Thread: MiFare RFID tags hacked.

  • #1 SystemRat

    MiFare RFID tags hacked.

    Back in late December two German hackers, err, sorry, researchers demonstrated the reverse engineering of the MiFare RFID tags. Their work allowed them to understand the encryption system used to secure the cards and that there were physical limits to the strength of that encryption due to the limited power source available. Anyway, they kept the details of the system a secret, but now more has come out and a lot of people are in damage control mode re this.

    There is a good summation and videos of the hack here.

    Other than lots of building security, MiFare is also used on bus and train ticketing around the world and is also the basis of the new ticketing system costing, by press reports, $1 billion here in Victoria. That system now appears to be hacked before it is released, with card readers now in place.

    http://www.doi.vic.gov.au/doi/doielect.nsf/2a6bd98dee287482ca256915001cff0c/ac07216c69b6de8bca25703c0009de27/$FILE/Kamco%20Consortium%20Profile.pdf

  • #2 intelliGEORGE (Sydney, AUSTRALIA)

    It was only a matter of time...

  • #3 bss904

    Quote Originally Posted by SystemRat View Post
    Back in late December two German hackers, err, sorry, researchers demonstrated the reverse engineering of the MiFare RFID tags. Their work allowed them to understand the encryption system used to secure the cards and that there were physical limits to the strength of that encryption due to the limited power source available. Anyway, they kept the details of the system a secret, but now more has come out and a lot of people are in damage control mode re this.

    There is a good summation and videos of the hack here.

    Other than lots of building security, MiFare is also used on bus and train ticketing around the world and is also the basis of the new ticketing system costing, by press reports, $1 billion here in Victoria. That system now appears to be hacked before it is released, with card readers now in place.
    It was worth the time spent watching. It just goes to show that what you are told and what the real facts actually are are never quite the same when it comes to marketing propaganda. I loved the bit on the random generators.
    You have to take your hat off to the team that achieved the result, and on such a small budget compared to what it must have cost to originally develop.
    Their comment that it would be time to migrate before they release all of the details next year was priceless.

  • #4 tytower

    Excellent post SystemRat
    Now if we can just get them to do an Austar chip

  • #5 best4less (Australia)

    Makes me wonder why the company responsible for the sale and manufacturing of these security MiFare RFID tags didn't approach the hackers... MMM, researchers, and recruit them to their organization, paying top dollar of course, to be security consultants instead of letting them destroy their business before it was too late.
    When you do things right, people won't be sure that you have done anything at all

  • #6 SystemRat

    Quote Originally Posted by best4less View Post
    Makes me wonder why the company responsible for the sale and manufacturing of these security MiFare RFID tags didn't approach the hackers... MMM, researchers, and recruit them to their organization, paying top dollar of course, to be security consultants instead of letting them destroy their business before it was too late.
    The card maker is Philips electronics (radio, TV and semiconductors.) To make matters worse a Dutch university has repeated the hack independently of the two German guys.

    The real problem is there is a limited amount of power available to run the crypto circuitry on the card so the algorithm used is nowhere near as strong as 3DES or AES. The strength of the system is the obscurity of the algorithm used which it appears can be obtained by carefully stripping the chip layer by layer. Most modern smartcards are protected against that attack to an extent by interconnected layers and special protective coatings to prevent electron microscope reverse engineering.

    I was lucky enough to see an IC running under an electron microscope at Telstra’s research labs. First they stripped the outer case with hydrofluoric acid and then carefully stripped the glass layer off the top of the chip.

    It was then operated at a low clock rate under the electron microscope. You could see the path of each signal through the chip as the active section lights up. That was pretty cool. Pity I can’t try running a couple of smartcards through that process but I doubt it would work on these or else our Chinese and Russian friends would be flooding the market with Gamma like cards.
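
    The post above makes the point that a power-starved card cannot afford a strong cipher and that the system leaned on nobody knowing the algorithm. The following is an added example, not code from the thread, from the German researchers or from Philips/NXP, showing why that combination fails: the cheapest keystream generator a tag can run is a linear feedback shift register, and once its structure is known, the Berlekamp-Massey algorithm recovers the feedback taps and the register state from just twice the register length in keystream bits, after which every later bit is predictable. The 16-bit register, its taps and the seed are constructed for the demonstration and are not MiFare's actual Crypto-1 cipher.

```python
"""Added example: an obscurity-protected LFSR keystream falls to Berlekamp-Massey.

The register below is a constructed toy, NOT Crypto-1 from MIFARE Classic.
It stands in for any cheap linear keystream source whose only protection was
that the attacker did not know the feedback structure.
"""

# Constructed toy recurrence: s[j] = s[j-16] ^ s[j-14] ^ s[j-13] ^ s[j-11]
# (a maximal-length 16-bit Fibonacci LFSR). These taps play the role of the
# "secret" algorithm the card vendor relied on nobody knowing.
TOY_TAPS = (16, 14, 13, 11)


def lfsr_keystream(seed_bits, taps, n):
    """Emit n keystream bits from a Fibonacci LFSR defined by `taps`.

    seed_bits holds s[0..L-1] with L = max(taps); every further bit is the
    XOR of the bits `t` positions earlier, for each t in taps.
    """
    L = max(taps)
    if len(seed_bits) != L or not any(seed_bits):
        raise ValueError("seed must be L bits and not all zero")
    s = list(seed_bits)
    while len(s) < n:
        fb = 0
        for t in taps:
            fb ^= s[-t]
        s.append(fb)
    return s[:n]


def berlekamp_massey(bits):
    """Shortest LFSR over GF(2) that reproduces `bits`.

    Returns (L, c) with c[0] == 1 such that, for every j >= L,
        bits[j] == XOR_{i=1..L} (c[i] & bits[j-i]).
    Given at least 2*L bits the answer is unique, so an attacker needs only
    a register's worth of keystream twice over.
    """
    n = len(bits)
    c = [0] * (n + 1)      # current connection polynomial
    b = [0] * (n + 1)      # polynomial saved at the last length change
    c[0] = b[0] = 1
    L, m = 0, -1           # L = linear complexity so far, m = index of last length change
    for N in range(n):
        # Discrepancy between the observed bit and what the current LFSR predicts.
        d = bits[N]
        for i in range(1, L + 1):
            d ^= c[i] & bits[N - i]
        if d == 0:
            continue
        t = c[:]
        shift = N - m                      # c(x) ^= x^shift * b(x)
        for i in range(n + 1 - shift):
            c[i + shift] ^= b[i]
        if 2 * L <= N:                     # register too short to explain bit N: lengthen it
            L, m, b = N + 1 - L, N, t
    return L, c[:L + 1]


def recovered_taps(c):
    """Feedback taps implied by a connection polynomial, highest first."""
    return tuple(i for i in range(len(c) - 1, 0, -1) if c[i])


def predict_keystream(captured, c, n):
    """Extend a captured keystream by n bits using the recovered recurrence."""
    s = list(captured)
    for _ in range(n):
        bit = 0
        for i in range(1, len(c)):
            bit ^= c[i] & s[-i]
        s.append(bit)
    return s[len(captured):]


def break_toy_cipher(seed_bits, captured_len=32, predict_len=1000):
    """Attacker's view: sniff 2*L bits, recover the register, predict the rest.

    Returns (recovered_L, recovered_taps, prediction_matches_real_keystream).
    """
    captured = lfsr_keystream(seed_bits, TOY_TAPS, captured_len)
    L, c = berlekamp_massey(captured)
    truth = lfsr_keystream(seed_bits, TOY_TAPS, captured_len + predict_len)[captured_len:]
    guess = predict_keystream(captured, c, predict_len)
    return L, recovered_taps(c), guess == truth


if __name__ == "__main__":
    # Constructed 16-bit seed standing in for the card's secret state.
    SEED = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 1]
    L, taps, exact = break_toy_cipher(SEED)
    print(f"linear complexity {L}, taps {taps}, next 1000 bits predicted correctly: {exact}")
```

    The attacker never learns the taps in advance; 32 sniffed bits are enough to reconstruct both the feedback structure and the state, which is the sense in which "the strength of the system is the obscurity of the algorithm" buys nothing once the chip has been stripped and read. A cipher sized for a real security margin (the 3DES or AES the post contrasts it with) does not have this linear structure to recover.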

  • #7 best4less (Australia)

    Now that would be the coolest thing to see.
    Has anyone made a video of it that you have seen on the net?

  • #8 SystemRat

    It was very cool indeed. It was said that they stripped down stuff they bought a lot of to QC it before releasing to the field.

    I managed to find this site with a couple of short videos on it. The second "slow the chip down" one is close to what I was lucky enough to see.

    I am not sure if the research labs are still there or not now, but they had the very best toys money could buy. Problem was, to work there you needed to have a better than average PhD or above to even sweep the floors.

    Edit

    Not that I like Telstra much, but sadly it seems it's gone.

    Thank god there are still places like CSIRO and DSTO in Oz.

  • #9 Member (Super Duper Secret Members Forum)

    Damn, makes you wonder why we aren't all carrying around an "Australia Card"

    That little bugger could've changed the world back in the 1990's, visions of rampant medicare / CES / Centrelink fraud come to mind.

    Hehehe, if you are >30 years old you'll understand what the Australia Card is / was.

    A little green paint on a "gold" card and you can become the prime minister.

  • #10 best4less (Australia)

    Thanks SystemRat
    The slow clip was fantastic. How many times magnification do you think they had the electron scope set to, to see that so clearly?

  • #11 GavinSV (Adelaide)

    Well, I've been following this Mifare story for a while and now I think it's time to chuck in my conspiracy theory. I believe the resources required by the researchers to hack the card were deliberately leaked by NXP (Philips) themselves. This theory is based on the following notions:

    1. I find the possibility of decoding a chip's security algorithms by slicing the silicon wafer and examining the layers to be somewhat far-fetched.

    2. Mifare Classic technology has been around for a while now and has fairly good market penetration in the contactless industry. However, Mifare DESFire is now on the scene, and if NXP could "scare" everyone into migrating their contactless applications to the DESFire platform, NXP's sales of DESFire cards would go through the roof.

  • #12 SystemRat

    Did you see this presentation on how the two German guys did it?

  • #13 best4less (Australia)

    Quote Originally Posted by SystemRat View Post
    Did you see this presentation on how the two German guys did it?

    100 meg I will have to watch that one after my IP un-shapes me LOL

  • #14 GavinSV (Adelaide)

    Quote Originally Posted by SystemRat View Post
    Did you see this presentation on how the two German guys did it?

    At approximately half way through that video, the presenter said, and I quote, "Philips will probably help you migrate away from this (i.e. the crypto cipher) to their product".

    I bet they will!!

  • #15 Trance

    Quote Originally Posted by GavinSV View Post
    At approximately half way through that video, the presenter said, and I quote, "Philips will probably help you migrate away from this (i.e. the crypto cipher) to their product".

    I bet they will!!
    Yeah, probably from the 15-year-or-so-old challenge-response PIT to HITAG, or the HITAG2 versions at least:
    PCF7936, PCF7941, PCF7942, PCF7943, PCF7944, PCF7946.
