update more information as it is discovered
This commit is contained in:
parent
554d6e45cf
commit
26064db907
|
@ -20,7 +20,7 @@
|
|||
|
||||
\title{Security analysis of the EasyCard payment card in Taiwan}
|
||||
\author{Harald Welte $<$laforge@gnumonks.org$>$}
|
||||
\date{August 31, 2010}
|
||||
\date{UNRELEASED (September XX, 2010}
|
||||
\maketitle
|
||||
|
||||
\begin{abstract}
|
||||
|
@ -68,11 +68,14 @@ FIXME
|
|||
|
||||
\section{Published security research on MIFARE Classic}
|
||||
|
||||
FIXME
|
||||
FIXME: Summarize the existing research on mifare classic systems
|
||||
|
||||
\section{Published tools for MIFARE Classic attacks}
|
||||
|
||||
FIXME
|
||||
\subsection{Crapto1}
|
||||
\subsection{libnfc}
|
||||
\subsection{MFOC}
|
||||
\subsection{MFCUK}
|
||||
|
||||
\section{Analyzing the EasyCard}
|
||||
|
||||
|
@ -94,16 +97,16 @@ transponder.
|
|||
|
||||
As some users of MIFARE Classic systems only use some sectors of a card, but
|
||||
not all, an attempt was made to authenticate to any of the blocks using the
|
||||
manufacturer-programmed standard keys. However, none of the card sectors were
|
||||
manufacturer-programmed standard keys. However, none of the card blocks were
|
||||
using those standard keys.
|
||||
|
||||
This also means that we could not use the key recovery method described in
|
||||
FIXME, where keys of all other sectors are recovered based on the knowledge of
|
||||
they key of at least one different sector.
|
||||
FIXME, where keys of all other blocks are recovered based on the knowledge of
|
||||
they key of at least one different blocks.
|
||||
|
||||
\subsection{Recovering the MIFARE CRYPTO1 keys}
|
||||
|
||||
Since none of the sector keys was known, the publicly available MFCUK (MiFare
|
||||
Since none of the block keys was known, the publicly available MFCUK (MiFare
|
||||
Classic Universal toolKit) implementation of the "Dark Side" attack (Nicolas T.
|
||||
Courtois) was used as a card-only attack.
|
||||
|
||||
|
@ -111,7 +114,7 @@ All that was required was the MFCUK Free Software, as well as a RFID
|
|||
reader as supported by libnfc. Compatible readers are widely available,
|
||||
among them one for EUR 30 from http://www.touchatag.com/e-store.
|
||||
|
||||
Using the MFCUK key recovery tool, the A and B keys for all sectors have
|
||||
Using the MFCUK key recovery tool, the A and B keys for all blocks have
|
||||
been recovered within FIXME. This attack can definitely be optimized
|
||||
by using special-purpose hardware such as the Proxmark, which gives
|
||||
hard-realtime control over the communication with the EasyCard.
|
||||
|
@ -121,7 +124,7 @@ common to all cards.
|
|||
|
||||
\subsection{Dumping the content of the EasyCard}
|
||||
|
||||
Once the sector keys have all been recovered, the full content of the EasyCard
|
||||
Once the block keys have all been recovered, the full content of the EasyCard
|
||||
can be dumped using any RFID reader supporting MIFARE Classic. The author
|
||||
chose to use the same reader that was used for the MFCUK key recovery combined
|
||||
with the nfc-mfclassic program (part of libnfc).
|
||||
|
@ -225,10 +228,12 @@ The result of this analysis can be found in the next section:
|
|||
|
||||
\section{Re-engineered EasyCard Data Format}
|
||||
|
||||
\subsubsection{Sector 0 and 1: The header}
|
||||
\subsubsection{Sector 2: The card balance as value block}
|
||||
\subsubsection{Block 0 and 1: The header}
|
||||
FIXME
|
||||
|
||||
The first two blocks of Sector 3 store the current remaining debit account
|
||||
\subsubsection{Block 2: The card balance as value block}
|
||||
|
||||
The first two sectors of Block 2 store the current remaining debit account
|
||||
balance as a MIFARE Classic VALUE BLOCK. The format of this block is
|
||||
documented in the official NXP vendor documentation on the MIFARE chip
|
||||
used inside the card.
|
||||
|
@ -236,16 +241,16 @@ used inside the card.
|
|||
The value block is decremented every time payment is made with the card.
|
||||
|
||||
Given the MIFARE access bits, it is assumed that the RFID readers in public
|
||||
transportation as well as stores use key A for this sector, as key A is
|
||||
transportation as well as stores use key A for this block, as key A is
|
||||
sufficient to read and decrement the VALUE block.
|
||||
|
||||
Re-charging the card must happen using authentication with key B, as only
|
||||
Key B has permissions to increment and/or write to this sector.
|
||||
Key B has permissions to increment and/or write to this block.
|
||||
|
||||
\subsubsection{Sectors 3 through 5: The transaction log}
|
||||
\subsubsection{Block 3 through 5: The transaction log}
|
||||
|
||||
Every time a transaction is made with the card, an entry in the transaction log
|
||||
on the card itself is generated. Every entry occupies one full 16-byte block.
