Hacking a parking system

Have you ever been to a shopping mall and used an NFC card to access(and pay) the parking spot? In this article, I will explain how I got access to it and could add an unlimited balance to the card. I will also mention what they could have done better for this to not happen.

The system

I want to start describing the process first; you probably have seen many like this. You try to go to a place and right before you access the parking lot
there is an automatic barrier where you usually:

• Press a button and get a ticket. This will lift the barrier.
• Park your vehicle.
• Spend some time at the place you are supposed to be.
• Go back and pay the ticket obtained in step one.
• Leave the place. At one point you will get to another automatic barrier where you can return the ticket and then you can leave if it is paid for.

This is probably something familiar to most people reading this. Now some places will offer a prepaid card to skip the last step described before. This allows a better user experience and this was the case I will expose today.

Identifying the technology

The first thing to know is what technology they are using. This card looked like any other PVC Card out there with the Shopping Mall logo on it so we need to identify what they are using.

I use an application called “NFC Tools” that you can download from the Play Store (Android only). Your phone needs to have NFC as well for this to work. This is what I got when I scanned the card:

Here what is important is the tag type.
We can read that it is a Mifare Classic 1k.
This means it might be vulnerable to some attacks and also, depending on the implementation, it could have the balance inside the card.
Before I move to the next step I want to mention a few other possible outputs:

• Your phone does not read it(nothing happens): Then it is probably a 125Khz card. There are ways to clone them but certainly not with your phone. These cards don’t store data that keeps changing so cloning the card would not help much.
• You have a Mifare DESfire: This card uses 3DES or AES for authentication. This is not a target we can attack unless they left default keys, which is very unlikely.
• Another type: You will have to read and see what the chip is capable of doing and if there is an easy way to read and change the contents.

Reading the content

The good thing about being a Mifare Classic is that you can easily read the content using an app called “Mifare Classic Tools”, which you can get in the Play Store. I tried using it but I couldn’t read the contents but this was expected, all it means they are not using the default keys. This means we have to get the keys.

For that, I used a tool called proxmark3. Now, this is an actual piece of hardware you can buy online. I recommend it if you want to get into the RFID research world.

I used one of the attacks that it offers for Mifare Classic and this is what I got:

In the Mifare Classic 1k, there are 16 sectors. There are two keys per sector, A and B. This is why we got a total of 32 keys.
Each key is 6 bytes long. These are all hex values. I deleted part of them because these are the actual keys of this system. No, you can’t brute force them just like you would do if this was online because the card takes some time between requests so it will take a long time to figure out just 6 bytes.

Anyways we can see A key is the same for all sectors. Key B is different. Some of them came out as 0x000000000000 but that was because the attack failed a few times. I’m able to run the attack again but also you can tell there is a pattern so I was able to figure out the missing keys.

After that, I opened Mifare Classic Tools, loaded the keys, and started reading the card. Only one sector had data. This is what I got:

This might be confusing but one of the things that you can do with the app is to turn the Hex values into ASCII so that’s what I did:

Easy enough, I got what I was looking for. The first line is the card number (it was printed on it) but the third line had the actual balance, that that time, 8000 CLP which I was able to change easily with the same application into any number I wanted. I tested the card on the system and it worked! No online checks at all.

Note that is very common for this type of card to have the balance inside them. These are commonly used in transport systems and they handle the balance inside because they can’t depend on the internet for it to work, if not, what would happen if the internet goes down? People wouldn’t be able to access it that’s why they keep the balance inside to avoid this dependency.

What they could have done better

I called the shopping mall, but they sent me to the parking system provider and I gave them enough details so they could take care of the matter. If you have a system that uses this technology a few things you can do to avoid this type of vulnerability is:

• Do Not use Mifare Classic.
• If you are using Mifare Classic, NXP patched most of the vulnerabilities so you have to buy directly from them to get the latest version.
• If the card can’t be replaced, then a good thing to do is to bind the balance with the card UID (which can’t be changed in a real card) and then put a signature or checksum. If someone changes the balance then it can be detected and also if a person dumps the content of Card X into Card Y you will be able to tell since UID won’t be part of the dump.

There are several other things to do because there are card emulators that can even clone the UID of the card but at least it wouldn’t be that easy for an attacker to access and change the card balance if you follow some of the recommendations above.