miLazyCracker
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Title of Series | ||
| Part Number | 3 | |
| Number of Parts | 20 | |
| Author | ||
| License | CC Attribution 4.0 International: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/32395 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language | ||
| Production Place | Brüssel |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
3
4
7
8
17
18
00:00
Level (video gaming)Computer animationJSONXMLUML
00:22
Honeywell-HoldingFreewareRight angleBitPlastikkarteOpen sourceSoftware engineeringComputer animation
00:49
Memory cardData storage deviceTransportation theory (mathematics)CodecFactory (trading post)WritingReading (process)Physical systemBlock (periodic table)CryptographyServer (computing)Installation artCore dumpBitWeb 2.0SoftwareConfiguration spaceMoving averageAsynchronous Transfer ModeLibrary (computing)Multiplication signNumberForceKey (cryptography)BuildingType theoryComputer hardwareDistanceDifferent (Kate Ryan album)Classical physicsDefault (computer science)PlastikkarteBasis <Mathematik>Semiconductor memoryOrder (biology)PseudozufallszahlenInformationSummierbarkeitGame controllerException handlingDegree (graph theory)Closed setFocus (optics)Computer configurationStudent's t-testComputer animation
05:53
1 (number)Key (cryptography)BitMultiplication signDemo (music)Sound effectTerm (mathematics)AuthenticationWave packetInformation privacyExtension (kinesiology)NP-hardMathematicsFlow separationOpen sourceCASE <Informatik>CloningRadio-frequency identificationMemory cardTrailPseudozufallszahlenInformation securityBlock (periodic table)Scripting languageWrapper (data mining)Medical imagingSource codeParameter (computer programming)PlastikkarteRevision controlType theoryConstraint (mathematics)Figurate numberSpacetimeClassical physicsPoint (geometry)InformationForcing (mathematics)
10:57
Memory cardKey (cryptography)Focus (optics)Parameter (computer programming)Table (information)Multiplication signFrequencyReal numberDemo (music)Scripting languageComputer animation
12:18
Key (cryptography)Run time (program lifecycle phase)Scripting languageFrequencyMemory cardFunction (mathematics)Forcing (mathematics)SpacetimeLecture/Conference
13:37
BitMemory cardEncryptionRevision controlFile formatMultiplication signKey (cryptography)CASE <Informatik>Computer-assisted translationLaptop
14:22
Memory cardScripting languageCASE <Informatik>CloningDemo (music)Computer animation
15:29
Phase transitionMemory cardOrder (biology)Wave packetCASE <Informatik>Key (cryptography)Multiplication signMathematical analysisProcess (computing)Forcing (mathematics)PhysicalismView (database)Lecture/Conference
16:53
Computer animation
Transcript: English(auto-generated)
00:12
So my name is Kevin Larson, this is a talk on my for classic cracking and it's not going
00:27
to get in just to what maybe many of you already know, have you heard of MFOC, MFC UK? A few people, alright. That's been around for quite a while so the my for classic cards have been able, you can clone or crack them with free open source tools, it's been around for
00:44
quite a while. But a little bit about me, I'm a software engineer at Honeywell, the disclaimer, this is all my work for my masters degree, nothing to do with my employer. Also a note, I'm not disclosing anything that's brand new, that's not out freely
01:02
available on the web so NXP hopefully can't come run after me when I leave. The my for classic card is just, in essence it's really just a simple storage device. There's read write access per block and this is used for things like e-wallet access
01:20
control, transportation systems, getting in and out of your hotel and if you notice maybe at your hotel, if you wanted a late checkout they might say you have to bring your hotel card down to the front desk, we'll rescan it and you can check out an hour later. What you can really tell by that is there's some things that are, they're not networked, they're not doing server side checks, there's local checks being done based on the data
01:44
on the card. The my for classic actually used a custom crypto library called crypto one and the core of that has been broken for quite some time. A little background on my for the memory layout, this is a 1k card so there's 16 sectors
02:03
with four blocks each and there's a key A and a key B depending on if you want to read or write data for each block. So for a typical card there's going to be some default information that the manufacturer wants you to be able to read in order to get into the door or just know what the card is. Then there may be some encrypted data like the check in, checkout time at a hotel or
02:22
things like that. These really are card only attacks. So what that means is I don't need to be, there's separate different attacks if you can actually stand next to a reader with a card and watch someone actually trying to authenticate. This is only if you have the card by itself or if you're next to maybe someone on a
02:44
subway if you're in extremely close proximity. So what we're really using here, the basis is NFC tools for my for classic, MFLC and MFC-UK. MFLC relies on the fact that you know one key on the entire card and based on that
03:00
you can do some attacks to get all the keys on the rest of the card. In practice there's almost always one default key of all F's just so you can read the card type and the size and things like that. There's also another tool called MFC-UK if you don't know any keys on the card. It takes a lot longer. It's not quite as practical and it's very rare you'll actually need that.
