I have found a new front door lock which is not in the compatibility list. It is more robust than others I have seen and uses a motor to pull back the heavy 7 way bolts common on doors in my area. One of the options is an RFID pad and it has a wireless bridge and software to operate it remotely. All cool stuff but it’s expensive so I want to be sure it is compatible before buying it. The tech spec only refers to the RFID as being “Mifare Classic”.
Are the following statements true?:
Given that the user can enrol many fobs it is possible that I could enrol an NTAG216
The Mifare Classic spec means that I would definitely be able to clone an existing fob to my xMagic
Sure, it’s possible, but without knowing more it’s hardly definite. If the reader is only looking at UIDs, then most likely, yes
Unfortunately this is not definite either, there are some types of Mifare Classic credentials you couldn’t clone to your xMagic, or that might cause issues trying to get a dump, Mifare Classic cards with a 7 byte UID for instance can’t be cloned to the xMagic as it has a 4 byte uid
Any chance you could share which reader you’re looking at?
Yeah I second what @Aoxhwjfoavdlhsvfpzha said… when it comes to packaging or even the technical manuals, marketing has much more to do with the wording of things then any engineers. Basically all you can glean from the words mifare on a box or manual is that it’s at least 13.56mhz… But I have seen this on products that only support ISO 15693 which is not mifare what so ever.
Do you have some equivalent test cards?
Take them along and try them, once you prove those work, you could maybe show and explain your implants; and if they work, tell them there is a community that would be interested in buying some.
Hmmm, no dice: I spoke to their technician who told me that they have built in an encryption layer because “without it Mifare Classic is not very secure so we made it so you can only use our fobs”.
So enrolling my chips is out and I didn’t feel I could ask him what he thought of my chances cloning their fobs with a Proxmark3…
I told him that my reason for asking was to add their locks to an existing system so I wanted to unify the keys. I asked if they could offer a custom service to enrol my keys into their encrypted service. He said that they have no plans to do that at the moment but that mine wasn’t the first request so it might be something they do in the future.
And then a ray of hope: he said that if I had a system with a controller that includes a simple button switch (which I do) I could use my own reader and controller for the lock. I might try that.
I think we’re still about where we started for your xMagic, so long as the Mifare Classic they’re using is a compatible type you should be able to clone the whole chip including the encrypted data over to your xMagic and use it the same.
Assuming you can get the mifare keys through sniffing the reader or otherwise breaking them with the pm3 of course…
Any chance they sell replacement cards, or have some other way to get your hands on one for a little digging prior to purchasing the reader?
This is such a classic marketing response. There is no way to improve security of an insecure device by “adding an encryption layer”. It’s like improving security of a door with no lock by fogging the glass panel in it.
Good to know.
As the reader is a relatively small part of the budget I could buy in, try to hack it and if it doesn’t work, fall back on the add-a-reader-that-closes-the-entry-button-circuit technique.
Yeah basically what they are saying is that they “encrypted the data on the chip” because the chip was not secure enough to rely on its security mechanisms… but all that means is you just copy the “encrypted data” to your cloned chip and you’re good.
Far too many people, even some 3 Square Market CEOs (that fucking douchebag Todd Westby and his equally slimy cohort Patrick McMullan) I’ve talked to, are pretty fucking dumb when it comes to how security works. They told me on the phone, multiple times, that their engineers secured the NTAG216 enough to be used in financial transactions because “the data written to the chip was encrypted”. Some day I’ll post up a video to DT Club about those two pieces of shit and everything that went down.
You can’t just sprinkle encryption dust on something and make it secure. This is extremely simplified, but it highlights the issue;
Mifare security broken, so imagine it’s just a storage medium like a piece of paper.
Write data on the paper like “I have $5 in my wallet” or “I am authorized to enter this door, here is my password”.
Present the paper to the vending machine or to the door.
Device reads the data and updates it with “You now have $4 in your wallet” or “Next time you want to enter this door, present this new password” (stored in the written data).
Now compare that to the encrypted version;
Write encrypted data on the paper “vc9898q4laki7ea987t432”.
Present the paper to the vending machine or to the door.
Device reads the data, decrypts it to “I have $5 in my wallet”
Update the data to “I have $4 in my wallet”
Encrypt the data to “lk85w098as096u209458gb”
Write the new encrypted data to the paper
You’re simply adding steps which do nothing to protect someone from cloning the encrypted data to a new fob. How would the vending machine know if the paper presented to it was not just a copy of the encrypted data or the original paper? It has no way to know that.
The only thing the encryption scheme does is protect the wallet amount from being directly changed, but at the same time there is not likely anything to protect the system against reset… simply put $5 in your wallet, copy the encrypted data to a file, and rewrite that same data value over and over again to perpetually have $5 on your chip. It would take specific counter or time based salts or methods of protection wrapped up into your encryption methods to even attempt at protecting against this kind of attack.
Granted, proper counter / timer protections in your encryption mechanisms can also have some level of protection against cloned data / chips, but only in so far as there could not really be multiple active chips in circulation… each chip will be out of sync upon use of just one… but this does not protect against outright cloning for immediate use by an attacker… and when it comes to physical security or financially linked transactions (closed loop purchases, laundry, services, etc.) you really want to enable much more secure methods of “digital purse” type solutions built into actually secure (but more expensive) chips like the DESFire Ex series or smart card chips.
Thank you for the detailed explanation.
It’s set off a bunch more questions in my curious mind. Here’s two:
Would you ever secure the front door of your house with a Mifare classic based lock?
In systems that write new data to the chip on each presentation what happens if the data is corrupted during the write? Are you locked out? Is there a way to hack into the lock and reset the chip to pick up from where it left off with the data that the lock is expecting?
I have. The threat model is drastically different for my personal scope security needs at my front door vs a broader scoped application like transactions linked to financial value, or the physical security needs of a small facility or business that don’t employ any additional security mechanisms like guards and manned control points or gates.
That depends entirely on how well the system is designed. It might perform a write-check-update process or it might just throw the bytes to the aether and hope all went well.
Being that I am not the only one living in my house, it is collectively the most valuable thing we own and I also feel the responsibility of making a decision that could affect others (especially those who are not as enamoured as I am with “those sub-thermal microscopic ships you’re always banging on about”).
If I can swap out their reader for one I provide would it be safer to go with an LF reader and use the other side of my xMagic?
No, there are what DT calls "x"series (small injectable cylindrical glass) chips that run the Mifare protocol. A “flex” series Mifare implant would be larger to accommodate a larger antenna with greater read ranges.
Me too. Copying a mifare classic is no different to copying a key. At least with the chip in my hand I don’t have to worry about someone reading the bitting of the physical key and I cannot lose it.
Also for others in my house (my kids have x series implants, but wife doesn’t), I have put a circular rfid sticker chip inside the cover of my wife’s phone, and that allows her easy entry. I am assuming if she lost her phone, no one would realise there is a rfid sticker there or what it can be used for (also I would delete it from the system pretty quickly).
I think it is safer than a physical key as the keys can be lost and then the entire lock needs to be replaced. Also unless you have really high end locks, they can often be picked by anyone who has spent 30 minutes watching YouTube….