The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Reverse Engineering a real-world RFIDpayment system
How the EasyCard allows you to print your own digital money
Harald Welte
hmw-consulting.degnumonks.org
gpl-violations.orgosmocom.org
27th CCC Congress, December 2010, Berlin/Germany
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Outline
1 The EasyCard system
2 Analyzing the EasyCard
3 Tampering with the EasyCard
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
About the speaker
Kernel / bootloader / driver / firmware development since1999IT security expert, focus on network protocol securityCore developer of Linux packet filter netfilter/iptablesBoard-level Electrical EngineeringAlways looking for interesting protocols (RFID, DECT,GSM)Open Source hardware/firmware/software for RFID: librfid,OpenPCD, OpenPICC
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Introducing the EasyCardEasyCard for Public TransportApril 2010: EasyCard as means of payment
Travelling to Taipei
Starting from 2006, I was doing a lot of freelancing work forcompanies in Taiwan, resulting in numerous business trips tothe capital Taipei. As soon as you use public transport, younotice they are using an RFID based system called EasyCard.This was just after having worked extensively on the OpenPCDRFID reader and OpenPICC RFID tag simulator.However, work kept me too busy to ever have a look at theEasyCard until 2010.
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Introducing the EasyCardEasyCard for Public TransportApril 2010: EasyCard as means of payment
What is this EasyCard?
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Introducing the EasyCardEasyCard for Public TransportApril 2010: EasyCard as means of payment
EasyCardOne of Asia’s most popular electronic payment systems
EasyCard is used in Taiwan, mostly in the capital TaipeiOriginally deployed in 2001More than 18 million issued cardsInitially a payment system for public transport
Taipei metro (MRT)Taipei public bus
Similar to many other systems like Oystercard
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Introducing the EasyCardEasyCard for Public TransportApril 2010: EasyCard as means of payment
EasyCard as payment in public transport
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Introducing the EasyCardEasyCard for Public TransportApril 2010: EasyCard as means of payment
EasyCard sale, recharge and refund
Cards are purchased at vending machines located in everysubway station
Price is 500 NTD: 400 NTD value, 100 NTD depositPayment is made in cashThus, no credit card / account number linking a person to acard
Full refund of the account balance and the deposit can bemade at a cashierAdding value to the card is made by the same machinesthat sell the cards
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Introducing the EasyCardEasyCard for Public TransportApril 2010: EasyCard as means of payment
Threat analysis / Fraud potential
It is publicly known that EasyCard uses NXP MiFAREMiFARE Classic has been broken in various ways before,ranging from eavesdropping attacks to card-only attacks.However, the card itself is only one element in the securitychainEasyCard using MiFARE does not by itself mean that theEasyCard system is broken
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Introducing the EasyCardEasyCard for Public TransportApril 2010: EasyCard as means of payment
Online or Offline validation
EasyCard could have been a relatively safe system, ifthe value was not stored on the card but in the back-endall transactions would inquire the back-end and not only thecard
I never really bothered to do much analysis, consideringthat all you could get is fraudulent free rides for publictransport (which are cheap anyway)
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Introducing the EasyCardEasyCard for Public TransportApril 2010: EasyCard as means of payment
EasyCard for payment in stores
In 2009, the government creates laws for stored-valuecards as means of paymentIn early 2010, use of the EasyCard is extended beyondpublic transport
you can store up to 10,000 NTD ( 240 EUR) on the cardthe card is accepted at lots of stores (mostly big brands)
The attack incentive is much higher: Not only free metrorides, but suddenly you can buy basically any goodsavailable in the largest department stores
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Introducing the EasyCardEasyCard for Public TransportApril 2010: EasyCard as means of payment
EasyCard as payment in stores
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Recovering the MiFARE keysUnderstanding card contentEasyCard data format
What is MiFARE classic?
A 13.56 MHz RFID card system based on ISO 14443(1,2,3)1024 or 4096 bits of storage, divided in sectors and blocksUses proprietary 48bit cipher (CRYPTO1)Manufacturer and customers really believed in Security byobscurity ?!?Nobody should ever have used it for any applicationrequiring securityWeaknesses first published at 24C3 by Henryk Ploetz andKarsten Nohl
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Recovering the MiFARE keysUnderstanding card contentEasyCard data format
Analyzing the EasyCard
First step: Verify it it indeed MIFARE classicCan be done by applying ISO1443-1/2 air interface andISO14443-3 anti-collision procedure and checking theresult values
Next step: Recovering the keysmany cards have one ore more sectors using the defaultmanufacturer keysif one sector key is known, breaking the other keys isfast/easy by means of a publicized existing attackEasyCard uses custom keys for all sector, no success
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Recovering the MiFARE keysUnderstanding card contentEasyCard data format
Recovering the keys
As all keys are unknown, the card-only Dark Side attack(Nicolas T. Courtios) was usedOpen Source MFCUK (MiFare Classic Universal toolKit)program implements the attackAll hardware required is a RFID reader supported by libnfc(EUR 30)All A and B keys for all sectors have been recovered within3 hours
Attack time could be much shorter if proxmark with verytight timing control was used
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Recovering the MiFARE keysUnderstanding card contentEasyCard data format
Extracting raw content
Once the keys are known, the full data content of the cardcan be dumpedFree Software nfc-mfclassic program (part of libnfc)was usedAll hardware required is a RFID reader supported by libnfc(EUR 30)
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Recovering the MiFARE keysUnderstanding card contentEasyCard data format
Re-engineering the data format
The raw card content is not of much use unless it can beinterpretedIndividual transactions need to be made, raw card dumpsacquired before/after each transactionAnalysis of modifications caused by single transactionallow conclusions on data formatRepeat this with transactions like
entering a metro stationleaving a metro stationrecharging the cardpurchasing something using the card
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Recovering the MiFARE keysUnderstanding card contentEasyCard data format
Sector 2: EasyCard balance
MIFARE value blocks are intended for counters that can beincremented/decremented by different keysThe actual counter value is stored three times(inverted/non-inverted) for safetyEasyCard uses MIFARE value block in sector 2The value 1:1 represents the account balance of the cardin NTD
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Recovering the MiFARE keysUnderstanding card contentEasyCard data format
Sectors 3 through 5: Transaction Log
Each 16-byte block in sectors 3 through 5 contains onetransaction log recordEach record contains
Transaction ID, Cost, Remaining Balance, MRT Stationcode, RFID reader IDTransaction Type (Entering/leaving MRT, re-entering /connecting MRT, purchase, rechargeTimestamp is a 32bt unix time() format (seconds sinceJanuary 1st 1970). However, it refers to CST instead ofUTC
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Recovering the MiFARE keysUnderstanding card contentEasyCard data format
How to decode the MRT Station Code
Transaction log record contains MRT station codeHow to know which station name corresponds to thenumeric code?
