Research, development and trades concerning the powerful Proxmark3 device.
Hi folks,
I am trying to write a complete reference of all the known attacks on contactless smartcards. I am pretty sure about the attacks on the MIFARE Classic, but I need some help on the MIFARE Plus.
For now, I have identified the following attacks on the MIFARE Classic:
Dark side of obscurity attack - uses weaknesses in CRYPTO1 with encrypted error code responses and parity bits, card-only attack and no requirement
Nested attack - uses weaknesses in the PRNG and time distances to compute the plaintext value of nonces - card-only attack, but you need to know at least one key
Snooping attack - uses weaknesses in CRYPTO1 - you need a trace of a single captured authentication session
For MIFARE Plus however, the PRNG has been fixed and the encrypted error message is not sent anymore, so the Dark Side of Obscurity and the Nested attacks are no longer doable.
A HardNested attack has been developed for the hardened PRNG, and it allows recovering all the keys if at least one key is known.
Are snooping attacks still possible? Are there other attacks I missed?
Let me know if you have interesting papers documenting attacks on MIFARE Plus cards.
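The PRNG weakness named in the list above, as an added illustration that is not part of this post and not Proxmark3 code: a toy model of the 16-bit LFSR behind MIFARE Classic (Crypto1) nonces, using the feedback polynomial x^16 + x^14 + x^13 + x^11 + 1 published by Garcia et al. (2008). The bit and byte ordering, the function names and the sample starting states are assumptions made for this example and are not bit-exact with Proxmark3's crapto1 implementation. It shows why the generator is the problem: only 65535 nonzero states exist, the low 16 bits of every nonce are fixed by the high 16 bits (so one captured nonce tells a defender whether a card still runs the weak generator, as opposed to the fixed MIFARE Plus PRNG, with a 2^-16 false-positive rate), and the number of clock ticks between two nonces is a table lookup, which is the "time distance" the nested attack depends on.

```python
# Added example: a toy model of the 16-bit LFSR that generates MIFARE Classic
# (Crypto1) nonces, using the feedback polynomial x^16 + x^14 + x^13 + x^11 + 1
# published by Garcia et al. (2008). Bit/byte ordering here is an assumption
# for illustration and is NOT bit-exact with Proxmark3's crapto1.c.

STATE_BITS = 16
PERIOD = (1 << STATE_BITS) - 1          # 65535 nonzero states for a primitive polynomial
TAPS = (0, 2, 3, 5)                     # exponents 16, 14, 13, 11 -> tap positions 16 - k


def lfsr_step(state):
    """Clock the LFSR once: return (output_bit, new_state)."""
    out = state & 1
    feedback = 0
    for t in TAPS:
        feedback ^= (state >> t) & 1
    return out, (state >> 1) | (feedback << (STATE_BITS - 1))


def advance(state, n):
    """Clock the LFSR n times and return the resulting state."""
    for _ in range(n):
        _, state = lfsr_step(state)
    return state


def nonce_from_state(state):
    """Emit 32 successive output bits as a 32-bit nonce (first bit emitted = MSB)."""
    nonce = 0
    for _ in range(32):
        bit, state = lfsr_step(state)
        nonce = (nonce << 1) | bit
    return nonce


def state_from_nonce(nonce):
    """The first 16 emitted bits are the state itself, so the state is fully recoverable."""
    head = nonce >> 16
    state = 0
    for i in range(STATE_BITS):
        state |= ((head >> (STATE_BITS - 1 - i)) & 1) << i
    return state


def predict_nonce_tail(nonce):
    """The 16 low bits a weak-PRNG card must produce after the 16 high bits."""
    state = advance(state_from_nonce(nonce), STATE_BITS)  # skip the 16 bits already seen
    tail = 0
    for _ in range(STATE_BITS):
        bit, state = lfsr_step(state)
        tail = (tail << 1) | bit
    return tail


def is_weak_prng_nonce(nonce):
    """True if the 32-bit value could have come from this LFSR.

    A genuine Crypto1 nonce always passes; a random 32-bit value (for example
    from a card with a hardened PRNG) passes only with probability 2^-16.
    """
    return (nonce & 0xFFFF) == predict_nonce_tail(nonce)


def lfsr_period():
    """Clocks until state 1 returns to itself; 65535 means every nonzero state is visited."""
    state, n = 1, 0
    while True:
        _, state = lfsr_step(state)
        n += 1
        if state == 1:
            return n


_DIST = {}  # state -> position on the single 65535-long cycle, built on first use


def nonce_distance(from_nonce, to_nonce):
    """Number of LFSR clocks between two weak-PRNG nonces (the "time distance").

    One table of 65535 entries answers the question for any pair. Both nonces
    must be nonzero: state 0 is a fixed point and never occurs on a real card.
    """
    if not _DIST:
        state = 1
        for i in range(PERIOD):
            _DIST[state] = i
            _, state = lfsr_step(state)
    a = _DIST[state_from_nonce(from_nonce)]
    b = _DIST[state_from_nonce(to_nonce)]
    return (b - a) % PERIOD


if __name__ == "__main__":
    n0 = nonce_from_state(0x1234)                     # constructed starting state
    n1 = nonce_from_state(advance(0x1234, 100))       # same card, 100 clocks later
    print(f"period of the generator: {lfsr_period()}")
    print(f"nonce {n0:08x} is weak-PRNG output: {is_weak_prng_nonce(n0)}")
    print(f"clocks between {n0:08x} and {n1:08x}: {nonce_distance(n0, n1)}")
```

The `is_weak_prng_nonce` check is the part worth keeping around: run over nonces captured from a fleet of cards, it separates cards that still answer with Crypto1-style nonces from cards whose PRNG has actually been hardened, which is exactly the property the rest of this thread argues about.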
Read the theses from Roel Verdult and Gerhard de Koning Gans for starters,
ref
http://www.cs.ru.nl/~rverdult/publications.html
http://gerhard.dekoninggans.nl/document … thesis.pdf
Where can I download the hardnested program? I want to try the attack on a MIFARE Plus card emulating a Classic 1K. I have no Proxmark, only an ACR122U. Can I accomplish this attack without a Proxmark?
Hi Roma! You need to gather nonces using the reader. The rest is done on the PC side thanks to aczid's bitslicing implementation.
Thank you for your advice.
I also want to ask: can the hardnested attack be improved, for example to work without one known key, like a "hard darkside" attack? Is such an attack possible or not, what do you think?
As far as I know, hardnested is not possible without at least one known key. You may want to check iceman's branch for a bunch of default keys in the dictionary and in the lua scripts as well.
Most of the cards have at least one default key for a sector. What card are you interested in?
I am interested in this card https://strelkacard.ru/ I know one key of this card but hardnested doesn't work with this card.
This card is a JCOP 41 with MIFARE Classic emulation. This card has SAK 0x28. This is the main reason the hardnested attack fails on this card.
I see. I cannot help here though, sorry.
If I change libnfc so that libnfc thinks this card has SAK 0x08, will hardnested work or not? I have another MIFARE Plus card with MIFARE Classic emulation. That card's SAK is 0x08 and hardnested works great.
Since your tag is JCOP, emulating a Mifare Classic tag, I'm doubtful the hardnested attack will work here.
If you are lucky, the normal darkside attack should work.
@iceman: why would the JCOP prevent the hardnested attack from working? From what I have understood of the paper, any system compatible with MIFARE Classic is vulnerable, so the emulated JCOP should also be vulnerable.
In my case, the existing implementation did not work: the card responded with a lot of "Auth failed" and finally "Unable to select card" in an infinite loop. I had to modify the code to slow down (again!) the acquisition in order to reduce its pace.
Maybe this could be helpful in this case.
@roman921: what's the error message, why do you say it is failing?
It's because the JCOP application would need to have the modern PRNG implemented on card. I doubt that there is a Java implementation of that PRNG in the open. However, it's very easy to get the old one.
The darkside attack might not work because emulating MIFARE takes longer, thus making the PRNG unpredictable.
If there is an implementation of the hardened PRNG available, then we can use it in the current darkside attack to predict nonces...
Hardnested guesses in the current implementation are not always accurate, by the way.
@roman, I wish you would open personal messages so I could send you one via the forum.
Last edited by osys (2016-05-09 15:14:38)
Had to test it now,
I tried the hardnested on an old MIFARE tag; it got to 702k nonces without succeeding to find the parity with high probability, then the client crashed.
So, I don't think the hardnested attack works against the old PRNG.
@osys, how do I open personal messages on this forum?
@roman921, it seems PMs are disabled; however, I have set
"Hide your email address but allow form email."
Do you have a way to contact me?
Do you have a way to contact me?
@osys, I opened my email in my profile. Please write to me.
Last edited by roman921 (2016-05-15 10:54:18)
@roman921, unfortunately it doesn't work. There is no ability to send a message to you.
@osys, now my e-mail shows in my profile. Do you see the e-mail in my profile now?
@roman921, unfortunately no. It seems there are some troubles with the forum.
Let's wait until they are fixed.
Read the theses from Roel Verdult and Gerhard de Koning Gans for starters,
ref
http://www.cs.ru.nl/~rverdult/publications.html
http://gerhard.dekoninggans.nl/document … thesis.pdf
Good theses!