04.08.2019, Sunday

Mifare Classic Type Of Keys


The different sectors of a MIFARE Classic card are protected by different keys. To read the content of the card (and decrypt it), those keys must be recovered first. There are two well-known applications for this: mfcuk and mfoc. A typical attack scenario is to use mfcuk to recover the first key of the card (which may take quite some time), then feed that key to mfoc, which uses the nested authentication attack to recover the keys of the remaining sectors.

Features of the TRF7970A reader firmware:

  • Demonstrates authentication of MIFARE Classic tags
  • Allows users to easily change the MIFARE Classic keys used for authentication
  • Developed on an easy-to-use and widely available reference platform, the TRF7970AEVM



How we copied key fobs and found vulnerabilities in keycards:

In this post you'll learn:

  • How many RFID cards exist
  • The best ways to copy your office 125 kHz access cards with step-by-step instructions in LESS than 1 minute (including the tools you need)
  • Another step-by-step guide on how the more advanced 13.56 MHz cards can be copied (and, of course, which equipment you need)

Basically that means you’ll learn how to clone cards (NFC or RFID) at your office desk!

How Many RFID Cards Are Out There: The Threat

Skip this part if you’re looking for instructions on how to clone or copy cards.

IDTechEx found that in 2015 the total RFID market was worth $10.1 billion, up from $9.5 billion in 2014 and $8.8 billion in 2013.

This market sizing includes all the tags, readers and software designed for RFID cards, in all form factors. IDTechEx estimates that the market will rise to $13.2 billion by 2020. Security has been overhauled by modern advances in technology: we have gone from simple padlocks and keys to RFID-enabled cards and fobs that are presented to a reader, which in turn triggers an electric lock to open the door. While the technology is amazing, we have to keep evolving if we want to stay on top of threats.

Any new piece of technology also hands those with bad intentions, and the ability and knowledge to use it, an opportunity to exploit it for their own gain. A good example of this was RFID tags in 2013. By then, RFID technology had spread like wildfire from tech companies to hospitals, mostly in the form of 125 kHz cards. Most of those were EM4100-protocol cards (a type of 125 kHz card): a CMOS IC that stores a fixed identifier for the tag or fob. Since these ICs have no encryption or authentication, they broadcast their identifier as soon as a reader powers them.
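To make concrete what "no encryption or authentication" means here, the following Python is an added example (not from Kisi or from any tool mentioned on this page) that encodes and decodes the 64-bit frame an EM4100 tag repeats for as long as it is powered. The version code and serial numbers are constructed; the frame layout (9 header ones, ten rows of 4 data bits each followed by an even parity bit, four column parity bits, one stop bit) is the standard EM4100 format. Everything a copier needs is in the frame itself:

```python
"""EM4100 125 kHz tag frame encoder/decoder.

Added example for this page, not Kisi's code. An EM4100 tag has no key: once powered
it repeats one fixed 64-bit frame (9 header ones, ten 4-bit rows each with an even
parity bit, four column parity bits, a stop bit). Cloning is capturing those 64 bits
and writing them to a blank. All IDs used here are constructed."""
from typing import List, Optional, Tuple

HEADER = [1] * 9  # nine consecutive ones cannot occur anywhere else in a valid frame


def em4100_encode(version: int, serial: int) -> List[int]:
    """Return the 64-bit frame for an 8-bit version/customer code and a 32-bit serial."""
    if not (0 <= version <= 0xFF and 0 <= serial <= 0xFFFFFFFF):
        raise ValueError("version must be 8 bits, serial 32 bits")
    data40 = (version << 32) | serial
    nibbles = [(data40 >> (36 - 4 * i)) & 0xF for i in range(10)]  # MSB nibble first
    bits = list(HEADER)
    for n in nibbles:
        row = [(n >> 3) & 1, (n >> 2) & 1, (n >> 1) & 1, n & 1]
        bits += row + [sum(row) & 1]  # even parity over the row
    for col in range(4):  # even parity down each column of the ten rows
        bits.append(sum((n >> (3 - col)) & 1 for n in nibbles) & 1)
    bits.append(0)  # stop bit
    return bits


def em4100_decode(bits: List[int]) -> Tuple[int, int]:
    """Parse one 64-bit frame into (version, serial); raise ValueError on any
    framing or parity error."""
    if len(bits) != 64 or bits[:9] != HEADER or bits[63] != 0:
        raise ValueError("bad header or stop bit")
    nibbles = []
    for r in range(10):
        row = bits[9 + 5 * r: 14 + 5 * r]
        if sum(row) & 1:
            raise ValueError(f"row {r} parity error")
        nibbles.append(row[0] << 3 | row[1] << 2 | row[2] << 1 | row[3])
    for col in range(4):
        if bits[59 + col] != sum((n >> (3 - col)) & 1 for n in nibbles) & 1:
            raise ValueError(f"column {col} parity error")
    data40 = 0
    for n in nibbles:
        data40 = (data40 << 4) | n
    return data40 >> 32, data40 & 0xFFFFFFFF


def find_frame(stream: List[int]) -> Optional[Tuple[int, Tuple[int, int]]]:
    """Slide over a raw demodulated bit capture (the tag sends frames back to back)
    and return (offset, (version, serial)) of the first window that decodes cleanly."""
    for i in range(len(stream) - 63):
        if stream[i:i + 9] == HEADER:
            try:
                return i, em4100_decode(stream[i:i + 64])
            except ValueError:
                continue
    return None


def clone_frame(captured: List[int]) -> List[int]:
    """What a copier does: validate the captured frame and hand back the exact bits
    to program into the blank. No secret is involved; the frame IS the credential."""
    version, serial = em4100_decode(captured)
    return em4100_encode(version, serial)
```

A handheld copier does exactly what `clone_frame` does: capture 64 bits, check the parities and program the same bits into a blank tag. There is no key to recover and no challenge to answer, which is why the 125 kHz copier described further down works in seconds.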


I get it—these cards are out there, how can they be copied?

Previous posts on our blog explore how HID cards can be hacked and how the Wiegand protocol, used by HID readers, can be copied. This post doesn’t go into as much technical depth but, rather, should be a fast and easy way for you to understand the card copying component.

How to copy 125 kHz cards—the old way:

A reader like the one seen here can easily copy the ID of an existing 125 kHz EM4100 (or similar protocol) chip onto another card or fob. One of the first people to attack this standard publicly, in 2013, was Francis Brown, managing partner at the security firm Bishop Fox. Brown set out to deliberately test the security of the standard and developed an Arduino-powered reader/writer that could copy existing 125 kHz tags and fobs.

It's now been five years since Brown developed his tool to hack these systems, and plenty of companies have switched to a more secure, higher-frequency standard; however, many businesses have not updated and still use 125 kHz EM4100 cards and fobs, which leaves them very vulnerable to this attack.

How to copy 125 kHz cards with an RFID copier—it's as easy as printing an email!

The “Handheld RFID Writer” (buy one here for as little as $11) works like this:

  • Turn on the device, hold a compatible EM4100 card or fob against the side facing the hand grip and press the “Read” button.
  • The device beeps if the read succeeds. Replace the original with a blank, writable tag (the blanks sold for these copiers are typically T5577- or EM4305-based chips that emulate an EM4100) and press “Write”.
  • The ID stored on the original tag or fob is now copied onto the new one.

Done!

That’s how easy it is to copy or clone an access card or key fob.

How to copy HID cards and get them on your phone

People ask questions like: “How can a mobile’s NFC be used as an HID proximity card (used at the doors of a corporate office)?“ and “Is the iPhone 6’s NFC transmitter capable of being used as a contactless card reader?” and so on.

In the following segment, we’ll focus on 13.56 MHz cards, which are a bit more advanced to copy. (HID’s own iCLASS credentials operate at 13.56 MHz; the walkthrough below uses the MIFARE Classic 1K, which runs at the same frequency, while HID Prox cards are 125 kHz and are handled by the copier above.)

Why are these cards more difficult to copy?

The higher carrier frequency allows a much higher data rate than 125 kHz, which is what makes it practical for the card to run a challenge-response authentication with the reader instead of simply broadcasting a fixed ID. Such a card still answers any reader with its public identifiers (its UID and card type), but the contents of its memory sectors are only released after the reader has authenticated with the right key.

Ok, I get it—they're difficult to copy, but how do we copy them?

To read a memory sector you have to authenticate to it with the right key; otherwise the card refuses the read. Even though these cards are a lot more secure than a 125 kHz tag, the Crypto-1 cipher that MIFARE Classic uses has been broken (see the second half of this page), so the sector keys can be recovered from the card and its contents read. With that, people can clone these cards relatively easily, too.

Since most Android smartphones have NFC, reading these cards and, in certain cases, cloning them is easy.

—(If you don’t want to order equipment on Ebay, skip over this part and learn how to copy the card using a smartphone and an app)—

  1. Prepare to copy your HID cards—the tools you need: To get started, we need a cheap component from Ebay, where it is sold as an “NFC reader.” You can also check the NFC readers on Alibaba if you need higher volumes. I got my NFC reader/writer on NewEgg, which lists it as an “NFC ACR122U RFID” reader/writer tool. It runs on Windows, Mac, and most Linux systems.
  2. Once you have the reader, install its drivers on the computer that will run the software (the guide linked here uses Windows). Following that guide, you can clone MIFARE Classic 1K cards. Here’s the BlackHat guide.

Hold on! I hope you didn’t order the NFC reader yet, because if you have an Android you can also do it with your phone!

Cloning Mifare NFC cards with a mobile phone:

Here's the easiest way to copy HID cards:

Although the BlackHat guide works well, it can be a bit frustrating to use, since you have to get some components together and hack away at a guide for an hour or two to see some results.

The easiest way to clone MIFARE Classic 1K cards is with an NFC-capable Android smartphone. That’s right, your phone can be used to compromise the security of a company that uses these cards. Just download the “Mifare Classic Tool” (MCT) for Android. Pro tip: it took me a while to figure out why it didn’t work, but of course you need to turn on NFC. Go to your settings, search for NFC and make sure it is enabled. Now we can start cloning cards whose default sector keys have never been changed.

How the app is used to copy the card:

The app ships with the default keys set by the card manufacturers (the so-called transport keys), and you would not believe how many deployments never change them. Tim Theeuwes has a great guide on how to clone NFC cards using your NFC-enabled smartphone. The following images are from his guide, which can be found here.

Clone NFC via an app:

Once we have read the card or fob we want, we can store all of its information in a dump file. We can then write that information back onto an empty card, essentially cloning the original. Figure 5 below shows the “Write Sector” portion of the app, in which you can write individual sectors or all of them. The important sector to keep in mind is sector 0: its first block contains the UID and manufacturer data. On a genuine MIFARE Classic card that block is written once at the factory and is read-only, so a full clone (including the UID, which many access systems check) requires a so-called “magic” blank whose block 0 is writable; on an ordinary blank only the data sectors can be copied.
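Before writing anything back, a practitioner will want to inspect the dump the app produced. The following Python is an added example (not Kisi's code and not part of Mifare Classic Tool) that audits a 1K dump in the plain 1024-byte layout MCT and mfoc write: it checks the manufacturer block's UID checksum, flags sectors still protected by well-known default keys, decodes each sector's access bits and refuses trailers whose redundant copies disagree (writing such a trailer permanently locks the sector). The sample image, its UID and its keys are constructed:

```python
"""Audit a MIFARE Classic 1K dump for default keys, a sane manufacturer block and
consistent access bits.

Added example for this page, not Kisi's or Mifare Classic Tool's code. The dump is the
plain 1024-byte image MCT and mfoc write: 16 sectors x 4 blocks x 16 bytes, the last
block of each sector being the trailer (key A | access bits | GPB | key B). The sample
dump, UID and keys below are constructed."""
from typing import Dict, List, Tuple

# Transport and well-known default keys (a subset of MCT's std.keys).
DEFAULT_KEYS = {bytes.fromhex(k) for k in (
    "FFFFFFFFFFFF",  # factory transport key
    "000000000000",
    "A0A1A2A3A4A5",  # MIFARE Application Directory key A
    "B0B1B2B3B4B5",
    "D3F7D3F7D3F7",  # NFC Forum NDEF key
    "AABBCCDDEEFF",
    "4D3A99C351DD",
    "1A982C7E459A",
)}

# (C1, C2, C3) -> permissions of a data block (read / write / increment / decrement).
DATA_ACCESS = {
    (0, 0, 0): "read A|B, write A|B, inc A|B, dec A|B (transport)",
    (0, 1, 0): "read A|B, no write, no inc, no dec",
    (1, 0, 0): "read A|B, write B, no inc, no dec",
    (1, 1, 0): "read A|B, write B, inc B, dec A|B (value block)",
    (0, 0, 1): "read A|B, no write, no inc, dec A|B (value block)",
    (0, 1, 1): "read B, write B, no inc, no dec",
    (1, 0, 1): "read B, no write, no inc, no dec",
    (1, 1, 1): "no access with either key",
}
# (C1, C2, C3) -> permissions of the trailer itself.
TRAILER_ACCESS = {
    (0, 0, 0): "key A writable by A; access bits read A; key B readable and writable by A",
    (0, 1, 0): "key A locked; access bits read A; key B readable by A, locked",
    (1, 0, 0): "key A writable by B; access bits read A|B; key B writable by B",
    (1, 1, 0): "key A locked; access bits read A|B; key B locked",
    (0, 0, 1): "key A writable by A; access bits read/write A; key B readable and writable by A (transport)",
    (0, 1, 1): "key A writable by B; access bits read A|B, write B; key B writable by B",
    (1, 0, 1): "key A locked; access bits read A|B, write B; key B locked",
    (1, 1, 1): "key A locked; access bits read A|B; key B locked",
}
KEY_B_READABLE = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}  # key B exposed by a key-A read: useless as a secret


def decode_access_bits(b6: int, b7: int, b8: int) -> List[Tuple[int, int, int]]:
    """Return (C1, C2, C3) for blocks 0..3 of a sector. Each C nibble is stored twice,
    once inverted; a mismatch means a corrupt trailer, which locks the sector for good."""
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    inv6, inv7 = b6 ^ 0xFF, b7 ^ 0xFF
    if (inv6 & 0xF, inv6 >> 4, inv7 & 0xF) != (c1, c2, c3):
        raise ValueError("inconsistent access bits %02X %02X %02X" % (b6, b7, b8))
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def check_manufacturer_block(block0: bytes) -> Dict[str, object]:
    """Block 0 of a 4-byte-UID card: UID[4] BCC SAK ATQA[2] manufacturer[8];
    BCC is the XOR of the four UID bytes."""
    uid, bcc, sak, atqa = block0[:4], block0[4], block0[5], block0[6:8]
    return {"uid": uid.hex().upper(), "bcc_ok": (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]) == bcc,
            "sak": sak, "atqa": atqa.hex().upper()}


def audit_dump(dump: bytes) -> Dict[str, object]:
    """Walk all 16 sectors and report default keys, readable key B and broken trailers."""
    if len(dump) != 1024:
        raise ValueError("expected a 1024-byte MIFARE Classic 1K image")
    report = {"manufacturer": check_manufacturer_block(dump[:16]), "sectors": []}
    for s in range(16):
        trailer = dump[s * 64 + 48: s * 64 + 64]
        key_a, acc, key_b = trailer[:6], trailer[6:9], trailer[10:16]
        entry = {"sector": s, "key_a_default": key_a in DEFAULT_KEYS,
                 "key_b_default": key_b in DEFAULT_KEYS}
        try:
            bits = decode_access_bits(acc[0], acc[1], acc[2])
            entry["data_access"] = [DATA_ACCESS[b] for b in bits[:3]]
            entry["trailer_access"] = TRAILER_ACCESS[bits[3]]
            entry["key_b_readable"] = bits[3] in KEY_B_READABLE
        except ValueError as exc:
            entry["error"] = str(exc)
        report["sectors"].append(entry)
    return report


def build_sample_dump() -> bytes:
    """Constructed 1K image: factory sectors, one re-keyed and locked-down sector (5),
    one sector with a corrupt trailer (9)."""
    uid = bytes.fromhex("04A23F1C")
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    block0 = uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8)  # SAK 08 = Classic 1K
    transport = bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")
    sectors = []
    for s in range(16):
        data = (block0 if s == 0 else bytes(16)) + bytes(32)
        trailer = transport
        if s == 5:  # custom keys; data blocks read A|B / write B; trailer writable by B only
            trailer = bytes.fromhex("0102030405A1" "78778869" "0B0C0D0E0F10")
        if s == 9:  # C2 nibble (0x1) disagrees with its inverted copy (0x0): bricked sector
            trailer = bytes.fromhex("FFFFFFFFFFFF" "FF078169" "FFFFFFFFFFFF")
        sectors.append(data + trailer)
    return b"".join(sectors)
```

Running `audit_dump(build_sample_dump())` reports 15 of 16 sectors on the transport key, sector 5 re-keyed with key B kept secret, and sector 9 with a corrupt trailer. Note also that in transport configuration key B is readable with key A, so a "secret" key B adds nothing until the access bits are changed as well.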

The Kisi Reader Pro uses MIFARE DESFire EV1 2K NFC cards, which are among the more secure NFC cards available today: unlike MIFARE Classic, DESFire authenticates with standard ciphers (3DES or AES-128) rather than the proprietary Crypto-1 discussed later on this page, and the EV1 generation adds further hardening over the original DESFire.

If you want to know how we at Kisi use mobile credentials and 128-bit AES-encrypted NFC cards, check this overview of our mobile access control system or get in touch with us. If you are more interested in how access systems work, then download our free PDF guide.


Last month, the Dutch government issued a warning about the security of access keys based on the ubiquitous MiFare Classic RFID chip. The warning comes on the heels of an ingenious hack, spearheaded by Henryk Plotz, a German researcher, and Karsten Nohl, a doctoral candidate in computer science at the University of Virginia, that demonstrated a way to crack the encryption on the chip.

Millions upon millions of MiFare Classic chips are used worldwide in contexts such as payment cards for public transportation networks throughout Asia, Europe and the U.S. and in building-access passes.


The Dutch report asserts that systems employing MiFare will likely be secure for another two years, since hacking the chip seems to be an involved and expensive process. But in a recent paper by Nohl, titled 'Cryptanalysis of Crypto-1,' he presents an attack that recovers secret keys in mere minutes on an average desktop PC.

In December, Nohl and Plotz gave a presentation on MiFare's security vulnerabilities at the 24th Chaos Communication Congress (24C3), the annual four-day conference organized by Germany's notorious hacking collective, the Chaos Computer Club (CCC). Thousands of hackers from far-flung locales converged on Berlin between Christmas and New Year's for a raft of talks and project demonstrations.

In their popular talk at 24C3, punctuated by bursts of raucous applause, Nohl presented an overview of radio frequency identification security vulnerabilities and the process of hacking the MiFare chip's means of encryption, known as the Crypto-1 cipher. 'This is the first public announcement that the Crypto-1 cipher on the MiFare tag is known,' said Nohl in December at the 24C3 talk. 'We will give out further details next year.'

Get out the microscopes

To hack the chip, Nohl and Plotz reverse-engineered the cryptography on the MiFare chip through a painstaking process. They examined the actual MiFare Classic chip in exacting detail using a microscope and the open-source OpenPCD RFID reader and snapped several in-depth photographs of the chip's architecture. The chip is tiny -- about a 1-millimeter-square shred of silicon -- and is composed of several layers.


The researchers sliced off the minuscule layers of the chip and took photos of each layer. There are thousands of tiny blocks on the chip -- about 10,000 in all -- each encoding something such as an AND gate or an OR gate or a flip-flop.

Analyzing all of the blocks on the chip would have taken forever, but there was a shortcut. 'We couldn't actually look at all 10,000 of these small building blocks, so we wanted to categorize them a bit before we started analyzing,' said Nohl at 24C3. 'We observed that there aren't actually 10,000 different ones. They're all taken from a library of cells. There are only about 70 different types of gates; we ended up writing MATLAB scripts that once we select one instance of a gate finds all the other ones.'

To find the cryptographically important regions of the chip, Nohl and Plotz scanned for clues in the blocks: long strings of flip-flops that would implement the register important to the cipher, XOR gates that are virtually never used in control logic, and blocks on the edge of the chip that were sparsely connected to the rest of the chip, but strongly connected to each other.

They then reconstructed the circuit using their data, and from the reconstruction, they read the functionality. It was a painful process, but once it was done, the researchers had decoded the security on the chip, unveiling several vulnerabilities. Among the security risks they uncovered was a 16-bit random number generator that was easy to manipulate: its output depends only on the time elapsed since the tag was powered up, so a reader that controls the timing controls the 'random' number. It was so easy, in fact, that they were able to coax the generator into producing the same 'random' number in every transaction, effectively crippling the security.
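The following Python is an added example (not the researchers' code) that models that nonce generator. The tag's 32-bit nonce is produced by a 16-bit LFSR clocked at the bit rate from power-up; the feedback taps used here are those of the real chip as published since this work, and the byte and bit ordering follows the convention of the crapto1 library. The nonce values are constructed. It shows why only 65535 distinct 'random' nonces exist, how a genuine nonce can be recognised, how far apart in time two nonces are, and how the authentication answers follow from the nonce:

```python
"""MIFARE Classic tag nonce generator (the '16-bit random number generator').

Added example for this page, not Nohl/Plotz's code. The tag's 32-bit nonce nT is the
output of a 16-bit LFSR clocked at the bit rate from power-up; the feedback taps (state
bits 0, 2, 3 and 5, oldest bit first) are those of the real chip as published since this
research. Only 65535 distinct nonces exist, each fully determined by its first 16 bits.
Nonce values used here are constructed.

Convention (as in the crapto1 library): nT is the 4 transmitted bytes read as a
big-endian integer; inside the LFSR the bits are taken LSB-first per byte (ISO 14443A
bit order), oldest bit at position 0."""
from typing import Optional, Tuple


def _swap(x: int) -> int:
    """Reverse byte order of a 32-bit word (transmitted order <-> LFSR order)."""
    return int.from_bytes(x.to_bytes(4, "big"), "little")


def _clock(x: int, n: int) -> int:
    """Clock the LFSR n times on a 32-bit window in LFSR order: the 16-bit state is the
    upper half (bits 16..31), the new bit enters at bit 31 and the oldest bit falls off."""
    for _ in range(n):
        fb = ((x >> 16) ^ (x >> 18) ^ (x >> 19) ^ (x >> 21)) & 1  # x0 ^ x2 ^ x3 ^ x5
        x = (x >> 1) | (fb << 31)
    return x


def prng_successor(nt: int, n: int) -> int:
    """suc^n(nT): the nonce the tag would emit n bit-times later."""
    return _swap(_clock(_swap(nt), n))


def nonce_from_seed(seed16: int) -> int:
    """The 32-bit nonce emitted when the LFSR state equals seed16: the state itself is
    the first 16 output bits and 16 further clocks produce the rest."""
    return _swap(_clock((seed16 & 0xFFFF) << 16, 16))


def is_valid_nonce(nt: int) -> bool:
    """True if nt is one of the 2^16 - 1 nonces this generator can produce, i.e. its
    second half is the LFSR continuation of its first half. Original Classic chips
    always pass; later hardened variants with a proper generator fail."""
    return nonce_from_seed(_swap(nt) & 0xFFFF) == nt


def nonce_distance(from_nt: int, to_nt: int) -> Optional[int]:
    """LFSR clocks separating two nonces, or None if to_nt is unreachable. This is how
    the nested-authentication attack turns elapsed time into a tiny nonce search."""
    x = from_nt
    for n in range(65536):
        if x == to_nt:
            return n
        x = prng_successor(x, 1)
    return None


def auth_answers(nt: int) -> Tuple[int, int]:
    """Mutual authentication answers: the reader sends aR = suc^64(nT), the tag replies
    aT = suc^96(nT). Both are public functions of nT, so whoever predicts nT predicts them."""
    return prng_successor(nt, 64), prng_successor(nt, 96)


def lfsr_period(nt: int) -> int:
    """Clocks until the generator returns to nt: 65535 for any non-zero state."""
    x, n = prng_successor(nt, 1), 1
    while x != nt:
        x, n = prng_successor(x, 1), n + 1
    return n
```

`is_valid_nonce` is the check tools use to tell an original Classic chip, which always passes, from later hardened variants; `nonce_distance` is what the nested-authentication attack uses to guess an encrypted nonce from the time elapsed since the previous one. With 65535 possible values and a state that only depends on timing, an attacker who controls the timing simply sees the same nonce again and again.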

Simpler from here on out

A potential attacker wouldn't have to go through all of the steps that Nohl and Plotz had to undertake to hack the RFID chip. A diagram of the Crypto-1 cipher, published in Nohl's recent paper, shows that the heart of the cipher is a 48-bit linear feedback shift register and a filter function. To find bits of the key, an attacker posing as a tag would send chosen challenges to the reader and analyze the first bits of keystream the reader sends back.


Though there are some tricks to generating these challenges, it is not a computationally expensive procedure. 'The number of challenges needed to recover key bits with high probability varies for different bits, but generally does not exceed a few dozen,' writes Nohl in the paper.

At 24C3, Nohl warned against the increasing ubiquity of RFID tags. 'We need some level of authentication, some security that has yet to be added to many of these applications,' he said. He pointed to the increasing use of RFID tags in public transit systems, car keys, passports, and even World Cup tickets -- and the potentially worrying privacy implications of large-scale RFID tagging of products by big retailers such as Wal-Mart Stores Inc.


The gist? If you rely on MiFare Classic security for anything, you may want to start moving to a different system.