29:07 - Yubikey literally did all three of these correctly (through FIDO/U2F/passkeys). * One physical token, many credentials, and all secure and isolated from each other because each credential is just a data slot in the same simple protocol - not separate apps. * No extra hardware - the protocol works over USB and NFC * User interface - Built-in PIN/passphrase (with a separate one for administration), and touch-to-confirm. Credential storage and other settings are managed through an app on your phone or PC, which is fine, I don't need a built-in interface for that. I love my Yubikey, and I would trust it over my phone any day. (But of course, it is not my only authentication factor)
@@DxBlack that's not an overview, that's a smattering of anecdotes. this covered a very small subset of the fascinating topic of SIM card hacks, the coverage was very superficial, and there was very limited analysis into larger trends and lessons learned. this guy managed to make an incredibly deep well of hacker lore look boring and shallow.
If I lose my gym card, that’s fine-I report it as lost, they block it, and I get a new one, I will still have my drivers license, credit card and what else I might have. But if I lose my smartphone with this proposed "solution" I lose everything, even my ID card in the future. How will I then prove to authorities that I am who I say I am? It's like putting all your investments in the same one basket, you just don't do it. You spread the risk.
Oh I love this, definitely going to check out his product. While I generally approve of a move toward using portable computers for access control, there are a few areas where we aren't so clearly ready for the move yet. Firstly, NFC is subject to spoofing and MITM. While QR codes do have some drawbacks that require careful thought around the protocol built on them due to shoulder surfing, it's really easy to tell when someone is tampering with or intercepting your QR code. Secondly, the problem with endpoint security is serious and I don't think TEE is the full answer. ARM Morello will help us understand user intention a lot more clearly when it arrives. Finally, modern phone security UI varies wildly on how closely the designer read Ka-Ping Yee's Secure Interaction Principles. "Fingerprint to approve" is a good example that fails to appreciate a wide range of common attacks covered in the SIP. If we can address these, maybe we can finally get that utopia of the world securely in our pocket.
Did they make brownout detection a mandatory function? If I remember right with iCLASS SE and ELITE you have to buy the cards directly from HID and they are horribly expensive.
When the power goes out - how do you open the doors? Having fail open is a security issue in itself, Doors closed is a health and safety issue. Keys, whilst insecure in themselves may be more secure? Lockpicking is easy when you have a lock in a vice, very different when trying a genuine lock in a door.
Some doors by fire code must not restrict exit ... Thru fire exit doors, not all doors are exits. Many doors have locks to prevent entry, but allow exit.
A few things, some are battery backup. Also for the magnet ones you can buy them in 2 flavors, 1) the power going to the magnet is always on to keep it closed. 2) there is no power to it until it needs to open. if you buy #1 then when the power turns off the door is open, nothing to keep it closed. But most common is a battery backup system for the doors.
Top-notch systems require an Apple device with FaceID and a PIN. Touch phone to reader, enter PIN. App on phone notifies, you unlock your phone and unlock the zone with FaceID in an app. This is what I‘ve seen installed in major companies in Europe.
@@CGoody564 Oh I know nothing xD I just figured that rather then only being able to send out info about the credit card to the reader, and receive info about the vicinity of a reader so it knows when to send it... I realize I really don't know how it works.
Why on Earth would I ever put my personal credit and debit cards on a device that is known to be constantly connected to the Internet, even when "turned off" and almost certainly has at least one backdoor in it somewhere, if not put in by the manufacturer, at least put in by the NSA. Yeah no, I'll take a YubiKey any day.
Yeeeaaah, no. I do not ever intend for my phone to _be_ my credit card, even if the infra becomes universal (as a Home Depot employee, we _literally just this month_ finally got Apple Pay at our store). Phones get stolen all the time, and if you steal a phone, and they put their payment cards, id cards, everything else on there... it doesn't matter if it's "password protected", you can always bypass that and *_become_* that person with little effort.
29:07 - Yubikey literally did all three of these correctly (through FIDO/U2F/passkeys).
* One physical token, many credentials, and all secure and isolated from each other because each credential is just a data slot in the same simple protocol - not separate apps.
* No extra hardware - the protocol works over USB and NFC
* User interface - Built-in PIN/passphrase (with a separate one for administration), and touch-to-confirm. Credential storage and other settings are managed through an app on your phone or PC, which is fine, I don't need a built-in interface for that.
I love my Yubikey, and I would trust it over my phone any day. (But of course, it is not my only authentication factor)
oh. so, not an overview of the history of smart card hacking, actually just an ad for a startup. excellent stuff there
There were at least 3 examples of historical hacks of smart cards...
