NFC Hacking: The Easy Way - DEF CON

Transcription

DEFCON 20
NFC Hacking: The Easy Way
Eddie Lee
eddie{at}blackwinghq.com

About Me
- Security Researcher for Blackwing Intelligence (formerly Praetorian Global)
  - We’re always looking for cool security projects
- Member of Digital Revelation
  - 2-time CTF Champs – Defcon 9 & 10
- Not an NFC or RFID expert!

Introduction // RFID Primer
- Radio Frequency Identification - RFID
  - Broad range of frequencies: low kHz to super high GHz
- Near Field Communication - NFC
  - 13.56 MHz
    - Payment cards
    - Library systems
    - e-Passports
    - Smart cards
  - Standard range: 3 - 10 cm
- RFID Tag
  - Transceiver
  - Antenna
  - Chip (processor) or memory

Introduction // RFID Primer
- RFID (tag) in credit cards
  - Visa – PayWave
  - MasterCard – PayPass
  - American Express – ExpressPay
  - Discover – Zip
- Proximity Coupling Devices (PCD) / Point of Sale (POS) terminal / Reader
- EMV (Europay, Mastercard, and VISA) standard for communication between chipped credit cards and POS terminals
  - Four “books” long
  - Based on ISO 14443 and ISO 7816
  - Communicate with Application Protocol Data Units (APDUs)

Introduction // Motivation
- Why create NFCProxy?
  - I’m lazy
  - Don’t like to read specs
  - Didn’t want to learn protocol (from reading specs)
    - Future releases should work with other standards (diff protocols)
  - Make it easier to analyze protocols
  - Make it easier for other people to get involved
  - Contribute to reasons why this standard should be fixed

Previous work
- Adam Laurie (Major Malfunction)
  - RFIDIOt
  - http://rfidiot.org
- Pablos ss/Kristen Paget
- Skimming RFID credit cards with ebay reader
  - http://www.youtube.com/watch?v=vmajlKJlT3U
- 3ric Johanson
- Cloning RFID credit cards to mag get shmoocon2012-creditcards.pdf
- Tag reading apps

Typical Hardware
- Contactless Credit card reader (e.g. VivoPay, Verifone)
  - $150 (retail)
  - $10 - $30 (ebay)
- Card reader
  - OmniKey ($50-90 ebay), ACG, etc.
  - Proxmark ($230-$400)
- Mag stripe encoder ($200-$300)

Tool Overview
- What is NFCProxy?
  - An open source Android app
  - A tool that makes it easier to start messing with NFC/RFID
  - Protocol analyzer
- Hardware required
  - Two NFC capable Android phones for full feature set
    - Nexus S ($60 - $90 ebay)
    - LG Optimus Elite ($130 new. Contract free)
    - No custom ROMs yet
    - Galaxy Nexus, Galaxy S3, etc. (http://www.nfcworld.com/nfc-phones-list/)
- Software required
  - One phone
    - Android 2.3 (Gingerbread)
    - Tested 2.3.7 and ICS
  - At least one phone needs:
    - Cyanogen 9 nightly build from: Jan 20 - Feb 24 2012
    - Or Custom build of Cyanogen

Cyanogen Card Emulation
- android_frameworks_base (Java API)
  - https://github.com/CyanogenMod/android frameworks df
- android_external_libnfc-nxp (native library)
  - https://github.com/CyanogenMod/android external eeb03d88
- android_packages_apps_Nfc (Nfc.apk – NFC Service)
  - https://github.com/CyanogenMod/android packages apps 8
- NFC Reader code disabled because it interferes with Google Wallet
  - https://github.com/CyanogenMod/android packages apps 5

NFC Hardware Architecture
[Diagram labels: Host, Antenna, Secure Element, NFC Chip]

Tool Features
- Proxy transactions
- Save transactions
- Export transactions
- Tag replay (on Cyanogen side)
- PCD replay
- Don’t need to know the correct APDUs for a real transaction
- Use the tool to learn about the protocol (APDUs)

Standard Transaction
[Diagram labels: APDU, RFID, APDU]

How It Works // Proxy Mode
[Diagram labels: NFC, WiFi, APDU, NFC, APDU]

How It Works // Terminology
[Diagram labels: Proxy Mode, WiFi, Relay Mode, NFC, NFC]

How It Works // Modes
- Relay Mode
  - Opens port and waits for connection from proxy
  - Place Relay on card/tag
- Proxy Mode
  - Swipe across reader
  - Forwards APDUs from reader to card
  - Transactions displayed on screen
  - Long Clicking allows you to Save, Export, Replay, or Delete

How It Works // Replay Mode
- Replay Reader (Skimming mode*)
  - Put phone near credit card
  - Nothing special going on here
  - Know the right APDUs
- Replay Card (Spending mode)
  - Swipe phone across reader
  - Phone needs to be able to detect reader – Card Emulation mode
  - Requires CyanogenMod tweaks
  - Virtual wallet

Antennas
- A word about android NFC antennas
  - Galaxy Nexus: CRAP!
  - Nexus S: Good
  - Optimus Elite: Good
- NFC communication is often incomplete
  - Need to reengage/re-swipe the phone with a card/reader
  - Check the “Status” tab in NFCProxy

APDU-Speak
- EMV Book 3
  - http://www.emvco.com/download_agreement.aspx?id=654
- See RFIDIOt (ChAP.py) and pwnpass for APDUs used for skimming
- Proxy not needed for skimming and spending
  - Just for protocol analysis
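For reading an exported transaction log, the following added example (not from the original slides and not NFCProxy's code) decodes the ISO 7816-4 short-form APDU framing that the slides refer to. The function names and the sample capture, including the placeholder AID, are constructed for illustration.

```python
from typing import NamedTuple, Optional, Tuple

class CommandAPDU(NamedTuple):
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes
    le: Optional[int]   # expected response length; None if absent
    case: int           # ISO 7816-4 case 1-4

def parse_command(raw: bytes) -> CommandAPDU:
    """Parse a short-form ISO 7816-4 command APDU (reader -> card)."""
    if len(raw) < 4:
        raise ValueError("command APDU needs a 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:                                  # case 1: header only
        return CommandAPDU(cla, ins, p1, p2, b"", None, 1)
    if len(body) == 1:                            # case 2: header + Le (0x00 = 256)
        return CommandAPDU(cla, ins, p1, p2, b"", body[0] or 256, 2)
    lc = body[0]
    if lc == 0:
        raise ValueError("extended-length APDUs are out of scope here")
    if len(body) == 1 + lc:                       # case 3: Lc + data
        return CommandAPDU(cla, ins, p1, p2, body[1:], None, 3)
    if len(body) == 2 + lc:                       # case 4: Lc + data + Le
        return CommandAPDU(cla, ins, p1, p2, body[1:-1], body[-1] or 256, 4)
    raise ValueError("Lc does not match the body length (truncated capture?)")

def parse_response(raw: bytes) -> Tuple[bytes, int]:
    """Split a response APDU (card -> reader) into data and status word."""
    if len(raw) < 2:
        raise ValueError("response APDU must end in SW1 SW2")
    return raw[:-2], int.from_bytes(raw[-2:], "big")

def describe(cmd_hex: str, rsp_hex: str) -> str:
    """One-line summary of a command/response pair from a hex log."""
    cmd = parse_command(bytes.fromhex(cmd_hex))
    data, sw = parse_response(bytes.fromhex(rsp_hex))
    return (f"case {cmd.case} CLA={cmd.cla:02X} INS={cmd.ins:02X} "
            f"P1={cmd.p1:02X} P2={cmd.p2:02X} data={cmd.data.hex()} "
            f"Le={cmd.le} -> {len(data)} byte(s), SW={sw:04X}")

# Constructed capture: SELECT by name (placeholder AID), then a read that fails.
SAMPLE_LOG = [("00A4040006F0010203040500", "6F0284009000"),
              ("00B2010C00", "6A83")]

if __name__ == "__main__":
    for c, r in SAMPLE_LOG:
        print(describe(c, r))
```

A status word of 9000 means success; a length mismatch raised by `parse_command` is the usual sign of the incomplete NFC exchanges mentioned on the Antennas slide.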

Sample Output

Demo!
- Let’s see it in action!

Future Work
- What’s next?
  - Generic framework that works with multiple technologies
    - Requires better reader detection
  - Pluggable modules
    - MITM
    - Protocol Fuzzing

Source Code
- Now available for download and roxy/

Q&A
- Questions?
- Contact: eddie{at}blackwinghq.com
