0x00 Preface
Today, RFID-based IoT systems are fully woven into our lives, from building access to Apple Pay; they are everywhere. Many people have shared their own experience of security-testing RFID systems, but mostly of access cards based on Mifare Classic. In fact, the Mifare family has many other members, such as Mifare DESFire and the protagonist of this article, Mifare Ultralight.
Vancouver's transit operator TransLink began phasing out its old printed-ticket system in 2015 and rolling out an RFID-based ticketing system across the network, which it named Compass. To serve different kinds of passengers, the system uses Mifare DESFire for monthly pass cards and Mifare Ultralight for single-use tickets. Mifare Ultralight's low cost makes it a perfect disposable ticket, but that cost saving comes with security that is effectively zero, and this built-in weakness leaves the door wide open to attackers. Using the light-rail RFID ticketing system as its example, this article takes everyone on a tour of RFID system security.
0x01 Mifare-ultralight Introduction
Mifare Ultralight is one of the many Mifare variants produced by NXP. Like the rest of the family it operates at 13.56 MHz, but unlike its big brother Mifare Classic it uses no encryption at all, and its data contents can be accessed freely. Its low cost makes it the first choice wherever single-use tickets are needed, for example at the 2006 World Cup. Its data structure is simple and straightforward: the memory is divided into 16 pages of 4 bytes each. Pages 4-15 are usually used for data storage, holding fields such as the time, the entrance and the platform name. It is worth noting that this area can be read and written arbitrarily without any authentication. ;)
UID Area
By default the UID area is not writable. It occupies 9 bytes, but only 7 of them are used as the UID; the remaining two are check bytes. For example, in "E2 A8 C6 BA E2 9B", only E2 A8 BA E2 43 80 is identified as the UID, while C6 and 9B exist as check bytes.
OTP Area
As mentioned earlier, Ultralight's security is almost zero, because the only protection it has is this one-time-programmable area. The whole region is 4 bytes, with a default value of 00 00 00 00, and it is usually used as a ticket counter: each use ORs a bit to 1, which can never be reversed, until every bit is set and the ticket is used up. However, the OTP can also be bypassed by activating the lock bytes. That was not tested here, because the Compass system does not use the OTP at all.
0x02 Field Test: Single-Fare Reset Attack
To be clear about the whole test process up front: a prepaid ticket was bought in advance, the reset attack was only tested at the station entrance, and no actual fare evasion took place, so there is no need to worry about anyone being invited in for a chat with the police. And we are against misusing such techniques to do bad things... :p
* Video being uploaded *
In fact, the whole attack is very simple. Because the data area can be read and written without authentication, we can dump the original contents of a Compass ticket in advance; after the ticket has expired, a mobile app writes the original data back onto the ticket, and the reset is achieved: the system is bypassed. :) Surprisingly simple, right? So from TransLink's point of view, what defensive options are there? NXP has long offered the 3DES-protected Mifare Ultralight C. Why TransLink did not consider it when the system was first designed is anyone's guess.
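To make the memory layout from section 0x01 and the reset attack above concrete, here is an added example that is not code from the original article, from TransLink or from NXP. It parses a 64-byte Ultralight dump into the regions described above (7-byte UID plus two check bytes, lock bytes, OTP page, user pages), recomputes the check bytes, models the OTP page's OR-only write rule, and then replays the reset scenario against a gate that keeps a back-end ledger keyed by the read-only UID, which is the defence the tag itself cannot provide. The page layout and the BCC formula come from the MF0ICU1 datasheet listed in the references; the dump bytes, the trip counter in page 4 and the `TicketLedger` class are constructed for this example.

```python
# Added example, not code from the original article or from TransLink/NXP.
# Layout facts follow the NXP MF0ICU1 datasheet; every tag byte below is
# constructed sample data, and the ledger-backed gate is a hypothetical design.

PAGE_SIZE = 4
NUM_PAGES = 16            # 16 pages x 4 bytes = 64 bytes of EEPROM
CASCADE_TAG = 0x88        # fixed byte folded into BCC0 for a 7-byte UID

# Constructed dump: UID 04 D3 2A 1B 5F 3C 80 with BCC0/BCC1 computed for it,
# lock bytes clear, OTP page blank, user page 4 byte 0 used as a trip counter.
SAMPLE_DUMP = bytes.fromhex(
    "04D32A75" "1B5F3C80" "F8480000" "00000000"   # pages 0-3: UID, BCC, lock, OTP
    + "00000000" + "A5A5A5A5" * 11                 # pages 4-15: user data
)


def parse_dump(dump: bytes) -> dict:
    """Split a 64-byte dump into the regions the article describes."""
    if len(dump) != PAGE_SIZE * NUM_PAGES:
        raise ValueError(f"expected {PAGE_SIZE * NUM_PAGES} bytes, got {len(dump)}")
    pages = [dump[i:i + PAGE_SIZE] for i in range(0, len(dump), PAGE_SIZE)]
    return {
        "uid": pages[0][:3] + pages[1],   # 7-byte UID spans pages 0 and 1
        "bcc0": pages[0][3],              # check byte covering UID0..UID2
        "bcc1": pages[2][0],              # check byte covering UID3..UID6
        "lock": pages[2][2:4],            # lock bytes, page 2 bytes 2-3
        "otp": pages[3],                  # one-time-programmable page
        "data": pages[4:],                # 12 user pages, no authentication
    }


def bcc_ok(fields: dict) -> bool:
    """Recompute both check bytes; a mismatch means a corrupt or forged dump."""
    u = fields["uid"]
    return (fields["bcc0"] == CASCADE_TAG ^ u[0] ^ u[1] ^ u[2]
            and fields["bcc1"] == u[3] ^ u[4] ^ u[5] ^ u[6])


def otp_write(current: bytes, value: bytes) -> bytes:
    """OTP semantics: the tag ORs the new value in, so bits only ever go 0 -> 1."""
    return bytes(c | v for c, v in zip(current, value))


def otp_uses(otp: bytes) -> int:
    """Number of ticket uses burned into the OTP page (count of set bits)."""
    return sum(bin(b).count("1") for b in otp)


class TicketLedger:
    """Hypothetical back-end state keyed by the read-only UID."""

    def __init__(self):
        self.expected = {}   # uid hex -> user data the system last wrote

    def issue(self, tag: dict):
        """Seed the ledger when the ticket is sold."""
        self.expected[tag["uid"].hex()] = b"".join(tag["data"])

    def tap(self, tag: dict) -> str:
        uid = tag["uid"].hex()
        data = b"".join(tag["data"])
        if uid not in self.expected:
            return "reject: unknown ticket"
        if data != self.expected[uid]:
            return "reject: user pages differ from last state written by the gate"
        # Accept, then stamp the ticket: bump the trip counter in page 4 byte 0.
        stamped = bytes([data[0] + 1]) + data[1:]
        tag["data"] = [stamped[i:i + PAGE_SIZE] for i in range(0, len(stamped), PAGE_SIZE)]
        self.expected[uid] = stamped
        return "accept"


def simulate_reset(dump: bytes) -> list:
    """Replay the article's scenario: ride, restore the saved dump, ride again."""
    original = parse_dump(dump)
    tag = parse_dump(dump)                 # the physical ticket as the gate rewrites it
    gate = TicketLedger()
    gate.issue(original)
    verdicts = [gate.tap(tag)]             # first tap: accepted and stamped
    tag["data"] = list(original["data"])   # user pages restored to the pre-trip dump
    verdicts.append(gate.tap(tag))         # second tap: contents no longer match
    return verdicts


if __name__ == "__main__":
    f = parse_dump(SAMPLE_DUMP)
    print("UID", f["uid"].hex(), "BCC ok:", bcc_ok(f))
    burned = otp_write(f["otp"], b"\x00\x00\x00\x01")
    print("OTP stays set after writing zeros:", otp_write(burned, b"\x00" * 4).hex())
    print(simulate_reset(SAMPLE_DUMP))
```

A gate that trusts only what is on the tag accepts both taps, which is exactly the Compass behaviour described above; the ledger rejects the second tap because the user pages no longer match what the system last wrote. The check is necessary but not sufficient on its own, since it assumes the UID really is immutable and that every gate shares the same ledger; the `otp_write` model shows why the OTP page is a better counter than a user page, and also why it does nothing for a system that never writes it.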
0x03 Summary
Finally, thanks to the friends who helped throughout the course of this research. At the same time, I think how well a system gets hardened sometimes depends on the operator's own attitude to the problem: not actively fixing it, but trying to hide it, and hoping that the fewer people who know, the better. That is a very unwise way to deal with it.
TransLink, Vancouver's transit company, deserves strong contempt here. After the vulnerability was disclosed, it knew the system had a hidden problem and still chose to ignore it, and when interviewed by reporters it put on a "so what are you going to do about it" face. Well, maybe luck is on your side... Fxxk... Now everyone knows how to hack it.
0x04 References
- http://www.nxp.com/documents/data_sheet/MF0ICU1.pdf
- HTTPS://WWW.YOUTUBE.COM/WATCH?V=CZVN4L1R6F4 (Building safe NFC systems, 30C3)
- http://www.cbc.ca/news/canada/british-columbia/compass-ticket-hack-1.3535955
- http://bc.ctvnews.ca/security-flaw-lets-smartphone-users-hack-transit-gates-1.2852464
- https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2012/september/ultrareset-bypassing-nfc-access-control-with-your-smartphone/
Playing with Radio: Vancouver SkyTrain RFID Ticketing System