Crack Mifare 1k

Posted by admin

Last month, the Dutch government issued a warning about the security of access keys based on the ubiquitous MiFare Classic RFID chip. The warning comes on the heels of an ingenious hack, spearheaded by Henryk Plotz, a German researcher, and Karsten Nohl, a doctoral candidate in computer science at the University of Virginia, that found a way to crack the encryption on the chip. Millions upon millions of MiFare Classic chips are used worldwide in contexts such as payment cards for public transportation networks throughout Asia, Europe and the U.S., and in building-access passes. The report asserts that systems employing MiFare will likely be secure for another two years, since hacking the chip seems to be an involved and expensive process. But in a recent report published by Nohl, titled he presents an attack that recovers secret keys in mere minutes on an average desktop PC.

In December, Nohl and Plotz gave a presentation on MiFare's security vulnerabilities at the 24th Chaos Communications Congress (24C3), the annual four-day conference organized by Germany's notorious hacking collective, the Chaos Computer Club (CCC). Thousands of hackers from far-flung locales converged on Berlin between Christmas and New Year's for a raft of talks and project demonstrations. In their popular talk at 24C3, punctuated by bursts of raucous applause, Nohl presented an overview of radio frequency identification security vulnerabilities and the process of hacking the MiFare chip's means of encryption, known as the Crypto-1 cipher.

Other Mifare Classic mistakes (www.nethemba.com): the reader side accepts invalid frame lengths; the parity bit is encrypted, but the internal state will not shift, so the first bit of the next byte will be encrypted by the same keystream bit.
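The parity mistake noted above can be shown without any real cipher. The following Python sketch is an added example, not code from the original page or from the researchers; the random stand-in keystream, the LSB-first bit order, the odd-parity convention and all function names are assumptions made for illustration. It shows that when the parity bit shares a keystream bit with the next data bit, a relation between plaintext bits is visible in the ciphertext alone.

```python
import secrets

def odd_parity(byte):
    # Parity bit that gives the nine transmitted bits an odd number of 1s
    # (ISO 14443-A convention, assumed here).
    return (bin(byte).count("1") + 1) & 1

def encrypt_frame(plain, keystream, reuse_bit=True):
    """Encrypt each byte LSB-first (assumed bit order) plus its parity bit.

    reuse_bit=True models the flaw described above: the parity bit is XORed
    with the next keystream bit, but the position does not advance, so the
    same bit also encrypts the first data bit of the following byte.
    reuse_bit=False gives the parity bit a keystream bit of its own.
    """
    frame, k = [], 0
    for byte in plain:
        enc_bits = [((byte >> i) & 1) ^ keystream[k + i] for i in range(8)]
        k += 8
        enc_parity = odd_parity(byte) ^ keystream[k]
        if not reuse_bit:
            k += 1
        frame.append((enc_bits, enc_parity))
    return frame

def observed_relations(frame):
    # Ciphertext only: encrypted parity of byte n XOR first encrypted bit of byte n+1.
    return [frame[n][1] ^ frame[n + 1][0][0] for n in range(len(frame) - 1)]

def plaintext_relations(plain):
    # What the flaw exposes: parity(P[n]) XOR bit0(P[n+1]), with no keystream term.
    return [odd_parity(plain[n]) ^ (plain[n + 1] & 1) for n in range(len(plain) - 1)]

def demo():
    plain = bytes.fromhex("deadbeef")  # constructed sample plaintext
    # Stand-in keystream: random bits, not Crypto-1 output.
    keystream = [secrets.randbits(1) for _ in range(9 * len(plain))]
    flawed = observed_relations(encrypt_frame(plain, keystream, reuse_bit=True))
    return flawed == plaintext_relations(plain)

if __name__ == "__main__":
    print("relation leaks regardless of keystream:", demo())
```

With `reuse_bit=False` the two ciphertext bits are masked by different keystream bits, so the same XOR no longer reveals a fixed plaintext relation.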


The Samsung TecTile NFC tag stickers use MIFARE Classic chips. This means only devices with an NXP NFC controller chip can read or write these tags. At the moment BlackBerry phones, the Nokia Lumia 610 (August 2012), the Google Nexus 4, Google Nexus 7 LTE and Nexus 10 (October 2013) can't read/write TecTile stickers.

Re: Cracking Mifare Classic 1K

You must ask the seller if block0 is writable with a normal write command or only using special commands; this is the only way to know if it is a 1st or 2nd generation card (hoping he will tell you the truth).

'This is the first public announcement that the Crypto-1 cipher on the MiFare tag is known,' said Nohl in December at the 24C3 talk. 'We will give out further details next year.'

Get out the microscopes

To hack the chip, Nohl and Plotz reverse-engineered the cryptography on the MiFare chip through a painstaking process. They examined the actual MiFare Classic chip in exacting detail using a microscope and the open-source OpenPCD RFID reader and snapped several in-depth photographs of the chip's architecture. The chip is tiny - about a 1-millimeter-square shred of silicon - and is composed of several layers. The researchers sliced off the minuscule layers of the chip and took photos of each layer. There are thousands of tiny blocks on the chip - about 10,000 in all - each encoding something such as an AND gate or an OR gate or a flip-flop. Analyzing all of the blocks on the chip would have taken forever, but there was a shortcut.

'We couldn't actually look at all 10,000 of these small building blocks, so we wanted to categorize them a bit before we started analyzing,' said Nohl at 24C3. 'We observed that there aren't actually 10,000 different ones. They're all taken from a library of cells. There are only about 70 different types of gates; we ended up writing MATLAB scripts that once we select one instance of a gate finds all the other ones.'

To find the cryptographically important regions of the chip, Nohl and Plotz scanned for clues in the blocks: long strings of flip-flops that would implement the register important to the cipher, XOR gates that are virtually never used in control logic, and blocks on the edge of the chip that were sparsely connected to the rest of the chip, but strongly connected to each other. They then reconstructed the circuit using their data, and from the reconstruction, they read the functionality. It was a painful process, but once it was done, the researchers had decoded the security on the chip, unveiling several vulnerabilities.


Among the potential security risks they uncovered was a 16-bit random number generator that was easy to manipulate - so easy, in fact, that they were able to coax the generator into producing the same 'random' number in every transaction, effectively crippling the security.

Simpler from here on out

A potential attacker wouldn't have to go through all of the steps that Nohl and Plotz had to undertake to hack the RFID chip.
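Returning to the 16-bit random number generator mentioned above, the following Python model is an added example, not code from the original page or from the researchers. It assumes a generator that restarts from a fixed state at every power-up and advances once per tick; the feedback taps, the reset value and the class and function names are illustrative, and the hardened variant simply draws from the operating system's CSPRNG.

```python
import secrets

def lfsr16_step(state):
    # One step of a 16-bit Fibonacci LFSR. The taps are a common
    # maximal-length set chosen for illustration, not taken from the chip.
    bit = ((state >> 0) ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return (state >> 1) | (bit << 15)

class WeakTag:
    """Assumed model: the generator restarts from a fixed state at power-up,
    so the nonce depends only on how many ticks have elapsed since then."""
    RESET_STATE = 0xACE1  # illustrative reset value

    def power_up(self):
        self.state = self.RESET_STATE

    def nonce_after(self, ticks):
        for _ in range(ticks):
            self.state = lfsr16_step(self.state)
        return self.state

class HardenedTag:
    """Nonce drawn from the OS CSPRNG; elapsed time has no influence."""

    def power_up(self):
        pass

    def nonce_after(self, ticks):
        return secrets.randbits(64)

def nonces_over_sessions(tag, sessions, ticks):
    # Power-cycle the tag before each session and read the nonce at the same delay.
    out = []
    for _ in range(sessions):
        tag.power_up()
        out.append(tag.nonce_after(ticks))
    return out

def distinct_ratio(nonces):
    # 1.0 means every session saw a fresh nonce; 1/len(nonces) means all identical.
    return len(set(nonces)) / len(nonces)

def lfsr_period(start=0xACE1):
    # Number of steps before the state repeats: the size of the whole nonce space.
    state, n = lfsr16_step(start), 1
    while state != start:
        state, n = lfsr16_step(state), n + 1
    return n

if __name__ == "__main__":
    print("weak:", distinct_ratio(nonces_over_sessions(WeakTag(), 50, 1234)))
    print("hardened:", distinct_ratio(nonces_over_sessions(HardenedTag(), 50, 1234)))
    print("weak nonce space:", lfsr_period())
```

The `distinct_ratio` check is also usable as a test on captured authentication logs: a ratio well below 1.0 across sessions means the challenge is predictable.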

A diagram of the Crypto-1 cipher, published in Nohl's recent paper, shows that the heart of the cipher is a 48-bit linear feedback shift register and a filter function. To find bits of the key, an attacker would send challenges to the reader and analyze the first bit of key stream sent back to the reader. Though there are some tricks to generating these challenges, it is computationally not a terribly expensive, or expansive, procedure. 'The number of challenges needed to recover key bits with high probability varies for different bits, but generally does not exceed a few dozen,' writes Nohl in the paper. At 24C3, Nohl warned against the increasing ubiquity of RFID tags.

'We need some level of authentication, some security that has yet to be added to many of these applications,' he said. He pointed to the increasing use of RFID tags in public transit systems, car keys, passports, and even World Cup tickets - and the potentially worrying privacy implications of large-scale RFID tagging of products by big retailers such as Wal-Mart Stores Inc. If you rely on MiFare Classic security for anything, you may want to start moving to a different system.
