NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
1 like•1,570 views
The document discusses Near Field Communication (NFC) technology, its applications, and vulnerabilities in transport systems, particularly focusing on different NFC standards such as Mifare and HID. It outlines tools for pentesting NFC systems, including Hydranfc and Proxmark3, and presents a methodology for identifying security weaknesses in ticketing systems. Case studies highlight specific vulnerabilities in various NFC applications, revealing significant risks associated with current implementations.
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
- 1. NFC Naked Fried Chicken Matteo Beccaro || Opposing Force phdays 2016 – May 18, 2016 © Opposing Force. All right reserved.
- 2. Who || Matteo Beccaro Founder || Chief Technology Officer at Opposing Force, the first Italian company specialized in offensive physical security Twitter: @_bughardy_ © Opposing Force. All right reserved.
- 3. Agenda || NFC: What are we talking about? Transport system structure Our tool Pentesting methodology Attack Surface Analyzing the elements Vulnerabilities Case studies © Opposing Force. All right reserved.
- 4. Agenda || NFC: What are we talking about? Transport system structure Our tool Pentesting methodology Attack Surface Analyzing the elements Vulnerabilities Case studies © Opposing Force. All right reserved.
- 5. NFC: What are we talking about?|| © Opposing Force. All right reserved. What is NFC? • NFC stands for Near Field Communication • Frequency at 13.56 MHz • 3-5 cm of range • Widely used in: – Access Control systems – Ticketing – Mobile phones
- 6. NFC: What are we talking about?|| © Opposing Force. All right reserved. NFC most notorious families: • MIFARE – MIFARE Classic – MIFARE Ultralight – MIFARE DesFire • HID iClass • Calypso • FeliCa
- 7. NFC: What are we talking about?|| © Opposing Force. All right reserved. MIFARE Classic • Memory storage device ( 1K or 4K ) • Strong access control mechanisms – A key is required to access data sector – Use of Crypto1 Crapto1 algorithm – Broken… – .. But widely used ( RFID Door token, transport ticket, etc )
- 8. NFC: What are we talking about?|| © Opposing Force. All right reserved. MIFARE Ultralight • Memory storage device ( 64 bytes ) • Basic security mechanism – OTP ( One-Time-Programmable ) sector – Lock bytes sector – Mostly used for disposable tickets – It has some more secure children:
- 9. NFC: What are we talking about?|| © Opposing Force. All right reserved. MIFARE DesFire • Advanced security mechanisms ( 3DES, AES, etc ) • File system structure • 2KB, 4KB or 8KB memory size • Several variant: – DESFIRE, DESFIRE EV1 and DESFIRE EV2
- 10. NFC: What are we talking about?|| © Opposing Force. All right reserved. HID iClass • Same encryption and authentication keys are shared across all HID iCLASS Standard Security installations. • Keys are already been extracted • Two variants: – iClass Standard ( common ) – iClass High Secure ( less common ) Both broken
- 11. Agenda || NFC: What are we talking about? Transport system structure Our tool Pentesting methodology Attack Surface Analyzing the elements Vulnerabilities Case studies © Opposing Force. All right reserved.
- 12. Transport system structure|| © Opposing Force. All right reserved. Defining a transportation system: We need to create a common methodology We need to have tools We need to be able to use schemas to help our works
- 13. Transport system structure|| © Opposing Force. All right reserved. Defining a schema
- 14. Transport system structure|| © Opposing Force. All right reserved. Defining a schema Local Remot e
- 15. Transport system structure|| © Opposing Force. All right reserved. More in details…
- 16. Transport system structure|| © Opposing Force. All right reserved. Token: Usually a NFC card • MIFARE ULTRALIGHT • MIFARE CLASSIC • CALYPSO Can store: • multiple rides or subscriptions • timestamp of last stamping • details of where it has been used • other data
- 17. Transport system structure|| © Opposing Force. All right reserved. Token: MIFARE CLASSIC • Just broken MIFARE ULTRALIGHT • Lock attack • Time attack • Reply attack Calypso • All documentation is under NDA
- 18. Transport system structure|| © Opposing Force. All right reserved. Reader|Controller: Can operate offline or online Can be wire or wireless connected to the controller Usually supports multiple standards Its purpose is to check if a ticket is valid and stamp it It can stores secrets and keys
- 19. Transport system structure|| © Opposing Force. All right reserved. Backend Sometimes known as “Cloud” It can perform several operations: Statistics OTA updates Fraud detection Fraud prevention
- 20. Agenda || NFC: What are we talking about? Transport system structure Our tool(s) Pentesting methodology Attack Surface Analyzing the elements Vulnerabilities Case studies © Opposing Force. All right reserved.
