Break Me If You Can: Exploiting PKO and Relay Attacks in 3DES/AES NFC
9 days ago
- #Key Recovery Attacks
- #NFC Security
- #MIFARE Vulnerabilities
- Analysis of vulnerabilities in MIFARE Ultralight C, MIFARE Ultralight AES, NTAG 223 DNA, NTAG 224 DNA, and non-NXP Ultralight C compatible cards.
- Relay-based man-in-the-middle techniques and partial key overwrites can reduce the keyspace of two-key Triple DES (2TDEA) from 2112 to 228 or less.
- MIFARE Ultralight AES is vulnerable when CMAC integrity checks are not enforced.
- NTAG 223/224 DNA security is undermined by lack of integrity checks and CMAC over Secure Unique NFC (SUN) messages.
- Non-NXP cards (ULCG, FJ8010, USCUID-UL) have flawed PRNGs and missing anti-tearing mechanisms, enabling complete key recovery in under 60 seconds.
- Partial Key Overwrite Attack reduces key-recovery brute-force workload against 2TDEA and AES-128 keys.
- Theoretical Single-Tag Recovery method to recover the full 112-bit 2TDEA key from a single NXP Ultralight C tag.
- NTAG 22x DNA Attack enables faster offline CMAC brute-force for recovering the SUN message authentication key.
- Real-World Deployment Survey shows configuration lapses around key diversification, lock bytes, and integrity mechanisms.
- Mitigations include enabling CMAC integrity verification, key diversification, locking critical memory pages, and verifying supply chain integrity.