CRTM

A research on how Metro de Madrid NFC cards works.

NFC Card and http requests
Security
- Authentication
- Side channel attacks
Custom APK for debugging NFC communication

NFC Card and http requests

Constants

SalePoint: 010201000001
CONST_KEY_AT: uGpeE45u5c5AgyULp1Uy5hRHWln92g8a
CONST_KEY_ID: ZdPZfPPFYoRT9gcqm965HChS5ojEWjlz
CONST_SHA: 2L5tE938257tZ63iIb3u7L9NHdvyHW5v

Network status values

Status	Value
`Servicio LAT detenido al no haberse podido leer correctamente los ficheros de configuración`	10
`El OTP suministrado no ha podido ser validado`	20
`No es posible aplicar el perfil turístico infantil por no alcanzar la edad mínima`	50
`No es posible aplicar el perfil turístico infantil por superar la edad máxima`	51
`No es posible aplicar el perfil turístico infantil por superar la fecha de nacimiento el momento actual`	52
`El código de tarjeta indicado no figura como disponilble para venta en el fichero ITT`	53
`La tarjeta indicada para venta no tiene bloqueada la aplicacion en el TLV70 del Feap`	54
`No existe tarifa en el fichero TLP para el titulo indicado`	55
`Operación incompleta no se ha leído`	80
`Tarjeta no válida`	81
`Tarjeta no auténtica`	82
`Tarjeta con aplicación no activa`	83
`Tarjeta con aplicación caducada`	84
`La tarjeta no tiene la aplicación BIT`	85
`La tarjeta no tiene una aplicación BIT con la versión adecuada`	86
`La tarjeta no tiene títulos activos`	87
`La tarjeta esta en lista negra, operación no permitida`	88
`La tarjeta esta en lista negra, se bloquea la aplicación BIT`	89
`La tarjeta esta en lista negra, se bloquea el título 1`	8A
`La tarjeta esta en lista negra, se bloquea el título 2`	8B
`La tarjeta esta en lista negra, se bloquea el título 3`	8C
`La tarjeta esta en lista negra, se permite la operación`	8D
`No se ha suministrado la sesión`	A0
`Hay sesión pero no tenemos el objeto LAT Manager`	A1
`La tarjeta no tiene perfiles válidos`	A7
`La tarjeta no tiene un perfil normal válido`	A9
`RUF Error`	B0-BF
`El dSalePoint suministrado tiene una longitud incorrecta, deben ser 6 bytes`	C0
`No se ha suministrado el token JWT en una operación de inspección`	00A0
`No se ha podido validar el token JWT necesario para la inspección`	00A1

More network codes on class: com.sgcr.vo.

PDU status values

Status	Value
`STATUS_OK`	00
`STATUS_OKINCONS`	01
`STATUS_SESSION_INVALID`	A0
`STATUS_TOKEN_EMPTY`	A1
`STATUS_PENDING`	AF
`STATUS_ERR_LOG`	EF
`STATUS_ERR_OTP`	FD
`STATUS_KO`	FF

STATUS_OK: Operación realizada correctamente
STATUS_OKINCONS: Tarjeta BIT contiene alguna inconsistencia`
STATUS_SESSION_INVALID: La sesión no existe o es inválida
STATUS_TOKEN_EMPTY: Token de acceso no proporcionado
STATUS_PENDING: El Proceso se ha interrumpido
STATUS_ERR_LOG: Error lógico. Interfaz / operación
STATUS_ERR_OTP: OTP no suministrado
STATUS_KO: error no controlado

Note: AF means the systems is pending for new commands.

Within the HTTP requests, CMD parameter is used to indicate next command to send to the NFC card, the response obtained from the NFC card is then sent it back to the server via GET request.

Description: This requests generates a new session that is set as a Cookie with JSESSIONID. Some information related to our device and timezone is being sent in the POST, however what will identify us is uuid.

Request:

Host: lat1p.crtm.es:39480
Endpoint: /middlelat/midd/device/init/conn

Request:

POST /middlelat/midd/device/init/conn HTTP/1.1
Content-Type: application/json; charset=UTF-8
Content-Length: 620
Host: lat1p.crtm.es:39480
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.12.1

{"board":"MSM8974","bootLoader":"unknown","brand":"oneplus","build":"MTC20F","device":"A0001","display":"MTC20F test-keys","fingerprint":"oneplus/bacon/A0001:6.0.1/MMB29X/ZNH0EAS2JK:user/release-keys","hardware":"bacon","initAt":"Wed Jan 29 21:23:15 GMT+01:00 2020","language":"en","macAddress":"02:00:00:00:00:00","manufacture":"OnePlus","model":"A0001","networkType":0,"osName":"LOLLIPOP_MR1","osVersion":"6.0.1","product":"bacon","radio":"unknown","screenResolution":"1080x1920","serial":"1a5e4ecc","time":0,"timezone":"Europe/Madrid","uuid":"e626f4c4-34aa-4ca2-bf2b-3c8e0e5e7d26b1f3ee2f-6bdc-49f4-af27-f40218c3e3d1"}

Response:

HTTP/1.1 200 OK
Date: Fri, 31 Jan 2020 00:50:01 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: JSESSIONID=0C1B6566468F2B2A1E382371832C2860.worker2; Path=/middlelat; Secure; HttpOnly
Content-Length: 72
Connection: close
Content-Type: text/plain;charset=UTF-8

e626f4c4-34aa-4ca2-bf2b-3c8e0e5e7d26b1f3ee2f-6bdc-49f4-af27-f40218c3e3d1

Generate NFC command: /middlelat/device/front/GeneraComando?respuesta=<VALUE>

Generate command

Request:

GET /middlelat/device/front/GeneraComando?respuesta=007EE6FFE255CB7EB8 HTTP/1.1
Cookie: JSESSIONID=5AE30B6DA466C6BEAD94061558300959.worker2; Path=/middlelat; Secure; HttpOnly
Host: lat1p.crtm.es:39480
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.12.1

Response:

HTTP/1.1 200 OK
Date: Wed, 29 Jan 2020 20:53:03 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 50
Connection: close
Content-Type: text/plain;charset=UTF-8

STATUS=AF
CMD=AF402AF9127495F99F60783D3337234B0C

Security

Authentication

In this procedure both, the PICC as well as the reader device, show in an encrypted way that they posses the same secret which especially means the same key. This procedure not only confirms that both entities can trust each other but also generates a session key which can be used to keep the further communication path secure. As the name “session key” implicitly indicates, each time a new authentication procedure is successfully completed a new key for further cryptographic operations is obtained. [3]

Side channel attacks

There is no available information wether someone has achieved a side channel attack on the MIFARE DESFire EV1 (MF3ICD41). However, there was an study made on the MF3ICD40 which was vulnerable using differencial power analysis to leak partial key information and used a template to crack the key [4] [5].