OrangeCon

Getting familiar with DESFire
09-05, 13:30–15:30 (Europe/Amsterdam), Workshop track 1

MIFARE DESFire is the stronger, slightly more expensive sibling of the MIFARE family of smartcards. This workshop aims to cover the basics of the card's functions as well as how the most important crypto works. After a short lecture, it is up to you to analyze captured DESFire traces of vulnerable reader implementations with a Proxmark3 and program your own DESFire card to bypass the reader's security.


This workshop dives into the basics of the MIFARE DESFire smartcard - a popular smartcard for high-security access control and ticketing systems. The workshop will start with a short lecture covering important concepts of the DESFire standard:

  • What standards DESFire is built on top of
  • DESFire logical structure
  • DESFire authentication & cryptography
  • Analyzing DESFire with Proxmark3
  • Possible pitfalls

Afterwards, the hands-on portion of the workshop starts. A set of traces of communication between a DESFire card and a card reader with implementation defects will form the basis of the challenges. Each participant will get access to a Proxmark3 and a blank DESFire card during the workshop, with the goal of "cloning" the card used in the trace and tricking the card reader into letting you through.

IMPORTANT: This workshop requires you to bring your own laptop with Proxmark3 (Iceman fork) v4.18589 client software installed (https://github.com/RfidResearchGroup/proxmark3/releases/tag/v4.18589). Instructions on how to prepare the environment can be found under the "PROXMARK3 INSTALLATION AND OVERVIEW" section of the README. A working Proxmark3 and DESFire card will be provided for use during the workshop. The workshop can be done in a VM with a USB3 controller configured, but expect occasional communication timeouts if you choose to do so.

Sebastiaan is an Ethical Hacker at KPN with an interest in binary analysis and exploitation, system security and breaking programs in general. Before that, he worked as an incident responder and forensic analyst at KPN-CERT. Whenever the opportunity arises, he can be found at CTF events. His free time consists of GMing D&D campaigns, playing board games, traveling, cooking and daydreaming legitimized as worldbuilding for D&D sessions.