Hacking MIFARE & RFID
As we start this series, you won't find anything that hasn't already been discussed before. This is not a new topic, but rather my own take on the many different things that have been done concerning RFID. Other proofs of concept (PoCs) I've read were not very thorough; this is my attempt at being more thorough so that others get a better understanding.
The main goal
The goal here is to cover the process of cloning and editing RFID tags, especially MIFARE Classic ones, which are still widely deployed today despite the attacks published against them over the last decade. This is not intended to teach you everything about RFID, NFC and MIFARE hacking. So, before we jump in, let's learn some basics.
RFID, NFC & MIFARE : The Basics
Radio Frequency Identification (RFID) is a technology that uses electromagnetic fields to automatically identify and/or track "tags" that contain electronically stored information. Passive tags have no power source of their own and are energised by the field of a nearby reader. Active tags carry a local power source, such as a battery, and can operate hundreds of metres from the closest reader. An RFID deployment always involves three things:
- a tag
- a reader
- an antenna on each side, tuned to the band the system uses: low frequency (125/134 kHz), high frequency (13.56 MHz) or ultra-high frequency (860–960 MHz)
Near Field Communication (NFC) is a set of communication protocols that let two devices exchange data within about 4 centimetres (~2 inches) of each other. NFC operates at 13.56 MHz, the high-frequency RFID band, and was designed to be compatible with the ISO/IEC 14443 proximity cards already in the field, MIFARE among them.
NFC's main purpose was to break out of the one-way tag/reader pattern: an NFC device can act as a reader (reader/writer mode), present itself as a tag (card emulation), or talk directly to another NFC device (peer-to-peer).
MIFARE is a trademark for a series of chips widely used in contactless smart cards and proximity cards. It is often, and incorrectly, used as a synonym for RFID. MIFARE is owned by NXP Semiconductors, formerly Philips Semiconductors, which was spun out of Philips in 2006.
The reason for the confusion is simple: MIFARE chips account for an estimated 80% of the passive RFID tags in use.
Think of MIFARE as the dominant family of HF RFID tags, and of NFC as the newer technology for talking to them. One practical caveat: MIFARE Classic runs a proprietary protocol on top of ISO/IEC 14443 Type A, so only NFC readers whose controller implements it (NXP's do; some phone chipsets do not) can read a Classic card beyond its UID. With that much background, let's focus on MIFARE. The family is split into subcategories that can be briefly described as follows:
- MIFARE Classic 1K/4K: essentially a memory card. Its 1024 or 4096 bytes are divided into sectors and blocks, and each sector is protected by its own pair of 48-bit keys using NXP's proprietary Crypto1 stream cipher. Most often used for ordinary access badges; its security mechanisms are really simple, and Crypto1 has been publicly broken since 2008.
- MIFARE Ultralight: a 64-byte tag (16 pages of 4 bytes) with no authentication at all, only lock bits and a one-time-programmable area. Its low cost makes it popular for disposable event and transport tickets.
- MIFARE Plus: announced as the drop-in replacement for Classic. It supports 128-bit AES, but it ships in Security Level 1, where it still behaves like a Classic card (Crypto1) for backward compatibility; the AES protection only applies once the card has been migrated to Security Level 3.
- MIFARE DESFire: these tags come pre-programmed with a general-purpose DESFire operating system that offers applications, a simple directory structure and files with per-file access rights, authenticated with 3DES or (from EV1 on) AES. They are the MIFARE type offering the highest security level.
Where my research comes in…
In 2018, my employer started handing out U-KEYs that can be loaded with funds and used to buy coffee and snacks from the vending machines around the building. Now in 2019, contactless payment with credit cards and smartphones is becoming common; those technologies have gone through rigorous testing to keep users' data secure, and so far they hold up pretty well. But what about these little keys?
Turns out with a little bit of research, those keys are simply MIFARE Classic 1K and the associated security mechanisms are actually quite simple. But how simple?
Breaking down MIFARE Classic tag structure
The 1K tag holds a whopping 1,024 bytes, split into 16 sectors (0 to 15) of 4 blocks each (0 to 3). Every block is 16 bytes, one row in Figure 1.1. Each block also has an absolute address from 0 to 63 (sector × 4 + block), which is what the READ and WRITE commands take. When we get into modifying data, our focus will be a single byte: the 7th byte of the 2nd block of sector 13.
Every sector has the same structure: three data blocks and one "access control" block, the sector trailer (block 3). The trailer holds Key A (bytes 0–5), the access bits (bytes 6–8, with byte 9 free for user data) and Key B (bytes 10–15); see Figure 1.2. Key A can never be read back; Key B can be read only if the access bits allow it. Keys are 48 bits and are either left at a well-known default (FFFFFFFFFFFF is the factory value; A0A1A2A3A4A5 and D3F7D3F7D3F7 are other common ones) or set by the tag owner. The access bits define, per block, which key (A, B, either or none) may read, write, increment and decrement it, and who may change the keys and access bits themselves.
The one exception is block 0 of sector 0, the manufacturer block (sector 0 still has its own trailer in block 3). It holds the 4-byte UID, a check byte (BCC, the XOR of the four UID bytes), the SAK and ATQA values and manufacturer data such as the production date. On genuine NXP silicon this block is written at the factory and is read-only afterwards: manufacturers do not want end users modifying it (Figure 1.3). The practical caveat is that cheap "magic" clone cards accept writes to block 0, which is exactly what makes cloning a badge by UID possible.
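To make the layout above concrete, here is an added example (my own code, not part of the original article) that walks a 1K dump, decodes each sector trailer and checks the manufacturer block. The access-bit encoding and the two rights tables follow the NXP MIFARE Classic datasheet; the dump itself is constructed inline (UID 04A1B2C3, a factory trailer everywhere except sector 13, which gets keys A0A1A2A3A4A5 / B0B1B2B3B4B5 and the access bytes 78 77 88) and is not a read of a real tag.

```python
"""Added example (not from the original article): walk a MIFARE Classic 1K dump.

Layout from the text: 16 sectors x 4 blocks x 16 bytes = 1024 bytes; block 3 of each
sector is the trailer (Key A | access bits | Key B); block 0 of sector 0 is the
manufacturer block. The access-bit encoding and rights tables follow the NXP datasheet.
The dump built by build_sample_dump() is constructed, not read from a real tag.
"""
SECTORS, BLOCKS, BLOCK_LEN = 16, 4, 16

# Data-block rights for (C1, C2, C3): (read, write, increment, decrement/transfer/restore)
DATA_RIGHTS = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),        # transport configuration
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),            # typical value block
    (0, 0, 1): ("A|B", "never", "never", "A|B"),
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}
# Trailer rights for (C1, C2, C3):
# (write Key A, read access bits, write access bits, read Key B, write Key B).
# Key A is never readable, so it has no read column.
TRAILER_RIGHTS = {
    (0, 0, 0): ("A", "A", "never", "A", "A"),
    (0, 1, 0): ("never", "A", "never", "A", "never"),
    (1, 0, 0): ("B", "A|B", "never", "never", "B"),
    (1, 1, 0): ("never", "A|B", "never", "never", "never"),
    (0, 0, 1): ("A", "A", "A", "A", "A"),           # transport configuration
    (0, 1, 1): ("B", "A|B", "B", "never", "B"),
    (1, 0, 1): ("never", "A|B", "B", "never", "never"),
    (1, 1, 1): ("never", "A|B", "never", "never", "never"),
}


def block_index(sector: int, block: int) -> int:
    """Absolute block address (0..63) as used by the READ/WRITE commands."""
    return sector * BLOCKS + block


def read_block(dump: bytes, sector: int, block: int) -> bytes:
    start = block_index(sector, block) * BLOCK_LEN
    return dump[start:start + BLOCK_LEN]


def decode_access_bits(trailer: bytes) -> list:
    """Return (C1, C2, C3) for blocks 0..3 from trailer bytes 6..8.

    Bytes 6 and 7 carry inverted copies of the bits; a tag with a mismatch
    blocks the whole sector, so the same check is applied here.
    """
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    if (~b6 & 0xF) != c1 or ((~b6 >> 4) & 0xF) != c2 or (~b7 & 0xF) != c3:
        raise ValueError("inverted access bits do not match: trailer is corrupt")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(BLOCKS)]


def describe_sector(dump: bytes, sector: int) -> dict:
    trailer = read_block(dump, sector, 3)
    conds = decode_access_bits(trailer)
    return {
        "key_a": trailer[:6].hex(),    # reads back as zeros from a real tag
        "key_b": trailer[10:].hex(),   # readable only when the trailer rights allow it
        "blocks": [DATA_RIGHTS[c] for c in conds[:3]],
        "trailer": TRAILER_RIGHTS[conds[3]],
    }


def check_manufacturer_block(dump: bytes) -> tuple:
    """Return (uid_hex, bcc_ok): byte 4 must be the XOR of the four UID bytes."""
    b = read_block(dump, 0, 0)
    uid = b[:4]
    return uid.hex(), b[4] == (uid[0] ^ uid[1] ^ uid[2] ^ uid[3])


def build_sample_dump() -> bytes:
    """Constructed 1024-byte dump: factory trailers everywhere except sector 13."""
    transport = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
    locked = bytes.fromhex("a0a1a2a3a4a5" "787788" "69" "b0b1b2b3b4b5")
    manufacturer = bytes.fromhex("04a1b2c3" "d4" "08" "0400") + bytes(8)  # UID, BCC, SAK, ATQA
    out = []
    for s in range(SECTORS):
        for b in range(BLOCKS):
            if (s, b) == (0, 0):
                out.append(manufacturer)
            elif b == 3:
                out.append(locked if s == 13 else transport)
            else:
                out.append(bytes(BLOCK_LEN))
    return b"".join(out)


if __name__ == "__main__":
    dump = build_sample_dump()
    print(check_manufacturer_block(dump))
    print(block_index(13, 1), describe_sector(dump, 13))
```

Running it shows sector 13 with data blocks readable by either key but writable only with Key B, and a trailer whose Key B is never readable; the factory sectors stay fully open to either key. A dump taken with a tool that lacks one of the keys will have zeros where that sector's keys and data should be, so check the trailer decode before trusting a dump.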
Knowing how the memory is laid out, how is it read, and more importantly, how is it modified? When the tag enters the reader's field it draws power from it and performs a power-on reset (POR), leaving its idle state. The reader then runs the standard ISO/IEC 14443-3 request, anticollision and select sequence to learn the UID; nothing so far is authenticated. To touch a sector, the reader must authenticate against that sector's Key A or Key B: a three-pass challenge–response (tag nonce, reader nonce plus answer, tag answer) after which both sides run the Crypto1 stream cipher with the same keystream, so every following command and response in that sector is encrypted (Figure 2.1). The key itself never crosses the air; what the two sides "share" is a keystream derived from the key, the UID and both nonces.
The operations on a tag are quite simple, as visible in Figure 2.1:
- AUTHENTICATE – per sector, with Key A or Key B; everything below is sent inside the resulting encrypted session.
- READ/WRITE – read or write one 16-byte block by its absolute address.
- INCREMENT/DECREMENT – add to or subtract from a value block; the result lands in the tag's volatile data register, not in memory.
- TRANSFER – writes the data register to a block, i.e. commits the result of INCREMENT, DECREMENT or RESTORE to non-volatile memory.
- RESTORE – loads a value block into the data register unchanged, typically so it can be TRANSFERred to a backup block.
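The value-block cycle behind INCREMENT, DECREMENT, RESTORE and TRANSFER, as an added example that is not part of the original article. It simulates the tag's data register in Python and encodes value blocks the way the NXP datasheet specifies them (32-bit little-endian value stored plain, inverted and plain again, then an application-chosen address byte stored as addr, ~addr, addr, ~addr). The balance, price and address byte are constructed for the demonstration.

```python
"""Added example (not from the original article): MIFARE Classic value blocks and the
INCREMENT / DECREMENT / RESTORE / TRANSFER cycle, simulated in Python.

Assumed from the NXP datasheet: a value block stores a signed 32-bit little-endian
value three times (plain, inverted, plain) followed by a one-byte address stored as
addr, ~addr, addr, ~addr. Increment/decrement/restore only load the tag's volatile
data register; transfer is what writes the register back to a block.
"""
import struct


def encode_value_block(value: int, addr: int) -> bytes:
    """Build the 16-byte layout the tag expects; addr is a backup-block number chosen by the application."""
    v = struct.pack("<i", value)
    inv = bytes(b ^ 0xFF for b in v)
    return v + inv + v + bytes([addr, addr ^ 0xFF, addr, addr ^ 0xFF])


def decode_value_block(block: bytes) -> tuple:
    """Return (value, addr). Raise ValueError when the redundancy check fails, which is
    the only check the tag performs before INCREMENT, DECREMENT or RESTORE."""
    if len(block) != 16:
        raise ValueError("a block is 16 bytes")
    v, inv, v2, a = block[:4], block[4:8], block[8:12], block[12:]
    if v != v2 or bytes(b ^ 0xFF for b in v) != inv:
        raise ValueError("value copies disagree: not a value block")
    if a[0] != a[2] or a[1] != a[3] or (a[0] ^ 0xFF) != a[1]:
        raise ValueError("address copies disagree: not a value block")
    return struct.unpack("<i", v)[0], a[0]


# The tag's volatile data register is modelled as a (value, addr) tuple.
# It is lost on reset, so nothing changes on the card until TRANSFER runs.
def increment(block: bytes, delta: int) -> tuple:
    value, addr = decode_value_block(block)
    return value + delta, addr


def decrement(block: bytes, delta: int) -> tuple:
    value, addr = decode_value_block(block)
    return value - delta, addr


def restore(block: bytes) -> tuple:
    return decode_value_block(block)          # register := block, no arithmetic


def transfer(register: tuple) -> bytes:
    return encode_value_block(*register)      # register -> 16 bytes written to the target block


def spend(balance_block: bytes, price: int) -> bytes:
    """A vending machine's debit as a reader issues it: DECREMENT, then TRANSFER to the same block."""
    return transfer(decrement(balance_block, price))


def backup(balance_block: bytes) -> bytes:
    """RESTORE then TRANSFER copies a value block to its backup block without changing the value."""
    return transfer(restore(balance_block))


if __name__ == "__main__":
    wallet = encode_value_block(1500, 0x35)   # constructed: 15.00 in cents, backup block 0x35
    after = spend(wallet, 250)
    print(decode_value_block(after))          # (1250, 53)
    # The format check only catches corruption. Anyone holding a key with WRITE rights
    # on the block can WRITE a freshly encoded block carrying any balance they like.
    print(decode_value_block(encode_value_block(999999, 0x35)))
```

The point to take from the last two lines: the redundancy in a value block protects against a torn write, not against an attacker. Whether the balance can be forged therefore comes down entirely to the access bits on that block and to whether the sector key can be recovered, which is exactly where the questions below lead.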
Moving on from here, you might have a few questions. Some that come to mind are:
- How strong is this encrypted session?
- Is that encryption crackable?
- Does the tag have any way of checking the modification requests sent from a legitimate reader?
- Can we spoof those requests to modify it with our own data?
Check out the next article if you want your answers. =D