Slide 1

MIFARE Classic: exposing the static encrypted nonce variant and a few backdoors...
Philippe Teuwen, 24-10-2024

Slide 2

What to expect?

Slide 3

Breaking MIFARE Classic in 2024 ??

Slide 4

FM11RF08S datasheet (Fudan): https://www.fmsh.com/AjaxFile/DownLoadFile.aspx?FilePath=/UpLoadFile/20230104/FM11RF08S_sds_chs.pdf&fileExt=file

Slide 5

Authentication for block X (braces mark values sent encrypted):

Reader                                        Tag
       <---------- UID -------------------
       ---------- AuthA/B for block X --->
                                          generate nT
       <---------- nT --------------------
aR := f(nT); generate nR
       ---------- {nR | aR} ------------->
                                          aR ≟ f(nT); aT := f'(nT)
       <---------- {aT} ------------------
aT ≟ f'(nT)

Slide 6

Nested authentication for block Y (inside an authenticated session, every message encrypted):

Reader                                        Tag
       ---------- {AuthA/B for block Y} ->
                                          generate nT
       <---------- {nT} ------------------
aR := f(nT); generate nR
       ---------- {nR | aR} ------------->
                                          aR ≟ f(nT); aT := f'(nT)
       <---------- {aT} ------------------
aT ≟ f'(nT)

Slide 7

Breaking MIFARE Classic in 2024 ??

Timeline
1994 first Philips MIFARE Classic
1997 Infineon SLE44R35
2004 Fudan FM11RF08
2007-2009 the end
• 24C3 Mifare (Little Security Despite Obscurity)

Slide 8

Breaking MIFARE Classic in 2024 ??

Timeline
1994 first Philips MIFARE Classic
1997 Infineon SLE44R35
2004 Fudan FM11RF08
2007-2009 the end
• 24C3 Mifare (Little Security Despite Obscurity)
• Dismantling MIFARE Classic

Slide 9

Reader+Tag (Eve eavesdrops on a genuine reader and a genuine tag)

Reader                 Eve                 Tag
       <-------------- UID ----------------
       -------- AuthA/B for block X ------>
       <-------------- nT -----------------
       -------------- {nR | aR} ---------->
       <-------------- {aT} ---------------
                   key found!

Slide 10

Reader-only

Reader                                        Tag
       <---------- UID -------------------
       ---------- AuthA/B for block X --->
       <---------- nT --------------------
       ---------- {nR | aR} ------------->
       ... (1 more time)
key found!

Slide 11

Breaking MIFARE Classic in 2024 ??

Timeline
1994 first Philips MIFARE Classic
1997 Infineon SLE44R35
2004 Fudan FM11RF08
2007-2009 the end
• 24C3 Mifare (Little Security Despite Obscurity)
• Dismantling MIFARE Classic
• Dark Side Of Security by Obscurity and Cloning MiFare Classic Rail and Building Passes Anywhere

Slide 12

Card-only: Darkside attack

Reader                                        Tag
       <---------- UID -------------------
       ---------- AuthA/B for block X --->
                                          repeatable nT
       <---------- nT --------------------
       ---------- random ----------------> parity ok?
       <---------- {NACK} ----------------
       ... (7 more times)
key found!

Slide 13

Breaking MIFARE Classic in 2024 ??

Timeline
1994 first Philips MIFARE Classic
1997 Infineon SLE44R35
2004 Fudan FM11RF08
2007-2009 the end
• 24C3 Mifare (Little Security Despite Obscurity)
• Dismantling MIFARE Classic
• Dark Side Of Security by Obscurity and Cloning MiFare Classic Rail and Building Passes Anywhere
• Wirelessly Pickpocketing a Mifare Classic Card

Slide 14

Card-only: Nested attack

Reader                                        Tag
       ---------- {AuthA/B for block Y} ->
                                          predictable, "16-bit" nT
       <---------- {nT} ------------------
       ... (1-2 more times)
key found!

Slide 15

Breaking MIFARE Classic in 2024 ??

Timeline
1994 first Philips MIFARE Classic
1997 Infineon SLE44R35
2004 Fudan FM11RF08
2007-2009 the end? not really...
2010 MIFARE Plus (with Classic compatible SL1)
2014 MIFARE Classic EV1

Slide 16

Hardened cards

Reader                                        Tag
       <---------- UID -------------------
       ---------- AuthA/B for block X --->
                                          truly random nT
       <---------- nT --------------------
       ---------- random ----------------> no more NACK

Slide 17

Breaking MIFARE Classic in 2024 ??

Timeline
1994 first Philips MIFARE Classic
1997 Infineon SLE44R35
2004 Fudan FM11RF08
2007-2009 the end? not really...
2010 MIFARE Plus (with Classic compatible SL1)
2014 MIFARE Classic EV1
2015 Ciphertext-only Cryptanalysis on Hardened Mifare Classic Cards

Slide 18

Hardnested attack

Reader                                        Tag
       <---------- UID -------------------
       ---------- {AuthA/B for block X} ->
                                          truly random nT
       <---------- {nT} with {parity} ----
       ... (1500-2000 times)
key found!

Slide 19

Static Encrypted Nonce cards

Slide 20

Static Encrypted Nonce cards

Timeline
1994 first Philips MIFARE Classic
1997 Infineon SLE44R35
2004 Fudan FM11RF08
2010 MIFARE Plus (with Classic compatible SL1)
2014 MIFARE Classic EV1
2015 Ciphertext-only Cryptanalysis on Hardened Mifare Classic Cards
2020 Fudan FM11RF08S

Slide 21

FM11RF08S aka Static Encrypted Nonce cards

Reader                                        Tag
       <---------- UID -------------------
       ---------- {AuthA/B for block X} ->
                                          static "16-bit" nT
       <---------- {nT} with {parity} ----
       ---------- random ----------------> no more NACK
       ... same nT (→ repeating is useless)
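The nonce behaviours that separate these card generations (a predictable "16-bit" nT on the original Classic, a truly random nT on hardened cards, a nested nonce that never changes on the FM11RF08S) can be recognised from a handful of captured authentications, which is what an audit of deployed card stock needs. The Python below is an added example, not code from the talk or from the Proxmark3 tools. It re-implements the public 16-bit LFSR behind the Classic nonce generator (the prng_successor routine known from crapto1; its byte order is assumed here) to test whether a clear nT is an LFSR output, and reports whether repeated authentications to one sector return the same {nT}. The sample nonces in main() are constructed.

```python
"""Added example (not from the talk): fingerprint MIFARE Classic tag nonces
from captured authentications, the way a card-stock audit would.

Re-implements the public 16-bit LFSR behind the tag's nonce generator (the
prng_successor routine of crapto1; its byte order is assumed here) and uses
it to tell a "predictable, 16-bit" nT from a truly random one, plus a plain
repeat check for the static encrypted nonce of the FM11RF08S."""

MASK32 = 0xFFFFFFFF


def _swap_endian(x: int) -> int:
    """Reverse the four bytes so that bit 0 is the first bit sent on air
    (ISO 14443-A sends each byte least-significant bit first)."""
    return int.from_bytes((x & MASK32).to_bytes(4, "big"), "little")


def _lfsr_shift(x: int, n: int) -> int:
    """Clock the tag LFSR n times.  The 16-bit state sits in bits 16..31,
    the feedback taps are bits 16, 18, 19 and 21 (x^16+x^14+x^13+x^11+1),
    and every new output bit enters at bit 31 while older bits shift down."""
    for _ in range(n):
        fb = ((x >> 16) ^ (x >> 18) ^ (x >> 19) ^ (x >> 21)) & 1
        x = (x >> 1) | (fb << 31)
    return x


def prng_successor(nonce: int, n: int) -> int:
    """The nonce as it reads n LFSR clocks later.  In the exchange of slide 5,
    f(nT) = prng_successor(nT, 64) and f'(nT) = prng_successor(nT, 96)."""
    return _swap_endian(_lfsr_shift(_swap_endian(nonce), n))


def make_weak_nonce(seed16: int) -> int:
    """Build the 32-bit nonce the weak PRNG emits from a 16-bit state: the
    first 16 bits on air are the state, the next 16 follow from it."""
    return _swap_endian(_lfsr_shift((seed16 & 0xFFFF) << 16, 16))


def is_weak_prng_nonce(nonce: int) -> bool:
    """True if the second half of the nonce is the LFSR continuation of the
    first half, i.e. the nonce carries only 16 bits of entropy.  A truly
    random nT passes this check by accident with probability 2**-16."""
    x = _swap_endian(nonce)
    return _lfsr_shift((x & 0xFFFF) << 16, 16) == x


def classify_nonces(nonces, encrypted: bool) -> dict:
    """Summarise nonces seen over repeated authentications to one sector.

    encrypted=True marks nested-authentication nonces ({nT}): the keystream
    hides the LFSR structure, so only the repeat check applies to them."""
    if not nonces:
        raise ValueError("need at least one nonce")
    distinct = len(set(nonces))
    result = {
        "samples": len(nonces),
        "distinct": distinct,
        # Static nonce (slide 21): every authentication returns the same value.
        "static": len(nonces) > 1 and distinct == 1,
    }
    if not encrypted:
        result["weak_prng"] = all(is_weak_prng_nonce(n) for n in nonces)
    return result


if __name__ == "__main__":
    # Constructed samples: a weak-PRNG tag, a hardened tag, a static-nonce tag.
    weak_tag = [make_weak_nonce(s) for s in (0x1234, 0xBEEF, 0x0042)]
    hardened_tag = [0x5A3C9E71, 0xC0FFEE11, 0x13579BDF]
    static_tag = [0x65AAA443] * 4            # nested {nT} that never changes
    print("weak PRNG tag :", classify_nonces(weak_tag, encrypted=False))
    print("hardened tag  :", classify_nonces(hardened_tag, encrypted=False))
    print("static {nT}   :", classify_nonces(static_tag, encrypted=True))
```

Only clear nonces from a first authentication can be checked against the LFSR; a nested {nT} is masked by the keystream, so for it the script reports only whether it repeats. Because the reader's and the tag's answers of slide 5 are prng_successor(nT, 64) and prng_successor(nT, 96), a nonce with 16 bits of entropy leaves the whole exchange with 16 bits of entropy, which is why the hardened generations moved to a truly random nT.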

Slide 22

Static Encrypted Nonce cards

Static Encrypted Nonce depends on
• the card
• the sector
• the key itself

Slide 23

Static Encrypted Nonce cards

Static Encrypted Nonce depends on
• the card
• the sector
• the key itself

Assume a key is repeated across some sectors / cards

Slide 24

Reused Keys Nested Attack

Slide 25

Reader                                        Tag
       <---------- UID -------------------
       ---------- {AuthA/B for block X} ->
       <---------- {nT} ------------------
       ---------- {AuthA/B for block Y} -> (other sector, same key)
       <---------- another {nT} ----------
key candidates!
       ---------- {AuthA/B for block Z} ->
       <---------- yet another {nT} ------
key found!

Slide 26

Lightweight fuzzing

Slide 27

Lightweight fuzzing

       ---------- Nested AuthA/B for block X ---->   (command 60xx = keyA, 61xx = keyB)

6000, 6200, 6800, 6a00 → {nT} = 4e506c9c, auth successful with keyA
6100, 6300, 6900, 6b00 → {nT} = 7bfc7a5b, auth successful with keyB
6400, 6600, 6c00, 6e00 → {nT} = 65aaa443, auth failed
6500, 6700, 6d00, 6f00 → {nT} = 55062952, auth failed

Slide 28

Reused Keys Nested Attack

Slide 29

Reader                                        Tag
       <---------- UID -------------------
       ---------- {Auth 6400} ----------->
       <---------- {nT} ------------------
       ---------- {Auth 6404} ----------->
       <---------- another {nT} ----------
       ---------- {Auth 6408} ----------->
       <---------- yet another {nT} ------
key found!

Slide 30

A396EFA4E24F: all sectors, all FM11RF08S tags

Slide 31

DEMO: Data Read

Slide 32

Data-first attacks

Slide 33

Data-first + Reader-only

Reader                                        Tag
       <---------- UID -------------------
       ---------- AuthA/B for block X --->
       <---------- nT --------------------
       ---------- {nR | aR} ------------->
       2x → key found!
       <========== AuthA/B for block X ==>
       ---------- {Read block X} --------> Sure!
       <---------- {data = xxxx} ---------

Slide 34

DEMO: Data-first + Reader-only

Slide 35

Backdoored nested attack

Slide 36

Backdoored nested attack

6000, 6200, 6800, 6a00 → nT = 75bfa373, auth successful with keyA
6100, 6300, 6900, 6b00 → nT = 999c7562, auth successful with keyB
6400, 6600, 6c00, 6e00 → nT = 75bfa373, auth successful with A396EFA4E24F
6500, 6700, 6d00, 6f00 → nT = 999c7562, auth successful with A396EFA4E24F

Slide 37

Reader                                        Tag
       <========== {Auth 6400} ==========>   recover clear nT
       ---------- {Auth keyA} ----------->
       <---------- {nT} ------------------
key candidates!
       <========== online brute-force... >
key found!

Slide 38

Data-first attacks, supporting nested

Slide 39

Data-first + Reader-only, with nested auth support

Reader                                        Tag
       <========== AuthA/B for block X ==>
       ---------- {AuthA/B for block Y} ->
       <---------- {nT} ------------------
       ---------- {nR | aR} ------------->
key found!
       <========== {AuthA/B for block Y} >
       ---------- {Read block X} --------> Sure!
       <---------- {data = xxxx} ---------

Slide 40

Reversing Nested Nonce Generation

Slide 41

(nT0, K0, K1) → nT1

Slide 42

Faster Backdoored Nested Attack

Slide 43

DEMO: Full Card Recovery

Slide 44

Light-Fast Supply Chain Attack

Slide 45

DEMO: Light-Fast Supply Chain Attack

Slide 46

More Backdoors

Slide 47

FM11RF08 ⇒ A31667A8CEC1
FM11RF32N ⇒ 518B3354E760

With help of community:
FM11RF08-7B ⇒ A396EFA4E24F
FM1208-10 ⇒ A31667A8CEC1
one FM11RF08S ⇒ A31667A8CEC1

Official manufacturers...
MF1ICS5003 ⇒ A31667A8CEC1
MF1ICS5004 ⇒ A31667A8CEC1
SLE66R35 ⇒ A31667A8CEC1
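Two conditions from this talk can be checked in a key-management system before cards are issued: the reused-keys nested attack of slides 23 and 25 needs the same key in more than one sector or on more than one card, and the keys listed above open sectors of the affected chips whatever was programmed, so they have no business appearing in an application's key table. The Python below is an added example, not part of the talk or of the Proxmark3 / Flipper Zero tooling; it runs over a constructed key table (UIDs and application keys are made up) and lists known backdoor keys, the factory transport key FFFFFFFFFFFF, and keys shared between sectors of one card or between cards.

```python
"""Added example (not part of the talk, the Proxmark3 or the Flipper tooling):
audit a fleet's MIFARE Classic sector keys for the two conditions the talk
relies on: known backdoor keys (slide 47) and keys reused across sectors or
cards (slides 23 and 25).  The fleet below is a constructed sample."""

from collections import defaultdict

# Backdoor keys per chip family as listed on slide 47 (upper-case hex).
BACKDOOR_KEYS = {
    "A31667A8CEC1": "FM11RF08, FM1208-10, one FM11RF08S, MF1ICS5003, MF1ICS5004, SLE66R35",
    "518B3354E760": "FM11RF32N",
    "A396EFA4E24F": "FM11RF08S, FM11RF08-7B",
}
FACTORY_DEFAULT_KEY = "FFFFFFFFFFFF"  # transport key of blank MIFARE Classic cards


def normalise_key(key: str) -> str:
    """Canonical 12-hex-digit form; rejects anything that is not a 48-bit key."""
    key = key.strip().upper()
    if len(key) != 12 or any(c not in "0123456789ABCDEF" for c in key):
        raise ValueError(f"not a 48-bit hex key: {key!r}")
    return key


def audit_keys(fleet: dict) -> dict:
    """fleet maps card UID -> {sector number: (keyA, keyB)}.

    Returns four sorted finding lists:
      backdoor            (uid, sector, slot, key)  key is a published backdoor key
      default             (uid, sector, slot, key)  factory transport key left in place
      reused_in_card      (uid, key, [sectors])     same key in several sectors of one card
      reused_across_cards (key, [uids])             same key on several cards
    """
    findings = {"backdoor": [], "default": [], "reused_in_card": [], "reused_across_cards": []}
    sectors_by_key = defaultdict(lambda: defaultdict(set))   # key -> uid -> {sector}
    for uid, sectors in fleet.items():
        for sector, (key_a, key_b) in sectors.items():
            for slot, key in (("A", key_a), ("B", key_b)):
                key = normalise_key(key)
                sectors_by_key[key][uid].add(sector)
                if key in BACKDOOR_KEYS:
                    findings["backdoor"].append((uid, sector, slot, key))
                elif key == FACTORY_DEFAULT_KEY:
                    findings["default"].append((uid, sector, slot, key))
    for key, per_card in sectors_by_key.items():
        for uid, secs in per_card.items():
            if len(secs) > 1:
                findings["reused_in_card"].append((uid, key, sorted(secs)))
        if len(per_card) > 1:
            findings["reused_across_cards"].append((key, sorted(per_card)))
    for kind in findings:
        findings[kind].sort()
    return findings


# Constructed sample fleet: UIDs and application keys are made up.
SAMPLE_FLEET = {
    "04A1B2C3": {
        0: ("11223344AABB", "55667788CCDD"),
        1: ("11223344AABB", "55667788CCDD"),   # sector 1 copies sector 0's keys
        2: ("A396EFA4E24F", "99AABBCCDDEE"),   # a backdoor key used as key A
    },
    "04D4E5F6": {
        0: ("11223344AABB", "FFFFFFFFFFFF"),   # key A shared with the other card
        1: ("0123456789AB", "BA9876543210"),
    },
}


def print_report(findings: dict) -> None:
    """Plain-text summary of audit_keys() output."""
    for kind, items in findings.items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print("   ", item)


if __name__ == "__main__":
    print_report(audit_keys(SAMPLE_FLEET))
```

The reuse findings are the ones that matter for the static-nonce variant: with per-card, per-sector diversified keys every entry in the table is unique and the reused-keys nested attack has no second sector to compare against. The backdoor finding does not tell you which chip a card carries; that still has to be established on the card itself with the tools listed in the resources.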

Slide 48

Resources

Slide 49

Resources
• 40-page https://eprint.iacr.org/2024/1275 (soon v1.2)
• Proxmark3 - Iceman fork ❤
  ‣ 7 new commands/tools/scripts
  ‣ 4 updated commands with backdoor support


Slide 51

Resources
• 40-page https://eprint.iacr.org/2024/1275 (soon v1.2)
• Proxmark3 - Iceman fork ❤
  ‣ 7 new commands/tools/scripts
  ‣ 4 updated commands with backdoor support
• Flipper Zero
  ‣ ongoing, by Nathan Nye ❤
  ‣ beta version available on the unofficial firmwares
  ‣ soon on the official one

Slide 52

Resources
• 40-page https://eprint.iacr.org/2024/1275 (soon v1.2)
• Proxmark3 - Iceman fork ❤
  ‣ 7 new commands/tools/scripts
  ‣ 4 updated commands with backdoor support
• Flipper Zero
  ‣ ongoing, by Nathan Nye ❤
  ‣ beta version available on the unofficial firmwares
  ‣ soon on the official one
• RFID Hacking by Iceman Discord
  ‣ Great community ❤

Slide 53

Conclusion