From 26064db907df7b9bd8c54571c41e4e25f596f11a Mon Sep 17 00:00:00 2001 From: Harald Welte Date: Fri, 13 Aug 2010 17:47:42 +0800 Subject: update more information as it is discovered --- paper/easycard.tex | 100 ++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 80 insertions(+), 20 deletions(-) diff --git a/paper/easycard.tex b/paper/easycard.tex index ddc5be5..7d1eddf 100644 --- a/paper/easycard.tex +++ b/paper/easycard.tex @@ -20,7 +20,7 @@ \title{Security analysis of the EasyCard payment card in Taiwan} \author{Harald Welte $<$laforge@gnumonks.org$>$} -\date{August 31, 2010} +\date{UNRELEASED (September XX, 2010} \maketitle \begin{abstract} @@ -68,11 +68,14 @@ FIXME \section{Published security research on MIFARE Classic} -FIXME +FIXME: Summarize the existing research on mifare classic systems \section{Published tools for MIFARE Classic attacks} -FIXME +\subsection{Crapto1} +\subsection{libnfc} +\subsection{MFOC} +\subsection{MFCUK} \section{Analyzing the EasyCard} @@ -94,16 +97,16 @@ transponder. As some users of MIFARE Classic systems only use some sectors of a card, but not all, an attempt was made to authenticate to any of the blocks using the -manufacturer-programmed standard keys. However, none of the card sectors were +manufacturer-programmed standard keys. However, none of the card blocks were using those standard keys. This also means that we could not use the key recovery method described in -FIXME, where keys of all other sectors are recovered based on the knowledge of -they key of at least one different sector. +FIXME, where keys of all other blocks are recovered based on the knowledge of +they key of at least one different blocks. \subsection{Recovering the MIFARE CRYPTO1 keys} -Since none of the sector keys was known, the publicly available MFCUK (MiFare +Since none of the block keys was known, the publicly available MFCUK (MiFare Classic Universal toolKit) implementation of the "Dark Side" attack (Nicolas T. Courtois) was used as a card-only attack. @@ -111,7 +114,7 @@ All that was required was the MFCUK Free Software, as well as a RFID reader as supported by libnfc. Compatible readers are widely available, among them one for EUR 30 from http://www.touchatag.com/e-store. -Using the MFCUK key recovery tool, the A and B keys for all sectors have +Using the MFCUK key recovery tool, the A and B keys for all blocks have been recovered within FIXME. This attack can definitely be optimized by using special-purpose hardware such as the Proxmark, which gives hard-realtime control over the communication with the EasyCard. @@ -121,7 +124,7 @@ common to all cards. \subsection{Dumping the content of the EasyCard} -Once the sector keys have all been recovered, the full content of the EasyCard +Once the block keys have all been recovered, the full content of the EasyCard can be dumped using any RFID reader supporting MIFARE Classic. The author chose to use the same reader that was used for the MFCUK key recovery combined with the nfc-mfclassic program (part of libnfc). @@ -225,10 +228,12 @@ The result of this analysis can be found in the next section: \section{Re-engineered EasyCard Data Format} -\subsubsection{Sector 0 and 1: The header} -\subsubsection{Sector 2: The card balance as value block} +\subsubsection{Block 0 and 1: The header} +FIXME -The first two blocks of Sector 3 store the current remaining debit account +\subsubsection{Block 2: The card balance as value block} + +The first two sectors of Block 2 store the current remaining debit account balance as a MIFARE Classic VALUE BLOCK. The format of this block is documented in the official NXP vendor documentation on the MIFARE chip used inside the card. @@ -236,16 +241,16 @@ used inside the card. The value block is decremented every time payment is made with the card. Given the MIFARE access bits, it is assumed that the RFID readers in public -transportation as well as stores use key A for this sector, as key A is +transportation as well as stores use key A for this block, as key A is sufficient to read and decrement the VALUE block. Re-charging the card must happen using authentication with key B, as only -Key B has permissions to increment and/or write to this