NFC Hacking: The Easy Way



Similar documents
NFC Hacking: The Easy Way

How To Secure A Paypass Card From Being Hacked By A Hacker

THE APPEAL FOR CONTACTLESS PAYMENT 3 AVAILABLE CONTACTLESS TECHNOLOGIES 3 USING ISO BASED TECHNOLOGY FOR PAYMENT 4

NACCU Migrating to Contactless:

Mobile MasterCard PayPass Testing and Approval Guide. December Version 2.0

Relay Attacks in EMV Contactless Cards with Android OTS Devices

The EMV Readiness. Collis America. Guy Berg President, Collis America

Software Card Emulation in NFC-enabled Mobile Phones: Great Advantage or Security Nightmare?

Contactless Payments with Mobile Wallets. Overview and Technology

Hacking the NFC credit cards for fun and debit ;) Renaud Lifchitz BT Hackito Ergo Sum 2012 April 12,13,14 Paris, France

Credit Card Fraud The Contactless Generation Kristin Paget

Overview of Contactless Payment Cards. Peter Fillmore. July 20, 2015

Mobile NFC 101. Presenter: Nick von Dadelszen Date: 31st August 2012 Company: Lateral Security (IT) Services Limited

Index. 1-FLYPOS hardware/firmware Technology Overview 2-FLYPOS software architecture 3-Gateway/Acquirer Interface 4-Letters of Approval

Bringing Mobile Payments to Market for an International Retailer

Understand the Business Impact of EMV Chip Cards

How Secure are Contactless Payment Systems?

Using RFID Techniques for a Universal Identification Device

Android pay. Frequently asked questions

EMV and Small Merchants:

NFC Application Mobile Payments

Mobile Near-Field Communications (NFC) Payments

A Guide to Contactless Cards

EMV and Restaurants: What you need to know. Mike English. October Executive Director, Product Development Heartland Payment Systems

Mobile Electronic Payments

BGS MOBILE PLATFORM HCE AND CLOUD BASED PAYMENTS

permitting close proximity communication between devices in this case a phone and a terminal.

What is a Smart Card?

Credit Card Processing Overview

Software Card Emulation in NFC-enabled Mobile Phones: Great Advantage or Security Nightmare?

How to connect your D210 using Bluetooth. How to connect your D210 using GPRS (SIM Card)

Emerging Trends in the Payment Ecosystem: The Good, the Bad and the Ugly DAN KRAMER

How To Hack An Rdi Credit Card

Technical Article. NFiC: a new, economical way to make a device NFC-compliant. Prashant Dekate

Crash and Pay: Owning and Cloning Payment Devices

What Merchants Need to Know About EMV

CardControl. Credit Card Processing 101. Overview. Contents

The Impact of Emerging Payment Technologies on Retail and Hospitality Businesses. National Computer Corporation

An NFC Ticketing System with a new approach of an Inverse Reader Mode

How to connect your D200 using Bluetooth. How to connect your D200 using GPRS (SIM Card)

SETUP GUIDE. Thank you for your purchase of Hamilton products! In this handy guide, you will discover: ADDITIONAL REQUIREMENTS SETUP HOW IT WORKS

PCI and EMV Compliance Checkup

Better Security Through Mobile The One-Two Punch Industry Best Practices

NFC. Technical Overview. Release r05

Mobile Payment: The next step of secure payment VDI / VDE-Colloquium. Hans-Jörg Frey Senior Product Manager May 16th, 2013

Changing Consumer Purchasing Patterns. John Mayleben, CPP SVP, Technology and Product Development Michigan Retailers Association

Inside the Mobile Wallet: What It Means for Merchants and Card Issuers

Your Mobile Phone as a Ticket (NFC)

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means

welcome to liber8:payment

Grow with our omni-channel payment processing technologies and merchant services.

toast EMV in 2015: How Restaurants Can Prepare for the New Chip-and-Pin Standard

Apple Pay. Frequently Asked Questions UK Launch

NFC Test Challenges for Mobile Device Developers Presented by: Miguel Angel Guijarro

RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards

RFID Hacking. Live Free or RFID Hard. 01 Aug 2013 Black Hat USA 2013 Las Vegas, NV. Presented by: Francis Brown Bishop Fox

Mobile Contactless Payments and Data Privacy

CANADA VS THE USA - THE CONTRAST AND LESSONS FOR MOBILE PAYMENTS

Training MIFARE SDK. Public. MobileKnowledge June 2015

Significance of Tokenization in Promoting Cloud Based Secure Elements

American Express Contactless Payments

a leap ahead in analog

DEVELOPING NFC APPS for BLACKBERRY

Frequently asked questions - Visa paywave

Chytré karty opět o rok dál...

