem is people who refuse to Google, refuse to use their brain and create spam aka low-effort posts asking what they could easily solve with one google.
It's worth mentioning that the more expensive RFID tags use an active challenge-response system, where the number broadcast is different every time.
It's also worth mentioning that those are rarely used in practice. As a security integrator, I can say my experience is that I may install 1 out of a 100. That is because it is more expensive and the sales guys like to sell the cheaper systems so they can upcharge and pocket the rest.
And then of course, if they install REX Motions then forget about security. Give me a can of compressed air and I'm in. Security is only as good as your weakest link.
@@BLavins all the readers I'm familiar with use this challenge response approach.
@@brwa5176I challenge this and expect a response
@@brwa5176you must work for a higher end establishment then in my installation experience this is not the case. Either way I’m sure there are ways to defeat it
I love the very strong attempt to provide an “everyday” reason to know all this throughout the channel.
On the contrary there is also a successful attempt to scare me and yourselves.
Keep up the power moves.
@@tenchraven That sounds awesome and I wish I could be your player. No homo
It's helps inform people of vulnerabilities in THEIR own security
Knowing how to do it is literaly the only way to know how to stop it in the security bis not that i have a legit reason to know i just dont want to call a smith to break into my own car or house i also like to help my friends and coworkers out too when im there
Kevin D I’ve been looking for tabletop RPGs with a sci-fi setting but have been unsuccessful. What do you play? I love D&D but I love cyberpunk dystopia more.
Babak Javadi's glasses look like they were added in post.
I thought the same thing. They look like a snapchat filter
I think that is the point of them they look cool.
Yeah it looks pretty cool.
@@jimmyat my other thought is they may be anti face reconization.
If anyone knows the brand of those glasses, please post it. They look freaking awesome.
I'm really enjoying the newer security/privacy based videos you guys are doing.
I can imagine someone entering a building illegally and got caught.
Police: "where did you learn how to do this?"
Perp: " Because I'm a MODERN ROGUEEEE!!!"
That will be a legendary police video
Prep?
Then you yell 'GO AWAY COP GUYS' and slam a flash bang into the ground before running away.
@@AG.Floats oops is supposed to be perp short of perpetrator. But autocorrect...
@@AG.Floatsa perp is a suspected criminal like a suspect
Honestly, the episodes with these guys are great. Both in terms of content and subject but also in terms of presentation
These new modern rouge episodes have been A+, really great seeing this channel grow.
Hey Brian and Jason! Proudly been watching for nearly 10 years now. Much love and respect!
wow! Thanks so much, man!
So, for the last couple years, I've been having a bunch of fun watching Modern Rogue, InRange TV, and Deviant's talks at various conventions. And now within a month or two, Deviant shows up on MR and InRange! It's like finding out your cool friends actually know each other and get along, it's friggin' awesome!
1:39 the glasses looked like they where edited on
Thought i was the only one
True
dude has snapchat filter glasses
Yeah It was big trippy first like 2 minutes I just stared! Like wait, what?
Came here to say this. Ten Points.
"There are different things to put in different places."
-Babak
As someone getting into cybersecurity, these episodes are amazing.
If you're into cyber security, then you should have read about this years ago.... this is way old news
@@NZSpides Everyone progresses at a different pace, with different starting points, end goals, and starts at a different time in their life.
RFID is a lot more secure nowadays, yes a few places still use easily cloneable cards, but most use some form of encryption and a a nonce (random number) to verify that both the card and the reader are not spoofing. If you try to copy a card, and you don’t know the encryption key, the card will refuse to send data.
The skimmer is still an issue as far as I’m aware, but you still won’t be able to make a card if you do t know the encryption.
thats my understanding as well.
Yes and No. If you check out Deviant Ollam's channel, one of his talks he did mentioned that even the more secure systems, most of the time the readers also have a Prox system in-place and enabled as a built in backup. So while you may not be able to spoof at higher end card, you can still fool the sensor in other ways to trigger a door open.
You also run into circumstances where an organisation doesn't control the whole building so while they have whizz bang encryption in their readers and protocols on the wire to the controller, they do dumb stuff like make building lifts with it's legacy system part of their security framework.
Hell, I've seen the "break glass" emergency switches mounted *in* the public lobby area because the only way to get to the emergency stairs is through that door - rather than building a path that didn't require basically disabling security.
As a security integrator myself, I will have to say that in my experience, the sales guys are still selling the unencrypted HID Prox readers. In fact, it is rare when I install anything encrypted. I have the Proxmark 3 and use it to clone company cards when I'm at a company that doesn't have a guest badge for IT vendors. I've cloned my own cards to transfer them to keyfobs instead so I don't have to carry my badge everywhere I go. Instead, it's right there on my keychain.
