Last month, the Dutch government issued a warning about the security of access keys based on the ubiquitous MiFare Classic RFID chip. The warning comes on the heels of an ingenious hack, spearheaded by Henryk Plotz, a German researcher, and Karsten Nohl, a doctoral candidate in computer science at the University of Virginia, that demonstrated a way to crack the encryption on the chip.
Millions upon millions of MiFare Classic chips are used worldwide in contexts such as payment cards for public transportation networks throughout Asia, Europe and the U.S. and in building-access passes.
The report asserts that systems employing MiFare will likely be secure for another two years, since hacking the chip seems to be an involved and expensive process. But in a recent report published by Nohl, titled 'Cryptanalysis of Crypto-1,' he presents an attack that recovers secret keys in mere minutes on an average desktop PC.
In December, Nohl and Plotz gave a presentation on MiFare's security vulnerabilities at the 24th Chaos Communications Congress (24C3), the annual four-day conference organized by Germany's notorious hacking collective, the Chaos Computer Club (CCC). Thousands of hackers from far-flung locales converged on Berlin between Christmas and New Year's for a raft of talks and project demonstrations.
In their popular talk at 24C3, punctuated by bursts of raucous applause, Nohl presented an overview of radio frequency identification security vulnerabilities and the process of hacking the MiFare chip's means of encryption, known as the Crypto-1 cipher. 'This is the first public announcement that the Crypto-1 cipher on the MiFare tag is known,' said Nohl in December at the 24C3 talk. 'We will give out further details next year.'
Get out the microscopes
To hack the chip, Nohl and Plotz reverse-engineered the cryptography on the MiFare chip through a painstaking process. They examined the actual MiFare Classic chip in exacting detail using a microscope and the open-source OpenPCD RFID reader and snapped several in-depth photographs of the chip's architecture. The chip is tiny -- about a 1-millimeter-square shred of silicon -- and is composed of several layers.
The researchers sliced off the minuscule layers of the chip and took photos of each layer. There are thousands of tiny blocks on the chip -- about 10,000 in all -- each encoding something such as an AND gate or an OR gate or a flip-flop.
Analyzing all of the blocks on the chip would have taken forever, but there was a shortcut. 'We couldn't actually look at all 10,000 of these small building blocks, so we wanted to categorize them a bit before we started analyzing,' said Nohl at 24C3. 'We observed that there aren't actually 10,000 different ones. They're all taken from a library of cells. There are only about 70 different types of gates; we ended up writing MATLAB scripts that once we select one instance of a gate finds all the other ones.'
To find the cryptographically important regions of the chip, Nohl and Plotz scanned for clues in the blocks: long strings of flip-flops that would implement the register important to the cipher, XOR gates that are virtually never used in control logic, and blocks on the edge of the chip that were sparsely connected to the rest of the chip, but strongly connected to each other.
They then reconstructed the circuit using their data, and from the reconstruction, they read the functionality. It was a painful process, but once it was done, the researchers had decoded the security on the chip, unveiling several vulnerabilities. Among the potential security risks they uncovered was a 16-bit random number generator that was easy to manipulate -- so easy, in fact, that they were able to coax the generator into producing the same 'random' number in every transaction, effectively crippling the security.
Simpler from here on out
A potential attacker wouldn't have to go through all of the steps that Nohl and Plotz had to undertake to hack the RFID chip. A diagram of the Crypto-1 cipher, published in Nohl's recent paper, shows that the heart of the cipher is a 48-bit linear feedback shift register and a filter function. To find bits of the key, an attacker would send challenges to the reader and analyze the first bit of key stream sent back to the reader.
Though there are some tricks to generating these challenges, it is computationally not a terribly expensive, or expansive, procedure. 'The number of challenges needed to recover key bits with high probability varies for different bits, but generally does not exceed a few dozen,' writes Nohl in the paper.
At 24C3, Nohl warned against the increasing ubiquity of RFID tags. 'We need some level of authentication, some security that has yet to be added to many of these applications,' he said. He pointed to the increasing use of RFID tags in public transit systems, car keys, passports, and even World Cup tickets -- and the potential worrying privacy implications of large-scale RFID tagging of products by big retailers such as Wal-Mart Stores Inc.
The gist? If you rely on MiFare Classic security for anything, you may want to start moving to a different system.
This information is intended to help give some pointers about the actual cracking process of cards, so you can load keys to use with Metrodroid.
Please don't file GitHub issues about this. I can't give email support about this process either, or do a crack-by-mail service.
It is not possible to crack a card with just your Android phone, as it does not permit low level access to the NFC hardware.
Mifare Classic is used by many older public transit smartcard systems.
There is a newer revision of the card, Mifare Plus, which can emulate Mifare Classic cards with fewer of the security flaws. Unfortunately, there's not always an easy way to tell what card you have, so at worst you may be out some money. On some of the transit card pages, there may be a way to check based on the appearance of the card -- but these are specific to each agency.
In order to continue, you'll need a Linux computer with a libnfc-compatible NFC device. You'll also need to be familiar with compiling software on Linux, and fetching specific git versions of things.
However, if you're using the proxmark3 you can also run on non-Linux systems.
In order to read Mifare Classic cards with your phone, you'll also need a phone with an NXP NFC chipset. You can verify Mifare Classic support in Metrodroid's about screen. If you don't have support for Mifare Classic, this exercise is pretty much pointless.
However, you can always still sideload card dumps onto your phone or the emulator to read them. But this novelty is not for everyone.
Kit builds
PN532 is the 'cheap, basic and slow' option, which uses the software packages described below.
It's a pain to get the code required built, and it only works on Linux. If your time isn't valuable to you, and you're comfortable patching specific git versions of software, go this way.
Proxmark3 is the 'expensive, powerful and quick' option.
It's easy to get the software built, but it's a significant investment to buy the hardware. If you're interested in more experimentation with RFID technology, buy this device.
I've personally bought all three of these devices, and after buying the Proxmark3 I don't use my PN532 kits much anymore.
I'd recommend trying to build the software before committing to a hardware purchase. Then you will be less frustrated if you've made the 'wrong choice'.
PN532 Adafruit version (57.90 USD)
- 1 x FTDI Serial TTL-232 USB Cable = 17.95 USD
- 1 x PN532 NFC/RFID controller breakout board = 39.95 USD
To assemble, you'll need to solder the headers for the FTDICABLE port of the board. The cable will simply work after that (black wire is ground). There's no need to solder other jumpers for the headers.
You may want to use a cable tie to secure the FTDI cable to the board.
PN532 Dealextreme AU direct version (25.00 USD)
- 1 x DMDG 13.56MHz PN532 On-board Antenna NFC module = 20.58 USD
- 1 x 3.3V ~ 5V USB to TTL FT232RL Module = 4.42 USD
- Jumper wires
- USB Mini-B cable
This also will require some jumper wires and a USB mini-B cable. You'll need to connect TX on the RFID board to RX on the FTDI module, and vice versa, as well as connect GND and 5v/VCC.
You'll need to set both SET0 and SET1 to L (UART). By default it is set up for SPI mode on the Raspberry Pi header.
It won't require any soldering unless you want to make it permanent.
Note: This is for the AU direct site. This has a 30 USD minimum order amount. You may also find these parts on the global and other regional Dealextreme sites, but I haven't tested them. They may have other quirks.
proxmark3 (288 USD)
proxmark3 is an RFID Swiss Army Knife. It can also be used for cracking Mifare Classic keys. This doesn't use any of the instructions described here; instead, see the proxmark3 wiki page for more information.
The price quoted is for the bare board and HF antenna from Ryscc (US). As this is open hardware, there are many manufacturers of equipment, which have variations, such as different antenna connectors, in-built antennas, and operating from battery without a host.
Wherever you source the hardware from, you will need to do a firmware upgrade of the device, which is fairly easy. While the project started around 2007, it still has active development from a small but dedicated community.
It is more expensive; however, the cracking process is very reliable and quick, typically taking around 5 minutes to fully crack and dump the card (compared to around an hour for the PN532).
If you're interested in more experimentation with RFID, then this is the tool for you, as this device has many features.
It supports Darkside, Nested and Hardnested attacks against MIFARE Classic (including hardened) cards, as well as sniffing RFID communication and extracting keys from a 'legitimate' MIFARE Classic reader.
The dumpkeys.bin file generated by the proxmark client can be renamed to have a .farebotkeys extension, and can be loaded straight into Metrodroid. dumpdata.bin is an mfc file as described below.
Cracking with the PN532
PN532 is a fairly old NXP NFC chipset that is common in low end devices and NFC readers. The cracking process will only work on Linux, and even then it is slow and not extremely reliable.
libnfc configuration file
This is for a PN532 NFC chipset connected via UART, with a USB-UART adapter on /dev/ttyUSB0. You may need to be in the dialout group in order to write to the serial device.
Have no keys at all? (darkside)
You'll want to begin by using mfcuk. This tool is basically unmaintained, and does not function against current libnfc. The current master version of mfcuk does not work either. You'll need current libnfc for the second tool, so this will walk through building it in a different prefix.
Check out nfc-tools/libnfc@6752951, and nfc-tools/mfcuk@1b6d022, and install these into a different prefix, eg:
Once you have built both tools, you can then run it with:
There should be a lot of output given to stdout. You want the diff Nt value to stay below about 300, and auths <= diff Nt * 256. If the numbers stay about the same, or the number of diff Nt increases above 300, then there is either an issue with your reader, or you have a Mifare Plus card.
This process should not take more than an hour, though if the card and/or reader isn't reliable you'll want to tweak the delay options (-s and -S, to make it run slower).
Once this is complete, you will get output with a 6 byte key (represented as 12 hex digits, i.e. base16 encoded) for one of the sectors. From here you can proceed with the instructions for 'At least one known key'.
At least one known key?
Old / weak card (nested)
nfc-tools/mfoc works with the current version of libnfc. You should be able to just clone the repository and build it against your system libnfc.
You run the tool, specifying keys like the following:
You can specify many keys, and there are also some hard coded default keys you can try.
This should take no more than an hour.
After this is complete, you will have a complete (binary) dump of the card in mycard.mfc, as well as a list of keys.
New card (hardnested)
There are tools around to do this with libnfc compatible readers, but I haven't tried them.
Cracking with the Proxmark3
See https://github.com/proxmark/proxmark3/wiki/Mifare%20HowTo
dumpkeys.bin can be loaded straight into Metrodroid if you rename it to have a .farebotkeys extension. dumpdata.bin is a raw memory dump of the card, and is the same as files with .mfc and .mfd extension.
Importing keys into Metrodroid
You only need one of the sets of keys (either the A key or the B key) in order to read the data on the card. You don't need to specify it many times.
In the extra folder there is a tool textkeys_to_farebotkeys which will take a newline separated, base16 encoded list of keys, and turn it into a farebotkeys file:
You can also convert a card dump into a farebotkeys file with mfcdump_convert.py. This will by default extract the 'A' keys from an mfc/mfd dump file (from mfoc) and turn it into a farebotkeys or JSON file (documentation).
Once this is complete, copy the file to your phone, then open it. Metrodroid will then prompt you to scan the card the keys are for, and it will be added to your local database. After that, you'll be able to read the card with your phone.
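As an added example (it is not Metrodroid's mfcdump_convert.py or textkeys_to_farebotkeys), the following Python walks the sector trailers of a raw 1K or 4K .mfc/.mfd dump, pulls out the A or B key of every sector, writes the distinct keys in the raw concatenated 6-byte layout that the page says dumpkeys.bin already uses, and flags sectors still protected by the factory default key. The 1K/4K block layout, the trailer layout (key A, access bits, key B) and the sample dump are assumptions and constructed values, not taken from the page.

```python
from typing import List, Tuple

BLOCK, KEY_LEN = 16, 6
# Factory transport key: a sector still using it is effectively unprotected.
DEFAULT_KEY = bytes.fromhex("FFFFFFFFFFFF")

def sector_layout(dump_len: int) -> List[Tuple[int, int]]:
    """(first block, block count) per sector. Assumed layout: 1K = 16 sectors
    of 4 blocks; 4K = 32 sectors of 4 blocks then 8 sectors of 16 blocks."""
    if dump_len == 1024:
        return [(s * 4, 4) for s in range(16)]
    if dump_len == 4096:
        return [(s * 4, 4) for s in range(32)] + [(128 + s * 16, 16) for s in range(8)]
    raise ValueError(f"unexpected dump size {dump_len}, want 1024 or 4096 bytes")

def extract_keys(dump: bytes, key: str = "A") -> List[bytes]:
    """Key A (bytes 0-5) or key B (bytes 10-15) of every sector trailer,
    the trailer being the last block of each sector (assumed layout)."""
    off = 0 if key.upper() == "A" else 10
    keys = []
    for first, count in sector_layout(len(dump)):
        trailer = (first + count - 1) * BLOCK
        keys.append(dump[trailer + off:trailer + off + KEY_LEN])
    return keys

def to_farebotkeys(keys: List[bytes]) -> bytes:
    """Raw concatenation of 6-byte keys (assumed to match the dumpkeys.bin
    layout the page says can simply be renamed); each distinct key once."""
    out, seen = bytearray(), set()
    for k in keys:
        if k not in seen:
            seen.add(k)
            out += k
    return bytes(out)

def default_key_sectors(dump: bytes) -> List[int]:
    """Sector numbers whose key A or key B is still the factory default."""
    pairs = zip(extract_keys(dump, "A"), extract_keys(dump, "B"))
    return [i for i, (ka, kb) in enumerate(pairs) if DEFAULT_KEY in (ka, kb)]

def make_sample_dump() -> bytes:
    """Constructed 1K dump: all sectors default except a made-up key A in sector 0."""
    dump = bytearray(1024)
    for first, count in sector_layout(1024):
        t = (first + count - 1) * BLOCK
        dump[t:t + 6] = DEFAULT_KEY
        dump[t + 6:t + 10] = bytes.fromhex("FF078069")  # transport access bits
        dump[t + 10:t + 16] = DEFAULT_KEY
    dump[48:54] = bytes.fromhex("112233445566")  # constructed value, not a real key
    return bytes(dump)

if __name__ == "__main__":
    d = make_sample_dump()
    print("key A per sector:", [k.hex() for k in extract_keys(d)])
    print("sectors on default key:", default_key_sectors(d))
```

Running it against a real dump means reading the file into `dump` and writing `to_farebotkeys(extract_keys(dump))` out with a .farebotkeys name.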
Importing card dumps
If you want to do some testing, or your phone doesn't support Mifare Classic, you can import the mfc dump files from mfoc with mfcdump_convert.py:
You can then copy this to your phone. Then import it with 'Scanned Cards' > 'Import' > 'Import from File'. This also works with Google Drive.
Need more information here. Information suggests that this is difficult.
Needs more info -- Metrodroid can't authenticate with these cards yet.