RFID Cooking with Mifare Classic
This article was contributed by MI1.
RFID Cooking with Mifare Classic
DISCLAIMER: The information and reference implementation is provided:
- For informational use only as part of academic or research study, especially in the field of informational security, cryptography and secure systems
- As-is without any warranty, support or liability - any damages or consequences obtained as a result of consulting this information if purely on the side of the reader
- NOT to be used in illegal circumstances (for example to abuse, hack or trick a system which the reader does not have specific authorizations to such as ticketing systems, public transport, University/ISIC cards, building access systems or whatsoever systems using Mifare Classic as core technology)
- This article contain no original research. All the research and implementation was made by other people and communities and is publicly available. We made this two cents just for fun and because we love BackTrack.
- This is not A-Z guide so try harder!
0x00 - Preface
Some of you may have read that the proprietary symmetric key cryptographic algorithm of the MIFARE Classic card has been broken. The MIFARE Classic card is used in physical access control systems (PACS) and contact less payment systems (including tollway and public transportation systems). By some estimates, there are 500 million MIFARE cards deployed worldwide, and the majority of them are MIFARE Classic cards.
Mifare Classic is a inexpensive, entry-level chip, based on ISO/IEC 14443 Type A, 1kB or 4kB. Uses 13.56 Mhz contactless smartcard standard, proprietary CRYPTO1 with 48 bits keys. There is no protection against cloning or modifications. Anyone with 50 € reader can use this weakness against your infrastructure. At least one sector is always encrypted with default key. After cracking all keys, hackers are able to change name, students university number, expiration date... This cookbook is proof of concept how easy that can be done. Chosen ingredients: Backtrack | Touchatag starter package Tested on: BackTrack 4 R2, BackTrack 5 Final, (32bit)
root@bt:~# apt-get install flex libpcsclite-dev libusb-dev checkinstall
0x01 - Hardware
Touchatag - ACR122U
Touchatag is ACS ACR122(U) NFC Reader USB RFID reader. The USB reader works at 13.56MHz (High Frequency RFID) and has a readout distance of about 4 cm (1 inch) when used with the Touchatag RFID tags. This product is made by Advanced Card Systems Limited and seems to be available in different layouts but hardware doesn't differ so much. They are all using a PN532 NFC Controller chip and a ST7 microcontroler unit.
0x02 - Software
root@bt:~# wget http://www.acs.com.hk/drivers/eng/ACR122U_driver_Lnx_Mac10.5_10.6_1.02_P.zip root@bt:~# unzip -d acr122u ACR122U_driver_Lnx_Mac10.5_10.6_1.02_P.zip root@bt:~# cd acr122u root@bt:~# tar -jxvf acsccid-1.0.2.tar.bz2 root@bt:~# cd acsccid-1.0.2 root@bt:~# ./configure root@bt:~# make root@bt:~# checkinstall -D -y --install
Open Source Near Field Communication (NFC) Library /LIBNFC/
Libnfc is the first free NFC SDK and Programmers API released under the GNU Lesser General Public License.
root@bt:~# apt-get install -y debhelper libtool && wget http://libnfc.googlecode.com/files/libnfc-1.4.2.tar.gz root@bt:~# tar xfvz libnfc-1.4.2.tar.gz &&cd libnfc-1.4.2 root@bt:~# svn checkout http://libnfc.googlecode.com/svn/tags/libnfc-1.4.2/debian root@bt:~# dpkg-buildpackage -rfakeroot root@bt:~# dpkg -i ../libnfc*.deb
Check your reader / target with nfc-list.
root@bt:~# nfc-list nfc-list use libnfc 1.4.2 (r891) Connected to NFC device: ACS ACR122U 00 00 / ACR122U103 - PN532 v1.6 (0x07) 1 ISO14443A passive target(s) was found: ATQA(SENS_RES):00 02 UID (NFCID1): xx xx xx xx SAK (SEL_RES): 18
If your reader is rejected because of the firmware (log message: „Firmware (x.y) is bogus!“) just disable version checking. All you need to do is change ifdDriverOptions (line 55 in Info.plist) to skip version checking like this:
root@bt:~# nano /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist
Afterwards, restart the pcscd daemon and your Touchatag reader should be recognized and ready.
