How to stop a card cloner from cloning your card: 1) Get something to block the RFID. (passive) 2) Card Companies... install a momentary on/switch into the card. (active) - Literally just a pressable microswitch, something like a flat indent you press your finger into, that closes the circuit in the RFID circuit in the card, and BAM, allows the RFID circuit to function.
They could still clone it if they pressed that switch though, or if they hid their reader somewhere near the legit reader. The encrypted way is better because it allows the public to use their cards in the same way, and it makes them pretty much unspoofable.
The ESP key that they use is the ESP chip loaded with custom firmware and additional hardware that automatically strips the wires when you press them into the slots on the chip. I'm not saying it's not pricey, but they're not just reselling it for a $75 markup.
I love how the WiFi network from the creds skimmer is called "Eve's Android". It looks inconspicuous because a random hotspot could be on, and it's called "Eve" as in "Eavesdropper".
Couple years ago, the Dutch transit system used RFID card for opening gates/ credit. But with some cheap read/writer u could add "money" and travel for free.
The US was actually first to get Apple Pay, which is leaps and bounds ahead of Chip and PIN (I finally have it where I live and use it wherever I get the opportunity). Yes mag stripe is a joke, it's like he said, you may as well have your bank account written on a bit of paper. The banks here moved from MIFARE Classic (compromised 9 years ago) to MIFARE Plus (a bandaid patch to the Classic technology) a couple of years ago, better, but nothing compared to Apple Pay and Google Wallet. Banks suck at security.
@@NZSpides again, US BANKING is 20 years behind (like it is a real thing) a branded (in this case Apple) solution does not somehow make it a leap forward all the tech was already there (so much so, that Apple talked to companies, and worked with them in bringing banking tech (again, already in use, and for many many many years before hand) into a form that made it easier the tech Apple uses is 20+ years (in the sense of what is making the payment) face ID, or fingerprint, or pin, that's what you enter into the phone (the phone at that point is handling security, so the payment device, that is really the only difference, and again, isn't new)
Jeremy Sims I was referring to the point that every transaction with your account is unique. The actual technology after that hasn’t changed in years. Banks use insurance to cover the fraudulent transaction which helps them but screws the user that has to go change all their account info for payment sites.
With a proper smartcard you may implement a full PKI with certification checks on the cards and a crypto-tunnel for every component. It was done with some government ID-Cards for the public. A crypto-RFID-reader with full certification isn't cheap and you should have some security for the government issued usage certificates. Nowadays only the police and some big companies use this as it failed in implementation. My bank tested it 4 years for online banking. (Now there are forced implementation for lawyers, doc's and debt collection company).
I recently decided I wanted to get into microcontroller development and mentioned it to my friends. They ended up getting me an Arduino starter kit and an extra Arduino Nano. But here's the relevant bit: I had mentioned getting a WiFi shield, and my friends bought the wrong thing, instead getting me a pack of 3 NodeMCU ESP8266 WiFi boards.... imagine my shock to see that those are THE SAME boards being used here to man-in-the-middle attack an RFID reader! That's so cool! (Also, they're ridiculously cheap for blank ones -- a 3-pack is only $13 on Amazon -- so I assume the $80 is mostly paying for the premade code someone wrote and preloaded onto it to use it as an ESPKey?)
knowing is a fraction of the goal. It's like me sayin I know how to shoot like Michael Jordan. or I could be like Kobe and Study and apply and be a legend 5X Champ #RipKobe24
So... I know of BSL3 laboratories that use rfid tech for access and they're working with anthrax....... Being afraid is the appropriate reaction. Also "look like you belong" is the best advice for pen testing.
Didn't watch the entire video yet, but RFID is a pretty generic term and a lot of RFID systems (such as the one on payment cards) can literally not mathematically be cloned. My knowledge of access control systems is far more limited, but as far as I know some of them are the old 'number on a card' approach, but definitely not all.
@@DavidMulderOne it's the one he says "Oh the light bar? That's" and he names it and says it can be cloned. Honestly though the bigger security measure is all the cameras and the relatively small staff. People know who's supposed to be there and who isn't. Also the on-site 24/7 FBI agent is pretty good too.
@@GameCyborgCh try Austria, people get angry when you try and talk them into using cards instead of cash. EU is trying to remove 1 and 2 (euro-)cent coins since they are basically worthless... some people here are VERY opinionated on that idea
43 years making my living as a geek. the guy on the right - burgundy shirt - is a type. there is one in every lab. same beard, same voice, same delivery. typically named Howard.
Don't forget, am radios can operate without power. Turning on via the radio wave, then, instead of transmitting a pass code, turns on a small speaker/earpiece, to listen to the broadcast.
0,74 € on aliexpress... maybe he wanted to say "80 cents" instead of "80 bucks"? but this thing looks like a really nice toy for all sorts of projects, didn't know that this stuff got THAT cheap, definitely on my wishlist now!
Fun fact; you don't need a $300 gizmo and a laptop to read and write data to RFID tags. Some phones with NFC (especially the Nexus line) are capable of doing this from an app and doesn't require rooting. The tough trick to pull off at the moment is making the phone broadcast the card code so you don't need to write the data to a tag, you just read a tag and then use your phone to emulate the card.
Two things. 1) I am a little disappointed Ollam didn't show off the rfid implant he has in his hand. It's like real life freakin magic. 2) RFID is used in a variety of playing cards (specifically casinos and televised poker tournaments) to be able to see what cards players have without having to have a table cam show what cards a player is holding.
If you pick me I'd be thrilled I've watched your videos since scam school I work at a hotel in maintenance and I'd love to show my boss all of our flaws in our systems 😉 love all the red team alliance and modern rogue vids
The ESP chip is $5 but the ESP Key module that they use has the firmware already loaded, and it has special hardware to automatically strip the wires and connect to them when you shove them into the little slots on the chip.
I just went to redteamalliance to look around opened their web site and only then realized that I just more or less opened a hackers link they probably now have access to all my information now
The first debit cards and atm machines like many other tech are actually tested in Australia because of our laid back attitude to technology and change. Google devices first tested in Australia.
That's right, you could win an ESPKey or a clear RFID badge from Red Team Alliance. Plus, we're extending last week's Miracle Fruit Tablets giveaway another week! Be one of 10 lucky winners to get an ESPKey, clear RFID badge, or set of Miracle Fruit tablets by entering this week's free giveaway now at gimme.scamstuff.com (no purchase necessary, giveaway ends 2/6/2020)
I'm the winner. Fact.
@@gaijinexec probably never :p
I’m 90% sure the Modern Rogue is just Brian and Jason planning a super elaborate heist
I want.
Dude I had no idea sounds awesome though! :D Love the show!
6:25 "It's open source man. If it doesn't work you can just fix it". The perfect argument!
I love open source, but of course the people that could help fix things and don't are where we all fall flat on our faces.
@@dafoex ? I don't understand your comment. Who are "we"? How do "we" fall flat on our faces?
Who are the people "that could help fix things"? OOP is incredibly easy to learn, so anyone willing to put in a bit of time can fix the open source software.
I'm not trying to be rude, I am genuinely curious.
@@trones9204 he means instead of using the knowledge to fix it they use it to exploit the issue for their benefit
@@buddergolem9463 not in the case of Android or any mainstream open source project. only problem is people who refuse to Google, refuse to use their brain and create spam aka low-effort posts asking what they could easily solve with one google.
It's worth mentioning that the more expensive RFID tags use an active challenge-response system, where the number broadcast is different every time.
It's also worth mentioning that those are rarely used in practice. As a security integrator, I can say my experience is that I may install 1 out of a 100. That is because it is more expensive and the sales guys like to sell the cheaper systems so they can upcharge and pocket the rest.
And then of course, if they install REX Motions then forget about security. Give me a can of compressed air and I'm in. Security is only as good as your weakest link.
@@BLavins all the readers I'm familiar with use this challenge response approach.
@@brwa5176 I challenge this and expect a response
@@brwa5176 you must work for a higher end establishment then; in my installation experience this is not the case. Either way I’m sure there are ways to defeat it
I love the very strong attempt to provide an “everyday” reason to know all this throughout the channel.
On the contrary there is also a successful attempt to scare me and yourselves.
Keep up the power moves.
@@tenchraven That sounds awesome and I wish I could be your player. No homo
It helps inform people of vulnerabilities in THEIR own security
Knowing how to do it is literally the only way to know how to stop it in the security biz. Not that I have a legit reason to know, I just don't want to call a smith to break into my own car or house. I also like to help my friends and coworkers out too when I'm there
Kevin D I’ve been looking for tabletop RPGs with a sci-fi setting but have been unsuccessful. What do you play? I love D&D but I love cyberpunk dystopia more.
Babak Javadi's glasses look like they were added in post.
I thought the same thing. They look like a snapchat filter
I think that is the point of them they look cool.
Yeah it looks pretty cool.
@@jimmyat my other thought is they may be anti face recognition.
If anyone knows the brand of those glasses, please post it. They look freaking awesome.
I'm really enjoying the newer security/privacy based videos you guys are doing.
I can imagine someone entering a building illegally and got caught.
Police: "where did you learn how to do this?"
Perp: " Because I'm a MODERN ROGUEEEE!!!"
That will be a legendary police video
Prep?
Then you yell 'GO AWAY COP GUYS' and slam a flash bang into the ground before running away.
@@AG.Floats oops is supposed to be perp short of perpetrator. But autocorrect...
@@AG.Floats a perp is a suspected criminal like a suspect
1:39 the glasses looked like they were edited on
Thought i was the only one
True
dude has snapchat filter glasses
Yeah It was big trippy first like 2 minutes I just stared! Like wait, what?
Came here to say this. Ten Points.
Honestly, the episodes with these guys are great. Both in terms of content and subject but also in terms of presentation
Look up Deviant Ollam's defcon talks they're really good
So, for the last couple years, I've been having a bunch of fun watching Modern Rogue, InRange TV, and Deviant's talks at various conventions. And now within a month or two, Deviant shows up on MR and InRange! It's like finding out your cool friends actually know each other and get along, it's friggin' awesome!
RFID is a lot more secure nowadays, yes a few places still use easily cloneable cards, but most use some form of encryption and a nonce (random number) to verify that both the card and the reader are not spoofing. If you try to copy a card, and you don’t know the encryption key, the card will refuse to send data.
The skimmer is still an issue as far as I’m aware, but you still won’t be able to make a card if you don't know the encryption.
thats my understanding as well.
Yes and No. If you check out Deviant Ollam's channel, one of his talks he did mentioned that even the more secure systems, most of the time the readers also have a Prox system in-place and enabled as a built in backup. So while you may not be able to spoof a higher end card, you can still fool the sensor in other ways to trigger a door open.
You also run into circumstances where an organisation doesn't control the whole building so while they have whizz bang encryption in their readers and protocols on the wire to the controller, they do dumb stuff like make building lifts with its legacy system part of their security framework.
Hell, I've seen the "break glass" emergency switches mounted *in* the public lobby area because the only way to get to the emergency stairs is through that door - rather than building a path that didn't require basically disabling security.
As a security integrator myself, I will have to say that in my experience, the sales guys are still selling the unencrypted HID Prox readers. In fact, it is rare when I install anything encrypted. I have the Proxmark 3 and use it to clone company cards when I'm at a company that doesn't have a guest badge for IT vendors. I've cloned my own cards to transfer them to keyfobs instead so I don't have to carry my badge everywhere I go. Instead, it's right there on my keychain.
@@freman In many places it's actually part of the fire code. Nothing they can do about it. I just did an office recently that wanted to have a fail secure crash bar on the stairwell door but fire code says it must be fail-safe so if the fire alarms go off then the doors unlock. This way the fire department can access the floor from the stairwell. It's fail-safe so that way if the power fails it will also be unlocked. The owner didn't like it but there was nothing he could do about it due to the fire code.
Hey Brian and Jason! Proudly been watching for nearly 10 years now. Much love and respect!
wow! Thanks so much, man!
These new Modern Rogue episodes have been A+, really great seeing this channel grow.
I work with this in Sweden and this is widely known in the security industry, I would love to see them explain with mifare which is the by far most used one in new/renovationer building. Possibly go into differences in mif/ mig lite and mif 4K.
I was kind of hoping that Deviant would use the back of his hand to open the lock.
Oh yeah he's got a chip
Thats coming, they covered implants while they were there
@@screwball69 It would just have been the perfect moment right now to make jason and bryan just flip their shit.
@@Volvary Agreed
Deviant Olaf, cyber-intrusion agent.
I've been reading quite a few comments saying how newer cards are encrypted (chap smart cards). I work on large industrial and government systems almost daily and can tell you the number and types of things that are still 'secured' by the lowest level cards (26 bit) is scary. I have literally cloned a card in front of a security director of a weapons lab with one of those eBay blue guns and it still took them over a year to upgrade because the way government financing works.
I hear you, man. Same here, I'm also a security integrator and I keep reading the same comments and think, "if they only knew."
Industry polling says that 26-bit, standard Wiegand is still the majority of installations in the US. Some companies have moved to 'smart' cards (13.56MHz) but it is far, far lower conversion rate than you would hope/expect. These techniques will get you in most places today.
When security people show this to C-Level executives they freak out, initially. Then, they ask how much will it cost to replace all the readers and rebadge every employee and they quickly sweep it under the rug. Trust me, rebadging hundreds, thousands, tens of thousands of employees for a changeover is a logistical nightmare.
@@thezfunk I wish I could tell you what I do, it is super scary the number of facilities in the US that are using ancient access technologies. A lot of the US is actually about a decade or more behind most of the rest of the world. I have stories.
Imagine how old the systems are that North Korea or Iran use to protect their weapons systems.
As someone getting into cybersecurity, these episodes are amazing.
If you're into cyber security, then you should have read about this years ago.... this is way old news
@@NZSpides Everyone progresses at a different pace, with different starting points, end goals, and starts at a different time in their life.
When the modern rogue posts a video... while I’m watching a modern rogue video
Edit: I do appear to have spelt Rogue wrong. I have fixed it now.
nice.
Spell it right R-O-G-U-E!
--Brian
As Mother Nature intended.
Hey Virgil wheres your profile picture from? Ive seen it multiple times before.
@@jonathangrey2183 there is no "C"
When you already know, but watches it anyway since it's the best collab ever.
"There are different things to put in different places."
-Babak
This is essentially the lost mythbusters episode that adam savage talked about.
Not really. Tap to pay has a little more smarts than simple access cards, and aren't vulnerable to the types of attacks in this video.
More credit cards than door access cards.
Credit cards have a wee bit more security built in. Especially on the payment terminal.
The lost mythbusters episode on that covered how easy it is to duplicate credit cards and do it from a distance.
Chip and pin still remains the most secure but the danger of old RFID credit cards was the credit card number wasn't encrypted! This meant you could steal credit card numbers from wallets without touching them, hence all the RFID protection wallets have these days...
Oh passports were also vulnerable to this.
@@DarkFoxDK it is. Adam Savage was doing some appearance at a convention iirc, and he said they were going to do a show on how vulnerable the chips are, but they decided not to due to legal reasons.
well, the "legal reasons" were: "Credit card companies threatened to stop buying advertisements at discovery channel"
@@user-lw8jk6nv7l Like Phil says, wireless credit cards, and chips aren't just static data being shouted out, which can then be copied. There's a cryptographic challenge and response process, which prevents straight up copying of the card as shown in this video, as the card's secret is never revealed directly. There are other vulnerabilities that are a lot more difficult to exploit, but it's not nearly as easy as copying an access card.
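The difference this thread keeps returning to, a card that always sends the same number versus one that answers a fresh challenge without revealing its secret, shown as an added example that is not part of the original comments. HMAC-SHA256, the per-card key derivation and every name and value below are assumptions chosen for illustration, not the protocol of any real card or reader.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; not taken from any real system.
SITE_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CARD_UID = bytes.fromhex("04a1b2c3")
STATIC_CARD_NUMBER = b"FC=42;CN=1337"


def diversify(master_key: bytes, uid: bytes) -> bytes:
    """Derive a per-card key so one card's key does not expose the site key."""
    return hmac.new(master_key, b"card-key" + uid, hashlib.sha256).digest()


class StaticCard:
    """Legacy-style credential: emits the same bytes on every read."""

    def __init__(self, number: bytes):
        self.number = number

    def read(self) -> bytes:
        return self.number


class StaticReader:
    def __init__(self, allowed):
        self.allowed = set(allowed)

    def authenticate(self, card):
        number = card.read()
        # Returns the decision and the bytes that crossed the air gap.
        return number in self.allowed, number


class ChallengeResponseCard:
    """Holds a secret key and only ever reveals a MAC over the reader's nonce."""

    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class ReplayingCard:
    """A copy built from observed traffic only: UID plus one old response."""

    def __init__(self, uid: bytes, recorded_response: bytes):
        self.uid = uid
        self.recorded_response = recorded_response

    def respond(self, challenge: bytes) -> bytes:
        return self.recorded_response  # cannot compute a new MAC without the key


class ChallengeResponseReader:
    def __init__(self, master_key: bytes):
        self._master = master_key

    def authenticate(self, card):
        challenge = secrets.token_bytes(16)  # fresh nonce for every attempt
        response = card.respond(challenge)
        card_key = diversify(self._master, card.uid)
        expected = hmac.new(card_key, challenge, hashlib.sha256).digest()
        # Constant-time comparison; also return what an observer would see.
        return hmac.compare_digest(response, expected), (challenge, response)


def demo() -> dict:
    results = {}

    # Static credential: whatever was observed once is the whole credential.
    static_reader = StaticReader([STATIC_CARD_NUMBER])
    ok, observed = static_reader.authenticate(StaticCard(STATIC_CARD_NUMBER))
    results["static_genuine"] = ok
    results["static_copy"] = static_reader.authenticate(StaticCard(observed))[0]

    # Challenge-response: observed traffic is useless for the next attempt.
    reader = ChallengeResponseReader(SITE_MASTER_KEY)
    genuine = ChallengeResponseCard(CARD_UID, diversify(SITE_MASTER_KEY, CARD_UID))
    ok1, (_, first_response) = reader.authenticate(genuine)
    ok2, (_, second_response) = reader.authenticate(genuine)
    results["cr_genuine"] = ok1 and ok2
    results["cr_responses_differ"] = first_response != second_response
    copy = ReplayingCard(CARD_UID, first_response)
    results["cr_copy"] = reader.authenticate(copy)[0]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model covers only the card-to-reader exchange; a reader that also accepts a legacy prox credential, or that passes the result to the controller over an unprotected wire, is outside what it shows.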
I'd actually thought about this for some time, since I do work for an airport as a baggage handler. And to know it would be that easy for somebody to break into an airport using tools like this is just amazing to me.
The more interesting aspect of this video is related to what information you can get from bugging the readers. Cloning cards and replay attacks are only going to work against systems that aren't using cryptographic access cards
If I had the mentality and the initial funds.. with zero concern for being a criminal.. this channel has truly taught me to be the ultimate mastermind behind breaking and entering, skimming, hacking and build and creating weapons and self defense.. you can truly become the ultimate human just by watching this
I can just imagine someone placing a RFID chip in a Sonic screwdriver prop and just using that to open doors where they work
Ashton Minden I believe someone did it with the London Underground rfid card and a sonic
I plan on doing that at school. I’m trying to find out the frequency that they use in their fobs, then I’m just gonna purchase one, strip it down, and put it in a sonic
I'm waiting for my proxmark in the mail, I'm totally gonna try that. Thanks for the idea.
@@will_scarborough6487 then you will go to jail for a felony.
Genius
Not gonna lie. I like this video just for the ad. I don't know anything about that specific company but i have always wanted that type of business to exist. Great video still.
I imagine that after destroying so many sources of "security", Jason begins scheming to destroy the sponsors of their videos because they produce "security" and Murphy holds Jason back.
And Jason Murphy holds Jason Murphy back?
@@zackthemaniac5754 +1 lol
Split personalities?
Murphy is the side of Jason Murphy that we see, Jason comes out when the cameras aren't rolling.
Holy crap i know this is gonna be good. Ollam has 3, 1 hr long talks on YT about physical building security and it's amazing. Mans hype
Can you link it please?
Watching these videos, I REALLY wanna see a heist movie that is so painfully accurate, it could be used as a how to guide.
haha i used to work for a non-union automobile company, they used RFID badge readers outside the building to get in. i always thought about doing this given how easy it was, but i couldn't risk my job in that period of my life.
my god I LOVE this! it's so interesting to learn about, I'd love to see more of this pen testing strategies and absolutely demolishing the sense of security I have of buildings
Oh there are tons of things that will demolish that sense of security :)
deviant does a pretty awesome talk here: th-cam.com/video/rnmcRTnTNC8/w-d-xo.html
it's all about crazy physical penetration he's done.
Check out Deviant's channel, he's got hours of talks on how to beat locks, doors, access control systems, elevators, and how these all get applied to pen testing.
The Modern Rogue
The 'Temple' is where the prayers are made, you are welcome to enter the temple.
Remember to take off your shoes before entering.
People through the Temple with shoes on is what causes headaches.
So when you next experience a headache, it is someONE running through your mind aka: Temple
with their shoes ON.
.. Now explain the meaning and origin of the word > ON < as in when switching a light ON.
Therein lies the clue. You just have to figure it out. Which is highly unlikely.
Company: "dang, that DeviantOllam fellow decoded our top master key, better install prox cards!"
The following week:
"Now he's got everyone's card code and is randomly badging in as other people! We have to stop him!"
Deviant: /hides in elevator/
Sir, with all due respect, how do I know you're not him? He could be any one of us, just using a cloned badge.
I see you saw Deviant's elevator talk.
@@---cr8nw He could be any one of us. He could be you, he could be me! He could even be--
**BLAM**
*spy dies*
V, is that you??
I love the way Jason shakes people's hands to make sure they can't have too tight a grip
I saw Deviant's name in my notification and stopped what I was watching to start this
this was one of the exciting videos I ever seen, I loved the instructors and the interviewers. Thank you sm!
"F*cking magnets, how do they work?" Terrific reference by that dude.
Icp
Whoop whoop
Had to look through the comments as soon as I heard that to see who else caught it. Whoop! Whoop!
In Australia JayCar sells an RFID cloning "educational kit" that was capable of so much more than just RFID for just $30AUD and that's in a local store. It's very close to performing most of the features of the more expensive unit displayed here
BRO I KNEW IT WAS BRIAN FROM SCAMSCHOOL!!! His voice is so unique. I was like wait a second....where's his Pointy mohawk
with each episode this channel becomes more entertaining, intriguing and terrifying. I love it.
How to stop a card cloner from cloning your card:
1) Get something to block the RFID. (passive)
2) Card Companies... install a momentary on/switch into the card. (active)
- Literally just a pressable microswitch, something like a flat indent you press your finger into, that closes the circuit in the RFID circuit in the card, and BAM, allows the RFID circuit to function.
They could still clone it if they pressed that switch though, or if they hid their reader somewhere near the legit reader. The encrypted way is better because it allows the public to use their cards in the same way, and it makes them pretty much unspoofable.
+Daniel Nunya Bidnezz
Best way to stop a card cloner from cloning your card is to *USE CASH.*
THANKS FOR THE VALUTA CONVERSION - WAS A GREAT TOUCH ;)
"couple bucks"
Try 10 for 1 dollar depending on the type. (Like the NTAG RFID tokens you can use to make Nintendo Amiibo's at home.)
When you buy cards in bulk it makes out or less than $1/piece. Cards made by HID are a bit more expensive.
The guy talking about the technology looks like his glasses are put on with cgi on his close up
I’m SOOO glad I’m not the ONLY person who noticed that!!!
bruh
The most mind blowing part of this video was the $5 ESP chip being sold at a $80 price tag.
The ESP key that they use is the ESP chip loaded with custom firmware and additional hardware that automatically strips the wires when you press them into the slots on the chip. I'm not saying it's not pricey, but they're not just reselling it for a $75 markup.
It's more like they're selling their code for 75$ and the chip for convenience
i am glad to see the deviant out and about! i love the defcon talks he gives!
I understand Brian is very excited about this stuff but he keeps interrupting my man trying to explain how this tech works.
Thanks for asking the right question. But please never ever interrupt them
This guy's glasses make him look like a cartoon.
I was gonna say looks like a snap chat filter
For me it was the painted on beard.
This was one great video! I enjoyed every moment of it. Thank you for this video! Well done!
I love how the WiFi network from the creds skimmer is called "Eve's Android". It looks inconspicuous because a random hotspot could be on, and it's called "Eve" as in "Eavesdropper".
So I just discovered deviant ollam yesterday and was continuing my binge when I saw this vid
Yes. He is a gateway ‘drug’ into infocrack.
I can't help seeing his glasses as a post-production special-effect
Couple years ago, the Dutch transit system used RFID card for opening gates/ credit. But with some cheap read/writer u could add "money" and travel for free.
*NEXT EPISODE:* Bi-fold prison wallet.
Other guy's glasses look like they're really jankily tracking his face when he's looking into the camera and it's so surreal.
that moment brian kinda learns that US banking tech (chip and pin, and RFID in debit cards) is 20 years behind the rest of the world
Seemed weird to me when he said "a couple of years ago" since I remember I had paywave visa cards 7 years ago in my backasswards country.
It wasn’t a long time ago Visa & Mastercard actually stopped The Mythbusters from releasing the RFID episode.
The US was actually first to get Apple Pay, which is leaps and bounds ahead of Chip and PIN (I finally have it where I live and use it wherever I get the opportunity).
Yes mag stripe is a joke, it's like he said, you may as well have your bank account written on a bit of paper.
The banks here moved from MIFARE Classic (compromised 9 years ago) to MIFARE Plus (a bandaid patch to the Classic technology) a couple of years ago, better, but nothing compared to Apple Pay and Google Wallet.
Banks suck at security.
@@NZSpides again, US BANKING is 20 years behind (like it is a real thing)
a branded (in this case apple) solution does not somehow make it a leap forward
all the tech was already there (so much so, that apple talked to companies, and worked with them in bringing banking tech (again, already in use, and for many many many years before hand) into a form that made it easier
the tech apple uses is 20+ years (in the sense of what is making the payment)
face ID, or fingerprint, or pin, that's what you enter into the phone (the phone at that point is handling security, so the payment device, that is really the only difference, and again, isn't new)
Jeremy Sims I was referring to the point that every transaction with your account is unique. The actual technology after that hasn’t changed in years.
Banks use insurance to cover the fraudulent transaction which helps them but screws the user that has to go change all their account info for payment sites.
With a proper smartcard you may implement a full PKI with certification checks on the cards and a crypto-tunnel for every component.
It was done with some government ID-Cards for the public. A crypto-RFID-reader with full certification isn't cheap and you should have some security for the government issued usage certificates.
Nowadays only the police and some big companies use this as it failed in implementation. My bank tested it 4 years for online banking. (Now there are forced implementations for lawyers, docs and debt collection companies).
You should do a video of the best rogues throughout history
Good to see Deviant use the same great Wera screwdriver I carry in my work belt, for nearly all lock related jobs.
I recently decided I wanted to get into microcontroller development and mentioned it to my friends. They ended up getting me an Arduino starter kit and an extra Arduino Nano. But here's the relevant bit: I had mentioned getting a WiFi shield, and my friends bought the wrong thing, instead getting me a pack of 3 NodeMCU ESP8266 WiFi boards.... imagine my shock to see that those are THE SAME boards being used here to man-in-the-middle attack an RFID reader! That's so cool!
(Also, they're ridiculously cheap for blank ones -- a 3-pack is only $13 on Amazon -- so I assume the $80 is mostly paying for the premade code someone wrote and preloaded onto it to use it as an ESPKey?)
"fear not my paranoid and ignorant juggalos; she is not a scientist"
This video is amazing. I had no idea 💡 it was that easy. $2 and a taco 🌮! Best line!
Now I know how to get into the principal's office
knowing is a fraction of the goal. It's like me sayin' I know how to shoot like Michael Jordan. or I could be like Kobe and Study and apply and be a legend 5X Champ #RipKobe24
This is legit just what I was going to search for when opening the YouTube app.
So... I know of BSL3 laboratories that use rfid tech for access and they're working with anthrax.......
Being afraid is the appropriate reaction.
Also "look like you belong" is the best advice for pen testing.
Didn't watch the entire video yet, but RFID is a pretty generic term and a lot of RFID systems (such as the one on payment cards) can literally not mathematically be cloned. My knowledge of access control systems is far more limited, but as far as I know some of them are the old 'number on a card' approach, but definitely not all.
@@DavidMulderOne it's the one he says "Oh the light bar? That's" and he names it and says it can be cloned.
Honestly though the bigger security measure is all the cameras and the relatively small staff. People know who's supposed to be there and who isn't. Also the on-site 24/7 FBI agent is pretty good too.
Thanks, we have these readers all over our work and now I want to go pop one open!
It’s so easy, it’s anticlimactic af.
I still can't believe the US is so far behind on contactless payments. We've had tap for the longest time here in Canada.
you think the US is far behind? then come to germany.
@@GameCyborgCh try austria, people get angry when you try and talk them into using cards instead of cash.
EU is trying to remove 1 and 2 (euro-)cent coins since they are basically worthless... some people here are VERY opinionated on that idea
It doesn't affect you. Not sure why people always care so much what the U.S does.
@@andyk2594 1 and 2 cent coins are actually less than worthless, they cost more to make than they are worth
@@andyk2594 I didn't say it affected me, just that I was surprised. Plus, I'm Canadian so it's impossible not to deal with the US in some way.
This is cool as I work for a company that does dispensing cabinets for industrial supplies and the information can come in handy!
Next stop Area 51 underground Bunker complex from Independence Day where they store the bodies and the spacecraft
43 years making my living as a geek. the guy on the right - burgundy shirt - is a type. there is one in every lab. same beard, same voice, same delivery. typically named Howard.
When you come to the modern rogue for their humor and possibly to learn a new skill...
But leave scared shitless
Thanks Jason and Brian :)
1:29 love it how there is a translation for silly units to actual meaningful units
If I had this I would clone garage key cards in my city for free parking
Trying to figure out how to transfer my credentials onto a ring. Extremely helpful. Thanks
Am I the only one who isn't as impressed or shocked by any of this as these guys pretend it is?
Love your work you inspire me all the time
PS. love your videos was just watching one as you posted
Am I the only one who thinks "Dr. Venture"?
Omg yes!
Don't forget, AM radios can operate without power. Turning on via the radio wave, then, instead of transmitting a pass code, turns on a small speaker/earpiece, to listen to the broadcast.
Last few vids have made me a billionaire
Cheers guys
LMAO
babak and deviant are sick names
I love how they say that an esp8266 costs $80. It's like a 2 dollar device.
0,74 € on aliexpress... maybe he wanted to say "80 cents" instead of "80 bucks"? but this thing looks like a really nice toy for all sorts of projects, didn't know that this stuff got THAT cheap, definitely on my wishlist now!
Fun fact; you don't need a $300 gizmo and a laptop to read and write data to RFID tags. Some phones with NFC (especially the Nexus line) are capable of doing this from an app and don't require rooting. The tough trick to pull off at the moment is making the phone broadcast the card code so you don't need to write the data to a tag, you just read a tag and then use your phone to emulate the card.
Two things.
1) I am a little disappointed Ollam didn't show off the RFID implant he has in his hand. It's like real life freakin magic.
2) RFID is used in a variety of playing cards (specifically casinos and televised poker tournaments) to be able to see what cards players have without having to have a table cam show what cards a player is holding.
You two 100% need to go to Defcon with these guys!
The bald guy’s glasses look like they are a cartoon.
If you pick me I'd be thrilled. I've watched your videos since Scam School. I work at a hotel in maintenance and I'd love to show my boss all of our flaws in our systems 😉 Love all the Red Team Alliance and Modern Rogue vids
Never been here this early.... Wassup notification squad
Interesting. I really appreciate you showing pricing in NZD, thanks!
Esp module: $80.
Me: I bought them for $5 and are standing there just turning on the lights :O
The ESP chip is $5 but the ESP Key module that they use has the firmware already loaded, and it has special hardware to automatically strip the wires and connect to them when you shove them into the little slots on the chip.
RFID came to the US a couple years ago. I'm 20 years old born in Germany and I remember them from when I was younger.
It's no longer surprising how easy it is to do this kind of stuff.
love the miles to km conversion popup
"Magnets are behind 99% of penetrations"
-Brian Brushwood (2020, colorized, YouTube)
The best combination of YouTubers I've ever seen
I just went to redteamalliace to look around, opened their web site and only then realized that I just more or less opened a hacker's link, they probably now have access to all my information now
Didn’t expect to see my favorite ramen shop’s tshirt on YouTube
Lmao Deviant Olaf
That's how his name is pronounced tho. He has a video on his channel about it.
The first debit cards and ATM machines, like many other tech, are actually tested in Australia because of our laid back attitude to technology and change. Google devices first tested in Australia.