Near Field Communication Security

Thomas Patzke

22.04.2015

Who am I. . .

I Thomas Patzke (formerly Skora)

I Started with security related topics somewhere in the 90s

I University degree in 2006, RWTH Aachen, thesis about VoIPsecurity

I Security Consulting since 2006

I Primary security analysis/penetration testing

I (Web) Application Security

I Security analysis of”unusual“ stuff: POS, cash machines,

head units, security protocols

I Security Research in various areas

I Writing Security Tools

I Cryptography

Who am I. . .

I Thomas Patzke (formerly Skora)

I Started with security related topics somewhere in the 90s

I University degree in 2006, RWTH Aachen, thesis about VoIPsecurity

I Security Consulting since 2006

I Primary security analysis/penetration testing

I (Web) Application Security

I Security analysis of”unusual“ stuff: POS, cash machines,

head units, security protocols

I Security Research in various areas

I Writing Security Tools

I Cryptography

Who am I. . .

I Thomas Patzke (formerly Skora)

I Started with security related topics somewhere in the 90s

I University degree in 2006, RWTH Aachen, thesis about VoIPsecurity

I Security Consulting since 2006

I Primary security analysis/penetration testing

I (Web) Application Security

I Security analysis of”unusual“ stuff: POS, cash machines,

head units, security protocols

I Security Research in various areas

I Writing Security Tools

I Cryptography

What is this talk about?

I A introduction to NFC

I Security of the girogo system

I Security of Credit Cards

I How doors get open with replay attacks

I Securing NFC applications

I The NFC hackers toolbox

What is this talk about?

I A introduction to NFC

I Security of the girogo system

I Security of Credit Cards

I How doors get open with replay attacks

I Securing NFC applications

I The NFC hackers toolbox

What is this talk about?

I A introduction to NFC

I Security of the girogo system

I Security of Credit Cards

I How doors get open with replay attacks

I Securing NFC applications

I The NFC hackers toolbox

NFC=?

NFC=?

NFC=. . .

I Near Field Communication

I Few cm communication distance

I Power supply by reader

I 13,56 MHz, 424kBit/sI ISO standards

I 14443: Physical layer, frequency, transmitting power,initialisation, anti-collision, bit transfer

I 15693: Increased communication distance up to 1,5mI 18092, 21481: NFCIP - NFC Interface and Protocol

NFC=. . .

I Near Field Communication

I Few cm communication distance

I Power supply by reader

I 13,56 MHz, 424kBit/sI ISO standards

I 14443: Physical layer, frequency, transmitting power,initialisation, anti-collision, bit transfer

I 15693: Increased communication distance up to 1,5mI 18092, 21481: NFCIP - NFC Interface and Protocol

NFC=. . .

I Near Field Communication

I Few cm communication distance

I Power supply by reader

I 13,56 MHz, 424kBit/s

I ISO standards

I 14443: Physical layer, frequency, transmitting power,initialisation, anti-collision, bit transfer

I 15693: Increased communication distance up to 1,5mI 18092, 21481: NFCIP - NFC Interface and Protocol

NFC=. . .

I Near Field Communication

I Few cm communication distance

I Power supply by reader

I 13,56 MHz, 424kBit/sI ISO standards

I 14443: Physical layer, frequency, transmitting power,initialisation, anti-collision, bit transfer

I 15693: Increased communication distance up to 1,5mI 18092, 21481: NFCIP - NFC Interface and Protocol

Other systems

I 125 kHz Proximity Cards: Access Control

I Legic Prime: Proprietary in 13,56MHz, Access Control,Company Cards

I iClass, . . .

I NFC ⊂ RFID

Other systems

I 125 kHz Proximity Cards: Access Control

I Legic Prime: Proprietary in 13,56MHz, Access Control,Company Cards

I iClass, . . .

I NFC ⊂ RFID

Other systems

I 125 kHz Proximity Cards: Access Control

I Legic Prime: Proprietary in 13,56MHz, Access Control,Company Cards

I iClass, . . .

I NFC ⊂ RFID

Other systems

I 125 kHz Proximity Cards: Access Control

I Legic Prime: Proprietary in 13,56MHz, Access Control,Company Cards

I iClass, . . .

I NFC ⊂ RFID

Other systems

I 125 kHz Proximity Cards: Access Control

I Legic Prime: Proprietary in 13,56MHz, Access Control,Company Cards

I iClass, . . .

