What type of card are we dealing with?

The first thing to do when looking into a new card is to figure out what it actually is. Luckily there is no shortage of tools we can use for this these days, starting with a standard smartphone.

Most Android devices (and newer iPhones) have NFC built in, which lets them read one of the two main types of contactless card. Most cards are split into low frequency (often just called RFID) and high frequency (often called NFC, though technically it is RFID too). By attempting to read a card with your phone, you can quickly tell which of the two the system uses.

In our case, I opened up a free tool I often use for this kind of thing, NFC Tools, and scanned the Busit card:

NFC Tools shows us a lot of information about the Busit card already

The most important thing we can see on this screen is the Tag Type, listed as “NXP Mifare Classic 1k”. A little searching around the internet seems to indicate this is a common type of card for transportation systems, and more importantly for us, it’s considered very insecure.

Mifare Classic, and other bad decisions

Looking into the relevant Android APIs, it appears we will be able to develop something that can read and write card data, but first we need to know the keys in use on the Busit card.

The tool we have used so far (NFC Tools) does not offer a way to recover Mifare Classic keys, so we need to investigate another approach. In my case, I have access to a Proxmark3, which is capable of attacking the Mifare Classic protocol.

The Proxmark3 RDV2

Once I had the Proxmark3 set up and working on my PC, I was able to start probing the card and performing attacks. By running the command “hf search”, I could see that the Busit card I had has a weak PRNG. In my experience, most Mifare Classic cards have this same issue.

Now we have everything we need to begin an attack. To speed things up, we can first check for default keys on the Busit card. People have contributed a large number of common keys to the Proxmark3 repository, so we might get lucky. We just run the “hf mf chk * ? default_keys.dic” command, which reads as “high-frequency Mifare: check every sector and every slot, using every default key from default_keys.dic”.

Turns out the keys for Busit don’t really require cracking

Lo and behold, the Proxmark3 steps turn out to have been completely unnecessary! The Busit card uses the “default” key of FFFFFFFFFFFF (the computer equivalent of setting your password to “1”).
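The same check can be made offline against a card dump, which is how an operator would audit a fleet for cards still on factory keys. This is an added example, not code from the original post: it walks the Mifare Classic 1k layout (16 sectors of 4 blocks of 16 bytes, block 3 of each sector being the trailer that holds key A, the access bytes and key B), flags sectors still keyed with FFFFFFFFFFFF, and verifies the access bits are well-formed. The sample dump and its non-default keys are constructed, not real Busit values.

```python
"""Audit a Mifare Classic 1k dump for factory-default keys (constructed example)."""
from typing import Dict, List

BLOCK = 16                    # bytes per block
SECTORS = 16                  # 1k card: 16 sectors x 4 blocks x 16 bytes
DEFAULT_KEY = "FFFFFFFFFFFF"  # the key the post found on the Busit card
FACTORY_ACCESS = bytes.fromhex("FF078069")  # transport-configuration access bytes

def parse_trailer(trailer: bytes) -> Dict[str, object]:
    """Split a 16-byte sector trailer (key A | access bytes | key B) and decode
    its access bits. C1/C2/C3 are stored once inverted and once plain, so a
    corrupted or hand-edited trailer shows up as access_valid == False."""
    if len(trailer) != BLOCK:
        raise ValueError("sector trailer must be 16 bytes")
    key_a, acc, key_b = trailer[:6], trailer[6:9], trailer[10:]
    nc2, nc1 = acc[0] >> 4, acc[0] & 0xF   # byte 6: ~C2 | ~C1
    c1, nc3 = acc[1] >> 4, acc[1] & 0xF    # byte 7:  C1 | ~C3
    c3, c2 = acc[2] >> 4, acc[2] & 0xF     # byte 8:  C3 |  C2
    valid = (c1 == (~nc1 & 0xF)) and (c2 == (~nc2 & 0xF)) and (c3 == (~nc3 & 0xF))
    # bit i of each nibble belongs to block i of the sector (block 3 = trailer)
    bits = [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]
    return {"key_a": key_a.hex().upper(), "key_b": key_b.hex().upper(),
            "access_valid": valid, "access_bits": bits}

def audit_dump(dump: bytes) -> List[int]:
    """Return the sectors whose key A or key B is still FFFFFFFFFFFF."""
    if len(dump) != SECTORS * 4 * BLOCK:
        raise ValueError("expected a 1024-byte Mifare Classic 1k dump")
    weak = []
    for s in range(SECTORS):
        t = parse_trailer(dump[(s * 4 + 3) * BLOCK:(s * 4 + 4) * BLOCK])
        if DEFAULT_KEY in (t["key_a"], t["key_b"]):
            weak.append(s)
    return weak

def build_sample_dump() -> bytes:
    """Constructed dump: factory defaults everywhere except sector 5, which
    carries made-up non-default keys. Data blocks are zeroed (a real card
    has manufacturer data in block 0)."""
    default = bytes.fromhex(DEFAULT_KEY) + FACTORY_ACCESS + bytes.fromhex(DEFAULT_KEY)
    custom = bytes.fromhex("0A1B2C3D4E5F") + FACTORY_ACCESS + bytes.fromhex("5F4E3D2C1B0A")
    data = bytes(3 * BLOCK)
    return b"".join(data + (custom if s == 5 else default) for s in range(SECTORS))

if __name__ == "__main__":
    print("sectors on factory key:", audit_dump(build_sample_dump()))
```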

With the keys obtained, we can begin looking at the data on the card and building our Android application.