NFC Hacking: The Easy Way

Transcription

DEFCON 20
NFC Hacking: The Easy Way
Eddie Lee
eddie{at}blackwinghq.com

About Me
- Security Researcher for Blackwing Intelligence (formerly Praetorian Global)
- New site live: blackwinghq.com
- We're always looking for interesting security projects
- Member of Digital Revelation
  - 2-time CTF Champs – Defcon 9 & 10
- Not an NFC or RFID expert!

Introduction // RFID Primer
- Radio Frequency Identification - RFID
  - Broad range of frequencies: low kHz to super high GHz
- Near Field Communication - NFC
  - 13.56 MHz
    - Payment cards
    - Library systems
    - e-Passports
    - Smart cards
  - Standard range: 3 - 10 cm
  - Lots of new Android phones have NFC
- RFID Tag
  - Transceiver
  - Antenna
  - Chip (processor) or memory

Introduction // RFID Primer
- RFID (tag) in credit cards
  - Visa – PayWave
  - MasterCard – PayPass
  - American Express – ExpressPay
  - Discover – Zip
- Proximity Coupling Devices (PCD) / Point of Sale (POS) terminal / Card Reader
- EMV (Europay, Mastercard, and VISA) standard for communication between chipped credit cards and POS terminals
  - Four "books" long
  - Based on ISO 14443 and ISO 7816
  - Communicate with Application Protocol Data Units (APDUs)

Introduction // Motivation
- Why create NFCProxy?
  - I'm lazy
  - Don't like to read specs
  - Didn't want to learn the protocol (from reading specs)
    - Future releases should work with other standards (different protocols)
  - Protocol analysis
  - Make it easier for other people to get involved
  - Contribute to reasons why this standard should be fixed

Previous work
- Pablos Holman
  - Skimming RFID credit cards with ebay reader
  - http://www.youtube.com/watch?v=vmajlKJlT3U
- 3ric Johanson
- Adam Laurie (Major Malfunction)
  - RFIDIOt
  - http://rfidiot.org
- Kristin Paget
  - Cloning RFID credit cards to mag stripe
  - shmoocon2012-creditcards.pdf
- Tag reading apps

Typical Hardware
- Card reader
  - Contactless credit card reader (e.g. VivoPay, Verifone)
    - $150 (retail)
    - $10 - $30 (ebay)
  - OmniKey ($50-90 ebay), ACG, etc.
  - Proxmark ($230-$400)
- Mag stripe encoder ($200-$300)

Tool Overview
- What is NFCProxy?
  - An open source Android app
  - A tool that makes it easier to start messing with NFC/RFID
  - Protocol analyzer
- Hardware required
  - Two NFC capable Android phones for full feature set
    - Nexus S ($70 - $90 ebay)
    - LG Optimus Elite ($130 new, contract free)
    - Galaxy Nexus, Galaxy S3, etc. (http://www.nfcworld.com/nfc-phones-list/)
      - No custom ROMs yet*
- Software required
  - One phone
    - Android 2.3 (Gingerbread)
    - Tested 2.3.7 and ICS
  - At least one phone needs:
    - CyanogenMod 9 nightly build from: Jan 20 – Mar 22 2012*

Cyanogen Card Emulation
- Git commits that add ISO PCD reader support
  - android_frameworks_base (Java API)
    - https://github.com/CyanogenMod/android_frameworks_base (…df)
  - android_external_libnfc-nxp (native library)
    - https://github.com/CyanogenMod/android_external_libnfc-nxp (…eeb03d88)
  - android_packages_apps_Nfc (Nfc.apk – NFC Service)
    - https://github.com/CyanogenMod/android_packages_apps_Nfc (…8)

Cyanogen Card Emulation
- NFC Reader code disabled because it interferes with Google Wallet
  - https://github.com/CyanogenMod/android_packages_apps_Nfc (…5)
  - Revert this commit to get reader support back
- Nexus S nightly build: …te-cm-9-20120322-NIGHTLY-crespo4g-signed.zip

NFC Hardware (diagram; recoverable labels: NFC Chip)

Standard Transaction (diagram; labels: APDU, RFID, APDU)

Tool Features
- Proxy transactions
- Save transactions
- Export transactions
- PCD replay
- Tag replay (on Cyanogen side)
  - Don't need to know the right APDUs to query RFID tags
- Replaying is easy
- Use the tool to learn about the protocol (APDUs)

How It Works // Proxy Mode (diagram; labels: NFC, WiFi (IP), APDU, NFC, APDU, Protocol Analysis, Immediate Skim and Use)

How It Works // Terminology (diagram; labels: Proxy Mode (Cyanogen), WiFi, Relay Mode, NFC, NFC)

How It Works // Startup Modes
- Relay Mode
  - Place Relay on card/tag
  - Opens port and waits for connection from proxy
- Proxy Mode
  - Swipe across reader
  - Forwards APDUs from reader to card
  - Transactions displayed on screen
  - Long clicking allows you to Save, Export, Replay or Delete
- Encrypted Communication
  - Requires password (both sides)
  - Slower transactions
  - Can disable
    - Faster
    - No auth

How It Works // Replay Mode
- Proxy not required for replay
- Replay PCD (Skimming mode*)
  - Put phone near credit card
  - Different types of cards - different requests
  - Nothing special going on here
- Replay Tag (Spending mode)
  - Swipe phone across reader
  - Requires CyanogenMod tweaks
  - Virtual wallet
- Pitfalls
  - Don't replay the same saved transaction twice at a real POS terminal
  - Replay in the right order
  - Haven't tested Discover or Amex at a live POS

Antennas
- A word about Android NFC antennas
  - Galaxy Nexus: CRAP!
  - Nexus S: Good
  - Optimus Elite: Good
- NFC communication is often incomplete
  - Need to re-engage/re-swipe the phone with a card/reader
  - Check the "Status" tab in NFCProxy

Sample Output

APDU-Speak
- EMV Book 3
  - http://www.emvco.com/download_agreement.aspx?id=654
- See RFIDIOt (ChAP.py) and pwnpass for APDUs used for skimming
- More info on service code and iCVV
  - ISO/IEC …
  - …/02/deconstructing-creditcards-data.html
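The tool's point is to learn the APDUs from captured traffic instead of from EMV Book 3. The following is an added example, not code from the talk or from NFCProxy, that decodes the ISO 7816-4 APDU structure EMV inherits: the CLA INS P1 P2 header, the Lc data field and Le of a command, and the SW1 SW2 status word of a response. The sample bytes are constructed for illustration, not captured card traffic.

```python
# Added example (not from the talk or NFCProxy): minimal ISO 7816-4 APDU decoder.
from dataclasses import dataclass
from typing import Optional

@dataclass
class CommandApdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""
    le: Optional[int] = None   # None: no Le field (ISO 7816-4 case 1 or 3)
@dataclass
class ResponseApdu:
    data: bytes
    sw1: int
    sw2: int
    def status(self) -> str:
        """Classify the SW1 SW2 status word (short form, not exhaustive)."""
        if (self.sw1, self.sw2) == (0x90, 0x00):
            return "OK"
        if self.sw1 == 0x61:
            return f"OK, {self.sw2} more bytes available"
        if self.sw1 == 0x6C:
            return f"wrong Le, card expects Le={self.sw2}"
        return "warning" if self.sw1 in (0x62, 0x63) else "error"

def parse_command(raw: bytes) -> CommandApdu:
    """Decode a short-form command APDU (cases 1-4); ValueError if malformed."""
    if len(raw) < 4:
        raise ValueError("command APDU needs at least CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:                       # case 1: header only
        return CommandApdu(cla, ins, p1, p2)
    if len(body) == 1:                 # case 2: header + Le (00 means 256)
        return CommandApdu(cla, ins, p1, p2, le=body[0] or 256)
    lc, data, tail = body[0], body[1:1 + body[0]], body[1 + body[0]:]
    if len(data) != lc or len(tail) > 1:
        raise ValueError("Lc does not match the data field length")
    le = (tail[0] or 256) if tail else None   # case 4: Le follows the data
    return CommandApdu(cla, ins, p1, p2, data, le)

def parse_response(raw: bytes) -> ResponseApdu:
    if len(raw) < 2:
        raise ValueError("response APDU needs SW1 SW2")
    return ResponseApdu(raw[:-2], raw[-2], raw[-1])

# Constructed sample exchange: SELECT (INS A4) with a 4-byte name and Le=00,
# answered with three data bytes and status 90 00.
SAMPLE_CMD = bytes.fromhex("00A4040004DEADBEEF00")
SAMPLE_RSP = bytes.fromhex("0102039000")
```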

Demo
- Let's see it in action!

Future Work
- What's next?
  - Generic framework that works with multiple technologies
    - Requires better reader detection
  - Pluggable modules
    - MITM
    - Protocol fuzzing

Source Code
- Now available for download and …roxy/

Q&A
- Questions?
- Contact: eddie{at}blackwinghq.com

How It Works
- High level overview
  - Communicates over wifi
  - After you capture the transactions you only need one phone
- And why it works this way
  - Proxy
    - One end on card, one end on PCD
    - One end is a standard NFC enabled Android phone
    - One end needs to be able to detect a reader
      - Go into card emulation
  - Proxy is used so that the protocol(?) can be analyzed
  - Quick way to learn APDUs without needing to read documentation
    - Just replay

Walkthrough
- Pick Mode
- Relay Mode
  - Opens port and waits for proxy
  - Settings
  - Place Relay on card/tag
- Proxy Mode
  - Note connection finickiness
    - Gnex: awful antenna
    - Optimus Elite/Nexus S: good
  - Swipe across reader
  - Transaction is automatically proxied
  - Slight lag
  - Data on screen is temporary. Must manually save
  - Describe data
  - Long clicking allows you to save, export, replay, delete
  - Watch status tab for errors
  - Save tab contains built-in PCD and saved transactions

I. Introduction
  a. Brief primer on NFC/RFID
  b. Motivation
    i. Why create this tool?
II. Other/Previous work
  a. Scanning and reading RFID credit card from POS
    i. Pablos Holman
    ii. 3ric - Pwnpass
  b. Converting RFID to swipe-able card
    i. K. Paget
  c. Tag reading apps
III. How it works
  a. High level overview
  b. Standard hardware
    i. Custom ROM features
IV. Tool features
  a. Proxy mode
    i. Capture PCD requests and Tag responses
    ii. Don't really need to understand protocol for replay
  b. Replay Tags
  c. Replay PCDs
V. Walkthrough (via slides)
  a. Show proxy transaction of CC and POS terminal
    i. Show physical setup
    ii. Show data output
  b. Show replay of credit card
  c. Show replay of PCD/POS
VI. Future work/Hopes
  a. Make tool into a generic framework that supports multiple
