Mifare Cracking

Cracking Mifare Classic. Decoding the data, creating hotel „master” card. Mobile NFC access control. Disclaimer These materials are for educational and research. The NFC tag I analyzed is a so called “Mifare Classic 1k” tag. 1k stands for the size of data the tag can store. There are also other types like the “Mifare Classic 4k” and the “Mifare Mini” each having a different memory size. It can also be used for cracking Mifare Classic keys. The Proxmark is the tool behind all major RFID Security Research breakthroughs: Mifare Classic Crypto cracking, Mifare PRNG analysis, VingCard exploitation & defeat to name a few. Feb 01, 2019 MFOC – MiFare classic Offline Cracker The easiest and most basic tool to use against MIFARE tags, is MFOC. It tries different keys against a MIFARE tags. Once MFOC finds a correct key the tool can “guess” the other keys and dump the memory of the tag.

Overview

Why?
MIFARE Classic?
MIFARE Ultralight?
Reading and capturing contents of the card
About this manufacturer block (Sector 0 – Block 0)
The UID thing that messes with my head
Writing a 4Byte dump on a different card

Why?

The MIFARE NFC card is used in many environments. I got a trash card, a card that I have to use to open the underground trash bin, that I want to clone. As the replacement costs for a lost / broken card is €10 a clone would be a good investment.

By holding the card in front of the reader, I can open the trashcan, ohw happy days.

In my search for information, I found the following pages interesting:

http://www.proxmark.org/forum/viewtopic.php?id=1535
http://www.shopnfc.it/en/content/7-nfc-device-compatibility
http://publications.icaria.de/mct/releases/2.0/
http://www.scnf.org.uk/smartstore/4-7_B_ID_Questions_Answeres_V8.pdf
http://cache.nxp.com/documents/data_sheet/MF1S70YYX_V1.pdf?pspll=1
https://learn.adafruit.com/adafruit-pn532-rfid-nfc/mifare
http://www.nxp.com/documents/data_sheet/MF0ICU1.pdf (Ultralight / 7Byte UID)
https://www.kismetwireless.net/code-old/svn/hardware/kisbee-02/firmware/drivers/rf/pn532/helpers/
http://stackoverflow.com/questions/21700718/serials-on-nfc-tags-truly-unique-cloneable
http://stackoverflow.com/questions/28409934/editing-functionality-of-host-card-emulation-in-android
https://store.ryscc.com/products/new-proxmark3-kit

MIFARE Classic?

Some informational dumps:

16 bits CRC per block
Anticollision loop
1kB or 4kB of EEPROM
CRYPTO1 strem cipher (mjah, closetozerosecurity)
Manufacturer / data / value blocks

MIFARE Ultralight?

MiFare Ultralight cards typically contain 512 bits (64 bytes) of memory, including 4 bytes (32-bits) of OTP (One Time Programmable) memory where the individual bits can be written but not erased.

MiFare Ultralight cards have a 7-byte UID that uniquely identifies the card.

Reading and capturing contents of the card

After some investigation I noticed that my Samsung mobile phone has a NFC reader.
I used the https://github.com/ikarus23/MifareClassicTool on my Samsung S6, the the result was a bit disappointing:

After some googling, I found that the hardware chip, used to read NFC tags, was just not on my S6.
But it showed that it was on an old S3, that I had laying around, it just worked like a charm on my Samsung Galaxy S3 with Android 6:

On a Samsung S3

In order to read the contents of the card, the MIFARE card can be red easily.

Use the supplied key sets and start mapping and read tag

Detailed information about every sector on the card (if any data would be present except the UID)

So the only interesting information is in Sector: 0, also called the manufacturer block.
I also noticed that the UID was 7Byte, making it a MIFARE Ultralight card grrrrrrr…

About this manufacturer block (Sector 0 – Block 0)

This part of the card is the only interesting part, as no other data is written to any sector/block as far as I can see.
In order to understand the difference between a 4Byte and 7Byte UID (i.e. MIFARE Classic vs MIFARE Utralight), I have added some pictures:

A more detailed picture explains some more information is included after the serial number on block 0:

A more detailed picture of the 7byte UID:

The UID thing that messes with my head

As you could see on my tag info, the UID on my trash card is 7 byte, so it works a bit different than the 4 byte one.

The different types of UID are explained as follows:

ISO/IEC 14443 Type A defines a Unique IDentifer to be used for card selection and activation. The standard defines single, double and triple size UIDs which correspondingly consist of 4, 7 and 10 Byte.

What is the difference between a 4 Byte UID and a 4 Byte ID?

A 4 byte UID is an identifier which has been assigned by the card manufacturer using a controlled database. This database ensures that a
single identifier is not used twice. In contradiction, a 4 byte ID is an identifier which may be assigned to more then one contactless chip over the production time of a product so that more then one card with the same identified may be deployed into one particular contactless system.

Writing a 4Byte dump on a different card

As it is just cool to write a cards dump back, I have found a 4Byte UID MIFARE Classic 1kB card.

Content of Sector: 0

Ebay has a solution for everyting. UID writable MIFARE Classic cards. These cards make it possible to write Sector 0 – block 0 (i.e. the manufacturer block).

