Introduction
One of the most common applications of the Proxmark3 is the reading and cloning of cards. Considering the vast array of protocols and varying degrees of security, it should come as no surprise that the device has gained significant notoriety for its ability to bypass all but the most advanced implementations. The RDV4 by RRG represents a new leap forward in the decade-plus tradition of the PM3, incorporating the latest in firmware and hardware improvements that allow researchers to take their lab into the field with ease and discretion.
To best demonstrate the power and versatility of this tool, we will be reading, decrypting, and emulating a proprietary Mifare 1k hotel room key card using the only the Proxmark3 RDV4 with Blue Shark Module, the default antenna set, and an Android phone running the RFID Tools App, also by RRG. This would not be possible to replecate without significant effort using any other set up.
Acquiring the Target Card
This procedure requires your PM3’s antenna to be within close proximity of the target RFID card for up to 5 minutes – meaning that you will ideally have physical possession of the target card. Although acquisition of the card is beyond the scope of this particular tradecraft tutorial, using the medium range or long range variant of the HF antenna will increase the read range of your device up to 2-4 inches depending on the target card. Depending on one’s social engineering capabilities, this could provide just enough room to perform the attack discreetly – something that would not be possible without the Proxmark3 RDV4’s bluetooth connectivity and the ability to run the full PM3 client from the Android App.
Other than sanctioned red team engagements, you will most likely be utilizing this procedure in the lab and have full physical access to the target card or tag. The unauthorized cloning of RFID cards and tags is unethical and may be illegal in your jurisdiction. This article is intended for research purposes only and the use of this material in the commission of a crime is expressly prohibited.
Identifying Card Type
To ensure that the target card is vulnerable to the following attacks, start this procedure by reading the tag info contained on the card. Open the RFID Tools App by RRG on your Android device and connect to the Proxmark3 RDV4.01 using the Red Team Terminal. If you have not already set up your PM3 and Android device for use with the app, refer to our previous article in this series covering this topic. Although you can follow this along with this tutorial running the Proxmark3 client from your computer, the command names are slightly different in the firmware version used with the Android App.
Once in the Red Team Terminal, utilize the “easy button” menu to send the command hf search to your device. You can also manually input these commands by using your device keyboard and then hit the send button to execute. This will scan for all known tag types in the high 13.56 Mhz range and print a field of information identifying the card. This includes unique ID (UID) of the card, ATQA and SAK values, the type of chipset used by the card, the manufacturer, and a few diagnostic lines providing further info about the card and potential vulnerabilities. In our case, the target card reads:
UID: 25 82 C1 0E
ATQA: 00 04
SAK: 08 [2]
TYPE: NXP MIFARE CLASSIC 1k | Plus 2k SL1 | Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: WEAK
[+] Valid ISO 14443-A tag found
The vital piece of information that we are looking for is that “MIFARE CLASSIK 1k” appears as the card’s type.
Checking for Known Keys
Now that we have validated that the target card is of the appropriate type, we are going to want to check to see if we can read the card using known default values. This list of values is built into the device firmware and we can check the card against it by hitting the “Easy Button” for hf mf chk *1 ? 1, which will print any keys discovered by sector and save the data to our Android device memory. In this case the target card returns the following key information:
|---|--------------|---|--------------|---|
|sec|key A|res|key B|res|
|---|--------------|---|--------------|---|
|000| ------------ | 1 | ffffffffffff | 1 |
|001| ------------ | 0 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ------------ | 1 | ffffffffffff | 1 |
|004| ------------ | 1 | ffffffffffff | 1 |
|005| ------------ | 1 | ffffffffffff | 1 |
|006| ------------ | 1 | ffffffffffff | 1 |
|007| ------------ | 1 | ffffffffffff | 1 |
|008| ------------ | 1 | ffffffffffff | 1 |
|009| ------------ | 1 | ffffffffffff | 1 |
|010| ------------ | 1 | ffffffffffff | 1 |
|011| ------------ | 1 | ffffffffffff | 1 |
|012| ------------ | 1 | ffffffffffff | 1 |
|013| ------------ | 1 | ffffffffffff | 1 |
|014| ------------ | 1 | ffffffffffff | 1 |
|015| ------------ | 1 | ffffffffffff | 1 |
|---|--------------|---|--------------|---|
Although the default value of FFFFFFFFFFFF is used in in 17 sectors of the cards data, seeing that all of these keys appear in the B block of keys except for sector 002 in A, I can be fairly certain that none of these sectors are actually utilized by the card or reader. The reason for this is very technical, but in a nutshell, different proprietary implementations of MiFare utilize the chips memory blocks in different ways and in the case of many hotel security card systems, key B is not utilized in card authentication with key A in sector 002 and/or 003 also left blank.
