
Tag-side attacks against NFC

Conference: Defcon 27

2019-08-01

Summary

Building an NFC attack tool on an STM32L496ZG microcontroller and discussing security weaknesses in Mifare Classic tags
  • Built an NFC attack tool on an STM32L496ZG microcontroller with one megabyte of flash and 320 kilobytes of RAM
  • Discussed the hardware limitations of the previous device and the need for a more powerful one
  • Implemented a DESFire attack and used a Mifare DESFire Android tool to tamper with responses
  • Explained weaknesses in Mifare Classic tags, including the uselessness of Crypto-1 and vulnerability to replay attacks and key recovery
The speaker explained how they built an extremely simple device from a large coil of wire, a capacitor, a diode, a resistor, and a second capacitor, which lets the microcontroller behave as an NFC tag. They also discussed why a more powerful device was needed, given the hardware limitations of the previous one, and how they used an Android application to tamper with responses and implement the DESFire attack. They then explained the weaknesses in Mifare Classic tags, including the uselessness of Crypto-1 and the tags' vulnerability to replay attacks and key recovery.

Abstract

This talk covers tag-side attacks against NFC communication protocols, including cracking of Mifare encryption keys and performing targeted attacks against NFC readers. In addition, it covers the design and creation of devices capable of emulating NFC tags down to the raw protocol using standard components and tools, with no abstraction to dedicated hardware, covering and expanding on the capabilities of available products. The talk explains how 13.56 MHz NFC works at a raw level, how tools can be built for analysing it, how the protocol can be implemented in full on standard microcontrollers, and the security weaknesses present in its design.
