
Defcon 20 Lee NFC Hacking

This document introduces NFCProxy, an open source Android application that acts as a proxy for Near Field Communication (NFC) transactions. It allows the user to intercept, view, replay, and export NFC communications between credit cards and point of sale readers. The tool demonstrates how NFC communications can be analyzed without knowing the exact protocols, and discusses how it could be expanded to support other technologies and fuzz testing in the future.
Copyright
© Attribution Non-Commercial (BY-NC)

DEFCON 20

NFC Hacking: The Easy Way

Eddie Lee eddie{at}blackwinghq.com

- Security Researcher for Blackwing Intelligence (formerly Praetorian Global)
- We're always looking for cool security projects
- Member of Digital Revelation
- 2-time CTF Champs Defcon 9 & 10

About Me

- Not an NFC or RFID expert!

- Radio Frequency Identification - RFID
  - Broad range of frequencies: low kHz to super high GHz

Introduction // RFID Primer

- Near Field Communication - NFC
  - 13.56 MHz
  - Payment cards
  - Library systems
  - e-Passports
  - Smart cards
  - Standard range: ~3 - 10 cm

- RFID Tag
  - Transceiver
  - Antenna
  - Chip (processor) or memory

- RFID (tag) in credit cards
  - Visa PayWave
  - MasterCard PayPass
  - American Express ExpressPay
  - Discover Zip

Introduction // RFID Primer

- Proximity Coupling Devices (PCD) / Point of Sale (POS) terminal / Reader
- EMV (Europay, Mastercard, and VISA) standard for communication between chipped credit cards and POS terminals
  - Four books long
  - Based on ISO 14443 and ISO 7816
  - Communicate with Application Protocol Data Units (APDUs)

- Why create NFCProxy?
  - I'm lazy
  - Don't like to read specs
  - Didn't want to learn protocol (from reading specs)
  - Future releases should work with other standards (diff protocols)
  - Make it easier to analyze protocols
  - Make it easier for other people to get involved
  - Contribute to reasons why this standard should be fixed

Introduction // Motivation

- Adam Laurie (Major Malfunction)
  - RFIDIOt
  - http://rfidiot.org

Previous work

- Pablos Holman
  - Skimming RFID credit cards with ebay reader
  - http://www.youtube.com/watch?v=vmajlKJlT3U

- 3ric Johanson
  - Pwnpass
  - http://www.rfidunplugged.com/pwnpass/

- Kristen Paget
  - Cloning RFID credit cards to mag strip
  - http://www.shmoocon.org/2012/presentations/Paget_shmoocon2012-creditcards.pdf

- Tag reading apps

- Contactless Credit card reader (e.g. VivoPay, Verifone)
  - ~$150 (retail)
  - ~$10 - $30 (ebay)

Typical Hardware

- Card reader
  - OmniKey (~$50-90 ebay), ACG, etc.
  - Proxmark ($230-$400)

- Mag stripe encoder ($200-$300)

- What is NFCProxy?
  - An open source Android app
  - A tool that makes it easier to start messing with NFC/RFID
  - Protocol analyzer

Tool Overview

- Hardware required
  - Two NFC capable Android phones for full feature set
  - Nexus S (~$60 - $90 ebay)
  - LG Optimus Elite (~$130 new. Contract free)
  - No custom ROMs yet
  - Galaxy Nexus, Galaxy S3, etc. (http://www.nfcworld.com/nfc-phones-list/)

- Software required
  - One phone
    - Android 2.3+ (Gingerbread)
    - Tested 2.3.7 and ICS
  - At least one phone needs:
    - Cyanogen 9 nightly build from: Jan 20 - Feb 24 2012
    - Or Custom build of Cyanogen

android_frameworks_base (Java API)
- https://github.com/CyanogenMod/android_frameworks_base/commit/c80c15bed5b5edffb61eb543e31f0b90eddcdadf

Cyanogen Card Emulation

android_external_libnfc-nxp (native library)
- https://github.com/CyanogenMod/android_external_libnfc-nxp/commit/34f13082c2e78d1770e98b4ed61f446beeb03d88

android_packages_apps_Nfc (Nfc.apk NFC Service)
- https://github.com/CyanogenMod/android_packages_apps_Nfc/commit/d41edfd794d4d0fedd91d561114308f0d5f83878

- NFC Reader code disabled because it interferes with Google Wallet
  - https://github.com/CyanogenMod/android_packages_apps_Nfc/commit/75ad85b06935cfe2cc556ea1fe5ccb9b54467695

NFC Hardware Architecture

[Figure: NFC hardware architecture diagram]

- Proxy transactions
- Save transactions
- Export transactions
- Tag replay (on Cyanogen side)
- PCD replay

Tool Features

- Don't need to know the correct APDUs for a real transaction
  - Use the tool to learn about the protocol (APDUs)

[Figure: Standard Transaction]

How It Works // Proxy Mode

[Figure: Proxy Mode]

How It Works // Terminology

[Figure: Relay Mode]

- Relay Mode
  - Opens port and waits for connection from proxy
  - Place Relay on card/tag

How It Works // Modes

- Proxy Mode
  - Swipe across reader
  - Forwards APDUs from reader to card
  - Transactions displayed on screen
  - Long Clicking allows you to Save, Export, Replay, or Delete

- Replay Reader (Skimming mode*)
  - Put phone near credit card
  - Nothing special going on here
  - Know the right APDUs

How It Works // Replay Mode

- Replay Card (Spending mode)
  - Swipe phone across reader
  - Phone needs to be able to detect reader
  - Card Emulation mode
  - Requires CyanogenMod tweaks
  - Virtual wallet

- A word about Android NFC antennas
  - Galaxy Nexus: CRAP!
  - Nexus S: Good
  - Optimus Elite: Good

Antennas

- NFC communication is often incomplete
  - Need to reengage/re-swipe the phone with a card/reader
  - Check the Status tab in NFCProxy

- EMV Book 3
  - http://www.emvco.com/download_agreement.aspx?id=654

APDU-Speak

- See RFIDIOt (ChAP.py) and pwnpass for APDUs used for skimming
- Proxy not needed for skimming and spending
  - Just for protocol analysis

Sample Output
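
An added example, not part of the original slides or NFCProxy's code: a decoder for ISO 7816-4 short-form command and response APDUs of the kind a proxy displays, run over a constructed log in which one exchange is cut off (the "communication is often incomplete" case above). The `PCD>` / `TAG<` line format, the AID and the function names are assumptions.

```python
# Added example: decode ISO 7816-4 short-form APDUs from a proxy-style log.
# The "PCD>" / "TAG<" line format is an assumption, not NFCProxy's export format.
STATUS = {0x9000: "OK", 0x6A82: "file not found", 0x6A83: "record not found"}

def parse_command(raw: bytes) -> dict:
    """Split a command APDU into header, data and Le (ISO 7816-4 cases 1-4)."""
    if len(raw) < 4:
        raise ValueError("command APDU shorter than its 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    body, data, le = raw[4:], b"", None
    if len(body) == 1:                       # case 2: Le only
        le = body[0] or 256                  # Le = 00 means "up to 256 bytes"
    elif body:                               # case 3 or 4: Lc, data, optional Le
        lc = body[0]
        if lc == 0:
            raise ValueError("extended-length APDU, not handled here")
        data, rest = body[1:1 + lc], body[1 + lc:]
        if len(data) != lc or len(rest) > 1:
            raise ValueError("Lc does not match the bytes present")
        if rest:
            le = rest[0] or 256
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data, "le": le}

def parse_response(raw: bytes) -> dict:
    """Split a response APDU into data and the trailing SW1 SW2 status word."""
    if len(raw) < 2:
        raise ValueError("response APDU shorter than its status word")
    sw = int.from_bytes(raw[-2:], "big")
    return {"data": raw[:-2], "sw": sw, "status": STATUS.get(sw, "unknown")}

def decode_log(text: str) -> list:
    """Pair reader commands with card responses; None marks a missing response."""
    pairs = []
    for line in text.strip().splitlines():
        direction, hexdata = line.split(maxsplit=1)
        if direction == "PCD>":
            pairs.append([parse_command(bytes.fromhex(hexdata)), None])
        elif direction == "TAG<" and pairs and pairs[-1][1] is None:
            pairs[-1][1] = parse_response(bytes.fromhex(hexdata))
    return pairs

# Constructed sample (made-up AID): SELECT by name, then an unanswered READ RECORD and its retry.
SAMPLE_LOG = """
PCD> 00 A4 04 00 07 F0 01 02 03 04 05 06 00
TAG< 6F 09 84 07 F0 01 02 03 04 05 06 90 00
PCD> 00 B2 01 0C 00
PCD> 00 B2 01 0C 00
TAG< 6A 83
"""
```
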

- Let's see it in action!

Demo!

- What's next?
  - Generic framework that works with multiple technologies
  - Requires better reader detection
  - Pluggable modules
  - MITM
  - Protocol Fuzzing

Future Work

- Now available for download and contribution!

Source Code

- http://sourceforge.net/projects/nfcproxy/

- Questions?

Q & A

- Contact: eddie{at}blackwinghq.com