03:23
So NXP responded to these tools after a while with a My Fair Plus card which has an AES option. What that means is that they really wanted to be able to allow people to update their readers in a building or a transportation system while still using the old cards and
03:41
updating some readers and leaving some at the same time because it's too expensive for the infrastructure cost to actually update everything all at once. What this means though is that you may be using AES for some readers but you're still using the old system with the crypto one custom library for old readers.
04:01
The other thing they did do is they fixed the pseudo random number generator so it's not vulnerable to MFLC or MFC-UK. So I don't know if any of you are using that and you have a new card you're trying to use and it's not working you can sit and try all night it's not going to work. So what they've done is they fixed this so it's a little bit more secure.
04:23
So there's been some research done by Carlo and Roll. They found new card only attacks for the My Fair Plus in SL1 mode. SL1 means that you have the old crypto one library being used for the old readers along with potentially another block on the card using AES.
04:43
This is important because most installations did not completely reinstall all of their readers. So my goals really were to reproduce the attack and see if I could make it faster, see if I could make it real time. Could I really bump into someone like you see in the movies?
05:02
Could you bump into someone on a subway, actually copy their card, follow them into work, things like that. So some of the hardware and tools I used was the SCL3711. It's just like a $30 USB reader. Proxmark, which gets a little bit more expensive but has a very active community. So that was really a useful tool to learn the core of what I needed to do.
05:25
My Fair Plus cards and the reader with config software to actually take factory fresh cards, configure them like a hotel mite or a transportation system. And then I bought this crappy eBay lock for $80 off eBay.
05:40
And if you want to get checked by TSA, put one of those in your check bag. One other thing to note is that the mistake I made in buying this is actually not all My Fair Classic readers accept My Fair Plus as was intended. The My Fair Plus card takes a little bit longer for the authentication.
06:00
So this lock actually doesn't even work with My Fair Plus cards. So the new attack is dubbed the Hard Nested Attack because it's an extension of the existing nested attack on My Fair Plus cards, which have a hardened PRNG. It still requires one known key.
06:21
And what you do is you do many attempts at a nested authentication. You collect the unique encrypted nonces between the known sector you have the key for and the unknown sector you're trying to get the key for. With enough of those tries, there's some leaked bits. And what you're basically trying to do is reduce the key space from like 2 to the 48,
06:43
which is a My Fair Classic key size, down to about 2 to the 20, maybe a little bit bigger. But then from there you can do a brute force. So what did I actually do? I tried to improve the attack, but really there's people who don't sleep and a lot smarter than me who work on this all the time.
07:01
And they've basically reduced that down to almost the physical constraint of just the time it takes to authenticate a card to the reader. So my goal is really just to make this easy to use. It took me a month or two of my spare time and a fair amount of money to get this up and running. So I figured if I can do it for 20 bucks and no one has to type in a single command,
07:24
then maybe it'll get used a little bit more. So the point of this is I think everybody's lazy, I'm lazy. If you don't know if you have a My Fair Classic or My Fair Plus, you don't know what kind of pseudorandom number generator it has, you don't want to spend $200 or a month trying to figure this out,
07:41
all you have to do is download this. There's an installed script and you can run it with no arguments to find the keys on your card. So really what I did here is I modified the libNFC version of MFOC to identify if it has a new pseudorandom number generator which is not vulnerable, or the old one.
