
MIFARE: Can I read the data easily?


Alexis

Apr 8, 2007, 7:47:35 AM
Hi guys,

We have a cashless payment system at work for buying food and snacks,
and this has recently been upgraded to use a MIFARE card. Being the
hacker that I am, I'm interested in what information it's possible for
me, a humble employee, to retrieve off my own MIFARE card.

I'm guessing that it's either a MIFARE Classic chip or a MIFARE
UltraLight chip, but I'm not sure which - is it possible to tell without
a MIFARE reader? (I'm happy to buy one, but obviously I'd like some
idea of the feasibility of getting data off the chip before I spend my
hard-earned).

If it is a MIFARE Standard chip, I presume that access will be
restricted, using these keys A and B, which I will not have any way of
finding out. Is this restriction to prevent writing to the card, or
reading from it (or both?)

If I need the key, (and I realise I'm getting into morally dodgy ground
here), is it possible to discover it by brute-force? Being as I have
unlimited access to my own MIFARE card, this wouldn't be a problem.

To give you an idea of what I'd like to achieve, I'm assuming (hoping)
that the MIFARE card will have our employee serial number embedded in
it, as this seems the most logical way of keeping track of the money in
our account. If I could get hold of this data, I could have a little
reader by my PC that would read anyone's card placed on it, and bring up
their e-mail address, instant messaging id, and so on. Just as a cool
toy :D

The manufacturer of the MIFARE readers that are used when we purchase
items has a small amount of detail about the cards they use here:
http://www.countersolutions.co.uk/products/card_mif.php

Any advice appreciated!

A.

Pug

Apr 14, 2007, 7:56:09 PM
You could try brute force but as each of the 2 keys per sector is 6 bytes
long (16777216 different combinations) for each of the 16 sectors (or 40 if
it's a 4kbyte card) you'll be a very long time trying to brute force it. If
they have encrypted their system so that each key is individual to each card,
i.e. it is generated from the UID number + sector, and you managed to crack
your card, the same codes would not work on anyone else's.

So for instance if you validated 100 keys per second it would take 46 hours to
crack one code for a single sector. If you could reader capable of doing 100
validations with failures. Some readers are preprogrammed to wait or retry a
few times; the SCM SDI010 reader can take nearly 0.5 seconds after a failed
key validation to allow another try, so about 233 hours per key on that
reader.

If my hunch is correct about the unique key system then I'd say at the 100
validations per second it would take 1472 hours to get all the keys per
1kbyte card and 3680 hours on a 4kbyte.

They will almost likely have set the security configuration of each sector
so that you must verify key A so that you cannot even read a sector plus you
don't know which sector the data is in. Good luck.

The difficulty in cracking a mifare is exactly why they're using it.

"Alexis" <sno...@alexSiPsAbMirkill.com> wrote in message
news:rD4Sh.29356$1H6....@fe01.news.easynews.com...

Ulf Leichsenring

Apr 15, 2007, 9:30:55 AM
> They will almost likely have set the security configuration of each sector
> so that you must verify key A so that you cannot even read a sector plus you
> don't know which sector the data is in. Good luck.

Maybe you can see which sectors they are using, if they are using the
MAD Standard (Mifare application directory) in sector 0 on the cards.
And many of the Mifare applications I've seen so far are using the same
Mifare keys for all the sectors they are using (if they are using more
than one). So if the payment application is using e.g. 4 sectors you
have a good chance that the keys are the same for all 4 sectors.

--
Ulf Leichsenring
u...@leichsenring.net
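To illustrate the point about the MAD above, here is an added example (mine, not code from anyone in this thread) that decodes blocks 1 and 2 of sector 0 on a MIFARE Classic 1K into its sector-to-AID table and verifies the directory CRC before trusting it. The CRC polynomial and preset are the MAD v1 values as I know them from NXP's AN10787 (treat them as an assumption), and the dump, the info byte and the AID 0x7A01 are constructed, not registered values.

```python
MAD_CRC_POLY = 0x1D  # x^8 + x^4 + x^3 + x^2 + 1
MAD_CRC_INIT = 0xC7  # CRC preset for MAD v1 (assumed from NXP AN10787)
FREE_SECTOR = 0x0000  # AID meaning "sector not allocated"

def mad_crc8(data: bytes) -> int:
    """CRC-8 over the info byte and the 30 AID bytes of sector 0."""
    crc = MAD_CRC_INIT
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ MAD_CRC_POLY) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

def build_mad_blocks(info: int, aids: dict) -> tuple:
    """Constructed sector-0 blocks 1 and 2 for a 1K card; aids maps sector 1..15 -> 16-bit AID."""
    body = bytearray([info])
    for sector in range(1, 16):
        aid = aids.get(sector, FREE_SECTOR)
        body += bytes([aid & 0xFF, aid >> 8])  # AIDs are stored little-endian
    body = bytes(body)  # info byte + 15 AIDs = 31 bytes
    block1 = bytes([mad_crc8(body)]) + body[:15]  # CRC, info, AIDs for sectors 1-7
    block2 = body[15:]  # AIDs for sectors 8-15
    return block1, block2

def parse_mad(block1: bytes, block2: bytes) -> dict:
    """Decode the directory and report whether its CRC matches the stored byte."""
    if len(block1) != 16 or len(block2) != 16:
        raise ValueError("MAD blocks must be 16 bytes each")
    body = block1[1:] + block2
    aids = {}
    for i in range(15):
        lo, hi = body[1 + 2 * i], body[2 + 2 * i]
        aids[i + 1] = (hi << 8) | lo  # high byte = function cluster, low byte = application code
    return {"crc_ok": mad_crc8(body) == block1[0], "info": body[0], "aids": aids}

def used_sectors(mad: dict) -> list:
    """Sectors whose AID is not the free marker; this is where an application keeps its data."""
    return sorted(s for s, aid in mad["aids"].items() if aid != FREE_SECTOR)

if __name__ == "__main__":
    # Constructed dump: one hypothetical application (AID 0x7A01) occupying sectors 1-4.
    b1, b2 = build_mad_blocks(0x01, {s: 0x7A01 for s in range(1, 5)})
    mad = parse_mad(b1, b2)
    print("CRC ok:", mad["crc_ok"], "used sectors:", used_sectors(mad))
```

The directory only tells you which sectors an application occupies; the sector contents are still behind that application's own keys.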

johann.d

Apr 16, 2007, 1:38:05 PM

"Pug" <n...@this.address> wrote in message
news:46216a0c$0$8712$ed26...@ptn-nntp-reader02.plus.net...

> You could try brute force but as each of the 2 keys per sector is 6 bytes
> long (16777216 different combinations) for each of the 16 sectors (or 40 if
> it's a 4kbyte card) you'll be a very long time trying to brute force it.

Ugh... 6 bytes is 2^48 = 281474976710656 combinations. At 100 tries per
second this is 89133 years. And yes 100 tries per second is impossible with
standard readers (and even I think that card's select + auth + read is
almost 15ms, so that's a hardware limit at 66 tries/sec).

--
johann.d


NFCKing

Apr 17, 2007, 1:35:58 PM
On Apr 16, 12:38 pm, "johann.d" <john....@waazaa.org.INVALID> wrote:
> "Pug" <n...@this.address> wrote in message news:46216a0c$0$8712$ed26...@ptn-nntp-reader02.plus.net...

Guys !!!

Has anyone used the Mifare DESFire card?
How's the security in that card?

Thanks,
Jay.

johann.d

Apr 17, 2007, 4:02:52 PM

"NFCKing" <jba...@gmail.com> wrote in message
news:1176831358.4...@y80g2000hsf.googlegroups.com...

> Guys !!!
>
> Has anyone used the Mifare DESFire card?
> How's the security in that card?

State of the art security, with the new version supporting AES. The current
version uses 3-DES (112 bits); this is AFAIK the best choice if looking for
a versatile, ready-to-use, and not that expensive contactless smartcard. But
IMHO security in the card is not as major a concern as security in the
reader / controller. Most of the time there's no need to try to break a
Desfire key (or a Mifare key) where reverse or social engineering on the
base station part lets you retrieve the key in a few minutes. So, if
considering Desfire, look for a reader with either secure key storage or a
SAM slot, or work on a "connected" system where cryptographic operations are
done out of the reader.

--
johann.d


NFCKing

Apr 18, 2007, 4:56:50 PM
On Apr 17, 3:02 pm, "johann.d" <john....@waazaa.org.INVALID> wrote:
> "NFCKing" <jbad...@gmail.com> wrote in message news:1176831358.4...@y80g2000hsf.googlegroups.com...

Ok, thanks much Johann.
Did you ever try to use that card? Using a Pegoda reader?

johann.d

Apr 19, 2007, 2:51:46 AM

"NFCKing" <jba...@gmail.com> wrote in message
news:1176929810.0...@y5g2000hsa.googlegroups.com...

> Ok, thanks much Johann.
> Did you ever try to use that card? Using a Pegoda reader?


Using one of my readers is easier in my case...
http://www.pro-active.fr/products/contactless.php


--
johann.d

