WIXLIB

Sławomir Jasekslawomir.jasek@securing.plslawekjaA 2018 practical guideto hacking NFC/RFIDSlightly edited version of the slightly edited original photo :)https://vimeo.com/267613809Confidence, Kraków, 4.06.2018

Sławomir JasekEnjoy appsec (dev, break, build.) since2003.Pentesting, consultancy, training - web,mobile, embedded.„Smart lockpicking” trainings – HITB, HiP,Deepsec, . www.smartlockpicking.comSignificant part of time for research.

TodayHacking RFID is not as hard as you may think.Most common systems, practical knowledge.UID-based access control.Cracking Mifare Classic.Decoding the data, creating hotel „master”card.Mobile NFC access control.

DisclaimerThese materials are foreducational and researchpurposes only.Do not attempt to break the law!https://giphy.com/gifs/ZikyVyLF7aEaQ

RFID/NFC usageAccess control, hotels, car keys,attendance monitoring, racetiming.Bus, train, ski pass, football,museum tickets.E-wallets, loyalty cards, libraries,laundries.Contactless payments, passports, -eat

Card types, frequencies, .125 kHz („low frequency”)RFIDEM4XX (Unique), HID Prox,Indala, Honeywell, AWID, .13.56MHz („high frequency”)NFCMifare/DESFire, iCLASS, Legic,Calypso, contactless payments, .868MHz (UHF),otherVehicle id,asset tracking.

How to recognize card type? No, by the form not.

RFID implantsPatrick Paumen @vicarious1984, Hardwear.io 2017https://www.youtube.com/watch?v o5FHAm1pgWw

lants-travel-card-in-hand-court-says-nice-try/

Your mobile phone can recognize most HF cards125 kHz („low frequency”)RFIDEM4XX (Unique), HID Prox,Indala, Honeywell, AWID, .13.56MHz („high frequency”)NFCMifare/DESFire, iCLASS, Legic,Calypso, contactless payments, .868MHz (UHF),otherVehicle id,asset tracking.

ACCESS CONTROL:CARD UID

What is stored on card?125 kHz („low frequency”)RFIDUIDEM41XX(„Unique”)UIDHID Prox II,Indala.13.56MHz („high frequency”)NFCUIDMifare

What’s stored on the card?The simplest cards store just individual ID 3-10 bytes (most often 4).Read-onlyFreely accessible to readReader checks for registered ID.UID valid?UID

The UIDSecurity: UID is set in factoryand cannot be altered. Onlyvendor knows how to make atag.Guess what happened next?

Special tags – allow to change UID (starting at 0.30)125 kHz („low frequency”)RFIDUIDT5577UID13.56MHz („high frequency”)NFCUID„MAGICUID”ANY UIDANY UIDEM41XX(„Unique”)HID Prox II,Indala.Mifare

RFID card clonerLowFrequencyLow HighFrequency

RFID Cloner in actionhttps://www.youtube.com/watch?v M0Z-kYL5CEU

PN532 libnfcNXP PN531/532/533 – one of most commonHF NFC chips built in various readers, e.g.ACR122u USB ( 50 EUR).Libnfc: open source library exploiting"hidden" raw mode of NXP PN532 - usefulfor emulation, relay, cloning, cracking, .http://nfc-tools.org/index.php/Main Page

PN532 bare modulesThe cheapestones may haveantenna issues

Our „NFC research toolkit”PN532 board UART USBMagic card tags to crackSeveral NFC challengessmartlockpicking.com/nfc-tookit

Place original card on the readerroot@kali: # nfc-listnfc-list uses libnfc 1.7.1NFC device: pn532 uart:/dev/ttyUSB0 opened1 ISO14443A passive target(s) found:ISO/IEC 14443A (106 kbps) target:Card UIDATQA (SENS RES): 00 04UID (NFCID1): 3c 3d f1 0dSAK (SEL RES): 08

Place „Magic” card on the reader, set new UIDroot@kali: # nfc-mfsetuid 3c3df10dNFC reader: pn532 uart:/dev/ttyUSB0 openedSent bits:26 (7 bits)Received bits: 04 00Sent bits:93 20Received bits: 0c 5c ee 0d b3Sent bits:93 70 0c 5c ee 0d b3 5c(.)c2

Banks, offices, apartments, .This will work in morebuildings than youthink.https://giphy.com/gifs/iI6eeGjwScTCM

Detecting magic cards?Magic cards rely on special, nonstandard command to unlock thisfeature.Sent bits:50 00 57 cdSent bits:40 (7 bits)Received bits: a (4 bits)(.)It is possible to detect and discardsuch m

Chinese answer to this problem?Cards with direct write to manufacturer block (nospecial commands needed). Can also be detected.Magic cards with one-time write!7-byte UID? 7-byte magic card!

