Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Hi,
i'm really interested in RFID technology and in ethical hacking and since i also enjoyed skiing i decid to merge the two things.
A little background
I went skiing with my friends and since the last year there is the possibility to buy a 5$ rechargeable RFID card as pass instead of the old barcode, one time use cards. So i decided to buy one. Since i do not own a proxmark, but a lot of modern mobile phones have the capabilities of reading and writing rfid tags i chose a random app which seemed good to make the dumps. The app is NFC TAGINFO https://play.google.com/store/apps/details?id=at.mroland.android.apps.nfctaginfo&hl=it . The dumps are saved in XML format but i'll publish the parsed ones for privacy and reability matters.
The dumps
Here is what i found:
http://www.dinkypage.com/proxskitag/
ALL BLOCKS ARE WRITEABLE
My Thoughts
Most of you will think that naybe the data on the cards are nonsense and that the ski company use a centralized database where the rfid readers checks in real time the card id validity.
This is partially true: they actually HAVE a centralized db but i don't think it's used for live card validation, because when you recharge the card, as you can see from the dumps, some value are overwritten. Even when you buy a recharge on via internet, when you first use it, you need to wait for some seconds for their rfid reader to write some changes. So they actually have a database where personal data and status are saved, but it is used in order to keep track of the changes and not for live validation.
In the next days i will add more and more data as soon as i and my firends will go skiing again. Please share your thoughts about the dumped data.
Offline
Good idea but usually data are encrypted with tag uid (if you are lucky and des/3des encryption is not used) so without it you cannot have a valid information/data analisys.
Anyway if you continue to collect data and post dumps i will try to interpret them but i think uid is necessary (not totally sure until now) and also dumps done after consecutive same-day passages on the turnstel will be good to understand.
For what you can read online, data collected by ski-stations are syncronized at night and not in real-time, using a mobile connection.
Edit:
I just fund some correlations between the 2 days but more dumps are needed to verify.
MERRY CHRISTMAS
Last edited by asper (2013-12-25 12:16:07)
Offline
Good idea but usually data are encrypted with tag uid (if you are lucky and des/3des encryption is not used) so without it you cannot have a valid information/data analisys.
Anyway if you continue to collect data and post dumps i will try to interpret them but i think uid is necessary (not totally sure until now) and also dumps done after consecutive same-day passages on the turnstel will be good to understand.
For what you can read online, data collected by ski-stations are syncronized at night and not in real-time, using a mobile connection.
Edit:
I just fund some correlations between the 2 days but more dumps are needed to verify.MERRY CHRISTMAS
I'd prefer not to publish UID for a privacy matter but i can give it privately to who requests them. How can i contact you since fluxbb doesn't have a pm system?
I'll collect more and more dumps during the next days and i'll publish them.
I'll also collect data after passages on the turnstel, but as far as i understand no changes are written after the first one.
Offline
Provide me a contact account (skype, msn, irc - no social) and i will contact you.
When you are sure that after each turnstel passage nothing changes on the card please report here your tests.
If you can please post different columns of the same tag one next the other so direct comparing will be easier; alternatively you can publish the dumps on a googledocs excel table.
For now tell me if:
00070000
20004802
mean something to you (date, time, uids, something written on the card, something else).
Last edited by asper (2013-12-25 23:26:00)
Offline
Hi,
i can give you an email account rfid (at) mailtor (dot) net .
I can give you raw xml files with included UIDs so you should be able to compare data as you want. I'll give you also the serial number written on the card which is totally different from the UID.
Actually i can't see any correlation with the number you wrote, how did tou get them?
Thanks
Offline
For now I will rely on the data you posted on the link above (it seems not to be updatet yet, always the same 4 dumps), if I need serials I will email you but not to a tor mail account, sorry.
The above bytes were obtained wih a simple function but you have to know what elaborate and with what function (it's easy, don't worry, but I want to be sure of what I found so I need more dumps to verify, in particular same-day possible changes between turnstel passages).
Last edited by asper (2013-12-26 22:44:28)
Offline
I'll go skiing from 28/12 to 5/1 so i'll collect more and more dumps that i'll publish.
Sorry for the tormail, but i don't like to publish my email account on a forum. But we can meet on irc, just tell me the server and the channel
Offline
Efnet is ok, channel #proxmark3; choose the "meeting time" (GMT)
Offline
I'm in (11 GMT). I can wait there until about 18 GMT.
Offline
In.
Offline
Hi, i got a lot of new dumps if you are still interested we can meet again in IRC.
Offline
In right now.
Offline
I'm in now.
Offline
I believe i found something interesting. I would like to meet you again on irc.
Offline
In.
Offline
I'll join now and wait
Offline
hi,
I would be interested to chip in .. i have 2 cards and can share the info.
I should get more data in a month or so ... hopefully.
as asper said data seem to be encrypted as it's not meaningful to me ... could be enc with the tag UID, just have to figure what encryption system is being used.
when do you do another session on IRC ?
Offline
Hi, i did not left this project, i'm just too busy at this time. Anyway, if you would like we can meet on irc.
Offline
yes, can you give me server and chan info ?
Offline
yes, can you give me server and chan info ?
= irc.freenode.org #proxmark3. it s ok i will join tomorow.
Offline
betelgeuse => i m on irc and i will join as much i can that we can share..
Offline
I am taking a course on cryptography and i'm now getting a better idea on how data may be encrypted and stored, and also maybe which attacks are possibile. But would be nice to have some techinical paper, rfid specific to read.
Offline
I can confirm that all the infos about SkyPass Holder's ID is stored in a server not in the tag itself and any attempt to get through it can be only by using somebodyelse's ID which is not wise because in the majority of places there is a live Picture of the legit user showing up on the screen...
Not worth to touch
Offline
I can confirm that all the infos about SkyPass Holder's ID is stored in a server not in the tag itself and any attempt to get through it can be only by using somebodyelse's ID which is not wise because in the majority of places there is a live Picture of the legit user showing up on the screen...
Not worth to touch
i think you didn't get the point. As far as i observed and i understood from data and thair indtrastructure is that thay actually have a central server, because they have your data stored, they can sometimes see the pic (not this case i think since i don't remember them taking a pic of me). You can also buy skipasses online. But when you load the card for example with a new daily pass, the do not update the server, but instead your card (or maybe both but there would be no reason for that). So for example, when you buy a skipass online with your id, you must wait on the first entry some seconds because the reader need to update your card.
So here's what i think:
-They do have a central server with your personal details
-The also offer the possibility to save a credit card and pay automatically on first entry
-They sell skipasse online
-Some data on the card changes, depending on pass purchase
-With two different nominal pass, for the same purchase, the same data changes, in way that is costant in time: for example xoring two skipasses of two different people used on the same days there is a costant 'value'.
-I think that they, mainly for performance matters, don't check the validity date and time of the skipasses on the server, but just locally. it only quiery the server to know if there are pending updates for that card.
Anyway, i'm exploring some interesting property of xor, as well as i'm waiting my proxmark for other testing. I'll update this thread.
Offline