I NFC ⊂ RFID

Use Cases

I Access Control

I Payment

I Tickets in Public Transportation

I Determination of Position

I Verification of Ownership

I “Smart Posters”

I Business Cards

I Personalized Key

I Generally: Storage

Power Supply & Communication Basics

I Power supply via induction field

I Two transmission modes: passive and activeI Passive

I ConnectionlessI Roles: Initiator (Reader) and Target (Tag/Card)I Request/Response communication

I Active

I Connection-orientedI Equal communication partnersI Unusual

Power Supply & Communication Basics

I Power supply via induction field

I Two transmission modes: passive and active

I Passive

I ConnectionlessI Roles: Initiator (Reader) and Target (Tag/Card)I Request/Response communication

I Active

I Connection-orientedI Equal communication partnersI Unusual

Power Supply & Communication Basics

I Power supply via induction field

I Two transmission modes: passive and activeI Passive

I ConnectionlessI Roles: Initiator (Reader) and Target (Tag/Card)I Request/Response communication

I ActiveI Connection-orientedI Equal communication partnersI Unusual

Power Supply & Communication Basics

I Power supply via induction field

I Two transmission modes: passive and activeI Passive

I ConnectionlessI Roles: Initiator (Reader) and Target (Tag/Card)I Request/Response communication

I ActiveI Connection-orientedI Equal communication partnersI Unusual

Low Level Communication

I ISO 14443-3: Initialization and AnticollisionI 8 Bit + 1 Parity BitI Basic Protocol: Command + Parameter + Data + CRC

I ISO 14443-4: Transmission Protocol

I Length + Format + Interface Bytes + Historical Bytes + Data+ CRC

I Interface Bytes: communication options (optional)I Historical Bytes: misc. infos (optional, ISO 7816-4)

Low Level Communication

I ISO 14443-3: Initialization and AnticollisionI 8 Bit + 1 Parity BitI Basic Protocol: Command + Parameter + Data + CRC

I ISO 14443-4: Transmission ProtocolI Length + Format + Interface Bytes + Historical Bytes + Data

+ CRCI Interface Bytes: communication options (optional)I Historical Bytes: misc. infos (optional, ISO 7816-4)

Anti Collision Protocol

I Usual Question: what happens if multiple cards are in therange of a reader?

I Solution: Anticollision Protocol

I Initiator chooses target by unique target identifiers (UIDs)

I Some kind of binary search: targets send UID prefixes,initiator chooses

I Negotiation of higher level protocols

Anti Collision Protocol

I Usual Question: what happens if multiple cards are in therange of a reader?

I Solution: Anticollision Protocol

I Initiator chooses target by unique target identifiers (UIDs)

I Some kind of binary search: targets send UID prefixes,initiator chooses

I Negotiation of higher level protocols

Anti Collision Protocol

I Usual Question: what happens if multiple cards are in therange of a reader?

I Solution: Anticollision Protocol

I Initiator chooses target by unique target identifiers (UIDs)

I Some kind of binary search: targets send UID prefixes,initiator chooses

I Negotiation of higher level protocols

Anti Collision Protocol

I Usual Question: what happens if multiple cards are in therange of a reader?

I Solution: Anticollision Protocol

I Initiator chooses target by unique target identifiers (UIDs)

I Some kind of binary search: targets send UID prefixes,initiator chooses

I Negotiation of higher level protocols

Anti Collision Protocol

CC BY-NC-SA 2.0 libnfc.org

Anti Collision Protocol

Any security here?

Anti Collision Protocol

Anti Collision Protocol

Anti Collision Protocol

Nope!