|
||||
on the card itself is generated. Every entry occupies one full 16-byte sector.
|
||||
|
||||
The structure of a transaction log entry is as follows:
|
||||
\begin{itemize}
|
||||
|
@ -289,11 +294,11 @@ The {\em RFID Reader ID} is presumed to be a unique identifer for the specific
|
|||
RFID Terminal. Subsequent transactions at the same terminal will render
|
||||
the same number in this field.
|
||||
|
||||
\subsubsection{The transaction log pointer}
|
||||
FIXME: Transaction log pointer
|
||||
|
||||
\subsubsection{Sector 7: The last MRT entry/exit record}
|
||||
\subsubsection{Block 7: The last MRT entry/exit record}
|
||||
|
||||
Block 2 (Offset 0x1e0) contains a record dscribing the last MRT station
|
||||
Sector 2 (Offset 0x1e0) contains a record dscribing the last MRT station
|
||||
that was entered using this EasyCard.
|
||||
\begin{itemize}
|
||||
\item Bytes 0...3 are unknown
|
||||
|
@ -303,7 +308,7 @@ that was entered using this EasyCard.
|
|||
\item Bytes 13..15 are unknown
|
||||
\end{itemize}
|
||||
|
||||
Block 1 (Offset 0xd0) of the same sector contains a record using the same
|
||||
Sector 1 (Offset 0xd0) of the same sector contains a record using the same
|
||||
structure. However, this record describes the last MRT station that was
|
||||
left using this EasyCard.
|
||||
|
||||
|
@ -311,10 +316,42 @@ It is assumed that this information is used by the system to compute both the
|
|||
distance (and thus fee) to be paid by the current ride, as well as any
|
||||
applicable discount in case a connection is made from MRT into a bus.
|
||||
|
||||
\subsubsection{Block 15: Maximum daily spending}
|
||||
|
||||
Sector 2 (Offset 0x3e0) contains a record used for keeping track of
|
||||
the amount of money spent on a single day. This is needed in order
|
||||
to impose a daily spending limit of (currently) NTD 3,000.
|
||||
|
||||
The record is structured as follows:
|
||||
\begin{itemize}
|
||||
\item Bytes 0...10 are unknown (all zero in tested cards)
|
||||
\item Byte 11 contains the day of the month
|
||||
\item Byte 12 contains an unknown value (0x3d in tested cards)
|
||||
\item Byte 13...14 contain the sum of all purchases on the indicated day
|
||||
\end{itemize}
|
||||
|
||||
If multiple retail store purchases are made on the same day of the month, the
|
||||
sum is incremented with every purchase. If an EasyCard terminal in the store
|
||||
detects that the current day-of-the-month is different from that stored on the
|
||||
card, the sum is re-set and starts new for that day.
|
||||
|
||||
\section{Manipulating the EasyCard}
|
||||
|
||||
\subsection{Decreasing the Value of the card}
|
||||
FIXME
|
||||
|
||||
\subsection{Increaing the value of the card}
|
||||
FIXME
|
||||
|
||||
\subsection{Bypassing the maximum daily spending of NTD 3000}
|
||||
FIXME
|
||||
|
||||
\section{Mistakes of the EasyCard Corporation}
|
||||
|
||||
Based on this research as well as publicly known information on the
|
||||
EasyCard Corporation, we can identify a series of mistakes with cumulative
|
||||
effect.
|
||||
|
||||
\subsection{Deploying old technology}
|
||||
|
||||
The Taipei Smart Card corporation (predecessor to the EasyCard Company) was
|
||||
|
@ -448,6 +485,29 @@ EasyCard corporation should be liable for the complete system
|
|||
upgrade/transition cost, as the fault of the system can only be blamed
|
||||
on them.
|
||||
|
||||
\section{Credits}
|
||||
|
||||
The author of this paper expresses his gratitude to the many people
|
||||
involved in trying to uncover the weaknesses of proprietary and ultimately
|
||||
insecure RFID systems worldwide.
|
||||
|
||||
Milosch and Brita Meriac
|
||||
for their great work on OpenPCD and OpenPICC
|
||||
Henryk Ploetz, Karsten Nohl, starbug
|
||||
for their work on MIFARE, Crypto1 and tiresome research into all kinds of proprietary snake-oil
|
||||
Jonathan Westhues
|
||||
for designign and openly publishing the Proxmark
|
||||
Nethemba
|
||||
for the Open Source implementation of the nested key attack in MFOC
|
||||
Roel Verdult
|
||||
for his research on RFID security at Radbound University and libnfc
|
||||
Nicolas T. Courtois
|
||||
for his {\em darkside} paper
|
||||
Andrei Costin
|
||||
for his Open Sourc implementation of the darkside paper (MFCUK)
|
||||
http://andreicostin.com/
|
||||
|
||||
|
||||
\section{Bibliography}
|
||||
%1. [WPMCC09] - "Wirelessly Pickpocketing a Mifare Classic Card"
|
||||
%2. [ESO08] - "2008-esorics.pdf"
|
||||
|
|
Loading…
Reference in New Issue