Training. NFC in Android. Public. MobileKnowledge October 2015

The mobile phone as a contactless ticket

Loyalty Systems over Near Field Communication (NFC)

Cloning Credit Cards: A combined pre-play and downgrade attack on EMV Contactless

Beginner s Guide to Point of Sale

Abracon PTM Introduction to ANFCA Series Flexible Peel & Stick NFC Antennas

CONTACTLESS INTEROPERABILITY IN TRANSIT

Banking. Extending Value to Customers. KONA Banking product matrix. is leading the next generation of payment solutions.

An NFC Ticketing System with a new approach of an Inverse Reader Mode

Card Technology Choices for U.S. Issuers An EMV White Paper

Apple Pay. Frequently Asked Questions UK

What standards ISO/CEI ISO/CEI EPC class 1 gen 2. RFID standards. ISO14443,ISO15693 and EPCGlobal. Mate SoosINRIA.

Exercise 1: Set up the Environment

Latest and Future development of Mobile Payment in Hong Kong

Mobile Payment using HCE and mpoint payment gateway based on NFC enabled phones. AUTHOR : GRZEGORZ MILCARZ S111040

Information about this New Guide

Information Security Group (ISG) Core Research Areas. The ISG Smart Card Centre. From Smart Cards to NFC Smart Phone Security

CONTACTLESS PAYMENTS. Joeri de Ruiter. University of Birmingham. (some slides borrowed from Tom Chothia)

EMV : Frequently Asked Questions for Merchants

EMV Frequently Asked Questions for Merchants May, 2014

Mobile and Contactless Payment Security

PCI 3.1 Changes. Jon Bonham, CISA Coalfire System, Inc.

How To Make Money From Mobile Payment On Wirecard

THE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP

PN532 NFC RFID Module User Guide

Workshop: NEAR FIELD COMMUNICATION TECHNOLOGY

Best practices for choosing and integrating a mobile payments platform. A GlobalOnePay White Paper

Transcription:

DEFCON 20 NFC Hacking: The Easy Way Eddie Lee eddie{at}blackwinghq.com

About Me! Security Researcher for Blackwing Intelligence (formerly Praetorian Global)! We re always looking for cool security projects! Member of Digital Revelation! 2-time CTF Champs Defcon 9 & 10! Not an NFC or RFID expert!

Introduction // RFID Primer! Radio Frequency Identification - RFID! Broad range of frequencies: low khz to super high GHz! Near Field Communication - NFC! 13.56 MHz! Payment cards! Library systems! e-passports! Smart cards! Standard range: ~3-10 cm! RFID Tag! Transceiver! Antenna! Chip (processor) or memory

Introduction // RFID Primer! RFID (tag) in credit cards! Visa PayWave! MasterCard PayPass! American Express ExpressPay! Discover Zip! Proximity Coupling Devices (PCD) / Point of Sale (POS) terminal / Reader! EMV (Europay, Mastercard, and VISA) standard for communication between chipped credit cards and POS terminals! Four books long! Based on ISO 14443 and ISO 7816! Communicate with Application Protocol Data Units (APDUs)

Introduction // Motivation! Why create NFCProxy?! I m lazy! Don t like to read specs! Didn t want to learn protocol (from reading specs)! Future releases should work with other standards (diff protocols)! Make it easier to analyze protocols! Make it easier for other people to get involved! Contribute to reasons why this standard should be fixed