I No transport encryption

I Overwritten data visible

Anticollision Protocol Example

1. R: 26 ⇒ Welcome (REQA)

2. T: 44 03 ⇒ Respond (ATQA)

3. R: 93 20 ⇒ Select cascade 1 (SEL)

4. T: 88 04 34 74 cc ⇒ CT, UID(byte 1,2,3), BCC

5. R: 93 70 88 04 34 74 cc 0e 05 ⇒ Select available tag (SEL)

6. T: 24 d8 36 ⇒ Select Acknowledge (SAK)

7. R: 95 20 ⇒ Select cascade 2 (SEL)

8. T: e1 e3 1c 80 9e ⇒ UID(byte 4,5,6,7), BCC

9. R: 95 70 e1 e3 1c 80 9e b9 e1 ⇒ Finish select (SEL)

10. T: 20 fc 70 ⇒ SAK without cascade bit set

11. R: e0 50 bc a5 ⇒ Request Answer to Select (RATS)

12. T: 06 75 77 81 02 80 ⇒ ATS (DESFire EV1)

13. R: 50 00 57 cd ⇒ Disable (HALT)

CC BY-NC-SA 2.0 libnfc.org

Anticollision Protocol Example

1. R: 26 ⇒ Welcome (REQA)

2. T: 44 03 ⇒ Respond (ATQA)

3. R: 93 20 ⇒ Select cascade 1 (SEL)

4. T: 88 04 34 74 cc ⇒ CT, UID(byte 1,2,3), BCC

5. R: 93 70 88 04 34 74 cc 0e 05 ⇒ Select available tag (SEL)

6. T: 24 d8 36 ⇒ Select Acknowledge (SAK)

7. R: 95 20 ⇒ Select cascade 2 (SEL)

8. T: e1 e3 1c 80 9e ⇒ UID(byte 4,5,6,7), BCC

9. R: 95 70 e1 e3 1c 80 9e b9 e1 ⇒ Finish select (SEL)

10. T: 20 fc 70 ⇒ SAK without cascade bit set

11. R: e0 50 bc a5 ⇒ Request Answer to Select (RATS)

12. T: 06 75 77 81 02 80 ⇒ ATS (DESFire EV1)

13. R: 50 00 57 cd ⇒ Disable (HALT)

CC BY-NC-SA 2.0 libnfc.org

Anticollision Protocol Example

1. R: 26 ⇒ Welcome (REQA)

2. T: 44 03 ⇒ Respond (ATQA)

3. R: 93 20 ⇒ Select cascade 1 (SEL)

4. T: 88 04 34 74 cc ⇒ CT, UID(byte 1,2,3), BCC

5. R: 93 70 88 04 34 74 cc 0e 05 ⇒ Select available tag (SEL)

6. T: 24 d8 36 ⇒ Select Acknowledge (SAK)

7. R: 95 20 ⇒ Select cascade 2 (SEL)

8. T: e1 e3 1c 80 9e ⇒ UID(byte 4,5,6,7), BCC

9. R: 95 70 e1 e3 1c 80 9e b9 e1 ⇒ Finish select (SEL)

10. T: 20 fc 70 ⇒ SAK without cascade bit set

11. R: e0 50 bc a5 ⇒ Request Answer to Select (RATS)

12. T: 06 75 77 81 02 80 ⇒ ATS (DESFire EV1)

13. R: 50 00 57 cd ⇒ Disable (HALT)

CC BY-NC-SA 2.0 libnfc.org

Anticollision Protocol Example

1. R: 26 ⇒ Welcome (REQA)

2. T: 44 03 ⇒ Respond (ATQA)

3. R: 93 20 ⇒ Select cascade 1 (SEL)

4. T: 88 04 34 74 cc ⇒ CT, UID(byte 1,2,3), BCC

5. R: 93 70 88 04 34 74 cc 0e 05 ⇒ Select available tag (SEL)

6. T: 24 d8 36 ⇒ Select Acknowledge (SAK)

7. R: 95 20 ⇒ Select cascade 2 (SEL)

8. T: e1 e3 1c 80 9e ⇒ UID(byte 4,5,6,7), BCC

9. R: 95 70 e1 e3 1c 80 9e b9 e1 ⇒ Finish select (SEL)

10. T: 20 fc 70 ⇒ SAK without cascade bit set

11. R: e0 50 bc a5 ⇒ Request Answer to Select (RATS)

12. T: 06 75 77 81 02 80 ⇒ ATS (DESFire EV1)

13. R: 50 00 57 cd ⇒ Disable (HALT)

CC BY-NC-SA 2.0 libnfc.org

Anticollision Protocol Example

1. R: 26 ⇒ Welcome (REQA)

2. T: 44 03 ⇒ Respond (ATQA)

3. R: 93 20 ⇒ Select cascade 1 (SEL)

4. T: 88 04 34 74 cc ⇒ CT, UID(byte 1,2,3), BCC

5. R: 93 70 88 04 34 74 cc 0e 05 ⇒ Select available tag (SEL)

6. T: 24 d8 36 ⇒ Select Acknowledge (SAK)

7. R: 95 20 ⇒ Select cascade 2 (SEL)

8. T: e1 e3 1c 80 9e ⇒ UID(byte 4,5,6,7), BCC

9. R: 95 70 e1 e3 1c 80 9e b9 e1 ⇒ Finish select (SEL)

10. T: 20 fc 70 ⇒ SAK without cascade bit set

11. R: e0 50 bc a5 ⇒ Request Answer to Select (RATS)

12. T: 06 75 77 81 02 80 ⇒ ATS (DESFire EV1)

13. R: 50 00 57 cd ⇒ Disable (HALT)

CC BY-NC-SA 2.0 libnfc.org

Anticollision Protocol Example

1. R: 26 ⇒ Welcome (REQA)

2. T: 44 03 ⇒ Respond (ATQA)

3. R: 93 20 ⇒ Select cascade 1 (SEL)

4. T: 88 04 34 74 cc ⇒ CT, UID(byte 1,2,3), BCC

