2
votes

As you may know, Mifare Classic cards were hacked about 7 years ago. So now anybody can hack a Mifare card to extract its authentication keys and read its content. And after that he/she can simulate that card on his/her mobile handset, for example, and use the mobile instead of the card using NFC technology on the handset. I want to know if there is any way to detect this simulated card? (Any!) A difference between the transmission protocol between mobile and reader vs. card and reader, for example. I know that in the communication between card and reader, commands are transferred in APDU form based on the T=CL protocol. But I don't have any idea about the NFC communication.

2
I think there might be two things that could work. First, response times: an actual card is probably slower in processing and answering requests. Second, handling of corner cases: if the specifications are not 100% clear (and specifications seldom are) then there might be some slight variations in the interpretation between implementations. So an actual card might give a different response than a simulation in certain rare cases. – Eelke

There are also (at least available on dark channels) blank cards which may be fully written (including the serial number), which I assume are as worthy of detection as ones simulated by a mobile phone. What you are trying to do is salvage broken cryptography by evaluating additional side-channel information. While this is possible to some degree, I would not expect a significant gain in security (if any). Sorry, the only choice is to use better base cryptography. – guidot

2 Answers

2
votes

Most card emulation techniques (proxmark, NFC phone, UID-changeable cards, etc.) do not provide perfect emulators.

First, there are obvious differences: some transceivers cannot emulate all UIDs, ATQA or SAK (as noted in the other answer); but there are also many protocol issues with them while handling errors, or when you go slightly out of spec.

Some things I noticed while working on a transceiver driver, and testing with various cards:

  • some clone cards do not handle the power-up -> WUPA -> SEL (full selection command, with CRC) sequence correctly: they assume the first request after WUPA is CL1 (short anticollision command), so they cause a collision, while it works with genuine cards,

  • some clone cards still answer SEL if you do WUPA -> WUPA, while they should not w.r.t. the ISO14443-3 state machine (they should be stuck in the IDLE state),

  • error handling is sometimes broken (in particular when Mifare authentication fails),

  • of course, UID-changeable "Chinese" cards actually answer unlocking "magic" commands; genuine cards do not,

  • and lastly, NXP introduced an Originality Check in its cards (that is what they call it); it is marketed as a way to check that a card is genuine (I never used it, and the documentation is not public, so I can't comment on those claims), and NXP guarantees a given UID is not issued twice.

With all these, you can probably detect and reject all current clone and emulator implementations, but you cannot guarantee nobody will ever create a perfect one.

If you truly rely on un-clonable cards, Mifare Classic is probably not the relevant technology, as all its "security" features have been reverse engineered. Today, Mifare Classic should be considered a cleartext-equivalent copiable memory.

1
votes

You can check the SAK value (Select Acknowledge, Type A) from ISO 14443.
Values 0x28 and 0x38 mean Mifare emulated.
Other values by NXP here: AN10833
And another table here: ISO14443A
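An added example (not code from the question or either answer) that turns the first answer's ISO14443-3 state-machine observations (double WUPA, full SELECT after WUPA) and the second answer's SAK heuristic into one reader-side check over a captured exchange. The state model is the simplified one the first answer describes, and the UID, byte values and three sample traces are constructed for illustration, with CRC_A stripped from every frame.

```python
# Reader-side anomaly check for an ISO 14443-3 Type A exchange (added example).
# State model (simplified, as described in the first answer):
#   IDLE --REQA/WUPA--> READY (card answers ATQA)
#   READY --REQA/WUPA--> IDLE (silently; a card that still answers SEL is suspect)
#   READY --full SELECT--> ACTIVE (card answers SAK)
# All frames are given with CRC_A stripped; sample values are constructed.

REQA, WUPA, SEL_CL1 = 0x26, 0x52, 0x93
SAK_EMULATED = {0x28, 0x38}   # SAK values the second answer lists as "MIFARE emulated"

def iso14443a_anomalies(trace):
    """trace: list of (command bytes, response bytes or None). Returns a list of findings."""
    state, findings = "IDLE", []
    for cmd, rsp in trace:
        op = cmd[0]
        if op in (REQA, WUPA):
            if state == "IDLE":
                state = "READY"                  # genuine card answers a 2-byte ATQA
                if rsp is None or len(rsp) != 2:
                    findings.append("missing/short ATQA")
            else:
                state = "IDLE"                   # repeated REQA/WUPA: back to IDLE, no answer
                if rsp is not None:
                    findings.append("answered repeated REQA/WUPA")
        elif op == SEL_CL1:
            if state != "READY":
                if rsp is not None:
                    findings.append("answered SEL while %s" % state)
            elif cmd[1] == 0x70:                 # full SELECT (UID + BCC): expect 1-byte SAK
                if rsp is None or len(rsp) != 1:
                    findings.append("full SELECT after WUPA mishandled (no SAK)")
                else:
                    state = "ACTIVE"
                    if rsp[0] in SAK_EMULATED:
                        findings.append("SAK 0x%02X listed as MIFARE emulated" % rsp[0])
            elif cmd[1] == 0x20:                 # anticollision: expect UID0..3 + BCC
                if rsp is None or len(rsp) != 5:
                    findings.append("bad anticollision reply")
                elif rsp[0] ^ rsp[1] ^ rsp[2] ^ rsp[3] != rsp[4]:
                    findings.append("UID BCC mismatch")
    return findings

# Constructed sample traces (CRC_A stripped). BCC = XOR of the four UID bytes.
UID = bytes.fromhex("deadbeef")
FULL_SEL = bytes([SEL_CL1, 0x70]) + UID + bytes([0x22])
GENUINE = [(bytes([WUPA]), b"\x04\x00"), (FULL_SEL, b"\x08")]
DOUBLE_WUPA_CLONE = [(bytes([WUPA]), b"\x04\x00"), (bytes([WUPA]), None), (FULL_SEL, b"\x08")]
EMULATED_SAK = [(bytes([WUPA]), b"\x04\x00"), (FULL_SEL, b"\x28")]

if __name__ == "__main__":
    for name, t in (("genuine", GENUINE), ("double-WUPA clone", DOUBLE_WUPA_CLONE), ("emulator", EMULATED_SAK)):
        print(name, iso14443a_anomalies(t) or "no anomalies")
```

A real reader would feed this the frames its transceiver driver logs; a clone that passes every check here can still be a perfect emulator, which is the first answer's closing point.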