NFC Card Vulnerability Exploitation Leading to Free Top-Up i...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://sec-consult.com/vulnerability-lab/advisory/nfc-card-vulnerability-exploitation-leading-to-free-top-up-kiosoft-payment-solution/
• Blog Title: NFC Card Vulnerability Exploitation Leading to Free Top-Up in KioSoft “Stored Value” Unattended Payment Solution (MiFare)
• Suggested Section: Generic Hacking / RFID & NFC (MiFare Classic) Attacks

🎯 Content Summary

Product / Scope
KioSoft “Stored Value” unattended payment solution that uses MiFare Classic NFC cards. Assessed cards in the field (as of Q1/2025) were affected; vendor states current firmware/hardware were impacted as of Q2/2025.

CVE
CVE-2025-8699 (Impact: high).

Root cause and system design
The system stores the account balance client-side on a MiFare Classic NFC card and relies on on-card integrity checks. MiFare Classic uses NXP’s proprietar...

🔧 Technical Details

MiFare Classic offline stored-value tampering via broken Crypto1 and differential dumps: When a payment system stores balances on MiFare Classic, use a Proxmark to dump the card (hf mf autopwn) and recover keys. Perform differential analysis of multiple dumps (before/after legitimate top-ups) to locate the balance and integrity fields. Recompute the observed XOR-based checksum (value ⊕ unknown field ⊕ constant) after changing the balance, then write the modified dump back to a tag.

Cloning with UID-changeable (“Chinese magic”) tags to preserve recognition: Program the modified dump to a writable MiFare Classic clone (hf mf cload -f ...) and set its UID to the original (hf mf csetuid -u <uid>). Many terminals trust the on-card state and the UID for card identity, so the manipulated balance is accepted across readers that do not verify against an online ledger.

General defense-in-depth pattern: Avoid offline...

🤖 Agent Actions

I explored the repository and found existing, relevant pages under src/todo/radio-hacking that cover RFID/NFC and Proxmark usage:

• src/todo/radio-hacking/pentesting-rfid.md
• src/todo/radio-hacking/proxmark-3.md
• src/todo/radio-hacking/flipper-zero/fz-nfc.md
• src/todo/radio-hacking/flipper-zero/fz-125khz-rfid.md
• src/todo/radio-hacking/README.md

Given the blog’s content is highly technical and directly related to MiFare Classic exploitation, I updated existing pages instead of creating new ones. I focused on adding the concrete exploitation workflow with Proxmark commands and the methodology (differential dumps, checksum recomputation), keeping vendor-specific constants/PoC redactions in mind and abstracting the technique.

Changes implemented:

1. Updated MiFare Classic attack methodology in the general RFID page
   File: src/todo/radio-hacking/pentesting-rfid.md

• Added a new subsection under “High-Frequency RFID Tags (13.56 MHz) -> Attack” titled “MiFare Classic offline stored-value tampering (broken Crypto1).”
• Documented the end-to-end workflow used in the advisory:
  • Dumping and recovering keys with Proxmark (hf mf autopwn)
  • Differential analysis of dumps to locate balance/integrity fields
  • Recomputing simple integrity checks (e.g., XOR-based) and ensuring Classic value block consistency
  • Writing to UID-changeable “Chinese magic” tags (hf mf cload -f)
  • Cloning original UID (hf mf csetuid -u )
• Added practical notes about value blocks, custom checksum hunting, and UID-changeable tag requirements.
• Kept it generic and educational (no vendor-specific constants).
• Appended references with:
  • SEC Consult advisory URL
  • NXP Crypto1 security statement
  • MiFare security overview (Wikipedia)

2. Expanded Proxmark3 page with the specific workflow and commands
   File: src/todo/radio-hacking/proxmark-3.md

• Added a subsection “MiFare Classic quick workflow for stored-value abuse” right after the existing Classic commands:
  • hf mf autopwn
  • hf mf cload -f modified.bin
  • hf mf csetuid -u <original_uid>
• Included notes on autopwn behavior (nested/darkside/HardNested), magic tags/UID write constraints, and ensuring integrity fields are consistent after edits.
• Added a reference link back to the broader methodology in pentesting-rfid.md via internal {{#ref}}.
• Created a “References” section with:
  • Proxmark wiki (HF Mifare, HF Magic cards)
  • NXP Crypto1 statement
  • SEC Consult advisory

Why these locations?

• HackTricks already has an RFID section and a dedicated Proxmark page in src/todo/radio-hacking. The blog’s technique fits perfectly within these pages. The “Generic Hacking” location suggested by the user would be less aligned with the repository’s current structure for radio/NFC content.

References added (both updated files include a references section at the end):

• NXP statement on MIFARE Classic Crypto1: https://www.mifare.net/en/products/chip-card-ics/mifare-classic/security-statement-on-crypto1-implementations/
• MiFare security overview: https://en.wikipedia.org/wiki/MIFARE#Security
• SEC Consult advisory: https://sec-consult.com/vulnerability-lab/advisory/nfc-card-vulnerability-exploitation-leading-to-free-top-up-kiosoft-payment-solution/
• Proxmark3 wiki pages where relevant

No new files were created. The updates adhere to HackTricks style, include code blocks, keep existing content intact, and add internal references where appropriate.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

• searchindex.js removed: This auto-generated file has been removed to prevent conflicts.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://sec-consult.com/vulnerability-lab/advisory/nfc-card-vulnerability-exploitation-leading-to-free-top-up-kiosoft-payment-solution/

Content Categories: Based on the analysis, this content was categorized under "Generic Hacking / RFID & NFC (MiFare Classic) Attacks".

Repository Maintenance:

• MD Files Formatting: 876 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0