Smart cards and the use of near-field communications (NFC) is an increasingly popular tool for many things from wireless payment solutions to entry access and identification. One of the main players in this industry, NXP, designed the MIFARE Classic many years ago, and to date 260 Million readers and 10 billion card components have been sold in the MIFARE family of products[i]. What happens when something so widespread and embedded into a corporate or city infrastructure is revealed to have a custom cryptography algorithm and it’s predictable? After the initial panic, most companies realize that it’s not financially feasible to fix this security issue for years to come, if at all. They rely on the fact that the vulnerability costs more to implement, in time or money, than traditional attacks such as just breaking a window or paying a disgruntled employee for information.
Cost is usually the largest factor. For example, if moving from a MIFARE Classic card type to a MIFARE DESfire[ii] smart card, which uses well-vetted AES encryption, the card readers also have to be updated to support AES as well. In some cases (like in a city wide transportation infrastructure) this may take years to implement and have prohibitively high costs. In these cases manufacturers (NXP) are tasked with coming up with quick fixes to address these issues, or they run the risk of losing large scale customers, like city bus or metro passes and readers. NXP did just this, with the MIFARE Plus card, by introducing a card which works with all existing Mifare Classic readers, but was not vulnerable to attacks on traditional MIFARE Classic cards. These cards also support AES encryption, so that one single card can work with legacy readers and updated AES compatible readers such that card holders can use one card as the hardware/reader infrastructure is slowly updated. Most large scale installations will only be able to afford to update the readers in sections or regions at a time, maybe on a city by city basis in the case of transportation systems.
The MIFARE Classic is a classic example of why creating custom cryptography algorithms is a bad idea. Because there were a few fatal flaws in the custom MIFARE Classic CRYPTO1[iii] library, it allowed a massively distributed secure access control infrastructure to be compromised, with common off the shelf hardware. By compromise, it means that a MIFARE Classic card is easy to read, replicate and produce new cards which then a malicious user can use to impersonate to legitimate cardholder. These cracking tools are called MFOC [iv]and MFCUK[v], and have been around for many years at the time of this writing. A new attack dubbed the Hard-Nested [vi] attack was implemented using the open-source Proxmark3 toolset, based on a white paper [vii] which showed that the MIFARE Plus card was still vulnerable to cipher text only attacks.
The Proxmark3 smart card testing framework is a mature hardware/software platform for smart card research. It is capable of cloning complete cards with proven attacks on the default encryption algorithm (CRYPTO1) used in MIFARE Classic cards. Card-only attacks are of particular interest because it does not require the attacker to sniff a valid interaction between a legitimate reader and the card, which theoretically means this attack could take place while sitting next to someone with an access badge in their backpack or purse, given the proper amount of time. The time needed ranges from 5 minutes up to many hours depending on multiple factors currently outside the control of the attacker.
There are two current methods of cracking encryption keys and/or brute forcing key guessing to obtain all keys used on a MIFARE Classic smart card, and therefore have the ability to entirely clone the card and impersonate another user. MFCUK (also known as the Darkside Attack) uses flaws in the pseudo-random number generator (PRNG) and error responses of the card to leak partial bits of the key stream, to eventually obtain one of the sector keys. This attack is only used if not one single key is known for any sector on the MIFARE Classic card. While this is a rare occasion it does happen, and this attack can take hours. The general methodology in this case is to find one key using MFCUK and then move on to the other attack method, MFOC. MFOC (also known as the nested attack), first authenticates to a sector using a known key (whether that be a default key or one found from MFCUK) to then perform a nested authentication to other sectors. In this transaction, some bits of the key stream can be leaked, and eventually the entire key can be recovered. This is performed then for all keys unknown, and eventually to the point where all keys are known. Once all keys are known the card can then be duplicated and used for impersonation.
In addition to the Proxmark3, the SCL3711 USB Reader works with LibNFC, which provides commands to read a MIFARE Classic card and save contents to file. Dumping the data of the card of course requires knowing all the keys for each Sector of the card itself, however cards from the factory generally come with at least a few default keys. With the card dump files, they can be edited with a hex editor to change the key bytes, and write back to the card again with the nfc-mfclassic toolset so that custom cards can be written for testing and general use.
A version of the Hard-Nested attack[viii] came out for LibNFC and SCL3711 reader, such that this could be done with a cheap reader. It still requires specific knowledge of how the cracking scripts work, and the MIFARE memory layout on a smart card, to successfully clone a card.
The common question for this attack is: how long does it take and how expensive is it to replicate a MIFARE Card? In a novice case, it takes maybe a few months and a few hundred dollars. In practice it is closer to a few hours, and $30.
It is possible to detect a vulnerable PRNG or not, by sending a short set of authentication requests to see if the randomness is predictable or not. This info can be used as an indication of card type, so there is no lost time trying for hours to crack the card (with no hope of ever finding a solution). If it the PRNG is predictable, then the older MFOC attack can be used and we know it’s a MIFARE Classic card. If the randomness cannot be characterized, there is no need to even try MFOC because it will never work. Instead, one should jump right into the Hard-Nested attack. Also, since we may have many keys we do not know on a card, we recursively run this until all keys are found.
Research has been done to create a script with the capability to clone any MIFARE Classic or Plus smart card (running with legacy compatibility on SL1) using a $30 reader with no input needed from the attacker. The script will make all the proper sector determinations and feed proper parameters to accomplish the end goal of finding all keys. What this means to some, is that anyone with $30 and can run a Linux shell script can clone some types of smart cards. This may allow for an attacker to sniff cards automatically in public situations, possibly sitting next to someone on a bus or train. What it should mean to most is that customers should move to AES enabled readers as fast as possible, if they are still using CRYPTO1 compatible systems.
[i] MIFARE Product History: http://www.nxp.com/products/identification-and-security/mifare-ics:MC_53422