Chameleon Emulates Contactless Smart Cards

chameleon

Researchers at Ruhr University of Bochum in Germany have been busy working with RFID and related devices for quite some time now. They call the fruit of their labors Chameleon, a versatile Contactless Smart Card Emulator. Contactless Smart Cards are RFID style devices that also contain a smart card style memory. These cards are often used for payment, replacing mag strip style credit cards. Philips MIFARE Classic cards are a common example of contactless smart cards. The Chameleon is set up to emulate any number of cards using the common 13.56MHz frequency band. Adding a new card is as simple as loading up a new CODEC  and application to the firmware. Currently Chameleon can emulate MIFARE cards using the ISO14443A.

The Chameleon is completely open source, and can be built for around $25 USD. The heart of the system is an Atmel ATxmega192A3 microcontroller. The 192 is a great microcontroller for this task because it contains hardware accelerators for both DES and AES-128. An FTDI USB interface chip is used to provide an optional communication link between a host computer and the ATxmega. The link can be used for debugging, as well as manipulating data in real-time. A host PC is not necessary for use though – the Chameleon will operate just fine as a stand alone unit. We definitely like this project – though we’re going to be doubling down on the shielding in our RF blocking wallets.

46 thoughts on “Chameleon Emulates Contactless Smart Cards

    1. Projects like this are good because the truly terrifying three-letter-name organisations already have this technology. The more people who have it, the more pressure on industry to build secure systems. Security through obscurity and high capital costs for exploitation only keeps out 2-bit crooks who’ll slip up immediately, get caught for fraud, and sent to jail. It’s the high level criminals with their own implementations that you should be more concerned about.

    2. There may or may not have been superior devices available for many, many years if you frequent the right sites. Tiny little things that automagically clone on the fly multiple cards and are ready for immediate use while looking like little more than thick versions of the same.

      As usual, people that care to profit in whatever way they can have made interesting toys very shortly after every new advancement. Our only saving grace is there are very few people in the world that are willing to do bad things.

  1. Timo Kasper (one of the developers) held a talk al 29C3 (29. Chaos Communication Congress), Hamburg, Germany last year. He spoke about Chameleon and an other hardware to sniff SmartCard data (copy!?!). See http://www.youtube.com/watch?v=Y1o2ST03O8I. Spoken language is german. See links in video description for more informations.
    You can find more talks from 29C3 and older congresses here: http://mirror.fem-net.de/CCC/ (many talks are in english).
    Don’t miss the live streams form 30C3, which is currently held in Hamburg until Dec. 30. See https://events.ccc.de/congress/2013/wiki/Main_Page for streams and schedule

  2. Is this as serious and it initially sounds? RFID emulation is one thing, breaking the encryption used on the card is another.

    I must admit I don’t know enough to be sure how far this goes. I am fairly certain that the inevitable posts about how we’ll all be robbed if we have a contactless bank cards are over the top though.

  3. Unfortunately there is no possibility to buy the Chamleon-Mini yet, but we are working on it. The device itself can be used to upload the content of another, dumped contactless smartcard. This implies, that you have to make use of other tools like libnfc to actually obtain the dump of a card.
    Note that the article is not entirely accurate, since the new Chameleon-Mini is based on a ATxmega32A4U using the internal USB interface, but we very much appreciate hackaday to show our work on their website!
    So, thanks and see you later!

  4. Credit cards are not the best use for this, it’s getting through security because the company’s security believes that if you can open the door you belong there. Credit card fraud is chump change, Corporate Espionage is where the big money is at and this will emulate all of the aces cards that are in use at labs and corporations.

  5. Proxmark3 cannot emulate full mifare 1k or 4k. Auth fails always because of fucked up code. But proxmark3 is very good to sniff generic rfid communication. Don’t buy at xfpga.com there have been reports of people getting scammed by them.

    1. XPGA is reliable and professional – I recently bought through them.
      The proxmark3 is an amazing tool, and I have found its emulation is fine.

