Hacking MIFARE Classic transport cards into universal NFC chips

June 30, 2022

If you live in a country with decent public transportation it's more than likely that you may have used a transport card to pay for the bus fares. Most, if not all of these work by using NFC chips and receivers, and many are using NXP's MIFARE chips. I'll be talking more precisely about the bip! transport cards, the ones which are actually being used in Santiago de Chile (where I'm currently living). These use MIFARE Classic with shared encryption keys for every card. What does this mean? Horrible security, but lots of fun too! Let's get started.

Disclaimer

This document was written for educational purposes only. Do not modify other people's transport cards and check for the legality of modifying transport cards before starting. I will not take any responsibility for angry roommates, arrests or thermonuclear war. In my specific jurisdiction doing this doesn't seem to be attached to any legal problems, but this may not be the case worldwide.

An accidental and catastrophic discovery

This all started by me trying to get my bip! card working with Metrodroid, an app which was built for allowing you to check how much money you have on your card, the transaction history for it and its data. Now, the process indicated in the wiki was a bit involved. Buying components off the internet, soldering, etc. Looking for another option, I spotted an app on F-Droid called “MIFARE Classic Tool”. I installed it and after a few minutes of poking around with it not only did I find out you can use it to crack the keys for a transport card, I realized you can also completely modify it. This brings me to talking about the card itself!

The card in question

Photo of my bip! card.

As I mentioned in the introduction, I'm using a bip! card, provided by Red Metropolitana de Movilidad (Metropolitan Mobility Network, translated) as my target for these modifications. In terms of security, this card is absolutely open. It uses a MIFARE Classic chip, which has been compromised all the way back in 2008, only requiring 200 seconds to crack it on a laptop from back then. Not only that, it's using the same key to decrypt every single card. This means by getting the key for one card like I did, you can modify every single card in existence.

Modifying the amount of money in the card and trying to use it will lead to the card being blacklisted from the network, from my guess by comparing it against a database. This may not seem too harmful at first, but this could mean anyone could casually deactivate transport cards with just their phone. This seems to be the reason why the Metropolitan Mobility Network has started pushing for their alternative named bip!QR. This uses an app on your phone to show a QR code which is scanned by their payment terminals. However, this system is less anonymous than the physical cards, since they're linked to your Unique Tax Registry (known locally as RUT). In a nutshell, you're either trading security or privacy with these two systems.

Modifying the card to store a website

Photo of my Pixel 3a with a bip! card below it. It has the MIFARE Classic Tool app open.

I'm using a Google Pixel 3a as my reader, since this phone is compatible with MIFARE Classic. I will link to a list of phones compatible with MIFARE Classic at the end of the document. Let's start by opening MIFARE Classic Tool and tapping on “READ TAG”. Place the card behind the phone and move it until its recognized. I'd recommend laying the phone with the card on a table in the exact position it got recognized in. Back to MIFARE Classic Tool, we'll map “extended-std.keys” and “std.keys” to our sectors. Once they're selected. Tap on “START MAPPING AND READ TAG”. This will take a few minutes, so while it's running go make a cup of coffee or play some Minesweeper. Once its done, tap on the hamburger menu on the top right and tap on “Save Keys”. Enter whatever name you like and press Ok. Take the opportunity to also back up your card, since by doing this it'll be formatted. You can do this by tapping on the floppy disk icon on the top right and giving it a more memorable name!

Once that's done, go back to the main page and tap on “WRITE TAG”. Select “Factory Format” and press the button with the same name. Select the keys you just saved and tap on “START MAPPING AND FORMAT TAG”. This shouldn't take too long. You can now write anything that can be stored in 1 KiB! I'm using NFC Tools to write the URL to my proxied Gemini capsule. And surely enough, it works as a regular NFC chip!

Conclusion

NXP has made newer versions for MIFARE which improve their security considerably and are already used in some transport systems nowadays. I think attempts at replacing the card system with deanonymized platforms like with bip!QR presents a huge privacy issue which could be abused in the future. So, to the Metropolitan Mobility Network of Santiago de Chile: Consider safer chips for a new variant of bip! cards instead of presenting this new platform. Anyways, this was a fun project to make and could serve as a business card for me. Who knows? Maybe it'll impress a few people.