Researchers at Ruhr University of Bochum in Germany have been busy working with RFID and related devices for quite some time now. They call the fruit of their labors Chameleon, a versatile Contactless Smart Card Emulator. Contactless Smart Cards are RFID-style devices that also contain a smart-card-style memory. These cards are often used for payment, replacing magnetic-stripe credit cards. Philips MIFARE Classic cards are a common example of contactless smart cards. The Chameleon is set up to emulate any number of cards using the common 13.56 MHz frequency band. Adding a new card is as simple as loading up a new CODEC and application to the firmware. Currently, Chameleon can emulate MIFARE cards using ISO 14443A.
The Chameleon is completely open source, and can be built for around $25 USD. The heart of the system is an Atmel ATxmega192A3 microcontroller. The 192 is a great microcontroller for this task because it contains hardware accelerators for both DES and AES-128. An FTDI USB interface chip is used to provide an optional communication link between a host computer and the ATxmega. The link can be used for debugging, as well as manipulating data in real time. A host PC is not necessary for use though – the Chameleon will operate just fine as a standalone unit. We definitely like this project – though we’re going to be doubling down on the shielding in our RF blocking wallets.
This will be a very popular product with a certain segment of the population (which are, not coincidentally, the ones that gave me such great job security). Truly terrifying.
I’d love to buy this thing ;)
Projects like this are good because the truly terrifying three-letter-name organisations already have this technology. The more people who have it, the more pressure on industry to build secure systems. Security through obscurity and high capital costs for exploitation only keeps out 2-bit crooks who’ll slip up immediately, get caught for fraud, and sent to jail. It’s the high level criminals with their own implementations that you should be more concerned about.
There may or may not have been superior devices available for many, many years if you frequent the right sites. Tiny little things that automagically clone on the fly multiple cards and are ready for immediate use while looking like little more than thick versions of the same.
As usual, people that care to profit in whatever way they can have made interesting toys very shortly after every new advancement. Our only saving grace is there are very few people in the world that are willing to do bad things.
you fool :)))))))))
woosh
Timo Kasper (one of the developers) held a talk at 29C3 (29. Chaos Communication Congress), Hamburg, Germany last year. He spoke about Chameleon and another piece of hardware to sniff SmartCard data (copy!?!). See http://www.youtube.com/watch?v=Y1o2ST03O8I. Spoken language is German. See links in video description for more information.
You can find more talks from 29C3 and older congresses here: http://mirror.fem-net.de/CCC/ (many talks are in English).
Don’t miss the live streams from 30C3, which is currently held in Hamburg until Dec. 30. See https://events.ccc.de/congress/2013/wiki/Main_Page for streams and schedule.
Where can I buy one of these? Would avoid carrying different cards all the time :|
Is this as serious as it initially sounds? RFID emulation is one thing, breaking the encryption used on the card is another.
I must admit I don’t know enough to be sure how far this goes. I am fairly certain that the inevitable posts about how we’ll all be robbed if we have contactless bank cards are over the top though.
I’m not 100% sure but I have seen something very similar already here on hack a day. Approx a year ago.
Unfortunately there is no possibility to buy the Chameleon-Mini yet, but we are working on it. The device itself can be used to upload the content of another, dumped contactless smartcard. This implies that you have to make use of other tools like libnfc to actually obtain the dump of a card.
Note that the article is not entirely accurate, since the new Chameleon-Mini is based on an ATxmega32A4U using the internal USB interface, but we very much appreciate hackaday showing our work on their website!
So, thanks and see you later!
I don’t see any FTDI devices in the schematic of either revision on the GitHub? Native XMEGA USB looks like it’s being used!
Just removed a MiFare tag a couple days ago: http://www.youtube.com/watch?v=y7svPozdpZY
As per usual, documentation is poor as hell. Old schematics are all that’s available. The mini version has no information about it.
Scratch that, I’m blind ;)
Credit cards are not the best use for this; it’s getting through security, because the company’s security believes that if you can open the door you belong there. Credit card fraud is chump change; corporate espionage is where the big money is at, and this will emulate all of the access cards that are in use at labs and corporations.
Is it still worth buying a proxmark3 then?
Proxmark3 cannot emulate full MIFARE 1k or 4k. Auth fails always because of fucked up code. But Proxmark3 is very good to sniff generic RFID communication. Don’t buy at xfpga.com; there have been reports of people getting scammed by them.
XPGA is reliable and professional – I recently bought through them.
The proxmark3 is an amazing tool, and I have found its emulation is fine.
At the end of the day, proxmark has always been ‘as is’ – and is open source. If you find the code doesn’t work for you, fix it and commit it :)
First and foremost – the talk was great.
However, it seems to have hinged its arguments for the Chameleon on the fact that MIFARE’s one defense is that you cannot change the UID / Manufacturer sector.
It’s been possible for years now (hey, it’s built into libnfc and proxmark) to use the special Chinese cards to do unlocked reads / writes to all sectors.
