Cloning Contactless Cards – MiFare – Courtois Dark Side Attack

London Oyster Card and MiFare Classic Building Cards
Research by Dr. Courtois

Can one crack and clone a London Oyster Card or a contact-less building card?

Variants

MIFARE products are embedded in contactless and contact smart cards, smart paper tickets, wearables and phones.

The MIFARE brand name (derived from the term MIKRON FARE Collection and created by the company MIKRON) covers four families of contactless cards:

MIFARE Classic: Employs a proprietary protocol compliant with parts 1–3 of ISO/IEC 14443 Type A, with an NXP proprietary security protocol for authentication and ciphering. Subtype: MIFARE Classic EV1 (other subtypes are no longer in use).

MIFARE Plus: Drop-in replacement for MIFARE Classic with certified (AES-128 based) and is fully backwards compatible with MIFARE Classic. Subtypes: MIFARE Plus S, MIFARE Plus X and MIFARE Plus SE.

MIFARE Ultralight: Low-cost ICs that are useful for high-volume applications such as public transport, loyalty cards and event ticketing. Subtypes: MIFARE Ultralight C, MIFARE Ultralight EV1 and MIFARE Ultralight Nano.

MIFARE DESFire: Contactless ICs that comply with parts 3 and 4 of ISO/IEC 14443-4 Type A with a mask-ROM operating system from NXP. The DES in the name refers to the use of DES, two-key 3DES, three-key 3DES and AES encryption, while Fire is an acronym for Fast, innovative, reliable, and enhanced. Subtypes: MIFARE DESFire EV1, MIFARE DESFire EV2.

There is also the MIFARE SAM AV2 contact smart card. This can be used to handle the encryption in communicating with the contactless cards.
The SAM (Secure Access Module) provides the secure storage of keys and cryptographic functions.

MIFARE Classic family

The MIFARE Classic IC is just a memory storage device, where the memory is divided into segments and blocks with simple security mechanisms for. They are -based and have limited computational power. Due to their reliability and low cost, those cards are widely used for electronic wallets, access control, corporate ID cards, transportation or stadium ticketing.

The MIFARE Classic with 1K memory offers 1,024 bytes of data storage, split into 16 sectors; each sector is protected by two different keys, called A and B. Each key can be programmed to allow operations such as reading, writing, increasing value blocks, etc. MIFARE Classic with 4K memory offers 4,096 bytes split into forty sectors, of which 32 are the same size as in the 1K, with eight more that are quadruple-size sectors. MIFARE Classic Mini offers 320 bytes split into five sectors.

For each of these IC types, 16 bytes per sector are reserved for the keys and access conditions and cannot normally be used for user data. Also, the very first 16 bytes contain the serial number of the card and certain other manufacturer data and are read-only. That brings the net storage capacity of these cards down to 752 bytes for MIFARE Classic with 1K memory, 3,440 bytes for MIFARE Classic with 4K memory, and 224 bytes for MIFARE Mini. It uses an NXP proprietary security protocol for authentication and ciphering.
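
The sector layout and net capacities given above can be checked mechanically. The following is an added example, not code from the original page: it models the three MIFARE Classic variants, reproduces the quoted net capacities (752, 3,440 and 224 bytes), classifies blocks, and splits a sector trailer. The 4-blocks-of-16-bytes sector size follows from the figures in the text; the trailer field order (key A, access bytes, key B) and the inverted-nibble consistency check are assumptions taken from the public MIFARE Classic data sheet, and the sample trailer is constructed.

```python
# Added example (not from the source page): MIFARE Classic memory layout.
BLOCK = 16  # bytes per block

# variant -> list of (sector_count, blocks_per_sector)
LAYOUTS = {
    "mini": [(5, 4)],
    "1k": [(16, 4)],
    "4k": [(32, 4), (8, 16)],  # 32 normal sectors + 8 quadruple-size sectors
}

def sectors(variant):
    """Yield (sector_no, first_block, trailer_block) for every sector."""
    sector = block = 0
    for count, per_sector in LAYOUTS[variant]:
        for _ in range(count):
            yield sector, block, block + per_sector - 1
            sector += 1
            block += per_sector

def total_bytes(variant):
    return sum(c * n for c, n in LAYOUTS[variant]) * BLOCK

def net_bytes(variant):
    """Total minus one trailer block per sector and the manufacturer block."""
    n_sectors = sum(c for c, _ in LAYOUTS[variant])
    return total_bytes(variant) - n_sectors * BLOCK - BLOCK

def block_role(variant, block_no):
    """Classify a block as 'manufacturer', 'trailer' or 'data'."""
    if block_no == 0:
        return "manufacturer"
    for _, first, trailer in sectors(variant):
        if first <= block_no <= trailer:
            return "trailer" if block_no == trailer else "data"
    raise ValueError("block out of range")

def parse_trailer(raw):
    """Assumed trailer format: key A (6 bytes), access bytes (4), key B (6)."""
    if len(raw) != BLOCK:
        raise ValueError("trailer must be 16 bytes")
    b6, b7, b8 = raw[6], raw[7], raw[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    # Each nibble is also stored inverted; a mismatch means a corrupt trailer.
    valid = (b6 & 0x0F, b6 >> 4, b7 & 0x0F) == (c1 ^ 0xF, c2 ^ 0xF, c3 ^ 0xF)
    return {"key_a": raw[:6], "key_b": raw[10:], "c": (c1, c2, c3), "valid": valid}

# Constructed sample trailer: made-up keys around the access bytes FF 07 80 69.
SAMPLE = bytes.fromhex("A0A1A2A3A4A5" "FF078069" "B0B1B2B3B4B5")
```

A trailer whose access bytes fail the inverted-nibble check should be treated as corrupt when auditing a dump of your own cards, since the stored access conditions cannot be trusted.
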

The Samsung tag stickers use MIFARE Classic chips.
This means only devices with an NXP NFC controller chip can read or write these tags.

MIFARE Classic Tool (MCT)

An Android NFC app for reading, writing, analyzing, etc.