Introduction:
MIFARE Classic is one of the world’s most widely deployed contactless smart card technologies, used in access control systems, hotel key cards, public transit passes, and campus IDs. Its proprietary CRYPTO1 cipher has been known to be broken since 2008, but practical exploitation traditionally required specialized hardware like a Proxmark3 or an Android phone with external NFC readers. Recent discoveries show that certain OPPO smartphones sold in mainland China can read MIFARE Classic cards, crack their encryption keys in seconds using only built-in NFC hardware, store the card’s data, and fully emulate the card – turning any compatible phone into a universal cloning and bypass tool. This renders millions of existing access systems vulnerable to trivial physical intrusion.
Learning Objectives:
- Understand the cryptographic weaknesses in MIFARE Classic and how they enable key recovery.
- Learn to identify vulnerable Android devices (including OPPO models) and configure software tools for NFC attacks.
- Execute a step-by-step cloning and emulation attack against a MIFARE Classic card using only a smartphone.
- Implement mitigation strategies for organizations still relying on MIFARE Classic.
You Should Know:
- Why MIFARE Classic is Broken – And How Phones Leverage the Flaw
MIFARE Classic uses a stream cipher called CRYPTO1 with a 48-bit key per sector. Researchers have demonstrated that by presenting a specially crafted nonce (random number) to a card, the card’s response leaks enough information to recover the key using a nested authentication attack or a darkside attack. Traditionally, this required a Proxmark3 or an NFC reader capable of sending raw commands at precise timings. However, modern NFC controllers in smartphones (e.g., NXP PN548, PN557, or Broadcom BCM47755) can emit arbitrary NFC-A frames, including the necessary anti-collision and authentication commands. The breakthrough with OPPO phones (and other OEMs that enable raw NFC access in their firmware) lies in the fact that the stock NFC stack does not filter proprietary MIFARE commands. Combined with a modded version of “Mifare Classic Tool” (MCT) that includes `extended_keys` and built-in cracking algorithms (mfoc-based), the phone can:
– Scan a card’s UID and manufacturer data.
– Launch a nested attack using known weak keys (e.g., FFFFFFFFFFFF, A0A1A2A3A4A5).
– Recover all sector keys within seconds (often under 10 seconds).
– Dump the entire card memory (1KB or 4KB) to a `.dmp` or `.mfd` file.
– Emulate the cloned card via the phone’s host card emulation (HCE) or by writing to a writable NFC tag.
Step‑by‑step guide to test your own Android phone:
Requirements: Android 8.0+ with NFC, rooted or non-rooted (some functions require root). Install “Mifare Classic Tool” from F-Droid or GitHub (the modded version with cracking support). For OPPO users, no root is typically needed.
- Enable Developer Options and NFC raw mode (if available): On OPPO: Settings → Additional Settings → Developer Options → “Allow NFC raw mode” (varies by ColorOS version).
- Install MCT modded from: `https://github.com/ikarus23/MifareClassicTool/releases` (choose the `extended_keys` branch APK).
- Prepare key files: MCT stores known keys in `/sdcard/MifareClassicTool/keys-std.keys`. Add common default keys (e.g., FFFFFFFFFFFF, 000000000000, A0A1A2A3A4A5, D3F7D3F7D3F7).
- Scan a tag: Open MCT → “Read tag” → Hold card to phone back. Select standard keys file.
- Start the attack: If default keys fail, tap “Start map” → “Nested attack” (or “Hardnested” if supported). The app will brute force each sector using leaked nonces.
- Save the dump: After keys are found, tap “Read sectors” → Save as `.dmp`.
- Emulate: Go to “Emulator” tab → Load the dump → “Start emulation”. Place phone near a reader. The phone now behaves exactly as the original card.
Linux command alternative (using PCSC reader and mfoc):
```
# Install mfoc (MIFARE Classic offline cracker) on Kali Linux
sudo apt install mfoc
# Dump keys and data - replace /dev/pn532 with your reader
mfoc -O card.dump -k FFFFFFFFFFFF -k A0A1A2A3A4A5
# To emulate via a Proxmark3, convert dump to emulator format
proxmark3> hf mf restore --dump card.dump
```
Windows alternative (using Mifare Windows Tool + ACR122U reader):
– Download MFT from `https://github.com/Proxmark/proxmark3/wiki/Windows-Drivers`
– Use the “Nested Attack” button to recover keys and dump the card.
- OPPO’s Hidden NFC Superpower – What Models and Why
Not all OPPO phones have this capability. Based on community reports (XDA Developers, GitHub issue 849 on MCT), the following models allow unfiltered raw MIFARE commands: OPPO Find X3 Pro (China version), Find X5, Find X6, Reno 8 Pro, and certain Realme devices (Realme GT series). The key differentiator is the NFC chipset – models using the NXP PN557 or ST ST54J with a modified Android NFC stack (the “China-ROM” variant) do not enforce Google’s `android.nfc.tech.MifareClassic` permission filtering. In international versions (Global ROM), MIFARE Classic commands are often blocked at the firmware level to comply with NXP licensing. However, attackers can cross-flash a Chinese ROM or use Magisk modules to re-enable raw access. The vulnerability is not a bug but a design choice to support local Chinese transit systems (e.g., Beijing Municipal Card) that still use MIFARE Classic. This creates a backdoor that attackers can weaponize.
Check if your phone supports MIFARE Classic attacks:
- Install “NFC TagInfo” by NXP from Play Store.
- Scan a MIFARE Classic card. If it shows “Technical details” including SAK (0x08 or 0x18) and ATQA, and allows sending “Authenticate” commands, your phone is vulnerable.
- For a quick CLI test (requires root): Use `nfc-list` from libnfc, or run:
```
# On rooted Android via Termux
pkg install root-repo && pkg install mfoc
mfoc -d /dev/nfc0 -k FFFFFFFFFFFF
```
- How to Build a Portable Cloning Rig – No Laptop, No Proxmark
With a vulnerable OPPO (or similar) phone, an attacker can walk past a target, tap a card against the phone (in a pocket or bag), and have the full clone ready in under 30 seconds. No additional hardware is needed. The attack workflow:
- Covert scanning: Use MCT’s “Auto-save” feature. The app can continuously scan for NFC cards in the background. Set vibration on success.
- Key cracking: Enable “Hardnested” with `extended_keys` – this uses precomputed lookup tables (stored in phone storage) to reduce cracking time from minutes to 2–5 seconds per sector.
- Data extraction: Dump all 16 sectors (1KB card) or 40 sectors (4KB card). Save to encrypted folder.
- Emulation: MCT’s emulator uses Android’s Host-based Card Emulation (HCE). The phone broadcasts the cloned UID and data when any reader polls for NFC-A tags. No root required for HCE.
- Bypass UID checks: Some readers check for “magic” UID ranges (e.g., Chinese cloned cards start with 04). MCT can inject the original UID byte‑for‑byte. If the reader checks the card’s manufacturer block, you may need a rooted phone with NFC firmware patching (e.g., using `nfc-hack` Magisk module) to simulate a genuine UID.
Code snippet for automated dumping using Android shell (requires root):
```
# Create a script that triggers MCT via intent
am start -n com.github.devnied.emvnfccard/.ui.MainActivity --es action "dump" --es tag "Block0 data"
# Or use NFC command-line tools on rooted Android:
/data/data/com.nxp.nfc/nfc_cmd -authenticate -key FFFFFFFFFFFF -sector 0
```
- Hotel, Office, Transit – Real-World Attack Scenarios and Mitigations
The most immediate risk is to hotels using MIFARE Classic for key cards. An attacker checks in, clones the room key with their phone, returns the original card, and later enters the room without any record. Similarly, office access control systems that log only successful “card read” events will see the legitimate card’s UID, making forensic analysis useless. Transit systems that rely on stored-value cards (e.g., prepaid metro cards) can be cloned and recharged by emulating a card and replaying transaction logs.
Step‑by‑step mitigation for security professionals:
- Inventory all MIFARE Classic systems – Many organizations are unaware that their “proximity cards” are MIFARE Classic. Check card markings: “MIFARE 1K” or “S50” indicate Classic.
- Upgrade to MIFARE DESFire EV2/EV3 or use CPU card technologies (Java Card) with mutual authentication and encrypted channels. DESFire uses AES-128 and is not vulnerable to these attacks.
- Implement reader-side mitigations even if stuck with Classic:
– Enable reader-side anti-cloning by checking the card’s ATQA/SAK for anomalies (cloned cards may report different values).
– Use sector personalization – store a digital signature over the card UID in a read-only sector, and have the reader validate it.
– Enforce online verification – each card read triggers a backend lookup of the last known location. Multiple rapid reads of the same UID from different readers indicate cloning.
- Deploy physical credential management – Require biometrics or PIN as a second factor alongside any card that cannot be immediately upgraded.
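An added example (not part of the original article) of the reader-side checks listed above, in Python: it parses access-log lines, compares each read's ATQA/SAK against the profile recorded when the card was enrolled, and flags the same UID appearing at two different readers within a short window. The log format, the enrolled profiles and the sample lines are all constructed for this example and do not correspond to any real product.

```python
from datetime import datetime, timedelta

# Constructed enrollment profiles: ATQA/SAK recorded when each card was issued.
ENROLLED = {
    "04A1B2C3": {"atqa": "0004", "sak": "08"},   # enrolled as MIFARE Classic 1K
    "1D2E3F40": {"atqa": "0002", "sak": "18"},   # enrolled as MIFARE Classic 4K
}

# Constructed sample log lines; the field layout is an assumption for this example.
LOG = """\
2024-05-01T08:00:00 reader=lobby uid=04A1B2C3 atqa=0004 sak=08
2024-05-01T08:00:20 reader=garage uid=04A1B2C3 atqa=0004 sak=08
2024-05-01T08:05:00 reader=lobby uid=1D2E3F40 atqa=0002 sak=18
2024-05-01T09:10:00 reader=floor7 uid=1D2E3F40 atqa=0004 sak=08
""".splitlines()


def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def check_events(lines, enrolled=ENROLLED, window=timedelta(minutes=2)):
    """Return alerts for unknown UIDs, ATQA/SAK mismatches against enrollment,
    and the same UID read at two different readers within `window`."""
    alerts = []
    last_seen = {}                      # uid -> most recent record
    for rec in (parse_line(l) for l in lines):
        uid = rec["uid"]
        prof = enrolled.get(uid)
        if prof is None:
            alerts.append(("unknown_uid", uid, rec["reader"]))
        elif (rec["atqa"], rec["sak"]) != (prof["atqa"], prof["sak"]):
            alerts.append(("profile_mismatch", uid, rec["reader"]))
        prev = last_seen.get(uid)
        if prev and prev["reader"] != rec["reader"] and rec["ts"] - prev["ts"] <= window:
            alerts.append(("rapid_multi_reader", uid, prev["reader"], rec["reader"]))
        last_seen[uid] = rec
    return alerts


if __name__ == "__main__":
    for alert in check_events(LOG):
        print(alert)
```

A profile mismatch only catches emulators that do not reproduce the original ATQA/SAK; a full clone reports the genuine values, so the multi-reader velocity check is the more reliable of the two signals.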
- Legal and Ethical Implications – What You Can and Cannot Do
Penetration testers and security researchers must be cautious. In many jurisdictions (including the US under CFAA and EU’s Cybercrime Directive), cloning a card that you do not own or that controls access to a system you are not authorized to test is illegal. However, testing your own property (e.g., your building’s access card with written permission) is allowed. Always obtain explicit authorization before scanning or emulating any card that does not belong to you. The tools and commands provided in this article are for educational and defensive security purposes only.
What Undercode Say:
- Key Takeaway 1: The “hardware‑required” barrier for MIFARE Classic attacks is gone. Any attacker with a $400 OPPO phone and a modded app can bypass billions of dollars’ worth of access control systems.
- Key Takeaway 2: Organizations still using MIFARE Classic are in a state of “security by obscurity” – the obscurity just evaporated. Immediate migration to DESFire or similar AES-based technologies is not optional – it’s an operational emergency.
Prediction:
Within 12–18 months, we will see the first widespread physical breach campaigns leveraging smartphone-based MIFARE cloning. Attackers will target hotel chains (lateral movement from one room to executive floors), co‑working spaces (spoof employee badges), and public transit (unlimited cloned passes). Expect litigation against phone manufacturers (OPPO, Xiaomi, etc.) for enabling “built‑in lockpicks.” Governments will impose new regulations on NFC chipset configuration, forcing OEMs to block raw MIFARE commands globally. In the meantime, red teams will adopt these techniques as standard tradecraft, and blue teams must deploy reader‑side anomaly detection as a stopgap. The era of “phone as universal key” has arrived – for better or worse.
Reported By: Herrmann1001 Nfc – Hackers Feeds