Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

EMV simulation mode POC (use physical credit card to allow proxmark to make payments) #2

Merged
merged 2 commits into from
Jan 20, 2025

Conversation

n-hutton
Copy link
Owner

Hello,

I have here a proof of concept that allows the proxmark3 RDV4 to use the attached card reader for signing contactless transactions, turning the proxmark into a payment device (only works with Visa cards for now and I think is hardcoded for UK based payments, if anyone wants to try it out, I can fix that).

I think it is pretty interesting feature to enable because it allows you to MITM/play around with contactless flow.

I think that this is only possible due to security lapses in the way Visa differentiates between contactless and contact transactions, you are kindof tricking the card into performing this signature. I suspect that it bypasses PIN protections in certain circumstances. I can write long boring technical explanation on this later. Visa was not interested in this bug report so here we are.

I assume that there is interest in having this in the codebase - if not it would be good to know so I don't spend time cleaning the PR up! Note that this PR is messy and not in its final form (but does work every time).

If there is interest, it would be good to get some answers to these questions:

  • The invokation/usage is currently emv smart2nfc because it doesn't 'sit' anywhere. Is this desirable?
  • The timing of responding to NFC is difficult and so I had to re-write I2C for various reasons (seen in this pr as i2c_direct), should I try to integrate into i2c.c or keep it standalone?
  • The main part of the code is in emvsim.c - this is basically ripped from mifaresim.c because all we care about is communicating once the handshaking is completed. Should emvsim stand alone, or should it be a special case in mifaresim?
  • Should I split this PR into smaller PRs (for i2c for example)
  • Anything else anyone can think of

Copy link

You are welcome to add an entry to the CHANGELOG.md as well

aes_encode(iv, key, input, out, input_len);
} else if (encryption_algorithm == 0x02) {
mbedtls_des3_context ctx3;
mbedtls_des3_set2key_enc(&ctx3, key);

Check failure

Code scanning / CodeQL

Use of a broken or risky cryptographic algorithm High

This file makes use of a broken or weak cryptographic algorithm (specified by
invocation of macro MBEDTLS_DES_DECRYPT
).
This file makes use of a broken or weak cryptographic algorithm (specified by
call to mbedtls_des3_set2key_dec
).
This file makes use of a broken or weak cryptographic algorithm (specified by
call to mbedtls_des3_crypt_cbc
).
This file makes use of a broken or weak cryptographic algorithm (specified by
invocation of macro MBEDTLS_DES_DECRYPT
).
This file makes use of a broken or weak cryptographic algorithm (specified by
call to mbedtls_des3_set2key_dec
).
This file makes use of a broken or weak cryptographic algorithm (specified by
call to mbedtls_des3_crypt_cbc
).
This file makes use of a broken or weak cryptographic algorithm (specified by
invocation of macro MBEDTLS_DES_ENCRYPT
).
This file makes use of a broken or weak cryptographic algorithm (specified by
call to mbedtls_des3_set2key_enc
).
This file makes use of a broken or weak cryptographic algorithm (specified by
call to mbedtls_des3_crypt_cbc
).
@n-hutton n-hutton merged commit d5e80c1 into master Jan 20, 2025
21 of 22 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants