Alright, so my school uses NFC readers to operate the printers and some doors. They utilise MiFare Classic 1k cards to operate these, which, if you know MiFare, can be read and written to easily with any NFC-compatible phone. However, for this insecurity to be of any use I need to make it so my card can become anyone else’s, so that I could literally open doors with a flick of my wrist – which is how doors are usually opened, but these ones are locked.

In order to change my card’s identity I would need to edit the UID, which is impossible on the cards the school provides, as the sector that contains this information (Sector 0) is blocked from rewriting because it is the manufacturer block. This was a setback but led me to a conclusion: IT isn’t setting these cards’ UIDs – they are assigning the Sector 0 random UIDs to students’ and teachers’ names on their system.

So, I bought a rewritable MiFare Classic 1k card, enabling me to become anyone by writing to the card via my phone (which has been tested on friends’ cards, and it works) – but only if I know their UID.

This is where I am at. And now this is where I am hoping to go.

I could get the UIDs from teachers’ cards by placing my phone momentarily on the card and reading it – but this takes a couple of seconds and we aren’t allowed phones out at school, so if a teacher saw, it would look suspicious and I would most likely have the phone confiscated. So how do I get those desirable UIDs?

(The following is all theory)

Enter the stealthy Raspberry Pi (loaded with Kali, battery pack attached) and a USB female to (2) male splitter. I will simply place the Pi behind a printer, detach the USB NFC reader connected to the printer and instead connect it to the splitter – one of the two ports going back into the printer (allowing it to function as normal) and the other port going into the Pi running nfc-list, dumping all UIDs it receives to a file.

The problem is, I’ll end up with a bunch of UIDs and I won’t know who they belong to. I’ll just have to trial-and-error each one to see if the UID is one worth copying or not.

Thanks for reading,

Sincerely, hacktheor3m.