The Chameleon looks like a great tool – I’m going to build a few – but it’s definitely not the only tool to have – in some circumstances, using the Chinese cards would be a much more efficient vector.
Of course the Chameleon-Mini is not “the only tool to have”. It is just a contactless smartcard emulator :-) However its feature range goes a lot further than those of the Chinese cards.
You can have multiple card settings on the chameleon at the same time and switch them with a button on the fly. Also you are not limited to Mifare Classic emulations, since you are free to write your own so-called CODECs and Applications.
Furthermore you can even do your own stuff with the Chameleon-Mini as in Logging, Sniffing or even Jamming another RFID communication channel.
So, how does this differ from the $450 FPGA-based Proxmark (LF and 13.56 MHz), or the older $200 OpenPCD Reader, or the newer OpenPICC tag emulator? Or even Bishop Fox’s Tastic RFID Thief (125/134 kHz)?
Also not sure if it’s an entirely different beast, but how can I clone my car keys that also use RFID? The dealer asks for $250 per key, so I’d love to be able to do it myself even if the equipment to do it ends up costing me more!
http://www.kukata86.com/en/description-and-development-RFID-emulator
http://www.slideshare.net/devnology/devnology-smartcard-rfidnov2012#
http://cq.cx/proxmark3.pl
Hey Simon, do you have any news regarding the kits?
What the fuck is wrong with this commenting system?! I cannot post my reply!
My experience with xfpga.com is also not very good. I ordered a Proxmark3 and some other stuff from them and paid via PayPal. The device arrived bricked and re-flashing via JTAG did not debrick it. Maybe it had to do with the missing ESD bag … :( The xfpga guy, “Michael”, said I bricked it and refused to help in any way; he even stopped replying to my mails. I then tried to get the money back via PayPal, however “Michael” presented a DHL tracking number to them showing that the parcel arrived and the case was closed then. Complete waste of time and money!
Simon: can you give us a bill of materials for the ch-mini? With Farnell/Digikey/Whatever PN’s?
Did you use a service to have the prototype built? How much did that cost you?
Kits would be great!
Eve, I only saw this forum today. I’m another one scammed by xfpga.com, but through aliexpress.com (RFID SHOP). I made the purchase there thinking it was more secure, sent 500 USD to Jolin Yung, and they never answered me.
xfpga is a scammer. That’s for sure. My proxmark3 never arrived. Refund was not possible, they just ignored my mail. This guy, Michael, does not respond to my Skype calls and emails, scam!
Hello friends, I am new to this forum. Can someone get a Mini Chameleon?
I built out 10 of them a couple months ago because a couple friends wanted some. I have several left. Are you still interested in one?
Hello, give me an email address so we can talk.
Do you have more?
Hi Marcin,
If you still have any, I’d be interested in getting my hands on one. You can mail me at had@dawes.za.net.
Rogan
give me a shout marcin at haxaday com
Any of these animals still left?
As at 14/January/2015 Kasper & Oswald GmbH still had 3 ChameleonMini Rev.E for sale and ready to dispatch.
They also wrote: “FYI, we plan a kickstarter project to be able to manufacture bigger amounts of ChameleonMini, and thus have a lower sales price well below 100 EUR. This is planned to happen within the next few months.”
Cheers to all
Just in case: Kasper & Oswald GmbH —> info at kasper-oswald dot de
Please post any news regarding this. Thank you
FYI, the Kickstarter project is finally live (only two years wait, sorry about the slight delay :D)
https://www.kickstarter.com/projects/1980078555/chameleonmini-a-versatile-nfc-card-emulator-and-mo
We are baking up a batch of Mini Rev2-Es. Interested parties can reserve one at https://chameleonmini.wufoo.com/forms/reserve-your-chameleonmini/
Woohoo 240$ with shipping for a device that is 25$ in components?! This is ridiculous, you had zero development cost! Hopefully Timo manages to finally start the kickstarter campaign soon :)
Sooooo ridiculous that I cannot even access the link … “This form is currently private and cannot be viewed by the public.”
Might be they are fixing a typo in the price … $25 and not $250 :-P
The form no longer works because the reservation period is over. Reservations have been fulfilled and the ChameleonMini is now generally available for purchase at http://store.ryscc.com/products/chameleonmini.
I’ve seen it
It comes preprogrammed on cheap phones from the lower carriers. My advice: buy a high-end phone and root it.
Hi all,
I drive a Focus Mk2 2005 1,6 TDci and am using a V-gate iCar 2 (WiFi edition)… It’s only €15, but fully supports 11bit/500kbps high speed communication. With the aid of Forscan and FoCOM I got similar results in finding all extras, just by retrieving the right hex PID in those programs (with Wikipedia nearby) and applied them in Torque Pro. Together with Torque being auto launched when it’s connected to the iCar, it literally became a smart car…
There is a GUI tool for the ChameleonMini available now which makes PuTTY and Tera Term etc. obsolete. This is more comfortable to use than terminal commands.
http://www.bronken.de/chameleonminigui/
Hi Torsten, why not put it in the GitHub repository, including source code?