      At the end of the day, proxmark has always been ‘as is’ – and is open source. If you find the code doesnt work for you, fix it and commit it :)

  6. First and foremost – the talk was great.
    However, it seems to have hinged its arguments for the chameleon on the fact that MIFARE’s one defense is that you cannot change the UID / Manufactuer sector.

    It’s been possible for years now (hey, it’s built into libnfc and proxmark) to use the special chinese cards to do unlocked reads / writes to all sectors.

    The Chameleon looks like a great tool – I’m going to build a few – but it’s definitely not the only tool to have – in some circirumstances, using the Chinese cards would be a much more efficient vector.

    1. Of course the Chameleon-Mini is not “the only tool to have”. It is just a contactless smartcard emulator :-) However its feature range goes a lot further than those of the chinese cards.
      You can have multiple card settings on the chameleon at the same time and switch them with a button on the fly. Also you are not limited to Mifare Classic emulations, since you are free to write your own so-called CODECs and Applications.
      Furthermore you can even do your own stuff with the Chameleon-Mini as in Logging, Sniffing or even Jamming another RFID communication channel.

      1. So, how does this differ from the $450 fpga based Proxmark (LF and 13.56mhz), or the older $200 OpenPCD Reader, or the newer OpenPICC tag emulator? Or even Bishofox’s Tastic RFID Thief (125/134khz)?

        Also not sure if it’s entirely different beast, but how can I clone my car keys that also use rfid? The dealer asks for $250 per key, so I’d love to be able to do it myself even if the equipement to do it, ends up costing me more!

        http://www.kukata86.com/en/description-and-development-RFID-emulator
        http://www.slideshare.net/devnology/devnology-smartcard-rfidnov2012#
        http://cq.cx/proxmark3.pl

  7. My experience with xfpga.com is also not very good, I ordered a Proxmark3 and some other stuff from them and payed via Paypal. The device arrived bricked and re-flashing via JTAG did not debrick it. Maybe it had to to with the missing esd bag … :( The xfpga guy, “Michael”, said I bricked it and refused to help in any way, he even stopped replying to my mails. I then tried to get the money back via paypal, however “Michael” presented a DHL tracking number to them showing that the parcel arrived and the case was closed then. Complete waste of time and money!

    Simon: can you give us a bill of materials for the ch-mini? With Farnell/Digikey/Whatever PN’s?
    Do you used a service the have the prototype build? How much did that cost you?

    Kits would be great!

    1. Eve,,,, its since i see this forum today , i m other scammed by xfpga.com but from aliexpress,com (RFID SHOP) i make the buy there thinking more secure and sending 500USD to Jolin Yung and never thEy answer me

  8. xfpga is a scammer. Thats for sure. My proxmark3 never arrived. Refund was not possible, they just ignored my mail. This guy, Michael, does not respond to my skype calls and emails, scam!

  9. As at 14/January/2015 Kasper & Oswald GmbH still had 3 ChameleonMini Rev.E for sale and ready to dispatch.
    They also wrote: “FYI, we plan a kickstarter project to be able to manufacture bigger amounts of ChameleonMini, and thus have a lower sales price well below 100 EUR. This is planned to happen within the next few months.”

    Cheers to all

    1. Woohoo 240$ with shipping for a device that is 25$ in components?! This is ridiculous, you had zero development cost! Hopefully Timo manages to finally start the kickstarter campaign soon :)

      1. Sooooo ridiculous that cannot even access the link … “This form is currently private and cannot be viewed by the public.”
        Might be they fixing a typo in the price … $25 and not $250 :-P

  10. Hi all,
    I drive a focus mk2 2005 1,6 TDci and am using an V-gate iCar 2 (wifi edition)… Its only €15, but fully supports 11bit/500kbps high speed communication. With the aid of Forscan and FoCOM I got similar results in finding all extra’s, just by retrieving the right hex PID in those programs (with wikipedia nearby) and applied them in Torque Pro. Together with Torque being auto launched when its connected to the iCar, it literally became a smart car…

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.