Transcription
Sławomir Jasekslawomir.jasek@securing.plslawekjaA 2018 practical guideto hacking NFC/RFIDSlightly edited version of the slightly edited original photo :)https://vimeo.com/267613809Confidence, Kraków, 4.06.2018
Sławomir JasekEnjoy appsec (dev, break, build.) since2003.Pentesting, consultancy, training - web,mobile, embedded.„Smart lockpicking” trainings – HITB, HiP,Deepsec, . www.smartlockpicking.comSignificant part of time for research.
TodayHacking RFID is not as hard as you may think.Most common systems, practical knowledge.UID-based access control.Cracking Mifare Classic.Decoding the data, creating hotel „master”card.Mobile NFC access control.
DisclaimerThese materials are foreducational and researchpurposes only.Do not attempt to break the law!https://giphy.com/gifs/ZikyVyLF7aEaQ
RFID/NFC usageAccess control, hotels, car keys,attendance monitoring, racetiming.Bus, train, ski pass, football,museum tickets.E-wallets, loyalty cards, libraries,laundries.Contactless payments, passports, -eat
Card types, frequencies, .125 kHz („low frequency”)RFIDEM4XX (Unique), HID Prox,Indala, Honeywell, AWID, .13.56MHz („high frequency”)NFCMifare/DESFire, iCLASS, Legic,Calypso, contactless payments, .868MHz (UHF),otherVehicle id,asset tracking.
How to recognize card type? No, by the form not.
RFID implantsPatrick Paumen @vicarious1984, Hardwear.io 2017https://www.youtube.com/watch?v o5FHAm1pgWw
lants-travel-card-in-hand-court-says-nice-try/
Your mobile phone can recognize most HF cards125 kHz („low frequency”)RFIDEM4XX (Unique), HID Prox,Indala, Honeywell, AWID, .13.56MHz („high frequency”)NFCMifare/DESFire, iCLASS, Legic,Calypso, contactless payments, .868MHz (UHF),otherVehicle id,asset tracking.
ACCESS CONTROL:CARD UID
What is stored on card?125 kHz („low frequency”)RFIDUIDEM41XX(„Unique”)UIDHID Prox II,Indala.13.56MHz („high frequency”)NFCUIDMifare
What’s stored on the card?The simplest cards store just individual ID 3-10 bytes (most often 4).Read-onlyFreely accessible to readReader checks for registered ID.UID valid?UID
The UIDSecurity: UID is set in factoryand cannot be altered. Onlyvendor knows how to make atag.Guess what happened next?
Special tags – allow to change UID (starting at 0.30)125 kHz („low frequency”)RFIDUIDT5577UID13.56MHz („high frequency”)NFCUID„MAGICUID”ANY UIDANY UIDEM41XX(„Unique”)HID Prox II,Indala.Mifare
RFID card clonerLowFrequencyLow HighFrequency
RFID Cloner in actionhttps://www.youtube.com/watch?v M0Z-kYL5CEU
PN532 libnfcNXP PN531/532/533 – one of most commonHF NFC chips built in various readers, e.g.ACR122u USB ( 50 EUR).Libnfc: open source library exploiting"hidden" raw mode of NXP PN532 - usefulfor emulation, relay, cloning, cracking, .http://nfc-tools.org/index.php/Main Page
PN532 bare modulesThe cheapestones may haveantenna issues
Our „NFC research toolkit”PN532 board UART USBMagic card tags to crackSeveral NFC challengessmartlockpicking.com/nfc-tookit
Place original card on the readerroot@kali: # nfc-listnfc-list uses libnfc 1.7.1NFC device: pn532 uart:/dev/ttyUSB0 opened1 ISO14443A passive target(s) found:ISO/IEC 14443A (106 kbps) target:Card UIDATQA (SENS RES): 00 04UID (NFCID1): 3c 3d f1 0dSAK (SEL RES): 08
Place „Magic” card on the reader, set new UIDroot@kali: # nfc-mfsetuid 3c3df10dNFC reader: pn532 uart:/dev/ttyUSB0 openedSent bits:26 (7 bits)Received bits: 04 00Sent bits:93 20Received bits: 0c 5c ee 0d b3Sent bits:93 70 0c 5c ee 0d b3 5c(.)c2
Banks, offices, apartments, .This will work in morebuildings than youthink.https://giphy.com/gifs/iI6eeGjwScTCM
Detecting magic cards?Magic cards rely on special, nonstandard command to unlock thisfeature.Sent bits:50 00 57 cdSent bits:40 (7 bits)Received bits: a (4 bits)(.)It is possible to detect and discardsuch m
Chinese answer to this problem?Cards with direct write to manufacturer block (nospecial commands needed). Can also be detected.Magic cards with one-time write!7-byte UID? 7-byte magic card!
EMULATE CARD?
