NFC Hacking: The Easy Way
Eddie Lee, eddie{at}blackwinghq.com
Blackwing Intelligence

* Security Researcher for Blackwing Intelligence (formerly Praetorian Global)
* We're always looking for cool security projects
* Member of Digital Revelation
  * 2-time CTF Champs - Defcon 9 & 10
* Not an NFC or RFID expert!

* Radio Frequency Identification - RFID
  * Broad range of frequencies: low kHz to super high GHz
* Near Field Communication - NFC
  * 13.56 MHz
  * Payment cards
  * Library systems
  * e-Passports
  * Smart cards
  * Standard range: ~3 - 10 cm
* RFID Tag
  * Transceiver
  * Antenna
  * Chip (processor) or memory

RFID (tag) in credit cards
* Visa - PayWave
* MasterCard - PayPass
* American Express - ExpressPay
* Discover - Zip
[Slide image: contactless payment logos and a contactless terminal]
* Proximity Coupling Devices (PCD) / Point of Sale (POS) terminal / Reader

* EMV (Europay, Mastercard, and VISA) standard for communication between chipped credit cards and POS terminals
  * Four "books" long
  * Based on ISO 14443 and ISO 7816
  * Communicate with Application Protocol Data Units (APDUs)

Why create NFCProxy?
* I'm lazy
  * Don't like to read specs
  * Didn't want to learn the protocol (from reading specs)
* Future releases should work with other standards (different protocols)
* Make it easier to analyze protocols
* Make it easier for other people to get involved
* Contribute to reasons why this standard should be fixed

* Adam Laurie (Major Malfunction)
  * RFIDIOt
  * http://rfidiot.org
* Pablos Holman
  * Skimming RFID credit cards with ebay reader
  * http://www.youtube.com/watch?v=<video ID illegible in source>
* 3ric Johanson
  * Pwnpass
  * http://www.rfidunplugged.com/pwnpass/
* Kristin Paget
  * Cloning RFID credit cards to mag stripe
  * http://www.shmoocon.org/2012/presentations/Paget_shmoocon2012-credit-cards.pdf
* Tag reading apps

* Contactless credit card reader (e.g. VivoPay, Verifone)
  * ~$150 (retail)
  * ~$10 - $30 (ebay)
* Card reader
  * OmniKey (~$50 - $90 ebay), ACG, etc.
* Proxmark ($230 - $400)
* Mag stripe encoder ($200 - $300)

What is NFCProxy?
* An open source Android app
* A tool that makes it easier to start messing with NFC/RFID
* Protocol analyzer

Hardware required
* Two NFC capable Android phones for full feature set
  * Nexus S (~$60 - $90 ebay)
  * LG Optimus Elite (~$130 new, contract free)
* No custom ROMs yet
  * Galaxy Nexus, Galaxy S3, etc. (http://www.nfcworld.com/nfc-phones-list/)

Software required
* One phone
  * Android 2.3+ (Gingerbread)
  * Tested 2.3.7 and ICS
* At least one phone needs:
  * Cyanogen 9 nightly build from: Jan 20 - Feb 24 2012
  * Or custom build of Cyanogen

[Screenshot: GitHub history for CyanogenMod/android_frameworks_base (branch ics), file core/java/android/nfc/tech/IsoPcdA.java. Feb 25, 2012: "Revert back to the public api/current.txt and properly @hide the new ..." (koush). Jan 20, 2012: "Added NFC Reader support for two new tag types: ISO PCD type A and IS..." (doug yeager).]

* android_frameworks_base (Java API)
  * https://github.com/CyanogenMod/android_frameworks_base/commit/<hash illegible in source>
* android_external_libnfc-nxp (native library)
  * https://github.com/CyanogenMod/android_external_libnfc-nxp/commit/<hash illegible in source>
* android_packages_apps_Nfc (Nfc.apk - NFC Service)
  * https://github.com/CyanogenMod/android_packages_apps_Nfc/commit/<hash illegible in source>
* NFC Reader code disabled because it interferes with Google Wallet
  * https://github.com/CyanogenMod/android_packages_apps_Nfc/commit/<hash illegible in source>

[Diagram: phone NFC architecture - Host, Antenna, Secure Element]

* Proxy transactions
* Save transactions
* Export transactions
* Tag replay (on Cyanogen side)
* PCD replay
* Don't need to know the correct APDUs for a real transaction
* Use the tool to learn about the protocol (APDUs)

[Diagram: Proxy Mode phone at the reader, Relay Mode phone at the card, linked over the network]

Relay Mode
* Opens port and waits for connection from proxy
* Place Relay on card/tag

Proxy Mode
* Swipe across reader
* Forwards APDUs from reader to card
* Transactions displayed on screen
* Long clicking allows you to Save, Export, Replay, or Delete

* Replay Reader (Skimming mode*)
  * Put phone near credit card
  * Nothing special going on here
  * Know the right APDUs
* Replay Card (Spending mode)
  * Swipe phone across reader
  * Phone needs to be able to detect reader - Card Emulation mode
  * Requires CyanogenMod tweaks
  * Virtual wallet

A word about Android NFC antennas
* Galaxy Nexus: CRAP!
* Nexus S: Good
* Optimus Elite: Good
* NFC communication is often incomplete
  * Need to re-engage/re-swipe the phone with a card/reader
  * Check the "Status" tab in NFCProxy

* EMV Book 3
  * http://www.emvco.com/download_agreement.aspx?id=<id illegible in source>
* See RFIDIOt (ChAP.py) and pwnpass for APDUs used for skimming
* Proxy not needed for skimming and spending
  * Just for protocol analysis

[Screenshot: NFCProxy app with DATA, STATUS and SAVED tabs]

Let's see it in action!

What's next?
* Generic framework that works with multiple technologies
  * Requires better reader detection
* Pluggable modules
  * MITM
  * Protocol fuzzing

Now available for download and contribution
* http://sourceforge.net/projects/nfcproxy/

Questions?
* Contact: eddie{at}blackwinghq.com
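The APDUs that the EMV slide mentions, and that NFCProxy forwards between reader and card in Proxy Mode, follow ISO 7816-4. As an added example (not part of the original deck or of the NFCProxy code), the parser below decodes a short-form command APDU into its ISO 7816-4 case and splits a response APDU into data and status word; the sample bytes are constructed, not captured from a real card.

```python
# Added example (not from the NFCProxy deck): decode ISO 7816-4 short-form
# command and response APDUs. Sample bytes are constructed, not captured.
from dataclasses import dataclass
from typing import Optional, Tuple

# Common ISO 7816-4 status words (SW1 SW2) seen at the end of a response.
STATUS_WORDS = {
    0x9000: "success",
    0x6A82: "file or application not found",
    0x6D00: "instruction not supported",
    0x6E00: "class not supported",
}

@dataclass
class CommandApdu:
    case: int                 # ISO 7816-4 case 1..4
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""         # command data field (cases 3 and 4)
    le: Optional[int] = None  # expected response length (cases 2 and 4)

def parse_command(raw: bytes) -> CommandApdu:
    """Parse a short-form command APDU and classify its ISO 7816-4 case."""
    if len(raw) < 4:
        raise ValueError("command APDU needs at least CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    if len(raw) == 4:                      # case 1: header only
        return CommandApdu(1, cla, ins, p1, p2)
    if len(raw) == 5:                      # case 2: header + Le (00 = 256)
        return CommandApdu(2, cla, ins, p1, p2, le=raw[4] or 256)
    lc = raw[4]
    if lc == 0 or len(raw) < 5 + lc:
        raise ValueError("Lc does not match APDU length")
    data = bytes(raw[5:5 + lc])
    if len(raw) == 5 + lc:                 # case 3: header + Lc + data
        return CommandApdu(3, cla, ins, p1, p2, data)
    if len(raw) == 6 + lc:                 # case 4: header + Lc + data + Le
        return CommandApdu(4, cla, ins, p1, p2, data, le=raw[5 + lc] or 256)
    raise ValueError("length matches neither case 3 nor case 4")

def parse_response(raw: bytes) -> Tuple[bytes, int, str]:
    """Split a response APDU into (data, SW1SW2, meaning)."""
    if len(raw) < 2:
        raise ValueError("response APDU needs SW1 SW2")
    sw = (raw[-2] << 8) | raw[-1]
    return bytes(raw[:-2]), sw, STATUS_WORDS.get(sw, "unknown status word")

# Constructed exchange: SELECT by name (CLA 00, INS A4, P1 04) for a made-up
# application name "ABCDE", answered by the card with "not found".
SAMPLE_COMMAND = bytes.fromhex("00A4040005" + "4142434445" + "00")
SAMPLE_RESPONSE = bytes.fromhex("6A82")
```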