Serials on NFC Tags - truly unique? cloneable?

So are NFC tags really UNIQUE from each other, at least in their SERIAL NUMBER? And can we rely on the fact that no 2 NFC tags can have the same serial number? I'm highly skeptical about this as there are (and will be more) NFC tags out there and I don't think anyone is controlling the serials...

The reason I'm asking is that I'm developing a key based system using NFC tags. I don't need to write to the tags, I basically just need their serial numbers. But I need them to be truly unique.

Also, I would like to know if the serial numbers can be cloned (I know the content of tags can always be read and cloned, but can one program another tag to have exactly the same ID/serial?)

Sorghum answered 11/2, 2014 at 11:34

Are serial numbers of NFC tags truly unique?

That depends on the tag product and what you consider truly unique. E.g.:

  • ISO 14443 Type A tags with 4 byte serial numbers: There certainly exist duplicates (mainly because there is no clear scheme to divide the available range of serial numbers among the various manufacturers) and you can expect that within a batch of tags, there will be significant similarity between serial numbers (e.g. running sequences).
  • ISO 14443 Type A tags with 7 byte serial number (similarly for serial numbers of ISO 15693 tags): Each manufacturer is allocated a block of serial numbers (e.g. NXP serial numbers start with 0x04, Infineon with 0x05, etc). Within that block many manufacturers (I'm not sure about all of them) guarantee that they use each serial number only once. So these serial numbers are often unique (each manufacturer has a block of trillions of serial numbers). Still there will often be significant similarities between serial numbers of each batch (e.g. running sequences). Moreover, it seems that even within the serial number ranges that are supposedly guaranteed to be unique by manufacturers there appear counterfeit tag products that have duplicate serial numbers (see this question on duplicate serial numbers of counterfeit(?) NTAG203 chips).

Can serial numbers be cloned?

Yes, definitely. If you look for instance at MIFARE Classic, you can easily get cards with freely customizable serial number from a Chinese vendor of your choice. There are also devices like Proxmark with which you can emulate a card with a freely customizable serial number. And, moreover, it is relatively easy and cheap to build a device that emulates the protocol and consequently emulates a serial number of your choice. (Also see this question on emulating arbitrary serial numbers using Android NFC smartphones.)

As an attacker, the interesting part now is how you find a legit serial number for a specific system (i.e. a serial number that successfully authenticates to the system):

  1. Read someone's card and clone the serial number.
  2. Intercept communication between the legit card and the legit reader.
  3. Make a guess based on other cards from the same batch (that's why similarity between serial numbers also matters).

Is it a good idea to design an access control system that's based solely on serial numbers?

No, definitely not. Still there exist lots of such systems. But more and more of these systems introduce additional security mechanisms.

Kirakiran answered 11/2, 2014 at 15:15

Comments (9):
EXTREMELY helpful response mate, thanks very much. So the security implementations can get a bit tricky then... I'm developing for more of marketing and time/logging and asset tracking at the moment so I guess I don't have to worry too much about these clones, but my issue is w/ the same serials that cause errors in my application. You mentioned 7 byte tags? I ordered some tags from Amazon from Tapwise, and the serials are actually 8 bytes (8 digits). One of 'em for example is: 10501160 and I did find duplicates of this in another batch of slightly different tags also from Tapwise. Frustrating. - Sorghum

I only found NTAG203 tags in their store. These should have 7 byte UIDs. Promised to be more or less unique by their manufacturer. What reader are you using to get the serial number? - Kirakiran

I'm using this reader: www.amazon.com/Mifare-Wiegand-Utralight-MifareDesFire-Contactless/dp/B00BYKPHSU/ It acts as a keyboard emulator and reads the ID/serial of the tags. I'm gunning for sticker tags as they are easier to embed/deploy. - Sorghum

From the Amazon description it seems that the reader outputs in Wiegand 26 2H10D+4H10D format. This means that this reader will only give you the last 3 bytes of the serial number in decimal representation (more exactly the third last byte converted to decimal followed by the last two bytes converted to decimal). So you have 16777216 possible serial number values. Depending on where you get your tags you could certainly get some duplicates, though it's getting unlikely if you have a sequentially numbered batch. - Kirakiran

Wow, really? So the reader is not reading the whole lot? But when I scan the tags in my NFC equipped phone, the ID, though in hex, seems to be just right. Here's one of the tags scanned via phone and NFC reader app: Protocols> Tag ID: 04cc3fc27b2b80 <-- I believe this is hex or something, representing the ASCII numbers that the emulator reads and outputs (?) - Sorghum

Right, this is the hexadecimal representation of the whole 7 byte UID. For that tag, your reader should output one of the following numbers (depending on how properly it is implemented): 123 11136 (using 0x7B 0x2B80, if full UID is considered), 004 52287 (using 0x04 CC3F, if first cascade level is considered), 204 01160 (using 0xCC 0488, if UID is read starting at the wrong end and cascade tag is invalidly included into the UID) or 043 31532 (using 0x2B 7B2C, if only second cascade level is used and UID is read starting at the wrong end). - Kirakiran

Good answer. Thanks. Can you refer us to any secure authentication mechanisms? - Frightfully

@M-T-A You might be interested in this answer: https://mcmap.net/q/375184/-how-to-prevent-nfc-tag-cloning - Kirakiran

Hi @MichaelRoland I realise this is an old question but we've been doing quite some research on using RFID cards. A little background: we have a drinks/food ordering platform and we'd like to introduce RFID tags for payments. Customers can top up their card and use it to pay. At first, we had the idea to solely use the unique ID of the RFID to link a card with an account in our system, but reading this post, this might be a security risk (e.g. copying). We're looking into Mifare Ultralight cards for this purpose. Any thoughts on how to get this more secure? Thanks! - Suffocate
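
The Wiegand 26 truncation discussed in the comments above, worked through as an added example (not code from the thread or from the reader's vendor): it reproduces three of the candidate outputs for UID 04cc3fc27b2b80 and shows distinct UIDs becoming indistinguishable once only 24 bits survive. The function names and the two extra UIDs are constructed for illustration.

```python
# Added example: what a Wiegand 26 (2H10D+4H10D) reader keeps of a 7-byte UID.
CASCADE_TAG = 0x88  # ISO 14443-3 Type A marker sent before the first 3 UID bytes


def wiegand26(data: bytes) -> str:
    """Format 24 bits as 3 decimal digits (byte 0) + 5 decimal digits (bytes 1-2)."""
    if len(data) != 3:
        raise ValueError("Wiegand 26 carries exactly 3 data bytes")
    return f"{data[0]:03d} {int.from_bytes(data[1:], 'big'):05d}"


def reader_outputs(uid_hex: str) -> dict:
    """Return the reader output under three interpretations from the thread."""
    uid = bytes.fromhex(uid_hex)
    if len(uid) != 7:
        raise ValueError("expected a 7-byte UID")
    level1 = bytes([CASCADE_TAG]) + uid[:3]  # cascade level 1 frame: CT + UID0..2
    return {
        "full_uid_last3": wiegand26(uid[-3:]),
        "cascade1_first3": wiegand26(uid[:3]),
        "cascade1_reversed_with_ct": wiegand26(level1[::-1][-3:]),
    }


def collides(uid_a: str, uid_b: str, mode: str) -> bool:
    """True if two different UIDs are indistinguishable to the reader."""
    return uid_a != uid_b and reader_outputs(uid_a)[mode] == reader_outputs(uid_b)[mode]


PAGE_UID = "04cc3fc27b2b80"          # UID quoted in the thread
SAME_TAIL = "04aabbcc7b2b80"         # constructed: different tag, same last 3 bytes
SAME_SECOND_BYTE = "04cc1122334455"  # constructed: shares only bytes 0 and 1

if __name__ == "__main__":
    for mode, text in reader_outputs(PAGE_UID).items():
        print(f"{mode:28s} {text}")
    print(collides(PAGE_UID, SAME_TAIL, "full_uid_last3"))
    print(collides(PAGE_UID, SAME_SECOND_BYTE, "cascade1_reversed_with_ct"))
```

Under the third interpretation the last two bytes are always 0x04 0x88 for tags whose UID starts with 0x04, so only 256 distinct outputs exist for them. The asker's reading 10501160 ends in the same 01160.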
