Hi Guys,
So we are currently working on a project where the NTAG213 or NTAG215 are going to be used (in public areas, guests can scan it to access a site).
The idea is to write specific data to the chip that can be read by guests (it's not sensitive) BUT should not be able to be overwritten/erased/replaced.
We've found a couple of good Android apps that can write and 'lock' the chip to make it read-only, where you receive a master key to unlock it. So far so good.
But my question and concern is:
How secure is that read-only with the NTAG213/215 chips?
I mean, are there any known exploits to be aware of?
Would there be any possibility to 'crack' the password and reverse it somehow so that the chip can be overwritten, so that someone could intentionally put malware on it or write a phishing site to the chip? (Obviously we are trying to avoid that happening, so that's why we have these security concerns.)
Thanks a lot guys! Hope to learn more about it.
Kind regards,
Johnny
Hello,
It will depend on how secure you want your system to be. The most important thing to keep in mind is that in every authentication to the tag, the data will travel in plain text through the air. You may use a DESFire instead, which is Common Criteria EAL5+, if you want your communication to be encrypted. For more information, please refer to: MIFARE DESFire EV2 | NXP
BR,
Ivan.
Hi Ivan, thanks for the reply.
As mentioned before, the communication being plain text is OK, since it's for guest purposes anyway (it's on an isolated network).
The concerns are regarding the password making the chip read-only: in terms of security, how secure is that? How easily can it be cracked and overwritten by an unauthorized person?
That's what I really would like to know..
Thanks again, waiting for your reply!
Hello,
Overwriting is not possible unless you authenticate successfully to the tag with the right password for the protected memory area and then overwrite it.
You could make it even stronger by avoiding brute-force. Fortunately, this can be prevented by limiting negative verification attempts, as mentioned in chapter 8.8.2 of the datasheet: https://www.nxp.com/docs/en/data-sheet/NTAG213_215_216.pdf
Hope this helps.
BR,
Ivan.
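A configuration check for the settings discussed in this thread, as an added example that is not part of any poster's reply: it decodes AUTH0 and the ACCESS byte (PROT, CFGLCK, AUTHLIM) from a dump of the tag's two configuration pages, using the page addresses and bit positions from the NTAG213/215/216 datasheet. The function name, finding codes and sample dumps are constructed for illustration.

```python
# Added example (not from the thread): audit NTAG21x configuration pages.
# Field layout per the NTAG213/215/216 datasheet: AUTH0 is byte 3 of CFG0,
# ACCESS is byte 0 of CFG1 (PROT bit 7, CFGLCK bit 6, AUTHLIM bits 2..0).
CFG0_PAGE = {"NTAG213": 0x29, "NTAG215": 0x83, "NTAG216": 0xE3}


def audit_config(model, cfg0, cfg1, first_data_page=0x04):
    """Parse CFG0/CFG1 (4 bytes each) and return (fields, finding_codes)."""
    if len(cfg0) != 4 or len(cfg1) != 4:
        raise ValueError("configuration pages are 4 bytes each")
    last_page = CFG0_PAGE[model] + 3     # PACK page, the last page of the tag
    auth0, access = cfg0[3], cfg1[0]
    fields = {
        "auth0": auth0,                  # first page that needs the password
        "prot": bool(access & 0x80),     # False: password guards writes only
        "cfglck": bool(access & 0x40),   # True: configuration locked for good
        "authlim": access & 0x07,        # 0: failed attempts are not limited
    }
    findings = []
    if auth0 > last_page:
        findings.append("PWD_DISABLED")       # AUTH0 past the last page
    elif auth0 > first_data_page:
        findings.append("UNPROTECTED_PAGES")  # data below AUTH0 stays writable
    if fields["authlim"] == 0:
        findings.append("NO_AUTHLIM")         # 32-bit PWD can be retried freely
    if fields["prot"]:
        findings.append("READ_PROTECTED")     # guests could not read the data
    if not fields["cfglck"]:
        findings.append("CFG_UNLOCKED")       # informational: config editable
    return fields, findings


# Constructed sample dumps of the two configuration pages (not real tags).
SAMPLES = {
    "open": ("NTAG213", bytes.fromhex("040000ff"), bytes.fromhex("00000000")),
    "hardened": ("NTAG215", bytes.fromhex("04000004"), bytes.fromhex("44000000")),
}

if __name__ == "__main__":
    for name, (model, cfg0, cfg1) in SAMPLES.items():
        fields, findings = audit_config(model, cfg0, cfg1)
        print(name, model, fields, findings or "no findings")
```
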