NFC/RFID Security Hands-on RMLL 2013 - Moutane

Transcription

NFC/RFID Security Hands-on
RMLL 2013
Philippe Teuwen
SECurity REsearch Team – Leuven
NXP Semiconductors
09/07/2013

Agenda
– Standards
– Readers
– Tools
– Security aspects
– Hands-on
– Demos
Highly non-linear.

NFC/RFID LiveCD
– GNU/Linux, Debian Wheezy
– Hybrid image: ISO & dd of /dev/sdx
– "upgradable" via apt-get
– Can also run under VirtualBox
– RFID-related software, drivers & docs (cf readme.txt)
– Not just for a one-day experience!
http://live.debian.net (3.x)
http://nfc-live.googlecode.com
xorriso -as cdrecord -isosize -v dev=/dev/sr0 /dev/sdb

RFID Zoo

Frequency            Standards                                 Applications
LF (125–134 kHz)     ISO 11784/85, ISO 18000-2                 Animal ID, car immobilizer
HF (13.56 MHz)       ISO 14443                                 AFC, banking, eGov
                     ISO 15693, ISO 18000-3, HF EPC Gen2       Supply chain track & trace, item level tagging
UHF (840–960 MHz)    ISO 18000-6, UHF EPC Gen2                 Supply chain track & trace

Incomplete picture:
– More frequency bands
– Many more standards

RFID hacking on a PC
Commercially available readers:
– No standard reader API
– Same as the pre-PC/SC era
– Some hooks on PC/SC
Let's focus on readers & tools with open-source support

ACG LF aka OMNIKEY 5534
125 & 134.2 kHz
– EM4x02
– EM4x50
– EM4x05 (ISO 11784/5 FDX-B)
– Hitag 1 / 2 / S
– Q5
– TI 64 bit R/O & R/W
– TI 1088 bit Multipage
Module available at http://www.rfidiot.org

ACG LF aka OMNIKEY 5534
readlfx.py -R READER_ACG -s baudrate
rfdump (File / Prefs / ACG / baudrate, then Reader / Start scan)
screen /dev/ttyUSB0 baudrate
Serial command set (as listed on the slide): !cdXloXo Xo Xpoffponrbwbrpwpsvxy
– test, continuous read, continuous read, set tag settings, login, set tag type, include tag type, exclude tag type, antenna power off, antenna power on, read block, write block, read EEPROM, write EEPROM, select, get version, reset, field reset
Notes: "! if active, F if not"; "poll, any key to stop"; SdH80 (gain 2, sampling time 0); lMIKR; replies L ok / X fail / N no tag; oH; rb00 (4 bytes); wb0011223344; poll once; y8080 (off time (ms), recovery time (ms))

Omnikey CardMan 5321
– Based on CL RC632
– ISO 14443, ISO 15693
– Also contact interface
– Linux: PC/SC vendor driver (libccid only supports the contact interface)
Danger: be careful with dual-interface cards!

PC/SC
Personal Computer / SmartCard
1996
Goal: interoperability through common sc[…]workgroup.com

PC/SC
– Offers a reader-vendor-independent API, hence reader-independent applications
– Controls shared access
– Supports transaction management primitives
– OS provides the PC/SC service
– Vendor provides the PC/SC driver

PC/SC
IFD Handler = device driver
– RS232
– PS/2 (kbd)
– PCMCIA
– USB
– USB-CCID
Linux & Mac OS X: pcsc-tools

IFD Handler USB-CCID
For Chip/SmartCard Interface Devices
One common driver
– USB device → PC/SC
– Microsoft: usbccid.sys
– Linux & Mac OS X: libccid

PC/SC API
SCardEstablishContext(…)
– First call, to talk to the PC/SC service
SCardListReaders(…)
SCardConnect(reader, shared mode, proto, …)
– Card power-up & reset, ATR
SCardTransmit(APDU, pbRecvBuffer, …)

SmartCard ATR & APDU
Answer To Reset (ISO 7816-3)
http://en.wikipedia.org/wiki/Answer_to[…]
[…]c-tools/smartcard_list.txt
Application Protocol Data Unit (ISO 7816-4)
Command: CLA INS P1 P2 [Lc] [data] [Le]
Response: [data] SW1 SW2

Contactless ATR?
Reader generates a PC/SC compliant ATR according to PC/SC v2.01, Part 3, 3.1.3.2: “Contactless Protocol Support”
– Smartcards (ISO14443-4): ATS to ATR mapping, cf table 3.5 in 3.1.3.2.3.1
– Storage cards: cf table 3.6 in 3.1.3.2.3.1
Standard and card name mapped according to the Part 3 Supplemental Document of PC/SC 2.01

pcsc-tools
Ludovic Rousseau
pcsc_scan
scriptor

Your reader: SCL3711
3 ways to use it; helper scripts on the ISO are available.
With its proprietary PC/SC driver (SCL3711 → PC/SC → proprio):
  driver-proprio
With the new ifdnfc open-source PC/SC driver, still beta (SCL3711 → PC/SC → ifdnfc):
  driver-ifdnfc
  ifdnfc-activate
Without driver, via libnfc (SCL3711 → libnfc):
  libnfc
You might have to re-plug the reader if unresponsive

Demo (setup: driver-proprio)
pcsc_scan

Contactless APDU? (setup: driver-ifdnfc)
Smartcards: ISO7816-4 APDU support, so just pass-thru
– GetData UID: FF CA 00 00 Le (scriptor: ffca000000)
– GetData ATS: FF CA 01 00 Le
Storage cards: transform the APDU into specific command(s)
– filter/map requests & responses
– GetUID, Read Binary, Update Binary, Load Keys, General Authenticate, (Verify)
– Other vendor-specific mappings
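
The APDU layout from the ATR/APDU slide and the PC/SC GET DATA commands above, worked through in code. This is an added example in Python, not code from the slides, from pcsc-tools or from any PC/SC driver; it builds and parses ISO 7816-4 short APDUs offline on constructed bytes (the EMV PPSE SELECT is used only as a case-4 sample) and never touches a reader.

```python
"""Build and parse ISO 7816-4 short APDUs and the PC/SC Part 3 GET DATA command.

Added example (not from the slides or any project they mention). All sample
APDUs here are constructed; nothing talks to a real reader.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Apdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""
    le: Optional[int] = None  # None = no Le field; Le=0x00 means "up to 256 bytes"

    @property
    def case(self) -> int:
        # ISO 7816-3 cases: 1 = header only, 2 = Le only, 3 = data only, 4 = data + Le
        return 1 + (2 if self.data else 0) + (1 if self.le is not None else 0)

    def encode(self) -> bytes:
        if len(self.data) > 255:
            raise ValueError("short APDU: Lc must fit in one byte")
        out = bytes([self.cla, self.ins, self.p1, self.p2])
        if self.data:
            out += bytes([len(self.data)]) + self.data
        if self.le is not None:
            out += bytes([self.le & 0xFF])
        return out


def parse_apdu(raw: bytes) -> Apdu:
    """Decode a short C-APDU: CLA INS P1 P2 [Lc data] [Le]."""
    if len(raw) < 4:
        raise ValueError("APDU header needs 4 bytes")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:                            # case 1
        return Apdu(cla, ins, p1, p2)
    if len(body) == 1:                      # case 2: a lone Le (Lc=0 is not allowed)
        return Apdu(cla, ins, p1, p2, le=body[0])
    lc, data, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
    if len(data) != lc:
        raise ValueError("Lc does not match the data present")
    if not rest:                            # case 3
        return Apdu(cla, ins, p1, p2, data)
    if len(rest) == 1:                      # case 4
        return Apdu(cla, ins, p1, p2, data, le=rest[0])
    raise ValueError("trailing bytes after Le")


def split_response(raw: bytes) -> Tuple[bytes, int]:
    """R-APDU = [data] SW1 SW2; returns (data, sw) with SW1SW2 as one 16-bit value."""
    if len(raw) < 2:
        raise ValueError("response needs at least SW1 SW2")
    return raw[:-2], (raw[-2] << 8) | raw[-1]


def describe_sw(sw: int) -> str:
    """Minimal ISO 7816-4 status-word interpretation."""
    if sw == 0x9000:
        return "OK"
    if sw >> 8 == 0x61:
        return f"OK, {sw & 0xFF} more bytes available (GET RESPONSE)"
    if sw >> 8 == 0x6C:
        return f"wrong Le, retry with Le={sw & 0xFF:02X}"
    if sw == 0x6A82:
        return "file or application not found"
    if sw == 0x6982:
        return "security status not satisfied"
    return f"error {sw:04X}"


def pcsc_get_data(p1: int, le: int = 0) -> Apdu:
    """PC/SC Part 3 GET DATA for contactless readers: FF CA P1 00 Le.
    P1=0x00 asks for the UID, P1=0x01 for the ATS/historical bytes (as on the slide)."""
    return Apdu(0xFF, 0xCA, p1, 0x00, le=le)
```

`pcsc_get_data(0).encode()` yields the `FF CA 00 00 00` the slide types into scriptor; the same helper exposes what an IFD handler such as ifdnfc has to map for storage cards that have no APDU layer of their own.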

PC/SC 2.0 Part 3 sup 2
New extension covering all you dreamed about for contactless readers
– Raw modes, modulations, etc
So it will be possible to write contactless-oriented applications agnostic to the type of reader you have
NOT covering NFC
cf nfc-doc/technology/PCSC/pcsc3_v2.02.00_sup2.pdf
First(?) compliant reader chip: NXP PR533

PN53x family
– NFC (ISO18092 NFCIP-1)
– ISO14443-A Tag Read/Write
– ISO14443-B Tag Read/Write
– ISO14443-3A (Mifare) Tag Emulate
– FeliCa™ Tag Read/Write/Emulate
PN532 (SPI / I2C / UART)
– Automatic Polling Sequence
– ISO14443-4A (T=CL) Tag Emulate
PN533 (USB 2.0)
– NFC-SEC, PayPass

NFC: more than p2p
(diagram: emulation, ISO14443A, ISO14443B, ISO15693, FeliCa, p2p)

NFC: NFCIP / NFC-Forum
(diagram)

NFC-Forum
– NDEF (NFC Data Exchange Format)
– LLCP (Logical Link Control Protocol)
– SNEP (Simple NDEF Exchange Protocol)
– Android NPP (NDEF Push Protocol)
NFC-Forum Tags:
– Type 1: Innovision Topaz/Jewel (ISO14443-3A)
– Type 2: NXP Mifare Ultralight (ISO14443-3A)
– Type 3: Sony FeliCa
– Type 4: ISO7816-4 on ISO14443-4 A or B

PN53x family: TAMA language
Command:  D4 CC [data]
Response: D5 CC+1 [data]
Ex: GetFirmwareVersion: D4 02
– PN531 response: D5 03 04 02
– PN532 response: D5 03 32 01 06 07
– PN533 response: D5 03 33 02 07 07
cf nfc-doc/products/NXP/{PN532,PN533}/

PN533-based: SCL3711 & ASK LoGO
SCL3711
– PC/SC driver proprio
– PC/SC driver open-source
– Direct libnfc support
ASK LoGO
– Supports ISO14443-B' (*)
– Progressive field for ISO14443-B
– PC/SC driver open-source
– Direct libnfc support
(*) now in all libnfc-supported readers

SCL3711 through libusb → libnfc (setup: libnfc)
pn53x-tamashell
Command D4 CC [data] → response D5 CC+1 [data]
In pn53x-tamashell you type CC [data] and get back [data]: the D4 prefix and the D5 CC+1 response header are handled for you

GetFirmwareVersion
02 → 33 02 07 07
IC 33 (PN533), Ver 02, Rev 07, Support 07 (ISO18092, ISO14443B, ISO14443A)
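
The TAMA framing of the two previous slides and this GetFirmwareVersion decode, as an added Python example. It is not code from the slides or from libnfc. The D4/D5 command and response layout and the firmware-version fields are the ones shown on the slides; the outer `00 00 FF LEN LCS … DCS 00` wrapper is the PN53x "normal information frame" from the NXP PN532/PN533 user manuals, which the slides do not show, and the PN531 two-byte layout (Ver, Rev) is taken from the `D5 03 04 02` sample above.

```python
"""PN53x TAMA command/response handling and GetFirmwareVersion decoding.

Added example; not from the slides and not libnfc code. D4/D5 framing and the
firmware-version fields follow the slides; the outer 00 00 FF LEN LCS ... DCS 00
normal frame follows the NXP PN532/PN533 user manuals.
"""
from dataclasses import dataclass
from typing import List

HOST_TO_PN53X = 0xD4   # TFI: host -> chip
PN53X_TO_HOST = 0xD5   # TFI: chip -> host
GET_FIRMWARE_VERSION = 0x02

IC_NAMES = {0x32: "PN532", 0x33: "PN533"}
SUPPORT_BITS = {0x01: "ISO14443A", 0x02: "ISO14443B", 0x04: "ISO18092"}


def tama_command(code: int, data: bytes = b"") -> bytes:
    """What pn53x-tamershell sends for 'CC [data]': D4 CC [data]."""
    return bytes([HOST_TO_PN53X, code]) + data


def tama_response_payload(frame: bytes, code: int) -> bytes:
    """Check D5 CC+1 against the command sent and return the payload."""
    if len(frame) < 2 or frame[0] != PN53X_TO_HOST:
        raise ValueError("not a PN53x-to-host TAMA frame")
    if frame[1] != code + 1:
        raise ValueError(f"response code {frame[1]:02X} does not answer command {code:02X}")
    return frame[2:]


def wrap_frame(tama: bytes) -> bytes:
    """Normal information frame: 00 00 FF LEN LCS [TFI PD0..PDn] DCS 00.
    LEN counts TFI + data, LEN + LCS = 0 mod 256, TFI + PD0..PDn + DCS = 0 mod 256."""
    if not 1 <= len(tama) <= 255:
        raise ValueError("a normal frame carries 1..255 bytes")
    lcs = (-len(tama)) & 0xFF
    dcs = (-sum(tama)) & 0xFF
    return bytes([0x00, 0x00, 0xFF, len(tama), lcs]) + tama + bytes([dcs, 0x00])


def unwrap_frame(frame: bytes) -> bytes:
    """Validate preamble, LCS, DCS and postamble; return TFI + data."""
    if len(frame) < 7 or frame[:3] != b"\x00\x00\xff" or frame[-1] != 0x00:
        raise ValueError("bad preamble/postamble")
    length, lcs = frame[3], frame[4]
    if (length + lcs) & 0xFF:
        raise ValueError("LCS mismatch")
    body = frame[5:5 + length]
    if len(body) != length or (sum(body) + frame[5 + length]) & 0xFF:
        raise ValueError("DCS mismatch or truncated frame")
    return body


@dataclass
class FirmwareVersion:
    ic: str
    ver: int
    rev: int
    support: List[str]


def parse_firmware_version(payload: bytes) -> FirmwareVersion:
    """PN532/PN533 answer with IC Ver Rev Support; PN531 answers with Ver Rev only."""
    if len(payload) == 2:
        return FirmwareVersion("PN531", payload[0], payload[1], [])
    if len(payload) != 4:
        raise ValueError("unexpected GetFirmwareVersion payload length")
    ic, ver, rev, support = payload
    names = [name for bit, name in SUPPORT_BITS.items() if support & bit]
    return FirmwareVersion(IC_NAMES.get(ic, f"unknown IC {ic:02X}"), ver, rev, names)


def decode_firmware_reply(raw_frame: bytes) -> FirmwareVersion:
    """Full path: strip the normal frame, check D5 03, decode the fields."""
    tama = unwrap_frame(raw_frame)
    return parse_firmware_version(tama_response_payload(tama, GET_FIRMWARE_VERSION))
```

Wrapping `D4 02` produces `00 00 FF 02 FE D4 02 2A 00`, the frame a USB sniff of a PN533 shows behind the `02` typed into pn53x-tamashell.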

libnfc
Initiated by Roel Verdult
Now mainly Romuald Conty, I & 10 developers
Library to support PN53x readers + tools & examples
via libusb, PC/SC, UART, SPI, I2C
http://www.libnfc.org
nfc-<TAB><TAB>
(setup: libnfc)

libnfc-related projects
– libfreefare (MIFARE Classic, DESFire, Ultralight C, …)
– ifdnfc
– nfc-tools: lsnfc, libnfc-llcp, pam_nfc, NfcEventD, DeskNFC, …
– qnfcd, pynfc, nfosc, libfm1208, micmd, mtools
– RFIDIOt
– mfoc, mfcuk, readnfccc
– mfocuino, nfcdoorlock

ifdnfc: bringing the missing piece
IFD Handler based on libnfc
Goal: make libnfc-supported devices PC/SC Part 3 sup 2 compliant
Current status:
– PC/SC support (ATR & APDU) for ISO14443A-4
– FFCA000000 & FFCA010000
– Supports UART & USB devices
– Handles USB libnfc devices transparently, the same way libccid supports USB CCID devices
– Handles multiple devices at once
– Can replace the SCL3711 proprietary driver
https://code.google.com/p/ifdnfc
Did I say it's still beta?

Anticollision (setup: libnfc)
nfc-list
nfc-list -v
nfc-anticol (only Type A)

ISO14443A anticollision sequence (reader → card / card → reader), 7-byte UID:
REQA (7 bit) → ATQA (anticol, double UID)
SEL (cascade level 1) → CT, UID (bytes 1,2,3), BCC
SEL → SAK (cascade bit set)
SEL (cascade level 2) → UID (bytes 4,5,6,7), BCC
SEL → SAK (ISO14443-4 compliant)
RATS → ATS
HALT

UID
7-byte:
– Cascade Level 1: 88 u1 u2 u3 (u1 = 04 NXP; 05 Infineon; …)
– Cascade Level 2: u4 u5 u6 u7
4-byte:
– Cascade Level 1: u1 u2 u3 u4
– u1 = 08: Random ID (used in card emulation, ePassports, …)
– u1 = xF: FNUID, “F” = Non-Unique ID (MIFARE Classic since 2010)
11-byte foreseen in the standards
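
The cascade-level exchange and the UID-byte meanings of the two slides above, worked through in Python. This is an added example, not code from the slides or from libnfc's nfc-anticol. The 0x88 cascade tag, the BCC as XOR of the four bytes of a level, and the SAK bits are ISO 14443-3; the meanings of the first UID byte are those the slide lists, and the sample UIDs are constructed.

```python
"""ISO14443-3A UID handling: cascade levels, BCC, SAK bits and what UID0 means.

Added example; not code from the slides or from libnfc. Cascade layout, the
0x88 cascade tag, BCC (XOR of the four bytes) and SAK bits are ISO 14443-3;
the UID0 meanings are the ones listed on the slide.
"""
from typing import Dict, List

CASCADE_TAG = 0x88
SAK_CASCADE_BIT = 0x04   # UID not complete: another cascade level follows
SAK_ISO14443_4 = 0x20    # card speaks ISO14443-4 (RATS/ATS allowed)


def bcc(block: bytes) -> int:
    """Block Check Character over the four CT/UID bytes sent in one cascade level."""
    if len(block) != 4:
        raise ValueError("BCC is computed over exactly 4 bytes")
    x = 0
    for b in block:
        x ^= b
    return x


def cascade_levels(uid: bytes) -> List[bytes]:
    """Split a 4-, 7- or 10-byte UID into the 5-byte chunks (4 bytes + BCC) the
    card returns per cascade level; every level but the last starts with CT=0x88."""
    if len(uid) not in (4, 7, 10):
        raise ValueError("UID must be 4, 7 or 10 bytes")
    levels, rest = [], uid
    while rest:
        if len(rest) > 4:
            chunk, rest = bytes([CASCADE_TAG]) + rest[:3], rest[3:]
        else:
            chunk, rest = rest, b""
        levels.append(chunk + bytes([bcc(chunk)]))
    return levels


def reassemble_uid(levels: List[bytes]) -> bytes:
    """Inverse of cascade_levels: verify each BCC, drop the cascade tags, join the UID.
    A reader that skips the BCC check happily accepts corrupted anticollision data."""
    uid = b""
    for i, lvl in enumerate(levels):
        if len(lvl) != 5 or bcc(lvl[:4]) != lvl[4]:
            raise ValueError(f"bad BCC at cascade level {i + 1}")
        body = lvl[:4]
        if i < len(levels) - 1:
            if body[0] != CASCADE_TAG:
                raise ValueError(f"missing cascade tag at level {i + 1}")
            body = body[1:]
        uid += body
    return uid


def describe_uid0(uid: bytes) -> str:
    """What the first UID byte tells you. A random ID or an FNUID is not a stable
    identifier, which is the point of the 'UIDs are unique?' slides that follow."""
    u1 = uid[0]
    if len(uid) == 4:
        if u1 == 0x08:
            return "4-byte random ID (RID): changes at each power-up"
        if u1 & 0x0F == 0x0F:
            return "4-byte FNUID: 'F' marks a non-unique ID"
        return "4-byte UID"
    vendor = {0x04: "NXP", 0x05: "Infineon"}.get(u1, f"manufacturer {u1:02X}")
    return f"{len(uid)}-byte UID, manufacturer {vendor}"


def sak_flags(sak: int) -> Dict[str, bool]:
    """Decode the two SAK bits that drive the sequence on the slide."""
    return {"cascade": bool(sak & SAK_CASCADE_BIT),
            "iso14443_4": bool(sak & SAK_ISO14443_4)}
```

Feeding `nfc-anticol`'s printed cascade frames into `reassemble_uid` reproduces the UID `nfc-list` shows; `describe_uid0` is the check to run before treating that UID as an identity.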

Reading/Writing raw tags & NDEF tags
nfc-mfultralight r foo
nfc-mfclassic r a foo
mifare-ultralight-info
mifare-classic-format
mifare-classic-write-ndef
mifare-classic-read-ndef -o foo
mifare-desfire-format
mifare-desfire-create-ndef
mifare-desfire-write-ndef
mifare-desfire-read-ndef -o foo
mifare-desfire-info

NFC: NFCIP1 p2p
Bring two readers against each other
On the first machine: nfc-dep-target
On the second machine: nfc-dep-initiator

NFC Security
“NFC is intrinsically secure because it's short range”, “about 15cm”
Seriously?
source: xaurorartx.deviantart.com

Short range?
Best results so far:
– Reader-to-card communication sniffed 22 m away (office environment, ISO14443 type A & B)
– Card-to-reader communication sniffed 3.5 m away (office environment, type B)
– Reader-to-card communication sniffed 4 m away with an electric antenna (so sniffing E rather than H)
Pierre-Henri Thevenon's PhD thesis, 2011

NFC “touch” & implicit user consent
Appealing but dangerous!
– Privacy-leaking RFID tags
– Relay attacks on tags & NFC devices
– Exploiting implicit intents on NFC devices

Privacy-leaking RFID tags
Contactless credit cards (US, UK)

14443A-4 relay attack via TCP/Bluetooth
by Michael Weiß
[…]ation/157

Idem with off-the-shelf NFC phones
by Lishoy Francis, Gerhard Hancke et al.
Using a BlackBerry 9900 as proxy token
http://eprint.iacr.org/2011/618.pdf

CyanogenMod allowing sw card emulation
by Blackwing, Eddie Lee, 2012
http://sourceforge.net/p/nfcproxy

libnfc: relay attacks
nfc-relay
– Sw card emulation
nfc-relay-picc
– PN532 only
– Works over TCP/IP

14443A relay attack via 2.4GHz video TX
by Gerhard P. Hancke
[…]iew-2009.pdf

Fastest wireless relay so far
by Pierre-Henri Thevenon
about 700 ns, 200 m
http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=6064449

Defense against relay attacks
Distance bounding protocols
– Guarantee that the tag/device is not further away than X meters
– Based on timing of authenticated, unpredictable messages
– MIFARE Plus proximity check
But what about legit relays?
Source: Ethertrust
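
What "timing of authenticated, unpredictable messages" buys a verifier, as an added simulation in Python. This is not code from the slides, not the MIFARE Plus proximity check and not Ethertrust's design; it is a minimal Hancke–Kuhn-style model: both sides derive two secret bit registers from a shared key and fresh nonces, then the reader sends one random challenge bit per round and times the one-bit answer. All timings are simulated numbers (speed of light, a fixed processing time, a relay delay you choose), not measurements; the 700 ns figure from the previous slide is used as the sample relay delay.

```python
"""Distance-bounding toy (Hancke-Kuhn style) with a simulated clock.

Added example; not from the slides, not the MIFARE Plus proximity check and not
the Ethertrust design. Both sides derive two ROUNDS-bit registers from a PRF over
the key and two nonces; each rapid round sends one challenge bit and times the
one-bit reply. A relay must add delay it cannot remove, so the bound catches it.
All timings are simulated, not measured.
"""
import hashlib
import hmac
import secrets
from typing import Tuple

SPEED_OF_LIGHT = 3.0e8   # m/s
ROUNDS = 32


def registers(key: bytes, nonce_v: bytes, nonce_p: bytes) -> Tuple[str, str]:
    """Two ROUNDS-bit registers R0, R1 derived from HMAC-SHA256(key, nonces)."""
    digest = hmac.new(key, nonce_v + nonce_p, hashlib.sha256).digest()
    bits = "".join(f"{b:08b}" for b in digest)
    return bits[:ROUNDS], bits[ROUNDS:2 * ROUNDS]


class Prover:
    """The card/device. processing_ns is the time it needs to answer one bit."""

    def __init__(self, key: bytes, processing_ns: float):
        self.key, self.processing_ns = key, processing_ns

    def start(self, nonce_v: bytes) -> bytes:
        self.nonce = secrets.token_bytes(8)
        self.r0, self.r1 = registers(self.key, nonce_v, self.nonce)
        return self.nonce

    def answer(self, i: int, challenge: int) -> str:
        # The reply bit depends on the challenge, so a relay cannot pre-fetch it.
        return (self.r1 if challenge else self.r0)[i]


def verify(prover: Prover, key: bytes, distance_m: float, relay_delay_ns: float = 0.0,
           max_distance_m: float = 1.0, expected_processing_ns: float = 50.0) -> Tuple[bool, str]:
    """Verifier (reader) side. Accepts only if every answer is right AND the simulated
    round trip stays within the flight time to max_distance_m plus the expected
    processing time. relay_delay_ns models the extra latency a relay introduces."""
    nonce_v = secrets.token_bytes(8)
    nonce_p = prover.start(nonce_v)
    r0, r1 = registers(key, nonce_v, nonce_p)
    bound_ns = 2 * max_distance_m / SPEED_OF_LIGHT * 1e9 + expected_processing_ns
    flight_ns = 2 * distance_m / SPEED_OF_LIGHT * 1e9
    for i in range(ROUNDS):
        c = secrets.randbelow(2)
        resp = prover.answer(i, c)
        rtt_ns = flight_ns + prover.processing_ns + relay_delay_ns
        if resp != (r1 if c else r0)[i]:
            return False, f"wrong response in round {i}"
        if rtt_ns > bound_ns:
            return False, f"round {i}: {rtt_ns:.1f} ns exceeds bound {bound_ns:.1f} ns"
    return True, "accepted"
```

With a 1 m bound the time budget is under 60 ns including processing, so even the 700 ns relay of the previous slide fails every round, while the slide's open question stands: a legitimate relay (a phone acting as a bridge) fails the same test.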

Exploiting implicit intents on NFC devices
Much cooler without user confirmation
But be careful. E.g. Roel Verdult's attack against the Nokia 6212:
Fake smartposter (actually a p2p device) initiating BT content sharing via OBEX → pushing a malicious app → privilege escalation up to the manufacturer/operator domain
http://www.cs.ru.nl/~rverdult/Practical_attacks_on_NFC_enabled_cell_phones-NFC11.pdf
Today, still no confirmation to accept data from Android Beam.

But before asking for user intentions…
Fuzzing attacks with malformed NDEF, exploiting the NFC stack before the user gets any chance to accept or not.
NDEF fuzzing library by Collin Mulliner
http://www.mulliner.org/nfc

NFC “touch” attacks, what for?
Crash system and/or app
– Some could lead to successful exploits
System targets: browser / dialer / SMS handler
Hijack the phone by installing malicious apps
Bugs & design issues
[…]fc_ndef_security_ninjacon[…]
[…]blications/vulnanalysisattacknfcmobilephones_mulliner_2009.pdf

“NFC phishing” attacks on Smartposter
In this scenario the user needs to give his explicit consent
But for what?

Smartposter URL: abusing the title field
Same attack on phone calls & SMS → redirect to a surcharged call/SMS

Smartposter URL: Man-in-the-Middle proxy
– Transparent for the user, as the URL is not displayed on mobile browsers
– Inject malicious content (e.g. auto-install trojan JAR bug in Nokia)
– Steal credentials
– etc

Smartposter URL: attacking Selecta vending machines
Make tags pointing to machine A and stick them on machines B, C, D, …
Wait at machine A and pull out your free snack
Source: Collin Mulliner

More issues & mitigations
Problem of shortened URLs:
– Handy to store a long URL on a cheap NFC tag
– Is http://bit.ly/FHYSq safe or not?
Want to deploy smartposters?
– Use signed NDEF if possible (in its new version…)
– Turn tags physically read-only
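
The Smartposter slides above (abused title field, hidden URL, malformed NDEF hitting the stack before any consent) come down to how a handler parses the tag and what it chooses to show. The following is an added Python example, not code from the slides, from the NFC Forum or from libnfc: an NDEF record parser that validates every length field, a Smart Poster builder so the demo runs offline, and an inspector that surfaces the URI record's real URI and host instead of the free-text title. The tag content and the hostname are constructed for the demo; record layouts follow the NFC Forum NDEF, URI RTD, Text RTD and Smart Poster RTD specifications.

```python
"""NDEF / Smart Poster parsing: trust the URI record, not the title.

Added example; not code from the slides, the NFC Forum or libnfc. Record layout
follows the NFC Forum NDEF, URI RTD, Text RTD and Smart Poster RTD specs; the
tag content built below is constructed for the demo.
"""
import struct
from dataclasses import dataclass
from typing import List

TNF_WELL_KNOWN = 0x01
# URI identifier codes (subset of the URI RTD table); 0x00 = no abbreviation
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}


@dataclass
class Record:
    tnf: int
    type: bytes
    payload: bytes


def parse_ndef(msg: bytes) -> List[Record]:
    """Walk the records of one NDEF message, checking every length field."""
    records, off = [], 0
    while off < len(msg):
        hdr = msg[off]; off += 1
        mb, me, cf, sr, il, tnf = hdr >> 7, (hdr >> 6) & 1, (hdr >> 5) & 1, (hdr >> 4) & 1, (hdr >> 3) & 1, hdr & 7
        if not records and not mb:
            raise ValueError("first record lacks MB")
        if cf:
            raise ValueError("chunked records not handled")
        type_len = msg[off]; off += 1
        if sr:
            payload_len = msg[off]; off += 1
        else:
            payload_len = struct.unpack(">I", msg[off:off + 4])[0]; off += 4
        id_len = 0
        if il:
            id_len = msg[off]; off += 1
        rtype = msg[off:off + type_len]; off += type_len + id_len   # ID value skipped
        payload = msg[off:off + payload_len]; off += payload_len
        if len(rtype) != type_len or len(payload) != pay_len_check(payload_len):
            raise ValueError("length field points past the end of the message")
        records.append(Record(tnf, rtype, payload))
        if me:
            return records
    raise ValueError("message ended without ME")


def pay_len_check(n: int) -> int:
    return n


def record(rtype: bytes, payload: bytes, mb: bool, me: bool) -> bytes:
    """Short (SR) well-known record without ID; payload must be < 256 bytes."""
    hdr = (mb << 7) | (me << 6) | 0x10 | TNF_WELL_KNOWN
    return bytes([hdr, len(rtype), len(payload)]) + rtype + payload


def uri_payload(uri: str) -> bytes:
    for code, prefix in sorted(URI_PREFIXES.items(), key=lambda kv: -len(kv[1])):
        if prefix and uri.startswith(prefix):
            return bytes([code]) + uri[len(prefix):].encode()
    return b"\x00" + uri.encode()


def text_payload(text: str, lang: str = "en") -> bytes:
    return bytes([len(lang)]) + lang.encode() + text.encode()  # status bit 7 = 0: UTF-8


def smart_poster(uri: str, title: str) -> bytes:
    inner = record(b"U", uri_payload(uri), True, False) + record(b"T", text_payload(title), False, True)
    return record(b"Sp", inner, True, True)


def decode_uri(payload: bytes) -> str:
    return URI_PREFIXES.get(payload[0], "") + payload[1:].decode()  # reserved code: no prefix


def decode_text(payload: bytes) -> str:
    status = payload[0]
    return payload[1 + (status & 0x3F):].decode("utf-16" if status & 0x80 else "utf-8")


def inspect_smart_poster(msg: bytes) -> dict:
    """What a handler should surface: the real URI and its host. The title is
    free text chosen by whoever wrote the tag and must not stand in for the URL."""
    top = parse_ndef(msg)
    if len(top) != 1 or top[0].tnf != TNF_WELL_KNOWN or top[0].type != b"Sp":
        raise ValueError("not a single Smart Poster record")
    uri, titles = None, []
    for r in parse_ndef(top[0].payload):
        if r.tnf != TNF_WELL_KNOWN:
            continue
        if r.type == b"U":
            if uri is not None:
                raise ValueError("Smart Poster must carry exactly one URI record")
            uri = decode_uri(r.payload)
        elif r.type == b"T":
            titles.append(decode_text(r.payload))
    if uri is None:
        raise ValueError("Smart Poster without URI record")
    host = uri.split("://", 1)[1].split("/", 1)[0] if "://" in uri else None
    return {"title": titles[0] if titles else None, "uri": uri, "host": host}


def is_well_formed(msg: bytes) -> bool:
    """True if the tag parses cleanly; a malformed tag is dropped before any UI."""
    try:
        inspect_smart_poster(msg)
        return True
    except (ValueError, IndexError, UnicodeDecodeError, struct.error):
        return False
```

A truncated or over-long length field makes `is_well_formed` return False instead of reading past the buffer, which is the boundary an NDEF fuzzer probes; and whatever the title says, the dictionary's `host` is what a smartposter UI should put in front of the user before opening the link.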

NFC security
“UIDs are unique, you can rely on them”
Seriously?

Well, not anymore
The NFC technology barrier fell a while ago for hackers:
– “One-shot” cheap designs
– Open-source dedicated designs
– Off-the-shelf NFC chips with open-source software
– Off-the-shelf readers & phones
– Industrial hacking products

Chinese MFC clone with R/W “UID”
– About 25
– Can be fully reprogrammed, even if ACL data is corrupted
– Quickly acquired by the “usual suspects” (NFC security researchers)
– Quickly reversed and now supported by open-source tools

libnfc: tag emulation
nfc-emulate-uid
– Then from another machine try nfc-anticol
– Try a second time: nfc-anticol
nfc-emulate-forum-tag2
nfc-emulate-forum-tag4 (PN532 only)

PN532 breakout board
https://www.adafruit.com/products/364
40, SPI, UART, I2C
UID forgery still possible towards some readers

PN532 NFC shield for Arduino
http://seeedstudio.com/wiki/index.php?title=NFC_Shield
29.50, SPI

PN532-based OpenPCD2
http://www.openpcd.org/OpenPCD_2_RFID_Reader_for_13.56MHz
ARM Cortex-M3, libnfc-compatible FW
Read/Sniff/Emulate

RFIDIOt (setup: libnfc, or ifdnfc)
Adam Laurie
http://rfidiot.org
Many tools for LF & HF tags, some not much maintained
isotype.py
multiselect.py
– try on an ePassport, then… killall multiselect.py

RFIDIOt: mrpkey.py
CHECK mrz PLAIN → copy in /tmp
– Supports short MRZ: 1-9;14-19;22-27
– Supports “?” in the numeric part of the document number (demo)
Vonjeek/JMRTD applets: path WRITE mrz PLAIN; WRITE; SETBAC / UNSETBAC (Vonjeek only)

ePassport: Machine-Readable Zone & Basic Access Control
BAC key based on short MRZ: 1-9;14-19;22-27
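
The BAC key derivation these two slides refer to, as an added Python example. It is not code from the slides and not RFIDIOt's mrpkey.py. The MRZ positions are the ones the slide lists (document number 1-9, date of birth 14-19, expiry 22-27, each followed by its check digit), the key schedule is the ICAO 9303 one (Kseed = SHA-1(MRZ_information) truncated to 16 bytes, Kenc/Kmac from SHA-1(Kseed || counter) with DES parity adjusted), and the sample line 2 is constructed around the field values of the ICAO 9303 worked example so that the result can be checked against the published keys.

```python
"""Derive ePassport BAC keys from the short MRZ (ICAO 9303 Part 11).

Added example; not code from RFIDIOt's mrpkey.py or from the slides. Positions
are the ones listed on the slide; the sample MRZ line below is constructed around
the field values of the ICAO 9303 worked example (document number, DOB, expiry).
"""
import hashlib
from typing import Tuple

WEIGHTS = (7, 3, 1)

# Constructed TD3 line 2; the BAC-relevant fields are the ICAO worked-example ones.
SAMPLE_LINE2 = "L898902C<3UTO6908061F9406236<<<<<<<<<<<<<<02"


def mrz_value(ch: str) -> int:
    """Check-digit alphabet: digits 0-9, letters A=10..Z=35, filler '<' = 0."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character {ch!r}")


def check_digit(field: str) -> int:
    """Weighted sum with weights 7,3,1 repeating, modulo 10."""
    return sum(mrz_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def mrz_information(line2: str) -> str:
    """Extract positions 1-9 (+check digit 10), 14-19 (+20), 22-27 (+28) of MRZ line 2.
    A check-digit mismatch is reported rather than guessed around: that is what an
    OCR error looks like, and the slide's '?' brute force is not reproduced here."""
    if len(line2) < 28:
        raise ValueError("need at least the first 28 characters of MRZ line 2")
    doc, doc_cd = line2[0:9], line2[9]
    dob, dob_cd = line2[13:19], line2[19]
    exp, exp_cd = line2[21:27], line2[27]
    for name, field, cd in (("document number", doc, doc_cd),
                            ("date of birth", dob, dob_cd),
                            ("expiry date", exp, exp_cd)):
        if str(check_digit(field)) != cd:
            raise ValueError(f"{name} check digit mismatch")
    return doc + doc_cd + dob + dob_cd + exp + exp_cd


def adjust_parity(key: bytes) -> bytes:
    """DES keys carry odd parity in the least significant bit of every byte."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 1
        out.append(b)
    return bytes(out)


def derive_bac_keys(line2: str) -> Tuple[bytes, bytes, bytes]:
    """Kseed = SHA1(MRZ_information)[:16]; Kenc = KDF(Kseed, 1); Kmac = KDF(Kseed, 2)."""
    kseed = hashlib.sha1(mrz_information(line2).encode("ascii")).digest()[:16]
    kenc = adjust_parity(hashlib.sha1(kseed + b"\x00\x00\x00\x01").digest()[:16])
    kmac = adjust_parity(hashlib.sha1(kseed + b"\x00\x00\x00\x02").digest()[:16])
    return kseed, kenc, kmac
```

Because the whole key material is a function of three printed fields with small alphabets, this derivation is also the reason BAC keys have the limited entropy the "BAC brute force" attack in the epassportviewer slide exploits.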

[…]oogle.com/p/epassportviewer/ (not yet up-to-date)
Latest versions:
– CSCA
– Attacks: Err fingerprint, BAC brute force, MAC traceability, Active Auth before BAC
– Forgery
(setup: driver-ifdnfc or driver-proprio)

ePassport ≠ US Passport Card (UHF)
Chris Paget: 250 on eBay
– Symbol XR400 RFID reader
– Motorola AN400 patch antenna

cardpeek (setup: driver-proprio)
“L1L1”
Extensible with LUA scripts
EMV, Navigo, Calypso, Vitale, Moneo, […]

MOBIB Extractor (setup: libnfc)
UCL/GSI
Open[…]
[…]://sites.uclouvain.be/security/mobib.html

Proxmark III
Jonathan Westhues
160 / 188 / 229
ARM7 + FPGA
Open-source design & software (OS/ARM/FPGA)
LF (125 kHz / 132 kHz) & HF (13.56 MHz)
Read, sniff (both directions), emulate & […]
[…]/p/proxmark3/wiki/RunningPM3

Proxmark III
130 commands, half of them offline, readline support
– cf […]
– Readers / sniffers / emulators / […]
– LF: FlexPass, Indala, VeriChip, EM410x, EM4x50, HID Proxcard(*), TI, T55xx, Hitag
– HF: ISO14443A, ISO14443B, SRI, ISO15693, Legic, iClass, MFC
(*) works standalone

PM3: LF analog trace demo
proxmark3
pm3> data load /usr/local/share/proxmark3/traces/indala<TAB>
pm3> data plot
pm3> data dec
pm3> data load … (↑ to go back in history)
pm3> lf indalademod

PM3: Flashing latest firmware
cd /usr/local/share/proxmark3/firmware_r708
Proxmarks still with an old bootloader (SVN rev 674):
  flasher-old -b bootrom.elf fullimage.elf
Proxmarks already with the new bootloader:
  flasher fullimage.elf
Identifying an unknown tag, first step:
pm3> hw tune

PM3: ISO14443A sniffing
pm3> hf 14a snoop
(traffic to sniff, from the other reader: pn53x-tamashell with 4a 01 00, or pcsc_scan)
!! PRESS PM3 BUTTON TO STOP SNIFFING
pm3> hf 14a list

Chameleon: cloning MFC/DF for 25
Mifare Classic, DESFire & DESFire EV1 emulation
Powered by battery, […]

Thanks!
Want […]s.org
http://wiki.yobi.be/wiki/RFID
Feedback / Questions? Now, or:
Jabber/GTalk: phil@jabber.reseaucitoyen.be
Email: phil@teuwen.org