@@freman In many places it's actually part of the fire code. Nothing they can do about it. I just did an office recently that wanted to have a fail secure crash bar on the stairwell door but fire code says it must be fail-safe so if the fire alarms go off then the doors unlock. This way the fire department can access the floor from the stairwell. It's fail-safe so that way if the power fails it will also be unlocked. The owner didn't like it but there was nothing he could do about it due to the fire code.
When you already know, but watches it anyway since it's the best collab ever.
I work with this in Sweden and this is widely known in the security industry, I would love to see them explain with mifare which is the by far most used one in new/renovationer building. Possibly go into differences in mif/ mig lite and mif 4K.
I'd actually thought about this for some time, since I do work for an airport as a baggage handler. And to know it would be that easy for somebody to break into an airport using tools like this is just amazing to me.
This is essentially the lost mythbusters episode that adam savage talked about.
Not really. Tap to pay has a little more smarts than simple access cards, and aren't vulnerable to the types of attacks in this video.
More credit cards than door access cards.
Credit cards have a wee bit more security built in. Especially on the payment terminal.
The lost mythbusters episode on that covered how easy it is to duplicate credit cards and do it from a distance.
Chip and pin still remains the most secure but the danger of old RFID credit cards was the credit card number wasn't encrypted! This ment you could steal credit card numbers from wallets without touching them, hence all the RFID protection wallets have these days...
Oh passports were also vulnerable to this.
@@RookDarkFox it is. Adam savage was doing some appearance at a convention irrc, and he said they were going to do a show on how vulnerable the chips are, but they decided not to due to legal reasons.
well, the "legal reasons" were: "Credit card companies threatened to stop buying advertisements at discovery channel"
@@user-lw8jk6nv7l Like Phil says, wireless credit cards, and chips aren't just static data being shouted out, which can then be copied. There's a cryptographic challenge and response process, which prevents straight up copying of the card as shown in this video, as the card's secret is never revealed directly. There are other vulnerabilities that are a lot more difficult to exploit, but it's not nearly as easy as copying an access card.
I was kind of hoping that Deviant would use the back of his hand to open the lock.
Oh yeah he's got a chip
Thats coming, they covered implants while they were there
@@screwball69 It would just have been the perfect moment right now to make jason and bryan just flip their shit.
@@Volvary Agreed
Deviant Olaf, cyber-intrusion agent.
Look up Deviant Ollam's defcon talks they're really good
this was one of the exciting videos I ever seen, I loved the instructors and the interviewers. Thank you sm!
When the modern rogue posts a video... while I’m watching a modern rogue video
Edit: I do appear to have spelt Rogue wrong. I have fixed it now.
nice.
Spell it right R-O-G-U-E!
--Brian
As Mother Nature intended.
Hey Virgil wheres your profile picture from? Ive seen it multiple times before.
@@jonathangrey2183 there is no "C"
Holly crap i know this is gonna be good. Ollam has 3, 1 hr long talks on YT about physical building security and its amazing. Mans hype
Can you link it please?
I've been reading quite a few comments saying how newer cards are encrypted (chap smart cards). I work on large industrial and government systems almost daily and can tell you the number and types of things that are still 'secured' by the lowest level cards (26 bit) is scary. I have literally cloned a card in front of a security director of a weapons lab with one of those eBay blue guns and it still took them over a year to upgrade because the way government financing works.
I hear you, man. Same here, I'm also a security integrator and I keep reading the same comments and think, "if they only knew."
Industry polling say that 26-bit, standard Weigand is still the majority of installations in the US. Some companies have moved to 'smart' cards (13.56MHz) but it is far, far lower conversion rate than you would hope/expect. These techniques will get you in most places today.
When security people show this to C-Level executives they freak out, initially. Then, they ask how much will it cost to replace all the readers and rebadge every employee and they quickly sweep it under the rug. Trust me, rebadging hundreds, thousands, tens of thousands of employees for a changeover is a logistical nightmare.
@@thezfunk I wish I could tell you what I do, it is super scary the number of facilities in the US that are using ancient access technologies. A lot of the US is actually about a decade or more behind most of the rest of the world. I have stories.
imagine how old the systems are that North korea or Iran use to protect thier weapons systems.
haha i used to work for a non-union automobile company, they used RFID badge readers outside the building to get in. i always thought about doing this given how easy it was, but i couldn't risk my job in that period of my life.
my god I LOVE this! it's so interesting to learn about, I'd love to see more of this pen testing strategies and absolutely demolishing the sense of security I have of buildings
Oh there are tons of things that will demolish that sense of security :)
deviant does a pretty awesome talk here: ua-cam.com/video/rnmcRTnTNC8/v-deo.html
it's all about crazy physical penetration he's done.
