Chameleon Emulates Contactless Smart Cards


Researchers at Ruhr University of Bochum in Germany have been busy working with RFID and related devices for quite some time now. They call the fruit of their labors Chameleon, a versatile Contactless Smart Card Emulator. Contactless smart cards are RFID-style devices that also contain a smart-card-style memory. These cards are often used for payment, replacing mag-stripe credit cards. Philips MIFARE Classic cards are a common example of contactless smart cards. The Chameleon is set up to emulate any number of cards using the common 13.56 MHz frequency band. Adding a new card is as simple as loading a new CODEC and application into the firmware. Currently Chameleon can emulate MIFARE cards using ISO14443A.

The Chameleon is completely open source, and can be built for around $25 USD. The heart of the system is an Atmel ATxmega192A3 microcontroller. The 192 is a great microcontroller for this task because it contains hardware accelerators for both DES and AES-128. An FTDI USB interface chip is used to provide an optional communication link between a host computer and the ATxmega. The link can be used for debugging, as well as manipulating data in real time. A host PC is not necessary for use though – the Chameleon will operate just fine as a standalone unit. We definitely like this project – though we’re going to be doubling down on the shielding in our RF-blocking wallets.

Comments

  1. SFT2 says:

    This will be a very popular product with a certain segment of the population (which are, not coincidentally, the ones that gave me such great job security). Truly terrifying.

    • Sancho says:

      I’d love to buy this thing ;)

    • Stephen says:

      Projects like this are good because the truly terrifying three-letter-name organisations already have this technology. The more people who have it, the more pressure on industry to build secure systems. Security through obscurity and high capital costs for exploitation only keeps out 2-bit crooks who’ll slip up immediately, get caught for fraud, and sent to jail. It’s the high level criminals with their own implementations that you should be more concerned about.

    • ac says:

      There may or may not have been superior devices available for many, many years if you frequent the right sites. Tiny little things that automagically clone on the fly multiple cards and are ready for immediate use while looking like little more than thick versions of the same.

      As usual, people that care to profit in whatever way they can have made interesting toys very shortly after every new advancement. Our only saving grace is there are very few people in the world that are willing to do bad things.

  2. der_picknicker says:

    Timo Kasper (one of the developers) held a talk at 29C3 (29. Chaos Communication Congress), Hamburg, Germany last year. He spoke about Chameleon and another piece of hardware to sniff SmartCard data (copy!?!). See http://www.youtube.com/watch?v=Y1o2ST03O8I. Spoken language is German. See links in video description for more information.
    You can find more talks from 29C3 and older congresses here: http://mirror.fem-net.de/CCC/ (many talks are in English).
    Don’t miss the live streams from 30C3, which is currently held in Hamburg until Dec. 30. See https://events.ccc.de/congress/2013/wiki/Main_Page for streams and schedule.

  3. Filipe YaBa Polido says:

    Where can I buy one of these? Would avoid carrying different cards all the time :|

  4. 0xfred says:

    Is this as serious as it initially sounds? RFID emulation is one thing, breaking the encryption used on the card is another.

    I must admit I don’t know enough to be sure how far this goes. I am fairly certain that the inevitable posts about how we’ll all be robbed if we have contactless bank cards are over the top though.

  5. Thomas says:

    I’m not 100% sure but I have seen something very similar already here on hack a day. Approx a year ago.

  6. Unfortunately there is no possibility to buy the Chameleon-Mini yet, but we are working on it. The device itself can be used to upload the content of another, dumped contactless smartcard. This implies that you have to make use of other tools like libnfc to actually obtain the dump of a card.
    Note that the article is not entirely accurate, since the new Chameleon-Mini is based on an ATxmega32A4U using the internal USB interface, but we very much appreciate hackaday showing our work on their website!
    So, thanks and see you later!

  7. Tom says:

    I don’t see any FTDI devices in the schematic of either revision on the GitHub? Native XMEGA USB looks like it’s being used!

  8. Scott says:

    Just removed a MiFare tag a couple days ago: http://www.youtube.com/watch?v=y7svPozdpZY

  9. Dave says:

    As per usual, documentation is poor as hell. Old schematics are all that’s available. The mini version has no information about it.

  10. Dave says:

    Scratch that, I’m blind ;)

  11. fartface says:

    Credit cards are not the best use for this, it’s getting through security because the company’s security believes that if you can open the door you belong there. Credit card fraud is chump change, Corporate Espionage is where the big money is at and this will emulate all of the access cards that are in use at labs and corporations.

  12. Is it still worth buying a proxmark3 then?

  13. RFIdiot says:

    Proxmark3 cannot emulate full mifare 1k or 4k. Auth fails always because of fucked up code. But proxmark3 is very good to sniff generic rfid communication. Don’t buy at xfpga.com; there have been reports of people getting scammed by them.

    • AG says:

      XPGA is reliable and professional – I recently bought through them.
      The proxmark3 is an amazing tool, and I have found its emulation is fine.

      At the end of the day, proxmark has always been ‘as is’ – and is open source. If you find the code doesn’t work for you, fix it and commit it :)

  14. AG says:

    First and foremost – the talk was great.
    However, it seems to have hinged its arguments for the chameleon on the fact that MIFARE’s one defense is that you cannot change the UID / Manufacturer sector.

    It’s been possible for years now (hey, it’s built into libnfc and proxmark) to use the special Chinese cards to do unlocked reads / writes to all sectors.

    The Chameleon looks like a great tool – I’m going to build a few – but it’s definitely not the only tool to have – in some circumstances, using the Chinese cards would be a much more efficient vector.

  15. Eve says:

    What the fuck is wrong with this commenting system?! I cannot post my reply!

  16. Eve says:

    My experience with xfpga.com is also not very good, I ordered a Proxmark3 and some other stuff from them and paid via Paypal. The device arrived bricked and re-flashing via JTAG did not debrick it. Maybe it had to do with the missing ESD bag … :( The xfpga guy, “Michael”, said I bricked it and refused to help in any way, he even stopped replying to my mails. I then tried to get the money back via paypal, however “Michael” presented a DHL tracking number to them showing that the parcel arrived and the case was closed then. Complete waste of time and money!

    Simon: can you give us a bill of materials for the ch-mini? With Farnell/Digikey/Whatever PN’s?
    Did you use a service to have the prototype built? How much did that cost you?

    Kits would be great!

    • JOSE says:

      Eve, I only saw this forum today. I’m another one scammed by xfpga.com, but through aliexpress.com (RFID SHOP). I made the purchase there thinking it was more secure, sent 500 USD to Jolin Yung, and they never answered me.

  17. Alizee says:

    xfpga is a scammer. That’s for sure. My proxmark3 never arrived. Refund was not possible, they just ignored my mail. This guy, Michael, does not respond to my Skype calls and emails, scam!
