Somebody gave me a tag 'once used to access the bicycle parking at work'
because of my interest in RFID tags. So I checked the tag with the proxmark3
and the proxmark3 had no trouble finding the keys and getting full access
in very little time.
I made sure that these tags are no longer used because otherwise I had a good
argument to replace that system fast! And they are indeed deprecated, which
also means I can write about my experiences without causing new risks.
It's already known the mifare classic is insecure, no news here. But seeing
how fast a current proxmark3 can find the keys and dump the contents of
the card with the full access confirms this insecurity again.
First I tried seeing what kind of tag this was:
[usb|script] pm3 --> hf search
[+] UID: 6A BB 43 5C
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: weak
[#] Auth error
[?] Hint: try `hf mf` commands
[+] Valid ISO 14443-A tag found
[usb|script] pm3 --> hf mf list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 68 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)
Start | End | Src | Data (! denotes parity error)
| CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 2048 | Rdr |0d 37 21! 92 f2 | !! |
32544 | 34592 | Rdr |5d 37 21! 71! 71 | !! |
35808 | 36064 | Rdr |a1(1) | |
37088 | 37344 | Rdr |a3(1) | |
38368 | 38624 | Rdr |a5(1) | | INCR(0)
39648 | 39904 | Rdr |a7(1) | |
So far I've read the public information the card gives to any compatible
NFC reader.
My earlier failure with an RFID T5577 tag that came with the proxmark3
made me order a bunch of new ones via 10 Pcs T5577 writable RFID tag and while I was
browsing that store I found 100 pcs ntag213 NFC sticker and I had some ideas for Mifare
Ultralight tags, starting with
failing to convert used public transport tickets to NDEF tags.
Today the package came in and the first thing I wanted to do was set up an
Mifare Ultralight as NDEF tag. The fun part is the tag was already set up
that way, so with NXP tagwriter for Android it was really easy to put a
data set with an URL on a tag. Full log below.
The downside is that the tag can't be reset to use for other things than NDEF
tag, since the NDEF identifier is in the one-time-programmable bits. An attempt
to zero out these bits on a tag indeed failed. Reading the NT2H1311G0DU
datasheet makes me realize this is as intended and matches the 'ntag213' in
the description.
The fun part is that scanning the tag with my samsung phone opens the url,
no questions asked. This behavior inspired me to set up a tag to link to the
2023 version of the Rickroll. I see security implications from just opening
a URL without letting the user decide whether this is a good idea.
While working with the other NFC tags I had a crazy idea: what if I can
'recycle' used one-time public transport tickets as NDEF tags. The one-time
public transport tickets are mifare ultralight tags just like the
touchatag tag.
I've been interested in RFID and RFID security for years, the first post
on my website is from 2010: I found out this week that the rfid card my employer uses to give out coffee is also a mifare classic card.
Since that moment I collected all kinds of contactless cards with the idea
to check into their security. Mostly from our wintersport holidays since ski
passes use rfid technology to make reading them on wintersport easy.
Now the time has come to check my collection with the proxmark3. The simple
approach is to scan for tags with lf search or hf search.
Touchatag tags
In 2010 these were a great idea to put tags on products. These are Mifare
Ultralight MF0ICU1:
It's been a while since I played with rfid technology but recently some news
around LF cards has made me interested again. The proxmark3 is the best
device for going deep with rfid technology so I considered buying one.
Reading various sources about the availability of proxmark3 hardware taught
me the latest and greatest version (currently Proxmark3 RDV4) has not a lot
of advantages over the previous version (RDV3) which is available at
seriously lower prices from several webshops. So I ordered one using
aliexpress and the wait started.
Today the proxmark3 came in. I built the software for Linux using the
guide at proxmark3 Linux Installation Instructions
where I noticed I had to add packages libbz2-dev and
gcc-arm-none-eabi by hand to get things to compile/build correctly.
After doing the firmware upgrade dance I started testing and looking around.
The proxmark3 detects 125 kHz (LF) and 13.56 MHz (HF) cards fine. With the
order came a blank card which is both a 13.56 MHz Mifare 1K with changeable UID
and a 125 kHz T5577. There were also two small keyring tags, a mifare 1K and a
mifare 4K.
