2022-12-14 Making a CTF challenge with an NFC tag
On 9 December this year was the annual SURFcert Capture The Flag (CTF) event. The end result is that team "I'm not a robot" from Radbout University Nijmegen won with the most points. When I participate in a CTF, I like to keep notes and write about my experiences and what I learned solving the challenges. Being on the 'other' side creating the challenges is as much fun, but while creating the challenges you have to be really silent about it. For me personally it is extra challenging because one of the regular SURFcert CTF players works with me in the same team. But sometimes designing a challenge and making it happen gives the same great feeling as actually solving it! This was the case with the challenge that ended up as Scan the radio on the SURFcert CTF. The name of the challenge was somewhat confusing by design: there was a challenge which was designed to make people use a 1990s style ghettoblaster radio, there was a challenge mentioning 'broadcast' which was actually about names of wifi networks and this challenge. All three were marked 'physical' with a description of the challenge. For this challenge I wanted to create an NFC tag that could be read easily. I found out information can be put in NFC tags using the NDEF standard (NFC Data Exchange Format) which has options to embed URLs, options to start certain apps or simple strings. I wanted a simple string with a flag as our flag format was SCF2022- plus 32 characters uppercase. I found out the developer of proxmark is working on NDEF support but it is all quite new. At this point I was worried I had to write my own code and use parts from a fresh library to get an NDEF message on a card. I did bring some MiFare classic cards home to test on. But searching for information I came across NDEF and Magic Mifare Cards with the very important remark:My suggestion would be to get an Android phone with nxp reader chip (there are many) and use tagwriter from NXP to format and write ndef data to the Mifare classic chip.I do have NFC TagWriter by NXP on a smartphone, I just haven't used it a lot. And indeed it was really easy to create an NDEF dataset with a string, write this to a MiFare classic and read this with an Android phone with NFC support, even without opening the NXP TagInfo application. So that was an easy challenge to make, a lot easier than I first thought. Or was it? The final test would be to read this on an Apple iphone too. And there came the snag, the Apple iphone doesn't work with MiFare classic tags somehow. But the person who helped me test it had another tag with an NDEF message on it, and that worked fine. So the conclusion was that another type of tag would work better. Luckily one of the other people of the team creating the SURFcert CTF has a big collection of NFC tags and it turned out the tag given out by Tweakers reads fine on Android and iphone. So that's how the 'scan the radio' challenge was to notice the clearly not from 1992 tweakers tag on the ghettoblaster radio, scan it with the standard NFC support in a smartphone or use NXP TagInfo and find the flag. While creating this challenge I also tried writing information to the tags which were given out / sold about 15 years ago which looked like a circle with a hex serial number. I always assumed they were just a serial number to look up in a database. But they turned out to be actual NDEF tags with the hex serial number on the outside as an URL: For the tag with 04B7CC193E2580 on the outside:
protocol 01 http://www uri field ttag.be/m/04B7CC193E2580 But ttag.be has changed owners since this was active and it's now redirecting to 609.es which is a real-estate agent in Spain. I guess everybody who scans a round tag with a serial number wonders how they end up with a real-estate agent.
2022-11-18 Current thoughts on hardware hacking
I closed the case of a vulnerability in the Corinex CXWC-HD200-WNeH with a confirmation from the vendor that this is a device completely out of support. Which confirms the public information I found when I started looking into this device. This was all related to the course in hardware hacking I took and applying the new knowledge. So now I can look back on this experience and think about my future here. Hardware hacking has serious links to my current job as technical security specialist. In my work I regularly have to look at vulnerabilities and assess the chance and impact of misuse of the vulnerability. With hardware hacking I find vulnerabilities by researching hardware. This helps me understand the chance and impact factor of other vulnerabilities. There is also a link to my education: part of that was MTS electronics. I learned how to solder, before SMD components were a thing and I think I got some explanation about switching mode power supplies at the end. As I got into computers I didn't do much with this education but the last years in amateur radio have made me get out the soldering iron again. There is a clear link to my hobby of amateur radio. My interest in amateur radio is linked to wanting to know how things actually work. Hardware hacking is also done with RF signals so I may get into more RF related hardware hacking. My current thought is that I want to continue in this subject. It's given me joy: getting into a device in new and unexpected ways gives joy! I have learned new things. I noticed I need to feed the brain regularly with new information and actually learning something new is much better brainfood than browsing social media. At the same time social media is the way to learn more about this subject and interact with other people interested in this subject. I ended up on /r/hardwarehacking on reddit and already learned from others and shared some of my own insights! There is the thing about RFID/NFC security. I have looked into this in the past, mostly by getting the tools to peek into the MiFare classic cards. I am considering going further with this area of hardware hacking. Prices of hacking tools for this area like the proxmark3 or the flipper zero are above the 'nice to try a few things' level. On the other hand I think I could have loads of fun there, and the overlap with amateur radio is very clear. At the end of this bit of writing: thanks to people who share their hardware hacking experiences on-line! Thanks to Jilles Groenendijk, Router Archeology: Sitecom WL-330 - Habbie's journal, @Flashback Team on youtube, Make Me Hack on youtube, and Boschko Security for sharing their stories and knowledge.