Option A: visit each of them and take a EasyCard raw dumpOption B: visit the MRT homepage, point mouse at aspecific station on the map and look at the URL: It containsthe same ID!
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Recovering the MiFARE keysUnderstanding card contentEasyCard data format
EasyCard MRT station codes
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Recovering the MiFARE keysUnderstanding card contentEasyCard data format
Sector 7: Last MRT entry/exit record
Block 2 (Offset 0x1e0) contains a record describing thelast MRT station that was entered
Byte 4 contains the MRT station codeBytes 9..12 contain a timestamp
Block 1 (Offset 0xd0) contains a similar record describingthe last MRT station that was leftIt is assumed that this information is used to compute thedistance (and thus fee) to be paid for the current ride, aswell as the discount that is made when switching from MRTto bus.
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Recovering the MiFARE keysUnderstanding card contentEasyCard data format
Sector 15: Maximum daily spending
Block 2 (offset 0x3e0) contains a record keeping track ofthe amount of money spent on a single day
Bytes 0..10 are unknown (all zero)Byte 11 contains the day of the monthByte 12 contains an unknown value (0x3d on all testedcards)Byte 13..14 contains the sum of all purchases on theindicated day
This is used to impose a daily spending limit of NTD 3,000.
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Decreasing the value of the cardIncreasing the value of the cardeasytool
Tampering with the EasyCard
After recovering keys + understanding the format,tampering with the card is easyTesting purchases with tampered card permits validation ofthe offline vs. online questionPossible manipulations
Decreasing the value on the cardIncreasing the value on the cardBypassing the daily spending limit
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Decreasing the value of the cardIncreasing the value of the cardeasytool
Decreasing the value of the card
Make a purchase in a store that accepts the EasyCardFind the transaction log entry and increase the cost of thepurchaseDecrement the value block storing the card balance by thesame amount
Make sure you get the value block modifications right(inverted, non-inverted, backup copy)
Alter the amount spent per day (Sector 15) to reflectincreased amount
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Decreasing the value of the cardIncreasing the value of the cardeasytool
Decreasing the value of the card
A card was manipulated accordinglyThe card behaved like expected, i.e.
it had less value remainingit was still possible to use it in stores and public transportthe artificially removed money could not be spentthe card could still be re-charged at recharge machines,without ever recovering the artificially removed amount
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Decreasing the value of the cardIncreasing the value of the cardeasytool
Increasing the value of the card
Make a purchase in a store that accepts the EasyCardFind the transaction log entry and decrease the cost of thepurchaseIncrement the value block storing the card balance by thesame amount
Make sure you get the value block modifications right(inverted, non-inverted, backup copy)
Alter the amount spent per day (Sector 15) to reflectreduced amount
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Decreasing the value of the cardIncreasing the value of the cardeasytool
Increasing the value of the card
A card was manipulated accordinglyThe card behaved like expected, i.e.
it had more value remainingit was possible to use it in stores and public transportthe artificially removed money could all be spent (!)the card could still be re-charged at recharge machines,without ever loosing the artificially added amount
NOTE: The artificially added money was immediately added byrecharging the card at a recharge machine. The amount storedon the card has been reduced by the previously added amount.No fraud was committed!
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Decreasing the value of the cardIncreasing the value of the cardeasytool
Introducing easytool
Information regarding the data format of the cardimplemented as C header file / structsC program easytool created to decode cards contentsLater, code to decrement/increment amount was addedTool has not been released publiclyRead-only version of the tool might be released soon
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Decreasing the value of the cardIncreasing the value of the cardeasytool
Summary
Using MIFARE classic or any RFID system based onsecurity by obscurity is irresponsibleExtending a MIFARE classic based public transportpayment system to general payment system in the year2010 is nothing but ignorant, clueless and a sign of grossnegligenceGovernment regulartors should mandate the use ofpublicly and independently audited and reviewed securitytechnology. Security by obscurity is not an answer to anyproblem.
Harald Welte Reverse Engineering a real-world RFID payment system
The EasyCard systemAnalyzing the EasyCard
Tampering with the EasyCard
Decreasing the value of the cardIncreasing the value of the cardeasytool
Thanks
I would like to express my thanks toBrita and Milosch Meriac for OpenPCD and
OpenPICCHenryk Ploetz, Karsten Nohl, starbug for their work on
CRYPTO1Jonathan Westhues for his work on Proxmark
Nethemba for implementing thenested key attack inMFOC
Roel Verdult for libnfcNicolas T. Courtois for his darkside paper
Andrei Costin for his MFCUKimplementation of thedarkside paper
Harald Welte Reverse Engineering a real-world RFID payment system