Minutes 2025-02-13: Difference between revisions

From MTU LUG Wiki
Jump to navigation Jump to search
No edit summary
(Added images)
 
Line 1: Line 1:
# Presentation from Noah on creating MIFARE Classic polyglot cards!
# Presentation from Noah on creating MIFARE Classic polyglot cards!
## Brief primer of NFC and RFID
## Brief primer of NFC and RFID[[File:LUG Card Programming Meeting (Whole Table).jpg|thumb|468x468px|Members hanging out around the round table]]
### HID and NXP duopoly
### HID and NXP duopoly
### Many organizations use credentials with broken or nonexistent encryption
### Many organizations use credentials with broken or nonexistent encryption
Line 13: Line 13:
#### NXP attempts to sue, fails
#### NXP attempts to sue, fails
### Used in lots of hotels and organizations that don't know any better
### Used in lots of hotels and organizations that don't know any better
## Visual representation of data on a MIFARE Classic card
## Visual representation of data on a MIFARE Classic card[[File:LUG Card Programming Meeting (Half Table).jpg|thumb|462x462px|Response to being photographed]]
### The '1K' in "MIFARE Classic 1K" is the total space
### The '1K' in "MIFARE Classic 1K" is the total space
### There's only 720 bytes of usable space
### There's only 720 bytes of usable space
Line 31: Line 31:
### Key Diversification Function (KDF)
### Key Diversification Function (KDF)
### Take the (in this case) four-byte UID
### Take the (in this case) four-byte UID
### Plug into 'black-box' algorithm
### [[File:Logan cutting his card.jpg|thumb|460x460px|Logan cutting his card]]Plug into 'black-box' algorithm
### get keys for that sector
### get keys for that sector
### We don't have the KDF for Schlage, but we can get a 1:1 copy of the data anyway
### We don't have the KDF for Schlage, but we can get a 1:1 copy of the data anyway
Line 45: Line 45:
### Wiegand values are all sequential in most systems
### Wiegand values are all sequential in most systems
### These are both stupid
### These are both stupid
## The MIFARE Application Directory (MAD)
## The MIFARE Application Directory (MAD)[[File:Josh programming a card.jpg|thumb|460x460px|Josh programming an ID]]
### Allows formatting the data in the card in special ways
### Allows formatting the data in the card in special ways
### Designed to allow multi-tenant functionality
### Designed to allow multi-tenant functionality
Line 59: Line 59:
### Don't implement spec properly
### Don't implement spec properly
### IOS is really strict with some aspects, but still doesn't implement it correctly
### IOS is really strict with some aspects, but still doesn't implement it correctly
## What do we do?[[File:Closeup of Josh programming an ID.jpg|thumb|457x457px|Closeup of the ID being programmed]]
## What do we do?
### Allegion has our backs
### Allegion has our backs
### Schlage readers support a zillion card formats
### Schlage readers support a zillion card formats
Line 76: Line 76:
## They work!
## They work!
### They even work on iPhones!
### They even work on iPhones!
# Borrowed Ethan's Flipper Zero to check if the unlabeled stock of cards were gen1 or gen2
# Borrowed Ethan's Flipper Zero to check if the unlabeled stock of cards were gen1 or gen2[[File:Anika's LUG IDs.jpg|thumb|455x455px|Anika showing off the front and back of her two LUG IDs]]
## We ran out of pre-confirmed gen2 tags
## We ran out of pre-confirmed gen2 tags
## Didn't want to use gen1 tags so members could rewrite cards with their phones at a later date
## Didn't want to use gen1 tags, so members could rewrite cards with their phones at a later date
# USG Budget Hearing @ 8:20 PM
# USG Budget Hearing @ 8:20 PM
## Took some quick pictures before leaving at 8:15 (the ones embedded in these minutes)
## Took some quick pictures before leaving at 8:15 (the ones embedded in these minutes)

