Sniffing and cloning contactless cards

By eeNews Europe

The open source project launched by co-founders Timo Kasper and David Oswald (note that the company’s logo reads like chaos) promises a freely programmable, standalone tool for NFC security analysis. The smartcard-sized device can emulate and clone contactless cards, read RFID tags and sniff transiting data.

That’s all you need to assess the security aspects of your RFID and NFC equipment or to perform functional tests.

But the ChameleonMini Rev.G (which integrates a PCB antenna and can operate as a basic active 13.56MHz RFID reader) also makes an attractive proposition to many would-be fraudsters willing to perpetrate different attack scenarios, such as replay or relay attacks, state restoration attacks, or simply to sniff NFC communication and clone other cards.

The platform can create perfect clones of various existing commercial smartcards, including cryptographic functions and the Unique Identifier (UID). The small board can emulate various ISO 14443, NFC, and ISO 15693 cards, as well as other types of RFID transponders operating at 13.56MHz, including NXP Mifare Classic, Plus, Ultralight, Ultralight C, NTAG, ICODE, DESFire / DESFire EV1, TI Tag-it, HID iCLASS, LEGIC Prime and Advant, Infineon my-d, and many other tags.

New firmware can be uploaded via a USB bootloader, and a human-readable command set allows users to configure the card’s behaviour and update the settings and content of up to eight internally stored, virtualized contactless cards.

In a demonstration video, Managing Director Timo Kasper shows the card in action, granting himself free access to parking lots, hotel rooms, public libraries, or even crediting his lunch card with extra meals at the university canteen. 

Originally, Kasper was set to become an electronic engineer, not a cryptographer, but he turned to cryptography back in 2006, when his Diploma thesis dealt with practical relay attacks on contactless NFC cards. This is when he built his first in-house test boards, which would prefigure today’s ChameleonMini kits.

Later, both Kasper and Oswald undertook PhDs in the field of embedded security, doing research on smart card security analysis and publishing their results on side-channel attacks, fault injections and power analysis to retrieve cryptographic keys.

More notoriously, at the 2011 Workshop on Cryptographic Hardware and Embedded Systems (CHES 2011), Oswald presented a paper titled "Breaking Mifare DESFire MF3ICD40: Power Analysis and Templates in the Real World". The two friends then left university and founded Kasper & Oswald GmbH in 2012 to offer their consulting services and carry out product development in the field of embedded security and IT applications.

When asked if that Kickstarter campaign could lure some makers into designing smartphone-based fraudulent applications, Kasper points to the other side of the coin.

"If you sell a hammer, it can be used to hammer some nails, or it can be used to commit crime. Of course, it would be criminal to use our kit to gain unlawful access or to steal from other people. But from the feedback we have received, most people are into penetration testing. They want to figure out if their system is working correctly and securely. The only way to convince your managers that they have a security problem is to open a door in front of their eyes or to show them that their coffee machine is distributing free coffees" he explains.

"By making our kit so cheap and easily accessible, what is going to happen is that more companies are going to realize that their systems are not so secure or not well implemented. There are hundreds of NFC door lock companies, but often they don’t have the knowledge to correctly implement cryptography.

"It requires key management, individual firmware to be programmed for each lock. They may use very secure and capable chips from semiconductor vendors, but for a lack of know-how, they don’t change the default security settings, or simply put, they don’t read the instructions" Kasper continues.

So, is Kasper a sort of agitator in this market?

"Well, there should be no market for useless door knobs!" he answers. "Then secure chip vendors are happy to create better chips too as a way to renew their business among better educated customers".

The company sees the ChameleonMini as a non-profit project. "If it pays for itself and we can make it available cheaply, then we’ll be happy with the extra visibility our business will gain from it" says Kasper, "this could drive more companies to come to us for help, to implement a better solution for them".

Kasper hopes the open source community will strive to find new exciting applications and contribute back to the project. "It would be interesting to see if some makers find new uses for their current smartcards, say to connect and control an IoT network at home".

In the end, selling the ChameleonMini could well bring some income, but Kasper & Oswald GmbH could use that money to support PhD candidates performing valuable research for them while staying connected with the academic world, in some way feeding the money stream back into more knowledge for the open source community.
