Holistic NFC hacking 2012



= Introduction =

The security of many RFID protocols depends on owning the production process, controlling card or reader distribution, "magic" unique read-only IDs that are meant to stop you from copying card content, and hardwired protocols in cards and readers that are meant to stop you from tampering with the communication (man-in-the-middle, remote forwarding etc.) at chip or firmware level.

As a result of these security features, a key requirement for evaluating and breaking RFID cards is full control over protocols and cards at the radio-frequency level. In last year's course we showed how to build and use RFID sniffers to reverse-engineer unknown card protocols. This year we will teach you to emulate 13.56 MHz HF RFID cards and readers at the radio-frequency level (ISO14443, ISO15693, NFC and proprietary) in software.

This three-day hands-on course will teach you to emulate proprietary 13.56 MHz reader and card protocols (ISO14443A, ISO15693, NFC and proprietary card chips) in software and will show real-world attacks on prominent RFID card systems at the protocol level. It will show how to practically exploit weaknesses in the random number generation of RFID cards, and how to perform card emulation for cloning cards.

== Update the reader to the latest OpenPCD 2 firmware with libnfc support ==

Press both the RESET and FLASH buttons, then release RESET first, to switch OpenPCD 2 into programming mode. A mass storage device containing the firmware image then appears.

== Reading and analyzing the hotel door RFID card ==

Dump both hotel key cards:

== Creating an NDEF-based NFC tag ==

Create a NDEF formatted link:

Store the link on a Mifare DESFire RFID card:

Emulate an RFID tag using OpenPCD 2:

== Compiling the latest OpenPCD 2 source code and flashing the firmware ==

Press both the RESET and FLASH buttons, then release RESET first, to switch OpenPCD 2 into programming mode. A mass storage device containing the firmware image then appears.

OpenPCD is also capable of running in a stand-alone mode in which the RFID protocol is handled by the onboard ARM CPU. For a stand-alone firmware example, please refer to firmware/lpc13xx/openpcd2. In src/main.c you can see the interface for talking to the PN532 chip and for sending data out over USB Serial (CDC ACM).

== Talking directly to the RFID reader chip on OpenPCD 2 ==

Please check the PN532 datasheet for details on the RFID chip protocol (starting at page 65).

Getting the firmware version (see GetFirmwareVersion, page 73); the reply is the IC code (0x32 identifies the PN532), the firmware version and revision (1.4) and the supported-protocols byte (0x07):

 > 02
 Tx: 02
 Rx: 32 01 04 07

Scanning for cards (see InListPassiveTarget, page 115; the parameters are MaxTg=01 and BrTy=00 for 106 kbps ISO14443A):

 > 4A 01 00
 Tx: 4a 01 00
 Rx: 01 01 03 44 20 07 04 36 26 a9 b2 1c 80 06 75 77 81 02 80

You can see the card UID length (7) at byte 6. The card UID follows (04 36 26 a9 b2 1c 80).
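To make the layout of that reply explicit, here is an added Python parser (not part of the course material or the OpenPCD code) that splits the InListPassiveTarget payload above into target number, ATQA, SAK, UID and ATS, and rejects truncated or trailing bytes. It assumes the tool has already stripped the PN532 frame bytes and the 0x4B response code, so the payload starts with NbTg.

```python
# Added parser for the PN532 InListPassiveTarget response shown above (106 kbps
# ISO14443A). Assumes the tool already stripped the frame bytes and the 0x4B
# response code, so the payload starts with NbTg (assumption).
from typing import NamedTuple


class Iso14443aTarget(NamedTuple):
    tg: int          # logical target number assigned by the PN532
    sens_res: bytes  # ATQA (2 bytes, as sent by the PN532)
    sel_res: int     # SAK
    uid: bytes       # NFCID1: 4, 7 or 10 bytes
    ats: bytes       # ATS including its length byte TL; empty if none


def parse_in_list_passive_target(payload: bytes) -> list[Iso14443aTarget]:
    """Split the payload into per-target records; raise ValueError if truncated."""
    if not payload or payload[0] > 2:
        raise ValueError("bad NbTg: PN532 reports 0..2 targets")
    targets, pos = [], 1
    for _ in range(payload[0]):
        if pos + 5 > len(payload):
            raise ValueError("payload truncated in target header")
        tg, sens_res, sel_res, uid_len = (payload[pos], payload[pos + 1:pos + 3],
                                          payload[pos + 3], payload[pos + 4])
        pos += 5
        if uid_len not in (4, 7, 10) or pos + uid_len > len(payload):
            raise ValueError(f"bad NFCID1 length {uid_len} or truncated UID")
        uid, pos = payload[pos:pos + uid_len], pos + uid_len
        ats = b""
        if sel_res & 0x20:  # SAK bit 0x20: ISO14443-4 card, ATS follows
            tl = payload[pos] if pos < len(payload) else 0
            if tl == 0 or pos + tl > len(payload):  # TL counts itself
                raise ValueError("SAK announces ATS but TL/payload inconsistent")
            ats, pos = payload[pos:pos + tl], pos + tl
        targets.append(Iso14443aTarget(tg, sens_res, sel_res, uid, ats))
    if pos != len(payload):
        raise ValueError(f"{len(payload) - pos} trailing byte(s) after last target")
    return targets


# Constructed from the Rx line above (hex exactly as the tool printed it).
RX = bytes.fromhex("01 01 03 44 20 07 04 36 26 a9 b2 1c 80 06 75 77 81 02 80")

if __name__ == "__main__":
    for t in parse_in_list_passive_target(RX):
        print(f"Tg={t.tg} ATQA={t.sens_res.hex()} SAK={t.sel_res:02x} "
              f"UID={t.uid.hex()} ATS={t.ats.hex() or '-'}")
```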

== Converting sniffed binaries to WAV files ==

Record the sniff with PicoRFID-3K at 15.5 MHz. Use sox to convert the recorded binary log file into a WAV file for review in Audacity. Please see the OpenPICC SnifferOnly front end page for more information.