MIFARE Classic 1K/4K: basically just a memory storage device. This memory, either 1024 or 4096 bytes, is divided into sectors and blocks. Most of the time it is used for regular access badges and has really simple security mechanisms for access control.
MIFARE Ultralight: a 64-byte version of MIFARE Classic. Its low cost makes it widely used.
– (sufficient for reading / cracking / writing / cloning Mifare Classic cards).
Chinese UID Changeable Mifare – US$ 2 – With those cards an attacker is able to create a perfect clone of any Mifare Classic card (including the UID).
Those items can be easily bought on ebay.com or aliexpress.com from Taiwan/China.
![](/uploads/1/2/7/1/127178107/211094423.jpg)
MIFARE is an NXP Semiconductors-owned trademark, and is considered one of the most successful contactless technologies in the world. MIFARE cards are reportedly the most widely used contactless smartcard technology for smart card transactions. Since the launch of the MIFARE card, more than 500 million smart card chips and 5 million reader modules have been sold. The beauty of the card is that the interface is an open platform for system developers, which means applications can be built on an industry standard.
The MIFARE interface platform consists of a few product lines, and the MIFARE 1k belongs to the MIFARE Classic family. The MIFARE 1k is fundamentally a memory storage device, with a simple security mechanism that divides the memory into segments (sectors), each protected by its own keys. Therefore, this product family is ideal for high-volume transactions like transport ticketing, time and attendance solutions, car parking, and loyalty programs.
In the year 2006, a Japanese high-end supermarket chain in Hong Kong decided to adopt MIFARE cards with contactless smart card readers for its customer loyalty program. The chain store is one of the largest companies of its kind in Hong Kong. It mainly sells gourmet items and groceries from across Europe and Asia. In this loyalty program, customers earn bonus points on their cards for every purchase they make and redeem them for cash coupons every quarter and every year. The bonus points can even be redeemed as free parking, free delivery and free magazines. Cardholders can store money in their card accounts and make cash-free purchases with additional rebate benefits. In other words, the more the cardholders purchase, the more benefits they get.
![Mifare plus hack](http://img.alibaba.com/img/pb/741/245/611/611245741_547.jpg)
Now that we own the keys of a Mifare Classic card, we can move onto cloning them.
Just as a quick reminder, the steps to crack the keys were:
proxmark3> hf mf mifare
proxmark3> hf mf nested 1 0 A XXXXXXXXXXXX d
If you take a look inside the current folder where the client is running, you’ll find a binary file called “dumpkeys.bin”. Basically, it’s like a dump of the contents of the card, but only the sector trailer blocks, where the keys are stored.
A really simple attack on an electronic wallet implementation using this type of card is to dump the contents (aka “money”), spend the credit and, after that, restore the contents from the binary file where our “stored” money lives. Easy, right? In some poor implementations, this can work! In other implementations, you can even take “the money” from one card and “paste it” into another one. Remember that the only block in a Mifare Classic card that you cannot modify is block 0 of sector 0, where the UID of the card is burnt in at the factory. So, if “the money” is tied to it, the attack won’t work.
A couple of years ago, a “Magic Chinese Card” appeared. This card, also known as the “UID Changeable Card”, is a special card in which you can manipulate the UID and the full sector 0. Some of these cards have a special feature, which we call “a backdoor”: you can modify their contents (yeap! Block 0 too!) without even knowing the keys! So if you forgot the keys, you can send some special frames to the card to overwrite it whenever you need! Cool! So basically, FULL clones are possible!
Using proxmark after cracking the keys, you can execute:
proxmark3> hf mf dump
and you’ll get a file, right next to the other one, with this name: dumpdata.bin
The other commands that you will finally use will be:
restore – Restore MIFARE classic binary file to BLANK tag
csetuid – Set UID for magic Chinese card
The first one will restore the data into the same card and the other, in case you own a UID changeable card, will set the UID to match the original one. If the target card has the same keys as the original card, you will end up with a partial clone.
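Before a dump is restored or compared against a card, it is worth auditing it. The following is an added example, not code from the original post or from the Proxmark project: it parses a 1K dump in the raw 1024-byte layout that `hf mf dump` writes (16 sectors of 4 blocks of 16 bytes, sector trailer last), verifies the block 0 BCC byte against the UID, checks that the three access-bit bytes of every trailer agree with their inverted copies, and flags the factory default key and data blocks that either key may write. The dump it operates on is constructed inline.

```python
DEFAULT_KEY = bytes.fromhex("FFFFFFFFFFFF")   # MIFARE Classic factory "transport" key
TRANSPORT_ACCESS = bytes.fromhex("FF078069")  # factory access bits plus user byte

def build_sample_dump(uid=bytes.fromhex("DEADBEEF")):
    """Construct a factory-fresh style 1K dump (sample data, not a real card)."""
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]            # block 0 check byte = XOR of UID bytes
    block0 = uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8)   # SAK, ATQA, manufacturer data
    dump = bytearray()
    for sector in range(16):
        dump += (block0 if sector == 0 else bytes(16)) + bytes(32)   # three data blocks
        dump += DEFAULT_KEY + TRANSPORT_ACCESS + DEFAULT_KEY       # sector trailer
    return bytes(dump)

def decode_access_bits(ab):
    """Return the (C1, C2, C3) nibbles, or None if the inverted copies disagree."""
    nc2, nc1 = ab[0] >> 4, ab[0] & 0xF      # byte 6: ~C2 | ~C1
    c1, nc3 = ab[1] >> 4, ab[1] & 0xF       # byte 7:  C1 | ~C3
    c3, c2 = ab[2] >> 4, ab[2] & 0xF        # byte 8:  C3 |  C2
    if (c1 ^ nc1) != 0xF or (c2 ^ nc2) != 0xF or (c3 ^ nc3) != 0xF:
        return None
    return c1, c2, c3

def audit_dump(dump):
    """Return a list of findings for a 1024-byte dump (an empty list means clean)."""
    if len(dump) != 1024:
        return ["not a 1K dump: %d bytes" % len(dump)]
    findings = []
    uid, bcc = dump[0:4], dump[4]
    if bcc != uid[0] ^ uid[1] ^ uid[2] ^ uid[3]:
        findings.append("block 0: BCC does not match UID")
    for sector in range(16):
        trailer = dump[sector * 64 + 48: sector * 64 + 64]
        key_a, access, key_b = trailer[0:6], trailer[6:9], trailer[10:16]
        if DEFAULT_KEY in (key_a, key_b):
            findings.append("sector %d: factory default key in use" % sector)
        bits = decode_access_bits(access)
        if bits is None:
            findings.append("sector %d: inconsistent access bits" % sector)
            continue
        c1, c2, c3 = bits
        for block in range(3):   # data blocks; condition 000 = read/write with key A or B
            if not ((c1 | c2 | c3) >> block & 1):
                findings.append("sector %d block %d: writable with either key" % (sector, block))
    return findings

if __name__ == "__main__":
    for line in audit_dump(build_sample_dump()):
        print(line)
```

The sample dump deliberately reproduces the transport configuration, so the audit reports every sector; a card that keeps those defaults in production is the case the replay and paste attacks above rely on.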
Take a look at the other commands: just type “hf mf” and look for the commands for the Magic Card. You will understand them after reading this post. Tip: the only difference is that you will need the info inside the simulator memory, not in a file, but this is really easy to achieve: just take a look at the options of the “nested” attack.
Well, we covered a lot of stuff around the Mifare Classic World using Proxmark. You can also take a look at the LibNFC project, you will be able to do kind of the same stuff here, using some standard readers… with some limitations…
If you’re following our posts and practicing, just mail us and we will be very happy to help you!
See you on the next post!
—
This post was from Nahuel Grisolia, who is an Information Security Professional. He has delivered trainings and talks at conferences around the world such as BugCON (Mexico), H2HC (Brazil), Ekoparty (Argentina), OWASP events (Argentina), TROOPERS (Germany), PHDays (Russia), and Ground Zero Summit (India). He specializes in Web Application Security, Penetration Testing and Hardware Hacking.