Mifare Cracking Software
A student at the University of Virginia has discovered a way to break through the encryption code of RFID chips used in up to 2 billion smart cards used to open doors and board public transportation systems., a graduate student working with two researchers based in Germany, said the problem lies in what he calls weak encryption in the MiFare Classic, an RFID chip manufactured. Now that he's broken the encryption, Nohl said he would only need a laptop, a scanner and a few minutes to get the cryptographic key to an RFID door lock and create a duplicate card to open it at will.And that, according to Ken van Wyk, principal consultant at, is a big security problem for users of the technology. 'It turns out it's a pretty huge deal,' said van Wyk. 'There are a lot of these things floating around out there. Using it for building locks is the biggy, especially when it's used in sensitive government facilities — and I know for a fact it's being used in sensitive government facilities.' Van Wyk told Computerworld that one European country has deployed military soldiers to guard some government facilities that use the MiFare Classic chip in their smart door key cards.
'Deploying guards to facilities like that is not done lightly,' he added. Bible download in plain text crossword. 'They recognize that they have a huge exposure. Deploying guards is expensive. They're not doing it because it's fun.
They're safeguarding their systems.' He declined to identify the European country.Manuel Albers, a spokesman for NXP Semiconductors, said the company has confirmed some of Nohl's findings.
However, he said there are no plans to take the popular chip off the market.' The MiFare chip was first introduced in 1994.
At the time, the security level was very high,' he said in an interview. 'The 48-bit key lengths for encryption was state of the art.' Related: Albers added that the company has other, more secure chips in its product portfolio these days, but the is a relatively inexpensive, entry-level chip.
Anyone needing a highly secure smart card should make sure there's layered security and not just depend on the chip's encryption, he said.' We have to start this discussion, really, at the level where we differentiate between the security level the chip provides and the additional security features an entire card provides. You're dealing with a layered security system, like strands to a rope,' said Albers, noting that between 1 billion and 2 billion smart cards with this MiFare Classic-type chip have been sold. 'As long as there's demand for this product and system integrators saying this product is good enough for their platforms, we will continue to offer it.' Albers noted that NXP recently released MiFare Plus, which is backward-compatible with the MiFare Classic while offering better security.
He said the company did not release the updated chip because of Nohl's findings, but it did use some of his information when designing it.' The problem is the card and the card reader,' said Nohl. 'They speak the same cryptography language that is flawed. Both need to be replaced.
Mifare Desfire Ev1 Crack
There is a lot of infrastructure to be replaced. The encryption is not standard. It uses two short keys.' While Albers said 'the majority' of the smart cards with this chip are used as bus or subway cards, both van Wyke and Nohl said the real problem lies in the cards that are used as door locks.' I don't think people want to steal other people's bus tickets,' said Nohl.
'But think about chemical waste storage buildings or military facilities. The stakes are a lot higher. If you break in, you don't get a $2 bus ticket, but you get whatever is in that warehouse. These cards are used around the world to secure high-level buildings.
All these applications will suffer as soon as somebody with criminal intent finds the details that we have.' Nohl explained that since the MiFare Classic smart cards use a radio chip, he can easily scan them for information. If someone came out of a building, carrying a smart card door key, he could walk past them with a laptop and scanner in a backpack or bag and scan their card. He also could walk past the door and scan for data from the reader.Once he's captured information from a smart card and the card reader on the door, he would have enough information to find the cryptographic key and duplicate a smart card with the necessary encryption information to open the door.How long would it take him to capture the necessary information?
About two minutes, he said.Van Wyk thinks Nohl might be humble in his estimate. 'He says it would take him two minutes to crack it?
I'd like to know what he did with the other minute and 55 seconds,' he said. 'It is so easy to crack most of that stuff I don't think it's general to RFID, but there are a lot of RFID implementations that haven't done this very well. You could do RFID well, but it turns out that not many vendors are.'
