For this first article we will be working on RFID and more precisely on the MIFARE technology. In this article you won’t find anything that has never been done before, but rather my own take on the many things that have already been done with RFID, and perhaps an attempt to be more thorough than some other proofs of concept. The main goal here is to cover the process of cloning and editing some RFID tags, especially MIFARE Classic ones, which are still widely used today despite the many attacks published over the last few years.
DISCLAIMER: What follows is the result of independent research and personal work and does not represent in any way the company I worked or am working for. This is in no way intended to help you in your shady or criminal activities, anything illegal you’d do after reading this is none of my responsibility.
RFID, MIFARE & NFC: The basics
RFID, which stands for Radio Frequency Identification, is a technology that uses electromagnetic fields to automatically identify and/or track “tags” that contain electronically stored information. Passive tags have no power source of their own and are activated by the electromagnetic field generated by a nearby reader. Active tags have a local power source (such as a battery) and may operate hundreds of meters from the closest RFID reader. The use of RFID always involves three things:
- 1 tag
- 1 reader
- 1 antenna (ranging from Low to High and Ultra High frequencies)
Near Field Communication (NFC) is a set of communication protocols that enable two electronic devices to exchange information within 4 centimeters of each other. NFC operates within the RFID frequency range, as it was created as a new way of communicating with RFID tags. Indeed, the main purpose of NFC was to break out of the standard tag/reader “read-only” pattern and allow each device to act as reader, antenna and tag at once, and therefore exchange information in both directions.
MIFARE, which is often incorrectly used as a synonym for RFID, is a trademark for a series of chips widely used in contactless smart cards and proximity cards. MIFARE is owned by NXP Semiconductors, which was previously part of Philips Electronics. The reason behind this misuse is simply that MIFARE chips represent approximately 80% of the passive RFID tags in the world. Think of MIFARE as the most representative type of RFID tag, and of NFC as simply a newer technology to interact with both. Now that’s settled, let’s focus on MIFARE.
The MIFARE family is split into subcategories which I will briefly describe here:
- MIFARE Classic 1K/4K: basically just a memory storage device; the memory (1024 or 4096 bytes) is divided into sectors and blocks with really simple security mechanisms for access control, and it is most of the time used for regular access badges;
- MIFARE Ultralight: a 64-byte version of MIFARE Classic; its low cost makes it widely used for disposable tickets for events or transportation;
- MIFARE Plus: announced as a replacement for MIFARE Classic, the Plus subfamily brings a new level of security, up to 128-bit AES encryption;
- MIFARE DESFire: these tags come pre-programmed with a general-purpose DESFire operating system which offers a simple directory structure and files, and they are the type of MIFARE offering the highest security level.
At some point, I was given a U-KEY which can be used to load funds onto and buy coffee and snacks from different vending machines around. With this being 2019, contactless payment is becoming more common with credit cards and smartphones. These technologies have gone through rigorous testing to ensure users’ data is secure, and so far it’s pretty solid, but what about these little keys?
Well, as it turned out, those keys are simply MIFARE Classic 1K, and we know from our research that the security mechanisms involved are quite simple. But how simple?
Breaking down the MIFARE Classic tag structure
The Classic 1K tag memory is a whopping 1,024 bytes in size. Those 1,024 bytes are split into 16 sectors (0 to 15), each of which is split into 4 blocks (0 to 3). That makes 16 bytes on each row (Figure 1.1). When we get into modifying data, our focus will be a single byte: the 7th byte of the 2nd block of sector 13.
Every sector has a common structure: 3 blocks of data and 1 “access control” block (the sector trailer). The access control block is made of a Key A, a Key B, and the access bits in between. The A and B keys can be standard (i.e. the most commonly used defaults) or unique and set by the tag owner, and the access bits determine the rights on each block of the sector (read, write, both or none).
The one exception to this layout is block 0 of sector 0, which is not an ordinary data block but the manufacturer block. This is where the tag’s manufacturer stores a unique ID (UID) and information such as the date of creation. The manufacturer block is read-only: manufacturers do not want end users to modify their data, and especially not the UID. Knowing how the memory is laid out, how can it be read? And more importantly, how can it be modified? When we present the tag to a reader, the reader sends a POR (Power-On Reset). This gets our tag out of its passive “sleep” mode. If the request sent is a standard one, the tag and the reader start communicating and agree on an encrypted session key.
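To make the layout above concrete, here is an added example (my own code, not from the original article or from NXP) that parses a MIFARE Classic 1K memory image exactly as described: 16 sectors of 4 blocks of 16 bytes, a trailer per sector holding Key A, the access bits and Key B, and the manufacturer block at sector 0, block 0. The dump it works on is a constructed sample (made-up UID, every trailer in the factory transport configuration), and the access-condition tables are the ones from the NXP MF1S50 datasheet. It also computes where “the 7th byte of the 2nd block of sector 13” sits in a raw dump, assuming the text counts blocks and bytes from 1 (so sector 13, block 1, byte index 6).

```python
# Added example: parser for a MIFARE Classic 1K dump (constructed sample data, not a real tag).
BLOCK_SIZE = 16
BLOCKS_PER_SECTOR = 4
SECTORS = 16
DUMP_SIZE = SECTORS * BLOCKS_PER_SECTOR * BLOCK_SIZE  # 1024 bytes

# Rights for a data block, indexed by (C1, C2, C3):
# (read, write, increment, decrement/transfer/restore). Source: NXP MF1S50 datasheet.
DATA_BLOCK_RIGHTS = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),      # transport configuration
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),
    (0, 0, 1): ("A|B", "never", "never", "A|B"),
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}
# Rights for the sector trailer, indexed by (C1, C2, C3):
# (keyA read, keyA write, access-bits read, access-bits write, keyB read, keyB write).
TRAILER_RIGHTS = {
    (0, 0, 0): ("never", "A", "A", "never", "A", "A"),
    (0, 1, 0): ("never", "never", "A", "never", "A", "never"),
    (1, 0, 0): ("never", "B", "A|B", "never", "never", "B"),
    (1, 1, 0): ("never", "never", "A|B", "never", "never", "never"),
    (0, 0, 1): ("never", "A", "A", "A", "A", "A"),  # transport configuration
    (0, 1, 1): ("never", "B", "A|B", "B", "never", "B"),
    (1, 0, 1): ("never", "never", "A|B", "B", "never", "never"),
    (1, 1, 1): ("never", "never", "A|B", "never", "never", "never"),
}


def block_address(sector: int, block: int) -> int:
    """Absolute block number, as used by the tag's READ/WRITE commands."""
    if not (0 <= sector < SECTORS and 0 <= block < BLOCKS_PER_SECTOR):
        raise ValueError("sector/block out of range for a 1K tag")
    return sector * BLOCKS_PER_SECTOR + block


def byte_offset(sector: int, block: int, index: int) -> int:
    """Offset of one byte inside a raw 1024-byte dump."""
    if not 0 <= index < BLOCK_SIZE:
        raise ValueError("byte index out of range")
    return block_address(sector, block) * BLOCK_SIZE + index


def decode_access_bits(trailer: bytes) -> list:
    """Return (C1, C2, C3) for blocks 0..3 of a sector from trailer bytes 6..8.

    Bytes 6 and 7 carry inverted copies of the bits; a real tag irreversibly
    blocks a sector whose copies disagree, so a mismatch is an error here too.
    """
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    conditions = []
    for i in range(BLOCKS_PER_SECTOR):
        c1 = (b7 >> (4 + i)) & 1
        c2 = (b8 >> i) & 1
        c3 = (b8 >> (4 + i)) & 1
        inverted = ((b6 >> i) & 1, (b6 >> (4 + i)) & 1, (b7 >> i) & 1)
        if (c1 ^ 1, c2 ^ 1, c3 ^ 1) != inverted:
            raise ValueError(f"access bits for block {i} fail the inverted-copy check")
        conditions.append((c1, c2, c3))
    return conditions


def describe_sector(dump: bytes, sector: int) -> dict:
    """Keys and decoded rights for one sector of a dump."""
    start = byte_offset(sector, 3, 0)
    trailer = dump[start:start + BLOCK_SIZE]
    conditions = decode_access_bits(trailer)
    return {
        "key_a": trailer[0:6].hex(),
        "key_b": trailer[10:16].hex(),
        "data_blocks": [DATA_BLOCK_RIGHTS[c] for c in conditions[:3]],
        "trailer": TRAILER_RIGHTS[conditions[3]],
    }


def manufacturer_block(dump: bytes) -> dict:
    """Sector 0, block 0: 4-byte UID, its XOR check byte (BCC), then manufacturer data."""
    blk = dump[0:BLOCK_SIZE]
    uid, bcc = blk[0:4], blk[4]
    return {
        "uid": uid.hex(),
        "bcc_ok": bcc == uid[0] ^ uid[1] ^ uid[2] ^ uid[3],
        "manufacturer_data": blk[5:].hex(),
    }


def build_sample_dump() -> bytes:
    """Constructed 1K image: made-up UID, every trailer in transport configuration."""
    dump = bytearray(DUMP_SIZE)
    uid = bytes.fromhex("deadbeef")  # constructed sample UID, not a real tag
    dump[0:4] = uid
    dump[4] = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    for s in range(SECTORS):
        t = byte_offset(s, 3, 0)
        dump[t:t + 6] = b"\xff" * 6                      # key A (factory default)
        dump[t + 6:t + 10] = bytes.fromhex("ff078069")   # access bits + user byte
        dump[t + 10:t + 16] = b"\xff" * 6                # key B (factory default)
    return bytes(dump)


if __name__ == "__main__":
    dump = build_sample_dump()
    print("target byte offset:", byte_offset(13, 1, 6))
    print(manufacturer_block(dump))
    print(describe_sector(dump, 13))
```

The inverted-copy check is the part worth keeping in any tool that writes trailers: the access-bit bytes are the one place where a typo does not just lock you out but permanently blocks the sector on the chip, so validating them before a WRITE is cheap insurance.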
NB: The whole process of writing data on a tag is shorter than 9 milliseconds.
The operations on a tag are quite simple:
-> READ/WRITE/DECREMENT/INCREMENT – always sent within the encrypted session.
-> TRANSFER – writes the result of one of the previous operations to non-volatile memory.
-> RESTORE – prepares the current value of a block to be over-written.
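INCREMENT, DECREMENT, TRANSFER and RESTORE only make sense on a block stored in the chip's “value block” format, and the first three work through a volatile register that TRANSFER then commits to a block. The following added example (my own code, not from the original article or from NXP) encodes and validates that format and models the register so the order of operations is visible; the semantics follow the NXP MF1S50 datasheet, while the simulation class, block numbers and values are constructed here.

```python
# Added example: MIFARE Classic value-block format and a model of the
# INCREMENT/DECREMENT/RESTORE -> TRANSFER sequence (constructed simulation).
import struct

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def encode_value_block(value: int, addr: int) -> bytes:
    """Layout: value (LE int32), ~value, value, then addr, ~addr, addr, ~addr."""
    if not INT32_MIN <= value <= INT32_MAX:
        raise OverflowError("value must fit in a signed 32-bit integer")
    if not 0 <= addr <= 0xFF:
        raise ValueError("addr must be a single byte")
    v = struct.pack("<i", value)
    nv = bytes(b ^ 0xFF for b in v)
    return v + nv + v + bytes([addr, addr ^ 0xFF, addr, addr ^ 0xFF])


def decode_value_block(block: bytes) -> tuple:
    """Return (value, addr); reject anything that is not a well-formed value block."""
    if len(block) != 16:
        raise ValueError("a block is 16 bytes")
    v, nv, v2, a = block[0:4], block[4:8], block[8:12], block[12:16]
    if v != v2 or nv != bytes(b ^ 0xFF for b in v):
        raise ValueError("value field and its redundant copies disagree")
    if not (a[0] == a[2] and a[1] == a[3] and a[1] == a[0] ^ 0xFF):
        raise ValueError("addr field and its redundant copies disagree")
    return struct.unpack("<i", v)[0], a[0]


class ValueBlockTag:
    """Non-volatile blocks plus one volatile data register, as on the chip.

    INCREMENT/DECREMENT/RESTORE only load the register; nothing reaches
    memory until TRANSFER names a destination block.
    """

    def __init__(self, blocks: dict):
        self.blocks = dict(blocks)   # absolute block number -> 16 bytes
        self.register = None         # 16-byte block content, or None

    def increment(self, addr: int, delta: int) -> None:
        value, tag_addr = decode_value_block(self.blocks[addr])
        self.register = encode_value_block(value + delta, tag_addr)

    def decrement(self, addr: int, delta: int) -> None:
        self.increment(addr, -delta)

    def restore(self, addr: int) -> None:
        decode_value_block(self.blocks[addr])   # source must be a valid value block
        self.register = self.blocks[addr]

    def transfer(self, addr: int) -> None:
        if self.register is None:
            raise RuntimeError("TRANSFER without a preceding INCREMENT/DECREMENT/RESTORE")
        self.blocks[addr] = self.register

    def value(self, addr: int) -> int:
        return decode_value_block(self.blocks[addr])[0]


if __name__ == "__main__":
    # Constructed sample: block 53 (sector 13, block 1) holds a balance of 100.
    tag = ValueBlockTag({53: encode_value_block(100, 53)})
    tag.decrement(53, 30)          # register now holds 70, memory still 100
    tag.transfer(53)               # commit: block 53 becomes 70
    tag.restore(53)                # copy the block into the register ...
    tag.transfer(54)               # ... and back it up into block 54
    print(tag.value(53), decode_value_block(tag.blocks[54]))
```

The RESTORE then TRANSFER pair into a second block is the backup mechanism the redundant `addr` field exists for: the copy keeps the original block number inside it, so an application reading block 54 can tell it is a backup of block 53 rather than a balance of its own.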
Moving on from here, you might have a few questions. Some that come to mind:
– How strong is this encrypted session?
– Is that encryption crackable?
– Does the tag have any way of checking the modification requests sent from a legitimate reader?
– Can we spoof those requests to modify it with our own data?
Don’t miss the next article if you want your answers! =D