High Frequency: Chameleon MiniCan emulatemultiple HF tagsBattery-powered99.96 EURhttp://kasper-oswald.de/gb/chameleonmini/
Chameleon: Chinese optionsStarting at 45 on AliexpressMultiple LEDsChinese manufacturer addedinteresting new features GUI,recently eonMinirebootedGUI
Low Frequency: EM41XXEM4095, starting at 2
ProxmarkOpen-source FPGA hardware software200-300 (depending on vendor)proxmark.org
Proxmark „easy” – cheaper but less stableDeveloped by Elechouse for Chinese market.Fixed antennas, less memory, no external batteryconnector. Generally works, but sometimesproblems with antennas.Elechouse does not make it any more. Currentlyavailable on Aliexpress starting from 75 - byother vendors, impersonating Elechouse
A new, promising player, about /proxmark3-rdv-40
Brute UID? In some cases it makes sense125 kHz („low �)UID13.56MHz („high frequency”)NFCUIDMostly sequential,may be brutedHID Prox II,Indala.MostlyrandomMifare
USING SMARTPHONE?
HF (e.g. Mifare): read UID using mobile phoneAndroid applications:NFC d com.wakdev.wdnfcMifare Classic Tool:https://play.google.com/store/apps/details?id de.syss.MifareClassicTool
HF (e.g Mifare): read UID using mobile phone
How about emulating UID?Not that easy.We can manipulate NFC ControllerInterface, but it requires root.NCIYour phone may emulate cards (e.g.mobile payments), but by design theUID is random.Android OSNFC chipset
Android: NXP NFC chip (e.g. Nexus 5X)Modify /etc/libnfc-nxp.conf (requires root)Put your UID hereNote: it may depend on NFC chip firmware version.
Android Broadcom NFC chip (e.g. Nexus 5)In /etc/libnfc-brcm-20791b05.conf, add to NFA DM START UP CFGLength of UID (e.g.04, 07.)33 04 XX XX XX XXNCI parameterYour UID
DEMOhttps://youtu.be/94u9YSJQpFA
The same with GUI: NFC card ?id com.yuanwofei.cardemulatorRequires root (modifies /etc/libnfc-. files).
NFC card emulator
iPhone (jailbreak required)Custom app, downloadfrom Cydia (3.99 ):http://limneos.net/nfcwriter
DEMOhttps://youtu.be/f3LmvhHwFNc
CLONE FROM APICTURE?
Anyone has such numbers on a tag?
EM tags with printed numbers
Decoding numbersExample numbers on Mifare card:4 bytes of UID0281219940 dec 10 C3 13 64 hex12784484 dec C3 13 64 hex3 bytes of UIDsometimes inversed
EM41XX example tag ID: 3C009141F5Example numberFormatConversion09519605DEZ8Last 6 hex converted to dec (9141F5 hex 09519605 dec)0009519605DEZ10Last 8 hex converted to dec00145.16885DEZ5.5Digits 4-7 hex converted to dec "." last 4 hex converted to dec060.16885DEZ3.5AFirst 2 hex digits "." last 4 converted to dec000.16885DEZ3.5BDigits 3,4 "." last 4 converted to dec145.16885DEZ3.5CDigits 5,6 hex converted to dec "." last 4 hex converted to dec00257707557365IK2 DEZ14 entire hex converted to dec
Possibility to clone UID from esscard
tatus/908578046583635968
BTW, 283915218128896
ICLASS
Protected identity data stored on card125 kHz („low frequency”)RFIDUIDUID13.56MHz („high frequency”)NFCUIDInsecure UIDanyone can read itEM41XX(„Unique”)HID Prox II,Indala.ProtectedUIDMifareiClass
iClass securityiCLASS was specifically designed to make access control more powerful, moreversatile, and more secure. All radio frequency data transmission between the tagand reader is encrypted using a secure algorithm. By using industry standardencryption techniques, iCLASS reduces the risk of compromised data or duplicatedtags. For even higher security, the tag data may also be protected with DES ortriple-DES resource files/iclass tag ds en.pdf
The access key is stored in readerOnly valid readercan access thedata stored oncardProtectedUID
The same key stored in every readerIs there any problem?„Break a single readeronce and enter anywhere”Milosch Meriac, 2010
The hack: readout protection bypassMilosch Meriac, Henryk Plotz ity.pdfhttps://www.youtube.com/watch?v mZNSYw9oH4Y
The iClass leaked keyNot the exact form of key needed,also just the first key (allows only toclone data) to decode cleartext datayou need second 3935876870144
Introducing iClass SE, Seos, mobile accesshttp://www.emacs.es/downloads/WP/20140723 iCLASS Seos Card Whitepaper EXTERNAL v1.0.pdf
By the way.Want to learn more about readoutprotection?Come visit our booth (near chill zone), I willshow you how to bypass it on STM32 (oneof the most common IoT microcontrollers).Today at 15.15, tomorrow at 12:35.