2022-07-14 Don't use mifare classic cards for stored value
More than 11 years ago I wrote about the Magna Carta card systems for access / payment and the use of the mifare classic (in Dutch). I found a strong statement on the Magna Carta website back then that using mifare classic for stored value was a really bad idea, since the encryption on the card is broken. It's now 2022 and I read MIFARE Cracking about a company using a mifare classic for stored value which shows the steps from discovering what type of card that company uses to the option of manipulating the stored monetairy value on the card. Found via Travis Goodspeed on twitter - A practical article on cloning a Mifare Classic employee badge to tamper with the snack machine.
2022-07-02 Checking hotel keycard security
For the first time in years I was staying in a hotel again for one night. The key for the hotel was a creditcard sized plastic card so I assumed immediately it was an RFID based card. Years ago I would have needed my linux laptop and the touchatag NFC reader to understand more about the keycard, but we're in some form of the future now, so I used NFC taginfo by NXP on my phone and held the keycard up to the phone. The taginfo app made the happy noise and told me it was an NXP mifare classic card. The app even told me most sectors had a default key of FF:FF:FF:FF:FF:FF. One sector was not accessible due to a different key but with mfoc (Mifare Classic offline cracker) or one of the other attacks on the Mifare classic I could probably get access to that sector. So in theory with something like the proxmark I could clone keycards of other visitors. Or clone the keycard of the cleaning crew which gives a lot more access. Update: A bit of searching finds this: Researchers Find Way to Create Master Keys to Hotels - F-Secure Blog. I don't know if the lock I looked at is the same system as the system in this article.
2022-01-21 Looking at RFID cards and NFC again
I haven't done anything with NFC in ages. Almost three years ago I dug up my knowledge again and learned about UID changeable cards and before that the last real digging into RFID was 11 years ago: Interesting development with the magna carta rfid card. Anyway, my interest is renewed due to several factors, with "just looking for something to learn about and enjoy the process" as main one. As a first step I dug up my trusty touchatag reader and the collection of RFID tokens/cards. The touchatag reader still doesn't see any of the collected ski passes so I guess those are for other frequencies. The collection of RFID tokens includes a number of one-use public transport tickets. Those are based on Mifare Ultralight "MF0ICU1" according to NXP TagInfo. The little bit that annoys me is that NXP TagInfo manages to list the transport company and the transaction date/time while I can't find any listing of the fields in a Mifare Ultralight for transport use online on a first search. Later searches (see below) give a lot more! So I have to do some digging myself. And maybe get a few more recent one-time-use public transport tickets to get an idea.Read the rest of Looking at RFID cards and NFC again
2020-11-17 Mifare classic is still insecure... and still in use
I came across Using MIFARE Classic in 2020 - revk which statesSo please, do not use MIFARE Classic as if they are secure!and I couldn't agree more. There seem to be newer attacks that are even faster to crack the keys, which I will give a try soon.
2019-03-08 Nieuwe experimenten met RFID kaarten
Na mijn experimenten met RFID kaarten in 2011 heb ik er een tijd niets aan gedaan. Het afgelopen half jaar kwam het onderwerp weer op door wat beveiligingsvragen rond RFID kaarten en heb ik weer de software uitgezocht. Naast de linux tools is RFID support onder Android nu ook normaal en ik heb ontdekt dat NFC TagInfo by NXP prima software is om snel een kaart te onderzoeken. Bij sommige MiFare classic kaarten geeft deze software dan al een melding dat er standaard bekende sleutels ('factory default keys') gebruikt worden. In vergelijking met 2011 is het wel anders dat Mifare classic kaarten met een wijzigbare UID (uniek kaartnummer) gewoon te koop zijn (zoek op 'UID changeable card') en de wijziging kan met nfc-mfsetuid wat onderdeel is van libnfc en dus bij een moderne linux uit package libnfc-examples komt. Een complete clone van een mifare classic kaart is dus prima mogelijk, zie bijvoorbeeld deze beschrijving: Cloning Mifare 1K cards (engelstalig).
2015-02-16 Non-unique RFID Unique numbers
I recently learned that more than one Android mobile phone with NFC support has the same Unique ID: 01020304 (hex). If you want to use RFID tokens for authentication for certain tasks and let users bring their own tokens you need to block this specific not so unique ID. Together with the fact that there are cards on the market where you can change the UID this means depending on an RFID UID only for authentication needs a serious risk assessment. But gaining access to more information on an ISO/IEC 14443 RFID device means that you either have to set the rules for the card (and probably pay for it) or make a rule for every type of card you find and still have issues.
In the UK the first tests are done with contactless payments based on RFID. According to the specifications eavesdropping on the transaction signals should not be possible from further than 10 centimeters. And predictably radio signals don't follow specifications: At a distance of 45 centimeter the data was received using equipment which could be hid in a backpack in a shopping trolley. Via Contactless cards: data intercepted - Southgate Amateur Radio News
2013-08-07 (#)Items with tag rfid before 2013-08-07
Yet another flawed mifare in public transport implementation: Hackers Expose Security Holes That Allow 'Free Rides for Life' - mashable.com. This time the city of Turin in Italy implemented a ticket system based on Mifare Ultralights. Original Mifare Ultralight tags are not very secure (there is no crypto involved at all) and the spread of NFC enabled systems (such as smartphones) can turn simple vulnerabilities into widespread system failures. Interesting to me is that the earlier vulnerabilities in Mifare systems in the Netherlands and England aren't mentioned in this article.