Check out Deviant's channel, hes got hours of to talks on how to beat locks, doors, access control systems, elevators, and how these all get applied to pen testing.
THANKS FOR THE VALUTA CONVERSION - WAS A GREAT TOUCH ;)
The more interesting aspect of this video is related to what information you can get from bugging the readers. Cloning cards and replay attacks are only going to work against systems that aren't using cryptographic access cards
Not gonna lie. I like this video just for the ad. I don't know anything about that specific company but i have always wanted that type of business to exist. Great video still.
I imagine that after destroying so many sources of "security", Jason begins scheming to destroy the sponsors of thier videos because they produce "security" and Murphy holds Jason back.
And Jason Murphy holds Jason Murphy back?
@@zackthemaniac5754 +1 lol
Split personality's?
Murphy is the side of Jason Murphy that we see, Jason comes out when the cameras aren't rolling.
This was one great video! I enjoyed every moment of it. Thank you for this video! Well done!
I can just imagine someone placing a RFID chip in a Sonic screwdriver prop and just using that to open doors where they work
Ashton Minden I believe someone did it with the London Underground rfid card and a sonic
I plan on doing that at school. I’m trying to find out the frequency that they use in their fobs, then I’m just gonna purchase one, strip it down, and put it in a sonic
I'm waiting for my proxmark in the mail, I'm totally gonna try that. Thanks for the idea.
@@will_scarborough6487 then you will go to jail for a felony.
Genius
i am glad to see the deviant out and about! i love the defcon talks he gives!
"F*cking magnets, how do they work?" Terrific reference by that dude.
Icp
Whoop whoop
Had to look through the comments as soon as I heard that to see who else caught it. Whoop! Whoop!
with each episode this channel becomes more entertaining, intriguing and terrifying. I love it.
Company: "dang, that DeviantOllam fellow decoded our top master key, better install prox cards!"
The following week:
"Now he's got everyone's card code and is randomly badging in as other people! We have to stop him!"
Deviant: /hides in elevator/
Sir, with all due respect, how do I know you're not him? He could be any one of us, just using a cloned badge.
I see you saw Deviant's elevator talk.
@@---cr8nw He could be any one of us. He could be you, he could be me! He could even be--
**BLAM**
*spy dies*
V, is that you??
In Australia JayCar sells an RFID cloning "educational kit" that was capable of so much more than just RFID for just $30AUD and that's in a local store. It's very close to performing most of the features of the more expensive unit displayed here
Watching these videos, I REALLY wanna see a heist movie that is so painfully accurate, it could be used as a how to guide.
Love your work you inspire me all the time
PS. love your videos was just watching one as you posted
I saw Deviants name in my notification and stopped what I was watching to start this
Couple years ago, the Dutch transit system used RFID card for opening gates/ credit. But with some cheap read/writer u could add "money" and travel for free.
This guy's glasses make him look like a cartoon.
I was gonna say looks like a snap chat filter
For me it was the painted on beard.
I love the way Jason shakes people's hands to make sure they can't have too tight a grip
BRO I KNEW IT WAS BRIAN FROM SCAMSCHOOL!!! His voice is so unique. I was like wait a second....where's his Pointy mohawk
Thanks, we have these readers all over our work and now I want to go pop one open!
It’s so easy, it’s anticlimactic af.
*NEXT EPISODE:* Bi-fold prison wallet.
This cool as I work for a company that does dispensing cabinets for industrial supplies and the information can come in handy!
The most mind blowing part of this video was the $5 ESP chip being sold at a $80 price tag.
The ESP key that they use is the ESP chip loaded with custom firmware and additional hardware that automatically strips the wires when you press them into the slots on the chip. I'm not saying it's not pricey, but they're not just reselling it for a $75 markup.
Its more like their selling their code for 75$ and the chip for convenience
So I just discovered deviant ollam yesterday and was continuing my binge when I saw this vid
Yes. He is a gateway ‘drug’ into infocrack.