sector. +Key B has permissions to increment and/or write to this block. -\subsubsection{Sectors 3 through 5: The transaction log} +\subsubsection{Block 3 through 5: The transaction log} Every time a transaction is made with the card, an entry in the transaction log -on the card itself is generated. Every entry occupies one full 16-byte block. +on the card itself is generated. Every entry occupies one full 16-byte sector. The structure of a transaction log entry is as follows: \begin{itemize} @@ -289,11 +294,11 @@ The {\em RFID Reader ID} is presumed to be a unique identifer for the specific RFID Terminal. Subsequent transactions at the same terminal will render the same number in this field. -\subsubsection{The transaction log pointer} +FIXME: Transaction log pointer -\subsubsection{Sector 7: The last MRT entry/exit record} +\subsubsection{Block 7: The last MRT entry/exit record} -Block 2 (Offset 0x1e0) contains a record dscribing the last MRT station +Sector 2 (Offset 0x1e0) contains a record dscribing the last MRT station that was entered using this EasyCard. \begin{itemize} \item Bytes 0...3 are unknown @@ -303,7 +308,7 @@ that was entered using this EasyCard. \item Bytes 13..15 are unknown \end{itemize} -Block 1 (Offset 0xd0) of the same sector contains a record using the same +Sector 1 (Offset 0xd0) of the same sector contains a record using the same structure. However, this record describes the last MRT station that was left using this EasyCard. @@ -311,10 +316,42 @@ It is assumed that this information is used by the system to compute both the distance (and thus fee) to be paid by the current ride, as well as any applicable discount in case a connection is made from MRT into a bus. +\subsubsection{Block 15: Maximum daily spending} + +Sector 2 (Offset 0x3e0) contains a record used for keeping track of +the amount of money spent on a single day. This is needed in order +to impose a daily spending limit of (currently) NTD 3,000. + +The record is structured as follows: +\begin{itemize} +\item Bytes 0...10 are unknown (all zero in tested cards) +\item Byte 11 contains the day of the month +\item Byte 12 contains an unknown value (0x3d in tested cards) +\item Byte 13...14 contain the sum of all purchases on the indicated day +\end{itemize} + +If multiple retail store purchases are made on the same day of the month, the +sum is incremented with every purchase. If an EasyCard terminal in the store +detects that the current day-of-the-month is different from that stored on the +card, the sum is re-set and starts new for that day. + \section{Manipulating the EasyCard} +\subsection{Decreasing the Value of the card} +FIXME + +\subsection{Increaing the value of the card} +FIXME + +\subsection{Bypassing the maximum daily spending of NTD 3000} +FIXME + \section{Mistakes of the EasyCard Corporation} +Based on this research as well as publicly known information on the +EasyCard Corporation, we can identify a series of mistakes with cumulative +effect. + \subsection{Deploying old technology} The Taipei Smart Card corporation (predecessor to the EasyCard Company) was @@ -448,6 +485,29 @@ EasyCard corporation should be liable for the complete system upgrade/transition cost, as the fault of the system can only be blamed on them. +\section{Credits} + +The author of this paper expresses his gratitude to the many people +involved in trying to uncover the weaknesses of proprietary and ultimately +insecure RFID systems worldwide. + +Milosch and Brita Meriac + for their great work on OpenPCD and OpenPICC +Henryk Ploetz, Karsten Nohl, starbug + for their work on MIFARE, Crypto1 and tiresome research into all kinds of proprietary snake-oil +Jonathan Westhues + for designign and openly publishing the Proxmark +Nethemba + for the Open Source implementation of the nested key attack in MFOC +Roel Verdult + for his research on RFID security at Radbound University and libnfc +Nicolas T. Courtois + for his {\em darkside} paper +Andrei Costin + for his Open Sourc implementation of the darkside paper (MFCUK) + http://andreicostin.com/ + + \section{Bibliography} %1. [WPMCC09] - "Wirelessly Pickpocketing a Mifare Classic Card" %2. [ESO08] - "2008-esorics.pdf" -- cgit v1.2.3