Growing up I had the pleasure of watching all sorts of spy, heist, and hacking movies - the 007 films, Sneakers, The Italian Job, Hackers, Swordfish, the Ocean's movies, the list goes on. A common occurrence in a lot of these movies is the need to copy a key or keycard to gain access to a location. This idea has always rattled around in the back of my mind, especially for the cool factor of pulling off the same sort of key duplication. Well, since I'm not a red-teamer and not one for gaining access to locations I'm not supposed to, I was left with only one real option to finally explore this idea: duplicate the keyfob to my residence. What follows is how I went about identifying and successfully duplicating my keyfob with some off-the-shelf components.

Information Gathering

After looking at the brand of lock, a quick Google Image Search revealed it was a Schlage FE410. First I found the general specifications about the lock, and next I found some marketing material that covered some of the features. The biggest takeaway from these documents is that there are a few different types of credentials supported: Schlage MIFARE Classic, Schlage MIFARE Plus, Schlage Mobile Access Credential, and Schlage DESFire EV1.

Looking over the keyfob, it had some text printed on it: 9691T. A few more Google searches revealed that this is a multi-frequency keyfob that supports a High Frequency (13.56 MHz) and a Low Frequency (125 kHz), which this data sheet happily gives the details to. Looks like I'll be tackling a MiFare Classic 1k byte/8k bit, 16 sector keyfob.

Next up is to figure out what exactly this MiFare Classic is all about. A quick Google search for "MiFare Classic 1k datasheet", and with the first link we've struck gold: data sheet and this one. One of the most important pieces of information here is that it says the operating frequency is 13.56 MHz, which means that any sort of scanner/duplicator needs to work with that.

Now for the exciting part: finding any literature out there that talks about exploiting the MiFare Classic cards. I found two pretty good presentations on this, the first being Hacking MiFare Classic cards, which covers more of the history, and the second being A 2018 practical guide to hacking NFC/RFID. Hacking MiFare Classic cards provides a good background on the cards as well as a high-level explanation of the exploit. A 2018 practical guide to hacking NFC/RFID covers what tools and hardware are available for actually performing the exploit for duplication of cards. Some of the highlights from the background:

- NXP Semiconductors went with security by obscurity for the cryptography protocol implemented.
- For this crypto protocol, the "security of this cipher is… close to zero."
- In 2007, two German researchers (Nohl and Plötz) presented a partial reverse engineering of the protocol.
- In 2008, Radboud University Nijmegen completely reversed the protocol and were going to publish the research.
- NXP attempted to block the research via legal means.
- The courts denied NXP's request and the research was published.
- Once published, this led to the development of an Open Source implementation.
- Not long after, public exploits/tools surfaced, making the cards somewhat unusable from a security perspective.
- Man-in-the-Middle, where a sniffer sits between the card and the reader and then replays the communication.
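To make the "1k byte / 8k bit / 16 sectors" layout concrete, here is an added example (my own illustration, not code from the original post or from NXP) that parses a MiFare Classic 1K dump into its 16 sectors of 4 blocks of 16 bytes, validates the block 0 checksum byte (BCC) against the UID, checks that each sector trailer's access bits are internally consistent, and flags sectors whose Key A or Key B is still the factory transport key. The dump it audits is constructed inline, the UID and the non-default key are made up, and the helper names (`build_sample_dump`, `audit_dump`, `decode_access_bits`) are mine. From a defender's point of view, a fob that still carries factory keys in every sector is exactly the kind of credential the exploits above make trivial to copy.

```python
# Added example (not from the original post): audit the sector layout of a
# MIFARE Classic 1K dump. All input data below is constructed for illustration.

FACTORY_KEY = bytes.fromhex("FFFFFFFFFFFF")   # NXP transport (factory) key
TRANSPORT_ACCESS = bytes.fromhex("FF078069")  # transport access bits + GPB byte
BLOCK_SIZE, BLOCKS_PER_SECTOR, SECTORS = 16, 4, 16
DUMP_SIZE = BLOCK_SIZE * BLOCKS_PER_SECTOR * SECTORS  # 1024 bytes = 8 kbit


def build_sample_dump(uid: bytes, rekeyed_sectors: set) -> bytes:
    """Construct a 1K dump: manufacturer block 0, zeroed data blocks, trailers."""
    assert len(uid) == 4, "4-byte UID expected"
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]       # block 0 checksum over the UID
    # UID, BCC, SAK, ATQA, then 8 bytes of (constructed) manufacturer data
    block0 = uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8)
    custom_key = bytes.fromhex("DEADBEEFCAFE")   # constructed non-default key
    blocks = []
    for sector in range(SECTORS):
        for blk in range(BLOCKS_PER_SECTOR):
            if sector == 0 and blk == 0:
                blocks.append(block0)
            elif blk == BLOCKS_PER_SECTOR - 1:    # sector trailer: KeyA|access|KeyB
                key = custom_key if sector in rekeyed_sectors else FACTORY_KEY
                blocks.append(key + TRANSPORT_ACCESS + key)
            else:
                blocks.append(bytes(BLOCK_SIZE))  # empty data block
    dump = b"".join(blocks)
    assert len(dump) == DUMP_SIZE
    return dump


def decode_access_bits(trailer: bytes) -> dict:
    """Decode trailer bytes 6-8 into (C1, C2, C3) per block and verify the
    inverted nibbles mirror the plain ones (a mismatch bricks the sector)."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    consistent = (
        (b7 >> 4) == (~b6 & 0x0F)            # C1 vs ~C1
        and (b8 & 0x0F) == (~(b6 >> 4) & 0x0F)  # C2 vs ~C2
        and (b8 >> 4) == (~b7 & 0x0F)        # C3 vs ~C3
    )
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    bits = {}
    for blk in range(BLOCKS_PER_SECTOR):     # bit n of each nibble = block n
        mask = 1 << blk
        bits[blk] = (bool(c1 & mask), bool(c2 & mask), bool(c3 & mask))
    return {"consistent": consistent, "bits": bits}


def audit_dump(dump: bytes) -> dict:
    """Check block 0 and every sector trailer; report sectors on factory keys."""
    if len(dump) != DUMP_SIZE:
        raise ValueError(f"expected {DUMP_SIZE}-byte 1K dump, got {len(dump)}")
    blocks = [dump[i:i + BLOCK_SIZE] for i in range(0, DUMP_SIZE, BLOCK_SIZE)]
    uid = blocks[0][:4]
    bcc_ok = blocks[0][4] == (uid[0] ^ uid[1] ^ uid[2] ^ uid[3])
    factory_key_sectors, bad_access_sectors = [], []
    for sector in range(SECTORS):
        trailer = blocks[sector * BLOCKS_PER_SECTOR + BLOCKS_PER_SECTOR - 1]
        key_a, key_b = trailer[:6], trailer[10:]
        if FACTORY_KEY in (key_a, key_b):
            factory_key_sectors.append(sector)
        if not decode_access_bits(trailer)["consistent"]:
            bad_access_sectors.append(sector)
    return {
        "uid": uid.hex().upper(),
        "bcc_ok": bcc_ok,
        "factory_key_sectors": factory_key_sectors,
        "bad_access_sectors": bad_access_sectors,
    }


if __name__ == "__main__":
    sample = build_sample_dump(bytes.fromhex("01020304"), rekeyed_sectors={1, 2})
    print(audit_dump(sample))
```

Only sectors 1 and 2 of the constructed dump were given a non-default key, so the audit reports the other fourteen sectors as still on the factory key; on a real fob that result is the signal that the credential relies entirely on the obscurity of a cipher the talks above describe as broken.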