How I Finally managed to clone a NFC TAG
— — — Disclaimer — — —
This in intended to raise awareness on how insecure some technologies are. I’m not responsible for what people do, and sometimes neither what I do.
So just don’t be a jerk.
— — — — — — — — — — — — — —
In 2012 I started playing with RFID, I really found it fascinating and still do, mostly because it’s RF and it doesn’t need batteries (passive RFID), it can be used in access control, in my opinion just like biometry, but cheaper and much more flexible.
Some months later I built a very simple access control using NFC (RFID HF 13.56MHz), later I changed to RFID LF 125KHz because of range issues, but I will do another post for this story. So I used RFID to allow people to access my house, this is pretty serious, and I began looking for ways of bypassing my security.
I started looking for tag emulators, clonable tags, but in 2012 I couldn’t find much information and ways of bypassing, I hid the sensor, and back then people didn’t even understand the technology.
So last year I got more interested in hacking and with some more background in low level coding, I restarted my motivation.
I started looking for ways to authenticate using RFID, and that’s what I found:
- Authentication via content — Basically you store something in the memory blocks that is going to say that the tag is you, for example, inside the tag you can save your company registration number, and you can protect it with a 12 HEX digits key (or password if you will)
But you could brute-force the key, and I recommend this app for that:
and if you succeed brute-forcing it (the tag can get hot and you might damage it), you can dump the content and write to a new one, any tag can be used because you will write in the memory (I will explain this later), the part that most concerns me is that the company is using the registration number, that probably never changes.
- Authentication using UID (Unique IDentifier) — To explain this I will need to explain some RFID Mifare basics. The TAG memory is divided in Sector, from 0x00 to 0xFF, and the sectors have Blocks, the Block 0 of the Sector 0, is by Standard UID & Manufacturer information and READ ONLY, so in theory you cannot clone a NFC TAG. This method of authentication is much better than the other one, because if you loose a TAG, you can ask for a new one and just update the new UID to the system, the system reads the UID and checks the database for you company registration number, works like an alias.
So here I go trying to bypass it again, the first ideia that came to me was: “Let’s emulate a NFC tag”. So I tried emulating with my PN532 with no success, tried to emulate with my android phone using:
with no success, I was giving up, and I started wondering, maybe I could write some data to that READ ONLY block, the app (MCT) warned me that I was trying to write on a RO block and this can damage the tag, but I insisted, aaaand my tag got damaged. I couldn’t read some blocks of the damaged tag anymore and the readings now are very inconsistent.
So I was almost giving up, I found some FULL WRITABLE TAGs, I got so anxious, bought 10 TAGs, thinking about cloning all the TAGs. The tags arrived couple days later, then I got my phone, did a dump with MCT, and got to the advanced commands, marked to write on the Sector 0 Block 0, and I COULDN’T write, but it was showing success, and I was like, what the hell, then I started looking for answers…
found this issue: https://github.com/ikarus23/MifareClassicTool/issues/24
The app developer was saying that this type of tag doesn’t work with MCT, I was devastated.
After getting my sh*t together, I noticed the clue from the developer:
He said something about Proxmark3, I was thinking, I’ve heard that name before, so I started reading about it, and found that this thing costs $200, I was like WTF, I don’t live in US, so multiply this by 4 and add taxes.
So almost giving up again, then Black Friday came and I found a chinese version for $50, that was just too good to be true, but I purchased.
And It arrived TODAY, the tool is kind of complex, but it does a LOT, and I finally could clone a TAG using Chinese Magic and ProxMark3.
Thanks for reading.
