13.56 MHz Smart Cards
#1
Hey all,

Does anyone have any resources or books discussing the general architecture and types of attack vectors for 13.56 MHz smart cards?

There’s a lot of mixed information online, with most people discussing the old unencrypted RFID tag... 

I'm not thinking contactless credit cards, but rather access control systems, etc. At the moment, I'm not even sure what the process is for exchanging the encrypted information and how the reader and scanner agree on a secret key, so any information or direction will be appreciated.
#2
When looking for papers I suggest you search in Google Scholar, it usually helps.
I was indeed very interested in smart cards a while ago.
I'm going to throw at you a ton of resources so you get whatever you need, hopefully my research is helpful for you haha.

First of all, smart cards are not proximity cards. I was confused at first, but while proximity cards just give a code number, smart cards have way more information, sometimes they can even be programmed.

Old badges used to run with the "Wiegand effect"; you will see people talking about Wiegand but they are not(?)* using this effect anymore, they now use proximity.
You couldn't change your card number, and it depended on the number of wires present. If you have physical access to the card you can even decode the number by pointing a bright light at it.

There are some readers that are backwards compatible and they might use this protocol to communicate with the main board. So you can hack it with plain text and this leads to replay attacks. Some systems are ADT, Keyscan or Keri Systems.
You can read more about it here: 
Wikipedia page: https://en.wikipedia.org/wiki/Wiegand_effect
Hacking the protocol (emulation, skimming, brute forcing…): http://blog.opensecurityresearch.com/201...tocol.html
A more in depth paper by HID: https://www.hidglobal.com/sites/default/...-wp-en.pdf
Demos on Youtube: https://www.youtube.com/watch?v=Rz1MfcqEJzY

Other protocols that card readers use are serial and magnetic stripe (ABA).

Proximity cards use radio frequency at 125 kHz from the reader to the card; when the card is on, the data is sent back and read by the host. They use 26/40/84 bits depending on the model. There are several talks about hacking these cards.
See for example hacking the Mifare Classic cards (a famous brand): https://www.blackhat.com/docs/sp-14/mate...Slides.pdf

They follow two standards, ISO/IEC 15693 and ISO/IEC 14443.
https://en.wikipedia.org/wiki/ISO/IEC_15693
https://en.wikipedia.org/wiki/ISO/IEC_14443

When talking about magnetic stripe cards, they can also use RFID, and a very famous hacker published hacking these cards. He's Samy Kamkar, he does a lot of amazing projects. He has a DEF CON talk but I prefer his own channel, this is the project I'm talking about: https://samy.pl/magspoof/
At the end of it you will find more standards about these in case you want to look at them too.

As you can see there are a lot of cards and depending on your case there are a lot of methods and some of them can be pretty advanced. The main difference is in encryption. Here you can watch a very interesting talk from Black Hat:
https://www.youtube.com/watch?v=1fszkxcJt7U

If you have an Arduino there are some modules you can buy and start playing with some cards ;P

The main reason why I started playing with cards was because of SIMs.
These are smart cards and they are in my opinion the most interesting ones. You can also see references to them as ICC (integrated circuit cards).

They can sometimes be programmed and even have internal memory (the ones I had were 128kb I think). Contactless smart cards also follow that ISO14443 and contact smart cards use ISO7816.
In the last one you can get info about pins and all (ground, vcc, clk, etc).
It isn't an easy task though, their protection is a pain in the ass and they run a shitty version of Java.
In this defcon talk there is some explanation about it:
https://www.youtube.com/watch?v=31D94QOo2gY

Finally there is EMV. A forum user @losthopeful gave me some good papers about this architecture. This one is mainly used for payments (e.g. credit cards).

Quote: The sim cards are EMV Chips that are on credit/debit cards. The data is to be placed in an organized database to be used later.

Here you have a library for playing with smart cards: https://pyscard.sourceforge.io
And here you have a paper where everything is explained:
http://read.pudn.com/downloads106/ebook/...erface.pdf

I ended up writing a loong response haha… might organize the ideas and make a proper thread about all this.
Hope that I helped, if you have any questions, I’ll try to help you as much as I can but this is almost all that I know about cards.
If you have more things to share about it, it would be nice to read some of your resources.

Have a nice day man!
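The reply above points at ISO 14443 / ISO 7816 and the pyscard library but never shows what the reader and card actually exchange. Contactless 13.56 MHz smart cards that implement ISO 14443-4 carry ISO 7816-4 APDUs over the RF link, so the building block worth understanding first is the APDU frame and the two status bytes (SW1 SW2) that end every response. The following is an added example written for this thread, not code from either poster or from pyscard; it encodes short-form command APDUs, splits a response into data and status, and decodes the status words a defender meets most often when a card refuses a command (security status not satisfied, retry counter, wrong Le). The AID and the response bytes are constructed, not captured from any real card, and a proprietary-range AID is used for that reason.

```python
"""ISO 7816-4 APDU framing (short-length form) and status-word decoding.

Constructed example: no hardware needed. The sample AID and response
bytes below are made up for illustration, not captured from a real card.
"""
from dataclasses import dataclass
from typing import Optional


def build_apdu(cla: int, ins: int, p1: int, p2: int,
               data: bytes = b"", le: Optional[int] = None) -> bytes:
    """Encode a short-form command APDU: CLA INS P1 P2 [Lc data] [Le].

    le=None  -> no response data expected (case 1 or 3 APDU)
    le=0..256 -> expected response length; 256 is encoded as 0x00
    """
    for value in (cla, ins, p1, p2):
        if not 0 <= value <= 0xFF:
            raise ValueError("CLA/INS/P1/P2 must each fit in one byte")
    if len(data) > 255:
        raise ValueError("short-form APDU carries at most 255 data bytes")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data          # Lc followed by the body
    if le is not None:
        if not 0 <= le <= 256:
            raise ValueError("short-form Le must be 0..256")
        apdu += bytes([le & 0xFF])                 # 256 wraps to 0x00
    return apdu


def select_by_aid(aid: bytes) -> bytes:
    """SELECT (INS A4) by DF name, P1=04 (by AID), P2=00 (first occurrence)."""
    return build_apdu(0x00, 0xA4, 0x04, 0x00, aid, le=0)


@dataclass
class Response:
    """A response APDU split into its body and the trailing SW1 SW2."""
    data: bytes
    sw1: int
    sw2: int

    @property
    def sw(self) -> int:
        return (self.sw1 << 8) | self.sw2

    @property
    def ok(self) -> bool:
        return self.sw == 0x9000


def parse_response(raw: bytes) -> Response:
    """Every response ends in two status bytes; anything before them is data."""
    if len(raw) < 2:
        raise ValueError("response shorter than SW1 SW2")
    return Response(raw[:-2], raw[-2], raw[-1])


def describe_sw(sw1: int, sw2: int) -> str:
    """Human-readable meaning for the ISO 7816-4 status words seen most often."""
    sw = (sw1 << 8) | sw2
    if sw == 0x9000:
        return "OK"
    if sw1 == 0x61:
        return f"OK, {sw2} more response bytes available (use GET RESPONSE)"
    if sw1 == 0x6C:
        return f"wrong Le, card expects Le={sw2}"
    if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0:
        # 63Cx: verification (PIN/key) failed, low nibble is the retry counter
        return f"verification failed, {sw2 & 0x0F} tries left"
    fixed = {
        0x6982: "security status not satisfied (authenticate first)",
        0x6983: "authentication method blocked",
        0x6A82: "file or application not found",
        0x6A86: "incorrect parameters P1/P2",
        0x6D00: "instruction code not supported",
        0x6E00: "class not supported",
    }
    return fixed.get(sw, f"unrecognised status {sw:04X}")


if __name__ == "__main__":
    # Constructed AID in the proprietary (F...) range; not a registered application.
    aid = bytes.fromhex("F0010203040506")
    cmd = select_by_aid(aid)
    print("C-APDU:", cmd.hex().upper())
    # Constructed reply: an FCI template (tag 6F) echoing the DF name, then 9000.
    rsp = parse_response(bytes.fromhex("6F098407F0010203040506" "9000"))
    print("R-APDU data:", rsp.data.hex().upper(), "->", describe_sw(rsp.sw1, rsp.sw2))
    print("63C2 means:", describe_sw(0x63, 0xC2))
```

With a real reader the same bytes go through pyscard as `data, sw1, sw2 = connection.transmit(list(cmd))`, and `describe_sw(sw1, sw2)` then tells you why a command was refused. The key-agreement step the original poster asked about happens before or around these APDUs and is card-family specific (MIFARE Classic's proprietary CRYPTO1 handshake, DESFire's challenge-response, EMV's own scheme); this block only covers the framing those exchanges ride on.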
#3
Sweet, thanks.

Yes I already understood about all the different types of "card", I should have been more clear.

Due to my history with RF I am specifically interested in the contactless cards operating around 13.56 MHz.

I'll take a good look at the resources over the weekend. Thanks!