Reverse engineering Mifare Classic NFC cards using the hardnested attack

Sam Decrock
6 min readMay 11, 2019

I’ve always been a fan of hacking. Not to harm others but just for the fun of it.

A few years ago, I learned about NFC hacking. At that time we had an NFC card at the office which allowed us to get 3 free drinks a day out of our vending machine. It turned out they were using a Mifare Classic card. This type of card is easy to break: its proprietary Crypto-1 cipher has been reverse engineered, and several published attacks recover the sector keys that protect the data.

So I bought an NFC card reader that is compatible with libnfc, the open-source NFC library available on Linux and Mac.

the SCL3711, a very compact NFC reader/writer

Using the mfoc tool, available through Homebrew on Mac, I was able to recover the encryption keys (mfoc implements the nested attack, which needs at least one known sector key, usually a factory default, to bootstrap). Then, using the Mifare Classic Tool for Android, I was able to modify its contents so I could get more than 3 drinks a day. Hooray! That was fun. Not the drinking part but the path to the hack, of course.

Swimming pool

Back to the present day. In our town we have a swimming pool that uses NFC cards to enter the pool. Again, I turned to mfoc to recover the encryption keys.

Let me go through the installation.

To install mfoc on a Mac, make sure you have homebrew installed and run

brew install mfoc

Then put your card on the reader and run the following, which writes the card contents to file.dmp once the keys are recovered:

mfoc -O file.dmp

Unfortunately, cracking the swimming pool card took forever:

Sector 00 -  FOUND_KEY   [A]  Sector 00 -  UNKNOWN_KEY [B]
Sector 01 - FOUND_KEY [A] Sector 01 - FOUND_KEY [B]
Sector 02 - FOUND_KEY [A] Sector 02 - FOUND_KEY [B]
Sector 03 - FOUND_KEY [A] Sector 03 - FOUND_KEY [B]
Sector 04 - FOUND_KEY [A] Sector 04 - UNKNOWN_KEY [B]
Sector 05 - FOUND_KEY [A] Sector 05 - FOUND_KEY [B]
Sector 06 - FOUND_KEY [A] Sector 06 - FOUND_KEY [B]
Sector 07 - FOUND_KEY [A] Sector 07 - FOUND_KEY [B]
Sector 08 - FOUND_KEY [A] Sector 08 - FOUND_KEY [B]
Sector 09 - FOUND_KEY [A] Sector 09 - FOUND_KEY [B]
Sector 10 - FOUND_KEY [A] Sector 10 - FOUND_KEY [B]
Sector 11 - FOUND_KEY [A] Sector 11 - FOUND_KEY [B]
Sector 12 - FOUND_KEY [A] Sector 12 - FOUND_KEY [B]
Sector 13 - FOUND_KEY [A]…
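Two things a practitioner wants at this point are a list of which keys mfoc still lacks (read off the status lines above) and a look inside the file.dmp written by `mfoc -O`: which key A / key B each sector carries and what the access bits allow, since a trailer whose access condition leaves key B readable means key B is plain data and never needs cracking. The script below is an added example, not code from the original article or from mfoc. It assumes a raw Mifare Classic 1K dump layout (16 sectors x 4 blocks x 16 bytes, block 3 of every sector being the trailer key A | access bits | GPB | key B, with the keys filled in as mfoc recovered them) and that mfoc's status lines look like the ones quoted above; the log and dump it parses are constructed, not taken from a real card.

```python
"""Helpers around an mfoc run on a Mifare Classic 1K card (added example)."""
import re
from typing import Dict, List, Tuple

# ---------- 1. which keys did mfoc fail to recover? ----------
# Assumed format of mfoc's status output: "Sector 04 - FOUND_KEY [A] Sector 04 - UNKNOWN_KEY [B]"
STATUS_RE = re.compile(r"Sector\s+(\d+)\s+-\s+(FOUND_KEY|UNKNOWN_KEY)\s+\[([AB])\]")

def unknown_keys(log_text: str) -> List[Tuple[int, str]]:
    """(sector, key type) pairs that mfoc reported as UNKNOWN_KEY."""
    return [(int(sec), ktype)
            for sec, status, ktype in STATUS_RE.findall(log_text)
            if status == "UNKNOWN_KEY"]

# ---------- 2. keys and access conditions from a 1K dump ----------
BLOCK_LEN, BLOCKS_PER_SECTOR, SECTORS_1K = 16, 4, 16
DUMP_LEN_1K = BLOCK_LEN * BLOCKS_PER_SECTOR * SECTORS_1K

def decode_access_bits(b6: int, b7: int, b8: int) -> List[Tuple[int, int, int]]:
    """Return (C1, C2, C3) for blocks 0..3 of a sector.

    Trailer bytes 6..8 hold: b6 = ~C2 | ~C1, b7 = C1 | ~C3, b8 = C3 | C2,
    each nibble's bit 3..0 belonging to block 3..0. The inverted copies are
    checked first: the card rejects a trailer whose copies disagree, and
    writing one permanently locks the sector.
    """
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    nc1, nc2, nc3 = b6 & 0xF, (b6 >> 4) & 0xF, b7 & 0xF
    if (c1 ^ nc1, c2 ^ nc2, c3 ^ nc3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits fail the inverted-nibble check")
    return [((c1 >> blk) & 1, (c2 >> blk) & 1, (c3 >> blk) & 1)
            for blk in range(BLOCKS_PER_SECTOR)]

def key_b_readable(trailer_cond: Tuple[int, int, int]) -> bool:
    """In trailer conditions 000, 010 and 001 key B can be read with key A and
    cannot be used for authentication, so it never needs to be cracked."""
    return trailer_cond in {(0, 0, 0), (0, 1, 0), (0, 0, 1)}

def uid_info(dump: bytes) -> Tuple[str, bool]:
    """4-byte UID from block 0 and whether its BCC (XOR of the UID bytes) matches."""
    uid = dump[0:4]
    bcc = 0
    for b in uid:
        bcc ^= b
    return uid.hex(), bcc == dump[4]

def parse_dump(dump: bytes) -> Dict[int, dict]:
    """Per-sector keys, per-block (C1, C2, C3) and whether key B is mere data."""
    if len(dump) != DUMP_LEN_1K:
        raise ValueError(f"expected a {DUMP_LEN_1K}-byte 1K dump, got {len(dump)}")
    sectors = {}
    for sec in range(SECTORS_1K):
        start = (sec * BLOCKS_PER_SECTOR + 3) * BLOCK_LEN
        t = dump[start:start + BLOCK_LEN]
        cond = decode_access_bits(t[6], t[7], t[8])
        sectors[sec] = {
            "key_a": t[0:6].hex(),
            "key_b": t[10:16].hex(),
            "access": cond,
            "key_b_is_data": key_b_readable(cond[3]),
        }
    return sectors

# ---------- constructed sample input (not from a real card) ----------
SAMPLE_LOG = """\
Sector 00 -  FOUND_KEY   [A]  Sector 00 -  UNKNOWN_KEY [B]
Sector 01 - FOUND_KEY [A] Sector 01 - FOUND_KEY [B]
Sector 04 - FOUND_KEY [A] Sector 04 - UNKNOWN_KEY [B]
"""

def build_sample_dump() -> bytes:
    """1K dump in transport configuration (FF 07 80 69, default keys), except
    sector 4, whose trailer uses 7F 07 88 (trailer condition 011): key B is
    write-only there, so it is a real authentication key, not readable data."""
    transport = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
    locked_b = bytes.fromhex("ffffffffffff" "7f078869" "0a0b0c0d0e0f")
    blocks = []
    for sec in range(SECTORS_1K):
        for blk in range(BLOCKS_PER_SECTOR):
            if blk == 3:
                blocks.append(locked_b if sec == 4 else transport)
            elif sec == 0 and blk == 0:
                # manufacturer block: made-up UID de ad be ef, BCC 22, SAK 08, ATQA 04 00, filler
                blocks.append(bytes.fromhex("deadbeef" "22" "08" "0400" "0000000000000000"))
            else:
                blocks.append(bytes(BLOCK_LEN))
    return b"".join(blocks)

if __name__ == "__main__":
    print("still unknown:", unknown_keys(SAMPLE_LOG))
    for sec, info in parse_dump(build_sample_dump()).items():
        print(sec, info["key_a"], info["key_b"], info["access"][3], info["key_b_is_data"])
```

With a real run you would pass the text of mfoc's output to `unknown_keys` and `open("file.dmp", "rb").read()` to `parse_dump`; any sector whose `key_b_is_data` is True can be dropped from the list of keys still worth attacking.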

Written by Sam Decrock

Hardware and software (reverse) engineer. Passionate about new technologies. samdecrock.be
