DEFCON 20

NFC Hacking: The Easy Way

Eddie Lee – eddie{at}blackwinghq.com

About Me
• Security Researcher for Blackwing Intelligence (formerly Praetorian Global)
  • New site live: blackwinghq.com
  • We’re always looking for interesting security projects
• Member of Digital Revelation
  • 2-time Defcon CTF Champs (Defcon 9 & 10)
• Not an NFC or RFID expert!

Introduction // RFID Primer
• Radio Frequency Identification – RFID
  • Broad range of frequencies: low kHz to super high GHz
  • RFID Tag: Antenna + Chip (processor or memory)
• Near Field Communication – NFC
  • 13.56 MHz
  • Standard range: ~3 - 10 cm
  • Transceiver
  • Lots of new Android phones have NFC
• Uses: payment systems, library cards, e-Passports, smart cards

Introduction // RFID Primer
• EMV (Europay, MasterCard, and VISA) standard for communication between chipped credit cards and POS terminals
  • Based on ISO 7816 and ISO 14443
  • Four “books” long
  • Communicate with Application Protocol Data Units (APDUs)
• RFID in credit cards:
  • American Express – ExpressPay
  • Discover – Zip
  • Visa – PayWave
  • MasterCard – PayPass
• Card Reader / Proximity Coupling Device (PCD) / Point of Sale (POS) terminal
• RFID (tag)

Introduction // Motivation
• Why create NFCProxy?
  • Didn’t want to learn protocol (from reading specs)
    • I’m lazy
    • Don’t like to read specs
  • Protocol Analysis
  • Make it easier for other people to get involved
  • Contribute to reasons why this standard should be fixed
  • Future releases should work with other standards (diff protocols)

Previous work
• Skimming RFID credit cards with reader from ebay
  • Pablos Holman: http://www.youtube.com/watch?v=vmajlKJlT3U
  • 3ric Johanson: Pwnpass – http://www.rfidunplugged.com/pwnpass/
• Cloning RFID credit cards to mag stripe
  • Kristin Paget: http://www.shmoocon.org/2012/presentations/Paget_shmoocon2012-credit-cards.pdf
• Tag reading apps
• RFIDIOt – Adam Laurie (Major Malfunction): http://rfidiot.org

Typical Hardware
• Card reader (~$10 - $30)
• Mag stripe encoder ($200-$300)
• Contactless credit card reader (e.g. Verifone, VivoPay, ACG, etc.) ($230-$400; ebay)
• OmniKey (~$50-90)
• Proxmark (~$150 retail)

Tool Overview

What is NFCProxy?
• An open source Android app
• A tool that makes it easier to start messing with NFC/RFID
• Protocol analyzer

Hardware required
• One phone, or two for full feature set
• NFC capable Android phones (Galaxy S3, LG Optimus Elite, etc.)*
  • ~$70 - $90 new (contract free); ~$130 on ebay
  • No custom ROMs yet
* http://www.nfcworld.com/nfc-phones-list/ (Jan 20 – Mar 22 2012)

Software required
• Android 2.3+ (Gingerbread); tested on 2.3.7 and ICS
• At least one phone needs: CyanogenMod 9 nightly build

Cyanogen Card Emulation
• Git commits that add PCD ISO reader support:
  • android_packages_apps_Nfc (Nfc.apk – NFC Service): https://github.com/CyanogenMod/android_packages_apps_Nfc/commit/d41edfd794d4d0fedd91d561114308f0d5f83878
  • android_frameworks_base (Java API): https://github.com/CyanogenMod/android_frameworks_base/commit/c80c15bed5b5edffb61eb543e31f0b90eddcdadf
  • android_external_libnfc-nxp (native library): https://github.com/CyanogenMod/android_external_libnfc-nxp/commit/34f13082c2e78d1770e98b4ed61f446beeb03d88

Cyanogen Card Emulation
• Nexus S nightly build (3/22/2012): http://goo.im/cm/crespo4g/nightly/update-cm-9-20120322-NIGHTLY-crespo4g-signed.zip
• NFC Reader code disabled because it interferes with Wallet
• Revert this commit to get reader support back: https://github.com/CyanogenMod/android_packages_apps_Nfc/commit/75ad85b06935cfe2cc556ea1fe5ccb9b54467695

NFC Hardware Architecture
[Diagram: phone side shows Antenna, NFC Chip, Host and Secure Element; other side shows PCD / Reader; links labelled RFID and APDU]

[Diagram: Standard Transaction – APDUs exchanged between PCD and RFID tag]

