Cloning a MIFARE Classic 1k
Mathieu Bridon - https://mathieu.daitauha.fr
You will need writable NFC tags compatible with MIFARE Classic 1k. Make sure their sector 0 is writable. I used those (just the tags).
1. Try dumping the tag
Place the original on the reader, then try dumping it:
The above command might return an error like:
That means your original doesn't use the default keys used by `mfoc`. If that's the case, then follow along with step 2. Instead, if you didn't get an error then congratulations, your tag is even less secure than you thought, and the `original.dmp` file is a full dump of your original tag. Proceed directly to step 3.
2. Try cracking the keys
With the original still on the reader, run the following command:
It might take a while (on my laptop it took around 30 minutes), but eventually the command will finish.
The output should say something like the following:
This means `mfcuk` succeeded in cracking the encryption. In the above example, the secret key is 1234567890AB. Note the one you obtained for your tag. In the rest of this page, I will refer to the key as ${KEY}.
Armed with the secret key, try again dumping the tag (this is essentially the same as the first step, but specifying the key):
This might again take some time (on my laptop it took around 1h40), but when the command eventually finishes, you should see the following (among other things):
At this point, the `original.dmp` file is a full dump of your original tag.
3. Dump the new, empty tag
This seems to be necessary to make the new tag writable.
Replace the original tag with the new one on the reader, then run the following:
4. Write to the new tag
You can now copy the dump of the original onto the new tag:
Once this finishes, your new tag should be an exact copy of the original one. Congratulations, you're done. Go and try your new tag.
You might get the following error:
This means sector 0 of your new tag is not writable. You'll need to use another tag.
Hacking MIFARE & RFID
As we start this series, you won’t find anything that hasn’t already been discussed before. This is not a new topic, but rather my own vision of the many different things that have been done concerning RFID. Other Proofs of Concept (PoCs) I’ve read were not so thorough; this is my attempt at being more thorough so others have a better understanding.
The main goal
The goal here is to cover the process of cloning and editing RFID tags, MIFARE Classic ones especially, which are still widely used nowadays despite the many hacks found throughout the last few years. This is not intended to teach you all about RFID, NFC, and MIFARE hacking. So, before we jump in, let’s learn some basics.
RFID, NFC & MIFARE : The Basics
Radio Frequency Identification (RFID) is a technology that uses electromagnetic fields to automatically identify and/or track “tags” that contain electronically stored information. Some tags are passive and are activated by the electromagnetic fields generated by nearby readers. Other tags are active and require a local power source, such as a battery; they are capable of operating hundreds of meters from the closest RFID reader. The use of RFID always implies three things:
- a tag
- a reader
- an antenna (ranging from Low to High and Ultra High frequencies)
Near Field Communication (NFC) is a set of communication protocols. These protocols enable two electronic devices to trade information within 4 centimeters (~2 inches) of each other. NFC operates within the same range of frequencies as RFID. NFC was created as a new way of communicating with other RFID tags.
NFC’s main purpose was to break out of the standard tag/reader “read-only” pattern, allowing both devices to act as reader, antenna, and tag.
MIFARE is a trademark for a series of chips widely used in contactless smart cards and proximity cards. It is often incorrectly used as a synonym for RFID. MIFARE is owned by NXP Semiconductors, which was previously known as Philips Electronics.
The reason behind this misuse is simple. MIFARE chips represent approximately 80% of the RFID passive tags in the world.
Think of MIFARE as the most used type of RFID tag. NFC is simply a newer technology to interact with the first two. With that little bit of knowledge, let’s focus on MIFARE. The MIFARE family is split into subcategories, which can be briefly described here:
- MIFARE Classic 1K/4K: basically just a memory storage device. This memory, either 1024 or 4096 bytes, is divided into sectors and blocks. Most of the time it is used for regular access badges and has really simple security mechanisms for access control.
- MIFARE Ultralight: a 64-byte version of MIFARE Classic. Its low cost makes it widely used for disposable tickets for events or transportation.
- MIFARE Plus: announced as a replacement for MIFARE Classic. The Plus subfamily brings the security level up to 128-bit AES encryption.
- MIFARE DESFire: these tags come pre-programmed with a general-purpose DESFire operating system, which offers a simple directory structure and files; they are the MIFARE type offering the highest security levels.
Where my research comes in…
In 2018, my employer started handing out U-KEYs to be used to load funds onto and buy coffee and snacks from different vending machines around the building. With this being 2019, contactless payment is becoming more common with credit cards and smartphones. These technologies have gone through rigorous testing to ensure users’ data is secure, and so far it’s pretty solid, but what about these little keys?
It turns out, with a little bit of research, that those keys are simply MIFARE Classic 1K tags and the associated security mechanisms are actually quite simple. But how simple?
Breaking down MIFARE Classic tag structure
This classic tag structure is a whopping 1,024 bytes in size. Those 1,024 bytes are split into 16 sectors (0 to 15), each of which is split into 4 blocks (0 to 3). That’s 16 bytes on each row (Figure 1.1). When we get into modifying data, our focus will be a certain byte of data: the 7th byte of the 2nd block of sector 13.
Every sector has a common structure: 3 blocks of data and 1 “access control” block. The access control block contains Key A, Key B, and the Access Bits (see Figure 1.2). The A and B keys can be standard (as in the most commonly used) or unique and set by the tag owner, and the access bits determine the rights on each sector (read, write, both or none).
Moving forward, the only different sector will be sector 0, block 0. This one does not have an access control block but rather a manufacturer block instead. This is where the tag’s manufacturer can store a unique ID (UID) and information like the date of creation. The manufacturer block is a read-only block: manufacturers do not want end users to modify their data (Figure 1.3).
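The layout just described (16 sectors of 4 blocks, a sector trailer holding Key A, the access bits and Key B, and a read-only manufacturer block in sector 0) is easy to audit offline once you have a dump of your own badge. The following Python is an added example, not code from either article: it parses a 1,024-byte MIFARE Classic 1K dump, decodes the access bits together with their inverted redundancy copy, flags sectors still protected by well-known default keys, flags trailers whose Key B is readable with Key A (so Key B adds no protection), and checks that the manufacturer block's BCC byte matches the 4-byte UID. The dump bytes, the UID `DEADBEEF` and the non-default keys in sector 13 are constructed for the example; the two default keys listed are publicly documented (the factory transport key and the MIFARE Application Directory key A).

```python
# Added example: offline audit of a MIFARE Classic 1K dump.
# Layout per the article: 16 sectors x 4 blocks x 16 bytes = 1024 bytes.
# Sector trailer (block 3): bytes 0-5 Key A, 6-8 access bits, 9 GPB, 10-15 Key B.

SECTORS, BLOCKS_PER_SECTOR, BLOCK_SIZE = 16, 4, 16
DUMP_SIZE = SECTORS * BLOCKS_PER_SECTOR * BLOCK_SIZE  # 1024

# Publicly documented default keys (factory transport key, MAD key A).
DEFAULT_KEYS = {
    bytes.fromhex("FFFFFFFFFFFF"): "factory transport key",
    bytes.fromhex("A0A1A2A3A4A5"): "MAD key A",
}

# Trailer access conditions (C1, C2, C3) under which Key B can be read with Key A.
KEY_B_READABLE = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}


def decode_access_bits(trailer):
    """Return ({block: (c1, c2, c3)}, consistent) for a 16-byte sector trailer.

    Bytes 6-8 hold C1/C2/C3 for blocks 0-3 twice, once inverted; a mismatch
    means a corrupted trailer (the chip will refuse access to the sector).
    """
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    inv_c1, inv_c2, inv_c3 = b6 & 0xF, (b6 >> 4) & 0xF, b7 & 0xF
    consistent = (c1 ^ inv_c1) == 0xF and (c2 ^ inv_c2) == 0xF and (c3 ^ inv_c3) == 0xF
    bits = {blk: ((c1 >> blk) & 1, (c2 >> blk) & 1, (c3 >> blk) & 1) for blk in range(4)}
    return bits, consistent


def uid_of(dump):
    """4-byte UID from the manufacturer block (sector 0, block 0), as hex."""
    return dump[0:4].hex().upper()


def bcc_ok(dump):
    """Byte 4 of the manufacturer block is the XOR of the 4 UID bytes."""
    return dump[4] == dump[0] ^ dump[1] ^ dump[2] ^ dump[3]


def audit_dump(dump):
    """Return a list of (sector, finding) tuples a badge owner would want to see."""
    if len(dump) != DUMP_SIZE:
        raise ValueError(f"expected {DUMP_SIZE} bytes, got {len(dump)}")
    findings = []
    for s in range(SECTORS):
        base = s * BLOCKS_PER_SECTOR * BLOCK_SIZE
        trailer = dump[base + 3 * BLOCK_SIZE: base + 4 * BLOCK_SIZE]
        key_a, key_b = trailer[0:6], trailer[10:16]
        bits, consistent = decode_access_bits(trailer)
        if not consistent:
            findings.append((s, "access bits fail redundancy check"))
        for name, key in (("Key A", key_a), ("Key B", key_b)):
            if key in DEFAULT_KEYS:
                findings.append((s, f"{name} is a default key ({DEFAULT_KEYS[key]})"))
        if bits[3] in KEY_B_READABLE:
            findings.append((s, "Key B readable with Key A, adds no protection"))
        for blk in range(3):
            if s == 0 and blk == 0:
                continue  # manufacturer block: read-only in hardware
            if bits[blk] == (0, 0, 0):
                findings.append((s, f"block {blk} writable with either key (transport config)"))
    return findings


def build_sample_dump():
    """Constructed 1K dump: factory trailers everywhere except sector 13."""
    transport_trailer = bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")
    custom_trailer = bytes.fromhex("A1B2C3D4E5F6" "78778869" "0F1E2D3C4B5A")
    manufacturer = bytes.fromhex("DEADBEEF" "22") + bytes(11)  # constructed UID + BCC
    blocks = []
    for s in range(SECTORS):
        for blk in range(BLOCKS_PER_SECTOR):
            if s == 0 and blk == 0:
                blocks.append(manufacturer)
            elif blk == 3:
                blocks.append(custom_trailer if s == 13 else transport_trailer)
            else:
                blocks.append(bytes(BLOCK_SIZE))
    return b"".join(blocks)


if __name__ == "__main__":
    sample = build_sample_dump()
    print("UID", uid_of(sample), "BCC ok" if bcc_ok(sample) else "BCC mismatch")
    for sector, finding in audit_dump(sample):
        print(f"sector {sector:2d}: {finding}")
```

On the constructed dump, sector 13 (access bytes 78 77 88, data blocks writable only with Key B, Key B never readable) produces no findings, while every other sector is reported for factory keys, readable Key B and freely writable data blocks. Run it against a dump of a badge you own to see how much of the tag still sits in transport configuration.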
Knowing how memory is stored, how can it be read? And more importantly, how can it be modified? When we present the tag to a reader, the reader sends a POR (Power-On Reset). This gets our tag out of its “sleep” passive mode. If the request sent is standard, the tag and the reader will start to communicate and share an encrypted session key (Figure 2.1).
These operations on a tag are quite simple, visible in Figure 2.1:
- AUTHENTICATE
- READ/WRITE/DECREMENT/INCREMENT – always sent in encrypted session.
- TRANSFER – writes the result of one of the previous operations to non-volatile memory.
- RESTORE – prepares the current value of a block to be overwritten.
Moving on from here, you might have a few questions. Some that come to mind are:
- How strong is this encrypted session?
- Is that encryption crackable?
- Does the tag have any way of checking the modification requests sent from a legitimate reader?
- Can we spoof those requests to modify it with our own data?
Check out the next article if you want your answers. =D