First attempts
The proxmark3 shows information for all the cards I tried. To my surprise the
skipass from our last ski trip to Austria was an HF only card, I thought ski
passes used 125 kHz technology so they could be read through jackets or other
layers more easily. It's an ISO 15693 tag and I can access all data easily.
[usb] pm3 --> hf search
🕗 Searching for ISO15693 tag...
[+] UID: E0 16 24 66 09 99 B3 70
[+] TYPE: EM-Marin SA (Skidata); EM4233 [IC id = 09] 23,5pF CustomerID-102
[+] Valid ISO 15693 tag found
[usb] pm3 --> hf 15 info
[+] UID: E0 16 24 66 09 99 B3 70
[+] TYPE: EM-Marin SA (Skidata); EM4233 [IC id = 09] 23,5pF CustomerID-102
[+] Using UID... E0 16 24 66 09 99 B3 70
[=] --- Tag Information ---------------------------
[=] -------------------------------------------------------------
[+] TYPE: EM-Marin SA (Skidata); EM4233 [IC id = 09] 23,5pF CustomerID-102
[+] UID: E0 16 24 66 09 99 B3 70
[+] SYSINFO: 00 0F 70 B3 99 09 66 24 16 E0 02 00 33 03 02
[+] - DSFID supported [0x02]
[+] - AFI supported [0x00]
[+] - IC reference supported [0x02]
[+] - Tag provides info on memory layout (vendor dependent)
[+] 4 (or 3) bytes/blocks x 52 blocks
As all the tag readers in that ski area are on-line anyway, I guess the card
is just a big serial number and all the checking whether the user isn't trying
to do something that wasn't paid for is done in central computers.
First error
While trying to clone an LF card into the T5577 I managed to make the T5577
card end up in a weird state: it now only returns 0x0000 or 0xFFFF patterns
on read depending on the communication configuration.
On 9 December this year was the annual SURFcert Capture The Flag (CTF) event.
The end result is that team "I'm not a robot" from Radbout University Nijmegen won
with the most points.
When I participate in a CTF, I like to keep notes and write about my
experiences and what I learned solving the challenges. Being on the 'other'
side creating the challenges is as much fun, but while creating the challenges
you have to be really silent about it. For me personally it is extra
challenging because one of the regular SURFcert CTF players works with me in
the same team.
But sometimes designing a challenge and making it happen gives the same great
feeling as actually solving it! This was the case with the challenge that
ended up as Scan the radio on the SURFcert CTF. The name of
the challenge was somewhat confusing by design: there was a challenge which
was designed to make people use a 1990s style ghettoblaster radio,
there was a challenge mentioning 'broadcast' which was actually about
names of wifi networks and this challenge. All three were marked 'physical'
with a description of the challenge.
For this challenge I wanted to create an NFC tag that could be read easily.
I found out information can be put in NFC tags using the NDEF standard (NFC
Data Exchange Format) which has options to embed URLs, options to start
certain apps or simple strings. I wanted a simple string with a flag as
our flag format was SCF2022- plus 32 characters uppercase. I found out the
developer of proxmark is working on NDEF support but it is all quite new.
At this point I was worried I had to write my own code and use parts from a
fresh library to get an NDEF message on a card. I did bring some MiFare classic
cards home to test on. But searching for information I came across
NDEF and Magic Mifare Cards with the very important remark:
My suggestion would be to get an Android phone
with nxp reader chip (there are many) and use tagwriter from NXP to format and
write ndef data to the Mifare classic chip.
I do have NFC TagWriter by NXP
on a smartphone, I just haven't used it a lot.
And indeed it was really easy to create an NDEF dataset with a string,
write this to a MiFare classic and read this with an Android phone with NFC
support, even without opening the NXP TagInfo application.
So that was an easy challenge to make, a lot easier than I first thought.
Or was it? The final test would be to read this on an Apple iphone too.
