Dumping the MIFARE CRYPTO1

By Devon Reilly

Introduction:

Radio Frequency Identification (RFID) is a form of wireless communication identification through radio waves. This kind of tech has been around for years and has been upgraded since its conception, such as the development of MIFARE cards from NXP Semiconductors. These cards are mainly used in access control systems and transportation systems.

Tools:

The main tool used for this is the proxmark3, which is used to read, modify, and write data from the chips through the connected machine. This tool is used for either intercepting messages between the reader or the writer, or it will be used to send messages from a “reader” and receive the response data straight from the card.

Vulnerabilities:

The MIFARE Classic cards use a proprietary cypher algorithm called CRYPTO1. This custom cryptographic algorithm was created specifically for this type of card; as it turns out, it’s usually not a good idea to create custom encryption algorithms. Due to CRYPTO1’s vulnerability of having a very small key size of 48-bits, it is very easy to brute force with a nested attack or through sniffing. The way the decryption is broken is through a nested attack, which is a very useful attack technique against the CRYPTO1 algorithm, as it authenticates the block with the default key or known key and reads the tag’s Nt. This will continue with the derivative of Nt in conjunction with linear feedback shift register. From there the timing distance is computing along with the next Nt values, and ks1, ks2, and ks3. The second way authentication keys could be found is through a mutual authentication handshake that occurs between the reader and the card, which will send the readers authentication key and authenticates the blocks on the card, which will send the encrypted data to the reader.

https://upload.wikimedia.org/wikipedia/en/1/10/Crypto1.png[1]

Conclusion:

MIFARE 1k Classic chips are very insecure authentication devices which can easily be sniffed or decrypted manually and dumped. The main reason these cards are widely used is due to their ease of use and their cheap cost. Many systems such as the one I was using to test have the option of a few different chip standards, such as MIFARE Classic, MIFARE Plus, and the MIFARE DESFire. Certain chips such as the more secure DESFire have more authentication modules, standard AES encryption, 128-bit encryptions, and 28 applications each containing 32 files. While the DESFire is the standard for government identification and transportation services, it is more expensive and requires more synchronization with the readers which can be resource intensive. A bare minimum option for MIFARE that should be used is the MIFARE Plus, which is an improvement on the Classic, but still has some flaws.

Reproduce:

  1. We need to install the proxmark software and flash it to the proxmark3.
  2. Load up the software with the command “pm3”.
  3. Once in the proxmark menu, its best to start off with “hw tune” to test the antennas and see if everything is working correctly, upon which we can go into either high frequency (hf) or low frequency (lf) modes
  4. The chip of interest to us is in high frequency, so we will type “hf” into the terminal to go into the high frequency options
  5.  We need to find the details on the specific chip so we need to run the “hf se”(search) command which will find the UID, ATQA, SAK for ISO 14443a chips, as well as the type of card and the PRNG.
  1. Now that we have the type of card, we can dive into the MIFARE options with “hf mf” and check the card for default keys with “hf mf fchk 1 d”. This does a fast check of the high frequency MIFARE card of the 1k variant that was shown in the search and dumps it to a bin file.
  1. Now that we have a visual representation of the sectors, sides, and known keys we can start nested attacks. Due to the PRNG being hardened (aka unpredictable) we are unable to use darkside attacks, nested, staticnested, or leverage the MIFARE NACK bug. This means we will need to use a hardnested attack. For hardnested attacks we will need to know at least one key, which is in sector 1 A, “FFFFFFFFFFFF”. We will try attacking block 4 A with “hf mf hardnested 0 A FFFFFFFFFFFF 4 A”(target blocks are in multiples of 4), this uses the key from sector 0 A against 4 A.
  1. Now that we have the key for Sector 4 A, it will be more efficient to add every found key to a dictionary to use for other sectors. Create a file called “keys.dic” and add the first key and the one we just found in.
  2. We can run “hf mf fchk 1 keys.dic” to try authenticating all the sectors to see if that key has duplicates. Once run we will see that the new key only authenticated sector 001 A.
  3. Run the hardnested command with the new key “hf mf hardnested 1 A dfXxXxXxXxXx 1 B”, which will return 9eXxXxXxXxXx. We can run the check command, which will get us a table with sectors 0 AB, 1 AB, and 15AB completed, and add the key to keys.dic.
  4. We need to run the command on the next one with “hf mf hardnested 4 A dfXxXxXxXxXx 8 A” which returns 9aXxXxXxXxXx. When we run the check command, we will see that all the sectors have valid keys to authenticate and are now dump-able.
  1. Now that we have all of the keys, we can use the check command with a d “hf mf fchk 1 keys.dic d” to extract all the keys to a bin file.
  2. To extract the physical unencrypted data from the card we need to dump the data with “hf mf dump”
  3. Now we want to change the uid of the new card, check the current uid of the original card “hf se” and do the same with the new one. Then change the uid of the new card to that of the original with “hf mf csetuid E2XxXxXx 0004 08”. We can run “hf se” again to see the changes to the new card.
  1. We need to write the data to the new card now with “hf mf restore 1”, which restores the dump.bin file. Now we have a fully working card, and the ability to make unlimited copies.

[1] “Crypto-1 – Wikipedia.” https://en.wikipedia.org/wiki/Crypto-1, pdf. Accessed 14 Nov. 2020.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s