5

Recently RFID cards in the 13.56 MHz band caught my eye. What is the step-by-step approach to hack RFID cards? I have a rough idea, but there are still quite a few doubts.

  1. Identify the type of the card, e.g. Mifare Classic.

     Questions:
     How do you identify the type of card accurately?
     I was told that using our phone's NFC is not 100% accurate. Is that true?

  2. Get a 13.56 MHz USB RFID card reader.

     Question:
     Is there any cheap and good RFID card reader? There are quite a few types on eBay.

  3. Use some program to crack the encryption key.

     Question:
     What program? The program won't work with all readers, right?

  4. Once you have obtained the encryption key, some Android phones with an NXP NFC chip are able to read/write the card.
ysj

2 Answers

4

To identify a card, you power it using a carrier wave on its frequency and wait for answers. If there is no answer, you switch to a different frequency and protocol and so on until you get communication from the card (you may need to use multiple readers as different frequencies require different readers). Using your phone is accurate, I mean, if the phone can talk to the card then at the very least the card is using a frequency and protocol that's supported by the phone's reader.

Now, let's assume you positively identified a Mifare Classic card and you need a reader to attack it. Any LibNFC-supported reader should work, but I suggest you look for NXP PN53x-based readers; they are pretty cheap (Chinese, and I'm not sure the NXP chip is genuine, but they do work) and work perfectly with LibNFC and all applications that use LibNFC to talk to readers.

For software, you first use mfcuk to get at least one key, then you pass that key to mfoc, which uses a different (and faster) attack that requires the knowledge of at least one key (you can also try default keys if the people who manage the card system you're attacking were really idiots). This software uses LibNFC to talk to the card and is thus compatible with any reader supported by LibNFC.

Yes, once you have the key, any device can read and write to the sectors protected by that key. Note that there can be 2 different keys per sector, and each sector has some ACL bytes that describe the permissions for each key.

Note that Android devices with NXP chips can directly crack Mifare Classic cards using NFC-War.

André Borie
  • Thanks! NFC-War still requires you to get the encryption key in order to work, right? Unless the card comes with the list of keys built in? Am I right to say that? – ysj Sep 22 '15 at 05:23
  • @ysj NFC War implements some sort of attack. If it's the mfcuk-style attack then you don't need any key; if it's the mfoc-style attack then you'd need at least one key. – André Borie Sep 22 '15 at 12:13
  • This only works for Mifare Classic, and those tags are not recommended anymore compared to Ultralight C or DESFire ones. – xryl669 Oct 04 '19 at 09:27
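To make the "ACL bytes" from the answer above concrete, here is an added example (not code from the answer or from mfoc/mfcuk/LibNFC) that decodes the access bits of a Mifare Classic sector trailer as laid out in the NXP MF1S50 datasheet and flags settings a deployment review should catch, such as keys left at the transport default or a Key B that any holder of Key A can read. The sample trailer bytes and the finding texts are constructed for this example.

```python
# Mifare Classic sector-trailer access conditions keyed by (C1, C2, C3), from
# the MF1S50 datasheet: (read A, write A, read ACL, write ACL, read B, write B).
TRAILER_RULES = {
    (0, 0, 0): ("never", "A", "A", "never", "A", "A"),
    (0, 1, 0): ("never", "never", "A", "never", "A", "never"),
    (1, 0, 0): ("never", "B", "A|B", "never", "never", "B"),
    (1, 1, 0): ("never", "never", "A|B", "never", "never", "never"),
    (0, 0, 1): ("never", "A", "A", "A", "A", "A"),  # transport configuration
    (0, 1, 1): ("never", "B", "A|B", "B", "never", "never"),
    (1, 0, 1): ("never", "never", "A|B", "B", "never", "never"),
    (1, 1, 1): ("never", "never", "A|B", "never", "never", "never"),
}

def decode_access_bits(trailer: bytes) -> list:
    """Return (C1, C2, C3) for blocks 0..3 from a 16-byte sector trailer.
    Bytes 6..8 store every bit twice (once inverted); a mismatch means the
    trailer is corrupt, and writing one like that locks the sector for good."""
    if len(trailer) != 16:
        raise ValueError("sector trailer must be 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    conds = []
    for i in range(4):
        c1, c2, c3 = (b7 >> (4 + i)) & 1, (b8 >> i) & 1, (b8 >> (4 + i)) & 1
        inv = ((b6 >> i) & 1, (b6 >> (4 + i)) & 1, (b7 >> i) & 1)
        if (c1, c2, c3) != tuple(1 - x for x in inv):
            raise ValueError(f"inconsistent access bits for block {i}")
        conds.append((c1, c2, c3))
    return conds

def audit_trailer(trailer: bytes) -> list:
    """Flag weak sector settings; assumes the dump has the recovered keys filled in."""
    findings = []
    conds = decode_access_bits(trailer)
    for name, key in (("Key A", trailer[0:6]), ("Key B", trailer[10:16])):
        if key == b"\xff" * 6:
            findings.append(f"{name} is still the factory transport key")
    t = TRAILER_RULES[conds[3]]
    if t[4] != "never":
        findings.append("Key B is readable with Key A, so it adds no protection")
    if t[3] == "A":  # Key A is the one handed to readers, so it must not set ACLs
        findings.append("access bits can be rewritten with Key A")
    # Data blocks with C1C2C3 == 000 allow read/write/inc/dec with either key.
    for i in range(3):
        if conds[i] == (0, 0, 0):
            findings.append(f"block {i} is fully writable with either key")
    return findings

# Constructed sample: a sector trailer still in factory transport configuration.
TRANSPORT_TRAILER = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
```

Run `audit_trailer` over each sector trailer of a dump to see at a glance which sectors a card issuer never locked down.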
2

There is no single answer to your question on a "step by step approach" to hack RFID cards. As is the case with a lot of things, IT DEPENDS!! It depends, for example, on the type of RFID tag/card it is. Mifare Classic, which you mentioned above, is just one type produced by NXP Semiconductors. For more details on Mifare Classic, have a look at the data sheet here: http://www.nxp.com/documents/data_sheet/MF1S50YYX.pdf. Mifare Classic was successfully hacked in 2008; the cipher used by the Mifare Classic, known as "Crypto1", was specifically attacked. Have a look at the published paper here for more information: http://www.researchgate.net/profile/Nicolas_Courtois/publication/220334848_Algebraic_Attacks_on_the_Crypto-1_Stream_Cipher_in_MiFare_Classic_and_Oyster_Cards/links/0046352b6e998b38d2000000.pdf. On how to identify the type of card: different types of cards have different characteristics, such as the memory organization. However, the easiest way to do it is using apps such as NFC TagInfo from Android's Play Store.

In terms of readers, I think the eBay ones are your cheapest options.

On cracking the encryption keys of Mifare Classic, you can do it on Kali Linux. Basically you need to dump the contents of the card and do the cracking offline, therefore any working NFC reader would do.

Hope this helps.