Hacking RFID Billing Schemes for Fun and Free Rides - Marcio Almeida Macedo - Ekoparty Security Conference - 2014

Explore the world of RFID hacking in this conference talk from Ekoparty 2014. Dive into the vulnerabilities of MIFARE Classic contactless cards, widely used in access control systems and public transportation. Learn about the card's features, major attack types, and potential security measures. Witness a practical demonstration of dumping and cloning old SUBE cards still in use in Buenos Aires' subway and bus services. Gain insights into the CRYPTO-1 cipher, its weaknesses, and various attack methods including Nested and Curtois Dark-Side attacks. Discover the tools and techniques used in RFID hacking, such as Proxmark3 and active sniffing. Analyze the PuntoBIP! application and understand potential countermeasures against these vulnerabilities. This comprehensive presentation covers the history, security features, and structure of MIFARE Classic cards, providing valuable knowledge for both security professionals and enthusiasts interested in RFID technology and its potential exploits.

Intro
DISCLAIMERS !!
RFID Billing Schemes
Mifare Classic Cards
A tiny history and some facts...
Security Features of Mifare Classic
Mifare Classic Structure
Partial Reverse Enginnering . In 2007 Karsten Noh and Henryk Plötz released at CCC the partial reverse engineering cipher initialization of CRYPTO-1 by hardware analysis
Weaknesses discovered
Full Disclosure of CRYPTO-1
Output Example Proxmark3
CRYPTO1 Cipher Cryptol Cipher
Proxmark3 + Active Sniffing
Card-only Attacks
Nested Attack
Curtouis Dark-Side Attack
Attack Steps
Proof of Concept
Running MFOC First Time
Running MFCUK
Running MFOC Second Time
Creating a Clone
Attack Cost
Analyzing PuntoBIP! Application
Problems Identified only analyzing PuntoBIP.akp
Countermeasures Against
"Decrement-counter" workaround
Conclusions