Cracking The MiFare Classic Could Get You Free Snacks

[Guillermo] started a new job a while back. That job came with an NFC access card, which was used for booking rooms and building access. The card also served as a wallet for using the vending machines. He set about hacking the card to see what he could uncover.

Initial scans with NFC Tools revealed the card was an Infineon MIFARE Classic Card 1k. These cards are considered fairly old and insecure by now. There’s plenty of guides online on how to crack the private keys that are supposed to make the card secure. Conveniently, [Guillermo] had a reader/writer on hand for these very cards.

[Guillermo] was able to use a tool called mfoc to dump the keys and data off the card. From there, he was able to determine that the credit for the vending machines was stored on the card itself, rather than on a remote server.

This means that it’s simple to change the values on the card in order to get free credit, and thus free snacks. However, [Guillermo] wisely resisted the urge to cash in on candy and sodas. When totals from the machine and credit system were reconciled, there’d be a clear discrepancy, and a short investigation would quickly point to his own card.

He also managed to successfully clone a card onto a “Magic Mifare” from Amazon. In testing, the card performed flawlessly on all systems he tried it on.

It goes to show just how vulnerable some NFC-based access control systems really are. RFID tags are often not as safe as you’d hope, either!

24 thoughts on “Cracking The MiFare Classic Could Get You Free Snacks

    1. Wishful thinking, you’d get forced entry on top here for that stunt. If you do it digitally there is a hacking law too. So you can add a couple of years for the perp. The titles article itself is solicitation already. But I am no lawyer and cannot give people advice. Since there is a law against that as well.

      1. “The titles article itself is solicitation already”

        That’s not how that works, at all. The title is a mere statement of fact: that if you were to crack & clone an NFC card used for stored-value payments, you could use that card to obtain goods without paying for them. It’s no less illegal than the statement “Stealing could get you goods without paying”. It is neither solicitation (would be something like “hey, want a cracked card to get free snacks with?”), or entrapment (what I’m guessing you meant, which would be “here, have this cracked payment card, go use it to get free snacks!”).

          1. OMG, I’m from Europe as well. Is this really illegal in the USA unless you’re a lawyer? It seems to me that would be against freedom of speech!

    2. When I was a teenager, I spent a couple rolls of quarters getting every single stuffed animal out of a small claw machine at the local convenience store. It wasn’t until I got them all out that I realized I didn’t actually want to keep them. So, I just picked the lock on the cabinet and put them all back in. In my case, I wouldn’t call it theft. 🤣

  1. For a lot more NFC capabilities, along with other high frequency and low frequency communications protocols, get a Proxmark3. Great little device, and the Iceman fork of the software+firmware provides ridiculous amounts of functionality.

    1. Yes, proxmark3+Iceman is really great.

      One thing I use mine for is making cheap cards and fobs for several local non-profit organizations for their buildings. Their alarm contractor wants $8-10 per fob for programmed 125 kHz fobs. Instead I buy them in bulk for less than $1 each and program them myself in a few seconds.

  2. Stored-value cards are mindlessly dumb. FedEx Kinkos had a stored value card for their brick & mortar stores where you could load money on a card for surfing the web and running copies, and you could cash out unused money from the cards. It was only a matter of time for someone to figure out the system, change the value stored on a card and then $ free money $. After the details went public it was a few months before they replaced the system with a remote ledger system where the cards were just authentication tokens.

      1. Clipper cards are only stored value so that they work for offline validation. The offline systems sync up with the server ledger regularly, and discrepancies would get caught very quickly, as all the ways to add money to the card are online. I don’t have one on me anymore, but iirc, they were DESFire EV1 cards back in 2016 (dunno if they’ve upgraded since). At the time I looked into it (around 2015), the original DESFire had public exploits available, but the EV1 did not.

    1. No, the security features of Mifare Classics have been broken and the tool mentioned (mfoc) leverages that. Read the paper The Fall of a Tiny Star from the University of Nijmegen for a pretty nice description of how it happened.

  3. I remember some old card payment vending machines, you could cancel the payment, it would give you the, maybe 80p item and also return, usually £5 in change. Repayment for all the times it swallowed money without registering it perhaps.

  4. My engineering school had vending machines that used MIFARE tags. Used the same technique to get tens of bucks of free snacks for me and my friends at every break, for several years. As broke-ass CS students, hacked food tasted so much better than the regular…

  5. My local bus service uses on-card storage of trips and funds. Like what’s mentioned in the article though, it’s not possible to get free trips because the fraud detection system will block your access pretty easily at the end of the day. Good way to get a letter in the mail or some men at your door though if you are into that!

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.