The guy talking about the technology looks like his glasses are put on with cgi on his close up
I’m SOOO glad I’m not the ONLY person who noticed that!!!
bruh
Interesting. I really appreciate you showing pricing in NZD, thanks!
that moment brian kinda learns that US banking tech (chip and pin, and RFID in debit cards) is 20 years behind the rest of the world
Seemed weird to me when he said "a couple of years ago" since I remember I had paywave visa cards 7 years ago in my backasswards country.
It wasn’t a long time ago Visa & Mastercard actually stopped The Mythbusters from releasing the RFID episode.
The US was actually first to get Apple Pay, which is leaps and bounds ahead of Chip an PIN (I finally have it where I live and use it wherever I get the oppertunity).
Yes mag stripe is a joke, it's like he said, you may as well have your bank account written on a bit of paper.
The banks here moved from MIFARE Classic (compromised 9 years ago) to MIFARE Plus (a bandaid patch to the Classic technology) a couple of year ago, better, but nothing compaired to Apple Pay and Google Wallet.
Banks suck at security.
@@NZSpides again, US BANKING is 20 years behind (like it is a real thing)
a branded (in this case apple) solution does not somehow make it a leap forward
all the tech was already there (so much so, that apply talked to companies, and worked with them in bringing banking tech (again, already in use, and for many many many years before hand) into a form that made it easier
the tech apple uses is 20+ years (in the sense of what is making the payment)
face ID, or fingerprint, or pin, thats what you enter into the phone (the phone at that point is handling security, so the payment device, that is really the only difference, and again, isn't new)
Jeremy Sims I was referring to the point that every transaction with your account is unique. The actual technology after that hasn’t changed in years.
Banks use insurance to cover the fraudulent transaction which helps them but screws the user that has to go change all their account info for payment sites.
Thanks for asking the right question. But please never ever interrupt them
I can'thelp seeing his glasses as a post-production special-effect
Stoked to see Deviant on here!!
I love how the WiFi network from the creds skimmer is called "Eve's Android". It looks inconspicuous because a random hotspot could be on, and its called "Eve" as in "Eavesdroper".
With a proper smartcard you may implement a full PKI with certification checks on the cards and a crypto-tunnel for every component.
It was be done with some goverment ID-Cards for the public. A crypto-RFID-reader with full certification isn't cheap and you should have some security for the goverment issued usage certificates.
Nowdays only the police some big companies uses this as it failed in implementation. My bank tested it 4 years for online banking. (Now there are forced implementation for lawyers, doc's and debt collection company).
"couple bucks"
Try 10 for 1 dollar depending on the type. (Like the NTAG RFID tokens you can use to make Nintendo Amiibo's at home.)
When you buy cards in bulk it makes out or less than $1/piece. Cards made by HID are a bit more expensive.
Love the conversions. Well done.
I understand Brian is very excited about this stuff but he keep interrupting my man trying to explain how this tech works.
This video is amazing. I had no idea 💡 it was that easy. $2 and a taco 🌮! Best line!
"fear not my paranoid and ignorant juggalos; she is not a scientist"
This is legit just what I was going to search for when opening the UA-cam app.
Now i know how to get into the principals office
knowing is a fraction of the goal. Its like me sayin I know how to shoot like Micheal Jordan. or I could be like Kobe and Study and apply and be a legend 5X Champ #RipKobe24
thanks for including IDR in the conversion :D
You should do a video of the best rogues throughout history
If you pick me I'd be thrilled I've watched your videos since scam school I work at a hotel in maintenance and I'd love to show my boss all of our flaws in our systems 😉 love all the red team alliance and modern rogue vids
How to stop a card cloner from cloning your card:
1) Get something to block the RFID. (passive)
2) Card Companies... install a momentary on/switch into the card. (active)
- Literally just a pressable microswitch, something like a flat indent you press your finger into, that closes the circuit in the RFID circuit in the card, and BAM, allows the RFID circuit to function.
They could still clone it if they pressed that switch though, or if they hid their reader somewhere near the legit reader. The encrypted way is better because it allows the public to use their cards in the same way, and it makes them pretty much unspoofable.
+Daniel Nunya Bidnezz
Best way to stop a card cloner from cloning your card is to *USE CASH.*
:
Good to see Deviant use the same great Wera screwdriver I carry in my work belt, for nearly all lock related jobs.
I still can't believe the US is so far behind on contactless payments. We've had tap for the longest time here in Canada.
you think the US is far behind? then come to germany.
@@GameCyborgCh try austria, people get angry when you try and talk them into using cards instead of cash.
EU is trying to remove 1 and 2 (euro-)cent coins since they are basically worthless... some people here are VERY opinionated on that idea
It doesn't affect you. Not sure why people always care so much what the U.S does.