Tool Features
• Protocol Analysis
  • Use the tool to learn about the protocol (APDUs)
  • Proxy transactions
  • Save transactions
  • Export transactions
• Immediate Skim and Use
  • Replaying is easy!
  • Don’t need to know the right APDUs to query RFID tags
  • PCD replay
  • Tag replay (on Cyanogen side)

How It Works // Proxy Mode
[Diagram: PCD/reader <-NFC-> phone in Proxy Mode (Cyanogen) <-WiFi (IP)-> phone in Relay Mode <-NFC-> card/tag; APDUs relayed end to end]

How It Works // Terminology
• Proxy Mode
• Relay Mode

How It Works // Startup Modes
• Proxy Mode
  • Swipe across reader
  • Forwards APDUs from reader to card
  • Transactions displayed on screen
  • Long clicking allows you to Export, Replay, Save, or Delete
• Relay Mode
  • Place Relay on card/tag
  • Opens port and waits for connection from proxy
• Encrypted Communication
  • Requires password (both sides)
  • Slower transactions
  • Can disable
• No Auth
  • Faster

How It Works // Replay Mode
• Proxy not required for replay
• Replay Tag (Spending mode*)
  • Virtual wallet
  • Swipe phone across reader
  • Pitfalls:
    • Don’t replay the same saved transaction twice at a real POS terminal
    • Replay in the right order
    • Haven’t tested Discover or Amex at live POS
• Replay PCD (Skimming mode)
  • Put phone near credit card
  • Different types of cards -> Different Requests
  • Nothing special going on here
* Requires CyanogenMod tweaks

Antennas
• A word about android NFC antennas
  • NFC communication is often incomplete
  • Need to reengage/re-swipe the phone with a card/reader
  • Check the “Status” tab in NFCProxy
  • Optimus Elite: Good
  • Nexus S: Good
  • Galaxy Nexus: CRAP!

Sample Output

APDU-Speak
• See ChAP.py (RFIDIOt) and pwnpass for APDUs used for skimming
• More info on service code and iCVV:
  • ISO/IEC 7813:2006
  • EMV Book 3
  • http://www.emvco.com/download_agreement.aspx?id=654
  • http://blog.opensecurityresearch.com/2012/02/deconstructing-credit-cards-data.html

Demo!
• Let’s see it in action!

Future Work
• What’s next?
  • MITM
  • Protocol Fuzzing
  • Requires better reader detection
  • Generic framework that works with multiple technologies
  • Pluggable modules

Source Code
• Now available for download and contribution!
• http://sourceforge.net/projects/nfcproxy/

Q & A
• Questions?
• Contact: eddie {at} blackwinghq.com

How It Works
• High level overview, and why it works this way
  • NFC enabled android phone; communicates over wifi
  • One end on card, one end on PCD
  • One end is a standard NFC enabled android phone; one end needs to be able to detect a reader (go into card emulation)
  • Proxy is used so that the protocol(?) can be analyzed: quick way to learn APDUs without needing to read documentation
  • After you capture the transactions you only need one phone: just replay
• Pick Mode
  • Proxy Mode
    • Swipe across reader; transaction is automatically proxied
    • Data on screen is temporary. Must manually save
    • Long clicking allows you to save, export, replay, delete
    • Watch status tab for errors
    • Save tab contains built-in PCD and saved transactions
    • Settings
  • Relay Mode
    • Place Relay on card/tag
    • Opens port and waits for proxy
    • Note connection
• Describe data
• Antenna finickiness
  • Elite/Nexus S: good
  • Gnex: awful
  • Optimus: slight lag

Walkthrough
I. Introduction
  a. Brief primer on NFC/RFID
  b. Motivation
    i. Why create this tool?
II. Other/Previous work
  a. Scanning and reading RFID credit card from POS
    i. Pablos Holman
    ii. 3ric - Pwnpass
  b. Converting RFID to swipe-able card
    i. K. Paget
  c. Tag reading apps
III. How it works
  a. High level overview
  b. Standard hardware
    i. Custom Rom features
IV. Tool features
  a. Proxy mode
    i. Capture PCD requests and Tag responses
    ii. Don’t really need to understand protocol for replay
  b. Replay Tags
  c. Replay PCDs
V. Walkthrough (via slides)
  a. Show proxy transaction of CC and POS terminal
    i. Show physical setup
    ii. Show data output
  b. Show replay of credit card
  c. Show replay of PCD/POS
VI. Future work/Hopes
  a. Make tool into a generic framework that supports multiple