Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2023-12-03 18:55:39

quterydyf
Contributor
Registered: 2023-02-15
Posts: 23

MFKS attack: any details?

Warning: all of the following is my understanding of Google translation from Russian. Native speakers are welcome to correct.
TL;DR: like darkside, yet better. But a special reader is necessary (I know you hate this phrase).

So, someone claims a new (in 2016 and not yet discussed there) attack against Classic [3][4]. It recovers one key in presence of weak PRNG, and has more chances to succeed compared to mfcuk/darkside.
The attack is published as a win32/win64 binary for a specific reader RD-03AB, as a demo of its capabilities, on its page [1].
Executables are not obfuscated, but not easy to read either. Reader API documentation [2] may help.
Nothing is provided for normal readers, libnfc is not supported, and their reader is not easy to get (no buy button, Belarus-based company [5]), so I can't actually verify this attack.
Is it something worth exploring? Does anybody already know the details?

[1] https://www.anyram.net/anyram_ru/develo … /index.php
[2] https://www.anyram.net/anyram_ru/develo … b-2-DS.pdf
[3] https://anyram.net/blog_ru/?p=712
[4] https://anyram.net/blog_ru/?p=954
[5] https://www.anyram.net/anyram_ru/contacts/index.php

Offline

#2 2023-12-04 19:57:08

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: MFKS attack: any details?

Interesting,
never heard of this MFKS software nor seen it before.

I wonder what method for recovery it does.

Offline

#3 2024-01-15 18:33:44

quterydyf
Contributor
Registered: 2023-02-15
Posts: 23

Re: MFKS attack: any details?

Some possibilities, with no substantial base. I assume their claims are correct. Ordered by perceived plausibility.
- Some way to avoid or deal with 'unexpected behavior' of PRNG as called by PM3
- Darkside modification that works with card always sending NACK (IIUC PM3 doen't).
- The 'Practical attack on patched Mifare Classic' - works when NACKs are leaked, but RNG is strong
- A shiny new vulnerability: some people argue one was inserted deliberately in Classic and thus it's likely modern replacements have them, too.

Offline

Board footer

Powered by FluxBB