News items for tag rfid - Koos van den Hout

2023-08-16 Mifare classic 1k: keys found in 5 seconds with the proxmark3
Somebody gave me a tag 'once used to access the bicycle parking at work' because of my interest in RFID tags. So I checked the tag with the proxmark3 and the proxmark3 had no trouble finding the keys and getting full access in very little time.

I made sure that these tags are no longer used, because otherwise I would have had a good argument to replace that system fast! And they are indeed deprecated, which also means I can write about my experiences without causing new risks.

It's already known that the mifare classic is insecure, no news here. But seeing how fast a current proxmark3 can find the keys and dump the contents of the card with full access confirms this insecurity again.

First I tried seeing what kind of tag this was:
[usb|script] pm3 --> hf search

[+]  UID: 6A BB 43 5C 
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: weak
[#] Auth error
[?] Hint: try `hf mf` commands

[+] Valid ISO 14443-A tag found

[usb|script] pm3 --> hf mf list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 68 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                  
                         | CRC | Annotation
          0 |       2048 | Rdr |0d  37  21! 92  f2                                                       |  !! | 
      32544 |      34592 | Rdr |5d  37  21! 71! 71                                                       |  !! | 
      35808 |      36064 | Rdr |a1(1)                                                                    |     | 
      37088 |      37344 | Rdr |a3(1)                                                                    |     | 
      38368 |      38624 | Rdr |a5(1)                                                                    |     | INCR(0)
      39648 |      39904 | Rdr |a7(1)                                                                    |     | 
So far I've read the public information the card gives to any compatible NFC reader.

2023-07-05 Writing to new Mifare Ultralight tags
My earlier failure with an RFID T5577 tag that came with the proxmark3 made me order a bunch of new ones via 10 Pcs T5577 writable RFID tag, and while I was browsing that store I found 100 pcs ntag213 NFC sticker. I had some ideas for Mifare Ultralight tags, starting with failing to convert used public transport tickets to NDEF tags.

Today the package came in and the first thing I wanted to do was set up a Mifare Ultralight as an NDEF tag. The fun part is that the tag was already set up that way, so with NXP TagWriter for Android it was really easy to put a data set with a URL on a tag. Full log below.

The downside is that the tag can't be reset to use for other things than NDEF tag, since the NDEF identifier is in the one-time-programmable bits. An attempt to zero out these bits on a tag indeed failed. Reading the NT2H1311G0DU datasheet makes me realize this is as intended and matches the 'ntag213' in the description.

The fun part is that scanning the tag with my Samsung phone opens the URL, no questions asked. This behaviour inspired me to set up a tag to link to the 2023 version of the Rickroll. I see security implications in just opening a URL without letting the user decide whether this is a good idea.

2023-06-30 Trying to recycle mifare ultralight cards as NDEF tags.. and failing
While working with the other NFC tags I had a crazy idea: what if I can 'recycle' used one-time public transport tickets as NDEF tags. The one-time public transport tickets are mifare ultralight tags just like the touchatag tag.

2023-06-29 RFID cards and the proxmark3: skidata ski card from Geilo Norway 2015
In March 2015 we went on a ski trip to Geilo ski area in Norway. And I kept two ski cards. Time to analyze them with the proxmark3.
[usb] pm3 --> hf search 
 🕖  Searching for ISO15693 tag...            
[+]  UID: E0 16 24 66 07 50 CE 09
[+] TYPE: EM-Marin SA (Skidata); EM4233 [IC id = 09] 23,5pF CustomerID-102

[+] Valid ISO 15693 tag found

[usb] pm3 --> hf 15 info                      

[+]  UID: E0 16 24 66 07 50 CE 09
[+] TYPE: EM-Marin SA (Skidata); EM4233 [IC id = 09] 23,5pF CustomerID-102
[+] Using UID... E0 16 24 66 07 50 CE 09

[=] --- Tag Information ---------------------------
[=] -------------------------------------------------------------
[+]       TYPE: EM-Marin SA (Skidata); EM4233 [IC id = 09] 23,5pF CustomerID-102
[+]        UID: E0 16 24 66 07 50 CE 09
[+]    SYSINFO: 00 0F 09 CE 50 07 66 24 16 E0 02 00 33 03 02 
[+]      - DSFID supported        [0x02]
[+]      - AFI   supported        [0x00]
[+]      - IC reference supported [0x02]
[+]      - Tag provides info on memory layout (vendor dependent)
[+]            4 (or 3) bytes/blocks x 52 blocks


2023-06-15 Going through the stack of old RFID cards with the proxmark3: touchatag tags
Touchatag RFID tags in bag
I've been interested in RFID and RFID security for years; the first post on my website is from 2010: I found out this week that the rfid card my employer uses to give out coffee is also a mifare classic card. Since that moment I have collected all kinds of contactless cards with the idea to check into their security. Mostly from our wintersport holidays, since ski passes use RFID technology to make reading them easy on the slopes.

Now the time has come to check my collection with the proxmark3. The simple approach is to scan for tags with lf search or hf search.

Touchatag tags

In 2010 these were a great idea to put tags on products. These are Mifare Ultralight MF0ICU1:
[usb] pm3 --> hf mfu info 

[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+]       TYPE: MIFARE Ultralight (MF0ICU1)  
[+]        UID: 04 C8 54 19 3E 25 80 
[+]     UID[0]: 04, NXP Semiconductors Germany
[+]       BCC0: 10 ( ok )
[+]       BCC1: 82 ( ok )
[+]   Internal: 48 ( default )
[+]       Lock: FF 7F  - 1111111101111111
[+] OneTimePad: E1 10 06 00  - 11100001000100000000011000000000

2023-06-02 Playing with a Proxmark3
It's been a while since I played with rfid technology but recently some news around LF cards has made me interested again. The proxmark3 is the best device for going deep with rfid technology so I considered buying one.

Reading various sources about the availability of proxmark3 hardware taught me that the latest and greatest version (currently Proxmark3 RDV4) does not have a lot of advantages over the previous version (RDV3), which is available at seriously lower prices from several webshops. So I ordered one via AliExpress and the wait started.

Today the proxmark3 came in. I built the software for Linux using the guide at proxmark3 Linux Installation Instructions where I noticed I had to add packages libbz2-dev and gcc-arm-none-eabi by hand to get things to compile/build correctly.

After doing the firmware upgrade dance I started testing and looking around. The proxmark3 detects 125 kHz (LF) and 13.56 MHz (HF) cards fine. With the order came a blank card which is both a 13.56 MHz Mifare 1K with changeable UID and a 125 kHz T5577. There were also two small keyring tags, a mifare 1K and a mifare 4K.

First attempts

The proxmark3 shows information for all the cards I tried. To my surprise the skipass from our last ski trip to Austria was an HF only card, I thought ski passes used 125 kHz technology so they could be read through jackets or other layers more easily. It's an ISO 15693 tag and I can access all data easily.
[usb] pm3 --> hf search 
 🕗  Searching for ISO15693 tag...            
[+]  UID: E0 16 24 66 09 99 B3 70
[+] TYPE: EM-Marin SA (Skidata); EM4233 [IC id = 09] 23,5pF CustomerID-102

[+] Valid ISO 15693 tag found
[usb] pm3 --> hf 15 info

[+]  UID: E0 16 24 66 09 99 B3 70
[+] TYPE: EM-Marin SA (Skidata); EM4233 [IC id = 09] 23,5pF CustomerID-102
[+] Using UID... E0 16 24 66 09 99 B3 70

[=] --- Tag Information ---------------------------
[=] -------------------------------------------------------------
[+]       TYPE: EM-Marin SA (Skidata); EM4233 [IC id = 09] 23,5pF CustomerID-102
[+]        UID: E0 16 24 66 09 99 B3 70
[+]    SYSINFO: 00 0F 70 B3 99 09 66 24 16 E0 02 00 33 03 02 
[+]      - DSFID supported        [0x02]
[+]      - AFI   supported        [0x00]
[+]      - IC reference supported [0x02]
[+]      - Tag provides info on memory layout (vendor dependent)
[+]            4 (or 3) bytes/blocks x 52 blocks
As all the tag readers in that ski area are on-line anyway, I guess the card is just a big serial number and all the checking whether the user isn't trying to do something that wasn't paid for is done in central computers.

First error

While trying to clone an LF card into the T5577 I managed to make the T5577 card end up in a weird state: it now only returns 0x0000 or 0xFFFF patterns on read depending on the communication configuration.

2022-12-14 Making a CTF challenge with an NFC tag
On 9 December this year the annual SURFcert Capture The Flag (CTF) event took place. The end result is that team "I'm not a robot" from Radboud University Nijmegen won with the most points.

When I participate in a CTF, I like to keep notes and write about my experiences and what I learned solving the challenges. Being on the 'other' side creating the challenges is as much fun, but while creating the challenges you have to be really silent about it. For me personally it is extra challenging because one of the regular SURFcert CTF players works with me in the same team.

But sometimes designing a challenge and making it happen gives the same great feeling as actually solving it! This was the case with the challenge that ended up as Scan the radio on the SURFcert CTF. The name of the challenge was somewhat confusing by design: there was a challenge which was designed to make people use a 1990s style ghettoblaster radio, there was a challenge mentioning 'broadcast' which was actually about names of wifi networks and this challenge. All three were marked 'physical' with a description of the challenge.

For this challenge I wanted to create an NFC tag that could be read easily. I found out information can be put in NFC tags using the NDEF standard (NFC Data Exchange Format) which has options to embed URLs, options to start certain apps or simple strings. I wanted a simple string with a flag as our flag format was SCF2022- plus 32 characters uppercase. I found out the developer of proxmark is working on NDEF support but it is all quite new.

At this point I was worried I had to write my own code and use parts from a fresh library to get an NDEF message on a card. I did bring some MiFare classic cards home to test on. But searching for information I came across NDEF and Magic Mifare Cards with the very important remark:
My suggestion would be to get an Android phone with nxp reader chip (there are many) and use tagwriter from NXP to format and write ndef data to the Mifare classic chip.
I do have NFC TagWriter by NXP on a smartphone, I just haven't used it a lot.

And indeed it was really easy to create an NDEF dataset with a string, write this to a MiFare classic and read this with an Android phone with NFC support, even without opening the NXP TagInfo application.

So that was an easy challenge to make, a lot easier than I first thought. Or was it? The final test would be to read this on an Apple iPhone too.

And there came the snag: the Apple iPhone doesn't work with MiFare classic tags somehow. But the person who helped me test it had another tag with an NDEF message on it, and that worked fine. So the conclusion was that another type of tag would work better. Luckily one of the other people of the team creating the SURFcert CTF has a big collection of NFC tags and it turned out the tag given out by Tweakers reads fine on Android and iPhone.

So that's how the 'scan the radio' challenge was to notice the clearly not from 1992 tweakers tag on the ghettoblaster radio, scan it with the standard NFC support in a smartphone or use NXP TagInfo and find the flag.

While creating this challenge I also tried writing information to the tags which were given out / sold about 15 years ago which looked like a circle with a hex serial number. I always assumed they were just a serial number to look up in a database. But they turned out to be actual NDEF tags with the hex serial number on the outside as an URL:

For the tag with 04B7CC193E2580 on the outside:
protocol 01 http://www uri field

But has changed owners since this was active and it's now redirecting to which is a real-estate agent in Spain. I guess everybody who scans a round tag with a serial number wonders how they end up with a real-estate agent.

2022-11-18 Current thoughts on hardware hacking
Corinex CXWC-HD200-WNeH uart connected
Picture by Koos van den Hout, license CC-BY-SA
I closed the case of a vulnerability in the Corinex CXWC-HD200-WNeH with a confirmation from the vendor that this is a device completely out of support. Which confirms the public information I found when I started looking into this device. This was all related to the course in hardware hacking I took and applying the new knowledge.

So now I can look back on this experience and think about my future here. Hardware hacking has serious links to my current job as technical security specialist. In my work I regularly have to look at vulnerabilities and assess the chance and impact of misuse of the vulnerability. With hardware hacking I find vulnerabilities by researching hardware. This helps me understand the chance and impact factor of other vulnerabilities.

There is also a link to my education: part of that was MTS electronics. I learned how to solder, before SMD components were a thing and I think I got some explanation about switching mode power supplies at the end. As I got into computers I didn't do much with this education but the last years in amateur radio have made me get out the soldering iron again.

There is a clear link to my hobby of amateur radio. My interest in amateur radio is linked to wanting to know how things actually work. Hardware hacking is also done with RF signals so I may get into more RF related hardware hacking.

My current thought is that I want to continue in this subject. It's given me joy: getting into a device in new and unexpected ways gives joy! I have learned new things. I noticed I need to feed the brain regularly with new information and actually learning something new is much better brainfood than browsing social media. At the same time social media is the way to learn more about this subject and interact with other people interested in this subject. I ended up on /r/hardwarehacking on reddit and already learned from others and shared some of my own insights!

There is the thing about RFID/NFC security. I have looked into this in the past, mostly by getting the tools to peek into the MiFare classic cards. I am considering going further with this area of hardware hacking. Prices of hacking tools for this area like the proxmark3 or the flipper zero are above the 'nice to try a few things' level. On the other hand I think I could have loads of fun there, and the overlap with amateur radio is very clear.

At the end of this bit of writing: thanks to people who share their hardware hacking experiences on-line! Thanks to Jilles Groenendijk, Router Archeology: Sitecom WL-330 - Habbie's journal, @Flashback Team on youtube, Make Me Hack on youtube, and Boschko Security for sharing their stories and knowledge.

2022-07-14 Don't use mifare classic cards for stored value
More than 11 years ago I wrote about the Magna Carta card systems for access / payment and the use of the mifare classic (in Dutch). I found a strong statement on the Magna Carta website back then that using mifare classic for stored value was a really bad idea, since the encryption on the card is broken.

It's now 2022 and I read MIFARE Cracking about a company using a mifare classic for stored value, which shows the steps from discovering what type of card that company uses to the option of manipulating the stored monetary value on the card.

Found via Travis Goodspeed on twitter - A practical article on cloning a Mifare Classic employee badge to tamper with the snack machine.

2022-07-02 Checking hotel keycard security
For the first time in years I was staying in a hotel again for one night. The key for the hotel was a creditcard sized plastic card so I assumed immediately it was an RFID based card.

Years ago I would have needed my linux laptop and the touchatag NFC reader to understand more about the keycard, but we're in some form of the future now, so I used NFC taginfo by NXP on my phone and held the keycard up to the phone.

The taginfo app made the happy noise and told me it was an NXP mifare classic card. The app even told me most sectors had a default key of FF:FF:FF:FF:FF:FF. One sector was not accessible due to a different key but with mfoc (Mifare Classic offline cracker) or one of the other attacks on the Mifare classic I could probably get access to that sector.

So in theory with something like the proxmark I could clone keycards of other visitors. Or clone the keycard of the cleaning crew which gives a lot more access.
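Once the keys are known, whether recovered by the proxmark3 in seconds as in the first post on this page or simply read off the card as FF:FF:FF:FF:FF:FF as here, the practical question is what they allow: which sectors anyone can write, and whether there is a value block in one of them. The following is an added example, not the page author's code and not proxmark3 or mfoc code: it audits a 1K dump in the 64 x 16 byte layout those tools write, flags well-known default keys, verifies and decodes the access bits of every sector trailer (including the rule that a readable key B cannot authenticate) and decodes value blocks. The dump at the bottom is constructed: the UID is the one from the first post, the sector 1 keys are invented placeholders, and the stored value in sector 2 is made up. The default-key list is a small subset of what a dictionary attack tries.

```python
"""Audit a MIFARE Classic 1K dump (64 blocks x 16 bytes, the layout written by
the proxmark3 'hf mf dump' and by mfoc): list the keys of every sector, flag
well-known default keys, verify and decode the access bits in each sector
trailer and decode value blocks. Added example, not the page author's code; the
dump at the bottom is constructed (UID from the first post on this page, the
sector 1 keys are invented placeholders)."""

# Keys every dictionary attack tries first; a sector behind one of these is open.
DEFAULT_KEYS = {bytes.fromhex(k) for k in
                ("FFFFFFFFFFFF", "000000000000", "A0A1A2A3A4A5", "D3F7D3F7D3F7")}

# Which key may write a data block, indexed by the block's (C1, C2, C3) bits.
DATA_WRITE = {(0, 0, 0): "A|B", (0, 1, 0): "never", (1, 0, 0): "B", (1, 1, 0): "B",
              (0, 0, 1): "never", (0, 1, 1): "B", (1, 0, 1): "never", (1, 1, 1): "never"}
# Trailer conditions under which key B is readable, so it cannot authenticate.
KEY_B_IS_DATA = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}


def decode_access_bits(ac):
    """Decode trailer bytes 6-8 into {block: (C1, C2, C3)}. Each nibble is also
    stored inverted; a mismatch makes a real card refuse the whole sector."""
    b6, b7, b8 = ac
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    if (~b6 & 0xF, (~b6 >> 4) & 0xF, ~b7 & 0xF) != (c1, c2, c3):
        raise ValueError("inconsistent access bits " + ac.hex())
    return {blk: ((c1 >> blk) & 1, (c2 >> blk) & 1, (c3 >> blk) & 1) for blk in range(4)}


def decode_value_block(block):
    """Return the value of a MIFARE value block (value, ~value, value, addr
    pattern), or None if the block is not in that format."""
    v, v_inv, v2, a = block[0:4], block[4:8], block[8:12], block[12:16]
    if v_inv != bytes(x ^ 0xFF for x in v) or v2 != v:
        return None
    if not (a[0] == a[2] and a[1] == a[3] and a[1] == a[0] ^ 0xFF):
        return None
    return int.from_bytes(v, "little", signed=True)


def audit_dump(dump):
    """Yield one finding per sector: keys, which of them are defaults, which data
    blocks anyone holding a default key may write, and decoded value blocks."""
    if len(dump) != 64 * 16:
        raise ValueError("expected a 1K dump of 1024 bytes")
    blocks = [dump[i:i + 16] for i in range(0, len(dump), 16)]
    for s in range(16):
        trailer = blocks[4 * s + 3]
        key_a, ac, key_b = trailer[0:6], trailer[6:9], trailer[10:16]
        cond = decode_access_bits(ac)
        open_keys = {"A"} if key_a in DEFAULT_KEYS else set()
        if key_b in DEFAULT_KEYS and cond[3] not in KEY_B_IS_DATA:
            open_keys.add("B")
        writable, values = {}, {}
        for blk in range(3):
            if s == 0 and blk == 0:      # manufacturer block, read-only on genuine cards
                continue
            who = DATA_WRITE[cond[blk]]
            writable[blk] = who != "never" and bool(open_keys & set(who.split("|")))
            v = decode_value_block(blocks[4 * s + blk])
            if v is not None:
                values[blk] = v
        yield {"sector": s, "key_a": key_a.hex().upper(), "key_b": key_b.hex().upper(),
               "default_keys": sorted(open_keys), "writable_by_anyone": writable,
               "values": values}


# ---- constructed sample dump ------------------------------------------------
def _sector(key_a, ac, key_b, data=bytes(48)):
    """Three data blocks followed by the trailer: key A | access bits | 0x69 | key B."""
    return data + bytes.fromhex(key_a) + bytes.fromhex(ac) + b"\x69" + bytes.fromhex(key_b)


def value_block(value, addr):
    vb = value.to_bytes(4, "little", signed=True)
    return vb + bytes(x ^ 0xFF for x in vb) + vb + bytes([addr, addr ^ 0xFF, addr, addr ^ 0xFF])


TRANSPORT = ("FFFFFFFFFFFF", "FF0780", "FFFFFFFFFFFF")               # factory configuration
MANUFACTURER = bytes.fromhex("6ABB435CCE0804000000000000000000")   # UID, BCC, SAK, ATQA, filler
SAMPLE_DUMP = (
    _sector(*TRANSPORT, data=MANUFACTURER + bytes(32))            # sector 0
    + _sector("1A2B3C4D5E6F", "787788", "6F5E4D3C2B1A")           # sector 1: own keys, write with B only
    + _sector(*TRANSPORT, data=value_block(350, 8) + bytes(32))   # sector 2: stored value behind a default key
    + b"".join(_sector(*TRANSPORT) for _ in range(13))            # sectors 3-15 untouched
)

if __name__ == "__main__":
    for f in audit_dump(SAMPLE_DUMP):
        if f["default_keys"] or f["values"]:
            print(f)
```

Sector 1 in the sample is the "one sector not accessible" case: its keys are not in the dictionary and the 78 77 88 access bits let only key B write the data blocks, so a known key A alone does not help. Sector 2 is the stored-value case: the value block sits behind the factory key and transport access bits, so anyone with a reader can rewrite it, which is exactly why the stored-value posts on this page say not to do that.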

Update: A bit of searching finds this: Researchers Find Way to Create Master Keys to Hotels - F-Secure Blog. I don't know if the lock I looked at is the same system as the system in this article.


My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.