- 21. Our tool(s)|| © Opposing Force. All right reserved. What tools we can use: HydraNFC Proxmark3 ChameleonMini NFCulT
- 22. Our tool(s)|| © Opposing Force. All right reserved. HydraNFC ( ~ 90 € ) • Use Texas Instrument TRF7970A NFC chipset ( 13.56MHz only ) • MIFARE 1k and 14443A UID emulation • ISO 14443A sniffing ( also autonomous mode ) • 2 different raw modes • Still in development ( @hydrabus ) • More info at http://hydrabus.com/hydranfc-1-0- specifications/
- 23. Our tool(s)|| © Opposing Force. All right reserved. Proxmark3 ( ~ 200 € ) • HF e LF capabilities • Big community • Supports almost all known RFID tags • Supports sniffing • Supports emulation • More info at http://proxmark.org/forum/index.php
- 24. Our tool(s)|| © Opposing Force. All right reserved. ChameleonMini ( ~ 100 € ) • HF ( 13.56MHz ) only • Almost same capabilities of HydraNFC • Different chipset • Firmware available only for the old revision at the moment • More info at http://kasper-oswald.de/gb/chameleonmini/
- 25. Our tool(s)|| © Opposing Force. All right reserved. NFCulT ( ~ 0 € ) • Mobile application for NFC-enabled Android smartphones • Its aim is to provide quick help during assessment of ticketing systems • Implements Lock, Time and Reply attacks • It has a custom edit mode to edit bit by bit the ticket data • Supports MIFARE ULTRALIGHT and planned support for CLASSIC
- 26. Our tool(s)|| © Opposing Force. All right reserved. NFCulT • Lock Attack • Set the OTP page in Read-Only mode • Operation irreversible • If the reader does not check if it can write the OTP sector: free rides
- 27. Our tool(s)|| © Opposing Force. All right reserved. NFCulT • Time Attack • If you find and decode the timestamp you can stamp the ticket by yourself. • Again, free rides
- 28. Our tool(s)|| © Opposing Force. All right reserved. NFCulT • Reply Attack • Use of UID magic ticket ( ~ 15 € ) • Can bypass all offline anti fraud prevention mechanisms • Guess what? Free rides
- 29. Our tool(s)|| © Opposing Force. All right reserved. NFCulT • Custom edit • Useful for understanding the architecture of the data saved on the ticket ( e.g. for finding the correct timestamp ) • You can quickly transform from hex to bin and viceversa • You can edit bit by bit the data and write back on the ticket
- 30. Agenda || NFC: What are we talking about? Transport system structure Our tool(s) Pentesting methodology Attack Surface Analyzing the elements Vulnerabilities Case studies © Opposing Force. All right reserved.
- 31. Pentesting methodology|| © Opposing Force. All right reserved. What are we looking for?
- 32. Pentesting methodology|| © Opposing Force. All right reserved. Stamping machine Attack Surface Attacks to Perform Impact NFC Interface Analyze the stamping mechanisms Free tickets Hardware board Analyze the exposed interface ( JTAG, UART, etc ) Firmware / secrets dumping GSM/GPRS/Eth Interface Is MITM possible? Intercepting the data Intercepting secrets / sensitive data
- 33. Pentesting methodology|| © Opposing Force. All right reserved. Vending machine Attack Surface Attacks to Perform Impact NFC Interface Analyze the recharging mechanisms Free tickets, for everyone Hardware board Analyze the exposed interface ( JTAG, UART, etc ) Firmware / secrets dumping GSM/GPRS/Eth Interface Is MITM possible? Intercepting the data Intercepting secrets / sensitive data ( e.g. credit card details, etc ) Computer Application Analyzing network services exposed Complete control of the machine
- 34. Pentesting methodology|| © Opposing Force. All right reserved. The backend Attack Surface Attacks to Perform Impact Web application(s) Web app pentesting Various Network services Network pentesting Various Physical location Try to get physical access to the servers Pwned
- 35. Agenda || NFC: What are we talking about? Transport system structure Our tool(s) Pentesting methodology Attack Surface Analyzing the elements Vulnerabilities Case studies © Opposing Force. All right reserved.
- 36. Case studies || © Opposing Force. All right reserved. A MIFARE ULTRALIGHT ticketing system
- 37. Case studies || © Opposing Force. All right reserved. A MIFARE ULTRALIGHT ticketing system
- 38. Case studies || © Opposing Force. All right reserved. A MIFARE ULTRALIGHT ticketing system Lock bit for the OTP sector is not checked by the stamping machine Absence of a UID blacklist in the backend Timestamp are not encrypted nor signed
- 39. Case studies || © Opposing Force. All right reserved. A MIFARE CLASSIC door lock
- 40. Case studies || © Opposing Force. All right reserved. A MIFARE CLASSIC door lock
- 41. Case studies || © Opposing Force. All right reserved. A MIFARE hotel door lock Card’s UID Room number: int(0x17ea, 16) = 6122
- 42. ThanksOpposing Force - challenging your security - @_opposingforce https://www.opposingforce.it | [email protected] © Opposing Force. All right reserved.
- 43. Q&A Time!Opposing Force - challenging your security - @_opposingforce © Opposing Force. All right reserved. https://www.opposingforce.it | [email protected]