Apple AirTags Hacked And Cloned With Voltage Glitching

Apple AirTags are useful little devices. They essentially use iPhones in the wild as a mesh network to tell the owner where the AirTag is. Now, researchers have shown that it’s possible to clone these devices.

The research paper explains the cloning process, which requires physical access to the hardware. To achieve the hack, the Nordic nRF52832 inside the AirTag must be voltage glitched to enable its debug port. The researchers were able to achieve this with relatively simple tools, using a Pi Pico fitted with a few additional components.

With the debug interface enabled, it’s simple to extract the microcontroller’s firmware. It’s then possible to clone this firmware onto another tag. The team also experimented with other hacks, like having the AirTag regularly rotate its ID to avoid triggering the anti-stalking warnings built into Apple’s tracking system.

As the researchers explain, it’s clear that AirTags can’t really be secure as long as they’re based on a microcontroller that is vulnerable to such attacks. It’s not the first AirTag cloning we’ve seen either. They’re an interesting device with some serious privacy and safety implications, so it pays to stay abreast of developments in this area.

[Thanks to Itay for the tip!]

Cracking The MiFare Classic Could Get You Free Snacks

[Guillermo] started a new job a while back. That job came with an NFC access card, which was used for booking rooms and building access. The card also served as a wallet for using the vending machines. He set about hacking the card to see what he could uncover.

Initial scans with NFC Tools revealed the card was an Infineon MIFARE Classic Card 1k. These cards are considered fairly old and insecure by now. There are plenty of guides online on how to crack the private keys that are supposed to make the card secure. Conveniently, [Guillermo] had a reader/writer on hand for these very cards.

[Guillermo] was able to use a tool called mfoc to dump the keys and data off the card. From there, he was able to determine that the credit for the vending machines was stored on the card itself, rather than on a remote server.

This means that it’s simple to change the values on the card in order to get free credit, and thus free snacks. However, [Guillermo] wisely resisted the urge to cash in on candy and sodas. When totals from the machine and credit system were reconciled, there’d be a clear discrepancy, and a short investigation would quickly point to his own card.

He also managed to successfully clone a card onto a “Magic Mifare” from Amazon. In testing, the card performed flawlessly on all systems he tried it on.

It goes to show just how vulnerable some NFC-based access control systems really are. RFID tags are often not as safe as you’d hope, either!


Hackaday Links: February 27, 2022

If there’s one thing that can trigger people, it’s the printer racket. Printer manufacturers who put DRM-like features into their consumables are rightly viewed as Satan’s spawn, and while these monsters have been content so far to only put digital rights management features into their ink and toner cartridges, they appear to now have their rapacious gaze set on print media too. At least according to the good folks over at the Electronic Frontier Foundation, who claim that Dymo’s latest generation of label printers will have RFID tags in the label cartridges, apparently to prevent consumers from buying non-Dymo media. The company doesn’t bill it as a way to lock you into their exorbitantly priced consumables, of course; rather, this is an exciting new feature called “Automatic Label Recognition,” which keeps track of what labels are installed and how many are left. Of course, this is just red meat to people like us, and we fully expect to see workarounds in the not-too-distant future.


An NFC Antenna Ring With A Chip As Its Jewel

Contactless payment by means of NFC-enabled bank cards has made our everyday transactions far more convenient over the last decade, but there still remains the tedious task of finding the card and waving it over the reader. Maybe embedded chips are a step too far for many of us, but how about a bank card in a wearable such as a ring? [Jonathan Limén] shows us how, by taking the NFC chip module from a bank card and mounting it on a ring with a wire coil antenna embedded within it.

The chip in a bank card comes mounted on a small thin PCB with contacts on one side and a coil on the other that serves as its antenna. It’s not sensitive enough to work reliably with most card readers, so the card incorporates a separate printed circuit layer that forms a large-sized tuned circuit which couples to the chip antenna. After taking us through the removal of the chip from the card with some acetone, he proceeds to create a replacement for the card antenna by winding a wire coil round the ring. This becomes a trial-and-error process, but in the end, the result is a working NFC payment ring.

We quite like this idea, but would be tempted to both take away some of the trial and error with a vector network analyzer, and run a couple of turns of the wire as a closer coupling coil for the chip. This is a subject we’ve looked at before here at Hackaday, and we wouldn’t mind having another go at it.

NFC Performance: It’s All In The Antenna

NFC tags are a frequent target for experimentation, whether simply by using an app on a mobile phone to interrogate or write to tags, by incorporating them in projects by means of an off-the-shelf module, or by designing a project using them from scratch. Yet they’re not always easy to get right, and can often give disappointing results. This article will attempt to demystify what is probably the most likely cause of poor performance in an NFC project: the pickup coil antenna in the reader itself.

A selection of the NFC tags on my desk

The tags contain chips that are energised by the reader’s RF field, which provides enough power for them to start up, at which point they can communicate with a host computer for whatever their purpose is.

“NFC” stands for “Near Field Communication”, in which data can be exchanged between physically proximate devices without their being physically connected. Both reader and tag achieve this through an antenna, which takes the form of a flat coil and a capacitor that together make a resonant tuned circuit. The reader sends out pulses of RF; once a card answers, the field is maintained and communication continues until the card leaves the reader’s range.


What’s On Your Bank Card? Hacker Tool Teaches All About NFC And RFID

The Flipper Zero is a multipurpose hacker tool that aims to make the world of hardware hacking more accessible with a slick design, wide array of capabilities, and a fantastic looking UI. The team is struggling with manufacturing delays like everyone else right now, but there’s a silver lining: their updates are genuinely informative and in-depth. The latest update is all about RFID and NFC, and how the Flipper Zero can interact with a variety of contactless protocols.

Popular 125 kHz protocols: EM-Marin, HID Prox II, and Indala

Contactless tags are broadly separated into low-frequency (125 kHz) and high-frequency (13.56 MHz) tags, and it’s not really possible to identify which is which just by looking at the outside. Flipper Zero can interface with both, but the update at the link above goes into considerable detail about how these tags are used in the real world, and what they look like from both the outside and inside.

For example, 125 kHz tags have an antenna made from many turns of very fine wire, with no visible space between the loops. High-frequency tags on the other hand will have antennas with fewer loops, and visible space between them. To tell them apart, a bright light is often enough to see the antenna structure through thin plastic.

Low-frequency tags are “dumb” and incapable of encryption or two-way communication, but what about high-frequency tags (often referred to as NFC) such as bank cards, and applications like Apple Pay? One thing demonstrated is that mobile payment methods offer up considerably less information on demand than a physical bank or credit card. With a physical contactless card it’s possible to read the full card number, expiry date, and in some cases the name as well as recent transactions. Mobile payment systems (like Apple or Google Pay) don’t do that.

Like many others, we’re looking forward to it becoming available; sadly, there is just no getting around the component shortages that seem to be affecting everyone.

Download From NFC Datalogger, No App Required

The plethora of wireless technologies has made internet-connected devices the norm, but connectivity isn’t always necessary if you don’t need real-time updates. Whether it’s due to battery life, or location and range constraints, downloading data directly from the device whenever possible might be a viable solution. [Malcolm Mackay] demonstrates an elegant solution on the open source cuplTag temperature/humidity logger, using any NFC-enabled smartphone, without requiring a custom app.

The cuplTag utilizes the feature on NFC-enabled smartphones to automatically open a URL provided by the cuplTag. It encodes the sensor data from the sensor unit as a circular buffer in a ~1 kB URL, which automatically uploads to a web frontend that plots the data. (You can use their server or run your own.)

This means that data can be collected by anyone with an appropriate phone with zero setup. The data is displayed on the web app and can be downloaded as a CSV. To deter spoofing, each tag ships with a secret key that is used to generate a unique HMAC every time the circular buffer changes.
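The "per-tag secret plus HMAC over the buffer" scheme described above is easy to get subtly wrong on the server side, so here is an added example (not cuplTag's own code; the project's real buffer encoding, URL layout and key format are not described here and are replaced by constructed placeholders) showing one way the web frontend can verify a tag's URL before plotting it. The MAC is bound to the tag serial as well as the buffer, the comparison is constant-time, and any URL whose data has been altered without the key is rejected:

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo values: a hypothetical per-tag key database. The real cuplTag
# key provisioning is not described on the page; this is an assumption.
KEY_DB = {"TAG00001": b"constructed-per-tag-secret-0001"}
TAG_LEN = 16  # truncated SHA-256 HMAC, keeps the ~1 kB URL short


def _b64u(raw: bytes) -> str:
    """URL-safe base64 without padding, so the value survives inside a URL."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_buffer(samples):
    """Pack (temp_c, rh_pct) readings as little-endian int16 tenths (constructed format)."""
    return b"".join(struct.pack("<hh", round(t * 10), round(h * 10)) for t, h in samples)


def decode_buffer(buf: bytes):
    if len(buf) % 4:
        raise ValueError("buffer length is not a multiple of 4")
    return [(t / 10, h / 10) for t, h in struct.iter_unpack("<hh", buf)]


def _mac(secret: bytes, serial: str, buf: bytes) -> bytes:
    # Binding the serial into the MAC means a genuine buffer from one tag
    # cannot be presented under another tag's identity.
    return hmac.new(secret, serial.encode() + buf, hashlib.sha256).digest()[:TAG_LEN]


def build_url(base: str, serial: str, samples, secret: bytes) -> str:
    """What the tag side does: buffer, serial and HMAC packed into the query string."""
    buf = encode_buffer(samples)
    return base + "?" + urlencode({"s": serial, "d": _b64u(buf), "t": _b64u(_mac(secret, serial, buf))})


def verify_url(url: str, key_lookup=KEY_DB.get):
    """Server side: return the decoded samples if the HMAC checks out, else None."""
    try:
        q = parse_qs(urlsplit(url).query)
        serial = q["s"][0]
        buf = _b64u_decode(q["d"][0])
        tag = _b64u_decode(q["t"][0])
    except (KeyError, ValueError):
        return None  # malformed or incomplete URL
    secret = key_lookup(serial)
    if secret is None or len(tag) != TAG_LEN:
        return None  # unknown tag, or tag length does not match the scheme
    if not hmac.compare_digest(_mac(secret, serial, buf), tag):
        return None  # buffer or serial altered, or wrong key
    try:
        return decode_buffer(buf)
    except ValueError:
        return None


def tamper_data(url: str, samples) -> str:
    """Swap the data field but keep the original MAC; used only to show that
    verify_url() rejects a buffer altered without the key."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    q["d"] = _b64u(encode_buffer(samples))
    return parts._replace(query=urlencode(q)).geturl()


if __name__ == "__main__":
    readings = [(21.5, 45.0), (21.7, 44.8), (22.0, 44.5)]  # constructed sensor data
    url = build_url("https://example.invalid/plot", "TAG00001", readings, KEY_DB["TAG00001"])
    print("genuine :", verify_url(url))
    print("tampered:", verify_url(tamper_data(url, [(99.9, 1.0)])))
```

The truncated 128-bit tag is a deliberate trade-off between URL length and forgery resistance; what the scheme does not give you is replay protection, so a frontend that cares about freshness still needs a counter or timestamp inside the MACed buffer.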

Battery life is a priority on the cuplTag, and it’s theoretically capable of running seven years on a single CR1220 coin cell using the current-sipping Texas Instruments MSP430 microcontroller. The hardware, firmware, and server-side frontend and backend code are all open source and available on GitHub.

Earlier this year, we held a data logging contest, and featured submissions that monitored everything from your garden’s moisture levels to your caffeine intake.