How not to use a Proxmark3 Easy

The boring introduction

I’ve recently been interested in access control systems, vaguely inspired by an information risk management module I took last year. As part of the module, I had the opportunity to take a “deep dive” on RFID security to determine whether a faux hotel’s security systems were up to scratch – spoiler, they were not. 

From my own research following the module, I decided I wanted to purchase a Proxmark3 RDV4.01. Following a further look at my bank balance, I decided the Proxmark3 Easy would be far more appropriate. It also makes more sense with my use-case in mind; I’m not looking to perform in-the-field penetration tests, I’m looking to research (play around with) RFID card security systems at my leisure.

Fortunately, there are a couple of vendors where you can purchase devices pre-flashed with Iceman firmware, and I decided on KSEC Labs as my vendor of choice – Lab401 would have been my second choice. These pre-flashed devices mean you don’t have to bother with bootloaders or worry about bricking your device – this can be an issue with the cheaper clones sold. I also found that the “cheaper” clones were only a few pounds cheaper, so I decided a more reputable vendor would be worth it.

Even more fortunately, this isn’t a blog on the set-up of the environment and device, so I won’t bore you with the details – I followed the excellent tutorial created by Dangerous Things, which you can find here: https://youtu.be/o6WOTM4D970

The less boring “research”

After purchasing and setting up the working environment, it was time to investigate the technology embedded in the cards I’ve been carting around in my wallet – both my Swift card and my University ID card use RFID technology. Since I’m not going to break any laws, and ideally don’t want to violate any policies, I did check the University policy on card usage:

Fortunately, I’m not even particularly able to do that, seeing as the card is a Mifare Classic 4k card with a 4-byte UID; with the Proxmark3 Easy I also received a Mifare Classic 1k magic card. Sadly, 4k ≠ 1k. Therefore I may as well crack the encryption, dump the data, and see what they’re storing about me on the card – it is my data after all, and there’s no policy telling me I can’t.

As the above screen capture shows (found by running the “auto” command), we’re dealing with a Mifare Classic 4k 4-byte UID card – vaguely rare, seeing as most available “magic” 4k cards seem to be of the 7-byte UID variety. In the context of Mifare cards, “magic” cards refer to a card’s ability to change the usually static UID (Unique ID) of the card – something that should worry you if your security relies solely on checking the UID of the presented card. These are also known as UID-writable cards; the “magic” refers to the magic bytes used to write to the original faux Mifare cards. Lab401 already has a great article on the matter, which can be found here: https://lab401.com/blogs/academy/know-your-magic-cards

Just for clarity’s sake, I’ve included a scan of a Mifare Classic 4k Magic 7-byte UID card below. In my experience, it’s very easy to confuse a 4k 4-byte UID and a 4k 7-byte UID magic card when purchasing them online.

Having modified the data on the card, it now identifies itself as being manufactured by Motorola – I doubt the authenticity of this claim.

The capabilities of the Iceman firmware

With the Iceman firmware, a huge variety of options are available specifically for manipulating Mifare Classic cards. I’ve included the options related to key recovery below – I might cover the different types of attack in a separate post, however we’re going to focus on the most boring of all here – the “autopwn”.

This attack will attempt to automatically break the encryption via different methods until a successful one is found – in the case of this card, a nested/hardnested attack is used. The details of this attack are a little beyond the scope of this post, so I’ll save them for a later one. The attack takes some time to complete, which gives you time to regret buying the wrong UID size magic card, something very easy to do.

After all that regret, we get the encryption keys – lovely. 

We also get a message telling us that a MAD key has been detected – running the command it suggests tells us what is stored where on the card, useful stuff.

We can then use one of the operations that the Iceman firmware gives us to view the data stored in those sectors; the “rdsc” command in particular.

After specifying which key (A or B) to use, as well as the sector number, it gives us an ASCII decode of the data stored. All of this data makes sense, bar the “xw” at the bottom – the numbers represent the dates between which the card is valid – I wonder whether, if they were changed, the card would still be accepted by a reader? The stray “xw” is also worth wondering about – it could denote student status, or perhaps course.
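To make the key A/key B choice and the sector numbering concrete, here is an added example (my own code, not from the post or the Iceman project) that decodes a sector trailer’s access bits the way a reader does, reports which key may read or write each data block, flags the configurations in which key A alone also exposes key B, and renders the data blocks like rdsc. The sector contents are constructed; the trailer uses NXP’s transport access bytes FF 07 80, and the report function assumes a 4-block sector (the first 32 sectors of a 4k card).

```python
from typing import Dict, List, Tuple

# Constructed sample sector (not data from the post): three data blocks of
# made-up ASCII plus a trailer with placeholder keys and access bytes FF 07 80.
SAMPLE_SECTOR = [
    b"STUDENT 0000000 ",                                   # block 0 (constructed)
    b"VALID 0122 0125 ",                                   # block 1 (constructed)
    b"xw" + b"\x00" * 14,                                  # block 2 (constructed)
    bytes.fromhex("A0A1A2A3A4A5" "FF0780" "69" "B0B1B2B3B4B5"),  # trailer
]

# Data-block access conditions keyed by (C1, C2, C3): (who may read, who may write).
DATA_RULES = {
    (0, 0, 0): ("A|B", "A|B"), (0, 1, 0): ("A|B", "never"), (1, 0, 0): ("A|B", "B"),
    (1, 1, 0): ("A|B", "B"),   (0, 0, 1): ("A|B", "never"), (0, 1, 1): ("B", "B"),
    (1, 0, 1): ("B", "never"), (1, 1, 1): ("never", "never"),
}
# Trailer conditions under which key B can be read with key A, so recovering
# key A alone yields both keys and key B is not a second secret at all.
KEYB_READABLE_BY_A = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}

def sector_blocks(sector: int) -> range:
    """Block numbers of a Mifare Classic 4k sector: 32 sectors of 4 blocks, then 8 of 16."""
    if sector < 32:
        return range(sector * 4, sector * 4 + 4)
    start = 128 + (sector - 32) * 16
    return range(start, start + 16)

def decode_access_bits(trailer: bytes) -> List[Tuple[int, int, int]]:
    """(C1, C2, C3) per block from trailer bytes 6-8, verifying the inverted copies."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4           # non-inverted nibbles
    if (b6 & 0xF, b6 >> 4, b7 & 0xF) != (~c1 & 0xF, ~c2 & 0xF, ~c3 & 0xF):
        raise ValueError("access bits fail their inverted-nibble check: corrupt trailer")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]

def ascii_decode(block: bytes) -> str:
    """Same presentation as rdsc: printable bytes as-is, everything else as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in block)

def sector_report(sector: List[bytes]) -> Dict:
    """Read/write rights and ASCII view per data block, plus whether key A exposes key B."""
    bits = decode_access_bits(sector[3])
    report = {blk: dict(zip(("read", "write"), DATA_RULES[bits[blk]]),
                        ascii=ascii_decode(sector[blk])) for blk in range(3)}
    report["keyB_readable_with_A"] = bits[3] in KEYB_READABLE_BY_A
    return report

if __name__ == "__main__":
    for key, value in sector_report(SAMPLE_SECTOR).items():
        print(key, value)
```

With the transport bytes FF 07 80, every data block is readable and writable with either key and key B is readable with key A, which is exactly the state a card should not be deployed in.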

The first sector answers that question by revealing my student ID number and my student status, and it also repeats the dates between which my card is valid.

The third sector then shows my department, WMG – presumably this is for access control, allowing me to use my card to open doors in their buildings – or it could simply hold the information in case the card is queried. Again, “xw” features at the end of the data.

The fourth and reserved sector of the card also contains information about the university as opposed to me personally – I wonder if it’s reserved because it’s set by default on all the cards the university programs?

The reason I’m not taking a dump of the card and then reading through the data is the university’s policy – by reading the data live from specific sectors, I never copy the data at any point. However, it does have the negative trade-off that I have to keep the card on the reader at all times.

A Conclusion

I’m a big fan of the Proxmark3 Easy, and I think it enables a lot more people to explore the world of RFID who wouldn’t otherwise have been able to – which includes cheap students like myself. I’ll continue to play around using the Iceman firmware (obviously legally). I might have to invest in a little lab set-up if I want to explore cloning cards; it’s either that, or find a card in the real world with a lax policy – either way I’ll post any updates on this site.