Latest revision as of 01:49, 15 February 2025

  1. Presentation from Noah on creating MIFARE Classic polyglot cards!
    1. Brief primer of NFC and RFID
      Members hanging out around the round table
      1. HID and NXP duopoly
      2. Many organizations use credentials with broken or nonexistent encryption
    2. MIFARE
      1. MIFARE Classic
      2. MIFARE DESFire
      3. HID iClass
    3. MIFARE Classic
      1. Crypto1
        1. Security through obscurity
      2. MIT hackers break it overnight
        1. NXP attempts to sue, fails
      3. Used in lots of hotels and organizations that don't know any better
    4. Visual representation of data on a MIFARE Classic card
      Response to being photographed
      1. The '1K' in "MIFARE Classic 1K" is the total space
      2. There's only 720 bytes of usable space
      3. Block 0 is for manufacturer data
        1. First 4 bytes are the UID (serial number) of the card
      4. Blocks 2/3 are for the MAD (more on this later)
      5. the rest of the sectors are for data
    5. MIFARE Classic 1K is the cheapest version of these cards
      1. There exist 2K and 4K variants
      2. Not very useful since most orgs just store an ID number on them anyway, which takes like 10 bytes, and leave the rest blank
    6. Is this allowed @ Tech?
      1. In all of IT's and the Universities policies, nothing says you can't put your own data on a different medium
      2. But they do explicitly disallow unauthorized distribution, so don't hand out your card or share a copy of the data dump
      3. "not an issue until it becomes one"
        1. Don't otherwise abuse services or technology and it won't pose an issue
    7. How it works
      1. Key Diversification Function (KDF)
      2. Take the (in this case) four-byte UID
      3. Logan cutting his card
        Plug into 'black-box' algorithm
      4. get keys for that sector
      5. We don't have the KDF for Schlage, but we can get a 1:1 copy of the data anyway
      6. The first sector is the one that we care about
    8. Orange bytes are access bits
      1. These define read/write permissions
      2. If the access bits are configured to never allow writing the access bits, they're 'bricked'; IE permanently locked and can never be changed
      3. For this reason, we use the access bits of 787788 instead of the OEM access bits of F0FF00 to keep the same KeyA/KeyB R/W permissions, but also allow re-writing the access bits again in the future
        1. Can be useful if anyone wants their LUG ID to be a different card in the future, like a hotel key or convention pass
    9. General purpose byte - not super important
    10. Weigand value is the one that were looking for
      1. Card numbers are printed on the card
      2. Wiegand values are all sequential in most systems
      3. These are both stupid
    11. The MIFARE Application Directory (MAD)
      Josh programming an ID
      1. Allows formatting the data in the card in special ways
      2. Designed to allow multi-tenant functionality
      3. The purpose was to use different sectors to store different 'types' of applications  (vending credits, bus passes, dorm access, etc)
        1. No one uses it like this
      4. But it also allows encoding data as NDEF (what we care about)
      5. NDEF
        1. Special type of standard by NXP, the company with a borderline monopoly on NFC
        2. Can store files, contacts, pictures and more
        3. Commonly used on NTAG chips (ex. NTAG215/216)
      6. MAD normally is in sector one, which on our cards, is where our ID numbers are
      7. Mobile devices look for mad in sector 0, then reads in sector 1 even when the MAD specifies otherwise
      8. Don't implement spec properly
      9. IOS is really strict with some aspects, but still doesn't implement it correctly
    12. What do we do?
      Closeup of the ID being programmed
      1. Allegion has our backs
      2. Schlage readers support a zillion card formats
      3. One of these formats is a card with the data in sector 15 (the last sector)
      4. we can just copy+paste our sector 1 data down to sector 15, and it works all the same
      5. This frees up sector 1 to be used to our MAD data
      6. This trick let's us make other kinds of Polyglot Cards
        1. Noah's Tech+Elements NFC (gen4) / RFID (t5577) Ring
    13. Dining halls and printers only use UID (really insecure)
      1. This means you can't write your data to an RFID tag, as they only work with a 13.56mHz NFC tag
    14. Onto the fun stuff!
      1. Josh literally just finished the script as presentation ended
      2. Not tested yet
  2. Handed out materials to create IDs for people who haven't made them yet
    1. For people who already created theirs last meeting, started on the polyglot creation
    2. They work!
      1. They even work on iPhones!
  3. Borrowed Ethan's Flipper Zero to check if the unlabeled stock of cards were gen1 or gen2
    Anika showing off the front and back of her two LUG IDs
    1. We ran out of pre-confirmed gen2 tags
    2. Didn't want to use gen1 tags, so members could rewrite cards with their phones at a later date
  4. USG Budget Hearing @ 8:20 PM
    1. Took some quick pictures before leaving at 8:15 (the ones embedded in these minutes)
    2. Noah, Dane, Lucas, and Logan went
    3. Was only 10 minutes, meetings are very short
    4. Seems to have gone well
  5. Returned to the meeting
    1. Helped finish up remaining cards
    2. Discussions about integrating LUG into RedTeam and some future plans for RedTeam's leadership as people slowly dispersed
Retrieved from "https://lug.mtu.edu/w/index.php?title=Minutes_2025-02-13&oldid=7780"