
Hung Out to Dry: Airing the Dirty Laundry of Stored-Value Wash Cards

Video: DEFCONConference, 30:57

This talk demonstrates a reverse engineering and exploitation technique against stored-value laundry card systems using Mifare Classic RFID cards. The researchers identify the memory structure of the cards, including the location of balance, transaction identifiers, and incremental mirror bytes, to manipulate the stored value. By analyzing the relationship between these memory blocks, they successfully perform unauthorized top-ups on the cards. The presentation highlights the lack of security in these legacy systems and the difficulty of patching distributed hardware.

Bypassing Stored-Value Laundry Systems via Mifare Classic Memory Manipulation

TLDR: Researchers at DEF CON 2025 demonstrated how to manipulate stored-value laundry cards by reverse-engineering the memory layout of Mifare Classic RFID tags. By identifying the specific blocks containing balance data, transaction identifiers, and incremental mirror bytes, they successfully performed unauthorized balance top-ups. This research highlights the inherent insecurity of legacy RFID systems that rely on client-side data storage without cryptographic integrity.

Laundry rooms in apartment complexes and university dorms are often treated as low-risk environments, but they are essentially running on legacy hardware that hasn't seen a security update in decades. The recent research presented at DEF CON 2025 on Mifare Classic cards proves that these systems are wide open for anyone with a Proxmark3 and a bit of patience. When a payment system stores its "source of truth" directly on a user-controlled card, you aren't looking at a secure transaction; you are looking at a simple data structure waiting to be edited.

The Anatomy of a Laundry Card

The core of the issue lies in how these systems, such as those supplied by Kiosoft, manage data. Mifare Classic cards are not secure tokens; they are small, programmable memory banks. The researchers found that the card's memory is divided into sectors, each containing three data blocks and one sector trailer. The sector trailer holds the keys and access bits, but the actual value, the money you think you have, is stored unencrypted in the data blocks.

The researchers mapped the memory layout and identified three critical components:

  1. Value Bytes: The actual balance, stored as a whole cent amount in little-endian format.
  2. Transaction Identifier: A value used by the reader to verify the card's state.
  3. Incremental Mirror Bytes: A set of bytes that change in a predictable, linear relationship with the value bytes.

The system uses these mirror bytes as a rudimentary check to ensure the card's memory hasn't been tampered with. If the value bytes are modified without updating the corresponding mirror bytes to match the expected linear equation, the reader rejects the card. This is a classic example of Broken Access Control where the system trusts the client to maintain its own integrity.

Exploiting the Linear Relationship

The most impressive part of this research is the mathematical approach to bypassing the integrity checks. By taking snapshots of the card's memory before and after a legitimate top-up, the researchers were able to plot the relationship between the value bytes and the mirror bytes. They discovered that the mirror bytes are simply a bitwise negation of the value bytes, or an XOR operation with 0xFF.

To perform an unauthorized top-up, you don't just change the balance; you have to solve for the mirror bytes. If you want to set your balance to $69.69, you calculate the hex representation, convert it to the required little-endian format, and then apply the XOR operation to generate the correct mirror bytes.

# Simplified logic for calculating the required mirror bytes
balance = 6969 # $69.69 in cents
# Two bytes, little-endian, as described in the talk (must fit in 0..65535 cents)
hex_balance = balance.to_bytes(2, byteorder='little')
# The mirror bytes are the bitwise negation of the value bytes (value XOR 0xFF)
mirror_bytes = bytes([b ^ 0xFF for b in hex_balance])

Once you have these values, you use the Proxmark3 to write the new data directly to the card's memory blocks. Because the reader doesn't perform any server-side validation or use a secure challenge-response protocol, it accepts the modified card as legitimate.

Real-World Implications for Pentesters

If you are conducting a physical security assessment or a red team engagement, these systems are low-hanging fruit. You will likely encounter them in any facility that uses self-service laundry or vending machines. The impact is straightforward: financial theft and unauthorized access to services. While the dollar amount per card is small, the cumulative loss for a property management company can be significant, and the lack of logging means these attacks are almost never detected.

During an engagement, your workflow is simple:

  1. Dump the card's memory using a tool like the Proxmark3 client.
  2. Use a script to identify the value blocks by comparing multiple dumps after small, legitimate transactions.
  3. Calculate the XOR relationship for the mirror bytes.
  4. Write the desired balance and the corresponding mirror bytes back to the card.

The Defensive Reality

Defending against this is difficult because the vulnerability is baked into the hardware. These systems are distributed, offline, and expensive to replace. The only real solution is to move away from stored-value cards entirely in favor of systems that perform authorization against a centralized database. If a facility must use RFID, it should at least deploy cards that support AES-128 encryption and require a secure handshake with the reader.
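To make the gap between the mirror-byte check and real integrity protection concrete, here is an added example (not code from the talk or from any vendor) that models the reader-side validation on both sides: the legacy check the researchers describe, and a keyed variant that binds the balance to the card UID under a key the card never holds. The 16-byte block layout, offsets, UID and key are constructed for the example; only the two-byte little-endian balance and the XOR 0xFF mirror relationship come from the talk summary.

```python
import hmac
import hashlib

# Layout assumed from the talk summary: 2-byte little-endian balance in cents
# followed by 2 mirror bytes (balance XOR 0xFF). Offsets and the 16-byte block
# padding are constructed for this example, not taken from a real card dump.
BLOCK_LEN = 16


def build_block(cents: int) -> bytes:
    """Build a data block exactly as the legacy reader expects it."""
    value = cents.to_bytes(2, "little")
    mirror = bytes(b ^ 0xFF for b in value)
    return (value + mirror).ljust(BLOCK_LEN, b"\x00")


def read_balance(block: bytes) -> int:
    return int.from_bytes(block[0:2], "little")


def legacy_check(block: bytes) -> bool:
    """Reader-side check the talk describes: accept when mirror == value XOR 0xFF.
    It catches accidental corruption only; anyone able to write the block can
    satisfy it, so a forged block is indistinguishable from a legitimate one."""
    value, mirror = block[0:2], block[2:4]
    return all(v ^ m == 0xFF for v, m in zip(value, mirror))


def tamper(block: bytes, cents: int) -> bytes:
    """Overwrite only the balance bytes and leave the rest of the block intact."""
    return cents.to_bytes(2, "little") + block[2:]


def build_keyed_block(cents: int, key: bytes, card_uid: bytes) -> bytes:
    """Hardened variant (constructed): an 8-byte HMAC tag over UID || balance under
    a reader/server-held key. Still weaker than online authorization, but a
    rewritten or cloned balance no longer verifies without the key."""
    value = cents.to_bytes(2, "little")
    tag = hmac.new(key, card_uid + value, hashlib.sha256).digest()[:8]
    return (value + tag).ljust(BLOCK_LEN, b"\x00")


def keyed_check(block: bytes, key: bytes, card_uid: bytes) -> bool:
    value, tag = block[0:2], block[2:10]
    expected = hmac.new(key, card_uid + value, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(tag, expected)
```

The keyed variant still leaves the key inside every distributed reader, which is why the centralized-authorization model above remains the real fix.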

For now, these laundry cards remain a perfect example of why you should never trust data stored on a client device. If you are testing a system that uses Mifare Classic, stop looking for complex exploits and start looking at the memory map. You will likely find that the "security" is just a few bytes of data that you can change at will.
