MIFARE Classic Anti-Copy Detection #1345
Comments
@gornekich Let me know your thoughts on how to implement for the entire community, and next steps so I can provide the anti-copy detection rules. |
Hello @quantum-x . Thanks for information! For now we ignore counter related commands during emulation. I can see that this can cause problems, and we try to add working with counters soon. I guess it will solve the issue, when user just copy the card to flipper and no longer use the original card. Further we will add users possibility to synchronize both variants of card. It will come after we add write functionality. Flipper can detect if the data was updated during emulation, and I think it's a good point to notify user about it. I will talk with our UX designers and come back with solution. I'm not sure I understood you correctly about additional script that can be run against a saved Mifare Classic dump that checks for Anti-Copy Could you explain the solution in more details? |
Hi @gornekich. To be clear, the anti-copy algorithms are not simply consecutive counters (0x01, 0x02, 0x03 etc.); it's heavily obfuscated data that is written 'randomly' over the badge. Regarding 'Additional Script that can be run against a Mifare Classic Dump':
In France, ~20% of badges on the market have anti-copy. As EU customers are starting to receive their Flipper devices, there is a very high risk that customers will de-activate their building badges by mistake, with no warning and no way to repair the badge except to buy a new one (~50EU - 100EU) from the building manager. Detection is reliable and "easy" to implement; perhaps we should try to implement this quickly. |
Hello @quantum-x. We discussed this issue with our team and our priority is to support all commands during Classic emulation. Regarding anti-copy algorithms, we need at least badge dumps. It would be nice if you could send a few dumps with anti-copy signatures and provide an algorithm to detect the signature. Further, it would be perfect to get these badges and maybe readers on hand for tests. Is it possible for you to send them to us? |
Hi @gornekich. Regarding detection and rules, I have full rule-sets for detecting all types of known anti-copy on the market. We are happy to open-source this code, as it's important for the community. If possible, we'd appreciate acknowledgement for the hard work of the dev team. There are five brands using anti-copy:
Each brand has different generations of algorithms. The common methods:
COGELEC brands: generic detection for COGELEC brands; Intratone
Hexact: Hexact A, Hexact B, Hexact C
Comelit: Comelit A, Comelit B, Comelit C
Noralsy: Noralsy A
Urmet: Urmet A
Generic
We can provide dumps to test against if required. Please note, there are some badges that match A/C rules that do not have anti-copy enabled, but this false positive rate is ~2% maximum. Hopefully these methods should remove some workload from your dev-team. |
I've got one dump made some time ago from a Cogelec/Intratone badge with all keys. Could it help? |
This one should indeed trigger the A/C Intratone ("COGELEC") algo. |
Hello @quantum-x, to see if a badge is really protected, should the data change if dumped before and then after the badge is used to enter? I have a spare Urmet badge with the pattern matching, but the content doesn't seem to be updated when used. |
@LoganMcClay The content doesn't necessarily update on each scan. With that said there is a 'before and after' difference between badges that don't have anti-copy enabled, and badges that do have anti-copy enabled - this is what the above algorithms detect. |
OK, so my badge is from Immotec and the first thing I did when I received my Flipper was try to copy it (obviously I didn't read this thread before). It seems it didn't work, as I was unable to open my door with my Flipper. I will go and test if my badge still works. Should I just stop everything about it for now? Should I delete the saved NFC? This sure is a huge problem and needs to be told to EU users. |
How does it work when there are several users/badges for the same building, to synchronize everything? |
If your badge contents match the IMMOTEC anti-copy rules above, do *not* attempt to emulate the badge.
IMMOTEC anti-copy will block the copy and the original badge. Depending on the configuration of the system, it can also erase the badges assigned to your apartment.
If your badge does not match the anti-copy rules, you should be OK to emulate it.
|
another user posted :
😥 |
The one with permanent access could be interesting ;) |
Did you test it successfully ? |
Link to Pastebin. |
This is a thread about providing detection of anti-copy algorithms put in place by French access control manufacturers, to prevent Flipper Zero owners from inadvertently erasing their original cards when they make private copies, or when they make in-scope penetration tests. @Foul @Yomi2023 @Sweedn You are discussing the VIGIK service cards, which are out of scope of this thread. |
I want to propose another anti-copy situation: the original card is a Mifare Classic 1K card, SAK:08, KeyA/B are FFFFFFFFFFFFF, so it can be copied and stored by F0, but when F0 simulates, systems like the elevator system and access control system cannot read the content normally (no response at all). Later, I found information on the Internet saying that these systems "may" have a firewall, and need to use a card type called "CUID" (probably the so-called magic card) to work normally. In practice, a copied card using CUID can pass through the above systems normally. Is it possible for F0 to update the firmware to read data normally through the above systems? Thank you. |
Hi!
Thanks for providing the dump and thanks a lot to contributors such as @quantum-x for the hard work. A first interesting thing to note about this dump is what we see at
$this->hex_substring($this->hex_dump, 0x03c0, 0x3c5) == "484558414354" && // 3c0-3c5 == HEXACT
Hope this helps |
Looks like NFC plugin system solves this issue. Please contribute plugins ;-) |
What do you mean by the "NFC plugin system", and how does it solve the issue? |
@anonymous10download NFC plugin system currently covers card data parsing, helps to identify and visualize known systems data. For example: #3325 |
This was very informative ! thank you for all the contributors ! I’m an expat living in Paris and have obviously run into the same issue everyone else has run into on this forum. Any information on updated capabilities would be valued greatly by myself and many other EU users I’m sure. Is Flipper working on a work around, or should EU users look at this as a dead end? |
As per @skotopes post, Flipper now has plugin / parsing architecture for NFC. If someone is available to work on the structure of the plugin, I can contribute up-to-date algorithms for all known brands. Feel free to contact me. |
@quantum-x contact me via discord (leptopt1los). I will need a description of the algorithms and dumps for tests |
Hello, also I wonder if Silca, Copybadge and Rebadge do this kind of check as well. I think I've heard Copybadge and Rebadge sometimes copied protected badges, but I recall a Silca copier owner saying it would detect the anti-copy straight away. But I also do think Silca is less "intrusive" in the way it clones badges, as it requires an internet connection to work, iirc. @Leptopt1los, @quantum-x, did you get in touch together? ♥ everyone |
Copybadge.fr claims to be able to re-activate badges which have been disabled when a clone copy has been used. I haven't dared to try. They say at https://www.copybadge.eu/copybadge/comprendre-les-systemes-anti-copies/
|
Hi, but what about Hexact badges? I got a dump of my own badge and I want to emulate it. Any ideas please? |
More than an implication, I would say; they make pretty clear that they do. |
As to Hexact, I think you will need to dump the badge, use it, dump it again, use it again for at least 17 cycles and compare all the copies to see if there are changes recorded on your Hexact fob. It seems that some have no local on-fob anti-copy storage in use and others have that set up. It is a choice made when the building system is set up. The copy companies suggest that unless copropriétaires (co-owners) have agreed and been informed of an exclusivity forbidding copying of entrance badges, then they have (in France) a right to be able to make and use copies. Rebadge say they check if copies are allowed, so it might be possible to use them for a test? |
Do you think the code at the top may be useful for the anti-copy detection?
public function detectAntiCopyFromFile($filePath)
}
$filePath = "chemin/vers/le/fichier/badge_dump.hex";
There is some code for Hexact badges. |
Background
In France, almost every apartment building uses RFID Access Control based on MIFARE Classic 1K badges.
The keys to decode these badges are well known (and in Flipper's library), and the badges can be easily cloned / emulated.
However, in France many Access Control Manufacturers now include anti-copy algorithms in the badge contents.
While the implementation differs between manufacturers, the overall technique remains the same.
Each time a badge is scanned on the building, a counter in the badge contents is updated.
The next time the badge is scanned, the Access Control Reader checks the contents of the counter.
If the counter is not at the expected value, the badge is rejected.
The problem
When badges with anti-copy are cloned, the contents of the original badge and the new clone (or emulation) become desynchronised. When de-synchronisation is detected, the copy will work, but the original badge will no longer work.
If the badge was emulated the original will no longer work, and the emulation will no longer work either (because its contents weren't updated during the emulation).
Depending on the brand of the badge, typically only one badge is de-activated. However some brands (such as Immotec) will deactivate all badges associated with an apartment when cloned badges are detected.
Although this problem is concentrated in France, it is also present in Belgium, UK, Germany and Australia.
As more and more people in Europe will be getting their hands on Flippers, I feel it's important to discuss the issue, to prevent people unintentionally breaking their residential badges / locking themselves out.
Suggestions for a solution
The anti-copy algorithms for each brand and model have a unique fingerprint, and can be detected.
I am unsure of the best way to implement (if at all) some type of detection / protection.
I have the full list of signatures for all brands and models with anti-copy for all of Europe, and will happily contribute this information.
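To make the two detection ideas in this thread concrete, here is an added example (not Flipper's code and not @quantum-x's rule-set) that combines a static signature check with the dump/use/re-dump comparison suggested above. The only real rule it uses is the HEXACT byte string quoted earlier in the thread (bytes 0x3C0..0x3C5 == 48 45 58 41 43 54); everything else is assumed: the dumps are parsed in the `Block N: xx xx ...` line style of Flipper `.nfc` files (assumed format), the sample dumps are constructed and contain no real badge data, and the "counter" in block 4 is a hypothetical location chosen for the demonstration, since real implementations obfuscate where they write.

```python
import re
from typing import Dict, List

BLOCK_SIZE = 16
BLOCKS_1K = 64                                  # MIFARE Classic 1K: 16 sectors x 4 blocks
DEFAULT_KEY = bytes.fromhex("FFFFFFFFFFFF")     # the well-known default key the thread refers to
TRANSPORT_ACCESS = bytes.fromhex("FF078069")    # factory ("transport") access bits
DEFAULT_TRAILER = DEFAULT_KEY + TRANSPORT_ACCESS + DEFAULT_KEY
HEXACT_MARKER = bytes.fromhex("484558414354")   # "HEXACT", from the check quoted in the thread


def is_sector_trailer(block: int) -> bool:
    """On a 1K card every fourth block (3, 7, 11, ...) is a sector trailer (keys + access bits)."""
    return block % 4 == 3


def make_dump(overrides: Dict[int, bytes]) -> str:
    """Build a constructed 1K dump in the 'Block N: xx xx ...' line style of Flipper .nfc
    files (line style assumed; every byte below is made up for this example)."""
    uid = bytes.fromhex("DEADBEEF")
    bcc = bytes([uid[0] ^ uid[1] ^ uid[2] ^ uid[3]])
    block0 = uid + bcc + bytes.fromhex("0804006263646566676869")   # SAK 08, ATQA, manufacturer bytes
    lines = []
    for n in range(BLOCKS_1K):
        data = block0 if n == 0 else DEFAULT_TRAILER if is_sector_trailer(n) else bytes(BLOCK_SIZE)
        data = overrides.get(n, data)
        if len(data) != BLOCK_SIZE:
            raise ValueError(f"block {n} must be {BLOCK_SIZE} bytes")
        lines.append(f"Block {n}: " + " ".join(f"{b:02X}" for b in data))
    return "\n".join(lines)


DUMP_LINE = re.compile(r"^Block (\d+):[ \t]*((?:[0-9A-Fa-f]{2}[ \t]*)+)$", re.M)


def parse_dump(text: str) -> Dict[int, bytes]:
    """Parse a dump into {block_number: 16 bytes}; refuse anything but a complete 1K image."""
    blocks: Dict[int, bytes] = {}
    for m in DUMP_LINE.finditer(text):
        blocks[int(m.group(1))] = bytes.fromhex("".join(m.group(2).split()))
    if sorted(blocks) != list(range(BLOCKS_1K)) or any(len(b) != BLOCK_SIZE for b in blocks.values()):
        raise ValueError("expected a complete 1K dump: 64 blocks of 16 bytes")
    return blocks


def flatten(blocks: Dict[int, bytes]) -> bytes:
    """Concatenate blocks into the 1024-byte image that byte-offset rules are written against."""
    return b"".join(blocks[n] for n in range(BLOCKS_1K))


def has_hexact_signature(image: bytes) -> bool:
    """The rule quoted in the thread: bytes 0x3C0..0x3C5 equal 'HEXACT' (0x3C0 is the first
    byte of block 60). A match is a warning sign, not proof that the building enables
    anti-copy: the thread puts the false-positive rate of such rules at ~2%."""
    return image[0x3C0:0x3C6] == HEXACT_MARKER


def changed_data_blocks(before: Dict[int, bytes], after: Dict[int, bytes]) -> List[int]:
    """Data blocks whose contents differ between two dumps of the same badge. Sector
    trailers are skipped: they hold keys and access bits, not a usage counter."""
    return [n for n in range(BLOCKS_1K) if not is_sector_trailer(n) and before[n] != after[n]]


def assess(before_text: str, after_text: str) -> dict:
    """Combine the static signature rule with the dump / use at the door / re-dump comparison.
    Any finding means: do not emulate until the badge is understood."""
    before, after = parse_dump(before_text), parse_dump(after_text)
    if before[0] != after[0]:
        raise ValueError("block 0 (UID) differs: these are not dumps of the same badge")
    findings = []
    if has_hexact_signature(flatten(before)):
        findings.append("hexact-signature")
    changed = changed_data_blocks(before, after)
    if changed:
        findings.append("contents-changed-between-uses")
    return {"findings": findings, "changed_blocks": changed, "emulation_advised": not findings}


# Constructed sample dumps (no real badge data):
STATIC_BLOCK1 = bytes.fromhex("0102030405060708090A0B0C0D0E0F10")
PLAIN_BEFORE = make_dump({1: STATIC_BLOCK1})
PLAIN_AFTER = make_dump({1: STATIC_BLOCK1})                       # nothing moved after a door use
COUNTER_BEFORE = make_dump({1: STATIC_BLOCK1, 4: bytes.fromhex("00000011") + bytes(12)})
COUNTER_AFTER = make_dump({1: STATIC_BLOCK1, 4: bytes.fromhex("00000012") + bytes(12)})   # hypothetical counter stepped
HEXACT_DUMP = make_dump({60: HEXACT_MARKER + bytes(10)})          # marker lands at offset 0x3C0

if __name__ == "__main__":
    for name, (a, b) in {"plain": (PLAIN_BEFORE, PLAIN_AFTER),
                         "counter": (COUNTER_BEFORE, COUNTER_AFTER),
                         "hexact": (HEXACT_DUMP, HEXACT_DUMP)}.items():
        print(name, assess(a, b))
```

Two caveats follow from the thread itself: a badge whose contents do not move between two uses is not proven safe (the comment about Urmet above shows the content is not necessarily updated on every scan, and Hexact is said to need many cycles), and a signature match is a reason to stop and warn, not a verdict. The block comparison is deliberately coarse: it reports which data blocks changed rather than trying to decode what was written there.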