Revisiting RFID Mifare Classic security in the context of investigations that account millionaire losses a case study based on the ticketing system implemented in Brazil/ Revisitando a segurança do RFID Mifare Classic no contexto de investigações que contabilizam perdas milionárias um estudo de caso baseado no sistema de bilhética implementado no Brasil

Abstract

Electronic systems in the infrastructure of public and private transport services are increasing. This growth comes from the various benefits for its implementation. In the capital of Brazil, the Federal District, as well as other federative entities, an electronic ticketing system based on smart cards was adopted. The card adopted in the capital belongs to the Mifare Classic series whose internal characteristics are widely known. Although several vulnerabilities are known, this card is still widely used in Brazil and worldwide. The focus of this study is on the security of this card as a credit storage medium within the ticketing system adopted locally. The most relevant and known vulnerabilities were enumerated. These vulnerabilities were confronted with the real possibility of building a cloned card. As an expected result, it was possible to build a cloned and accepted card within the system. Finally, significant storage areas were revealed: serial number location, registration number, credit total, credit batches and a 64 bits signature. This reinforces the need to withdraw Mifare Classic cards urgently.