Wirelessly Pickpocketing a Mifare Classic Card

Garcia, Flavio D.; Rossum, Peter van; Verdult, Roel; Schreur, Ronny Wichers

doi:10.1109/sp.2009.6

Cited by 77 publications

(42 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Most of these have in common that they turn out to be insecure from a cryptanalytical perspective once the secret protocols and algorithms have been reverse-engineered. Today most security products used for access control, such as Texas Instrument's Digital Signature Transponder (DST) [5], NXP's Mifare Classic cards [7,10], Hitag 2 transponders [21], and Legic Prime [17], have something in common: Mathematical attacks emerging from cryptographic weaknesses enable to break their protection in minutes. For systems with a higher level of mathematical security, several examples of real-world side-channel attacks have demonstrated a huge attack potential: The 112-bit secret key of the Mifare DESfire MF3ICD40 smartcard (based on the 3DES cipher) can be extracted with Electro-Magnetic (EM)-based Side Channel Analysis (SCA) [16].…”

Section: Related Workmentioning

confidence: 99%

When Reverse-Engineering Meets Side-Channel Analysis – Digital Lockpicking in Practice

Oswald

Strobel

Schellenberg

et al. 2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. In the past years, various electronic access control systems have been found to be insecure. In consequence, attacks have emerged that permit unauthorized access to secured objects. One of the few remaining, allegedly secure digital locking systems-the system 3060 manufactured and marketed by SimonsVoss-is employed in numerous objects worldwide. Following the trend to analyze the susceptibility of real-world products towards implementation attacks, we illustrate our approach to understand the unknown embedded system and its components. Detailed investigations are performed in a step-by-step process, including the analysis of the communication between transponder and lock, reverse-engineering of the hardware, bypassing the read-out protection of a microcontroller, and reverse-engineering the extracted program code. Piecing all parts together, the security mechanisms of the system can be completely circumvented by means of implementation attacks. We present an EM side-channel attack for extracting the secret system key from a door lock. This ultimately gives access to all doors of an entire installation. Our technique targets a proprietary function (used in combination with a DES for key derivation), probably originally implemented as an obscurity-based countermeasure to prevent attacks.

show abstract

Section: Related Workmentioning

confidence: 99%

When Reverse-Engineering Meets Side-Channel Analysis – Digital Lockpicking in Practice

Oswald

Strobel

Schellenberg

et al. 2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Likewise, following the reverse-engineering of NXP's Mifare Classic cards [2] through analyzing the silicon die, the used Crypto1 cipher was found to be weak, relying on a state of only 48 bits. Further mathematical weaknesses of the cipher and implementations flaws, e. g., a weak random number generator, enable to reveal all secret keys and practically circumvent the protection mechanisms with a card-only attack in minutes [3][4][5]. The Hitag 2 transponders of the same manufacturer, widely used for car immobilizers-but also for RKE systems-were found to be flawed after the cipher became public [6].…”

Section: Related Workmentioning

confidence: 99%

Fuming Acid and Cryptanalysis: Handy Tools for Overcoming a Digital Locking and Access Control System

Strobel

Driessen

Kasper

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We examine the widespread SimonsVoss digital locking system 3060 G2 that relies on an undisclosed, proprietary protocol to mutually authenticate transponders and locks. For assessing the security of the system, several tasks have to be performed: By decapsulating the used microcontrollers with acid and circumventing their read-out protection with UV-C light, the complete program code and data contained in door lock and transponder are extracted. As a second major step, the multi-pass challenge-response protocol and corresponding cryptographic primitives are recovered via low-level reverse-engineering. The primitives turn out to be based on DES in combination with a proprietary construction. Our analysis pinpoints various security vulnerabilities that enable practical key-recovery attacks. We present two different approaches for unauthorizedly gaining access to installations. Firstly, an attacker having physical access to a door lock can extract a master key, allowing to mimic transponders, in altogether 30 minutes. A second, purely logical attack exploits an implementation flaw in the protocol and works solely via the wireless interface. As the only prerequisite, a valid ID of a transponder needs to be known (or guessed). After executing a few (partial) protocol runs in the vicinity of a door lock, and some seconds of computation, an adversary obtains all of the transponder's access rights.

show abstract

“…A method to recover a secret sector key is proposed in [10], requiring two recorded genuine authentications to one sector. The most powerful attacks are card-only attacks as presented in [11] and [5]. They exploit amongst others the weakness that a card sends an encrypted NACK (0x5) each time the parity bits of the message n R ⊕ ks 1 || a R ⊕ ks 2 are correct but the decrypted a R is not (cf.…”

Section: Security Of Mifare Classicmentioning

confidence: 99%

Chameleon: A Versatile Emulator for Contactless Smartcards

Kasper

Maurich

Oswald

et al. 2011

Information Security and Cryptology - ICISC 2010

View full text Add to dashboard Cite

Abstract. We develop a new, custom-built hardware for emulating contactless smartcards compliant to ISO 14443. The device is based on a modern low-cost microcontroller and can support basically all relevant (cryptographic) protocols used by contactless smartcards today, e.g., those based on AES or Triple-DES. As a proof of concept, we present a full emulation of Mifare Classic cards on the basis of our highly optimized implementation of the stream cipher Crypto1. The implementation enables the creation of exact clones of such cards, including the UID. We furthermore reverse-engineered the protocol of DESFire EV1 and realize the first emulation of DESFire and DESFire EV1 cards in the literature. We practically demonstrate the capabilities of our emulator by spoofing several real-world systems, e.g., creating a contactless payment card which allows an attacker to set the stored credit balance as desired and hence make an infinite amount of payments.

show abstract

Wirelessly Pickpocketing a Mifare Classic Card

Cited by 77 publications

References 4 publications

When Reverse-Engineering Meets Side-Channel Analysis – Digital Lockpicking in Practice

When Reverse-Engineering Meets Side-Channel Analysis – Digital Lockpicking in Practice

Fuming Acid and Cryptanalysis: Handy Tools for Overcoming a Digital Locking and Access Control System

Chameleon: A Versatile Emulator for Contactless Smartcards

Contact Info

Product

Resources

About