Chameleon: A Versatile Emulator for Contactless Smartcards

  • Timo Kasper
  • Ingo von Maurich
  • David Oswald
  • Christof Paar
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6829)


We develop new, custom-built hardware for emulating contactless smartcards compliant with ISO 14443. The device is based on a modern low-cost microcontroller and can support basically all relevant (cryptographic) protocols used by contactless smartcards today, e.g., those based on AES or Triple-DES. As a proof of concept, we present a full emulation of Mifare Classic cards on the basis of our highly optimized implementation of the stream cipher Crypto1. The implementation enables the creation of exact clones of such cards, including the UID. We furthermore reverse-engineered the protocol of DESFire EV1 and realize the first emulation of DESFire and DESFire EV1 cards in the literature. We practically demonstrate the capabilities of our emulator by spoofing several real-world systems, e.g., creating a contactless payment card which allows an attacker to set the stored credit balance as desired and hence make an infinite number of payments.


RFID, contactless smartcards, payment systems, access control, efficient implementation





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Timo Kasper (1)
  • Ingo von Maurich (1)
  • David Oswald (1)
  • Christof Paar (1)
  1. Horst Görtz Institute for IT Security, Ruhr-University Bochum, Germany
