MIFARE Classic: exposing the static encrypted nonce variant

Slide 1

Slide 1 text

MIFARE Classic: exposing the static encrypted nonce variant Y'en a un peu plus, j'vous l'mets quand même? Philippe Teuwen 15-11-2024

Slide 2

Slide 2 text

What to expect?

Slide 3

Slide 3 text

Breaking MIFARE Classic in 2024 ??

Slide 4

Slide 4 text

https://www.fmsh.com/AjaxFile/DownLoadFile.aspx?FilePath=/UpLoadFile/20230104/FM11RF08S_sds_chs.pdf&fileExt=file

Slide 5

Slide 5 text

Reader Tag ⟵ ⟵ ⟵ ⟵ ⟵ UID ⟶ ⟶ ⟶ ⟶ ⟶ AuthA/B for block X Generate 𝑛𝑇 ⟵ ⟵ ⟵ ⟵ ⟵ 𝑛𝑇 𝑎𝑅 ≔ 𝑓(𝑛𝑇 ) Generate 𝑛𝑅 ⟶ ⟶ ⟶ ⟶ ⟶ {𝑛𝑅 |𝑎𝑅 } 𝑎𝑅 ≟ 𝑓(𝑛𝑇 ) 𝑎𝑇 ≔ 𝑓′(𝑛𝑇 ) ⟵ ⟵ ⟵ ⟵ ⟵ {𝑎𝑇 } 𝑎𝑇 ≟ 𝑓′(𝑛𝑇 ) 5

Slide 6

Slide 6 text

Reader Tag ⟶ ⟶ ⟶ ⟶ ⟶ {AuthA/B for block Y} Generate 𝑛𝑇 ⟵ ⟵ ⟵ ⟵ ⟵ {𝑛𝑇 } 𝑎𝑅 ≔ 𝑓(𝑛𝑇 ) Generate 𝑛𝑅 ⟶ ⟶ ⟶ ⟶ ⟶ {𝑛𝑅 |𝑎𝑅 } 𝑎𝑅 ≟ 𝑓(𝑛𝑇 ) 𝑎𝑇 ≔ 𝑓′(𝑛𝑇 ) ⟵ ⟵ ⟵ ⟵ ⟵ {𝑎𝑇 } 𝑎𝑇 ≟ 𝑓′(𝑛𝑇 ) 6

Slide 7

Slide 7 text

Breaking MIFARE Classic in 2024 ?? Timeline 1994 first Philips MIFARE Classic 1997 Infineon SLE44R35 2004 Fudan FM11RF08 2007-2009 the end • 24C3 Mifare (Little Security Despite Obscurity) 7

Slide 8

Slide 8 text

Slide 9

Slide 9 text

Reader+Tag Reader Eve Tag ⟵ ⟵ ⟵ ⟵ ⟵ UID ⟶ ⟶ ⟶ ⟶ ⟶ AuthA/B for block X ⟵ ⟵ ⟵ ⟵ ⟵ 𝑛𝑇 ⟶ ⟶ ⟶ ⟶ ⟶ {𝑛𝑅 |𝑎𝑅 } ⟵ ⟵ ⟵ ⟵ ⟵ {𝑎𝑇 } key found! 9

Slide 10

Slide 10 text

Reader-only Reader Tag ⟵ ⟵ ⟵ ⟵ ⟵ UID ⟶ ⟶ ⟶ ⟶ ⟶ AuthA/B for block X ⟵ ⟵ ⟵ ⟵ ⟵ 𝑛𝑇 ⟶ ⟶ ⟶ ⟶ ⟶ {𝑛𝑅 |𝑎𝑅 } … (1 more time) key found! 10

Slide 11

Slide 11 text

Breaking MIFARE Classic in 2024 ?? Timeline 1994 first Philips MIFARE Classic 1997 Infineon SLE44R35 2004 Fudan FM11RF08 2007-2009 the end • 24C3 Mifare (Little Security Despite Obscurity) • Dismantling MIFARE Classic • Dark Side Of Security by Obscurity and Cloning MiFare Classic Rail and Building Passes Anywhere 11

