RFID hacking

Since my university still used the MiFare Classic system, I became very interested in card decryption and hacking. I found that the school's system only used the first block (Sector 0) to serve as verification and access to buildings at the terminal. This section is not encrypted on any MiFare card, and is easily read by any phone with an NFC chip. As such, I was able to easily copy the data to a blank card (with Sector 0 direct write features) and access the doors with the clone. I later incorporated the RFID chip into my makeshift iPod Nano smartwatch (before they became mainstream).

However, when reading my card, Sector 1 always came up blank since the keys were hidden. This surprised me, since Sector 0 was sufficient for doors. However, in my second year, the dining halls and printers had gotten RFID tag readers to replace the older swipe method (perhaps because of my MagSpoof variant?). With this, I found that Sector 0 alone could not work, and the Sector 1 was likely required. After more research into the topic, I came across the extensive work by Kaspar & Oswald and the work in Germany on card decryption, and decided to get a ChameleonMini. With a simple ACR122U, I was able to use MFOC to recover the Sector 1 keys on my card, and transfer them to the Chameleon and other writable tags. With this, I was now able to access the new terminals for payment option.

After my third year, it seems my university stepped up its efforts on security, and now uses the Mifare Classic EV1 cards. Unfortunately for the school, these cards are able to be decrypted since they still are using an outdated model, but not without $3000 in equipment (which fortunately the EE Department has available). I have yet to look into this method for decryption since it is time consuming, and since Sector 0 is still the only thing needed to access doors, there is little incentive.