A few years ago, we saw a project from a few researchers in Germany who built a device to clone contactless smart cards. These contactless smart cards can be found in everything from subway cards to passports, and a tool to investigate and emulate these cards has exceptionally interesting implications. [David] and [Tino], the researchers behind the first iteration of this hardware, have been working on an improved version for a few years, and they’re finally ready to release it. They’re behind a Kickstarter campaign for the ChameleonMini, a device for NFC security analysis that can also clone and emulate contactless cards.
While the original Chameleon smart card emulator could handle many of the contactless smart cards you could throw at it, there are a lot of different contactless protocols. The new card can emulate just about every contactless card that operates on 13.56 MHz.
The board itself is mostly a PCB antenna, with the electronics based on an ATXMega128A4U microcontroller. This micro has AES and DES encryption engines, meaning if your contactless card has encryption and you have the cryptographic key, you can emulate that card with this device. They’re also making a more expensive version that also has a built-in reader that makes the ChameleonMini a one-stop card cloning tool.
33 thoughts on “Emulating And Cloning Smart Cards”
No legal problems there whatsoever.
Yes, freedom of sciences, researches, and teachings are fundamental rights guaranteed in §5 of Germany’s “constitution” (which is called Grundgesetz – basic/fundamental laws).
But saying we have no such odd things like http://www.slate.com/blogs/future_tense/2016/01/13/copyright_law_shouldn_t_keep_me_from_fixing_a_tractor.html here in Europe isn’t true either. Industry and their lobbyists are fighting strong for their pervert ideas…
There are cards with encrypted keys that you need to emulate them. It is not like this breaks really good security. It is just that most mass deployed systems do not have particularly good security. And without hardware like this existing there is no incentive for companies to deploy better security.
Sadly most card access door systems in the USA are horribly insecure and only look for the card’s transmitted serial number to open the door.
Newer systems are better, but most businesses here have the 10+ year old systems that are as secure as a piece of tape that says “do not open”
So how long will it take in the US before possessing something like this becomes (right or wrong) evidence of criminal intent, like owning a set of lock picks without being a locksmith in many jurisdictions?
Dunno. How long did it take for you people to vote in gay marriage? Then probably just as long.
It was never voted in (nationwide at least).
You just reaffirmed his comment… regardless of the method America went about lawfully accepting gay marriage, it took a period of time equal to amount of shits Americans gave about their country…
To assume that the American people will suddenly develop an urge to put its social issues aside and focus on something substantially less significant is just naive.
I mean, they can’t even regulate gun ownership without executive orders
Note: I’m not your lawyer, and I’m not giving any official legal advice.
Actually, it is only illegal to possess lockpicks in one state (Tennessee) without a locksmith license. In four states lockpicks can be considered evidence of criminal intent, one of those states only if the picks are concealed.
Even if they catch you in one of those states where it can be shown as criminal intent, you have a chance to counter prima facie evidence of intent.
The way burglary tools are defined, you could get in trouble with this in many states currently if they can prove intent to commit a crime.
It’s kind of like an electronic key cutting machine
What’s the purpose of the copper on the other side of the coil antenna?
Good question. I am interested in this one, too. That copper plane is not connected to anything and no closed loop. Microstrip impedance matching? Resonance tuning?
It is bare PCB (no copper), it is to make the length of the card such that it can push physical switches inside some card readers. It is shown in one of the videos in their KS page. And if you don’t want it, there is a one-way removal process.
Looks like an e-field shield. Basically blocks the e field while allowing h field to pass. Generally, this goes on both sides of the coil though and a 4 layer PCB is required.
Yeah, but it’s a 2 layer board. My guess is that it has to do with eddy currents, i.e. working as a one-way gasket to cancel them out? That would allow taking out the unknown of the equation if the antenna is appropriately tuned.
My guess is that the copper on the other layer of the pcb acts as a ground plane for the antenna.
* On a regular basis, authentication systems should exchange a token with a carried RFID device, and in subsequent interactions, the list of the last X tokens be returned to the authentication system, so the system knows if it’s the same device that’s been responding
* Flag devices whose previous contact transcripts don’t match for enhanced scrutiny
* Allow devices flagged for enhanced scrutiny to be cleared at an authorised/monitored point, at which point it would also update the card to have a new secret/keypair in addition to the old one. Flag attempts with the old key to security (policy on whether access is granted and monitored or denied dependent on security required).
The period at which you set the transcript comms + enhanced scrutiny + key change, and how often the person uses the RFID device to authenticate would limit the window of opportunity to use the cloned device.
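A small simulation of the rolling-token scheme proposed in the comment above, added here as an example; it is not code from the commenter, Hackaday or the ChameleonMini project, and the `Card`/`Backend` classes, the result strings and the token and key formats are all constructed for illustration:

```python
import secrets
from collections import deque
HISTORY_LEN = 4  # the "last X tokens" a card hands back on every contact
class Card:
    # Constructed model of a credential holding a key and a rolling token transcript.
    def __init__(self, card_id, key, history=()):
        self.card_id = card_id
        self.key = key
        self.history = deque(history, maxlen=HISTORY_LEN)

    def clone(self):
        # A cloner copies everything the card holds at that moment, transcript included.
        return Card(self.card_id, self.key, list(self.history))

    def present(self):
        return self.card_id, self.key, list(self.history)

class Backend:
    # Reader-side system: issues one fresh token per contact and compares transcripts.
    def __init__(self):
        self.keys = {}       # card_id -> currently valid key
        self.expected = {}   # card_id -> tokens the backend last handed to that card
        self.flagged = set()

    def enroll(self, card):
        self.keys[card.card_id] = card.key
        self.expected[card.card_id] = []

    def authenticate(self, card):
        card_id, key, reported = card.present()
        if card_id not in self.keys or card_id in self.flagged:
            return "denied"            # unknown, or awaiting clearing at a monitored point
        if key != self.keys[card_id]:
            self.flagged.add(card_id)  # a copy made before the last key change
            return "old_key"
        if reported != self.expected[card_id]:
            self.flagged.add(card_id)  # transcript mismatch: another copy has been used
            return "flagged"
        token = secrets.token_hex(4)
        card.history.append(token)
        self.expected[card_id] = (reported + [token])[-HISTORY_LEN:]
        return "granted"

    def clear(self, card):
        # Authorised clearing point: unflag, rotate the key and restart the transcript.
        self.flagged.discard(card.card_id)
        card.key = secrets.token_hex(8)
        card.history.clear()
        self.enroll(card)
```

A clone passes exactly as long as its transcript stays in step with the genuine card; the first use of whichever copy fell behind trips the flag, which is the window the comment's last sentence describes.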
“Well, I don’t think we can make this scrutiny thing a selling point and it would just add cost, right? Let’s just focus on getting this logo colour issue sorted out now hmmkay?”
They should try this on a CAC card.
Oh man, I’m imagining the shitstorm that would result from somebody getting caught in a SCIF with a cloned CAC.
Could be pretty fun to use that with our test robot we use to simulate access to test our card readers. With this device we could program a lot of different users on one card to better track if the reader missed some cards he should have seen. Guess it’s not that easy to do for a Mifare DESFire card tho, and we don’t use any lower security cards.
And DESFire has not been state of the art for quite some time. There are some cards that won’t get broken for a long time… The security issues with RFID are not about current tech; it’s all the old junk, completely broken, that keeps getting sold and used for “security”…
” [David] and [Tino]” <– that should be [David] and [Timo]
For those interested, I have also developed a fully open source HW & SW for NFC sniffer / emulator (based on ultra powerful STM32F4@168MHz & TRF7970A) see https://github.com/bvernoux/hydranfc
Well I could see an advantage in this where if you have multiple smart cards you could use this to make a, should I say, mooltipass, to store all your cards on one device.
This thing has been doing the rounds for a couple of weeks now on all the infosec lists/twitters but I don’t really get it. Sure, it’s open which is nice, but I’m not convinced that it will do anything much that you can’t with a PN532, and those are plenty available for people who want to hack on ISO14443A and friends.
You just cannot emulate and sniff mifare cards with the PN532.
Unrelated: Could we just buy the Rev. E and solder the FRAM in place on our own to get Rev. G functionality?
This is slightly more sophisticated. You can log traffic and/or store loads of different cards on one smart card sized device. You can also start doing stuff like random uid and stuff like that. I think this is overkill if you just want to play around with some basic nfc-fuzzing/public transport stuff – but once you get into the more startling details of how badly designed some of these systems really are – well I think this is the tool for those kinds of details. Also I’m buying one for keeping my dozen cards in one place. This was on my list of things to build and they even got it better than I imagined.
Question for Timo et al:
Well I’m from Germany and if I understand correctly I’ll pay 117€ for the Rev. G while everybody else will pay 99€ incl. shipping? Wtf? You’re shipping the device from Germany, right?
Nice that you can just buy the blank pcb and put it together yourself. That’s a pretty good move by them.
This seems like a completely natural development to me. Even with the highest standard of security, there will be ways to get around it. Even a 256-bit AES encryption can be brute-forced within a matter of hours by renting cloud computing. Have a look at what happened with the iPhone – the FBI managed to break its security without Apple helping them out. If someone really wants to steal from you or hack you, they will find means to do so. Smart cards are still infinitely safer than mag stripe cards.