5. R: 93 70 88 04 34 74 cc 0e 05 ⇒ Select available tag (SEL)

6. T: 24 d8 36 ⇒ Select Acknowledge (SAK)

7. R: 95 20 ⇒ Select cascade 2 (SEL)

8. T: e1 e3 1c 80 9e ⇒ UID(byte 4,5,6,7), BCC

9. R: 95 70 e1 e3 1c 80 9e b9 e1 ⇒ Finish select (SEL)

10. T: 20 fc 70 ⇒ SAK without cascade bit set

11. R: e0 50 bc a5 ⇒ Request Answer to Select (RATS)

12. T: 06 75 77 81 02 80 ⇒ ATS (DESFire EV1)

13. R: 50 00 57 cd ⇒ Disable (HALT)

CC BY-NC-SA 2.0 libnfc.org

Lets talk about security!

I NFC itself was made to be contactless, not secure.

I There is no security at lower protocol layers!

I Security is implemented at the application layer

I . . . if it is implemented.

Lets talk about security!

I NFC itself was made to be contactless, not secure.

I There is no security at lower protocol layers!

I Security is implemented at the application layer

I . . . if it is implemented.

Lets talk about security!

I NFC itself was made to be contactless, not secure.

I There is no security at lower protocol layers!

I Security is implemented at the application layer

I . . . if it is implemented.

Lets talk about security!

I NFC itself was made to be contactless, not secure.

I There is no security at lower protocol layers!

I Security is implemented at the application layer

I . . . if it is implemented.

NFC in EC Cards

I Since end of 2011, Sparkassen in Germany started to issuecards with a contactless payment system.

I Somewhere in 2012 it was rebranded to girogo

I Basically it is the GeldKarte system with a radio interface.I There’s an app for reading these cards (S-Reader)

I Loaded amount of moneyI Validity of cardI Charging and Payments

I Is this all data?

NFC in EC Cards

I Since end of 2011, Sparkassen in Germany started to issuecards with a contactless payment system.

I Somewhere in 2012 it was rebranded to girogo

I Basically it is the GeldKarte system with a radio interface.I There’s an app for reading these cards (S-Reader)

I Loaded amount of moneyI Validity of cardI Charging and Payments

I Is this all data?

NFC in EC Cards

I Since end of 2011, Sparkassen in Germany started to issuecards with a contactless payment system.

I Somewhere in 2012 it was rebranded to girogo

I Basically it is the GeldKarte system with a radio interface.I There’s an app for reading these cards (S-Reader)

I Loaded amount of moneyI Validity of cardI Charging and Payments

I Is this all data?

NFC in EC Cards

I Since end of 2011, Sparkassen in Germany started to issuecards with a contactless payment system.

I Somewhere in 2012 it was rebranded to girogo

I Basically it is the GeldKarte system with a radio interface.I There’s an app for reading these cards (S-Reader)

I Loaded amount of moneyI Validity of cardI Charging and Payments

I Is this all data?

Reverse Engineering of girogo1. Is there existing information?

Yes:I a leaked spec from 1997:

http://koeln.ccc.de/archiv/doku/geldkarte.pdfI EMV specs, publicly available:

https://www.emvco.com/specifications.aspx

2. Decompilation of the appI dex2jarI jd-gui

3. Built a fuzzer that tries to access further records

4. Built an app that extracts the data

I It reads everything that the official app reads

andadditionally. . .

I The date of activation (boring)I bank code number (hmmm)I an unique card identifier (privacy)I the card number (privacy)I an account number, but not the customers (what???)I for each transaction: the identifier of the counterpart (privacy!)

