Transcription
NFC/RFID Security Hands-on
RMLL 2013
Philippe Teuwen
SECurity REsearch Team – Leuven, NXP Semiconductors
09/07/2013

Agenda
Standards
Readers
Tools
Security aspects
Hands-on
Demos
Highly non-linear.

NFC/RFID LiveCD
GNU/Linux, Debian Wheezy
Hybrid image: bootable as an ISO or via dd to /dev/sdx
"upgradable" via apt-get
Can also run under VirtualBox
RFID-related software, drivers & docs (cf readme.txt)
Not just for a one-day experience!
http://live.debian.net (3.x)
http://nfc-live.googlecode.com
xorriso -as cdrecord -isosize -v dev=/dev/sr0 /dev/sdb

RFID Zoo
Frequency / Standards / Applications:
LF (125–134 kHz): ISO 11784/85, ISO 18000-2 – Animal ID, Car immobilizer
HF (13.56 MHz): ISO 14443 – AFC, banking, eGov; ISO 15693, ISO 18000-3, HF EPC Gen2 – Supply chain track & trace, Item level tagging
UHF (840–960 MHz): ISO 18000-6, UHF EPC Gen2 – Supply chain track & trace
Incomplete picture:
– More frequency bands
– Many more standards

RFID hacking on a PC
Commercially available readers:
No standard reader API
Same as in the pre-PC/SC era
Some hooks on PC/SC
Let's focus on readers & tools with open-source support

ACG LF aka OMNIKEY 5534
125 & 134.2 kHz
EM4x02, EM4x50, EM4x05 (ISO 11784/5 FDX-B)
Hitag 1 / 2 / S
Q5
TI 64 bit R/O & R/W
TI 1088 bit Multipage
Module available at http://www.rfidiot.org

ACG LF aka OMNIKEY 5534
readlfx.py -R READER_ACG -s baudrate
rfdump (File / Prefs / ACG / baudrate, then Reader / Start scan)
screen /dev/ttyUSB0 baudrate
Commands: ! c d X lo Xo Xo Xp poff pon rb wb rp wp s v x y
Functions: test, continuous read, continuous read, set tag settings, login, set tag type, include tag type, exclude tag type, antenna power off, antenna power on, read block, write block, read EEPROM, write EEPROM, select, get version, reset, field reset
! if active, F if not
poll, any key to stop / poll once
Examples: lMIKR, oH, SdH80 (gain 2, sampling time 0), rb00 (4 bytes), wb0011223344, y8080 (off time (ms), recovery time (ms))
Responses: L ok, X fail, N no tag

Omnikey CardMan 5321
Based on CL RC632
ISO 14443
ISO 15693
Also a contact interface
Linux: PC/SC vendor driver (libccid only supports the contact interface)
Danger: be careful with dual-interface cards!
PC/SC
Personal Computer / SmartCard
1996
Goal: interoperability through common sc
workgroup.com

PC/SC
Offers a reader-vendor-independent API, hence reader-independent applications
Controls shared access
Supports transaction management primitives
The OS provides the PC/SC service
The vendor provides the PC/SC driver

PC/SC
IFD Handler: the device driver
– RS232
– PS/2 (kbd)
– PCMCIA
– USB
– USB-CCID
Linux & Mac OS X: pcsc-tools

IFD Handler USB-CCID
For Chip/SmartCard Interface Devices
One common driver
– USB device ↔ PC/SC
– Microsoft: usbccid.sys
– Linux & Mac OS X: libccid

PC/SC API
SCardEstablishContext(…)
– First called, to talk to the PC/SC service
SCardListReaders(…)
SCardConnect(reader, shared mode, proto, …)
– Card power-up & reset, ATR
SCardTransmit(APDU, pbRecvBuffer, …)

SmartCard ATR & APDU
Answer To Reset (ISO 7816-3)
http://en.wikipedia.org/wiki/Answer_to_reset
c-tools/smartcard_list.txt
Application Protocol Data Unit (ISO 7816-4)
Command: CLA INS P1 P2 [Lc] [data] [Le]
Response: [data] SW1 SW2

Contactless ATR?
The reader generates a PC/SC compliant ATR according to PC/SC v2.01, Part 3, 3.1.3.2: "Contactless Protocol Support"
– Smartcards (ISO14443-4): ATS to ATR mapping, cf table 3.5 in 3.1.3.2.3.1
– Storage cards: cf table 3.6 in 3.1.3.2.3.1
Standard and card name mapped according to the Part 3 Supplemental Document of PC/SC 2.01

pcsc-tools
Ludovic Rousseau
pcsc_scan
scriptor
Your reader: SCL3711
3 ways to use it (helper scripts on the ISO are available):
With its proprietary PC/SC driver: scl3711 → pcsc → driver proprio
With the new ifdnfc open-source PC/SC driver (still beta): scl3711 → pcsc → driver ifdnfc; ifdnfc-activate
Without driver, via libnfc: scl3711 → libnfc
You might have to re-plug the reader if unresponsive

driver proprio → pcsc_scan

Contactless APDU?
Smartcards: ISO7816-4 APDU support, so just pass-thru
GetData UID: FF CA 00 00 Le
scriptor: ffca000000
GetData ATS: FF CA 01 00 Le
(driver ifdnfc)
Storage cards: transform the APDU into specific command(s)
Filter/map requests & responses
GetUID, Read Binary, Update Binary, Load Keys, General Authenticate, (Verify)
Other vendor-specific mappings

PC/SC 2.0 Part 3 sup 2
New extension covering all you dreamed about for contactless readers
– Raw modes, modulations, etc
So it will be possible to write contactless-oriented applications agnostic to the type of reader you have
NOT covering NFC
cf nfc-doc/technology/PCSC/pcsc3 v2.02.00 sup2.pdf
First(?) compliant reader chip: NXP PR533

PN53x family
NFC (ISO18092 NFCIP-1)
ISO14443-A Tag Read/Write
ISO14443-B Tag Read/Write
ISO14443-3A (Mifare) Tag Emulate
FeliCa™ Tag Read/Write/Emulate
PN532 (SPI / I2C / UART)
– Automatic Polling Sequence
– ISO14443-4A (T=CL) Tag Emulate
PN533 (USB 2.0)
– NFC-SEC, PayPass

NFC: more than p2p
Diagram labels: emul, p2p, ISO14443A, ISO14443B, ISO15693, FeliCa

NFC: NFCIP / NFC-Forum

NFC-Forum
NDEF (NFC Data Exchange Format)
LLCP (Logical Link Control Protocol)
SNEP (Simple NDEF Exchange Protocol)
Android NPP (NDEF Push Protocol)
NFC-Forum Tags:
– Type 1: Innovision Topaz/Jewel (ISO14443-3A)
– Type 2: NXP Mifare Ultralight (ISO14443-3A)
– Type 3: Sony FeliCa
– Type 4: ISO7816-4 on ISO14443-4 A or B
PN53x family
TAMA language
Host → PN53x: D4 CC [data]
PN53x → host: D5 CC+1 [data]
Ex: GetFirmware()
D4 02
PN531 response: D5 03 04 02
PN532 response: D5 03 32 01 06 07
PN533 response: D5 03 33 02 07 07
cf nfc-doc/products/NXP/{PN532,PN533}/

PN533-based: SCL3711 & ASK LoGO
SCL3711
– PC/SC driver proprio
– PC/SC driver open source
– Direct libnfc support
ASK LoGO
– Supports ISO14443-B' (*)
– Progressive field for ISO14443-B
– PC/SC driver open source
– Direct libnfc support
(*) now in all libnfc supported readers

SCL3711 through libusb: libnfc
pn53x-tamashell
On the wire: D4 CC [data] / D5 CC+1 [data]
In pn53x-tamashell: you send CC [data] and receive [data]

GetFirmwareVersion
02 → 33 02 07 07
IC 33 (PN533)
Ver 02
Rev 07
Support 07 (ISO18092, ISO14443B, ISO14443A)
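The TAMA framing and the GetFirmwareVersion decode above, as an added Python example (not code from the talk or from libnfc): it builds the host frame, validates a reply against the D5 / CC+1 rule, and tells the three reply layouts apart. The IC codes and support bits are the ones the slide quotes; everything else is constructed.

```python
GET_FIRMWARE_VERSION = 0x02                      # command code quoted in the slides
IC_NAMES = {0x32: "PN532", 0x33: "PN533"}        # IC byte; the PN531 reply has none
SUPPORT_BITS = {0x01: "ISO14443A", 0x02: "ISO14443B", 0x04: "ISO18092"}  # 07 = all three

def tama_command(code, data=b""):
    """Wrap a command code and payload in the host-to-PN53x form: D4 CC [data]."""
    return bytes([0xD4, code]) + bytes(data)

def tama_response_data(command_code, frame):
    """Validate a PN53x-to-host frame (D5 CC+1 [data]) and return its payload.

    A frame that does not start with D5, or whose code is not CC+1, is rejected
    instead of being misdecoded as an answer to the command we sent.
    """
    if len(frame) < 2 or frame[0] != 0xD5:
        raise ValueError("not a PN53x response frame: %s" % frame.hex())
    if frame[1] != (command_code + 1) & 0xFF:
        raise ValueError("response code %02X does not answer command %02X"
                         % (frame[1], command_code))
    return bytes(frame[2:])

def decode_firmware_version(frame):
    """Decode a GetFirmwareVersion reply; the payload length tells PN531 from PN532/533."""
    data = tama_response_data(GET_FIRMWARE_VERSION, frame)
    if len(data) == 2:                           # PN531: Ver, Rev
        return {"ic": "PN531", "ver": data[0], "rev": data[1], "support": []}
    if len(data) == 4:                           # PN532/PN533: IC, Ver, Rev, Support
        ic, ver, rev, support = data
        names = [n for bit, n in sorted(SUPPORT_BITS.items()) if support & bit]
        return {"ic": IC_NAMES.get(ic, "unknown IC %02X" % ic),
                "ver": ver, "rev": rev, "support": names}
    raise ValueError("unexpected GetFirmwareVersion payload: %s" % data.hex())

if __name__ == "__main__":
    print(tama_command(GET_FIRMWARE_VERSION).hex())               # d402
    # Reply bytes are the three quoted in the slides.
    for reply in ("D5 03 04 02", "D5 03 32 01 06 07", "D5 03 33 02 07 07"):
        print(reply, "->", decode_firmware_version(bytes.fromhex(reply)))
```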
libnfc
Initiated by Roel Verdult
Now mainly Romuald Conty, me & 10 developers
Library to support PN53x readers, tools & examples
via libusb, PC/SC, UART, SPI, I2C
http://www.libnfc.org
nfc-<TAB><TAB>

libnfc-related projects
libfreefare (MIFARE Classic, DESFire, Ultralight C, …)
ifdnfc
nfc-tools: lsnfc, libnfc-llcp, pam_nfc, NfcEventD, DeskNFC, …
qnfcd, pynfc, nfosc, libfm1208, micmd, mtools
RFIDIOt
mfoc, mfcuk, readnfcc
mfocuino, nfcdoorlock

ifdnfc: bringing the missing piece
IFD Handler based on libnfc
Goal: make libnfc-supported devices PC/SC Part 3 sup 2 compliant
Current status:
– PC/SC support (ATR & APDU) for ISO14443A-4
– FFCA000000 & FFCA010000
– Supports UART & USB devices
– Handles USB libnfc devices transparently, in the same way libccid supports USB CCID devices
– Handles multiple devices at once
– Can replace the SCL3711 proprietary driver
https://code.google.com/p/ifdnfc
Did I say it's still beta?

Anticollision
nfc-list
nfc-list -v
nfc-anticol (only Type A)
(libnfc)
Anticollision sequence (reader → card, card → reader):
Reader: REQA (7 bit)
Card: ATQA (anticol, double UID)
Reader: SEL (cascade level 1)
Card: CT, UID (bytes 1,2,3), BCC
Reader: SEL
Card: SAK (cascade bit)
Reader: SEL (cascade level 2)
Card: UID (bytes 4,5,6,7), BCC
Reader: SEL
Card: SAK (14443-4 compliant)
Reader: RATS
Card: ATS
Reader: HALT

UID
7-byte:
Cascade Level 1: 88 u1 u2 u3 (u1 = 04 NXP; 05 Infineon, …)
Cascade Level 2: u4 u5 u6 u7
4-byte:
Cascade Level 1: u1 u2 u3 u4
u1 = 08: Random ID (used in card emulation, ePassports, …)
u1 = xF: FNUID, "F" Non-Unique ID, MIFARE Classic since 2010
11-byte: foreseen in the standards
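The cascade-level select answers above, reassembled into a UID and classified by first byte: an added Python example, not code from the talk or from libnfc. It checks each BCC, follows the SAK cascade bit, and reads the ISO14443-4 bit from the final SAK; the UID bytes are constructed, and the manufacturer codes are the ones the slide lists.

```python
CASCADE_TAG = 0x88       # CT: more UID bytes follow in the next cascade level
SAK_CASCADE_BIT = 0x04   # SAK bit 3: UID not complete yet
SAK_ISO14443_4 = 0x20    # SAK bit 6: card is ISO14443-4 compliant (RATS possible)
MANUFACTURERS = {0x04: "NXP", 0x05: "Infineon"}   # first-byte values quoted in the slides

def bcc(block):
    """Block Check Character: XOR of the four bytes it protects."""
    out = 0
    for b in block:
        out ^= b
    return out

def parse_cascade_levels(levels):
    """Reassemble the UID from [(5-byte SEL answer, SAK), ...], one per cascade level.

    Each answer is the 4 UID/CT bytes plus BCC the card sends to SEL; the SAK is the
    one received after that level's full select. Returns (uid, iso14443_4_compliant).
    """
    uid = b""
    for i, (answer, sak) in enumerate(levels):
        if len(answer) != 5 or bcc(answer[:4]) != answer[4]:
            raise ValueError("bad BCC in cascade level %d" % (i + 1))
        if sak & SAK_CASCADE_BIT:                      # CT + 3 UID bytes, continue
            if answer[0] != CASCADE_TAG:
                raise ValueError("cascade bit set but no CT in level %d" % (i + 1))
            uid += answer[1:4]
        else:                                          # 4 UID bytes, UID complete
            if i != len(levels) - 1:
                raise ValueError("extra cascade level after a complete UID")
            return uid + answer[:4], bool(sak & SAK_ISO14443_4)
    raise ValueError("UID incomplete: last SAK still has the cascade bit set")

def describe_uid(uid):
    """Classify the UID by length and first byte, as the slide does."""
    u1 = uid[0]
    if len(uid) == 4 and u1 == 0x08:
        return "4-byte random ID"
    if len(uid) == 4 and u1 & 0x0F == 0x0F:
        return "4-byte FNUID (non-unique)"
    return "%d-byte UID, %s" % (len(uid), MANUFACTURERS.get(u1, "manufacturer %02X" % u1))

if __name__ == "__main__":
    # Constructed 7-byte UID 04 A1 B2 C3 D4 E5 F6 as a card would answer it.
    cl1, cl2 = bytes([0x88, 0x04, 0xA1, 0xB2]), bytes([0xC3, 0xD4, 0xE5, 0xF6])
    levels = [(cl1 + bytes([bcc(cl1)]), 0x04), (cl2 + bytes([bcc(cl2)]), 0x20)]
    uid, iso4 = parse_cascade_levels(levels)
    print(uid.hex(), iso4, describe_uid(uid))
```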
Reading/Writing raw tags & NDEF tags
nfc-mfultralight r foo
nfc-mfclassic r a foo
mifare-ultralight-info
mifare-classic-format
mifare-classic-write-ndef
mifare-classic-read-ndef -o foo
mifare-desfire-format
mifare-desfire-create-ndef
mifare-desfire-write-ndef
mifare-desfire-read-ndef -o foo
mifare-desfire-info

NFC: NFCIP1 p2p
Bring two readers against each other
On the first machine: nfc-dep-target
On the second machine: nfc-dep-initiator

NFC Security
NFC is intrinsically secure because it's short range, "about 15cm"
Seriously?
source: xaurorartx.deviantart.com

Short range?
Best results so far:
Reader to card communication sniffed 22m away
– office environment, ISO14443 type A & B
Card to reader communication sniffed 3.5m away
– office environment, type B
Reader to card communication sniffed 4m away with an electric antenna
– so sniffing E rather than H
Pierre-Henri Thevenon's PhD thesis, 2011

NFC "touch" & implicit user consent
Appealing but dangerous!
Privacy-leaking RFID tags
Relay attacks on tags & NFC devices
Exploiting implicit intents on NFC devices

Privacy-leaking RFID tags
Contactless credit cards (US, UK)
14443A-4 relay attack via TCP/Bluetooth
by Michael Weiß
ation/157

Idem with off-the-shelf NFC phones
by Lishoy Francis, Gerhard Hancke et al.
Using a BlackBerry 9900 as proxy token
http://eprint.iacr.org/2011/618.pdf

CyanogenMod allowing sw card emulation
by Blackwing, Eddie Lee, 2012
http://sourceforge.net/p/nfcproxy

libnfc: Relay attacks
nfc-relay
– Sw card emulation
nfc-relay-picc
– PN532 only
– Works over TCP/IP

14443A relay attack via 2.4GHz video TX
by Gerhard P. Hancke
iew-2009.pdf

Fastest wireless relay so far
By Pierre-Henri Thevenon
about 700 ns, 200 m
http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=6064449

Defense against Relay Attacks
Distance bounding protocols
– Guarantee that the tag/device is not further away than X meters
– Based on the timing of authenticated, unpredictable messages
– MIFARE Plus proximity check
But what about legit relays?
Source: Ethertrust
Exploiting implicit intents on NFC devices
Much cooler without user confirmation
But be careful! E.g. Roel Verdult's attack against the Nokia 6212:
Fake smartposter (actually a p2p device) initiating BT content sharing via OBEX → pushing a malicious app → privilege escalation up to the manufacturer/operator domain
http://www.cs.ru.nl/~rverdult/Practical_attacks_on_NFC_enabled_cell_phones-NFC11.pdf
Today, still no confirmation to accept data from Android Beam.

But before asking for user intentions…
Fuzzing attacks with malformed NDEF, exploiting the NFC stack before the user has any chance to accept or not.
NDEF fuzzing library by Collin Mulliner
http://www.mulliner.org/nfc

NFC "touch" attacks, what for?
Crash system and/or app
– Some could lead to successful exploits
System targets: browser / dialer / sms handler
Hijack the phone by installing malicious apps
Bugs & design issues:
fc ndef security ninjacon
blications/vulnanalysisattacknfcmobilephones mulliner 2009.pdf

"NFC phishing" attacks on Smartposter
In this scenario the user needs to give his explicit consent
But for what?

Smartposter URL: abusing the title field
Same attack on phone calls & SMS: redirect to a surcharged call/SMS

Smartposter URL: Man-in-the-Middle proxy
Transparent for the user as the URL is not displayed on mobile browsers
Inject malicious content (e.g. auto-install trojan JAR bug in Nokia)
Steal credentials
etc

Smartposter URL: attacking Selecta vending machines
Make tags pointing to machine A and stick them on machines B, C, D, …
Wait at machine A and pull out your free snack
Source: Collin Mulliner

More issues & mitigations
Problem of shortened URLs:
– Handy to store a long URL on a cheap NFC Tag
– Is http://bit.ly/FHYSq safe or not?
Want to deploy smartposters?
– Use signed NDEF if possible (in its new version…)
– Turn tags physically read-only
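One reader-side check for the title-field abuse described in the preceding slides, as an added Python example that is not from the talk: parse a Smart Poster's URI and title records and flag a title whose host-looking text differs from the host the URI actually points to. The NDEF record header, URI-prefix byte and Text status byte follow the NFC Forum layouts; the sample record and hostnames are constructed.

```python
import re
from urllib.parse import urlparse
URI_PREFIX = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
              0x03: "http://", 0x04: "https://"}   # subset of the RTD URI prefix table
HOST_RE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/.*)?$")
def parse_ndef(message):
    """Yield (tnf, type, payload) per record of an NDEF message (short records, SR=1)."""
    pos = 0
    while pos < len(message):
        hdr, type_len, payload_len = message[pos], message[pos + 1], message[pos + 2]
        if not hdr & 0x10:
            raise ValueError("only short records (SR flag) are handled here")
        pos += 3
        id_len = 0
        if hdr & 0x08:                                  # IL: one ID-length byte follows
            id_len, pos = message[pos], pos + 1
        rtype, pos = message[pos:pos + type_len], pos + type_len + id_len
        payload, pos = message[pos:pos + payload_len], pos + payload_len
        if len(payload) != payload_len:
            raise ValueError("truncated NDEF record")
        yield hdr & 0x07, rtype, payload
        if hdr & 0x40:                                  # ME: last record of the message
            break
def decode_smart_poster(message):
    """Return (uri, titles) of the first Smart Poster ("Sp") record, or (None, [])."""
    uri, titles = None, []
    for tnf, rtype, sp in parse_ndef(message):
        if tnf == 0x01 and rtype == b"Sp":              # payload is itself an NDEF message
            for tnf2, rtype2, data in parse_ndef(sp):
                if tnf2 == 0x01 and rtype2 == b"U":     # prefix code byte + rest of the URI
                    uri = URI_PREFIX.get(data[0], "") + data[1:].decode("utf-8")
                elif tnf2 == 0x01 and rtype2 == b"T":   # status byte bits 0-5: lang code length
                    titles.append(data[1 + (data[0] & 0x3F):].decode("utf-8"))
            break
    return uri, titles
def title_mismatch(uri, titles):
    """True when a title shows a host-looking token that is not the URI's host."""
    strip_www = lambda h: h[4:] if h.startswith("www.") else h
    host = strip_www((urlparse(uri).hostname or "").lower())
    for word in " ".join(titles).lower().split():
        m = HOST_RE.match(word.strip(".,;:()"))
        if m and strip_www(m.group(1)) != host:
            return True
    return False
def record(rtype, payload, mb=False, me=False):   # one short NDEF record, TNF 0x01 (well-known)
    return bytes([0x11 | 0x80 * mb | 0x40 * me, len(rtype), len(payload)]) + rtype + payload

# Constructed sample: the title advertises one site while the URI record points elsewhere.
SAMPLE = record(b"Sp", record(b"U", b"\x03evil.example/login", mb=True)
                + record(b"T", b"\x02enVisit http://www.mybank.example", me=True), mb=True, me=True)
```

Running `title_mismatch(*decode_smart_poster(SAMPLE))` returns True for the sample and False for a poster whose title names the same host as its URI.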
NFC security
UIDs are unique, you can rely on them
Seriously?

Well, not anymore
The NFC technology barrier fell a while ago for hackers:
"One-shot" cheap designs
Open-source dedicated designs
Off-the-shelf NFC chips with open-source software
Off-the-shelf readers & phones
Industrial hacking products

Chinese MFC clone with R/W "UID"
About 25
Can be fully reprogrammed, even if the ACL data is corrupted
Quickly acquired by the "usual suspects" (NFC security researchers)
Quickly reversed and now supported by open-source tools

libnfc: Tag emulation
nfc-emulate-uid
Then from another machine try nfc-anticol
Try a second time: nfc-anticol
nfc-emulate-forum-tag2
nfc-emulate-forum-tag4 (PN532 only)

PN532 breakout board
https://www.adafruit.com/products/364
40
SPI, UART, I2C
UID forgery still possible towards some readers

PN532 NFC shield for Arduino
http://seeedstudio.com/wiki/index.php?title=NFC_Shield
29.50
SPI

PN532-based OpenPCD2
http://www.openpcd.org/OpenPCD_2_RFID_Reader_for_13.56MHz
ARM Cortex-M3
libnfc-compatible FW
Read/Sniff/Emulate
RFIDIOt
Adam Laurie
http://rfidiot.org
many tools for LF & HF tags, some not much maintained
isotype.py
multiselect.py
– try on an epassport, then… killall multiselect.py
(libnfc or ifdnfc)

RFIDIOt
mrpkey.py CHECK
mrpkey.py mrz PLAIN (copy in /tmp)
– Supports short MRZ: 1-9;14-19;22-27
– Supports "?" in the numeric part of the document nr
(demo)
Vonjeek/JMRTD applets:
mrpkey.py path WRITE
mrpkey.py mrz PLAIN WRITE
SETBAC / UNSETBAC (Vonjeek only)

ePassport: Machine-Readable Zone & Basic Access Control
BAC key based on the short MRZ: 1-9;14-19;22-27
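What "short MRZ" means in practice, as an added Python example (not RFIDIOt code): the three MRZ fields the slide names are completed with recomputed ICAO 9303 check digits, and the resulting MRZ information string is run through the standard's key derivation to obtain the BAC 3DES keys. The document number and dates are those of the ICAO Doc 9303 worked example, not a real document.

```python
import hashlib

def mrz_check_digit(field):
    """ICAO 9303 check digit: weights 7,3,1 over 0-9, A-Z (10-35) and '<' (0)."""
    total = 0
    for i, ch in enumerate(field.upper()):
        if ch.isdigit():
            value = int(ch)
        elif ch.isalpha():
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError("invalid MRZ character %r" % ch)
        total += value * (7, 3, 1)[i % 3]
    return str(total % 10)

def mrz_information(document_number, birth_date, expiry_date):
    """Rebuild the key-seed input from the short MRZ fields, recomputing the check digits."""
    document_number = document_number.ljust(9, "<")     # '<' is the MRZ filler character
    if len(document_number) != 9 or len(birth_date) != 6 or len(expiry_date) != 6:
        raise ValueError("expected a 9-char document number and YYMMDD dates")
    return (document_number + mrz_check_digit(document_number)
            + birth_date + mrz_check_digit(birth_date)
            + expiry_date + mrz_check_digit(expiry_date))

def adjust_parity(key):
    """Force odd parity on each DES key byte, as the ICAO key derivation requires."""
    return bytes(b if bin(b).count("1") % 2 else b ^ 1 for b in key)

def bac_keys(mrz_info):
    """Return (Kseed, Kenc, Kmac): Kseed = SHA-1(MRZ_info)[:16], Kx = SHA-1(Kseed || c)[:16]."""
    kseed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    keys = []
    for counter in (1, 2):                       # c = 1 -> Kenc, c = 2 -> Kmac
        digest = hashlib.sha1(kseed + counter.to_bytes(4, "big")).digest()
        keys.append(adjust_parity(digest[:16]))
    return kseed, keys[0], keys[1]

if __name__ == "__main__":
    # Fields from the ICAO Doc 9303 worked example (not a real document).
    info = mrz_information("L898902C<", "690806", "940623")
    kseed, kenc, kmac = bac_keys(info)
    print(info, kseed.hex(), kenc.hex(), kmac.hex())
```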
oogle.com/p/epassportviewer/ (not yet up-to-date)
Latest versions:
– CSCA
– Attacks: Err fingerprint, BAC brute force, MAC traceability, Active Auth before BAC
– Forgery
(driver ifdnfc or driver proprio)

ePassport ≠ US Passport Card (UHF)
Chris Paget: 250 on eBay
– Symbol XR400 RFID reader
– Motorola AN400 patch antenna

cardpeek
"L1L1"
Extensible with LUA scripts
EMV, Navigo, Calypso, Vitale, Moneo, …
(driver proprio)

MOBIB Extractor
UCL/GSI
Open ://sites.uclouvain.be/security/mobib.html
(libnfc)

Proxmark III
Jonathan Westhues
160 / 188 / 229
ARM7 + FPGA
Open-source design & software (OS/ARM/FPGA)
LF (125 kHz / 132 kHz) & HF (13.56 MHz)
Read, sniff (both directions), emulate & …
/p/proxmark3/wiki/RunningPM3

Proxmark III
130 commands, half of them offline, readline support
– cf …
– Readers / sniffers / emulators / …
– LF: FlexPass, Indala, VeriChip, EM410x, EM4x50, HID Proxcard(*), TI, T55xx, Hitag
– HF: ISO14443A, ISO14443B, SRI, ISO15693, Legic, iClass, MFC
(*) works standalone
PM3: LF analog trace demo
proxmark3
pm3> data load /usr/local/share/proxmark3/traces/indala<TAB>
pm3> data plot
pm3> data dec
pm3> data load … (↑ to go back in history)
pm3> lf indalademod

PM3: Flashing latest firmware
cd /usr/local/share/proxmark3/firmware r708
Proxmarks with still an old bootloader (SVN rev 674):
flasher old b bootrom.elf fullimage.elf
Proxmarks with the new bootloader already:
flasher fullimage.elf
Identifying an unknown tag, first step:
pm3> hw tune

PM3: ISO14443A sniffing
pm3> hf 14a snoop
In parallel, talk to the card: pn53x-tamashell (4a 01 00) or pcsc_scan
!! PRESS PM3 BUTTON TO STOP SNIFFING
pm3> hf 14a list

Chameleon: cloning MFC/DF for 25
Mifare Classic, DESFire & DESFire EV1 emulation
Powered by battery

Thanks!
Want s.org
http://wiki.yobi.be/wiki/RFID
Feedback / Questions?
Now, or:
Jabber/GTalk: phil@jabber.reseaucitoyen.be
Email: phil@teuwen.org