Proxmark3 community
Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Announcement
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
#1 2015-04-27 17:40:36
- samburner3
- Contributor
- From: Sydney AUS
- Registered: 2015-03-01
- Posts: 51
DESFire EV1 transit replay top-up attack
Hi
I have not yet got a promark, but have taken an interested in RFID security, and have used some software to clone mifare classic cards successfully.
My city's transport system uses DESFire EV1 cards, therefore not able to be hacked/cloned. However I thought a replay attack would still be useful:
In theory if the top-up transmission can be captured (sniffed / snooped) from a top-up machine, that could then be replayed onto the card at anytime in the future, therefore free top-ups?
I could not find anything relating to this on the web, closest was on this forum with the oyster card example.
Would the proxmark be up to this task? Would encryption be an issue? I figured not as it is simply replaying a captured transmission.
Also would an NFC android device be able to carry this out in place of a proxmark? (budget in mind).
Offline
#2 2015-04-27 20:56:51
- asper
- Contributor
- Registered: 2008-08-24
- Posts: 1,409
Re: DESFire EV1 transit replay top-up attack
No NFC Android devices are NOT able to do what you want to do.
Offline
#3 2017-04-17 21:47:15
- Danz
- Contributor
- From: Dubai
- Registered: 2015-10-24
- Posts: 98
Re: DESFire EV1 transit replay top-up attack
I tried the above theory, it didn't work as the top up transmission have server reference that saved on card and needed to be verified once with server after the top up which save approval code on the card with encrypted key , the server will disacknowledge any further reference verification
Offline
#4 2017-08-15 17:25:59
- atmel9077
- Contributor
- Registered: 2017-06-25
- Posts: 46
Re: DESFire EV1 transit replay top-up attack
When authenticating the card sends a random number that is different every time and you have to respond with an encryption of this number by the diversified key stored in the card.. Son you can't do replay attacks. With MIFARE CLASSIC which have a bad RNG this could be possible if there's no one-way counter (value block) used to certify the contents of the card.
Last edited by atmel9077 (2017-08-20 12:40:25)
Offline
#5 2018-10-08 04:59:24
- Tom5ive
- Contributor
- Registered: 2017-09-18
- Posts: 53
Re: DESFire EV1 transit replay top-up attack
Unfortunately this is not possible. I'm located close by in the same city and have been working at the same thing that you seem to be hinting at. Maybe we should get together for a beer sometime? 
Offline
#6 2018-10-12 13:27:00
- merlok
- Contributor
- Registered: 2011-05-16
- Posts: 132
Re: DESFire EV1 transit replay top-up attack
Replay not possible.
but...
relay with android, wifi and|or etc... may be possible...
but may have a detection in the system.
bbbut) something like this:
https://eprint.iacr.org/2010/332.pdf
possible and cant be detected
(may be detected in only one way - detect of chip's antenna parameters)
Offline
#7 2018-10-13 10:04:04
- merlok
- Contributor
- Registered: 2011-05-16
- Posts: 132
Re: DESFire EV1 transit replay top-up attack
Offline
Pages: 1