Reverse Engineering of girogo1. Is there existing information? Yes:

I a leaked spec from 1997:http://koeln.ccc.de/archiv/doku/geldkarte.pdf

I EMV specs, publicly available:https://www.emvco.com/specifications.aspx

2. Decompilation of the appI dex2jarI jd-gui

3. Built a fuzzer that tries to access further records

4. Built an app that extracts the data

I It reads everything that the official app reads

andadditionally. . .

I The date of activation (boring)I bank code number (hmmm)I an unique card identifier (privacy)I the card number (privacy)I an account number, but not the customers (what???)I for each transaction: the identifier of the counterpart (privacy!)

Reverse Engineering of girogo1. Is there existing information? Yes:

I a leaked spec from 1997:http://koeln.ccc.de/archiv/doku/geldkarte.pdf

I EMV specs, publicly available:https://www.emvco.com/specifications.aspx

2. Decompilation of the appI dex2jarI jd-gui

3. Built a fuzzer that tries to access further records

4. Built an app that extracts the data

I It reads everything that the official app reads

andadditionally. . .

I The date of activation (boring)I bank code number (hmmm)I an unique card identifier (privacy)I the card number (privacy)I an account number, but not the customers (what???)I for each transaction: the identifier of the counterpart (privacy!)

Reverse Engineering of girogo

Reverse Engineering of girogo1. Is there existing information? Yes:

I a leaked spec from 1997:http://koeln.ccc.de/archiv/doku/geldkarte.pdf

I EMV specs, publicly available:https://www.emvco.com/specifications.aspx

2. Decompilation of the appI dex2jarI jd-gui

3. Built a fuzzer that tries to access further records

4. Built an app that extracts the data

I It reads everything that the official app reads

andadditionally. . .

I The date of activation (boring)I bank code number (hmmm)I an unique card identifier (privacy)I the card number (privacy)I an account number, but not the customers (what???)I for each transaction: the identifier of the counterpart (privacy!)

Reverse Engineering of girogo

Reverse Engineering of girogo1. Is there existing information? Yes:

I a leaked spec from 1997:http://koeln.ccc.de/archiv/doku/geldkarte.pdf

I EMV specs, publicly available:https://www.emvco.com/specifications.aspx

2. Decompilation of the appI dex2jarI jd-gui

3. Built a fuzzer that tries to access further records

4. Built an app that extracts the dataI It reads everything that the official app reads and

additionally. . .

I The date of activation (boring)I bank code number (hmmm)I an unique card identifier (privacy)I the card number (privacy)I an account number, but not the customers (what???)I for each transaction: the identifier of the counterpart (privacy!)

Reverse Engineering of girogo1. Is there existing information? Yes:

I a leaked spec from 1997:http://koeln.ccc.de/archiv/doku/geldkarte.pdf

I EMV specs, publicly available:https://www.emvco.com/specifications.aspx

2. Decompilation of the appI dex2jarI jd-gui

3. Built a fuzzer that tries to access further records

4. Built an app that extracts the dataI It reads everything that the official app reads and

additionally. . .I The date of activation (boring)I bank code number (hmmm)I an unique card identifier (privacy)I the card number (privacy)

I an account number, but not the customers (what???)I for each transaction: the identifier of the counterpart (privacy!)

Reverse Engineering of girogo1. Is there existing information? Yes:

I a leaked spec from 1997:http://koeln.ccc.de/archiv/doku/geldkarte.pdf

I EMV specs, publicly available:https://www.emvco.com/specifications.aspx

2. Decompilation of the appI dex2jarI jd-gui

3. Built a fuzzer that tries to access further records

4. Built an app that extracts the dataI It reads everything that the official app reads and

additionally. . .I The date of activation (boring)I bank code number (hmmm)I an unique card identifier (privacy)I the card number (privacy)I an account number, but not the customers (what???)I for each transaction: the identifier of the counterpart (privacy!)

Screenshots

Screenshots

Screenshots

Screenshots

Summary of the (short) girogo analysis

I Payment is secured cryptographically, at least nothing that isbreakable in few days.

I Kasse2Go (the payment app, very short analysis withoutretailer card)

I online verification of retailer card - no possibility was found toconvince the backend that I’m a retailer.

I communication with backend is authenticated and encrypted.

I No obvious possibilities to interfere the payment process fromthe network.

I Payment runs on a smartphone, software under control ofpotentially malicious merchants.

I Some privacy-relevant information is available via NFC.

I How widespread is this app?

Summary of the (short) girogo analysis

I Payment is secured cryptographically, at least nothing that isbreakable in few days.

