xDF2-focused Android app idea

Not really, got crazy busy with work-related stuff. Just could not make much headway beyond what I had shared some time back.

I wish someone here has the bandwidth to build a tool for EV2 app. I am happy to share the graphics artifacts I have built thus far.

Anyone?

I’m getting a xDF2 implanted this week and I’ll probably be taking a whack at making some software for it.

Relevant links for the next person when I inevitably fail:

The first seems very promising. I’ll likely try to port that to TypeScript to work with react-native-nfc-manager. Not my preference for app development but also not everyone has an Android phone so it seems like a good idea to work in a cross-platform environment when possible. Ultimately I’d like to build something that can use the challenge-response capabilities to authenticate with a remote server a la VivoKey Spark, but it seems like I have my work cut out for me. It would be fun to store keys in a trusted execution environment or something and auth with that using the implant though.

Just thought I’d report on progress here. I currently have a React Native app that can:

  • Authenticate with the EV2 using ISO authentication (DES-based)
  • Authenticate with the EV2 using AES authentication
  • Change the master key to any arbitrary AES key after either form of authentication
  • Format the card (removing all applications and data except for the master key and its settings)

Didn’t quite go as fast as I wanted it to but life isn’t a race :slight_smile:

I’m going to spend today working on application management and file management if I get to it. I suspect I’ll make good progress now that I understand how to calculate CRCs and have the crypto stuff all implemented and everything. Still waiting on approval from my employer to release the code for this project so I can’t promise it’ll be open-source but that’s the plan. My main goal is to build this as a React Native library so people can actually interact with their DESFire implants on a deeper level than what other apps provide, then once I have that in a good state I think I’m going to first build a completely offline password manager, and once that’s done if I’m still interested in this project I’ll explore other things I can do with it, possibly trying to implement an open-source version of what the Spark 2 does with like, servers authenticating with your chip in order to provide OAuth capabilities and stuff.

I’m excited about the password manager idea though, especially on Android where the key used to authenticate with the chip can likely be kept in a hardware-backed keystore. You’ll get two really complementary security guarantees:

  1. The passwords can’t be copied off the chip except by being scanned by a device that demonstrates it has access to the authentication key (NXP’s guarantee, best I can tell)
  2. The authentication key can’t be accessed unless an attacker has access to your phone and can unlock the screen OR has your master password. (Android keystore’s guarantee, caveat comes from how the auth key is derived)

I think the net result of these two guarantees is that as long as you can keep your master PW secret and nobody loads malware onto your phone then scans your hand, they can’t get your passwords.

7 Likes

Very interested to see this done!
Very epic idea.

2 Likes

I’m glad people are interested! I now have:

  • Create application
  • Change application key to any arbitrary AES key
  • Create file
  • Read data
  • Write data

All working. For reads I still need to do the checksum validation and strip the padding after decryption, but yeah I think that’s everything I need, now I have to just like, go implement the rest of the app. Anyone with an EV1 or EV2 want to beta test? I’ll wait to release something until I’m fairly confident it won’t mess up other things on the implant, but I can’t make absolute guarantees. I’m also open to mailing people an EV2 test card if they have interesting hardware and pinky promise to test things out. :slight_smile: Android only for now, I’ll need to pony up some cash for an iPhone SE before I can get it working on iOS. The NFC library I’m using doesn’t completely abstract away the hardware differences.

I have 10 test cards to mess with and I haven’t bricked any, but NFC Tools doesn’t want to play nice with one of them anymore. I think the NFC Tools app expects the master key (PICC key) to still be in DES mode, so I’m probably going to try to only ever touch the application keys. Locking down an application key does seem like it might be enough to ensure proper access control. The PICC key can still be used to wipe the device but it can’t read the data from a protected file while authenticated as itself. I still have to confirm whether or not it can be used to change the application keys though.

2 Likes
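The checksum validation and padding removal mentioned in the post above, as an added example that is not part of the thread or of ellenhp's app. It assumes the plaintext layout used by public open-source DESFire implementations for AES-mode enciphered reads (data, then a little-endian CRC32 computed over the data plus a 0x00 status byte, then padding); `desfireCrc32`, `paddingOk`, `unwrapRead` and `buildPlain` are hypothetical names.

```typescript
// Added example, not code from the thread. Assumed plaintext layout after
// AES-CBC decryption: data || CRC32 (little-endian) || padding.

// DESFire-style CRC32: reflected polynomial 0xEDB88320, initial value
// 0xFFFFFFFF, no final XOR (so it differs from the zlib/PNG CRC32).
function desfireCrc32(bytes: Uint8Array): number {
  let crc = 0xffffffff;
  for (let i = 0; i < bytes.length; i++) {
    crc ^= bytes[i];
    for (let bit = 0; bit < 8; bit++) crc = crc & 1 ? (crc >>> 1) ^ 0xedb88320 : crc >>> 1;
  }
  return crc >>> 0;
}

// Padding is accepted if empty, all zeros, or 0x80 followed by zeros.
function paddingOk(plain: Uint8Array, start: number): boolean {
  for (let i = start; i < plain.length; i++) {
    if (plain[i] !== 0x00 && !(i === start && plain[i] === 0x80)) return false;
  }
  return true;
}

// Returns the file data, or null when no candidate length has valid padding
// and a matching CRC. The CRC is assumed to cover data || status byte (0x00).
function unwrapRead(plain: Uint8Array, expectedLen?: number): Uint8Array | null {
  if (plain.length === 0 || plain.length % 16 !== 0) return null; // whole AES blocks only
  const longest = expectedLen === undefined ? plain.length - 4 : expectedLen;
  const shortest = expectedLen === undefined ? 0 : expectedLen;
  for (let len = longest; len >= shortest; len--) {
    if (len < 0 || len + 4 > plain.length || !paddingOk(plain, len + 4)) continue;
    const covered = new Uint8Array(len + 1); // final byte stays 0x00: the status byte
    covered.set(plain.subarray(0, len));
    const stored = (plain[len] | (plain[len + 1] << 8) | (plain[len + 2] << 16) | (plain[len + 3] << 24)) >>> 0;
    if (desfireCrc32(covered) === stored) return plain.slice(0, len);
  }
  return null; // treat as a failed read; never hand back unverified bytes
}

// Builds constructed sample plaintext the way the card side is assumed to.
function buildPlain(data: Uint8Array, pad80: boolean): Uint8Array {
  const covered = new Uint8Array(data.length + 1);
  covered.set(data);
  const crc = desfireCrc32(covered);
  const out = new Uint8Array(Math.ceil((data.length + 4 + (pad80 ? 1 : 0)) / 16) * 16);
  out.set(data);
  for (let i = 0; i < 4; i++) out[data.length + i] = (crc >>> (8 * i)) & 0xff;
  if (pad80) out[data.length + 4] = 0x80;
  return out;
}
```

Pass `expectedLen` when the read requested a fixed number of bytes; omit it for a whole-file read, where the length has to be recovered from the padding.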

you have come to the right place :+1:

I loved that, I wish more people used and trusted the sacred pinky promise

2 Likes

Why did I read that as scared pinky promise?

@ellenhp

I’m really intrigued by your work, especially the authentication and key management aspects. Would it be possible for me to get access to your React Native app? I’d love to take a closer look and maybe even learn a thing or two from your implementation.

No rush, of course – as you rightly mentioned, life isn’t a race! Whenever you have a moment, please let me know if you could provide access.

Thanks in advance, and keep up the fantastic work! :rocket:

The original post was from May 2021

and we last saw @ellenhp November 2021 so you may not get a response

But we can drop a few @ellenhp here
:speaking_head:

@ellenhp

@ellenhp

@ellenhp