
The head of our IT department and Networking class in my college has given me and another student a challenge; he told us that if we could clone the NFC tags in our student IDs used to sign in on time, he would give one of us unlimited access to the colour printers for a year. His main motto that he always talks about, though, is encouraging students to learn through experimentation regardless of whether the students' ideas will work or not. He wants us to experience failure as well as success through our own attempts.

I'm a bit skeptical as to whether it will work because I've read forums online that say this is a futile attempt because no reputable academic institution or business would leave their NFC tags unprotected and completely vulnerable to complete cloning.

From scanning the card with my Android phone, I see that it uses a Mifare Classic 1k tag.

Does anyone have an idea how to replicate it? There are some cheap tags on eBay but I wonder if I should bother if it's not even possible to clone it.

grg
myopicflight
  • If you read @Hector's answer and source reference, you will notice `NXP is officially recommending to migrate away from MIFARE Classic based systems` – mootmoot Oct 06 '17 at 08:51
  • Totally unrelated: I'm surprised the ability to make *hard copy* (ick) is seen as a reward in this day and age, but I'm out of touch with modern campus realities. – Todd Wilcox Oct 06 '17 at 12:09
  • Only time I ever printed anything at University (2010-2014) was for paper submissions (still depressingly common) or for revision purposes (scribbling and circling all over the material I always found useful). That and free black and white printing came in useful for non-uni purposes like boarding passes... Still. Our department's go-to bribes were beer and pizza. – Hector Oct 06 '17 at 12:33
  • "...no reputable academic institution or business would leave their NFC tags unprotected and completely vulnerable to complete cloning." Anybody who writes something like that needs to go poke around the real world for a few hours. – Blrfl Oct 06 '17 at 14:49
  • We had a task in labs set by an eccentric lecturer to crack and try to clone our ID cards. You should be able to crack the crypto, since Mifare Classic is vulnerable to various attacks (my old uni used it too). Besides this, you'll probably also need to clone the ID (door locks often just check the ID), which might be a bit more involved - cards from reputable sources don't let you modify the ID. However, when I did the module a few years back, Chinese cards with modifiable ID fields had started to appear on the market. I don't know if these are now more common. – Muzer Oct 06 '17 at 15:48
  • @ToddWilcox we're talking about unlimited color posters for beer bashes and keg parties. – barbecue Oct 07 '17 at 17:03
  • If you have an Arduino lying around you could get a MIFARE read/write board. That should be able to clone MIFARE Classic cards. – Bloc97 Oct 07 '17 at 20:11
  • Look at a device called a Proxmark. It's probably (okay, is) overkill for this specific purpose, but it is pretty good at attacking most kinds of proximity cards. There are, of course, more open source and cheaper alternatives as well. – Kaz Wolfe Oct 08 '17 at 05:32
  • If I were you, I'd make sure to get some indication in writing that the head of IT has **authorized** you to try this. If you don't already, I would email them with something like: "We have made some progress researching your challenge. If you are still happy, we are ready to try a physical copy. If so, do you have a blank card we can use?" If you don't get an email back (e.g., only gets back to you in person) then tread very carefully... Otherwise have fun being *authorized* to break some things! Document everything carefully for when the sh*t hits the fan. – DarcyThomas Oct 08 '17 at 09:26
  • Can I point out that when your professor said they wanted you to learn through experimentation, their idea of experimentation probably wasn't "post it to SE and do what they told you" :P – Ben Millwood Oct 08 '17 at 12:29
  • http://tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf Awwwww yesssss.... But I suspect that if you manage to put together something showing such skills you'll get more than free printing.... – Caterpillaraoz Oct 09 '17 at 07:19
  • [Michael Roland](https://stackoverflow.com/users/2425802/michael-roland) must be happy! – vojta Oct 09 '17 at 10:52
  • Not sure whether it helps or whether you even want to try something in this direction, but the easiest way to get a duplicate card may be to indicate to the service desk that you need a replacement ;-) – Dennis Jaheruddin Oct 09 '17 at 11:31
  • Wants us to experience failure as well as success through our own attempts -- gets posted on stackexchange within the hour – Andreas Oct 09 '17 at 13:25
  • Researching on SE seems like an intelligent thing to do, and makes you more employable. Better than thrashing around, wasting time and resources. BTW, maybe the Head of IT is hoping you succeed, so he can go to the next budget meeting with a request for the more expensive, more secure NFC tags he has been after ;-) (But I agree with Darcy Thomas: first get some proof you've been authorized to try and hack...) – Darren Cook Oct 09 '17 at 19:27

4 Answers


Many NFC-enabled smartphones can write to these cards with an app like MifareClassicTool. However, I've found several phones seem to be able to do it when, in reality, trying to write to Sector-0 bricks the card. It may be worth testing one or two cards and, if it doesn't work, buying a dedicated USB writer.

First of all, a huge number of Mifare Classic systems only use the ID on the card. This is stored in Sector-0, which is theoretically read-only. Of course, plenty of online sources will happily sell you cards where this is writable. Writing to the cards themselves is trivial.

The encryption on the cards has also been broken and again can be trivially cracked on a smartphone, as seen on Wikipedia: Security of MIFARE Classic, MIFARE DESFire and MIFARE Ultralight. My university used the same cards. As did an Oracle facility I used to work at…

Hector
  • *"when in reality trying to write to Sector-0 bricks the card"* That sounds like a great denial of service attack on someone's wallet. – Luc Oct 06 '17 at 13:31
  • @Luc - Only works on cards with a writable Sector-0. I imagine there is a bug in the driver which hasn't been identified/fixed because it's not a legal action. How it ends up bricking the card altogether is beyond me. Might just leave it in a dodgy state that led my reading software to barf. – Hector Oct 06 '17 at 13:43
  • Ah, Oracle... stuck in the 20th century as always. – jpmc26 Oct 06 '17 at 23:04
  • @jpmc26: Securing Oracle access has been an issue since the [6th century BC](https://en.wikipedia.org/wiki/First_Sacred_War) ;) – MSalters Oct 09 '17 at 12:54

I have recently cloned a Mifare Classic tag. The scan you have there indicates there is no information stored on your tags, apart from in the first sector. This isn't readable by that app because it does not use the default key.

I suggest you first try it with Mifare Classic Tool, using the extended keys file. There are some common keys there, but your tag may use a different one.

If that doesn't work, you will need MFOC or MFCUK with a dedicated reader, or a modified version of Mifare Classic Tool (google it) with your phone to attack the card. It can take upwards of 8 hours with a dedicated (USB / UART / SPI etc. I use a Raspberry Pi with a reader connected by SPI) reader, and even longer with Mifare Classic Tool.

You can then use the above tools to make a dump of the tag, providing you obtain the key.

If there is only data stored in the top row of sector 0 (not including the bottom row), this means the readers only look at the ID of the card. If your phone is rooted, you can then use this app to emulate a card (the ID is the first 4 bytes of sector 0). I have not tested this personally as my phone is not rooted.

Almost all Mifare Classic tags do not allow you to write to sector 0 (where the unique ID is stored), so that the ID can be used for security purposes. However, you can buy some tags (on eBay for example) that do allow you to write to sector 0.

Some of them will let you write them with Mifare Classic Tool, but others won't. This is because they require a special unlock command that is blocked on phones. You will need a dedicated reader (PN532 chipset works well) to write to them and nfc-tools, which you will probably have to compile yourself, but there are guides on how to do this.

comp500
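Both of the answers above reduce the risk question to two checks a defender can run against a card image: are the sector trailers still holding widely published default keys, and is there any payload at all outside the manufacturer block (if not, the reader is trusting the UID alone, which is exactly the UID-only deployment both answers warn about). The Python below is an added example written for this page; it is not code from either answer, nor from Mifare Classic Tool, MFOC or nfc-tools. It audits a raw 1024-byte 1K image for both conditions. Assumptions: the 4-byte-UID layout of block 0 (UID, BCC = XOR of the UID bytes, SAK, ATQA, vendor data), the standard 16-sector / 4-block layout with the trailer in block 3 of each sector, and a key list limited to keys that are public knowledge (factory FF..FF, all zeros, the MAD key, the NDEF key). The sample images it builds are constructed in code, not read from any real card.

```python
from typing import Dict, List, Optional

BLOCK_SIZE = 16
BLOCKS_PER_SECTOR = 4
SECTORS_1K = 16
DUMP_SIZE_1K = BLOCK_SIZE * BLOCKS_PER_SECTOR * SECTORS_1K  # 1024 bytes

# Widely published MIFARE Classic keys. A trailer holding one of these means
# anyone with a reader can read (and usually write) that sector.
KNOWN_DEFAULT_KEYS: Dict[bytes, str] = {
    bytes.fromhex("ffffffffffff"): "factory default",
    bytes.fromhex("000000000000"): "all zeros",
    bytes.fromhex("a0a1a2a3a4a5"): "MAD key",
    bytes.fromhex("d3f7d3f7d3f7"): "NFC Forum NDEF key",
}

# Factory trailer: key A FF..FF, transport access bits FF 07 80 69, key B FF..FF.
FACTORY_TRAILER = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")


def split_blocks(dump: bytes) -> List[bytes]:
    """Cut a raw 1K image into its 64 sixteen-byte blocks."""
    if len(dump) != DUMP_SIZE_1K:
        raise ValueError(f"expected a {DUMP_SIZE_1K}-byte 1K dump, got {len(dump)} bytes")
    return [dump[i:i + BLOCK_SIZE] for i in range(0, DUMP_SIZE_1K, BLOCK_SIZE)]


def parse_block0(block0: bytes) -> Dict[str, object]:
    """Manufacturer block of a 4-byte-UID card: UID[0..3], BCC, SAK, ATQA, vendor data.
    BCC is the XOR of the four UID bytes; a mismatch means a corrupt or hand-edited image."""
    uid = block0[0:4]
    expected_bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    return {"uid": uid.hex(), "bcc_ok": block0[4] == expected_bcc,
            "sak": block0[5], "atqa": block0[6:8].hex()}


def describe_keys(key_a: bytes, key_b: bytes) -> List[str]:
    """Name any well-known key found in a sector trailer."""
    hits = []
    for label, key in (("key A", key_a), ("key B", key_b)):
        name = KNOWN_DEFAULT_KEYS.get(key)
        if name is None:
            continue
        if label == "key A" and key == bytes(6):
            # The card never returns key A on a read, so a zero key A in a dump
            # usually means the dumping tool did not record it, not that the
            # sector really uses an all-zero key.
            name = "all zeros (or key A not recorded by the dumper)"
        hits.append(f"{name} ({label})")
    return hits


def sector_has_data(blocks: List[bytes], sector: int) -> bool:
    """True if any data block in the sector is non-zero. Sector 0 skips the
    manufacturer block, since the UID is always present there."""
    base = sector * BLOCKS_PER_SECTOR
    first = 1 if sector == 0 else 0
    return any(any(blocks[base + b]) for b in range(first, BLOCKS_PER_SECTOR - 1))


def audit_dump(dump: bytes) -> Dict[str, object]:
    """Summarise how exposed the deployment behind this card image is."""
    blocks = split_blocks(dump)
    default_key_sectors: Dict[int, List[str]] = {}
    data_sectors: List[int] = []
    for sector in range(SECTORS_1K):
        trailer = blocks[sector * BLOCKS_PER_SECTOR + 3]
        hits = describe_keys(trailer[0:6], trailer[10:16])
        if hits:
            default_key_sectors[sector] = hits
        if sector_has_data(blocks, sector):
            data_sectors.append(sector)
    report = parse_block0(blocks[0])
    report["default_key_sectors"] = default_key_sectors
    report["data_sectors"] = data_sectors
    # No payload anywhere but the manufacturer block: the reader is almost
    # certainly keying on the UID alone, the situation both answers describe.
    report["uid_only_likely"] = not data_sectors
    return report


def build_sample_dump(uid: bytes, data: Optional[Dict[int, bytes]] = None,
                      trailer: bytes = FACTORY_TRAILER) -> bytes:
    """Constructed sample image (not a real card): given UID, optional data blocks
    keyed by absolute block number, and the same trailer in every sector."""
    data = data or {}
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    blocks = []
    for n in range(SECTORS_1K * BLOCKS_PER_SECTOR):
        if n == 0:
            blocks.append(uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8))  # SAK 08, ATQA 0004
        elif n % BLOCKS_PER_SECTOR == 3:
            blocks.append(trailer)
        else:
            blocks.append(data.get(n, bytes(BLOCK_SIZE)).ljust(BLOCK_SIZE, b"\x00"))
    return b"".join(blocks)


if __name__ == "__main__":
    # Case 1: factory keys everywhere and nothing stored beyond block 0.
    print(audit_dump(build_sample_dump(bytes.fromhex("deadbeef"))))
    # Case 2: site-specific keys and a record in sector 1 (block 4).
    custom = bytes.fromhex("0123456789ab" "ff078069" "ba9876543210")
    print(audit_dump(build_sample_dump(bytes.fromhex("04a1b2c3"), {4: b"student-0042"}, custom)))
```

To run it over a real image, read the file's bytes and pass them to `audit_dump`. Treat the UID-only verdict as a heuristic rather than proof: a sector the dumping tool could not open comes out as zeros, so a deployment that keeps its record behind a site-specific key can look UID-only in an incomplete dump. The default-key report, on the other hand, is exact for whatever keys the dump records.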

If it is Mifare Classic, that should really not be hard.

The general attack on Mifare's broken cryptosystem has been around since 2007. Have a look at this if you want: BlackHat Talk Slides

This is indeed most likely easily possible. There are plenty of tutorials about this. Just remember: if your ID/whatever is not stored in the data section but only in Block 0 (the card's ID), this is not writable on most of the cards. There are Chinese models (as far as I know) that allow writing to Block 0. If your college just uses the card's ID and does everything else internally (like on a DB basis), you will need such a card.

See also: "How To Crack Mifare Classic Cards"

Jamal
Ben

I've actually tried a similar thing at my old school, and after months of research, this is what I found:

  1. Write to sector 0 and hope for the best; maybe it's just the ID that's important.
  2. MFCUK: never got around to trying it myself, but if I recall correctly, it will use the security flaw of the Classic and figure out the key.
  3. Brute force: the Mifare Classic Tool has an extended version of the app that you'll have to download from GitHub, but let's face it, you're probably not going to have much luck with this option...
Giacomo1968
user452094