Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder
Transcript of Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder
STAND CLOSE TO ME AND YOU ARE PWNED!
SUBHO HALDER | ADITYA GUPTA
@sunnyrockzzs @adi1391
Sunday, 2 December 12
WHO ARE WE !
INFORMATION SECURITY RESEARCHERS
MOBILE EXPLOITERS
CREATORS OF AFE (ANDROID FRAMEWORK FOR EXPLOITATION)
PYTHON LOVERS
CO-FOUNDERS OF XYSEC
FOUND BUGS IN SOME FAMOUS WEBSITES INCLUDING GOOGLE, APPLE, MICROSOFT, SKYPE, ADOBE AND MANY MORE
SOME COMPANIES WE’VE FOUND VULNS IN..
AND MORE...
AGENDA !
INTRODUCTION TO NFC
NFC STACK
NFC PROTOCOL LAYERS
NFC APPLICATION LAYERS
ANDROID NFC STACK
NFC ATTACKS
LEVERAGING NFC ATTACKS
INTRODUCTION TO NFC
SET OF COMMUNICATION PROTOCOLS BASED ON RFID STANDARDS INCLUDING ISO 14443
13.56 MHZ OPERATING FREQUENCY +/- 7 KHZ
OPERATING RANGE LESS THAN 4 CM
COMMUNICATION MODES
PASSIVE ( RFID CARDS )
INITIATOR PROVIDES POWER
TARGET REFLECTS BACK THE SIGNAL
ACTIVE ( P2P )
BOTH INITIATOR AND TARGET SIMULATE
NFC STACK
NFC PROTOCOL LAYER
PROTOCOL LAYER CONSISTS OF A PHYSICAL LAYER AND AN RF LAYER
THESE LAYERS ARE FOCUSED ON THE PHYSICAL ASPECT OF STARTING COMMUNICATION
TYPE 1 (TOPAZ)
Type 1 tags use a format sometimes called the Topaz protocol. It uses a simple memory model which is either static for tags with memory size less than 120 bytes or dynamic for tags with larger memory. Bytes are read from and written to the tag using commands such as RALL, READ, WRITE-E, WRITE-NE, RSEG, READ8, WRITE-E8 and WRITE-N8.
MIFARE CLASSIC
MIFARE Classic tags are storage devices with simple security mechanisms for access control. They use an NXP proprietary security protocol for authentication and ciphering. This encryption was reverse engineered and broken in 2007.
MIFARE-ULTRALIGHT
These tags are similar to Topaz tags. They have a static memory layout when they have less than 64 bytes available and a dynamic layout otherwise. The first 16 bytes of memory contain metadata like a serial number, access rights, and a capability container. The rest is for the actual data. Data is accessed using READ and WRITE commands.
LLCP (P2P)
The previous protocol layers have all had initiators and targets, and the protocols are designed around the initiator being able to read from and write to the target. Logical Link Control Protocol (LLCP) is different because it establishes communication between two peer devices.
NFC APPLICATION LAYER
NDEF OR NFC DATA EXCHANGE FORMAT
SIMPLE BINARY MESSAGE FORMAT !
SAMPLE NDEF FORMAT FOR TEXT
03 17 d1 01 13 54 02 65 6e 68 65 6c 6c 6f 20 63 6c 75 62 68 61 63 6B 20 21 fe
03 : NDEF Message Start (TLV type)
17 : NDEF Message Length (23 bytes)
d1 : MB, ME, SR, TNF = "NFC Forum well-known type"
01 : Type Length
13 : Payload Length (19 bytes)
54 : Type "T"
02 : Status Byte - Length of IANA lang code
65 6e : Lang Code = "en"
68 ... 21 : "hello clubhack !" - text
fe : NDEF Terminator
ANDROID NFC STACK
(diagram) Kernel; NFC Services (com.android.nfc); Tags: MiFare, Topaz, etc.; libraries: libpn544_fw.so, libnfc.so, libnfc_jni.so, libnfc_ndef.so
ATM CARD SKIMMER !
HOW TO RECOGNIZE NFC ENABLED CREDIT CARD?
AID SELECTION
SOME WELL KNOWN AIDS:
VISA DEBIT/CREDIT CARD: A0 00 00 00 03 10 10
MASTERCARD CREDIT: A0 00 00 00 04 10 10
AMERICAN EXPRESS: A0 00 00 00 25 00 00
EMV DECODING !
DATA ENCODING IS DONE THROUGH BER TLV
ONLINE DECODER AVAILABLE !
HTTP://EMVLAB.ORG/TLVUTILS/
HOW TO PROTECT ?
ORGANIZATIONS SHOULD IMPLEMENT PCI DSS COMPLIANCE
NFC PAYMENTS ARE NOT YET COMPLIANT
USE A BETTER WALLET
http://www.thinkgeek.com/product/8cdd/
NFC RELAY ATTACK !
NFC POSTER SKIMMING !
LEVERAGING NFC FOR ANDROID BASED VULNERABILITY
COM.ANDROID.NFC
FOR WELL KNOWN TYPE TAGS, APPLICATIONS ARE CALLED AUTOMATICALLY
WWW BASED DATA FIRES THE BROWSER
MAILTO: PROTOCOL FIRES UP THE MAIL CLIENT
UNEXPECTED VALUES IN NDEF CRASH NFCSERVICE.JAVA
NFC AWARE MALWARE
LEVERAGING THE NFC PROTOCOL, A NEW BREED OF ANDROID MALWARE ARISES
PROXYING ANY REQUEST THROUGH THE MALWARE WITHOUT INTERACTION !
(diagram) NFC TAG -> Any URL -> Instead of opening the Browser, opens up an application ! (no interaction needed)
LEVERAGING USSD BASED ATTACK USING NFC
(diagram) NFC TAG -> Malicious URL -> Opens the malicious link at http://xysec.com/ussd.html -> Fires up the browser and dials the number in the user's phone, without any interaction! (no interaction needed)
ANDROID FRAMEWORK FOR EXPLOITATION (AFE)
THANK YOU !