MFOC -Mifare Classic Offline Cracker
Mifare Classic Offline Cracker is a tool that can recover keys from Mifare Classic cards. Thanks to Norbert Szetei and Pavol Luptak for their attack's implementation. MFOC is utility to compute (crack) all keys (A and B) to all sectors, providing at least one of the keys is already known. Keys file is the file, where mfoc will store cracked keys. Format of that file is compatible with nfc-mfclassic, so you can then use it to dump the card into file, or write a dump onto the card.
root@bt:~# wget http://nfc-tools.googlecode.com/files/mfoc-0.10.2.tar.gz && tar -xvzf mfoc-0.10.2.tar.gz root@bt:~# cd mfoc-0.10.2 root@bt:~# autoreconf -vis root@bt:~# ./configure root@bt:~# make root@bt:~# checkinstall -D -y --install
0x03 - Dumping & Cooking
psscd coordinates the loading of drivers for card readers. It allows applications to access smart cards and readers without knowing details of the card or reader. It is a resource manager that coordinates communications with smart card readers and smart cards and cryptographic tokens that are connected to the system. I prefer start pcscd in foreground (no daemon) with pcscd -f. Then it's time to start mfoc. Use high number of probes, because default number of probes for a key recovery for one sector is 20. Whole cracking could take from 30 minutes to 30 hours.
You can also use the -k key parameter, to add a key to the list of known keys, which is being tried against your card in the initial phase. The -k option somehow didn't work for me, so I always compile my known keys directly into mfoc.c Search for “Array with default Mifare Classic keys” Not sure about other countries, but in country where I live keys are the same. Once you have keys from all sectors, you should be able to use RFID-Fu against other cards, which is epic fail.
root@bt:~# nfc-mfclassic --help Usage: nfc-mfclassic r|w a|b <dump.mfd> [<keys.mfd>] r|w - Perform read from (r) or write to (w) card a|b - Use A or B keys for action <dump.mfd> - MiFare Dump (MFD) used to write (card to MFD) or (MFD to card) <keys.mfd> - MiFare Dump (MFD) that contain the keys (optional) Or: nfc-mfclassic x <dump.mfd> <payload.bin> x - Extract payload (data blocks) from MFD <dump.mfd> - MiFare Dump (MFD) that contains wanted payload <payload.bin> - Binary file where payload will be extracted
Keep in mind that card UID will be not affected (not changed) with this process. Buy some blank card or Proxmark III if that is what you want. If you are now thinking about dumping your electronic wallet right after recharge and when credit comes to zero, writing content back, then please don't do it. What can stop you from doing that? Well, probably only your conscience, but if the card gets blocked in 24 hours after first use then don't complain. Yes, there are online checking and billing systems out there for basic cards.
0x04 – ISIC Issue
With ISIC- International Student Identity Card attacker can abuse around ten service not only one. ISIC cards are widely used for entrance, transportation, dining payments and various others services or discounts. According to homepage there are 4.5 million cardholders in 120 countries. Cards should be replaced with more secure types ASAP. It is possible to do much more than that, but sufficient for demonstration let's play a little...
At some universities, there is only one entry security check – ISIC. As you can see this is trivial to bypass. We did many tests with public transportation systems and with university systems. Results are all the same – those systems are easily hackable.
0x06 – Conclusion
Finally, when will people learn their lesson? Cryptographic algorithms should be public so that they can be scrutinized and tested. Secret algorithms aren’t more valuable because they are secret. Anyone needing a highly secure smart card should make sure there's layered security and not just depend on the chip's encryption.
0x07 – What's next?
- Since i have access to Proxmark III which is universal RFID hacking tool which can be used for 100% accurate cloning (even UID), i may once write second edition about c00king with Mifare Classic and HID Prox...
- Arming BackTrack with GSM attack suite?
0x08 – Thanks
This cookbook was made with great help from h4f guys, many thanks to Vulcano and Back.
0x09 – References & Links
For further reading about this topic please see following:
- http://www.cs.virginia.edu/~kn5f/pdf/K.Nohl.PhD Implementable.Privacy.for.RFID.Systems.pdf
0x0A - About
MI1 is a "full time security enthusiast" with university degree in the field of informatics. Recently focusing his passion to USRP and RFID stuff.