@@DxBlack that's not an overview, that's a smattering of anecdotes. this covered a very small subset of the fascinating topic of SIM card hacks, the coverage was very superficial, and there was very limited analysis into larger trends and lessons learned. this guy managed to make an incredibly deep well of hacker lore look boring and shallow.
to be fair he also spent the first third of his talk demonstrating the futility of his startup.... at least he's honest?
should have guessed from his outfit 😂
Saying "Smartcards are dumb", because every card with an IC capable of doing authentication falls under the category of a Smartcard, is dumb.
literally was trying to figure out smart cards today and this showed up after I did my searching
I always love listening to defcon talks, I know nothing about computers but it’s always good to learn anything
If I lose my gym card, that’s fine-I report it as lost, they block it, and I get a new one, I will still have my drivers license, credit card and what else I might have. But if I lose my smartphone with this proposed "solution" I lose everything, even my ID card in the future. How will I then prove to authorities that I am who I say I am? It's like putting all your investments in the same one basket, you just don't do it. You spread the risk.
Finally Defcon is back 🎉
Oh I love this, definitely going to check out his product.
While I generally approve of a move toward using portable computers for access control, there are a few areas where we aren't so clearly ready for the move yet. Firstly, NFC is subject to spoofing and MITM. While QR codes do have some drawbacks that require careful thought around the protocol built on them due to shoulder surfing, it's really easy to tell when someone is tampering with or intercepting your QR code. Secondly, the problem with endpoint security is serious and I don't think TEE is the full answer. ARM Morello will help us understand user intention a lot more clearly when it arrives. Finally, modern phone security UI varies wildly on how closely the designer read Ka-Ping Yee's Secure Interaction Principles. "Fingerprint to approve" is a good example that fails to appreciate a wide range of common attacks covered in the SIP. If we can address these, maybe we can finally get that utopia of the world securely in our pocket.
Ouww yeah! - When the door unlook, incredible! - I love my 'Flipper' :D - Awesome Talk, man Awesome Talk!
Did they make brownout detection a mandatory function?
If I remember right with iCLASS SE and ELITE you have to buy the cards directly from HID and they are horribly expensive.
His name is “Chad Shortman” 😅
When the power goes out - how do you open the doors? Having fail open is a security issue in itself, Doors closed is a health and safety issue. Keys, whilst insecure in themselves may be more secure? Lockpicking is easy when you have a lock in a vice, very different when trying a genuine lock in a door.
Some doors by fire code must not restrict exit ... Thru fire exit doors, not all doors are exits. Many doors have locks to prevent entry, but allow exit.
A few things, some are battery backup. Also for the magnet ones you can buy them in 2 flavors, 1) the power going to the magnet is always on to keep it closed. 2) there is no power to it until it needs to open. if you buy #1 then when the power turns off the door is open, nothing to keep it closed. But most common is a battery backup system for the doors.
The video description boasts of high-profile attack analysis and live demos that don't exist.
I've worked in the security field all my life basically... Try to getting a root shell on some of these boards is trivial.
brilliant product
Top-notch systems require an Apple device with FaceID and a PIN.
Touch phone to reader, enter PIN.
App on phone notifies, you unlock your phone and unlock the zone with FaceID in an app.
This is what I‘ve seen installed in major companies in Europe.
defcon did faceid in 2019
This is certainly one of the best DEFCON talks I've seen. Very light on the jargon for once!
… AOW is “Any other weapon”
So it's possible in theory to run Doom on a credit card?
"Can it run doom" if can display graphics, yes it can.
So out phones have a chip like our credit card but with a memory...
Knowing nothing, I see a future where that can be used to hack phones.
Idk where you're getting "but with memory" from; it is explicitly stated that those credit card chips have memory themselves
@@CGoody564 Oh I know nothing xD I just figured that rather then only being able to send out info about the credit card to the reader, and receive info about the vicinity of a reader so it knows when to send it... I realize I really don't know how it works.
Why on Earth would I ever put my personal credit and debit cards on a device that is known to be constantly connected to the Internet, even when "turned off" and almost certainly has at least one backdoor in it somewhere, if not put in by the manufacturer, at least put in by the NSA.
Yeah no, I'll take a YubiKey any day.
My flipper zero just crapped on this video.
I guess it FLIPPED you off
@@casualamber nope, guess again
Yeeeaaah, no. I do not ever intend for my phone to _be_ my credit card, even if the infra becomes universal (as a Home Depot employee, we _literally just this month_ finally got Apple Pay at our store). Phones get stolen all the time, and if you steal a phone, and they put their payment cards, id cards, everything else on there... it doesn't matter if it's "password protected", you can always bypass that and *_become_* that person with little effort.
Why bother when your bank will always reimburse (immediately) any misused funds due to your phone theft.
@@FaeLLe Good luck _proving you are who you say you are_ without your phone.