@@andyk2594 1 and 2 cent coins are actually less than worthless, they cost more to make than they are worth
@@andyk2594 I didn't say it effected me, just that I was surprised. Plus, I'm Canadian so it impossible not to deal with the US in some way.
The best combination of UA-camrs I've ever seen
When you come to the modern rogue for their humor and possibly to learn a new skill...
But leave scared shitless
Thanks Jason and Brian :)
Nice demonstration, very educational and clear.
If I had this I would clone garage key cards in my city for free parking
The first debit cards and atm machines like many other tech are actually tested in Australia because of our laid back attitude to technology and change.Google devices first tested in Australia.
Never been here this early.... Wassup notification squad
Trying to figure out how to transfer my credentials onto a ring. Extremely helpful. Thanks
Am I the only one who isn't as impressed or shocked by any of this as these guys pretend it is?
Fun video! I was interested in taking a class with the Red Team Alliance, but it doesn't look like they have any classes here in Austin.
So... I know of BSL3 laboratories that use rfid tech for access and they're working with anthrax.......
Being afraid is the appropriate reaction.
Also "look like you belong" is the best advice for pen testing.
Didn't watch the entire video yet, but RFID is a pretty generic term and a lot of RFID systems (such as the one on payment cards) can literally not mathematically be cloned. My knowledge of access control systems is far more limited, but as far as I know some of them are the old 'number on a card' approach, but definitely not all.
@@DavidMulderOne it's the one he says "Oh the light bar? That's" and he names it and says it can be cloned.
Honestly though the bigger security measure is all the cameras and the relatively small staff. People know who's supposed to be there and who isn't. Also the on sight 24/7 FBI agent is pretty good too.
This kind of thing really scares me. I'm not sure I can support this video with algorithmic comment boosting... Drat! How can I be critical of the content via an attached forum without actually increasing the video's electronic footprint?! I can't!! You win again, Modern Rogue, but there will be a next time!
The bald guy’s glasses look like they are a cartoon.
nifty episode, must feed the algorithm seymour
I love how they say that a esp8266 costs $80. It's like a 2 dollar device.
0,74 € on aliexpress... maybe he wanted to say "80 cents" instead of "80 bucks"? but this thing looks like a really nice toy for all sorts of projects, didn't know that this stuff got THAT cheap, definitely on my wishlist now!
Don't forget, am radios can operate without power. Turning on via the radio wave, then, instead of transmitting a pass code, turns on a small speaker/earpiece, to listen to the broadcast.
Am I the only one who thinks "Dr. Venture"?
Omg yes!
there is RIFD writers/readers available on Google play store...
and phone can be used for broadcast that copies id or used to write on external chip
I tested it to copy "key" to laundry room of my apartment building.. on external RIFD chip
Next stop Area 51 underground Bunker complex from Independence Day where they store the bodies and the spacecraft
43 years making my living as a geek. the guy on the right - burgundy shirt - is a type. there is one in every lab. same beard, same voice, same delivery. typically named Howard.
Last few vids have made me a billionaire
Cheers guys
LMAO
Don't know about the US, but in Germany security systems usually use temper protection.
No chance you unscrew an access control panel without causing an alarm.
I'd expect a more low key method like an additional cover which could be produced using flexible PCBs with black mask
Just continued to watch.
What? 95% of systems don't use tamper protection in the US?!?!
So basically nobody knows how to build security systems over there?
And temper protection is usually done by a single push switch instead of vulnarable magnet sensors.
100% reliable and older than LEDs and ICs themselves.
Again, don't know about the US but I just can't imagine all of you being so incompetent...
It's no longer surprising how easy it is to do this kind of stuff.
Some car key fobs do have a battery, but they mainly extend the range of some of the capabilities of the key fob
Two things.
1) I am a little disappointed Ollam didn't show off the rfid implant he has in his hand. Its like real life freakin magic.
2) RFID is used in a variety of playing cards (specifically casinos and televised poker tournaments) to be able to see what cards players have without having to have a table cam show what cards a player is holding.
1:29 love it how there is a translation for silly units to actual meaningful units
Esp module: $80.
Me: I bought them for $5 and are standing there just turning on the lights :O
The ESP chip is $5 but the ESP Key module that they use has the firmware already loaded, and it has special hardware to automatically strip the wires and connect to them when you shove them into the little slots on the chip.
Quite the interesting line of thought for the everyday experience.. very informative, thank you.
"Magnets are behind 99% of penetrations"
-Brian Brushwood (2020, colorized, UA-cam)
Deviant Ollam videos are the best!