Slide 12

Slide 12 text

Card-only: Darkside attack Reader Tag ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ UID ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ AuthA/B for block X repeatable 𝑛𝑇 ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ 𝑛𝑇 ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ random parity ok? ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ {NACK} … (7 more times) key found! 12

Slide 13

Slide 13 text

Slide 14

Slide 14 text

Card-only: Nested attack Reader Tag ⟶ ⟶ ⟶ ⟶ ⟶ {AuthA/B for block Y} predictable, “16-bit” 𝑛𝑇 ⟵ ⟵ ⟵ ⟵ ⟵ {𝑛𝑇 } … (1-2 more times) key found! 14

Slide 15

Slide 15 text

Breaking MIFARE Classic in 2024 ?? Timeline 1994 first Philips MIFARE Classic 1997 Infineon SLE44R35 2004 Fudan FM11RF08 2007-2009 the end? not really… 2010 MIFARE Plus (with Classic compatible SL1) 2014 MIFARE Classic EV1 15

Slide 16

Slide 16 text

Hardened cards Reader Tag ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ UID ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ AuthA/B for block X truly random 𝑛𝑇 ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ 𝑛𝑇 ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ random no more NACK 16

Slide 17

Slide 17 text

Slide 18

Slide 18 text

Hardnested attack Reader Tag ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ UID ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ {AuthA/B for block X} truly random 𝑛𝑇 ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ {𝑛𝑇 } with {parity} … (1500-2000 times) key found! 18

Slide 19

Slide 19 text

Static Encrypted Nonce cards Resist all known card-only attacks

Slide 20

Slide 20 text

Static Encrypted Nonce cards Resist all known card-only attacks Timeline 1994 first Philips MIFARE Classic 1997 Infineon SLE44R35 2004 Fudan FM11RF08 2010 MIFARE Plus (with Classic compatible SL1) 2014 MIFARE Classic EV1 2015 Ciphertext-only Cryptanalysis on Hardened Mifare Classic Cards 2020 Fudan FM11RF08S 20

Slide 21

Slide 21 text

FM11RF08S aka Static Encrypted Nonce cards Reader Tag ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ UID ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ {AuthA/B for block X} static “16-bit” 𝑛𝑇 ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ {𝑛𝑇 } with {parity} ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ random no more NACK … same 𝑛𝑇 (→ repeating is useless) 21

Slide 22

Slide 22 text

Static Encrypted Nonce cards Resist all known card-only attacks Static Encrypted Nonce depends on • the card • the sector • the key itself 22

Slide 23

Slide 23 text

Static Encrypted Nonce cards Resist all known card-only attacks Static Encrypted Nonce depends on • the card • the sector • the key itself Assume a key is repeated across some sectors / cards 23

Slide 24

Slide 24 text

Reused Keys Nested Attack

Slide 25

Slide 25 text

Reused Keys Nested Attack Reader Tag ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ UID ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ {AuthA/B for block X} ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ {𝑛𝑇 } ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ {AuthA/B for block Y } (other sector, same key) ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ another {𝑛𝑇 } keys candidates! ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ {AuthA/B for block Z } (other sector, same key) ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ yet another {𝑛𝑇 } key found! 25

Slide 26

Slide 26 text

Lightweight fuzzing

Slide 27

Slide 27 text

Lightweight fuzzing ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ Nested AuthA/B for block X 60xx = keyA 61xx = keyB 6000, 6200, 6800, 6a00 → {𝑛𝑇 } = 4e506c9c, auth successful with keyA 6100, 6300, 6900, 6b00 → {𝑛𝑇 } = 7bfc7a5b, auth successful with keyB 6400, 6600, 6c00, 6e00 → {𝑛𝑇 } = 65aaa443, auth failed 6500, 6700, 6d00, 6f00 → {𝑛𝑇 } = 55062952, auth failed 27

Slide 28

Slide 28 text

Reused Keys Nested Attack

Slide 29

Slide 29 text

Reused Keys Nested Attack Reader Tag ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ UID ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ {Auth 6400} ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ {𝑛𝑇 } ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ {Auth 6404} ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ another {𝑛𝑇 } ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ {Auth 6408} ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ yet another {𝑛𝑇 } key found! 29