The assumption that this default key cannot be used to decypher the rest of the key values can be verified by attempting to run the Nested attack using this value. To do this, simply locate the easy button labeled hf mf nested 1 0 A FFFFFFFFFFFF d to execute. Note that some commercial MiFare lock systems utilizing this blank default key do exist in the wild – hence the fact that there is a button dedicated for it. In our case, running the command returns only an error message reading:
[!] Wrong key. Can’t authenticate to block: 0 key type: A
In order to decypher the necessary keys from this card using the Nested attack, we are going to need to identify at least one of the key values used in authenticating the card. Fortunately, there is a vulnerability in the key authentication process that we can try called the Darkside attack.
Using the Darkside Attack to Acquire a Key
The Darkside attack leverages the RFID tag’s response to an RFID reader’s request signal during key authentication. Along with every nonce sent from the reader to the tag is an accompanying 8 parity bits that must match up with the tag in order for it to send a response signal. If the parity bits of the reader’s nonce match, the tag will attempt to authenticate the value received. In some implementations of Mifare, the tag will send back a 4-bit non-acknowledgment code to the reader. This may not seem like much of a vulnerability, except that this NACK is sent by the tag as an encrypted value. Given that the error code is a known plaintext value, we are able use this encrypted NACK to recover 4 keystream bits and using that, eventually identify one of the valid keys stored on the card.
Executing this attack is as easy as pressing a button in the App. Locate the hf mf darkside button from the Easy Button menu and tap it. This process may take up to a couple of minutes as it attempts to identify the parity bits, capture the NACK, recover the 4-bit keystream, identify candidate reader nonces corresponding to this keystream, and finally authenticating a key value.
Running this attack against our target card results in the successful acquisition of a valid key, the value of which is printed out by the client. From here, you will want to tap and hold this value to copy it to your clipboard as you will need it in the next step, where we will be using this single known key value to decypher the rest of the key values.
Using the Nested Attack to Decypher All Keys
As previously identified when running hf search on our target RFID card, the PM3 has identified the pseudo-randon number generator (PRNG) of this tag as weak, making it vulnerable to an exploit in the Linear Feedback Shift Register (LFSR), which is generated using a constant initial state combined with the number of clock cycles counted during the request. With the PM3 acting as the reader, we have have exact control over protocol timing and thus can calculated the initial constant of this PRNG function. From there is is merely a matter using our single known key value and the known timing value to compute the LFSR, and applying those calculations across the range of possible reader nonces to authenticate each of the remaining keys.
Fortunately, you do not need to understand how this attack works in order to exploit it. As in every other step of this process, the RFID Tools App makes the Nested attack as simple as pressing a button! Go ahead and press that same easy button when we tried running the Nested attack using the default key value. It will automatically run the command and fail just as before, but from here we are going to tap the input field to bring up our keyboard. Now we will delete the last two variables in the command and paste in that key we copied from the Darkside attack. Use a single space and add a lowercase t to the command so that the device will transfer the results to emulator memory. Now tap the send button to execute the attack.
hf mf nested 1 0 A a7c3180bcf68 t
The Proxmark3 will now get to work testing the known keys and then sytematically working its way through the unknown keys, eventually printing out the complete set of keys for this RFID card. At this point in the process, you no longer require physical possesion or proximity of the target card/tag. From here there are several ways of using the card data, but the most obvious and straightforward is to use the PM3 as an emulator to spoof the RFID card you just decyphered.