Write tag and enable writing to manufacturer block

Click start mapping and write dump

Compare the two tags, only the SAK is different, I hope that will still work in a real live situation

Original card

Hacking MIFARE & RFID

As we start this series, you won’t find anything that hasn’t already been discussed before. This is not a new topic, but rather my own vision of the many different things that’ve been done concerning RFID. Other Proof of Concepts (PoCs) I’ve read were not so thorough, this is my attempt at being more thorough so others have a better understanding.

The main goal

The goal here is to cover the process of cloning and editing RFID tags. MIFARE Classic ones especially, which are still widely used nowadays despite the many hacks found throughout the last few years. This is not intended to teach you all about RFID, NFC, and MIFARE hacking. So, before we jump in let’s learn some basics.

RFID, NFC & MIFARE : The Basics

Radio Frequency Identification (RFID), is a technology that uses electromagnetic fields to automatically identify and/or track “tags” that contain electronically stored information. Some tags are passive, therefore they are activated by the electromagnetic fields generated by nearby readers. Some tags are active and require a local power source, such as a battery. They are capable of operating hundreds of meters from the closest RFID reader. The use of RFID always implies three things:

a tag
a reader
an antenna (ranging from Low to High and Ultra High frequencies)

Near Field Communication (NFC), is a set of communication protocols. These protocols enable two electronic devices to trade information within 4 centimeters (~2 inches) of each other. NFC operates within the same range of frequencies of RFID. NFC was created as a new way of communicating with other RFID tags.

NFCs main purpose was to break out of the standard tag/reader “read-only” pattern. This is to allow both devices to become reader, antenna, and tag.

Mifare Cracking Tool

MIFARE, is a trademark for a series of chips widely used in contactless smart cards and proximity cards. It is often incorrectly used as a synonym of RFID. MIFARE is owned by NXP semiconductors which was previously known as Philips Electronics.

The reason behind this misuse is simple. MIFARE chips represent approximately 80% of the RFID passive tags in the world.

Think of MIFARE as being the most used type of RFID tags. NFC is simply a newer technology to interact with the first two. With that little bit of knowledge, let’s focus on MIFARE. The MIFARE family is split into subcategories which can be briefly describe here:

MIFARE Classic 1K/4K: basically just a memory storage device. This memory, either 1024 or 4096 bytes, is divided into sectors and blocks. Most of the time used for regular access badges and has reaaally simple security mechanisms for access control
MIFARE Ultralight: a 64 bytes version of MIFARE Classic. It’s low costs make it widely used as disposable tickets for events or transportation.
MIFARE Plus: announced as a replacement of MIFARE Classic. The Plus subfamily brings the new level of security up to 128-bit AES encryption.
MIFARE DESFire: those tags come pre-programmed with a general purpose DESFire operating system which offers a simple directory structure and files, and are the type of MIFARE offering the highest security levels.

Where my research comes in…

In 2018, my employer started handing out U-KEYs to be used to load funds onto and buy coffee and snacks from different vending machines around the building. With this being 2019, contactless payment is becoming more common with your credit cards/smartphones. These technologies have gone through rigorous testing to ensure users data is securure and so far it’s pretty solid, but what about these little keys?

Turns out with a little bit of research, those keys are simply MIFARE Classic 1K and the associated security mechanisms are actually quite simple. But how simple?

Breaking down MIFARE Classic tag structure

This classic tag structure is a whopping 1,024 bytes in size. Those 1,024 bytes are split into 16 sectors (0 to 15) which are each split into 4 blocks (0 to 3). That’s 16 bytes on each row (Figure 1.1). When we get into modifying data our focus will be a certain byte of data in the 7th byte of the 2nd block of the sector 13.

Every sector has a common structure: 3 blocks of data, and 1 “access control” block. The access control blocks contain Key A, Key B, and the Access Bits. See (Figure 1.2) The A & B keys can be standard (as in the most commonly used) or unique and set by the tag owner, and the access bits determine the rights on each sectors (read, write, both or none).

Moving forward, the only different sector will be sector 0, block 0. This one does not have an access control block but rather a manufacturer block instead. This is where the tag’s manufacturers can store an unique ID (UID) and information like the date of creation. The Manufacturer block is a Read-Only block. Manufacturers do not want end users to modify their data (Figure 1.3).

Knowing how memory is stored, how can it be read? And more importantly, how can it be modified? When we present the tag to a reader, the reader sends a POR (PowerOn Reset). This will get our tag out of its “sleep” passive mode. If the sent request is standard, the tag and the reader will start to communicate and share an encrypted session key. (Figure 2.1)

Cracking Mifare Ultralight

These operations on a tag are quite simple, visible in Figure 2.1:

Mifare Cracking Windows

AUTHENTICATE
READ/WRITE/DECREMENT/INCREMENT – always sent in encrypted session.
TRANSFER – writes the result of one of the previous operations to non-volatile memory.
RESTORE – prepares the current value of blocks to be over-written.

Moving on from here, you might have a few questions. Some that come to mind are:

How strong is this encrypted session?
Is that encryption crackable?
Does the tag have any way of checking the modification requests sent from a legitimate reader?
Can we spoof those requests to modify it with our own data?

Check out the next article if you want your answers. =D