SiRFIDaL - Simple RFID authentication for Linux

Hey everybody,

Some of you might recall that I made a bunch of scripts a while ago to log in with RFID and NFC chips, based solely on the UID. Well, just to let you know, I used the long Easter weekend to do a much-needed code cleanup - and I added a few functionalities too.

I’ve renamed the project SiRFIDaL - Simple RFID authentication for Linux. It’s not a terribly clever name, but then I’m not a very imaginative guy. At least it says what it does. Also, nobody else was using it :slight_smile:

You’ll find everything here:

It now features a secure authentication server, and client applications to do various things.

The server supports:

  • PC/SC readers
  • Serial (RS232 and CPC) readers
  • Keyboard wedges
  • NFC-enabled Android devices (cellphones) as external readers

The client applications included are:

  • User administration tool - to add and remove users - kind of like adduser / deluser but for RFID chips
  • PAM module - to do console and X login with your chip
  • Automated screensaver locker / unlocker
  • Autotyper - to send custom strings to predefined windows when you scan your chip, like entering your Thunderbird or Firefox master password automatically for instance
  • A beeper - if your reader doesn’t have one, this will play sounds from your computer instead
  • A small tool to view the scanned UIDs (only works as root, for security reasons)

It still doesn’t have a proper installer, but I’ve cleaned up the documentation considerably. Anything that’s not in the README is in the scripts in the form of comments. The server and utilities should be fairly straightforward to install, and it’s not too difficult to set the parameters in the scripts themselves.

In any case, if you want to give it a spin and you run into difficulties, just ask me :slight_smile:

With those scripts, you don’t ever need to enter a password again in Linux.

16 Likes

Finally picked up an old laptop, it boots to GRUB only currently. Once I figure out how to make it boot from my USB, this will be the first thing I pick up for it!

1 Like

I just added support for NFC-enabled cellphones as an external reader for the server. It’s a bit of a hack if I’m honest, but it works well.

So, even if you don’t have a proper reader, you too can enjoy passwordless authentication under Linux now :slight_smile:

1 Like

Still working on getting Ubuntu running, 14 hours and no luck yet, but once I do I will let you know how I feel about all of your work! Not that you asked for feedback however.

1 Like

Feedback is welcome of course!

3 Likes

I did some Android hacking this afternoon, and I found a way to turn a cellphone into a bona fide persistent NFC reader - that is, a reader that not only reads tags, but also reports continuously whether the transponder is within range. It turns out, Android keeps the connection with the transponder open as long as it’s in the EM field, and I found a simple way to extract that status.

So now, SiRFIDaL can make a cellphone behave exactly like an ACR122! You can conceivably enable the right option to prevent it from sleeping when it’s connected to USB, put it face down on your table and use it as a regular reader - including leaving an NFC card on it to keep your session open, and closing the session by taking the card out.

It doesn’t require root, nor does it even require installing anything: the server simply does the trick in the background over USB. I’m mighty proud of that one :slight_smile:

8 Likes

Ok… That’s pretty damn cool, and gives me a possibly amazing idea (though I’m not caffeinated yet so… debatable).

For the bookcase door I’m gonna set up, if I use one or more shelves for random tech stuff (which was already the plan), I could have an old phone “charging”, and wave the chip over it to open the lock without having to have a reader showing anywhere or worry about something embedded in the wood being too far to get a consistent read, while nothing looks out of the ordinary…

4 Likes

Well that was my intention - reuse old cellphones that would normally go to the landfill as NFC readers. It has to be connected to USB, so it don’t matter if it can’t hold a charge, and the reader is usually at the back, so it doesn’t matter if it has a broken screen neither. Busted phones make great NFC readers.

You can certainly use one to do what you describe. The only bit you’d need is an interface and a piece of code to actuate the lock.

3 Likes

Checked out this road and then some a while back. If you guys want to lose your shit a little, check out this guy’s stuff

6 Likes

Yes I’ve played quite a lot with code from him. In fact, one of my first cracks at the “cellphone as NFC reader” idea involved vsmartcard, which is a brilliant idea that was sadly left somewhat unfinished. Ultimately I decided to roll my own, as the whole scheme involving vsmartcard was way too Rube Goldberg.

2 Likes

If anyone is interested, I added a keyboard wedge emulator: now you can “type” UIDs into any console or window as if they came from a keyboard, with any type of reader - PC/SC, serial, another keyboard wedge or a cellphone.

Even if your reader is already a keyboard wedge, you might be interested if you’re not in the US, because the SiRFIDaL emulator takes local keyboard layouts into account. By default, it always generates the right keystrokes to adapt to different keyboard layouts. So essentially, you can use SiRFIDaL to localize your US-layout-only keyboard wedge.

2 Likes

I saw this the other day, and thought it was a little gimmicky, but would work for your project/product.
I had a few ideas, but for this thread, you could take the dongle and simply plug it in OR connect to USB header internally.
It comes in LF OR HF options, both can have a “barcode” scanner also.
So scan implant then scan QR code, on wallet card or wall, underside desk.
Hillbilly 2FA.

#Aliexpress NZ$ 91.50 10%OFF | Long Range RFID Chip Reader USB Interface Proximity 125Khz 13.56MHz ID IC Smart Card NFC Blue-tooth Reader Android Mobile Phone
https://a.aliexpress.com/_d8cNWYZ
Like I said, gimmicky, but a neat little reader I thought I would share here.
I can move to Anti-derailment thread if you want…

2 Likes

Nice one. I especially like the fact that it’s not BLE: I’ve never had anything but problems with BLE devices - particularly the long connect time for devices that are supposed to work instantly, like smartlocks.

As for using a QR code scanner to login, well, SiRFIDaL can do that as long as your device is a HID device. It doesn’t really know whether it’s reading off of an RFID reader, a keyboard or something else: all it knows is that it gets keyboard scancodes.

As a matter of fact, I use a USB 2D barcode scanner at work as a third authentication factor to log into my development box, for shits and giggles. So, I need to enter my password, scan my implant on the ACR122U and scan a barcode to log in. My barcode authentication happens to be the barcode on a Coke bottle hiding in plain sight right next to the computer. I’d say it’s pretty secure, even without using challenge/response :slight_smile:

2 Likes
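The two posts above describe HID devices (keyboard wedges, barcode scanners) as sources of keyboard scancodes, and explain why the host keyboard layout matters. The sketch below is an added example, not code from SiRFIDaL: it decodes raw Linux `input_event` records into the scanned string and shows the same key codes read through a US and a French AZERTY map. The 64-bit little-endian record layout, the function names and the UID `04a1b2c3` are assumptions made for the example.

```python
import struct

# Assumed layout: struct input_event on 64-bit little-endian Linux (24 bytes)
EVENT = struct.Struct("<qqHHi")  # tv_sec, tv_usec, type, code, value
EV_KEY, KEY_ENTER, SHIFT_KEYS = 1, 28, (42, 54)

# Key codes from linux/input-event-codes.h, as a US layout interprets them
US_KEYMAP = {2: "1", 3: "2", 4: "3", 5: "4", 6: "5", 7: "6", 8: "7", 9: "8",
             10: "9", 11: "0", 30: "a", 48: "b", 46: "c", 32: "d", 18: "e",
             33: "f"}
# The same physical keys on a French AZERTY layout (only the keys used below)
AZERTY_KEYMAP = {**US_KEYMAP, 2: "&", 3: "é", 4: '"', 5: "'", 11: "à", 30: "q"}


def decode_wedge(raw, keymap=US_KEYMAP):
    """Return the strings a wedge 'typed', one per Enter-terminated scan."""
    scans, current, shift = [], [], False
    for off in range(0, len(raw) - EVENT.size + 1, EVENT.size):
        _sec, _usec, etype, code, value = EVENT.unpack_from(raw, off)
        if etype != EV_KEY:
            continue  # skip EV_SYN and other non-key records
        if code in SHIFT_KEYS:
            shift = value != 0  # track shift state across press/release
        elif value != 1:
            continue  # ignore key releases (0) and autorepeat (2)
        elif code == KEY_ENTER:
            scans.append("".join(current))
            current = []
        else:
            ch = keymap.get(code, "?")  # unmapped key: keep a visible marker
            current.append(ch.upper() if shift else ch)  # simplified shift
    return scans  # an unterminated partial scan is deliberately dropped


def make_events(codes):
    """Constructed sample input: press and release of each key, with EV_SYN."""
    out = b""
    for code in codes:
        for value in (1, 0):
            out += EVENT.pack(0, 0, EV_KEY, code, value)
            out += EVENT.pack(0, 0, 0, 0, 0)  # EV_SYN / SYN_REPORT
    return out


# Constructed scan: made-up UID "04a1b2c3" followed by Enter
SAMPLE = make_events([11, 5, 30, 2, 48, 3, 46, 4, KEY_ENTER])

if __name__ == "__main__":
    print(decode_wedge(SAMPLE))                 # ['04a1b2c3']
    print(decode_wedge(SAMPLE, AZERTY_KEYMAP))  # ['à\'q&béc"']
```

A wedge that always emits US-layout key codes yields a different string on a host set to another layout, so a UID enrolled under one layout will not match a scan taken under another.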

I don’t suppose you have access to a Mac and would be interested in making SiRFIDaM? Apple is killing me on this!

1 Like

I don’t. But MacOS is Unix, and there are very few Linux-specific things in SiRFIDaL, despite the name.

The server uses PCSClite and the Python binding for it if you want to use a PC/SC reader, and adb if you want to use a cellphone as a reader. Those things have been ported to MacOS as far as I can tell. The PAM module relies on pam_exec, and that too exists in MacOS (which uses OpenPAM instead of Linux-PAM). The user admin tool is straight POSIX, and so is the getuids diagnostic tool.

So the core system - server, PAM module, useradm and getuids tools - should be fairly straightforward to get going.

As for the other utilities:

  • The autotyper is an X11 utility. I’m not sure MacOS supports X11 calls out of the box.
  • The beeper uses PortAudio, which has been ported to MacOS.
  • The screensaver locker/unlocker is straight POSIX, but designed to work with Gnome and derivatives. If you’re lucky and you find similar screensaver control commands in MacOS, it’ll work.
  • The keyboard wedge emulator is the only bit that’s truly Linux-specific: it uses the UInput mechanism, which is only found in the Linux kernel. So that won’t work for sure.

All the SiRFIDaL components are written in Python3. So testing if a component works is only a matter of installing Python3, installing the relevant modules listed in the script in the “import” lines, fixing up the file paths for MacOS in the parameters, and seeing if it runs. No compilation required or anything. Each component is self-contained in a single file, for simplicity of installation: plop the files somewhere you want and run them.

So you could easily give it a shot yourself. Have a look at the headers and the parameters sections in the scripts: it’s documented and fairly clean.

3 Likes

I’ll try and get to it during this lockdown, thanks! Will report back here if I have any findings.

1 Like

Don’t suppose you ordered one of these and will be reporting back on how the read performance is with implants?

Wishful thinking I’m sure :stuck_out_tongue: it’s very tempting to me for PAT testing, lots of barcodes to scan to keep up with Test and Tag laws!

3 Likes

I didn’t, and I probably won’t for the foreseeable future, because I have zero need for a wireless reader at the moment. Unless there’s a very specific use case for it - which I’ve yet to encounter - I can’t see what problem a wireless reader solves that a wired reader doesn’t. And since I try to stay away from battery-powered devices whenever possible, I probably won’t order one just as a fun toy either.

That’s fair, but @Pilgrimsmaster seems like the sort of person who might :wink:

I possibly should have tagged them to be clearer but it was more directed there haha

1 Like

I saw the notification, all good

I was going to, I still might, I will let everybody know if I do.
My DT KBR1 reader has never worked properly, I was going to permanently wire it into my laptop, but no point since it doesn’t work.
This product would do the same job, but I wouldn’t bother wiring the dongle internally, because I have space for a replacement KBR1, but I thought the dongle size might be a good option for people with super thin laptops to consider.
Also I like the dual functionality with the scanner option.
If it was a dual frequency reader, I would have grabbed one
Long story short.
No I didn’t, but I might…
:grinning:

3 Likes