Stockport NHS Security Fail: MIFARE Classic 1K
A while back I sat down with my Samsung Galaxy S2 with NFC built-in and came too close to a couple of Stockport NHS ID badges; one had a chip on it (Oberthur Java Card) and the other had no chip. The cards activated my NFC app. I was thinking these cards would be MIFARE DESFire, but I was wrong: they were in fact MIFARE Classic 1K. To make a bad situation even worse, the cards use the default security keys, WTF. Reading the card revealed a short repeating pattern of data across a few sectors; the rest of the sectors were blank.
The people who implemented the system probably thought that because you can't change the UID of MIFARE cards no one can copy them and the data is safe, so what's the point of any other security? It is possible to buy MIFARE cards with a changeable UID; they are called Magic Cards and cost about £1 on eBay. With a Magic Card and a £20 RFID reader/writer (ACR122U) you now have the ability to make an exact working copy of an ID badge just by standing close to a member of staff.
After some research online I discovered a project on GitHub called NHSbuntu, which is a Linux alternative for NHS centres, and it confirms that the UID of the ID badge is checked and the data is some sort of certificate.
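The three things the post reports from reading the card (default keys on the sector trailers, blank sectors, and one short data pattern repeated across sectors) are all visible in a plain dump file. The following is an added example, not the post author's tooling, that audits a MIFARE Classic 1K dump for exactly those three conditions. The dump it builds is constructed to mirror the post's description, not a real badge, and the default-key list is the set of widely published factory/transport keys; it is the kind of check an issuer can run over a dump of their own card stock to confirm keys were actually diversified.

```python
# Added example (not the post's own tooling): audit a MIFARE Classic 1K dump for
# sector trailers still holding well-known default keys, sectors left blank,
# and one short data pattern repeated across several sectors.
# The dump built below is constructed, not a real badge.

SECTORS = 16            # MIFARE Classic 1K: 16 sectors
BLOCKS_PER_SECTOR = 4   # 3 data blocks + 1 sector trailer
BLOCK_SIZE = 16
DUMP_SIZE = SECTORS * BLOCKS_PER_SECTOR * BLOCK_SIZE   # 1024 bytes

# Widely published factory / transport keys; a card still using one of these
# can be read by anyone with a reader, which is what the post found.
DEFAULT_KEYS = {
    bytes.fromhex("FFFFFFFFFFFF"),  # NXP transport key on fresh cards
    bytes.fromhex("000000000000"),
    bytes.fromhex("A0A1A2A3A4A5"),  # MIFARE Application Directory key
    bytes.fromhex("D3F7D3F7D3F7"),  # NDEF public key
}


def sector_blocks(dump, sector):
    """Return the four 16-byte blocks of one sector."""
    base = sector * BLOCKS_PER_SECTOR * BLOCK_SIZE
    return [dump[base + i * BLOCK_SIZE: base + (i + 1) * BLOCK_SIZE]
            for i in range(BLOCKS_PER_SECTOR)]


def audit_dump(dump):
    """Return findings about key hygiene and data layout for a 1K dump."""
    if len(dump) != DUMP_SIZE:
        raise ValueError(f"expected a {DUMP_SIZE}-byte 1K dump, got {len(dump)}")
    default_key_sectors, blank_sectors, seen = [], [], {}
    for s in range(SECTORS):
        blocks = sector_blocks(dump, s)
        trailer = blocks[3]                 # key A | access bits + GPB | key B
        key_a, key_b = trailer[:6], trailer[10:]
        if key_a in DEFAULT_KEYS or key_b in DEFAULT_KEYS:
            default_key_sectors.append(s)
        # Block 0 of sector 0 is the read-only manufacturer block (UID, BCC,
        # SAK/ATQA); it is identity, not application data, so skip it.
        data = b"".join(blocks[1:3] if s == 0 else blocks[:3])
        if data == bytes(len(data)):
            blank_sectors.append(s)
        else:
            seen.setdefault(data, []).append(s)
    repeated = [sectors for sectors in seen.values() if len(sectors) > 1]
    return {
        "default_key_sectors": default_key_sectors,
        "blank_sectors": blank_sectors,
        "repeated_data": repeated,
    }


def make_constructed_dump(key_a="FFFFFFFFFFFF", key_b="FFFFFFFFFFFF"):
    """Synthetic dump mirroring the post: transport keys everywhere, the same
    48-byte payload in sectors 1-3, everything else blank.  Keys are parameters
    so a diversified-key card can be checked the same way."""
    trailer = bytes.fromhex(key_a + "FF078069" + key_b)      # default access bits
    payload = bytes(range(0x10)) * 3                          # 3 identical data blocks
    manufacturer = bytes.fromhex("DEADBEEF22" + "00" * 11)    # constructed UID + BCC
    dump = bytearray()
    for s in range(SECTORS):
        if s == 0:
            dump += manufacturer + bytes(2 * BLOCK_SIZE)
        elif 1 <= s <= 3:
            dump += payload
        else:
            dump += bytes(3 * BLOCK_SIZE)
        dump += trailer
    return bytes(dump)


if __name__ == "__main__":
    for label, dump in (("transport keys", make_constructed_dump()),
                        ("diversified keys", make_constructed_dump("1A2B3C4D5E6F", "6F5E4D3C2B1A"))):
        print(label, audit_dump(dump))
```

On the constructed dump every sector is reported as default-keyed, sectors 0 and 4 to 15 as blank, and sectors 1 to 3 as carrying identical data; with per-card keys the first list is empty. A real dump from a card that was read with unknown keys will usually show the key bytes zeroed rather than the real keys, so an empty default-key list only proves something when you know the dump was taken with the issuer's key set.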
According to NHS documentation available on the web, the ID cards are used for access control and as part of two-factor authentication for accessing patient data. Further reading suggests that some computers do not need an ID card at all. So if you have a USB key logger and maybe your cloned ID card, you will be able to access any patient's confidential information using one of the many unattended computers.
Other things to be noted around Stepping hospital are that uniform stores are left open for anyone to help themselves, doors are secured with Simplex locks which can be bypassed or manipulated in seconds, many CCTV cameras do not work or are of poor quality, and there are unlocked networking cabinets and rooms. There are some Wi-Fi APs secured to asbestos ceiling tiles; not much hope for this place.
I contacted Stockport NHS 18 months ago and reported what I found, but got stonewalled, and the problem still persists.
At the time of contacting Stockport NHS I also mentioned they had not implemented SPF, DKIM or DMARC and their email servers did not check incoming email for this either. At present they have implemented SPF (only after WannaCry struck) and tried to implement DKIM, but seem to have gotten it somewhat wrong and it is not used. Their email servers still do not validate incoming emails and the Trend Micro filter is useless, so providing you had enough information about an employee (see below) you could probably just ask the IT department for a password reset for an account, or you could just send them your favourite zero day.
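The post's SPF/DKIM/DMARC findings (a late SPF record, a DKIM record that was "somewhat wrong", no DMARC) are all things a domain owner can catch by linting the TXT records before relying on them. The following is an added example, not the post's own work, that checks the three record types for the common mistakes: an SPF record with no or a soft `all`, or more than the ten DNS-lookup terms RFC 7208 allows; a DKIM key record with a missing, empty or malformed `p=`; a DMARC record with no policy, `p=none`, no reporting address or a partial `pct`. The records it checks are constructed for the example; in practice they would come from TXT lookups of `domain`, `selector._domainkey.domain` and `_dmarc.domain`.

```python
# Added example (not the post's own tooling): lint SPF, DKIM and DMARC TXT
# records for the mistakes that leave a domain's mail spoofable.  Records are
# passed in as strings (None = not published) so the check runs offline; the
# sample records at the bottom are constructed, not any real domain's.
import re

LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=/]|$)", re.I)


def parse_tags(record):
    """Parse a 'k=v; k=v' tag list (DKIM, RFC 6376 and DMARC, RFC 7489 share it)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    if record is None:
        return ["no SPF record published"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    findings = []
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term.lower() in ("+all", "all"):
        findings.append("'+all' authorises every host on the internet to send as the domain")
    elif all_term[0] in "~?":
        findings.append(f"'{all_term}' is soft: receivers will still accept spoofed mail")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def check_dkim(record):
    if record is None:
        return ["no DKIM key published at the selector"]
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":          # v= is optional but must be DKIM1
        findings.append("v= tag present but not DKIM1")
    if "p" not in tags:
        findings.append("no p= tag: record is not a usable key")
    elif tags["p"] == "":
        findings.append("empty p= means the key is revoked; every signature will fail")
    elif not re.fullmatch(r"[A-Za-z0-9+/=]+", tags["p"]):
        findings.append("p= is not valid base64 (usually a copy/paste or quoting error)")
    return findings


def check_dmarc(record):
    if record is None:
        return ["no DMARC record: receivers have no policy for mail failing SPF/DKIM"]
    tags = parse_tags(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record must begin with v=DMARC1")
    policy = tags.get("p")
    if policy is None:
        findings.append("missing mandatory p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will never arrive")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return findings


def audit_domain(spf, dkim, dmarc):
    """Run all three checks; an empty list for each means no issues found."""
    return {"spf": check_spf(spf), "dkim": check_dkim(dkim), "dmarc": check_dmarc(dmarc)}


# Constructed records: a sound set and a weak set resembling what the post describes.
GOOD = ("v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA",
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.org")
WEAK = ("v=spf1 include:_spf.example.net ~all", "v=DKIM1; k=rsa; p=", None)

if __name__ == "__main__":
    print("good:", audit_domain(*GOOD))
    print("weak:", audit_domain(*WEAK))
```

The sound set returns an empty list for all three checks; the weak set flags the soft-fail SPF, the revoked (empty) DKIM key and the missing DMARC policy. Note that a clean DKIM record only proves a key is published; whether outbound mail is actually signed with it has to be verified on a received message.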
After some further research I discovered many Stockport NHS emails and passwords in various database dumps on GitHub, which is not too good as this will aid spear phishing. After analysing the passwords it showed there is a very familiar pattern amongst them, and that is the vast majority are random six characters, lower-case letters and numbers (no upper case or special characters). Could this be because users are reusing their NHS password and that Stockport NHS's password policy is extremely poor?
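The inference the post draws from the leaked credentials rests on the shape of the passwords, not their values: if most of a population shares one length and character set, that usually points at a policy or a generator. The following added example, not the post author's analysis, does that shape analysis over a constructed sample list (no real credentials), counting how many match the six-character lower-case-plus-digit pattern the post reports and which shape is most common overall.

```python
# Added example (not the post's own analysis): summarise the *shape* of a set
# of passwords (length and character classes) to spot a shared policy or
# generator.  The sample list is constructed, not taken from any real dump.
import string
from collections import Counter

CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
}


def shape(password):
    """(length, frozenset of character classes present); anything that is not
    a letter or digit counts as 'symbol'."""
    classes = set()
    for ch in password:
        for name, members in CHAR_CLASSES.items():
            if ch in members:
                classes.add(name)
                break
        else:
            classes.add("symbol")
    return len(password), frozenset(classes)


def matches_reported_pattern(password):
    """The shape the post reports: exactly six characters drawn only from
    lower-case letters and digits."""
    length, classes = shape(password)
    return length == 6 and classes <= {"lower", "digit"}


def summarise(passwords):
    """Counts per shape plus how many fit the reported weak pattern."""
    shapes = Counter(shape(p) for p in passwords)
    weak = sum(1 for p in passwords if matches_reported_pattern(p))
    top_shape, top_count = shapes.most_common(1)[0]
    return {
        "total": len(passwords),
        "weak_pattern": weak,
        "weak_share": weak / len(passwords),
        "top_shape": f"{top_shape[0]} chars, {'+'.join(sorted(top_shape[1]))}",
        "top_share": top_count / len(passwords),
    }


# Constructed sample: seven follow the six-char lower+digit shape, three do not.
SAMPLE = ["a3kd9q", "p0m2xw", "j7h4rt", "q1z8ln", "m5c2vb", "x9d3ke", "b6t1yu",
          "CorrectHorse9!", "Summer2017", "password"]

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

On the sample, 70% of entries share the "6 chars, digit+lower" shape. A share that high across unrelated breach dumps is what makes the post's reuse-plus-weak-policy hypothesis plausible; the same summary run over a fresh export of your own password-change history is a cheap way to confirm whether a minimum-length and complexity policy is actually being enforced.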
To sum it all up, your personal data is not safe with Stockport NHS. A person with motivation and a little knowledge could easily access your data.
MIFARE Classic cards have been broken since 2008 and can easily be cloned. You can read more on hacking MIFARE Classic cards here: https://www.blackhat.com/docs/sp-14/materials/arsenal/sp-14-Almeida-Hacking-MIFARE-Classic-Cards-Slides.pdf