Mifare Card Programming
Easy tutorial about hacking our first MIFAR/RFID Tag. RFID is a technology widely used in our lives, from our building access badges, to payment facilities, or even our gates’ remotes. As we’ve seen in the previous post, some of them are utilizing little to no security mechanisms, like MIFARE. Today we will start working on a really basic series of hacks. What you will need HardwareWhat’s covered can be done with a simple RFID card reader found on Amazon for 30€ (35$). Mine was the simply because it was the most mentioned one on a few forums and blog posts I had read at the time. Consequently, it would make things easier for support if any issues arise.With the previous post, we saw that tags a have a specific block of memory reserved to the manufacturer, including an UID (Unique IDentifier).
If you want to try and clone a tag, you will need to be able to spoof this UID, so I also ordered a few tags ( and ) with an UID rewritable. ACS ACR122U SoftwareAny.NIX distribution will do the trick (Windows too eventually), but after a bit of trial and error, I figured out working on RFID and NFC works better with security oriented distributions like Kali or ParrotSec. They already include all the tools and libraries needed to do the job.I also found out working in Virtual Machines (VMs) can sometimes be a pain. The host always keep a bit of control over the USB ports (via probes).
This is annoying bc our card reader needs full access to those ports at any time. Without full access time-outs during read/write operations will occur and can permanently damage a tag.NB: For those of you getting an error when trying to run any NFC related operations on an ACR122. Nfc-list – Figure 2.1When done, the device is detected and active, interface is opened, and there is an ISO/IEC 14443A compliant tag in range.
This tag is a barbaric term for a MIFARE card. Our first relevant information, this MIFARE tag’s UID is 7BE88C21. MFOC – MiFare classic Offline CrackerThe easiest and most basic tool to use against MIFARE tags, is MFOC. It tries different keys against a MIFARE tags. Once MFOC finds a correct key the tool can “guess” the other keys and dump the memory of the tag. (Figure 2.2).
MFOC’s black magic – Figure 2.3In figure 2.3, MFOC is using the sector 00 as an exploit sector simply because both A & B keys are known for this tag (hence any sector from 0 to 11 could be used as an exploit sector). MFOC is then sending probes onto the “uncracked” sectors and will compare the answer’s delay with a positive one onto sector 00, similar to how a works.With the last 4 uncracked sectors have unveiled their B keys, MFOC is able to authenticate.
Now we have both A & B keys. Now we will dump the memory of the entire tag in the file location specified, as seen in Figure 2.4. Hexeditor of the dump file – Figure 2.5In Figure 2.5 above, the red area is actually a whole sector as we detailed in the first article, and on line 2B0 you can see the A key, A0A1A2A3A4A5, and B key, B0B1B2B3B4B5, which is separated by the 8 access bits 78 77 88 69 of the concerned sector. NFC-MFCLASSICThe tag I worked on is the building access tag for my apartment. Lucky for me all sectors were using a default key and the dump only took me 20-25 seconds.
From here I copied my building badge. I did this to see if my building’s scanner could tell the difference between the original tag and a clone (UID included).This brings us to a new tool nfc-mfclassic. This tool will allow us to write dump files on the new tag and is quite simple to use. A quick look at the man page is all that is needed. This tells us all we need to know. We can write dumps on a new tag with a w options, but a W (notice the uppercase) will not only write the whole dump’s data but will also rewrite the UID.Let’s try to write the dump we just created with mfoc onto the new tag ordered on Amazon, using the A keys stored in the dump file itself (Figure 2.6). Figure 2.7 ConclusionIn conclusion, we’ve identified how to use a few basic NFC and MIFARE commands to read and detect a tag.
With the few more MFOC commands we were able to crack a generic NFC key. Eventually, we dump the content of the tag’s memory if it was using default keys. This makes up more than 75% of the tags I have tried so far. With this information,the knowledge of cloning different MIFARE classic tags. A few things you might be asking yourself. What to do if no default keys are used?. What if you want to edit the content of the data and give you access somewhere you shouldn’t be?That, my friends, will be for the next article of this RFID series.
Comments are closed.