As Cheap As Chips: The MiFare Ultra Light Gets A Closer Look

If you take public transport in many of the world’s cities, your ticket will be an NFC card which you scan to gain access to the train or bus. These cards are disposable, so whatever technology they use must be astonishingly cheap. It’s one of these which [Ken Shirriff] has turned his microscope upon, a Montreal Métro ticket, and his examination of the MiFare Ultra Light it contains is well worth a read.

The cardboard surface can be stripped away from the card to reveal a plastic layer with a foil tuned circuit antenna. The chip itself is a barely-discernible dot in one corner. For those who like folksy measurements, smaller than a grain of salt. On it is an EEPROM to store its payload data, but perhaps the most interest lies in the support circuitry. As an NFC chip this has a lot of RF circuitry, as well as a charge pump to generate the extra voltages to charge the EEPROM. In both cases the use of switched capacitors plays a part in their construction, in the RF section to vary the load on the reader in order to transmit data.

He does a calculation on the cost of each chip, these are sold by the wafer with each wafer having around 100000 chips, and comes up with a cost-per-chip of about nine cents. Truly cheap as chips!

If NFC technology interests you, we’ve taken a deep dive into their antennas in the past.

Cracking The MiFare Classic Could Get You Free Snacks

[Guillermo] started a new job a while back. That job came with an NFC access card, which was used for booking rooms and building access. The card also served as a wallet for using the vending machines. He set about hacking the card to see what he could uncover.

Initial scans with NFC Tools revealed the card was an Infineon MIFARE Classic Card 1k. These cards are considered fairly old and insecure by now. There’s plenty of guides online on how to crack the private keys that are supposed to make the card secure. Conveniently, [Guillermo] had a reader/writer on hand for these very cards.

[Guillermo] was able to use a tool called mfoc to dump the keys and data off the card. From there, he was able to determine that the credit for the vending machines was stored on the card itself, rather than on a remote server.

This means that it’s simple to change the values on the card in order to get free credit, and thus free snacks. However, [Guillermo] wisely resisted the urge to cash in on candy and sodas. When totals from the machine and credit system were reconciled, there’d be a clear discrepancy, and a short investigation would quickly point to his own card.

He also managed to successfully clone a card onto a “Magic Mifare” from Amazon. In testing, the card performed flawlessly on all systems he tried it on.

It goes to show just how vulnerable some NFC-based access control systems really are. RFID tags are often not as safe as you’d hope, either!

Chameleon Emulates Contactless Smart Cards

chameleon

Researchers at Ruhr University of Bochum in Germany have been busy working with RFID and related devices for quite some time now. They call the fruit of their labors Chameleon, a versatile Contactless Smart Card Emulator. Contactless Smart Cards are RFID style devices that also contain a smart card style memory. These cards are often used for payment, replacing mag strip style credit cards. Philips MIFARE Classic cards are a common example of contactless smart cards. The Chameleon is set up to emulate any number of cards using the common 13.56MHz frequency band. Adding a new card is as simple as loading up a new CODEC  and application to the firmware. Currently Chameleon can emulate MIFARE cards using the ISO14443A.

The Chameleon is completely open source, and can be built for around $25 USD. The heart of the system is an Atmel ATxmega192A3 microcontroller. The 192 is a great microcontroller for this task because it contains hardware accelerators for both DES and AES-128. An FTDI USB interface chip is used to provide an optional communication link between a host computer and the ATxmega. The link can be used for debugging, as well as manipulating data in real-time. A host PC is not necessary for use though – the Chameleon will operate just fine as a stand alone unit. We definitely like this project – though we’re going to be doubling down on the shielding in our RF blocking wallets.

Live CD For RFID Hacking On The Go

live_rfid_sniffing_distro

[Milosch] wrote in to tell us that he has recently released a bootable RFID live hacking system – something he has been diligently working on for quite some time. The live distro can be used for breaking and analyzing MIFARE RFID cards, as well as a reasonable selection of other well-known card formats. The release is based off the Fedora 15 live desktop system, and includes a long list of RFID hacking tools, as well as some applications that allow for NFC tag emulation.

His toolkit also contains a baudline-based LF RFID sniffer package, allowing for a real-time waveform display of low frequency RFID tags. The LF sniffer makes use of a cheap USB sound card, as well as a relatively simple reader constructed from a handful of easy to find components.

We have seen some of [Milosch’s] handiwork before, so we are fairly confident that his toolkit contains just about everything you need to start sniffing and hacking RFID tags. If you’re interested in grabbing a copy of the ISO, just be aware that the live CD is only compatible with 64-bit systems, so older laptops need not apply.

RFID Reader For IPhone

[Benjamin Blundell] built an RFID reader for the iPhone. A jailbroken iPhone connects to this project box by patching into a standard iPhone USB cable. Like in past iPhone serial projects, [Benjamin] is using openFrameworks for the software interface. Right now this reader only detects low-frequency tags but he’s working on the code to read MIFARE tags as well. See the magic of a tag ID displayed on the screen in the video after the break.

Continue reading “RFID Reader For IPhone”

ShmooCon 2009: Chris Paget’s RFID Cloning Talk

[googlevideo=http://video.google.com/videoplay?docid=-282861825889939203]

When we first saw [Chris Paget]’s cloning video, our reaction was pretty ‘meh’. We’d seen RFID cloning before and the Mifare crack was probably the last time RFID was actually interesting. His ShmooCon presentation, embedded above, caught us completely off-guard. It’s very informative; we highly recommend it.

The hardest part about selling this talk is that it has to use two overloaded words: ‘RFID’ and ‘passport’. The Passport Card, which is part the the Western Hemisphere Travel Initiative (WHTI), is not like the passport book that you’re familiar with. It has the form factor of a driver’s license and can only be used for land and sea travel between the USA, Canada, the Caribbean region, Bermuda, and Mexico. They’ve only started issuing them this year.

Continue reading “ShmooCon 2009: Chris Paget’s RFID Cloning Talk”

MBTA Drops Lawsuit Against MIT Subway Hackers

The Massachusetts Bay Transit Authority (MBTA) has dropped its federal case against three MIT researchers, “the subway hackers”. This happened in October and now the EFF brings news that the students will be working with the MBTA to improve their system. The overall goal is to raise security while keeping expenses minimal.

This whole mess started in August when a gag order was issued against the students’ presentation at Defcon. It’s a shame no one ever saw it because it covers a lot of interesting ground. A PDF of the banned slides is still online. They performed several attacks against both the subway’s fare system and physical security. Our favorites by far were using GNU Radio to sniff the RFID card’s transaction and bruteforcing Mifare Classic with an FPGA.