Reverse engineering Mifare Classic NFC cards using the hardnested attack

Sam Decrock
6 min read · May 11, 2019

I’ve always been a fan of hacking. Not to harm others but just for the fun of it.

A few years ago, I learned about NFC hacking. At that time we had an NFC card at the office which allowed us to get 3 free drinks a day out of our vending machine. It turned out they were using a Mifare Classic card. This type of card can easily be hacked, as the encryption keys protecting the data are vulnerable to several exploits.

So I bought an NFC card reader that's compatible with libnfc, an NFC library available on Linux and Mac.

the SCL3711, a very compact NFC reader/writer

Using the mfoc tool, available through Homebrew on Mac, I was able to recover the encryption keys. Then, using the Mifare Classic Tool for Android, I was able to modify its contents so I could get more than 3 drinks a day. Hooray! That was fun. Not the drinking part, but the path to the hack, of course.

Swimming pool

Back to the present day. In our town we have a swimming pool that uses NFC cards to enter the pool. Again, I turned to mfoc to recover the encryption keys.

Let me go through the installation.

To install mfoc on a Mac, make sure you have Homebrew installed and run

brew install mfoc


Written by Sam Decrock

Hardware and software (reverse) engineer. Passionate about new technologies. samdecrock.be