MIFARE Classic Security Analysis
MIFARE Classic is the most deployed contactless smart card IC in history — installed in billions of transit cards, access badges, and loyalty schemes. It is also the most thoroughly broken proprietary security system in the NFC world. This guide documents the attack surface, known vulnerabilities, and migration path.
Architecture Overview
MIFARE Classic uses NXP's proprietary crypto-1 stream cipher for authentication. Cards come in two memory sizes:
| Variant | Memory | Sectors | Blocks per Sector |
|---|---|---|---|
| Classic 1K | 1024 bytes | 16 | 4 (last is trailer) |
| Classic 4K | 4096 bytes | 40 | 4 (sectors 0–31) or 16 (sectors 32–39) |
Each sector is protected by two 48-bit keys (Key A and Key B) stored in the sector trailer (block 3 of each sector). The access-control-bits in the trailer define what operations each key permits on each block.
Crypto-1 Cipher
Crypto-1 is a 48-bit LFSR stream cipher designed by NXP in the 1990s. It was never publicly documented, but was reverse-engineered in 2008 by Karsten Nohl and Henryk Plötz. Key weaknesses:
- 48-bit key space: Brute-force is feasible with modern hardware (2^48 ≈ 280 trillion keys; GPU-based attacks complete in hours).
- Weak pseudo-random number generator: The card's RNG is based on a free-running LFSR seeded by power-up time. If an attacker can control when the card is powered (e.g., using a controlled RF field), the RNG state is predictable.
- AuthenticationAuthenticationIdentity verification of NFC tags/readers via passwords or cryptographyView full → output leaks key bits: The challenge-response protocol leaks information about the key via timing and response patterns.
- No mutual authenticationmutual authenticationTwo-way identity verification between reader and tagView full →: Only the reader authenticates to the card sector; the card does not verify the reader is legitimate.
Known Attacks
Darkside Attack
The Darkside attack exploits a weakness in MIFARE Classic authentication error handling. When the card returns a NACK during authentication, the NACK value is encrypted under a partially known keystream. An attacker can iteratively collect NACKs, recover the keystream, and extract the 48-bit key.
- Requires approximately 100 authentication attempts
- Works even without a known key to any sector
- Tools:
mfoc-hardnested(Linux), Proxmark3
Nested Authentication Attack
Once one sector key is known, nested authentication attacks recover all remaining sector keys. The attack exploits the predictable PRNG: knowing the RNG state at the start of one successful authentication allows prediction of the state at the start of the next.
- Recovery of 15 unknown keys from 1 known key in <10 seconds
- Documented by Nohl, Evans, Plötz (2008 CCC/USENIX)
- Fully automated in
mfoc(MIFARE Classic Offline Cracker)
Hardnested Attack
When the PRNG is not predictable (some post-2011 cards have improved RNGs), the hardnested attack uses statistical cryptanalysis of the XOR-sum of known encrypted nonces to reduce the key search space. Recovery time: seconds to minutes on modern hardware.
Relay Attack
Because mutual-authentication is absent, MIFARE Classic is vulnerable to relay attacks. An attacker can transparently proxy authentication between a cloned mole and a legitimate reader, granting access without knowing any key.
Card Cloning
With recovered keys, cloning a MIFARE Classic card takes under 30 seconds:
- Read all sector data with
mfocor Proxmark3. - Identify the UID. Most Classic cards have a writable UID only on "magic" cards; genuine cards have factory-fixed UIDs.
- Write the dump to a "magic card" (CUID/GEN1a/GEN2) that accepts UID overwrite commands.
Systems that validate only the UID (not the sector authentication) are trivially bypassed by UID-only clones even without a full key recovery.
Deployment Risk Assessment
| System Type | Risk Level | Reason |
|---|---|---|
| Transit fare only (no financial value) | Medium | Clone risk; revenue fraud possible |
| Access control (building security) | High | Clone = unauthorized access |
| Cash/stored value wallet | Critical | Clone = money theft |
| Loyalty points | Low-Medium | Limited fraud value |
| UID-only door locks | Critical | No crypto; UID clone trivial |
Migration Path
NXP's recommended migration targets:
| Target | Standard | Key Improvement |
|---|---|---|
| MIFARE Plus | ISO 14443ISO 14443Standard for contactless smart cards at 13.56 MHz (Types A and B)View full →-3A | AES-128 replacing Crypto-1Crypto-1Broken proprietary cipher in MIFARE Classic (reverse-engineered 2008)View full →; backward compatible sector structure |
| MIFARE DESFire EV3 | ISO 14443-4 | AES-128/192/256, mutual-authentication, transaction MAC |
| NTAG 424 DNA | ISO 14443-3A | aes-encryption, sdm, originality-signature |
For a structured migration guide see MIFARE Classic to DESFire Migration.
MIFARE Plus offers the most operationally smooth migration: it is software-backward-compatible with Classic sectors at Security Level 1, allowing existing readers to continue operating during a phased transition while upgrading to AES at Security Level 3.
Detecting Classic Cards in Your Fleet
# Proxmark3: read UID and type
pm3 -c 'hf search'
# Output includes: ATQA, SAK, type identifier
# Classic 1K: SAK 0x08, ATQA 0x0004
# Classic 4K: SAK 0x18, ATQA 0x0002
Use the Compatibility Checker to identify Classic cards by their ATQ/SAK values.
Operational Mitigations (Pre-Migration)
If immediate migration is not feasible:
- Implement back-end transaction validation (compare card UID with server-side state to detect clones presenting at two locations simultaneously).
- Add velocity checks: flag cards scanned at physically impossible speeds.
- Use sector-level MACs: add a server-computed HMAC in a data block so cloned cards cannot forge current-session data even with correct keys.
- Segment keys per location: different sector keys for different reader zones limits blast radius of a compromised key.
See also: MIFARE Classic to DESFire Migration | NFC Security Deep Dive | NFC Relay Attack Explained | NFC Anti-Counterfeiting