08:01
I modified the libNFC version of the hard nested attack to just hold on to some more information so I can automate this and you don't have to figure out what keys are unknown and type in more parameters. And I also created a wrapper script to just figure this all out so you can just run it with no problem. So here's a kind of a static demo of what would happen if you were running,
08:23
if you didn't know if you had a My Fair Classic or My Fair Plus. You would just run My Lazy Cracker, the script, and the first thing you would see is it would kind of identify, do you have a My Fair or do you have a My Fair Plus card, and from there it will pick which attack to use, and in this case it's a My Fair Plus,
08:42
and it will highlight what keys are unknown in what sectors, and it will just recursively go through and find those keys for you. So in this case it makes it known, it says PRNG is not vulnerable to the nested attack, so I'm selecting the hard nested attack. In the red there it's selecting the parameters for you
09:02
so you don't have to understand what really that is. What that's actually doing is saying I know that sector block 60 and key B is all zeros. You can use that to try and authenticate to another unknown sector, 48 key B, and try and crack that.
09:20
So as it goes through it's finding each key for you, and in the red you can see that it's finding separate keys for key A and key B, and there's still one key left. Sometimes the attack does fail. It tries to reduce the key space down to a certain size, and due to some math I don't understand it, it gives up once in a while. If you just try again it seems to work.
09:42
So in this case it's found three keys, and once you've found all keys for all sectors it just dumps it to a binary file, and from there you can basically clone the card with a lot of NFC classic open source tools included in the script I made. It'll just ask you do you want to clone it, yes or no,
10:00
so you can just put a blank card on there as well if you want to copy it, and you have a clone of the card. The key that you would need is that the UID on a MyFlark classic card is read only, and there's some Chinese Magic cards which allow you to write to that sector,
10:20
so you do need to go to Alibaba or something and buy some Magic MyFlark cards. So the source code is released. It's here. It's on GitHub. It's been tested by a few people. If you guys ever go to troopers in Germany, in Heidelberg,
10:42
there's a great training called RFID Security and Privacy Nightmares. The guys that give this training were the ones that kind of got me interested in this, so I highly recommend that if you guys are heading to troopers this year, and I have a short demo here if you want to see it live.
11:08
So here I have a MyFairPlus card. You could not crack this with MFOC, so all you have to do is run this if you could actually see it.
11:22
There you go. So what it's doing here, I'll start it over. You can see I just ran the script with no parameters. You can see here that there's two keys that are unknown, key A and key B for sector 13.
11:41
So here, all it's trying to do is authenticate to the card over and over and over again, collecting different unique encrypted nonces. And after a short period of time, it kind of varies depending on the card and the key, how long it will take.
12:06
And while that's running, I have another demo with a relock, and if you guys have interest, you can stop by and see me afterward. So this actually only works with MyFairClassic. It doesn't work with the Plus because it's a bad lock I bought off eBay. So you can see here, this is a card that actually allows me to enter the room.
12:25
It turns blue. This is a key that does not. It's another key that does not. And I'll show you that I can clone that and enter the door pretty quickly.
12:53
This has a runtime of approximately between, I would say, five minutes to an hour, and I didn't pick a key that takes an hour, don't worry.
13:22
And in the output of the script, you can see here, it's actually, it said the PRNG is not vulnerable to the nested attack, so it automatically selects the sectors to use. And here, it reduced the key space down to like 2 to the 36, so it's going to brute force from here.
13:41
This might go a little bit faster with a better laptop, but it should do the trick here. So another note, I guess, for things like hotels and things like that, most of them are using kind of their own version of encryption or a data format on the card,
14:06
so it's not like if you can crack the card for one hotel, you can change your check-in time for every hotel. Things like that are typically proprietary. So in this case, it's found the keys on this card, and it says, do you want to clone the card?
14:20
You could say yes or no, put a new card on, and you'd be able to clone the card. And so here's a case where this card did not let me in the lock before. I'm just going to run the script.
14:45
And in this case, it's not in my for a plus card, so it's able to crack it very, very, very fast. And I can say, yep, clone the card.
15:02
I cloned the wrong one. That's the demo. That's why I had a static demo. All right, here's the card that got me in. And yes, I want to clone the card onto my Chinese clone, which doesn't want to stay.
15:26
So I say yes. And now I can get in. Any questions?
15:53
So the phase where you collect the nonsense, you need to have the card physically the whole time, or can you do a dump?
16:01
You need to have the card. In order to do a dump, you have to have the keys. So in order to read certain sectors, you need to have the keys. So you need to have the card on the reader during the collection process, but you don't need it for the brute force phase. How long does the gathering take?
16:21
How long do you need physical access to the card? It typically depends on the card or which key it is. From what I've seen, it's between five minutes and an hour. So it's certainly not a case where you can do it, just bump in and steal it in any case. Maybe if you have it on a long train ride.
16:52
All right, thank you.