Open the box – grab your prize

What other competitions, challenges, and contests are waiting for you at ZeroNights? One of them is “Open the box – grab your prize!”

Hack the NFC authorization system and tamper with card balance so that it is sufficient to open the box.

The box is a vending machine with a single vendible item inside it. The box opens only if the item is fully paid for. It should be noted that the box accepts only special cards. You can get one 100¥ on its balance from an assistant. The cost of the item in the box is 750¥, and you have no legal way to top up the balance. You will need to identify the wireless protocol used by both your card and the card reader. Further steps are: hack the card authorization system, recognize the data storage format, and find a way to modify your balance.

Do not worry if anything goes wrong or if you have no clue about RFID protocols. Every 2 hours, we will hold brief workshops revealing how to hack the system step-by-step (however, we will keep the last one a secret). The contest is ideal for those who have never dealt with contactless payment systems and want to learn the ropes. The box utilizes industrial standards widely used at various facilities. So, you will be able to use your newly acquired knowledge in your work.

You will learn:

  • How to recognize main RFID protocols and find out what protocol is the basis of a particular system.
  • Basic principles of operation of the ISO-14443 used in NFC, PayPass, Trojka cards, Podorozhnik, and other systems.
  • How to intercept and analyze ISO-14443A with the help of a hardware sniffer.
  • How to extract access keys for a card’s protected memory sectors.
  • How to modify data in a card’s memory.
  • How to work with the libnfc package and compatible devices.

To participate in the contest and to analyze the provided card you will need the following set of equipment:

  • Laptop with installed kali linux. As an alternative, you are allowed to use the USB Live distribution, virtual machine or any other distribution with installed libnfc.
  • NFC reader. You will be able to get USB NFC reader on site to participate in the contest.
  • NFC-equipped phone. In case you have no laptop with you, you can use an Android smartphone with the NFC module. Note: some phones are not suitable.

Minimal skills:

  • Basic knowledge of Linux.
  • Knowledge of HEX and text editors.
  • Understanding of what a bit, byte, and endianness are.

See you at ZeroNights!

Social sharing