Slide 30

Slide 30 text

A396EFA4E24F all sectors all FM11RF08S tags

Slide 31

Slide 31 text

DEMO: Data Read

Slide 32

Slide 32 text

Data-first attacks

Slide 33

Slide 33 text

Data-first + Reader-only Reader Tag ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ UID ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ AuthA/B for block X ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ 𝑛𝑇 ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ {𝑛𝑅 |𝑎𝑅 } 2x → key found! ⟺ ⟺ ⟺ ⟺ ⟺ ⟺ AuthA/B for block X ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ {Read block X} Sure! ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ {data = xxxx} 33

Slide 34

Slide 34 text

DEMO: Data-first + Reader-only

Slide 35

Slide 35 text

Backdoored nested attack

Slide 36

Slide 36 text

Backdoored nested attack 6000, 6200, 6800, 6a00 → 𝑛𝑇 = 75bfa373, auth successful with keyA 6100, 6300, 6900, 6b00 → 𝑛𝑇 = 999c7562, auth successful with keyB 6400, 6600, 6c00, 6e00 → 𝑛𝑇 = 75bfa373, auth successful with A396EFA4E24F 6500, 6700, 6d00, 6f00 → 𝑛𝑇 = 999c7562, auth successful with A396EFA4E24F 36

Slide 37

Slide 37 text

Backdoored nested attack Reader Tag ⟺ ⟺ ⟺ ⟺ ⟺ ⟺ ⟺ {Auth 6400} Recover clear 𝑛𝑇 ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ {Auth keyA } ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ {𝑛𝑇 } keys candidates! ⟺ ⟺ ⟺ ⟺ ⟺ ⟺ ⟺ Online brute-force... key found! 37

Slide 38

Slide 38 text

Data-first attacks, supporting nested

Slide 39

Slide 39 text

Data-first + Reader-only, with nested auth support Reader Tag ⟺ ⟺ ⟺ ⟺ ⟺ ⟺ AuthA/B for block X ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ {AuthA/B for block Y} ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ {𝑛𝑇 } ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ {𝑛𝑅 |𝑎𝑅 } key found! ⟺ ⟺ ⟺ ⟺ ⟺ ⟺ {AuthA/B for block Y} ⟶ ⟶ ⟶ ⟶ ⟶ ⟶ {Read block X} Sure! ⟵ ⟵ ⟵ ⟵ ⟵ ⟵ {data = xxxx} 39

Slide 40

Slide 40 text

Reversing Nested Nonce Generation

Slide 41

Slide 41 text

𝑛𝑇0 , 𝐾0 , 𝐾1 → 𝑛𝑇1 41

Slide 42

Slide 42 text

Faster Backdoored Nested Attack

Slide 43

Slide 43 text

DEMO: Full Card Recovery

Slide 44

Slide 44 text

Light-Fast Supply Chain Attack

Slide 45

Slide 45 text

DEMO: Light-Fast Supply Chain Attack

Slide 46

Slide 46 text

More Backdoors

Slide 47

Slide 47 text

FM11RF08 ⇒ A31667A8CEC1 FM11RF32N ⇒ 518B3354E760 With help of community: FM11RF08-7B ⇒ A396EFA4E24F FM1208-10 ⇒ A31667A8CEC1 FM1216-137 ⇒ A31667A8CEC1 one FM11RF08S ⇒ A31667A8CEC1 Official manufacturers… MF1ICS5003 ⇒ A31667A8CEC1 MF1ICS5004 ⇒ A31667A8CEC1 SLE66R35 ⇒ A31667A8CEC1 47

Slide 48

Slide 48 text

Resources

Slide 49

Slide 49 text

Resources • 47-page https://eprint.iacr.org/2024/1275 (v1.2 2024-11-08) - Proxmark3 - Iceman fork ❤ • 7 new commands/tools/scripts • 4 updated commands with backdoor support 49

Slide 50

Slide 50 text

No content

Slide 51

Slide 51 text

Resources • 47-page https://eprint.iacr.org/2024/1275 (v1.2 2024-11-08) • Proxmark3 - Iceman fork ❤ ‣ 7 new commands/tools/scripts ‣ 4 updated commands with backdoor support • Flipper Zero ‣ integration by Nathan Nye ❤ ‣ merged in the official firmware 2 weeks ago 51