EMULATE CARD?

High Frequency: Chameleon MiniCan emulatemultiple HF tagsBattery-powered99.96 EURhttp://kasper-oswald.de/gb/chameleonmini/

Chameleon: Chinese optionsStarting at 45 on AliexpressMultiple LEDsChinese manufacturer addedinteresting new features GUI,recently eonMinirebootedGUI

Low Frequency: EM41XXEM4095, starting at 2

ProxmarkOpen-source FPGA hardware software200-300 (depending on vendor)proxmark.org

Proxmark „easy” – cheaper but less stableDeveloped by Elechouse for Chinese market.Fixed antennas, less memory, no external batteryconnector. Generally works, but sometimesproblems with antennas.Elechouse does not make it any more. Currentlyavailable on Aliexpress starting from 75 - byother vendors, impersonating Elechouse

A new, promising player, about /proxmark3-rdv-40

Brute UID? In some cases it makes sense125 kHz („low �)UID13.56MHz („high frequency”)NFCUIDMostly sequential,may be brutedHID Prox II,Indala.MostlyrandomMifare

USING SMARTPHONE?

HF (e.g. Mifare): read UID using mobile phoneAndroid applications:NFC d com.wakdev.wdnfcMifare Classic Tool:https://play.google.com/store/apps/details?id de.syss.MifareClassicTool

HF (e.g Mifare): read UID using mobile phone

How about emulating UID?Not that easy.We can manipulate NFC ControllerInterface, but it requires root.NCIYour phone may emulate cards (e.g.mobile payments), but by design theUID is random.Android OSNFC chipset

Android: NXP NFC chip (e.g. Nexus 5X)Modify /etc/libnfc-nxp.conf (requires root)Put your UID hereNote: it may depend on NFC chip firmware version.

Android Broadcom NFC chip (e.g. Nexus 5)In /etc/libnfc-brcm-20791b05.conf, add to NFA DM START UP CFGLength of UID (e.g.04, 07.)33 04 XX XX XX XXNCI parameterYour UID

DEMOhttps://youtu.be/94u9YSJQpFA

The same with GUI: NFC card ?id com.yuanwofei.cardemulatorRequires root (modifies /etc/libnfc-. files).

NFC card emulator

iPhone (jailbreak required)Custom app, downloadfrom Cydia (3.99 ):http://limneos.net/nfcwriter

DEMOhttps://youtu.be/f3LmvhHwFNc

CLONE FROM APICTURE?

Anyone has such numbers on a tag?

EM tags with printed numbers

Decoding numbersExample numbers on Mifare card:4 bytes of UID0281219940 dec 10 C3 13 64 hex12784484 dec C3 13 64 hex3 bytes of UIDsometimes inversed

EM41XX example tag ID: 3C009141F5Example numberFormatConversion09519605DEZ8Last 6 hex converted to dec (9141F5 hex 09519605 dec)0009519605DEZ10Last 8 hex converted to dec00145.16885DEZ5.5Digits 4-7 hex converted to dec "." last 4 hex converted to dec060.16885DEZ3.5AFirst 2 hex digits "." last 4 converted to dec000.16885DEZ3.5BDigits 3,4 "." last 4 converted to dec145.16885DEZ3.5CDigits 5,6 hex converted to dec "." last 4 hex converted to dec00257707557365IK2 DEZ14 entire hex converted to dec

Possibility to clone UID from esscard

tatus/908578046583635968

BTW, 283915218128896

ICLASS

Protected identity data stored on card125 kHz („low frequency”)RFIDUIDUID13.56MHz („high frequency”)NFCUIDInsecure UIDanyone can read itEM41XX(„Unique”)HID Prox II,Indala.ProtectedUIDMifareiClass

iClass securityiCLASS was specifically designed to make access control more powerful, moreversatile, and more secure. All radio frequency data transmission between the tagand reader is encrypted using a secure algorithm. By using industry standardencryption techniques, iCLASS reduces the risk of compromised data or duplicatedtags. For even higher security, the tag data may also be protected with DES ortriple-DES resource files/iclass tag ds en.pdf

The access key is stored in readerOnly valid readercan access thedata stored oncardProtectedUID

The same key stored in every readerIs there any problem?„Break a single readeronce and enter anywhere”Milosch Meriac, 2010

The hack: readout protection bypassMilosch Meriac, Henryk Plotz ity.pdfhttps://www.youtube.com/watch?v mZNSYw9oH4Y

The iClass leaked keyNot the exact form of key needed,also just the first key (allows only toclone data) to decode cleartext datayou need second 3935876870144

Introducing iClass SE, Seos, mobile accesshttp://www.emacs.es/downloads/WP/20140723 iCLASS Seos Card Whitepaper EXTERNAL v1.0.pdf

By the way.Want to learn more about readoutprotection?Come visit our booth (near chill zone), I willshow you how to bypass it on STM32 (oneof the most common IoT microcontrollers).Today at 15.15, tomorrow at 12:35.

