I’ve did a presentation at the “Gulaschprogrammiernacht” in Karlsruhe. This talk was about RFID/NFC-based payment systems that are often seen in university menses or company canteens. You typically pay with the student ID card or you employee badge, which is preloaded with money or linked to you monthly salary. The security of some of these systems is severely broken due to the usage of old and insecure RFID/NFC technologies. The talk contains some basics about those insecure RFID/NFC technologies and stories of broken systems I’ve analyzed in the past. Read more

I’ve did a presentation on the basics of RFID/NFC from my (a pentester) perspective. Since several parties were interested, I gave the presentation twice, once at the “Gulaschprogrammiernacht” in Karlsruhe and once at the “IT-Sicherheitskonferenz” in Stralsund. The main goal was to explain how some of the RFID/NFC technologies work and what security issues there are. Read more

In the process of making and improving the MifareClassicTool (MCT) I wrote two documentations about the development process. The first one covers the initial development until version 1.0.0 and also explains the basics of the MIFARE Classic technology and Android app development. It was created as part my internship semester. The second documentation covers the development process from version 1.0.0 to 1.5.2 and has some download and usage statistics. It was created as part of university project. Read more

This is a paper about RFID security. It was part of my university studies (sixth semester). The main focus is on the theory and feasibility of different attack vectors and their counter measures. Especially logical issues and physical attack vectors have been taken into account. Read more

The “Gulaschprogrammiernacht” (GPN) is a congress organized by Entropia e.V. (CCC Karlsruhe). I presented my research about the security of the student card at this congress. The similar student card system is present at most German universities. At this point in time the system was very broken, mostly because of the usage of the insecure MIFARE Classic RFID tags. Read more

MifareClassicTool (MCT) is a Android NFC app for reading, writing, analyzing, etc. MIFARE Classic RFID tags. It provides several features to interact with (and only with) MIFARE Classic RFID tags. It is designed for users who have at least basic familiarity with the MIFARE Classic technology. You also need an understanding of the hexadecimal number system, because all data input and output is in hexadecimal. A list of features can be taken from the readme. Read more

This is a paper about basic RFID security issues but with focus on the MIFARE Classic technology. It was part of my university studies (fourth semester). As part of this research, I had a closer look at the MIFARE Classic-based system of my university. Because of the multiple use cases (payment, access control, amount of free copies at the printers, etc.) there are plenty of attack vectors. Furthermore, I build an RFID zapper. This device can destroy RFID chips without leaving a trace (visible from the outside). Read more