Hacking RFID devices using NFC smartphones

The goal of the presentation is to describe potential vulnerabilities in various RFID devices (Mifare, RFID biometric passports, Mastercard PayPass, VISA PayWave) and how to exploit them using common NFC smartphones.

Pavol Luptak

on 25 May 2016


Transcript of Hacking RFID devices using NFC smartphones

Exploiting RFID vulnerabilities using your NFC phone
NFC - Near Field Communication
a set of standards for smartphones to establish radio communication
includes ISO 14443A, ISO 14443B, FeliCa, ISO 18000-3
it uses the 13.56 MHz frequency
Mifare Classic / DESFire
the most used RFID in the world (more than 1 billion worldwide, more than 1 million in Slovakia)
used by public transport companies in Bratislava, Prague, London, Krakow, Luxembourg and other cities
parking cards in Bratislava, Warsaw, Prague and other cities
entrance to many areas (buildings, swimming pools, skiing resorts)
Mifare Classic
first cracked in 2007 at the CCC conference in Berlin
in 2009 we at Nethemba s.r.o. published the world's first open-source implementation of the MFOC cracker
possibility to make clones of any card
charge your credit
read all sensitive information
permanently destroy all cards
monitor passengers' movements
emulate a card (using Proxmark 3 or an NFC reader)
Now reading, writing and emulation of RFID tags are possible using your NFC phone!
Install and run our MFOC cracker on any Mifare Classic card
Download and run Mifare Classic Scanner on your Android phone
Set up your own keys that you cracked using MFOC, read the whole content and start the emulation
it is easy to read your first name and surname from your Slovak University Card, Bratislava Public Transport Card, etc.
it is easy to emulate hotel access cards (I've just tested it in Malaysia) and swimming pool entry cards
Biometric RFID passports
all passports have a 72 kB RFID chip that contains a lot of sensitive information (personal info, JPEG photo, fingerprint biometric data)
The MRZ code is necessary to decrypt and read the passport data
Older passports (without EAC) could be cloned or emulated using NFC phones
It is necessary to know a private RSA key to read the biometric information (AA public key)
RFID passports can be read using your NFC phone easily.
MRZ code consists of:
Passport Number
Birth date
Expiration Date
Italian passport numbers are generated sequentially.
This is not private information at all; it can easily be obtained in many ways (social networks, public registries, ...)
Passport expiration is 10 years (there are only 3650 possibilities)
The Slovak police claim it is not possible to read biometric RFID passports.
"All information stored in your biometric passport can be read with a special device attached to the passport", said František Blanárik from NBÚ
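The slides' point about the passport "password" is that the Basic Access Control keys are a pure function of the three MRZ fields listed above. As an added example (not from the presentation), this is the ICAO 9303 Part 11 derivation: check digits, the 24-character MRZ information string, and the seed / 3DES keys it yields; the sample fields are the published ICAO worked-example values, not a real passport.

```python
import hashlib

# ICAO 9303 check digit: weights 7,3,1 repeat; '<' counts 0, digits face value,
# letters A..Z count 10..35.
def mrz_check_digit(field: str) -> int:
    total = 0
    for i, ch in enumerate(field):
        if ch == "<":
            v = 0
        elif ch.isdigit():
            v = int(ch)
        else:
            v = ord(ch.upper()) - ord("A") + 10
        total += v * (7, 3, 1)[i % 3]
    return total % 10

def mrz_information(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> str:
    """The 24-character 'MRZ information' string: the three fields the
    slides list, each followed by its check digit. Nothing else goes in."""
    doc = doc_number.ljust(9, "<")[:9]  # document number padded with '<' to 9 chars
    return "".join(f + str(mrz_check_digit(f)) for f in (doc, birth_yymmdd, expiry_yymmdd))

def adjust_des_parity(key: bytes) -> bytes:
    """Set each byte's low bit so every byte has odd parity (DES key form)."""
    return bytes((b & 0xFE) | (bin(b & 0xFE).count("1") % 2 == 0) for b in key)

def derive_bac_keys(mrz_info: str) -> tuple:
    """K_seed = SHA-1(MRZ information)[:16]; K_enc and K_mac come from the
    seed with 32-bit counters 1 and 2 (ICAO 9303 Part 11 key derivation)."""
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    k_enc = adjust_des_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x01").digest()[:16])
    k_mac = adjust_des_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x02").digest()[:16])
    return k_seed, k_enc, k_mac

if __name__ == "__main__":
    # ICAO 9303 worked-example values (constructed sample, not a real person).
    info = mrz_information("L898902C", "690806", "940623")
    k_seed, k_enc, k_mac = derive_bac_keys(info)
    print(info, k_seed.hex(), k_enc.hex(), k_mac.hex())
```

Because every input is either printed on the document or guessable (the expiry date alone has the 3650 values the slides mention), the key space is far smaller than 112-bit 3DES suggests.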
Mifare Classic can be fully compromised
Mifare DESFire EV1 can be read / written by phone, you just need the right keys
Any NFC payment cards can be read (and potentially misused)
Any NFC passport can be read if you know the passport number, expiration date and date of birth; it is also possible to make / emulate an "imperfect" clone of the RFID passport using an NFC phone
There are no secure RFID technologies.
Only those which are not cracked yet... :-)
NFC history
The first implementations were created by Nokia (Nokia 6131, 6212)
A few implementations: public transport in Plzeňský kraj, ePassport emulator (eClown)
Thanks for your attention!
Mifare DESFire MF3ICD40 smartcards were practically cracked a few years ago!
By exploiting the electromagnetic information leakage of the cards, their cryptographic keys can be revealed:
widespread German payment system was/is affected
Prague's OpenCard was/is affected

Open-source tools for analyzing contactless smartcards:
an ISO 14443 RFID reader (http://sourceforge.net/projects/reader14443)
open-source card emulator Chameleon (http://sourceforge.net/projects/chameleon14443).
Hacking RFID devices using NFC smartphones
Or use NFC Android Mifare cracking applications
Mifare Doctor [NFC]
Android Mifare Security Tool
In this presentation
I will show you how to
read / write any Mifare Classic / DESFire EV1 cards (the most used cards in the world)
crack / gain keys to Mifare Classic cards
read your RFID biometric passport
read your NFC payment cards (Mastercard PayPass, VISA PayWave)
and everything using your smartphone!
Mifare DESFire EV1 Tool
If you know the right keys, install Mifare DESFire EV1 Tool and read all current "secure" cards (Bratislavská mestská karta, Pražský OpenCard, ...)
3DES and AES encryption are supported
these days Mifare DESFire EV1 is still secure (waiting for the crack :-)
What about NFC payment cards (Mastercard PayPass, VISA PayWave)?
first published at Hackito Ergo Sum in Paris: "Hacking NFC credit cards for fun and profit"
a few months ago we decided to check NFC cards in Slovakia / Czech Republic
we are able to read a lot of sensitive information (e.g. payment history) without any authentication
Used tools
Banking Card reader NFC (EMV) app for Android
touchatag NFC reader with the NFC Millionaire application
Maximum reading distance
our experiments were done from a distance of 4 cm
the NFC standard allows this range to be extended up to 20 cm
According to the original paper, using an external antenna and a special amplifier it is possible to reach a distance of 1.5 meters
We have analyzed almost 60 Slovak NFC payment cards and 30 Czech ones
For all tested cards it was possible to read the card number, expiration date and PIN tries
For almost half of them it was possible to read the "transaction history"
For some of them the "owner name"
And the results!
Potential risks I.
in the case of stored transaction history it was possible to read:
type of transaction
date of transaction
amount and currency
This information can be used to create a "geographical profile" of the victim (which countries he visited and when)
Potential risks II
payment patterns can be used to create a "buying profile" of the victim and help to estimate his solvency
Serious risk: the CVC/CVV code cannot be read from the cards, but this may not be a problem because many online portals still do not require the CVC/CVV code
And all of this can be exploited by any POS terminal / ATM owner or an anonymous attacker in physical proximity
Use RFID shields.
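As an added example (not from the presentation), this is how an issuer or auditor can check what a contactless EMV card hands out in the clear: a small BER-TLV parser run over a constructed READ RECORD response, reporting which of the data elements the slides list (card number, expiry, holder name, PIN try counter) are present before any authentication. The record bytes are made up; the PAN is the standard test number 4111111111111111.

```python
# EMV tags whose presence in an unauthenticated record is worth reporting.
SENSITIVE_TAGS = {
    "5A": "PAN (card number)",
    "5F24": "expiration date (YYMMDD)",
    "5F20": "cardholder name",
    "9F17": "PIN try counter",
    "9F4D": "log entry (transaction history pointer)",
}

def parse_tlv(data: bytes) -> list:
    """Flatten BER-TLV data into (tag_hex, value) pairs, descending into
    constructed templates such as the 70 record template."""
    items, i = [], 0
    while i < len(data):
        start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:          # multi-byte tag: continue while bit 8 set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                 # long form: 0x81 nn / 0x82 nn nn
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if first & 0x20:                  # constructed: recurse into the template
            items.extend(parse_tlv(value))
        else:
            items.append((tag, value))
    return items

def exposure_report(response: bytes) -> dict:
    """Map each sensitive element found in the response to a readable value."""
    report = {}
    for tag, value in parse_tlv(response):
        if tag not in SENSITIVE_TAGS:
            continue
        if tag in ("5A", "5F24"):         # BCD digits; PAN may be padded with F
            text = value.hex().rstrip("f")
        elif tag == "5F20":
            text = value.decode("ascii").strip()
        else:
            text = value.hex().upper()
        report[SENSITIVE_TAGS[tag]] = text
    return report

# Constructed sample: a 70 template holding PAN, expiry, name and PIN try counter.
SAMPLE_RECORD = bytes.fromhex(
    "70 27 5A 08 4111111111111111 5F24 03 171231 5F20 0F "
    + "TEST CARDHOLDER".encode("ascii").hex() + " 9F17 01 03"
)
```

Running exposure_report over records read from a real card (or a card vendor's test personalisation) lists exactly the fields a reader in physical proximity would see.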
Android ePassport utility for NFC-enabled phones that allows you to read and clone your ePassport's chip content:
- Read passport data using a given authentication key (if needed).
- View passport details including the JPEG picture.
- Write passport data to an emulator chip.
- Write passport data to internal storage (not very secure).