WIEGAND

Typical architectureaWIEGAND

3 wires – black, green, whiteGNDDATA0DATA1

Transmitting 1’s and 0’sDATA0 (GREEN)5V0VDATA1 (WHITE)5V0V„0”„1”

Card data transmitted: most common ocol/24-wiegand-converter

Typical architectureaSometimessecured, or hardto clone a cardMost commonlyWIEGANDcleartext bitsExternal wall reader, quiteoften easy to detach

Wiegand sniffers: BLEKey

Install covertly in the reader, control from mobile apphttp://www.blekeyrfid.com

ESP32 - wifiRFID-Tool, -RFID-ToolVery similar, ESPKey:https://github.com/octosavvi/ESPKey

RFID TOOLhttps://www.youtube.com/watch?v 0o8r ufRrFo

Best practices?Tamper protection in readers.Multiple layers of security - intrusion detection,monitoring, behavioral analysis, .OSDP (Open Supervised Device Protocol) – AESencryption, wire monitoring.

ACCESS TO CARD DATA

What is stored on card: additional data?125 kHz („low frequency”)RFIDUIDUIDJust UID, no dataEM41XX(„Unique”)HID Prox II,Indala.13.56MHz („high frequency”)NFCUIDOther carddataMifare

Mifare UltralightVery common e.g. in ticketing(especially for single ticket) and hotelsystems.First Ultralight cards: nocryptographic security, just write lockprotections.

Android mobile ils?id com.samsung.sprc.fileselector

Android mobile applicationChoose „READ” andplace the tagScanned content

Android mobile app - writeThis trick works in lots of hotels!Special „magic” card needed tochange also UID (first sectors).Only a few cards support „directwrite” – possible to use withAndroid.

Ultralight EV1, CUltralight: no securityUltralight EV1– Simple password (option)– ECC authenticity check - possible to clone using specialtagsUltralight C: 3DES

Mifare ClassicThe MIFARE Classic family is the most widely usedcontactless smart card ICs operating in the 13.56 MHzfrequency range with read/write ds/2015/03/MIFARE Classic EV1.pdfCity cards, access control, student id, memberships,internal payment, tourist card, ski pass, hotels, .

It’s everywhere.

Mifare classic data structureSector 4 blocks of 16 bytes.Last block of a sector: 2 different keys (e.g. forseparate read/write) access rights for the keysSector 0Block 0 – READ ONLY UIDBlock 1Block 2KeyA access rights KeyBSector 1Block 4Block 5Block 6KeyA access rights KeyB

Lot’s of cards use simple keysFFFFFFFFFFFF (default key)A0A1A2A3A4A5D3F7D3F7D3F7000000000000.

Using Android mobile app?Mifare Classic Tool – free, opensourceNote: you need NXP NFC chipset(most current olhttps://play.google.com/store/apps/details?id de.syss.MifareClassicTool

The dumpedcontent

Mifare Classic cracking processTry default, leakedh keysFew secondsHave allkeys?YESHOORAY!

Mifare Classic cracking processTry default, leakedh keysHave allkeys?YESFew secondsNO?HOORAY!

Mifare Classic cracking processTry default, leakedh keysHave allkeys?YESFew secondsNOHave atleast onekey?YESnestedHOORAY!

What if we could not brute the key?„Nested” attack - exploits weakness inRNG and auth to other sector basedon previous auth.Required at least one key to any sector.Technical details (2008):http://www.cs.ru.nl/ r 0Key: FFFFFFFFSector 1Key: unknownSector 2Key: unknownSector 3Key: unknownSector 4Key: unknown.

How to exploit it?PN532 libnfc MFOC by Nethembahttps://github.com/nfc-tools/mfocCan take several minutes. Come find outyourself – it is one of our challenges!

Using proxmark?5 seconds(about 2s/key)

Mifare Classic cracking processTry default, leakedh keysFew secondsHave atleast onekey?NOHave allkeys?YESYESnestedfew secfew minHOORAY!

Mifare Classic cracking processTry default, leakedh keysFew secondsHave atleast onekey?NOHave allkeys?YESYESnestedfew secfew minNO?HOORAY!