Previous work! Adam Laurie (Major Malfunction)! RFIDIOt! http://rfidiot.org! Pablos Holman! Skimming RFID credit cards with ebay reader! http://www.youtube.com/watch?v=vmajlkjlt3u! 3ric Johanson! Pwnpass! http://www.rfidunplugged.com/pwnpass/! Kristen Paget! Cloning RFID credit cards to mag strip! http://www.shmoocon.org/2012/presentations/paget_shmoocon2012-creditcards.pdf! Tag reading apps

Typical Hardware! Contactless Credit card reader (e.g. VivoPay, Verifone)! ~$150 (retail)! ~$10 - $30 (ebay)! Card reader! OmniKey (~$50-90 ebay), ACG, etc.! Proxmark ($230-$400)! Mag stripe encoder ($200-$300)

Tool Overview! What is NFCProxy?! An open source Android app! A tool that makes it easier to start messing with NFC/RFID! Protocol analyzer! Hardware required! Two NFC capable Android phones for full feature set! Nexus S (~$60 - $90 ebay)! LG Optimus Elite (~$130 new. Contract free)! No custom ROMs yet! Galaxy Nexus, Galaxy S3, etc. (http://www.nfcworld.com/nfc-phones-list/)! Software required! One phone! Android 2.3+ (Gingerbread)! Tested 2.3.7 and ICS! At least one phone needs:! Cyanogen 9 nightly build from: Jan 20 - Feb 24 2012! Or Custom build of Cyanogen

Cyanogen Card Emulation! android_frameworks_base (Java API)! https://github.com/cyanogenmod/android_frameworks_base/commit/ c80c15bed5b5edffb61eb543e31f0b90eddcdadf! android_external_libnfc-nxp (native library)! https://github.com/cyanogenmod/android_external_libnfc-nxp/ commit/34f13082c2e78d1770e98b4ed61f446beeb03d88! android_packages_apps_nfc (Nfc.apk NFC Service)! https://github.com/cyanogenmod/android_packages_apps_nfc/ commit/d41edfd794d4d0fedd91d561114308f0d5f83878! NFC Reader code disabled because it interferes with Google Wallet! https://github.com/cyanogenmod/android_packages_apps_nfc/ commit/75ad85b06935cfe2cc556ea1fe5ccb9b54467695

NFC Hardware Architecture Host Secure Element NFC Chip Antenna

Tool Features! Proxy transactions! Save transactions! Export transactions! Tag replay (on Cyanogen side)! PCD replay! Don t need to know the correct APDUs for a real transactions! Use the tool to learn about the protocol (APDUs)

Standard Transaction APDU RFID APDU

How It Works // Proxy Mode NFC WiFi APDU NFC APDU

Proxy Mode! How It Works // Terminology WiFi Relay Mode! NFC NFC

How It Works // Modes! Relay Mode! Opens port and waits for connection from proxy! Place Relay on card/tag! Proxy Mode! Swipe across reader! Forwards APDUs from reader to card! Transactions displayed on screen! Long Clicking allows you to Save, Export, Replay, or Delete

How It works // Replay Mode! Replay Reader (Skimming mode*)! Put phone near credit card! Nothing special going on here! Know the right APDUs! Replay Card (Spending mode)! Swipe phone across reader! Phone needs to be able to detect reader Card Emulation mode! Requires CyanogenMod tweaks! Virtual wallet

Antennas! A word about android NFC antennas! Galaxy Nexus: CRAP!! Nexus S: Good! Optimus Elite: Good! NFC communication is often incomplete! Need to reengage/re-swipe the phone with a card/reader! Check the Status tab in NFCProxy

APDU-Speak! EMV Book 3! http://www.emvco.com/download_agreement.aspx?id=654! See RFIDIOt (ChAP.py) and pwnpass for APDUs used for skimming! Proxy not needed for skimming and spending! Just for protocol analysis

Sample Output

Demo!! Let s see it in action!

Future Work! What s next?! Generic framework that works with multiple technologies! Requires better reader detection! Pluggable modules! MITM! Protocol Fuzzing

! Now available for download and contribution! Source Code! http://sourceforge.net/projects/nfcproxy/

! Questions? Q & A! Contact: eddie{at}blackwinghq.com