And there came the snag, the Apple iphone doesn't work with MiFare classic
tags somehow. But the person who helped me test it had another tag with an
NDEF message on it, and that worked fine. So the conclusion was that another
type of tag would work better. Luckily one of the other people of the team
creating the SURFcert CTF has a big collection of NFC tags and it turned
out the tag given out by Tweakers reads fine on Android and iphone.
So that's how the 'scan the radio' challenge was to notice the clearly not
from 1992 tweakers tag on the ghettoblaster radio, scan it with the standard
NFC support in a smartphone or use NXP TagInfo and find the flag.
While creating this challenge I also tried writing information to the tags
which were given out / sold about 15 years ago which looked like a circle with
a hex serial number. I always assumed they were just a serial number to look up
in a database. But they turned out to be actual NDEF tags with the hex serial
number on the outside as an URL:
For the tag with 04B7CC193E2580 on the outside: protocol 01 http://wwwuri field ttag.be/m/04B7CC193E2580
But ttag.be has changed owners since this was active and it's now
redirecting to 609.es which is a real-estate agent in Spain. I guess
everybody who scans a round tag with a serial number wonders how they end up
with a real-estate agent.
I closed the case of a vulnerability in the Corinex CXWC-HD200-WNeH
with a confirmation from the vendor that this is a device completely out of
support. Which confirms the public information I found
when I started looking into this device.
This was all related to the course in hardware hacking I took and applying
the new knowledge.
So now I can look back on this experience and think about my future here.
Hardware hacking has serious links to my current job as technical security
specialist. In my work I regularly have to look at vulnerabilities and assess
the chance and impact of misuse of the vulnerability. With hardware hacking
I find vulnerabilities by researching hardware. This helps me understand the
chance and impact factor of other vulnerabilities.
There is also a link to my education: part of that was MTS electronics. I
learned how to solder, before SMD components were a thing and I think I got
some explanation about switching mode power supplies at the end. As I got into
computers I didn't do much with this education but the last years in amateur
radio have made me get out the soldering iron again.
There is a clear link to my hobby of amateur radio. My interest in amateur
radio is linked to wanting to know how things actually work. Hardware hacking
is also done with RF signals so I may get into more RF related hardware
hacking.
My current thought is that I want to continue in this subject. It's given me
joy: getting into a device in new and unexpected ways gives joy! I have learned
new things. I noticed I need to feed the brain regularly with new information
and actually learning something new is much better brainfood than browsing
social media. At the same time social media is the way to learn
more about this subject and interact with other people interested in this
subject. I ended up on /r/hardwarehacking on reddit
and already learned from others and shared some of my own insights!
There is the thing about RFID/NFC security. I have looked into this in the
past, mostly by getting the tools to peek into the MiFare classic cards. I am
considering going further with this area of hardware hacking. Prices of hacking
tools for this area like the proxmark3 or the flipper zero are above the 'nice
to try a few things' level. On the other hand I think I could have loads of fun
there, and the overlap with amateur radio is very clear.
At the end of this bit of writing: thanks to people who share their hardware
hacking experiences on-line! Thanks to Jilles
Groenendijk, Router Archeology: Sitecom WL-330 - Habbie's journal,
@Flashback Team on youtube,
Make Me Hack on youtube,
and Boschko Security for sharing
their stories and knowledge.
For the first time in years I was staying in a hotel again for one night.
The key for the hotel was a creditcard sized plastic card so I assumed
immediately it was an RFID based card.
Years ago I would have needed my linux laptop and the touchatag NFC reader
to understand more about the keycard, but we're in some form of the future now,
so I used NFC taginfo by NXP
on my phone and held the keycard up to the phone.
The taginfo app made the happy noise and told me it was an NXP mifare classic
card. The app even told me most sectors had a default key of
FF:FF:FF:FF:FF:FF. One sector was not accessible due to a different
key but with mfoc (Mifare Classic offline cracker) or one of the other attacks
on the Mifare classic I could probably get access to that sector.
So in theory with something like the proxmark I could clone keycards of other
visitors. Or clone the keycard of the cleaning crew which gives a lot more
access.
Update:
A bit of searching finds this: Researchers Find Way to Create Master Keys to Hotels - F-Secure Blog.
I don't know if the lock I looked at is the same system as the system in this
article.