Nullcon 2011 RFID - NOT SENT TO THE EVENT

RFID Vulnerabilities, Flaws and Exploits. Mauro Risonho de Paula Assumpção, Backtrack Brazil, [email protected]. NOT SENT TO THE EVENT

Upload: mauro-risonho-de-paula-assumpcao

Posted on 20-Jun-2015



TRANSCRIPT

Page 1: Nullcon 2011 RFID - NOT SENT TO THE EVENT

RFID Vulnerabilities, Flaws and Exploits

Mauro Risonho de Paula Assumpção Backtrack Brazil [email protected]

NOT SENT TO THE EVENT

Page 2

What is RFID?

• Radio Frequency Identification
• Identification devices whose interface for communication with the reader is wireless
• It encompasses the physical layer and the communication protocols for identification devices (people, consumer goods, animals, etc.)
• May be proprietary or standardized

Page 3

Main types

• Memory cards with access control
  – Main applications are ticketing in public transport and physical access control
  – Memory is divided into sectors, and each sector is protected by an encryption key
  – Operates at 13.56 MHz with a maximum read/write range of 10 cm
  – The standard Mifare card follows the ISO 14443 series

Page 4

Main types

• Proximity cards for physical access control
  – Besides Mifare, there are several other cards also known as proximity cards
  – Contactless cards in a proprietary format:
    • Indala, HID iClass, HID Prox and others
  – Operating in the 125 MHz band with short range

Page 5

Main types

• Cryptographic cards
  – There are also contactless cards with a cryptographic coprocessor
  – Can have both interfaces (contact and contactless)
  – Also support the ISO 14443 standard

Page 6

Where the fun begins ...

A little more on the Mifare

Page 7

Mifare Classic

• Memory structure
  – 16 sectors
  – 4 blocks per sector (one block = 16 bytes)
  – Access control per individual sector
    • Key A and Key B
    • Access conditions
  – Each key has 48 bits
  – The serial number and manufacturer information are hardcoded in block 0 of sector 0

Page 8

Mifare Classic

• Memory structure

[Figure: memory layout, blocks per sector]

Page 9

Mifare Classic

• Serial number
  – 4 or 7 static (hardcoded) bytes
  – or 7 random bytes, where a new serial number is generated for each new communication channel established with the reader

Page 10

Mifare Classic

• Block diagram

[Figure: block diagram with RF interface, antenna, authentication, anti-collision, ALU, crypto, EEPROM interface and EEPROM]

Page 11

Mifare Classic

• Main components
  – RF interface
  – Anti-collision: allows two or more cards to interact with a single reader (ISO 14443)
  – Authentication: controls access to every region of memory
  – ALU (Arithmetic Logic Unit): performs the addition / subtraction operations when the card stores values in memory
  – Crypto: implementation of the CRYPTO1 algorithm (a stream cipher) used to establish a secure channel between card and reader

Page 12

Mifare Classic

• 3-step authentication
  – The reader specifies the sector to be accessed and whether key A or key B is used to access it
  – The card reads the key specified by the reader and encrypts a random number, which is sent to the reader (the card challenge) <Pass 1>
  – The reader decrypts the challenge using the same card key

Page 13

Mifare Classic

• 3-step authentication (continued)
  – The reader returns the decrypted number to the card along with a new random number encrypted by the reader (the reader challenge) <Pass 2>
  – The card checks the decrypted number against the one it sent previously

Page 14

Mifare Classic

• 3-step authentication (continued)
  – The card decrypts the reader's challenge and sends the result back to the reader <Pass 3>
  – The reader checks the response returned by the card
  – At the end of this process an encrypted communication channel is established between card and reader
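The three passes described on slides 12 to 14, run end to end as an added example (this is not code from the talk, from NXP or from librfid). CRYPTO1 itself is deliberately not implemented: a keyed PRF (HMAC-SHA256 over the sector key, the card UID and the nonces exchanged so far) stands in for the cipher keystream, and a hash-forward function stands in for the nonce successor; both are assumptions made only so the message flow can be executed and inspected offline. The command codes 0x60 / 0x61 for "authenticate with key A / key B" follow the NXP data sheet; the UID is the one printed in the slides' dump.

```python
"""Three-pass mutual authentication between a MIFARE Classic card and a reader.
Added example: the keystream and nonce successor below are stand-ins, not CRYPTO1."""
import hashlib
import hmac
import os

KEY_A, KEY_B = 0x60, 0x61   # MIFARE Classic authentication command codes (NXP data sheet)


def pad(key, uid, n_t, n_r=b""):
    """Stand-in keystream (assumption): depends on the sector key, the card UID
    and the nonces seen so far, as the real cipher state does.  Returns 32 bytes."""
    return hmac.new(key, uid + n_t + n_r, hashlib.sha256).digest()


def suc(nonce, times):
    """Stand-in for the nonce successor function (assumption): hash forward."""
    for _ in range(times):
        nonce = hashlib.sha256(nonce).digest()[:4]
    return nonce


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Card:
    def __init__(self, uid, keys):
        self.uid, self.keys = uid, keys     # keys: {(sector, KEY_A|KEY_B): 6-byte key}
        self.key = self.n_t = None

    def pass1(self, sector, key_type):
        """Reader selected sector and key type; the card answers with its challenge n_T."""
        self.key = self.keys[(sector, key_type)]
        self.n_t = os.urandom(4)
        return self.n_t

    def pass3(self, enc_n_r, enc_suc2):
        """Recover n_R, check the reader's answer to n_T, then answer the reader's challenge."""
        ks = pad(self.key, self.uid, self.n_t)
        n_r = xor(enc_n_r, ks[:4])
        ks2 = pad(self.key, self.uid, self.n_t, n_r)
        if xor(enc_suc2, ks2[:4]) != suc(self.n_t, 2):
            return None                     # wrong key: the card does not answer
        return xor(suc(self.n_t, 3), ks2[4:8])


class Reader:
    def __init__(self, key):
        self.key = key
        self.uid = self.n_t = self.n_r = None

    def pass2(self, uid, n_t):
        """Send {n_R} and {suc2(n_T)}: own challenge plus the answer to the card's."""
        self.uid, self.n_t, self.n_r = uid, n_t, os.urandom(4)
        ks = pad(self.key, uid, n_t)
        ks2 = pad(self.key, uid, n_t, self.n_r)
        return xor(self.n_r, ks[:4]), xor(suc(n_t, 2), ks2[:4])

    def verify(self, enc_suc3):
        """Check the card's answer {suc3(n_T)} to the reader's challenge."""
        if enc_suc3 is None:
            return False
        ks2 = pad(self.key, self.uid, self.n_t, self.n_r)
        return xor(enc_suc3, ks2[4:8]) == suc(self.n_t, 3)


def authenticate(card, reader, sector, key_type):
    """Run the three passes; True only if both sides hold the same sector key."""
    n_t = card.pass1(sector, key_type)                      # pass 1: card -> reader
    enc_n_r, enc_suc2 = reader.pass2(card.uid, n_t)         # pass 2: reader -> card
    return reader.verify(card.pass3(enc_n_r, enc_suc2))     # pass 3: card -> reader


# Constructed sample: UID from the slides' dump, factory key on sector 0.
UID = bytes.fromhex("d40f01ac")
DEFAULT_KEY = bytes.fromhex("ffffffffffff")
OTHER_KEY = bytes.fromhex("a0a1a2a3a4a5")      # constructed, wrong key
card = Card(UID, {(0, KEY_A): DEFAULT_KEY, (0, KEY_B): DEFAULT_KEY})

if __name__ == "__main__":
    print("correct key:", authenticate(card, Reader(DEFAULT_KEY), 0, KEY_A))
    print("wrong key:  ", authenticate(card, Reader(OTHER_KEY), 0, KEY_B))
```

The reader never learns whether the card's key check failed because of the key or the nonce: with the wrong key it recovers a different n_R, derives a different keystream, and the card's check in pass 3 simply produces no answer. That is the behaviour a reader sees in practice, and it is why slide 19 could read the blank card (factory keys) but not the "Bilhete Único".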

Page 15

Mifare Classic

• Card access
  – A set of commands supported by the card, which the card's owner programs into the reader chip
  – An application interacts with the card using a specific NXP library that is linked directly with the reader controller chip

Page 16

Reading Mifare cards

Page 17

Reading Mifare cards

• Tools
  – Contactless reader (HID Omnikey 5321)
  – Open-source library for interacting with readers and contactless devices: librfid (ww.openmrtd.org/projects/librfid/)
  – A sample blank Mifare 1K card

Page 18

Reading Mifare cards

Protocol Mifare Classic
Size: 1024 bytes
Authenticating sector 0: mifare auth succeeded!
Reading sector 0
Reading block 0: Page 0x0: d4 0f 01 ac 76 88 04 00 47 c1 1e 38 65 00 48 05
Reading block 1: Page 0x1: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Reading block 2: Page 0x2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Reading block 3: Page 0x3: 00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Authenticating sector 1: mifare auth succeeded!
Reading sector 1
Reading block 4: Page 0x4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Reading block 5: Page 0x5: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Reading block 6: Page 0x6: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Reading block 7: Page 0x7: 00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Authenticating sector 2: mifare auth succeeded!

And so on for the other sectors and blocks ...

[Figure annotations on the dump: serial number; data; Key A, access condition bits, Key B]

Page 19

Reading Mifare cards

• Reading the blank Mifare card was only possible because it was configured with the default keys (A and B)
• A card such as the "Bilhete Único" (used on buses in Brazil) could not be read or changed
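The dump on slide 18 and the memory layout on slides 7 and 18 can be checked mechanically. The following is an added example (not code from the talk or from librfid) that parses librfid-style "Reading block" lines, verifies the serial-number check byte in block 0, decodes the access-condition bytes of each sector trailer and reports the configuration weaknesses that made the blank card readable: transport access conditions and a readable factory key B. The sample dump is constructed from the two sectors printed on the slide, one block per line; the nibble layout of the access bytes and the BCC rule follow the NXP MIFARE Classic data sheet.

```python
"""Parse and audit a MIFARE Classic 1K dump in the librfid output format shown
on the slides.  Added example, not code from the talk or from librfid."""
import re

# Constructed sample: the two sectors the slides print, one block per line.
SAMPLE_DUMP = """\
Reading block 0: Page 0x0: d4 0f 01 ac 76 88 04 00 47 c1 1e 38 65 00 48 05
Reading block 1: Page 0x1: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Reading block 2: Page 0x2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Reading block 3: Page 0x3: 00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Reading block 4: Page 0x4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Reading block 5: Page 0x5: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Reading block 6: Page 0x6: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Reading block 7: Page 0x7: 00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
"""

BLOCK_RE = re.compile(r"Reading block (\d+): Page 0x[0-9a-fA-F]+: ((?:[0-9a-fA-F]{2} ?){16})")
DEFAULT_KEY = bytes.fromhex("ffffffffffff")   # NXP transport (factory) key
BLOCKS_PER_SECTOR = 4                           # 1K card: 16 sectors x 4 blocks x 16 bytes


def parse_dump(text):
    """Return {block_number: 16 bytes} from librfid-style 'Reading block' lines."""
    return {int(m.group(1)): bytes.fromhex(m.group(2).replace(" ", ""))
            for m in BLOCK_RE.finditer(text)}


def uid_info(block0):
    """Block 0 holds the 4-byte serial number (UID) followed by its check byte
    BCC, the XOR of the four UID bytes.  Returns (uid_hex, bcc_is_valid)."""
    uid = block0[:4]
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    return uid.hex(), bcc == block0[4]


def decode_access_bits(trailer):
    """Decode bytes 6-8 of a sector trailer into (C1, C2, C3) for blocks 0-3.
    Per the NXP data sheet: byte6 = ~C2|~C1, byte7 = C1|~C3, byte8 = C3|C2
    (high nibble | low nibble); bit i of each nibble belongs to block i.
    The inverted copies are a built-in integrity check."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    consistent = ((~b6 >> 4) & 0x0F) == c2 and (~b6 & 0x0F) == c1 and (~b7 & 0x0F) == c3
    bits = [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]
    return bits, consistent


def audit_sector(blocks, sector):
    """Findings for one sector: transport access conditions and a default,
    readable key B.  (Key A is never readable, so it always dumps as zeros.)"""
    trailer = blocks[sector * BLOCKS_PER_SECTOR + 3]
    bits, consistent = decode_access_bits(trailer)
    key_b = trailer[10:16]
    findings = []
    if not consistent:
        findings.append("access bits fail their inverted-copy check")
    if bits[3] == (0, 0, 1):
        findings.append("trailer uses transport access conditions (key B readable with key A)")
    if bits[:3] == [(0, 0, 0)] * 3:
        findings.append("data blocks fully readable/writable with key A")
    if key_b == DEFAULT_KEY:
        findings.append("key B is the factory default ffffffffffff")
    return findings


def audit_card(text):
    """Audit every sector whose trailer is present; returns {sector: [findings]}."""
    blocks = parse_dump(text)
    sectors = {b // BLOCKS_PER_SECTOR for b in blocks}
    return {s: audit_sector(blocks, s) for s in sorted(sectors)
            if s * BLOCKS_PER_SECTOR + 3 in blocks}


if __name__ == "__main__":
    uid, ok = uid_info(parse_dump(SAMPLE_DUMP)[0])
    print(f"UID {uid} (BCC {'ok' if ok else 'BAD'})")
    for sector, findings in audit_card(SAMPLE_DUMP).items():
        print(f"sector {sector}: " + ("; ".join(findings) or "no findings"))
```

On the slide's dump the access bytes ff 07 80 decode to C1C2C3 = 000 for the three data blocks and 001 for the trailer, which is the transport configuration: key A (shown as zeros because it is never readable) grants everything, and key B is readable, which is why ff ff ff ff ff ff appears in the clear at the end of blocks 3 and 7. A deployed card should not leave either condition in place.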

Page 20

Security aspects

Page 21

Security aspects

• Mifare card security rests on the proprietary CRYPTO1 algorithm
• The first work was done by Karsten Nohl, "Starbug" and Henryk Plötz at the Chaos Communication Camp 2007 in Berlin
• CRYPTO1 was the focus of this first analysis of Mifare cards
• The operation of CRYPTO1 was deduced through reverse engineering

Page 22

Security aspects

• CRYPTO1 vulnerabilities
  – The time dependence of the random number generator allows control over the numbers that will be generated
  – Only 16 of the 32 bits used in the three-step authentication are in fact random
  – Reverse engineering by observation of the chip made it possible to deduce how CRYPTO1 works

Page 23

Security aspects

• Operation of CRYPTO1

Page 24

Security aspects

• Other articles published on the security of Mifare cards
  – A Practical Attack on the MIFARE Classic – CARDIS 2008, LNCS 5189, pp. 267–282, 2008.
  – Dismantling MIFARE Classic – ESORICS 2008, LNCS 5283, pp. 97–114, 2008.

Page 25

Security aspects

• The attacks made so far allowed clones of the smart cards to be created using auxiliary equipment
• It was also possible to manipulate the contactless communication channel in order to observe the data traffic

Page 26

Security aspects

Page 27

Security aspects

Page 28

DEMO

Page 29

Security aspects

• The security problems pointed out are related to the weakness of CRYPTO1
• The attacks shown do not apply to PKI smart cards, such as electronic passports

Page 30

References

Page 31

References

• ISO 14443-1 / 2 / 3
• NXP - Mifare functional specification (2008)
• Mifare Security. Karsten Nohl, "Starbug" and Henryk Plötz
• A Practical Attack on the MIFARE Classic. Gerhard de Koning Gans, Jaap-Henk Hoepman, and Flavio D. Garcia.
• Dismantling MIFARE Classic. Flavio D. Garcia, Gerhard de Koning Gans, Ruben Muijrers, Peter van Rossum, Roel Verdult, Ronny Wichers Schreur, and Bart Jacobs