WIEGAND
Typical architectureaWIEGAND
3 wires – black, green, whiteGNDDATA0DATA1
Transmitting 1’s and 0’sDATA0 (GREEN)5V0VDATA1 (WHITE)5V0V„0”„1”
Card data transmitted: most common ocol/24-wiegand-converter
Typical architectureaSometimessecured, or hardto clone a cardMost commonlyWIEGANDcleartext bitsExternal wall reader, quiteoften easy to detach
Wiegand sniffers: BLEKey
Install covertly in the reader, control from mobile apphttp://www.blekeyrfid.com
ESP32 - wifiRFID-Tool, -RFID-ToolVery similar, ESPKey:https://github.com/octosavvi/ESPKey
RFID TOOLhttps://www.youtube.com/watch?v 0o8r ufRrFo
Best practices?Tamper protection in readers.Multiple layers of security - intrusion detection,monitoring, behavioral analysis, .OSDP (Open Supervised Device Protocol) – AESencryption, wire monitoring.
ACCESS TO CARD DATA
What is stored on card: additional data?125 kHz („low frequency”)RFIDUIDUIDJust UID, no dataEM41XX(„Unique”)HID Prox II,Indala.13.56MHz („high frequency”)NFCUIDOther carddataMifare
Mifare UltralightVery common e.g. in ticketing(especially for single ticket) and hotelsystems.First Ultralight cards: nocryptographic security, just write lockprotections.
Android mobile ils?id com.samsung.sprc.fileselector
Android mobile applicationChoose „READ” andplace the tagScanned content
Android mobile app - writeThis trick works in lots of hotels!Special „magic” card needed tochange also UID (first sectors).Only a few cards support „directwrite” – possible to use withAndroid.
Ultralight EV1, CUltralight: no securityUltralight EV1– Simple password (option)– ECC authenticity check - possible to clone using specialtagsUltralight C: 3DES
Mifare ClassicThe MIFARE Classic family is the most widely usedcontactless smart card ICs operating in the 13.56 MHzfrequency range with read/write ds/2015/03/MIFARE Classic EV1.pdfCity cards, access control, student id, memberships,internal payment, tourist card, ski pass, hotels, .
It’s everywhere.
Mifare classic data structureSector 4 blocks of 16 bytes.Last block of a sector: 2 different keys (e.g. forseparate read/write) access rights for the keysSector 0Block 0 – READ ONLY UIDBlock 1Block 2KeyA access rights KeyBSector 1Block 4Block 5Block 6KeyA access rights KeyB
Lot’s of cards use simple keysFFFFFFFFFFFF (default key)A0A1A2A3A4A5D3F7D3F7D3F7000000000000.
Using Android mobile app?Mifare Classic Tool – free, opensourceNote: you need NXP NFC chipset(most current olhttps://play.google.com/store/apps/details?id de.syss.MifareClassicTool
The dumpedcontent
Mifare Classic cracking processTry default, leakedh keysFew secondsHave allkeys?YESHOORAY!
Mifare Classic cracking processTry default, leakedh keysHave allkeys?YESFew secondsNO?HOORAY!
Mifare Classic cracking processTry default, leakedh keysHave allkeys?YESFew secondsNOHave atleast onekey?YESnestedHOORAY!
What if we could not brute the key?„Nested” attack - exploits weakness inRNG and auth to other sector basedon previous auth.Required at least one key to any sector.Technical details (2008):http://www.cs.ru.nl/ r 0Key: FFFFFFFFSector 1Key: unknownSector 2Key: unknownSector 3Key: unknownSector 4Key: unknown.
How to exploit it?PN532 libnfc MFOC by Nethembahttps://github.com/nfc-tools/mfocCan take several minutes. Come find outyourself – it is one of our challenges!
Using proxmark?5 seconds(about 2s/key)
Mifare Classic cracking processTry default, leakedh keysFew secondsHave atleast onekey?NOHave allkeys?YESYESnestedfew secfew minHOORAY!
Mifare Classic cracking processTry default, leakedh keysFew secondsHave atleast onekey?NOHave allkeys?YESYESnestedfew secfew minNO?HOORAY!
But what if all the keys are unknown?„Darkside” attack, Nicolas T. Courtois –side channel. Tech details (2009):https://eprint.iacr.org/2009/137.pdfLibnfc: MFCUK by Andrei Costinhttps://github.com/nfc-tools/mfcukPN532 may take 30 minutes for one key.Having one key - proceed with „nested”.Sector 0Key: unknownSector 1Key: unknownSector 2Key: unknownSector 3Key: unknownSector 4Key: unknown.
Mifare Classic cracking processTry default, leakedh keys30 secFew secondsHave atleas
Open-source FPGA hardware software 200-300 (depending on vendor) proxmark.org. Proxmark „easy” –cheaper but less stable Developed by Elechouse for Chinese market. Fixed antennas, less memory, no external battery connector. Generally works, but sometimes problems with antennas. Elechouse does not make it any more. Currently available on Aliexpress starting from 75 - by other