Blocking cards are affordable devices for protecting smart cards. They are placed close to the smart cards and either generate a noisy jamming signal or shield them. Through this repo, we release the tools we developed for inspecting the spectrum emitted by blocking cards and for setting up our attack against the MIFARE Classic and the MIFARE Ultralight.
All results were produced with a patched version of libnfc that avoids segmentation faults: https://github.com/blackwiz4rd/libnfc, commit 6de2cf2bb3d88fa70978363bde2eb7e490568f5d.
In order to evaluate the performance of the blocking cards, their spectra were analyzed without any card/reader interaction, just by activating the magnetic field:
- Profiling.ipynb: produces PDFs and PSDs of the blocking cards.
- magnetic_field_up.c: activates the EM field of the reader for the requested number of seconds.
Usage:
magnetic_field_up <numSeconds>
The attack consists of two different phases:
- Recording the signal of the communication between the Reader and the MIFARE Classic.
- Demodulating the raw signal previously acquired.
During the first phase, the attacker needs to capture the raw signals of the communication using GNURadio. To let the reader send a specific sequence of commands to read data written on the MIFARE Classic, the attacker can rely on the mfclassic_apdu_get_data script, which is used as follows:
mfclassic_apdu_get_data <numIterations>
where:
- numIterations: specifies how many times the sequence of commands should be sent from the Reader to the MIFARE Classic.
Once the signal has been collected, the attacker just needs to launch one of the two following Jupyter notebooks:
- MifareClassicAtttack.ipynb: uses a single raw signal file to show the entire communication between the Reader and the MIFARE Classic, decrypting all the messages that contain data retrieved from the MIFARE Classic.
- DemodulationAnalysis.ipynb: can process several raw signal files at once to analyze different blocking cards, computing different metrics and storing them in a CSV file.
The same two phases apply to the MIFARE Ultralight. During the first phase, the attacker needs to capture the raw signals of the communication using GNURadio. To let the reader send a specific sequence of commands to read data written on the MIFARE Ultralight, the attacker can rely on the apdu_get_data script, which is used as follows:
./apdu_get_data <numRepetitions> <numIterations>
where:
- numRepetitions: specifies the number of repetitions of the experiment (e.g. the user can execute the experiment several times; the electromagnetic field goes down between one experiment and the next).
- numIterations: specifies how many times the sequence of commands should be sent from the Reader to the MIFARE Ultralight (e.g. 80). During the iterations the electromagnetic field stays up.
Once the signal has been collected, the attacker just needs to launch the following Jupyter notebook:
- MifareUltralightASR.ipynb: calculates attack success rate metrics.
For the MIFARE Ultralight analysis, an averaging technique was applied to multiple repetitions of the same signal portions (the tag messages) in order to evaluate whether decoding improves.
Two more Jupyter notebooks are released to study the features that the noise emitted by a blocking card should have in order to be effective. They both apply the same strategy:
- Load the clean signal of the communication acquired using GNURadio.
- Add noise to the clean signal in order to simulate the behaviour of a blocking card.
- Analyze the performance of the demodulator in the presence of different kinds of noise.
More in detail:
- NoiseSimulationGaussian.ipynb: adds Gaussian noise at different percentages: 5%, 10%, 15%, 20%, 25%, 30%.
- NoiseSimulationFixedFrequencies.ipynb: adds noise at different fixed frequencies.
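The noise-simulation strategy above, together with the averaging used for the MIFARE Ultralight analysis, as an added toy model that is not part of the repository's notebooks: a constructed Manchester-coded bit stream stands in for the tag's reply, Gaussian noise is scaled as a percentage of the signal amplitude, a fixed-frequency tone is added by its period in samples, and a half-bit-comparison demodulator reports the bit error rate. SPB, AMPLITUDE and every function name are assumptions of this example; the model also goes beyond the 5-30% range to show where averaging starts to help and why a tone aligned with the bit clock is far more damaging than one at twice its frequency.

```python
import math
import random

SPB = 4            # samples per half-bit in the constructed baseband signal (assumption)
AMPLITUDE = 1.0    # normalised load-modulation depth of the clean signal (assumption)


def manchester_encode(bits, spb=SPB):
    # Constructed stand-in for the tag reply: 1 = high then low half-bit, 0 = the reverse
    out = []
    for b in bits:
        first, second = (AMPLITUDE, 0.0) if b else (0.0, AMPLITUDE)
        out += [first] * spb + [second] * spb
    return out


def manchester_decode(samples, spb=SPB):
    # Decide each bit by comparing the mean level of its two halves
    bits = []
    for i in range(0, len(samples), 2 * spb):
        first = sum(samples[i:i + spb]) / spb
        second = sum(samples[i + spb:i + 2 * spb]) / spb
        bits.append(1 if first > second else 0)
    return bits


def add_gaussian(samples, pct, rng):
    # Gaussian noise whose standard deviation is pct of the signal amplitude
    return [s + rng.gauss(0.0, pct * AMPLITUDE) for s in samples]


def add_tone(samples, period, amp):
    # Fixed-frequency jamming tone with the given period in samples
    return [s + amp * math.sin(2 * math.pi * n / period) for n, s in enumerate(samples)]


def bit_error_rate(bits, decoded):
    return sum(a != b for a, b in zip(bits, decoded)) / len(bits)


def gaussian_ber(pct, repetitions=1, n_bits=256, seed=1):
    # BER under Gaussian noise; repetitions > 1 averages independently noisy
    # copies before decoding (the averaging technique used for the Ultralight)
    rng = random.Random(seed)
    bits = [rng.randrange(2) for _ in range(n_bits)]
    copies = [add_gaussian(manchester_encode(bits), pct, rng) for _ in range(repetitions)]
    averaged = [sum(col) / repetitions for col in zip(*copies)]
    return bit_error_rate(bits, manchester_decode(averaged))


def tone_ber(period, amp, n_bits=256, seed=1):
    # BER under a single fixed-frequency tone of the given period (in samples)
    rng = random.Random(seed)
    bits = [rng.randrange(2) for _ in range(n_bits)]
    noisy = add_tone(manchester_encode(bits), period, amp)
    return bit_error_rate(bits, manchester_decode(noisy))
```

With SPB = 4 a tone of period 8 samples is locked to the bit clock and flips every 0 bit even at modest amplitude, while a tone of period 4 samples cancels within each half-bit and leaves this demodulator untouched regardless of amplitude; both effects are properties of this toy model, not of a real reader.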
Luca Attanasio
Marco Alecci
Federico Turrin
Eleonora Losiouk
Alessandro Brighente
We are members of SPRITZ Security and Privacy Research Group at the University of Padua, Italy.
Are you using OpenScope-sec in your research work? Please cite us:
The paper is still under submission.