Emulating the Card
From here, you are a single command away from utilizing your Proxmark3 to emulate your target card – and thanks to the RDV4’s discreet form factor, you can do this without anyone seeing the device. Simply input the command hf mf sim u followed by the 8 digit UID of the target card and tap send. Your PM3 will now interact with RFID card readers as if it were the target card!
In order to save the data you just collected, just tap the hf mf dump easy button. This will generate a few files. Note the location and name of the .eml file, as you will need this to emulate or clone the card later. You can load this file by entering the command hf mf eload followed by a space and the pathway of the desired card’s .eml file.
Once the card data is loaded in the appropriate file format, we can use the keyboard to input and execute the command hf mf sim. Note that client will print the UID of the card being emulated – use this validate that you have loaded the correct card to the emulator. This triggers the PM3’s emulation mode and it will act exactly like the target card within range of an RFID reader, unlocking any doors associated with that specific card.
You can also copy this card data to a blank or re-writable tag with a changeable UID, like the one that comes with Proxmark3 RDV4. Simply input the command hf mf restore 1 u followed by the UID of the target card, place the blank card on the PM3’s antenna, and then tap send. The PM3 will then write copy the card data to the blank. Just like you would expect, this card will now behave exactly as the target when interacting with RFID readers.
The Proxmark3 RDV4 makes quick work of decyphering and emulating Mifare classic cards, and with the Blue Shark bluetooth module and RFID Tools App, you can take your entire lab into the field with total discretion. Start to finish, this technique took us a mere 1 minute and 40 seconds, with only 65 seconds of close proximity/possession of the target card. No other version of the Proxmark3 is capable of delivering this level of functionality without a wired connection to the PM3 client – so take this into consideration before looking to other versions of this device.
Project Resources
PM3-RDV4 - Decrypting and Emulating Mifare 1K Using RFID Tools App
Tradecraft Materials:
- Proxmark3 RDV4
Blue Shark Module
Firmware fork supporting RFID Tools App (https://www.dropbox.com/s/416lsrqpr2lfeis/%5BCompiled%5DPM3-RRG-20190812.rar?dl=0)
- Android Device
RRG RFID Tools App (https://github.com/RfidResearchGroup/RFIDtools or Google Play App Market)
- Target Card
Mifare Classic 1k
Setting Up the PM3
1. Open RFID Tools App on your Android device
2. Power up your Proxmark3 RDV4 with Blue Shark Module and turn on Bluetooth
3. Connect the Proxmark3 to the RFID Tools App
4. Open Red Team Terminal
Decrypting the Target Card
1. Place Target Card in proximity of the PM3 antenna set
2. Identify the Target Card
hf search
4. Check for Default Keys
hf mf chk *1 ? 1
5. If no valid keys are found, execute Darkside attack
hf mf darkside
6. Copy the valid key to your clipboard, or otherwise note this value
7. Execute Nested attack using the key value recovered above, loading card data to emualator memory
mf nested 1 0 A [KeyValue] t
ex: mf nested 1 0 A a7c3180bcf68 t
8. Remove Targt Card from PM3
Emulating the Target Card
1. Simulate Target Card data currently stored to emulator memory using UID of card
hf mf sim u [UID] ex: hf mf sim u 2582C10E
2. Your PM3 will now respond to reader signals as if it was the Target Card
3. Hold PM3 antenna in proximity of RFID reader
4. To stop your PM3 from acting as the Target Card by tapping the Stop button in the App or by pressing the button on the PM3 itself
