hacktricks/todo/radio-hacking/flipper-zero/fz-nfc.md
2024-07-18 22:49:07 +02:00

6.7 KiB
Raw Permalink Blame History

FZ - NFC

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Intro

For info about RFID and NFC check the following page:

{% content-ref url="../pentesting-rfid.md" %} pentesting-rfid.md {% endcontent-ref %}

Supported NFC cards

{% hint style="danger" %} Apart from NFC cards Flipper Zero supports other type of High-frequency cards such as several Mifare Classic and Ultralight and NTAG. {% endhint %}

New types of NFC cards will be added to the list of supported cards. Flipper Zero supports the following NFC cards type A (ISO 14443A):

  • Bank cards (EMV) — only read UID, SAK, and ATQA without saving.
  • Unknown cards — read (UID, SAK, ATQA) and emulate an UID.

For NFC cards type B, type F, and type V, Flipper Zero is able to read an UID without saving it.

NFC cards type A

Bank card (EMV)

Flipper Zero can only read an UID, SAK, ATQA, and stored data on bank cards without saving.

Bank card reading screenFor bank cards, Flipper Zero can only read data without saving and emulating it.

Unknown cards

When Flipper Zero is unable to determine NFC card's type, then only an UID, SAK, and ATQA can be read and saved.

Unknown card reading screenFor unknown NFC cards, Flipper Zero can emulate only an UID.

NFC cards types B, F, and V

For NFC cards types B, F, and V, Flipper Zero can only read and display an UID without saving it.

Actions

For an intro about NFC read this page.

Read

Flipper Zero can read NFC cards, however, it doesn't understand all the protocols that are based on ISO 14443. However, since UID is a low-level attribute, you might find yourself in a situation when UID is already read, but the high-level data transfer protocol is still unknown. You can read, emulate and manually input UID using Flipper for the primitive readers that use UID for authorization.

Reading the UID VS Reading the Data Inside

In Flipper, reading 13.56 MHz tags can be divided into two parts:

  • Low-level read — reads only the UID, SAK, and ATQA. Flipper tries to guess the high-level protocol based on this data read from the card. You can't be 100% certain with this, as it is just an assumption based on certain factors.
  • High-level read — reads the data from the card's memory using a specific high-level protocol. That would be reading the data on a Mifare Ultralight, reading the sectors from a Mifare Classic, or reading the card's attributes from PayPass/Apple Pay.

Read Specific

In case Flipper Zero isn't capable of finding the type of card from the low level data, in Extra Actions you can select Read Specific Card Type and manually indicate the type of card you would like to read.

EMV Bank Cards (PayPass, payWave, Apple Pay, Google Pay)

Apart from simply reading the UID, you can extract a lot more data from a bank card. It's possible to get the full card number (the 16 digits on the front of the card), validity date, and in some cases even the owner's name along with a list of the most recent transactions.
However, you can't read the CVV this way (the 3 digits on the back of the card). Also bank cards are protected from replay attacks, so copying it with Flipper and then trying to emulate it to pay for something won't work.

References

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}