Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

STAND CLOSE TO ME AND YOU ARE PWNED! SUBHO HALDER | ADITYA GUPTA @sunnyrockzzs @adi1391 Sunday, 2 December 12

description

NFC, or Near Field Communication, allows cell phones to perform specified actions whenever they detect NFC tags or signals from other NFC-enabled devices. Most recent phones, including the Samsung Galaxy S3, Nokia Lumia 610, Blackberry Bold, etc., have NFC enabled. NFC even helps enterprise/payment gateways to ease users’ actions, such as connecting to Wi-Fi, setting a bookmark, making payments, etc. Gone are the days of sending Android malware links through URLs or attachments. In this talk, we will be showing how an attacker could steal private and sensitive information from one’s phone and even perform malicious actions on the user’s phone, using NFC as an attack vector. NFC attack vectors come in two forms: Active (setting the attacker’s phone as a proxy between the victim’s smartphone and the payment terminal) and Passive (using NFC tags). For our demonstrations, we would be creating malicious NFC tags which, when detected by any NFC-enabled smartphone, would steal sensitive information from the phone (without the user’s knowledge) as well as trick the user into installing malicious applications on his phone. Thereafter, we would also be talking about how an attacker could get in close proximity of another NFC-enabled phone, get a remote shell on the victim’s phone and compromise the phone’s security. We would also be discussing how viral an NFC attack could go in future, if proper security measures are not enforced.

Transcript of Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

Page 1: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

STAND CLOSE TO ME AND YOU ARE PWNED!

SUBHO HALDER | ADITYA GUPTA @sunnyrockzzs @adi1391


Page 2: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

WHO ARE WE !

INFORMATION SECURITY RESEARCHER

MOBILE EXPLOITER

CREATOR OF AFE (ANDROID FRAMEWORK FOR EXPLOITATION)

PYTHON LOVERS

CO-FOUNDER OF XYSEC.

FOUND BUG IN SOME FAMOUS WEBSITES INCLUDING GOOGLE, APPLE, MICROSOFT, SKYPE, ADOBE AND MANY MORE


Page 3: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

SOME COMPANIES WE’VE FOUND VULNS IN..

And MORE...

Page 4: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

AGENDA !

INTRODUCTION TO NFC

NFC STACK

NFC PROTOCOL LAYERS

NFC APPLICATION LAYERS

ANDROID NFC STACK

NFC ATTACKS

LEVERAGING NFC ATTACKS


Page 5: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

INTRODUCTION TO NFC

SET OF COMMUNICATION PROTOCOLS BASED ON RFID STANDARDS INCLUDING ISO 14443

13.56 MHZ OPERATING FREQUENCY +/- 7KHZ

OPERATING RANGE LESS THAN 4 CM


Page 6: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

COMMUNICATION MODES

PASSIVE ( RFID CARDS )

INITIATOR PROVIDES POWER

TARGET REFLECTS BACK THE SIGNAL

ACTIVE ( P2P )

BOTH INITIATOR AND TARGET SIMULATES


Page 7: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

NFC STACK


Page 8: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

NFC PROTOCOL LAYER

PROTOCOL LAYER CONSISTS OF A PHYSICAL LAYER AND RF LAYER

THESE LAYERS ARE FOCUSSED ON PHYSICAL ASPECT OF STARTING COMMUNICATION


Page 9: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

NFC PROTOCOL LAYER

TYPE 1 (TOPAZ)

Type 1 tags use a format sometimes called the Topaz protocol. It uses a simple memory model which is either static for tags with memory size less than 120 bytes or dynamic for tags with larger memory. Bytes are read/written to the tag using commands such as RALL, READ, WRITE-E, WRITE-NE, RSEG, READ8, WRITE-E8, WRITE-N8.

MIFARE CLASSIC

MIFARE classic tags are storage devices with simple security mechanisms for access control. They use an NXP proprietary security protocol for authentication and ciphering. This encryption was reverse engineered and broken in 2007.

MIFARE-ULTRALIGHT

These tags are similar to Topaz tags. They have a static memory layout when they have less than 64 bytes available and a dynamic layout otherwise. The first 16 bytes of memory contain metadata like a serial number, access rights, and capability container. The rest is for the actual data. Data is accessed using READ and WRITE commands.

LLCP (P2P)

The previous protocol layers have all had initiators and targets and the protocols are designed around the initiator being able to read/write to the target. Logical Link Control Protocol (LLCP) is different because it establishes communication between two peer devices.


Page 10: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

NFC APPLICATION LAYER

NDEF OR NFC DATA EXCHANGE FORMAT

SIMPLE BINARY MESSAGE FORMAT !

SAMPLE NDEF FORMAT FOR TEXT


Page 11: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

03 17 d1 01 13 54 02 65 6e 68 65 6c 6c 6f 20 63 6c 75 62 68 61 63 6B 20 21 fe

NDEF Message Start

Payload Length

MB, ME, SR, TNF= ”NFC Forum well-known type”

Type Length

Type “T”

Status Byte - Length of IANA lang code

Lang Code = “en”

“hello clubhack !” - text

NDEF Terminator
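
The byte string above decoded field by field, as an added example that is not part of the original slides: a strict Python parser for the NDEF Message TLV and the short Text record it wraps, which rejects inconsistent length fields instead of reading past them. The function names are this example's own.

```python
# Added example (not from the slides): strict decode of the sample on this slide.
SAMPLE = bytes.fromhex(
    "03 17 d1 01 13 54 02 65 6e 68 65 6c 6c 6f 20"
    " 63 6c 75 62 68 61 63 6b 20 21 fe"
)

def unwrap_ndef_tlv(buf):
    """Return the NDEF message carried in a 0x03 TLV closed by 0xFE."""
    if len(buf) < 3 or buf[0] != 0x03:
        raise ValueError("no NDEF Message TLV (0x03) at start")
    length = buf[1]
    if length == 0xFF:
        raise ValueError("3-byte TLV length not handled in this example")
    end = 2 + length
    if end >= len(buf) or buf[end] != 0xFE:
        raise ValueError("TLV length does not end at the 0xFE terminator")
    return buf[2:end]

def parse_text_record(msg):
    """Parse one short (SR=1) well-known Text record; raise on any mismatch."""
    if len(msg) < 3:
        raise ValueError("truncated record header")
    hdr, type_len, payload_len = msg[0], msg[1], msg[2]
    mb, me, cf, sr, il = (bool(hdr & m) for m in (0x80, 0x40, 0x20, 0x10, 0x08))
    if cf or il or not sr:
        raise ValueError("only unchunked short records without ID are handled")
    if 3 + type_len + payload_len != len(msg):
        raise ValueError("type/payload lengths disagree with message size")
    rtype = msg[3:3 + type_len]
    payload = msg[3 + type_len:]
    if hdr & 0x07 != 0x01 or rtype != b"T" or not payload:
        raise ValueError("not an NFC Forum well-known Text record")
    lang_len = payload[0] & 0x3F          # status byte: low 6 bits
    if 1 + lang_len > len(payload):
        raise ValueError("language code longer than payload")
    encoding = "utf-16" if payload[0] & 0x80 else "utf-8"  # status bit 7
    return {
        "MB": mb, "ME": me, "payload_len": payload_len,
        "lang": payload[1:1 + lang_len].decode("ascii"),
        "text": payload[1 + lang_len:].decode(encoding),
    }

def decode_tag(buf):
    return parse_text_record(unwrap_ndef_tlv(buf))

if __name__ == "__main__":
    print(decode_tag(SAMPLE))
```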


Page 12: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

ANDROID NFC STACK

[Diagram labels: Kernel; NFC Services (com.android.nfc); Tags, MiFare, Topaz, etc.; libpn544_fw.so; libnfc.so; libnfc_jni.so; libnfc_ndef.so]


Page 13: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

ATM CARD SKIMMER !


Page 14: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

HOW TO RECOGNIZE NFC ENABLED CREDIT CARD?


Page 15: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

AID SELECTION

SOME WELL KNOWN AIDS:

VISA DEBIT/CREDIT CARD: A0 00 00 00 03 10 10

MASTERCARD CREDIT: A0 00 00 00 04 10 10

AMERICAN EXPRESS: A0 00 00 00 25 00 00


Page 16: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

EMV DECODING !

DATA ENCODING IS DONE THROUGH BER TLV

ONLINE DECODER AVAILABLE ! HTTP://EMVLAB.ORG/TLVUTILS/
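
What BER-TLV decoding of card data involves, as an added example that is not part of the original slides: a small Python decoder that walks nested TLVs and names any AID matching the list on the AID SELECTION slide. The sample record is constructed for illustration, and the function names are this example's own.

```python
# Added example (not from the slides): minimal BER-TLV walk over a constructed record.
KNOWN_AIDS = {  # values as listed on the AID SELECTION slide
    "A0000000031010": "VISA DEBIT/CREDIT CARD",
    "A0000000041010": "MASTERCARD CREDIT",
    "A0000000250000": "AMERICAN EXPRESS",
}
# Constructed sample: 6F (FCI template) > 84 (DF name) + A5 > 50 (application label)
SAMPLE_FCI = bytes.fromhex(
    "6F17 8407A0000000031010 A50C 500A56495341204445424954"
)

def parse_ber_tlv(data):
    """Return [(tag_hex, value, children_or_None), ...]; raise ValueError if malformed."""
    out, i = [], 0
    while i < len(data):
        start, first = i, data[i]
        i += 1
        if first & 0x1F == 0x1F:                 # multi-byte tag number
            while True:
                if i >= len(data):
                    raise ValueError("truncated tag")
                i += 1
                if not data[i - 1] & 0x80:
                    break
        tag = data[start:i].hex().upper()
        if i >= len(data):
            raise ValueError("missing length for tag " + tag)
        length = data[i]
        i += 1
        if length & 0x80:                        # long form: next n bytes hold the length
            n = length & 0x7F
            if n == 0 or n > 3 or i + n > len(data):
                raise ValueError("unsupported or truncated length for tag " + tag)
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError("value of tag %s runs past the buffer" % tag)
        value = data[i:i + length]
        i += length
        children = parse_ber_tlv(value) if first & 0x20 else None  # constructed bit
        out.append((tag, value, children))
    return out

def find_aids(nodes):
    """Collect AIDs from tags 4F and 84 and name the ones in KNOWN_AIDS."""
    found = []
    for tag, value, children in nodes:
        if tag in ("4F", "84"):
            aid = value.hex().upper()
            found.append((aid, KNOWN_AIDS.get(aid, "unknown")))
        if children:
            found.extend(find_aids(children))
    return found
```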


Page 17: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

HOW TO PROTECT ?

ORGANIZATIONS SHOULD IMPLEMENT PCI DSS COMPLIANT

NFC PAYMENTS NOT YET COMPLIANT

USE A BETTER WALLET


Page 18: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

http://www.thinkgeek.com/product/8cdd/


Page 19: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

NFC RELAY ATTACK !


Page 20: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

NFC POSTER SKIMMING !


Page 21: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

LEVERAGING NFC FOR ANDROID BASED VULNERABILITY


Page 22: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

COM.ANDROID.NFC

FOR WELL KNOWN TYPE TAGS, APPLICATIONS ARE CALLED AUTOMATICALLY

WWW BASED DATA, FIRES THE BROWSER

MAILTO: PROTOCOL FIRES UP MAIL CLIENT

UNEXPECTED VALUES IN NDEF, CRASHES NFCSERVICE.JAVA


Page 23: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

NFC AWARE MALWARES

LEVERAGING THE NFC PROTOCOL, NEW BREED OF ANDROID MALWARE ARISES

PROXYING ANY REQUEST THROUGH THE MALWARE WITHOUT INTERACTION !


Page 24: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

NFC TAG

Any URL

Instead of opening the Browser, opens up an application !

no interaction needed


Page 25: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

LEVERAGING USSD BASED ATTACK USING NFC


Page 26: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

NFC TAG

Malicious URL

Opens the malicious link at http://xysec.com/ussd.html

Fires up the browser and dials the number in the user’s phone, without any interaction!

no interaction needed
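
One way to gate the automatic dispatch described on the COM.ANDROID.NFC and USSD slides, as an added example that is not code from the talk or from Android: expand an NDEF URI record payload with the NFC Forum prefix codes and require confirmation before any handler runs, refusing tel: URIs that carry USSD characters. The policy names and sample payloads are constructed for illustration.

```python
# Added example (not from the slides): dispatch policy for URIs read from a tag
# or handed to the dialer by the browser. Policy names are hypothetical.
from urllib.parse import unquote

# NFC Forum URI record abbreviation codes (subset handled here)
URI_PREFIX = {
    0x00: "", 0x01: "http://www.", 0x02: "https://www.",
    0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:",
}

def expand_uri_payload(payload):
    """Turn a URI record payload (prefix code + rest) into the full URI."""
    if not payload:
        raise ValueError("empty URI payload")
    if payload[0] not in URI_PREFIX:
        raise ValueError("prefix code 0x%02x not handled in this example" % payload[0])
    return URI_PREFIX[payload[0]] + payload[1:].decode("utf-8")

def dispatch_policy(uri):
    """Return 'confirm' (ask the user first) or 'block'; never auto-open."""
    scheme, sep, rest = uri.strip().partition(":")
    scheme = scheme.lower()
    if not sep:
        return "block"
    if scheme == "tel":
        number = unquote(rest)            # %23 and %2A hide '#' and '*'
        if "*" in number or "#" in number:
            return "block"                # USSD/MMI code, not a plain number
        return "confirm"
    if scheme in ("http", "https", "mailto"):
        return "confirm"
    return "block"                        # unknown scheme: no handler is started

if __name__ == "__main__":
    # Constructed payloads: plain number, USSD-style code, web link
    for p in (b"\x05+15555550100", b"\x05*123%23", b"\x03example.com/"):
        uri = expand_uri_payload(p)
        print(uri, "->", dispatch_policy(uri))
```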


Page 27: Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder

ANDROID FRAMEWORK FOR EXPLOITATION (AFE)
