Yummy Yummy Fruit Salad: An Analysis Of Apple Pay

Transcription

Yummy Yummy Fruit Salad: An Analysis of Apple Pay

Image stolen from: https://scratch.mit.edu/projects/10813101/

whoami

- Principal Consultant @ Payment Security Consulting
- Usually do PCI based work (hey, it's a living)
- Enjoy hardware stuff
- Also enjoy poking at iOS applications
- Did a silly badge this year for the Hardware Hacking Village – hope you got one! Trying to encourage more people to break stuff.
- See https://www.github.com/peterfillmore for some (badly) written code.

Agenda

- What is ApplePay exactly
- Apple Pay Architecture
- XPC – How the components communicate
- Registering a card
- Using a card
- Remote wiping of cards
- Issues
- Tools developed and used
- References

ApplePay

- Another in the long running examples of Apple "inventing" something
- Nothing but a lot of existing technologies bolted together with a fancy façade!
- Publicly available information is scant – people who work with the stuff are NDA'd heavily
- Good thing I blew a grand on an iPhone 6

ApplePay consists of (iPhone 6):

- AMS AS3923 Power Booster
- NXP 65v10 PN548
- Secure Element

Image source: …rview/blog/inside-the-iphone-6-and-iphone-6-plus

Apple Pay architecture (diagram). Components shown: … Drivers, nfcd, PN548 Drivers, Nearfield.framework, PN548_HAL.dylib, seld, PasskitUI, Passkit.framework, passd, PN548_API.dylib, PN548.dylib

XPC

Diagram: Application → Mach message → XPC Service → decode and call → system resource

- The primary method of inter-process communication in iOS
- Client/Server model
- Designed to provide stability and privilege separation
- Passes serialized messages via a Mach message call

XPC Services used by ApplePay

nfcd:
    {
        Label "com.apple.nfcd";
        MachServices { "com.apple.nfcd" 1; };
        ProcessType Interactive;
        Program "/usr/libexec/nfcd";
        UserName mobile;
    }

passd:
    {
        EnableTransactions 1;
        Label "com.apple.passd";
        MachServices {
            "com.apple.passd.aps" 1;
            "com.apple.passd.bulletins" 1;
            "com.apple.passd.in-app-payment" 1;
            "com.apple.passd.library" 1;
            "com.apple.passd.payment" 1;
        };
        POSIXSpawnType Adaptive;
        ProgramArguments ( …sd" );
        ThrottleInterval 0;
        UserName mobile;
    }

seld:
    {
        Label "com.apple.seld";
        MachServices {
            "com.apple.seld" 1;
            "com.apple.seld.aps" 1;
        };
        Program "/usr/libexec/seld";
        RunAtLoad 1;
        UserName mobile;
    }
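The job definitions above are in launchd's text dump syntax. As an added example, not part of the talk, here is a small Python parser for the dictionary/scalar subset used by the nfcd and seld entries (the passd ProgramArguments array is not handled); it pulls out each daemon's label, run-as user and exposed Mach service names, which is the inventory you want when mapping a daemon's IPC surface. The sample text is copied from the slide.

```python
import re

# Sample input, copied from the slide: launchd job dumps for nfcd and seld
# (`key value;` pairs, `{ }` dictionaries, bare or quoted strings, bare ints).
NFCD_JOB = '''{ Label "com.apple.nfcd"; MachServices { "com.apple.nfcd" 1; };
ProcessType Interactive; Program "/usr/libexec/nfcd"; UserName mobile; }'''
SELD_JOB = '''{ Label "com.apple.seld";
MachServices { "com.apple.seld" 1; "com.apple.seld.aps" 1; };
Program "/usr/libexec/seld"; RunAtLoad 1; UserName mobile; }'''

# quoted string | punctuation | bare word (numbers, paths, identifiers)
TOKEN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|([{};])|([^\s{};"]+)')

def tokenize(text):                 # -> [(kind, value)], kind in str/sym/bare
    return [("str", m[1]) if m[1] is not None else
            ("sym", m[2]) if m[2] else ("bare", m[3]) for m in TOKEN_RE.finditer(text)]

class JobParser:                    # recursive-descent parser for the subset above
    def __init__(self, text):
        self.toks, self.pos = list(tokenize(text)), 0

    def take(self):
        self.pos += 1
        return self.toks[self.pos - 1]

    def value(self):
        kind, val = self.take()
        if (kind, val) == ("sym", "{"):
            return self.dictionary()
        if kind == "bare" and val.isdigit():
            return int(val)             # e.g. the 1 after a Mach service name
        if kind in ("str", "bare"):
            return val
        raise ValueError(f"unexpected token {val!r}")

    def dictionary(self):
        out = {}
        while self.toks[self.pos] != ("sym", "}"):
            kind, key = self.take()
            if kind == "sym":
                raise ValueError(f"expected key, got {key!r}")
            out[key] = self.value()     # key value;
            if self.toks[self.pos] == ("sym", ";"):
                self.take()
        self.take()                     # consume '}'
        return out

def mach_services(job_text):        # -> (label, run-as user, sorted service names)
    job = JobParser(job_text).value()
    return job["Label"], job.get("UserName"), sorted(job.get("MachServices", {}))
```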

Client

Must have the correct entitlements to use an XPC Service:

SELD:
- com.apple.seld.debug
- com.apple.seld.cm

NFCD:
- com.apple.nfcd.se
- com.apple.nfcd.debug
- com.apple.nfcd.info

Example calling an XPC Service (C, libxpc):

    #include <xpc/xpc.h>

    // Create connection to the nfcd Mach service
    xpc_connection_t connection =
        xpc_connection_create_mach_service("com.apple.nfcd", NULL, 0);

    // Set handler for unsolicited messages and connection errors
    xpc_connection_set_event_handler(connection, ^(xpc_object_t object) {
        // inspect incoming events / errors here
    });
    xpc_connection_resume(connection);   // the connection must be resumed before use

    // Create XPC object: a dictionary carrying the request
    xpc_object_t msgobject = xpc_dictionary_create(NULL, NULL, 0);
    xpc_dictionary_set_int64(msgobject, "Controller", 6);

    // Send object and get result (blocks until the reply arrives)
    xpc_object_t reply =
        xpc_connection_send_message_with_reply_sync(connection, msgobject);

XPC Sum-up

- Calling applications must have appropriate entitlements to use an XPC service.
- XPC services run under a nominated account ("mobile" in the case of NFC components)
- Harder to exploit from userland.
- Better people than I have looked at this stuff. References: Ian Beer, …revisiting-apple-ipc-1-distributed_28.html

Enrolling a card – Step 1 (Passbook, Authentication Server)
Send "card to authorise" details to Apple. Uses the Secure Element Identifier and AppleToken for …/broker/v2/devices/<seID>/cards
Response: JSON of AID, card identifier, sanitized PAN and URL for the terms and conditions

Enrolling a card – Step 2 (Passbook, Authentication Server)
Retrieve "Terms and Conditions" from the provided …assets/<t&c version>
Response: XML of terms and conditions

Enrolling a card – Step 3 (Passbook, Authentication Server)
Send authorization details: CVV2, Device Name, Location, … …oker/v2/devices/<seID>/cards/<identifier>/enable
Response: URL of generated pass

Enrolling a card – Step 4 (Passbook, Authentication Server)
Retrieve the generated PassKit pass: …/passes/paymentpass.com.apple/<generateURL>
Response: Zipped package containing images, JSON containing pass details and the signature

Enrolling a card – Step 5 (securityd, Authentication Server)
Verify certificates using OCSP: http://ocsp.apple.com/ocsp03-wwdr02/<hash of cert>
Response: OCSP response (check with openssl: openssl ocsp -respin response -text)

Enrolling a card – Step 6 (seld, Authentication Server)
Retrieve commands to run on the Secure Element; contains certificates, supported cards and secure element Id: http://nc-pod2-smp-device.apple.com/tsm/<seId>/get pending commands
Response: List of EMV commands to execute on the secure element.

Enrolling a card – Step 7 (Passbook, Authentication Server)
Retrieve a list of the authentication methods: …om/broker/v2/devices/passes/paymentpass.com.apple/<providedURL>/activationMethods
Response: JSON of authentication method data, e.g. email, SMS or phone call

Enrolling a card – Step 8 (Passbook, Authentication Server)
Send selected method: …er/v2/devices/passes/paymentpass.com.apple/<providedURL>/sendActivationMethod
Response: Confirm

Enrolling a card – Step 9 (seld, Authentication Server)
Send results of EMV command execution from the secure element: http://nc-pod2-smp-device.apple.com/tsm/<seId>/get pending commands
Response: Confirm

Enrolling a card – Step 10 (Passbook, Authentication Server)
Send activation code: …/devices/passes/paymentpass.com.apple/<providedURL>/activationCode
Response: URL to generated PassKit Pass

Enrolling a card – Step 11 (Passbook, Authentication Server)
Retrieve the generated PassKit pass: …/devices/passes/paymentpass.com.apple/<providedURL>/
Response: Zipped package containing images, JSON containing pass details and the signature

Enrolling a card – Step 12 (passd, Authentication Server)
Register device PAN with …t/1/1/devices/<something>/registrations/dpan/<generated DPAN>
Response: Authentication token

Enrolling a card – Step 13 (Passbook, Authentication Server)
Get transactions from …t/1/1/devices/<something>/dpan/<generated DPAN>/transactions
Response: HTTP Code 304 – no content

Using a card

Remote Wiping of a Card

What is right

- Secure element provides a highly limited attack surface – all sensitive information is loaded encrypted
- Tokenization means that your personal account number is not stored or used by the device (I haven't found anything but a sanitized version)
- Issuer of the card can deactivate the token remotely (has happened to me twice so far)
- Applications which use ApplePay must have the correct entitlements to use it.
- You have to authenticate to use ApplePay

Bad verification of the cardholders

Reference: …siness/banks-find-fraud-abounds-in-apple-pay.html?_r=0

- Verification methods and back end are chosen by the card issuers/bank
- In the case of Wells Fargo the verification code can be sent through email, text or call to them.
- Banks were skipping verification checks – allowing for the ability to load stolen cards onto devices with minimal verification

Depends on existing contactless standards

- Same attacks are possible on ApplePay
- This is because it is the issuers that control the transaction – not Apple
- And because reasons it has to support these broken modes
- US market is still heavily invested in MagStripe – and this means broken contactless modes as …
- Proper EMV rollout in the US is not going as quick as thought (In a month there in 2015 I […] my EMV chip two times)
- See my talk from last year (Crash & Pay)

Cloning Demo!

Transactions are logged and stored unencrypted

- Located in /var/mobile/Library/passes/passes23.sqlite
- Contains amounts, (accurate) locations, merchant location etc
- Make sure you remote wipe your ApplePay device if lost!

SQL Dump Demo

Android Pay

- Similar to ApplePay with the implementation
- Intended to replace "Google Wallet"
- Standalone application rather than embedded into the OS
- Can't use it on a 'rooted' device
- References: …googlewallet-using-secure.html, …cureelement-execution.html, …p/androidpay-custom-rom-t3199843

SamsungPay

- Based off "LoopPay" which uses traditional magstripe over NFC (you heard me right)
- Idea is that you can use it with old terminals.
- Utilises tokenization again.
- Doesn't work "rooted"
- Further research needed!

Logging function calls using tweaks

1. Dump all the headers from the device:
       classdump-dyld -o <dump dir> -r / -c
2. Generate the "Tweak.xm" file to log the service you want:
       logify.pl *.h > Tweak.xm
3. Create the tweak project:
       nic.pl
       NIC 2.0 - New Instance Creator
       ------------------------------
       [9.] iphone/tweak
4. Copy the Tweak.xm to the project and compile

Logging function calls using tweaks

- Generated a whole heap of iOS tweaks to log calls to work out what was happening.
- Updated my RFIDiot scripts to do ApplePay transactions
- Quick IDA scripts to rename "redacted" functions in some binaries.
- Test XPC programs to test reversed functions.

Solving the "Redacted" problem

Use the Xcode tool "atos" – convert numeric addresses to symbols of binary images or processes. Requires that the iOS device under test has been connected to the Mac to generate the symbolic files.

    xcrun atos -arch arm64 -o /Library/Developer/Xcode/iOS …ateFrameworks/PassKitCore.framework/PassKitCore 0x18d3d5298
    ___copy_helper_block_162 (in PassKitCore) + 0

References

- iPhoneDevWiki – http://iphonedevwiki.net/index.php
- "Snakeninny and Hangcom" – iOS App Reverse Engineering (…ppReverseEngineering)
- Ian Beer's XPC preso at 44CON and Google …09/revisiting-apple-ipc-1-distributed_28.html
- Tielei Wang, Hao Xu, Xiaobo Chen of Team Pangu – …n-iOS-8.pdf
- Sebas Guerro (@0xroot) – "Demystifying Apple 'Pie' & TouchID" (…epie-touchid)

Source Code

- https://github.com/michaelquinlan/swift basic apple pay
- https://github.com/beatty/applepay crypto demo
- https://github.com/peterfillmore/ApplePayStuff
