



Red Team Alliance - RFID and Electronic Physical Access Control System Hacking - DCTLV2025
Name of Training: RFID and Electronic Physical Access Control System Hacking
Trainer(s): Red Team Alliance
Dates: August 11-12, 2025
Time: 8:00 am to 5:00 pm PT
Venue: Las Vegas Convention Center
Cost: $2500
Hardware: $820 (all students in class will be issued and make use of a Proxmark3 RDV4.01 with an array of test RFID credentials and re-writable RFID credentials, an ESPkey and service tools, and our custom RFID Door Simulator and workbench analysis unit. Students who wish to retain this equipment at the end of class may opt to pay this additional equipment fee during registration.)
Course Description:
Practical security is the foundation of any security model. Beyond firewalls and network hardening, government and enterprise alike must consider how security infrastructure safeguards digital, material, and human assets. Physical security is foundational to the ability to resist unauthorized access or malicious threat.
In this training developed by world-renowned access-control expert Babak Javadi, students will be immersed in the mysteries of PACS tokens, RFID credentials, readers, alarm contacts, tamper switches, door controllers, and back-haul protocols that underpin Physical Access Control Systems (PACS) across the globe. The course provides a holistic and detailed view of modern access control and outlines common design limitations that can be exploited. Penetration testers will gain a practical understanding of what PACS looks like in the field, and how to intercept, clone, downgrade, replay, and bypass one's way through the system. Defenders, designers, and directors will come away with best practices and techniques that will resist attacks.
Participation will include hands-on practical experience with tools, exploits, and refined methods for compromising modern Physical Access Control Systems.
Course Outline:
- Fundamentals of Modern PACS Designs
- Sensor Manipulation and Bypass Methods
- Historical and Modern Security Tokens Including
  - Magnetic Stripe
  - 125KHz RFID Technologies including Prox, Indala, ioProx, EM, and others
  - 13.56MHz and NFC RFID Technologies including iCLASS, MIFARE, iCLASS SE, Seos, DESFire, and others
- Understanding and Use of "Magic" RFID Credentials in Cloning Operations
- Integration Challenges of Biometric Authentication
- Practical Instruction, Understanding, and Use of the Proxmark3 RFID Research and Attack Tool
- Reader Weaponization and Extended-Range RFID Cloning
- Tech Downgrade Attacks: Techniques for Identifying Vulnerable System Configurations of Seos and DESFire EV1/EV2
- Principal Methods of Operation of Door Controllers, Control Panels, and their Associated Weaknesses
- Deploying Denial of Service Attacks
- Wiegand Protocol Sniffing, Interception, and Replay
- RFID and Access Control Attacks Using the FlipperZero Platform and Accessories
Difficulty Level:
Beginning to Intermediate
Suggested Prerequisites:
Should be comfortable with using a command-line interface for the Proxmark tool.
What Students Should Bring:
Ideally, all participants should have a laptop capable of running Windows 10 or Windows 11 natively (not in a VM) with local admin rights. The laptop should not be running in restricted "S Mode" for Windows. While it is possible to install and run the class software on macOS or Linux (it is open source software with a GitHub repo), we must stress that *no official support will be provided during class for these alternate platforms*, so anyone opting to bring a MacBook or Linux machine must be 100% confident in their ability to clone a repo, compile from source, and troubleshoot any unexpected problems or edge cases.
If a student has their own Proxmark or FlipperZero that is fine, and we're happy to get these devices updated with the latest firmware and modifications, but classroom units of these and other tools and hardware will be available to all students. If students have RFID credentials which they are particularly interested in exploring, they may also bring those for analysis at the end of class.
Trainer(s) Bio:
Babak Javadi is the President and Founder of The CORE Group, and one of the original co-founding Directors of TOOOL, The Open Organisation of Lockpickers. As a keystone member of the security industry, he is a well-recognized expert in professional circles and the hacker community. Babak's expertise extends to a wide range of security disciplines ranging from high security mechanical cylinders to alarm systems & physical access control systems. Over the past fifteen years Babak has presented and provided trainings to a wide range of commercial and government agencies, including Black Hat, The SANS Institute, the USMA at West Point, and more.
Bryan Black is a seasoned physical security professional and esteemed assessment specialist with a comprehensive expertise spanning various facets of site security. His areas of specialization encompass video surveillance, intrusion detection/prevention, access control, network infrastructure, and penetration testing. With an illustrious track record of over a decade, he has collaborated closely with local and state law enforcement, federal and intelligence agencies, as well as prominent private sector corporations. Through these partnerships, he has been instrumental in advising clients and businesses on navigating the constantly evolving threat landscape. He is frequently acknowledged for his discerning critique of prevailing installations and practices within the industry. During his leisure hours, he leverages his engineering background and personal maker space to engage in product development. His endeavors encompass the meticulous design and refinement of innovative tools and procedures aimed at optimizing the efficiency and efficacy of both red and blue team engagement protocols.
While paying the bills as a physical penetration specialist with The CORE Group and the Director of Education for Red Team Alliance, Deviant Ollam also sat on the Board of Directors of the US division of TOOOL -- The Open Organisation Of Lockpickers -- for 14 years... acting as the nonprofit's longest-serving Board Member. His books Practical Lock Picking and Keys to the Kingdom are among Syngress Publishing's best-selling pen testing titles. In addition to being a lockpicker, Deviant is also a SAVTA certified safe technician, a GSA certified safe and vault inspector, member of the International Association of Investigative Locksmiths, a Life Safety and ADA Consultant, and an NFPA Fire Door Inspector. At multiple annual security conferences Deviant started Lockpick Village workshop areas, and he has conducted physical security training sessions for Black Hat, the SANS Institute, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the FBI, the NSA, DARPA, the National Defense University, Los Alamos National Lab, the United States Naval Academy at Annapolis, and the United States Military Academy at West Point.
Registration Terms and Conditions:
Trainings are refundable before July 8, 2025, minus a non-refundable processing fee of $250.
Trainings are non-refundable after July 8, 2025.
Training tickets may be transferred. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions.