Proxmark3 community

joker

Contributor

Registered: 2008-11-17

Posts: 34

What's possible without a reader?

Most published attacks are reader based. Because whenever you say "HI I am a tag", it replies with 64bits of cipher text and 8 parity bits. Which since the cipher is well euhm weak, is more than plenty.

A tag however only starts encrypting things after this point, and presumably does nothing when fed with an invalid reader response.

However for some reason, after the initial authentication, the roles are reversed, and for subsequent sector authentications the tag starts encrypting a nonce first. Are there attacks known which exploit this? There are several situations where you would want to know keys to additional sectors.

at first glance it would seem an obvious(though untested, and since something is fed in the lfsr not identical) attack would need to try 1<<29 possibilities. Anyway, I was wondering if anything of this nature is published somewhere?

And more general what tagbased attacks are there? other than just trying 1<<48 keys over RF.

joker

Contributor

Registered: 2008-11-17

Posts: 34

Re: What's possible without a reader?

Ok, due to the overwelming response i'm going to assume it's either hush hush, or there is some obvious reason this isn't usable/possible/feasable/interesting in the real world and you are all trying to spare my feelings ;-)

rule

Member

Registered: 2008-05-21

Posts: 417

Re: What's possible without a reader?

I think the following scientific publication answers most of your questions.

Flavio D. Garcia, Peter van Rossum, Roel Verdult and Ronny Wichers Schreur.
Wirelessly Pickpocketing a Mifare Classic Card.
To appear in 30th IEEE Symposium on Security and Privacy (S&P 2009). IEEE.

You can find it here.

joker

Contributor

Registered: 2008-11-17

Posts: 34

Re: What's possible without a reader?

4.4. Nested authentication attack
We now assume that the attacker already knows at
least one sector key; let us call this sector the exploit
sector.

yes that sounds pretty close to what  vaguely described above ;-). The obvious attack, using just the 3 parity bits, is only 128times harder than the original parity based attack which is well in range.
I'll work my way through your "scientific" notation later to see if there is anything new in there. to improve on it. There's the timing and apparently the tag isn't dead silent if you send "crap" to the card;-) thanks for the info

Last edited by joker (2009-04-03 08:15:01)

Dennyxiao

Contributor

Registered: 2008-11-01

Posts: 43

Re: What's possible without a reader?

Hi,Joker
Could you post the method to calculate the 2nd sector's password(using crypto1 we can calculate the first sector)
?
Thanks,

joker

Contributor

Registered: 2008-11-17

Posts: 34

Re: What's possible without a reader?

@Dennyxiao that is ridiculously off topic here

@Roel, wow! i skipped over the other attacks in the paper before. Which i shouldn't have. Nice works! I'll digest it further. I wonder how many people outside your group already know the impact of this :-) It seems to be quieter around the publication than one might expect ...

edit: ow yeah i suspect a tiny typo on page 8

f (?64 ) = f (?64 ? 1). Approx. 9.4% of the possible
?64 ’s has f (?64 ) != f (?64 ) ? 1

Unless i'm missing something the percentage of x's where x != x+1 is slightly higher than 9.6%.

Last edited by joker (2009-04-03 08:12:45)

rule

Member

Registered: 2008-05-21

Posts: 417

Re: What's possible without a reader?

Thank you for the note! Always nice to see that people are really reading and verifying the paper.

I guess you are right there. It think it should have been:
Approx. 9.4% of the possible ?64’s has f (?64) != f (?64 ? 1)
I'll will discuss it with my colleges to see if this is the notation we should have here.

In more ambiguous language it states the following:
When you flip the last bit of the reader nonce it will only change the encryption 1/10 of the time. The very last bit of the LFSR has only effect on 9.4% of all the cipher states in stead of the 50%, which you would expect to find in a more balanced cipher. To check the encryption you can simply look at what parity that you send is accepted (and therefor which key-stream was used). For this parity bit, your new(bit-flipped) a64 state was used. If it shows a different key-stream bit, you know you are dealing with a cipher that has the funny 9.4% property

For completeness sake I have added a local copy of the document in the files section here.

rule

Member

Registered: 2008-05-21

Posts: 417

Re: What's possible without a reader?

I wonder how many people outside your group already know the impact of this :-) It seems to be quieter around the publication than one might expect ...

The manufacturer and system integrators were informed half a year ago.
The following statement is already a few months on the official MIFARE Website.

- Card only attacks are possible in lab environments and at considerable precalculation time. This is expected to further evolve into an attack that does not need lab conditions and may require less precalculation time.*
- One particular card only attack can, with a certain prerequisite on knowledge about the card, retrieve all keys and data from the card in about a second per key using a laptop and limited value equipment. Interaction with the card can be limited to two times less than a second: first to get material for key recovery and then once the keys are retrieved an interaction to retrieve the data.*

* (The recent vulnerabilities are courtesy to Radboud University Nijmegen, who have given early warning to NXP in order to allow timely communication such that system integrators can take measures).

Though there are always people looking to start a riot with this paper for example .

A new  major security breach with MiFare Classic cards used in London's Oyster card and in a majority of building passes worldwide  was just disclosed to the public. Any card can be wirelessly accessed and cloned in 10 minutes due to a nasty bug, sort of backdoor. One paper is available here where we read that in addition some cards found in eastern Europe are even weaker and can be  cloned in seconds by anobody, anytime(!). Another (earlier) paper about this will be presented at IEEE Oakland  conference in May 2009, but it seems that the authors decided that the vulnerability is so serious that they should NOT tell the press about it any time soon.
However we have met in the hacker and research community a surprisingly large number of people that knew about this vulnerability for a long time and it can be demonstrated with software found on the Internet, as explained here. So really keeping quiet about this vulnerability only serves the interests of criminals. Everybody needs to know about it and protect any building passes they have with shielding (aluminium foil also does the job), otherwise they can be cloned.

Personally I don't think the public sees a big difference between a card hacked and broken and even more broken

joker

Contributor

Registered: 2008-11-17

Posts: 34

Re: What's possible without a reader?

yeah it's a nice clever trix, and a bit counter intuitive. But i see what you did there ;-) I'll look into it more.

Just in case you want to know, There are a few more things, i noticed:

- on page 8 in the proof of protocol 4.2 you seem to have A = B = B= C = D q.e.d., which although mathematically sound dropping one B might save people wondering whether or not they are cross eyed.

- on page 7

correct parity bits and received response. In practice,
gathering those six authentication sessions with correct
parity bits only takes on average 6 · 256 = 1536
authentication attempts which can be done in less than
one second.

which is somewhat strange when compared with this quote from page 2

This attack requires on average 212 = 4096 authenti-
cation attempts, which could in principle be done
in about two minutes.

Unless some strange non-linearity in the tag speed occurs this might be confusing.

Last edited by joker (2009-04-03 08:10:08)

rule

Member

Registered: 2008-05-21

Posts: 417

Re: What's possible without a reader?

I must give you credit for the subtle things you spot there.

Thanks a lot!

joker

Contributor

Registered: 2008-11-17

Posts: 34

Re: What's possible without a reader?

Personally I don't think the public sees a big difference between a card hacked and broken and even more broken wink

very true, though what the public really sees is that it's real and wants to believe it's secure enough. And "everything can be cracked anyways." Not to mention "who would want to do it anyways". And so on and so on ;-) Though given the scope, and even wrt to the OV chip the political nature of the subject. I do expect a hype.

btw functional specs for the tags suggest that an authentication session takes about 5msec, the time needed to reset the tag is in the microseconds. which would suggest doing it under one second is something reserved for the next paper ;-)

Last edited by joker (2009-03-21 02:50:53)

rule

Member

Registered: 2008-05-21

Posts: 417

Re: What's possible without a reader?

very true, though what the public really sees is that it's real and wants to believe it's secure enough. And "everything can be cracked anyways." Not to mention "who would want to do it anyways". And so on and so on ;-) Though given the scope, and even wrt to the OV chip the political nature of the subject. I do expect a hype.

Last February in the Parliament (2e kamer) we demonstrated this attack by recovering the key and birth date from a Parliament-member within seconds in front of the parliament OV-chipkaart commision. It's still did not wake (most of) them up to see the real problem there is now.

Furthermore, we helped the local media TV-Rijnmond with a demonstration and test to verify if you could travel undetected. Personally I think we did our best to show the impact.

btw functional specs for the tags suggest that an authentication session takes about 5msec, the time needed to reset the tag is in the microseconds. which would suggest doing it under one second is something reserved for the next paper ;-)

The functional specs are kind of "incorrect", let me explain why.

As you can see in the traces in this forum the tag responds within 64 or 72 Proxmark ticks. I refer to this because that is the measure unit used in the FPGA to measure the timing. To be specific, this is 1/8th of a bit-period (ISO14443A), it takes in total 9.44us to transmit 1 bit. So you can see the tag responds in maximum of 9*9.44us = ~100us = ~0.1ms

The reader in stead is normally much slower. This is because of the hardware design NXP uses, they let the chip (with system integrator firmware) that controls the MIFARE modulation chip (MFRCxxx) handle the messages using a callback, the modulation chip then just waits for a next command to transmit to the tag (and encrypts this on the fly). This means in practice, that even the fastest readers I've seen (from the OV-chipkaart gates for example) end up using 1200 Proxmark ticks, which is a little bit less than ~1.5ms per command. This makes the authentication consumes until the first command around 5ms.

But! If we just let the Proxmark firmware do the authentication, we can get the reader side back to less than 500 proxmark ticks, and even better, using the FPGA for CRYPTO1 it should be possible to get the time down to around the same speed the tag needs to respond. Which means you can do a full authentication in less than 0.5ms.

I hope this is a little bit clear, let me know if you still have questions of course .

joker

Contributor

Registered: 2008-11-17

Posts: 34

Re: What's possible without a reader?

Personally I think we did our best to show the impact.

Sure that's not up for debate for what I am concerned.

Last edited by joker (2009-04-03 08:13:38)