On 9 December this year the annual SURFcert Capture The Flag (CTF) event took place.
The end result was that team "I'm not a robot" from Radboud University Nijmegen won
with the most points.
When I participate in a CTF, I like to keep notes and write about my
experiences and what I learned solving the challenges. Being on the 'other'
side creating the challenges is just as much fun, but while creating the challenges
you have to keep really quiet about it. For me personally it is extra
challenging because one of the regular SURFcert CTF players is in the same
team at work as I am.
But sometimes designing a challenge and making it happen gives the same great
feeling as actually solving it! This was the case with the challenge that
ended up as 'Scan the radio' on the SURFcert CTF. The name of
the challenge was somewhat confusing by design: there was a challenge which
was designed to make people use a 1990s style ghettoblaster radio,
there was a challenge mentioning 'broadcast' which was actually about
names of wifi networks, and there was this challenge. All three were marked 'physical'
and came with a description of the challenge.
For this challenge I wanted to create an NFC tag that could be read easily.
I found out information can be put in NFC tags using the NDEF standard (NFC
Data Exchange Format), which has record types to embed URLs, to start
certain apps, or to carry simple text strings. I wanted a simple string with a flag, as
our flag format was SCF2022- plus 32 uppercase characters. I found out the
developer of the Proxmark software is working on NDEF support, but it is all quite new.
At this point I was worried I had to write my own code and use parts from a
fresh library to get an NDEF message on a card. I did bring some MiFare classic
cards home to test on. But searching for information I came across
NDEF and Magic Mifare Cards with the very important remark:
My suggestion would be to get an Android phone
with nxp reader chip (there are many) and use tagwriter from NXP to format and
write ndef data to the Mifare classic chip.
I do have NFC TagWriter by NXP
on a smartphone, I just haven't used it a lot.
And indeed it was really easy to create an NDEF dataset with a string,
write this to a MiFare classic and read this with an Android phone with NFC
support, even without opening the NXP TagInfo application.
So that was an easy challenge to make, a lot easier than I first thought.
Or was it? The final test would be to read this on an Apple iPhone too.
And there came the snag: the Apple iPhone doesn't read MiFare classic
tags (MiFare Classic is not one of the NFC Forum tag types, and it is not among the
MiFare families Apple's CoreNFC supports). But the person who helped me test it had another tag with an
NDEF message on it, and that worked fine. So the conclusion was that another
type of tag would work better. Luckily one of the other people of the team
creating the SURFcert CTF has a big collection of NFC tags, and it turned
out the tag given out by Tweakers reads fine on Android and iPhone.
So the 'scan the radio' challenge came down to noticing the Tweakers tag, clearly not
from 1992, on the ghettoblaster radio, scanning it with the standard
NFC support in a smartphone or with NXP TagInfo, and finding the flag.
While creating this challenge I also tried writing information to the tags
which were given out / sold about 15 years ago and looked like a circle with
a hex serial number. I always assumed they were just a serial number to look up
in a database. But they turned out to be actual NDEF tags, with the hex serial
number from the outside also present in a URI record:
For the tag with 04B7CC193E2580 on the outside, NXP TagInfo shows a URI record with
identifier code 01 (the "http://www." prefix) and URI field ttag.be/m/04B7CC193E2580,
so the full URL is http://www.ttag.be/m/04B7CC193E2580.
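As an added example (not code from this post, nor from NXP TagWriter/TagInfo or the Proxmark project), here is a small Python encoder and decoder for the two NDEF record types used above: a Text record carrying a flag, and a URI record of the kind found on the ttag. The flag value is constructed in the SCF2022- format, the prefix table only contains the first entries of the NFC Forum URI identifier-code table (code 0x01 is the "http://www." prefix TagInfo reported), and the record layout follows the NDEF specification: a flags/TNF byte, type length, payload length (one byte for short records), type, payload.

```python
"""NDEF Text and URI records: build a message and decode it again (added example)."""
import struct

# NDEF record header flag bits and the Well-Known TNF used by Text ("T") and URI ("U") records
MB, ME, SR, IL = 0x80, 0x40, 0x10, 0x08
TNF_WELL_KNOWN = 0x01

# Start of the NFC Forum URI identifier-code table; code 0x00 means "no abbreviation".
URI_PREFIXES = {
    0x00: "",
    0x01: "http://www.",
    0x02: "https://www.",
    0x03: "http://",
    0x04: "https://",
    0x05: "tel:",
    0x06: "mailto:",
}


def text_payload(text: str, lang: str = "en") -> bytes:
    """Text RTD payload: status byte (bit 7 = 0 for UTF-8, low 6 bits = language length), language, text."""
    return bytes([len(lang)]) + lang.encode("ascii") + text.encode("utf-8")


def uri_payload(uri: str) -> bytes:
    """URI RTD payload: identifier code for the longest matching prefix, then the rest of the URI."""
    code, prefix = max(
        ((c, p) for c, p in URI_PREFIXES.items() if uri.startswith(p)),
        key=lambda cp: len(cp[1]),
    )
    return bytes([code]) + uri[len(prefix):].encode("utf-8")


def _record(rtype: bytes, payload: bytes, first: bool, last: bool) -> bytes:
    """One record: flags/TNF byte, type length, payload length (1 byte if SR, else 4), type, payload."""
    flags = TNF_WELL_KNOWN | (MB if first else 0) | (ME if last else 0)
    if len(payload) < 256:
        return bytes([flags | SR, len(rtype), len(payload)]) + rtype + payload
    return bytes([flags, len(rtype)]) + struct.pack(">I", len(payload)) + rtype + payload


def build_message(records: list) -> bytes:
    """records: list of (type, payload); MB is set on the first record and ME on the last."""
    return b"".join(
        _record(rtype, payload, i == 0, i == len(records) - 1)
        for i, (rtype, payload) in enumerate(records)
    )


def parse_message(msg: bytes) -> list:
    """Walk the records and decode Text and URI ones; anything else is returned as raw (type, payload)."""
    out, pos = [], 0
    while pos < len(msg):
        flags, type_len = msg[pos], msg[pos + 1]
        pos += 2
        if flags & SR:
            payload_len, pos = msg[pos], pos + 1
        else:
            payload_len, pos = struct.unpack(">I", msg[pos:pos + 4])[0], pos + 4
        id_len = 0
        if flags & IL:
            id_len, pos = msg[pos], pos + 1
        rtype = msg[pos:pos + type_len]
        pos += type_len + id_len            # the optional record ID is skipped
        payload = msg[pos:pos + payload_len]
        pos += payload_len
        if (flags & 0x07) == TNF_WELL_KNOWN and rtype == b"T":
            lang_len = payload[0] & 0x3F
            encoding = "utf-16" if payload[0] & 0x80 else "utf-8"
            out.append(("T", payload[1 + lang_len:].decode(encoding)))
        elif (flags & 0x07) == TNF_WELL_KNOWN and rtype == b"U":
            if payload[0] not in URI_PREFIXES:
                raise ValueError(f"URI identifier code 0x{payload[0]:02x} not in the table above")
            out.append(("U", URI_PREFIXES[payload[0]] + payload[1:].decode("utf-8")))
        else:
            out.append((rtype.decode("latin-1"), payload))
        if flags & ME:
            break
    return out


if __name__ == "__main__":
    flag = "SCF2022-" + "A" * 32                      # constructed flag in the CTF's format
    msg = build_message([
        (b"T", text_payload(flag)),
        (b"U", uri_payload("http://www.ttag.be/m/04B7CC193E2580")),
    ])
    print(msg.hex())
    print(parse_message(msg))
```

The first byte of the message comes out as 0x91 (MB, SR, TNF well-known) and the URI record's payload starts with 0x01, which is exactly the "protocol 01" TagInfo displayed for the ttag. A reader that walks records this way will also cope with a tag that carries more than one record, such as a URI followed by an Android Application Record.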
But ttag.be has changed owners since this was active and it's now
redirecting to 609.es which is a real-estate agent in Spain. I guess
everybody who scans a round tag with a serial number wonders how they end up
with a real-estate agent.
I closed the case of a vulnerability in the Corinex CXWC-HD200-WNeH
with a confirmation from the vendor that this device is completely out of
support, which confirms the public information I found
when I started looking into this device.
This was all related to the course in hardware hacking I took and applying
the new knowledge.
So now I can look back on this experience and think about my future here.
Hardware hacking has serious links to my current job as technical security
specialist. In my work I regularly have to look at vulnerabilities and assess
the chance and impact of misuse of the vulnerability. With hardware hacking
I find vulnerabilities by researching hardware. This helps me understand the
chance and impact factor of other vulnerabilities.
There is also a link to my education: part of that was MTS electronics. I
learned how to solder, before SMD components were a thing and I think I got
some explanation about switching mode power supplies at the end. As I got into
computers I didn't do much with this education but the last years in amateur
radio have made me get out the soldering iron again.
There is a clear link to my hobby of amateur radio. My interest in amateur
radio is linked to wanting to know how things actually work. Hardware hacking
is also done with RF signals so I may get into more RF related hardware
hacking.
My current thought is that I want to continue in this subject. It's given me
joy: getting into a device in new and unexpected ways gives joy! I have learned
new things. I noticed I need to feed the brain regularly with new information
and actually learning something new is much better brainfood than browsing
social media. At the same time social media is the way to learn
more about this subject and interact with other people interested in this
subject. I ended up on /r/hardwarehacking on reddit
and already learned from others and shared some of my own insights!
Then there is RFID/NFC security. I have looked into this in the
past, mostly by getting the tools to peek into MiFare classic cards. I am
considering going further with this area of hardware hacking. Prices of hacking
tools for this area like the Proxmark3 or the Flipper Zero are above the 'nice
to try a few things' level. On the other hand I think I could have loads of fun
there, and the overlap with amateur radio is very clear.
At the end of this bit of writing: thanks to people who share their hardware
hacking experiences on-line! Thanks to Jilles
Groenendijk, Router Archeology: Sitecom WL-330 - Habbie's journal,
@Flashback Team on youtube,
Make Me Hack on youtube,
and Boschko Security for sharing
their stories and knowledge.
For the first time in years I was staying in a hotel again for one night.
The key for the hotel was a credit-card sized plastic card, so I assumed
immediately it was an RFID based card.
Years ago I would have needed my linux laptop and the touchatag NFC reader
to understand more about the keycard, but we're in some form of the future now,
so I used NFC taginfo by NXP
on my phone and held the keycard up to the phone.
The TagInfo app made the happy noise and told me it was an NXP MiFare classic
card. The app even told me most sectors had the default key
FF:FF:FF:FF:FF:FF. One sector was not accessible due to a different
key, but with mfoc (Mifare Classic offline cracker), which uses a key that is already
known for one sector to recover the keys of the other sectors, or one of the other attacks
on the MiFare classic, I could probably get access to that sector.
So in theory, with something like the Proxmark, I could clone keycards of other
visitors. Or clone the keycard of the cleaning crew, which gives a lot more
access.
Update:
A bit of searching finds this: Researchers Find Way to Create Master Keys to Hotels - F-Secure Blog.
I don't know if the lock I looked at is the same system as the system in this
article.
I haven't done anything with NFC in ages. Almost three years ago I
dug up my knowledge again and learned about UID changeable cards
and before that the last real digging into RFID was 11 years ago:
Interesting development with the magna carta rfid card.
Anyway, my interest is renewed due to several factors, with "just looking for
something to learn about and enjoy the process" as main one. As a first step I
dug up my trusty touchatag reader and the collection of RFID tokens/cards. The
touchatag reader still doesn't see any of the collected ski passes so I guess
those are for other frequencies.
The collection of RFID tokens includes a number of one-use public transport
tickets. Those are based on Mifare Ultralight "MF0ICU1" according to NXP
TagInfo. The little bit that annoys me is that NXP TagInfo manages to list the
transport company and the transaction date/time while I can't find any listing
of the fields in a Mifare Ultralight for transport use online on a first
search. Later searches (see below) give a lot more!
So I have to do some digging myself. And maybe get a few more recent
one-time-use public transport tickets to get an idea.
After my experiments with RFID cards
in 2011 I did nothing with them for a while. In the past half year the
subject came up again because of some security questions around RFID cards, and I
looked into the software again.
Besides the Linux tools, RFID support on Android is now normal too, and I have
discovered that NFC TagInfo by NXP
is fine software for quickly examining a card. For some MiFare
classic cards this software already reports that standard known keys
('factory default keys') are in use.
Compared to 2011 the difference is that Mifare classic cards with
a changeable UID (unique card number) can simply be bought (search for
'UID changeable card'), and the change can be made with nfc-mfsetuid, which
is part of libnfc
and therefore comes with a modern Linux in the package libnfc-examples.
A complete clone of a Mifare classic card is thus perfectly possible, see
for example this description:
Cloning Mifare 1K cards.
I recently learned that more than one Android mobile phone with NFC support
presents the same 'Unique' ID: 01020304 (hex). If you want to use RFID
tokens for authentication for certain tasks and let users bring their own
tokens, you need to block this specific not-so-unique ID.
Together with the fact that there are cards on the market where you can
change the UID, this means that depending on the RFID UID alone for authentication
needs a serious risk assessment. But gaining access to more information on an
ISO/IEC 14443 RFID device than its UID means that you either have to set the rules
for the card yourself (issue your own cards, and probably pay for it) or write a rule for every type of
card you find, and still have issues.
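The two checks this post and the hotel keycard post above argue for can be written down in a few lines. Below is an added Python example (my own, not code from this site, libnfc, mfoc or NXP TagInfo) that works on a Mifare Classic 1K dump in the plain 1024-byte layout libnfc tools write: it flags the 01020304 UID and the ISO/IEC 14443-3 random-UID marker (first byte 0x08 on a 4-byte UID), checks the block 0 BCC (which a genuine chip always gets right, so a mismatch means block 0 was rewritten on a UID-changeable card), and lists sector trailer keys that are on the well-known list. The dump itself is constructed to look like the hotel card (factory keys in every sector but one, with a hypothetical site key), and the MAD and NDEF public keys in the list come from NXP's published application notes, not from the post.

```python
"""Mifare Classic 1K dump checks: UID sanity, BCC, and well-known keys (added example)."""

BLOCK, SECTOR, SECTORS = 16, 64, 16      # 1K: 16 sectors x 4 blocks x 16 bytes, trailer = block 3
FACTORY_KEY = bytes.fromhex("FFFFFFFFFFFF")
NOT_UNIQUE_UIDS = {bytes.fromhex("01020304")}   # the UID several Android phones present
WELL_KNOWN_KEYS = {                              # published keys found in default key lists
    FACTORY_KEY: "factory default",
    bytes.fromhex("A0A1A2A3A4A5"): "MAD public key A",
    bytes.fromhex("D3F7D3F7D3F7"): "NDEF public key A",
    bytes.fromhex("000000000000"): "all zeroes",
}


def uid_findings(uid: bytes) -> list:
    """Reasons not to trust a UID as an identity on its own."""
    findings = []
    if uid in NOT_UNIQUE_UIDS:
        findings.append("UID 01020304 is shared by several phones")
    if len(uid) == 4 and uid[0] == 0x08:
        findings.append("UID0 = 0x08 marks a random UID (ISO/IEC 14443-3); it changes per activation")
    return findings


def block0_findings(block0: bytes) -> list:
    """Block 0 of a 4-byte-UID card: UID[4] BCC SAK ATQA[2] manufacturer[8]; BCC = XOR of the UID."""
    uid, bcc = block0[:4], block0[4]
    findings = uid_findings(uid)
    expected = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    if bcc != expected:
        findings.append(f"BCC {bcc:02X} != {expected:02X}: block 0 was rewritten (UID-changeable card?)")
    return findings


def default_key_findings(dump: bytes) -> list:
    """(sector, 'A'|'B', key hex, name) for every trailer key that is on the well-known list."""
    findings = []
    for sector in range(len(dump) // SECTOR):
        trailer = dump[sector * SECTOR + 3 * BLOCK: sector * SECTOR + 4 * BLOCK]
        for name, key in (("A", trailer[:6]), ("B", trailer[10:])):
            if key in WELL_KNOWN_KEYS:
                findings.append((sector, name, key.hex().upper(), WELL_KNOWN_KEYS[key]))
    return findings


def accept_for_auth(uid: bytes, enrolled: set) -> bool:
    """Bring-your-own-token policy: enrolled UIDs only, and never a known non-unique or random one."""
    return uid in enrolled and not uid_findings(uid)


def constructed_dump(uid: bytes, bcc: int, site_key: bytes) -> bytes:
    """Constructed 1K dump: factory keys in sectors 0-14, a separate key in sector 15 (like the hotel card)."""
    sak, atqa, manufacturer = b"\x08", b"\x04\x00", b"\x00" * 8   # Classic 1K style SAK/ATQA values
    dump = bytearray(SECTORS * SECTOR)
    dump[:BLOCK] = uid + bytes([bcc]) + sak + atqa + manufacturer
    for sector in range(SECTORS):
        key = site_key if sector == 15 else FACTORY_KEY
        start = sector * SECTOR + 3 * BLOCK
        dump[start:start + BLOCK] = key + bytes.fromhex("FF078069") + key   # FF078069 = transport access bits
    return bytes(dump)


if __name__ == "__main__":
    site_key = bytes.fromhex("A1B2C3D4E5F6")       # hypothetical site key, not from any real card
    dump = constructed_dump(bytes.fromhex("01020304"), 0x04, site_key)
    print(block0_findings(dump[:BLOCK]))
    print(len(default_key_findings(dump)), "well-known keys; sector 15 is what mfoc's nested attack is for")
    print(accept_for_auth(bytes.fromhex("01020304"), {bytes.fromhex("01020304")}))  # False
```

The point of `accept_for_auth` is that an allowlist of enrolled UIDs is not enough on its own: a phone with 01020304 enrolled by one user would authenticate every other phone with the same UID, and a random-UID card is never the same card twice. The key check reproduces what TagInfo reports on the hotel card, 30 factory keys and one sector that needs an actual attack.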
In the UK the first tests are being done with contactless payments based on RFID.
According to the specifications, eavesdropping on the transaction signals
should not be possible from further than 10 centimeters. And predictably,
radio signals don't follow specifications: at a distance of 45 centimeters
the data was received using equipment which could be hidden in a backpack in
a shopping trolley.
Via Contactless cards: data intercepted - Southgate Amateur Radio News
Yet another flawed Mifare-in-public-transport implementation:
Hackers Expose Security Holes That Allow 'Free Rides for Life' - mashable.com.
This time the city of Turin in Italy implemented a ticket system based on
Mifare Ultralights.
Original Mifare Ultralight tags are not very secure (there is no
crypto involved at all) and the spread of NFC enabled systems (such
as smartphones) can turn simple vulnerabilities into widespread system
failures.
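To make concrete what "no crypto involved at all" means, and to show what the one-use transport tickets mentioned earlier in these notes look like below the operator's own data fields, here is an added Python example (my own, not code from this site or from NXP) that decodes the generic MF0ICU1 memory layout from the Ultralight datasheet: pages 0 and 1 hold the 7-byte UID with the BCC0 and BCC1 check bytes, page 2 holds the lock bytes, page 3 is the one-time-programmable page, and pages 4 to 15 are plain user memory. The only protections the chip offers are the irreversible lock bits and OTP bits whose only possible transition is 0 to 1; the example checks both. The 64-byte dump is constructed, and the transport operator's field layout (which the earlier post could not find) is deliberately not decoded.

```python
"""Mifare Ultralight (MF0ICU1) memory layout: UID, lock bits and OTP page (added example)."""

PAGE, PAGES = 4, 16                  # 16 pages x 4 bytes = 64 bytes
CASCADE_TAG = 0x88                   # first byte of a 7-byte UID's cascade level 1


def parse_ultralight(dump: bytes) -> dict:
    """Pages 0-1: UID and BCC0; page 2: BCC1, internal, lock bytes; page 3: OTP; pages 4-15: user data."""
    if len(dump) != PAGE * PAGES:
        raise ValueError("expected a 64-byte MF0ICU1 dump")
    pages = [dump[i * PAGE:(i + 1) * PAGE] for i in range(PAGES)]
    uid = pages[0][:3] + pages[1]                      # UID0-2 in page 0, UID3-6 in page 1
    bcc0, bcc1 = pages[0][3], pages[2][0]
    lock0, lock1 = pages[2][2], pages[2][3]
    locked = set()
    if lock0 & 0x08:                                   # lock0 bit 3 locks the OTP page
        locked.add(3)
    for bit in range(4):                               # lock0 bits 4-7 lock pages 4-7
        if lock0 & (1 << (4 + bit)):
            locked.add(4 + bit)
    for bit in range(8):                               # lock1 bits 0-7 lock pages 8-15
        if lock1 & (1 << bit):
            locked.add(8 + bit)
    return {
        "uid": uid.hex().upper(),
        "bcc0_ok": bcc0 == (CASCADE_TAG ^ uid[0] ^ uid[1] ^ uid[2]),
        "bcc1_ok": bcc1 == (uid[3] ^ uid[4] ^ uid[5] ^ uid[6]),
        "block_locking_bits": lock0 & 0x07,            # bits 0-2 freeze groups of lock bits for good
        "locked_pages": sorted(locked),
        "otp": pages[3].hex().upper(),
        "otp_bits_burnt": bin(int.from_bytes(pages[3], "big")).count("1"),
        "user_pages": {i: pages[i].hex().upper() for i in range(4, PAGES)},
    }


def otp_write_allowed(current: bytes, new: bytes) -> bool:
    """OTP bits are ORed in: a write can only set bits, never clear them."""
    cur, nxt = int.from_bytes(current, "big"), int.from_bytes(new, "big")
    return (cur & ~nxt) == 0


def writable_pages(parsed: dict) -> list:
    """User pages that any reader, with no key at all, can still overwrite."""
    return [p for p in range(4, PAGES) if p not in parsed["locked_pages"]]


def constructed_dump() -> bytes:
    """Constructed 64-byte dump: UID 04ABCDEF123456, OTP and pages 4 and 8 locked, three OTP bits burnt."""
    uid = bytes.fromhex("04ABCDEF123456")
    bcc0 = CASCADE_TAG ^ uid[0] ^ uid[1] ^ uid[2]
    bcc1 = uid[3] ^ uid[4] ^ uid[5] ^ uid[6]
    page0 = uid[:3] + bytes([bcc0])
    page1 = uid[3:]
    page2 = bytes([bcc1, 0x48, 0x18, 0x01])            # internal byte, lock0 = OTP + page 4, lock1 = page 8
    page3 = bytes.fromhex("E0000000")                 # OTP page with 3 bits already set
    user = b"".join(bytes([i]) * PAGE for i in range(4, PAGES))   # filler user data, not a real ticket
    return page0 + page1 + page2 + page3 + user


if __name__ == "__main__":
    info = parse_ultralight(constructed_dump())
    print(info["uid"], info["bcc0_ok"], info["bcc1_ok"], info["locked_pages"], info["otp_bits_burnt"])
    print("writable without any key:", writable_pages(info))
    print(otp_write_allowed(bytes.fromhex("E0000000"), bytes.fromhex("C0000000")))  # False
```

Everything `parse_ultralight` returns was read without authenticating, because the chip has nothing to authenticate with. A ticket scheme that keeps its ride counter in the user pages can be reset by anyone with a writer; one that burns OTP bits per ride at least cannot be rewound on the same tag, which is why `otp_write_allowed` rejects a write that would clear a bit, and why the remaining attack is to copy the original user data onto a fresh tag.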
Interesting to me is that the earlier vulnerabilities in Mifare systems in
the Netherlands and England aren't mentioned in this article.