[Guillermo] started a new job a while back. That job came with an NFC access card, which was used for booking rooms and building access. The card also served as a wallet for using the vending machines. He set about hacking the card to see what he could uncover.
Initial scans with NFC Tools revealed the card was an Infineon MIFARE Classic Card 1k. These cards are considered fairly old and insecure by now. There’s plenty of guides online on how to crack the private keys that are supposed to make the card secure. Conveniently, [Guillermo] had a reader/writer on hand for these very cards.
[Guillermo] was able to use a tool called mfoc to dump the keys and data off the card. From there, he was able to determine that the credit for the vending machines was stored on the card itself, rather than on a remote server.
This means that it’s simple to change the values on the card in order to get free credit, and thus free snacks. However, [Guillermo] wisely resisted the urge to cash in on candy and sodas. When totals from the machine and credit system were reconciled, there’d be a clear discrepancy, and a short investigation would quickly point to his own card.
He also managed to successfully clone a card onto a “Magic Mifare” from Amazon. In testing, the card performed flawlessly on all systems he tried it on.
It goes to show just how vulnerable some NFC-based access control systems really are. RFID tags are often not as safe as you’d hope, either!
Picking a lock can get you some freebies too. It’s called theft, though.
Wishful thinking, you’d get forced entry on top here for that stunt. If you do it digitally there is a hacking law too. So you can add a couple of years for the perp. The titles article itself is solicitation already. But I am no lawyer and cannot give people advice. Since there is a law against that as well.
“The titles article itself is solicitation already”
That’s not how that works, at all. The title is a mere statement of fact: that if you were to crack & clone an NFC card used for stored-value payments, you could use that card to obtain goods without paying for them. It’s no less illegal than the statement “Stealing could get you goods without paying”. It is neither solicitation (would be something like “hey, want a cracked card to get free snacks with?”), or entrapment (what I’m guessing you meant, which would be “here, have this cracked payment card, go use it to get free snacks!”).
Are you a lawyer? Are you giving me legal advise?
They’re just defining words for you, like telling you advise is a verb, not a noun
I’m from Europe, i can give legal and financial advice without giving a damn haha.
OMG, I’m from Europe as well. Is this really illegal in the USA unless you’re a lawyer? It seems to me that would be against freedom of speech!
When I was a teenager, I spent a couple rolls of quarters getting every single stuffed animal out of a small claw machine at the local convenience store. It wasn’t until I got them all out that I realized I didn’t actually want to keep them. So, I just picked the lock on the cabinet and put them all back in. In my case, I wouldn’t call it theft. 🤣
Our building uses cards to gain access. Haven’t messed around with it though. It’s just for the doors and garages.
For a lot more NFC capabilities, along with other high frequency and low frequency communications protocols, get a Proxmark3. Great little device, and the Iceman fork of the software+firmware provides ridiculous amounts of functionality.
Agreed! The proxmark3 is where it’s at. Dangerous Things sell the Proxmark3 Easy with the Iceman firmware preloaded. They also have a bunch of very good video tutorials walking through the basic setup and usage with different card types and etc. The videos are linked on this page.
https://dangerousthings.com/product/proxmark3-easy/
While you’re at it, pick up a NExT implant chip. My keyless start on my car has a backup passive reader and a similar badge in case your key fob battery dies. I used the Proxmark to clone that to my NExT, and now I don’t even cary my key fob anymore.
https://dangerousthings.com/product/next/
Yes, proxmark3+Iceman is really great.
One thing I use mine for is making cheap cards and fobs for several local non-profit organizations for their buildings. Their alarm contractor wants $8-10 per fob for programmed 125 kHz fobs. Instead I buy them in bulk for less than $1 each and program them myself in a few seconds.
Some free snacks would be a great way to lose your job. Depending on the company’s attitude, telling them about the exploit so they can fix it might not be received well either.
Stored-value cards are mindlessly dumb. FedEx Kinkos had a stored value card for their brick & mortar stores where you could load money on a card for surfing the web and running copies, and you could cash out unused money from the cards. It was only a matter of time for someone to figure out the system, change the value stored on a card and then $ free money $. After the details went public it was a few months before they replaced the system with a remote ledger system where the cards were just authentication tokens.
Clipper cards in the bay area are stored-value. You can get them at vending machine.
I’m honestly surprised I don’t hear about more people hacking free fares
Clipper cards are only stored value so that they work for offline validation. The offline systems sync up with the server ledger regularly, and discrepancies would get caught very quickly, as all the ways to add money to the card are online. I don’t have one on me anymore, but iirc, they were DESFire EV1 cards back in 2016 (dunno if they’ve upgraded since). At the time I looked into it (around 2015), the original DESFire had public exploits available, but the EV1 did not.
Bullshit! Has anyone of the guy’s that wrote this ever really understood the migrate classic security features.
If the reader use the whole possibilities that mifare classic offers, you’ll NEVER break into such a system!
No, the security features of Mifare Classics have been broken and the tool mentioned (mfoc) leverages that. Read the paper The Fall of a Tiny Star from the University of Nijmegen for a pretty nice description of how it happened.
I remember some old card payment vending machines, you could cancel the payment, it would give you the, maybe 80p item and also return, usually £5 in change. Repayment for all the times it swallowed money without registering it perhaps.
My engineering school had vending machines that used MIFARE tags. Used the same technique to get tens of bucks of free snacks for me and my friends at every break, for several years. As broke-ass CS students, hacked food tasted so much better than the regular…
Politecnico di Milano?
My local bus service uses on-card storage of trips and funds. Like what’s mentioned in the article though, it’s not possible to get free trips because the fraud detection system will block your access pretty easily at the end of the day. Good way to get a letter in the mail or some men at your door though if you are into that!
You can clone mifare with just an Android phone and the magic mifare fobs.