I Kasse2Go (the payment app, very short analysis withoutretailer card)

I online verification of retailer card - no possibility was found toconvince the backend that I’m a retailer.

I communication with backend is authenticated and encrypted.

I No obvious possibilities to interfere the payment process fromthe network.

I Payment runs on a smartphone, software under control ofpotentially malicious merchants.

I Some privacy-relevant information is available via NFC.

I How widespread is this app?

Summary of the (short) girogo analysis

I Payment is secured cryptographically, at least nothing that isbreakable in few days.

I Kasse2Go (the payment app, very short analysis withoutretailer card)

I online verification of retailer card - no possibility was found toconvince the backend that I’m a retailer.

I communication with backend is authenticated and encrypted.

I No obvious possibilities to interfere the payment process fromthe network.

I Payment runs on a smartphone, software under control ofpotentially malicious merchants.

I Some privacy-relevant information is available via NFC.

I How widespread is this app?

Summary of the (short) girogo analysis

I Payment is secured cryptographically, at least nothing that isbreakable in few days.

I Kasse2Go (the payment app, very short analysis withoutretailer card)

I online verification of retailer card - no possibility was found toconvince the backend that I’m a retailer.

I communication with backend is authenticated and encrypted.

I No obvious possibilities to interfere the payment process fromthe network.

I Payment runs on a smartphone, software under control ofpotentially malicious merchants.

I Some privacy-relevant information is available via NFC.

I How widespread is this app?

Summary of the (short) girogo analysis

I Payment is secured cryptographically, at least nothing that isbreakable in few days.

I Kasse2Go (the payment app, very short analysis withoutretailer card)

I online verification of retailer card - no possibility was found toconvince the backend that I’m a retailer.

I communication with backend is authenticated and encrypted.

I No obvious possibilities to interfere the payment process fromthe network.

I Payment runs on a smartphone, software under control ofpotentially malicious merchants.

I Some privacy-relevant information is available via NFC.

I How widespread is this app?

Summary of the (short) girogo analysis

EMV

I Communication is defined in the EMV standardI APDU: CLA + INS + P1 + P2 + Ld + Data + LeI EMV further defines a structure somewhat similar to folders

(Application IDs) and files

I Activation of the GeldKarte/girogo AID: 00 A4 04 0C 09 D276 00 00 25 45 50 02 00

I 00 B2 01 xx 00 reads a data recordI C4: EF BETRAG (amount of loaded money)I CC: EF BOERSE (bank id, account number)

I 00 B2 xx EC 00: read transactions

I Data is clear-text (ASCII) or BCD encoded (25,00 EUR =0x25 0x00)

EMV

I Communication is defined in the EMV standardI APDU: CLA + INS + P1 + P2 + Ld + Data + LeI EMV further defines a structure somewhat similar to folders

(Application IDs) and files

I Activation of the GeldKarte/girogo AID: 00 A4 04 0C 09 D276 00 00 25 45 50 02 00

I 00 B2 01 xx 00 reads a data recordI C4: EF BETRAG (amount of loaded money)I CC: EF BOERSE (bank id, account number)

I 00 B2 xx EC 00: read transactions

I Data is clear-text (ASCII) or BCD encoded (25,00 EUR =0x25 0x00)

EMV

I Communication is defined in the EMV standardI APDU: CLA + INS + P1 + P2 + Ld + Data + LeI EMV further defines a structure somewhat similar to folders

(Application IDs) and files

I Activation of the GeldKarte/girogo AID: 00 A4 04 0C 09 D276 00 00 25 45 50 02 00

I 00 B2 01 xx 00 reads a data recordI C4: EF BETRAG (amount of loaded money)I CC: EF BOERSE (bank id, account number)

I 00 B2 xx EC 00: read transactions

I Data is clear-text (ASCII) or BCD encoded (25,00 EUR =0x25 0x00)

EMV

I Communication is defined in the EMV standardI APDU: CLA + INS + P1 + P2 + Ld + Data + LeI EMV further defines a structure somewhat similar to folders

(Application IDs) and files

I Activation of the GeldKarte/girogo AID: 00 A4 04 0C 09 D276 00 00 25 45 50 02 00

I 00 B2 01 xx 00 reads a data recordI C4: EF BETRAG (amount of loaded money)I CC: EF BOERSE (bank id, account number)

I 00 B2 xx EC 00: read transactions

I Data is clear-text (ASCII) or BCD encoded (25,00 EUR =0x25 0x00)

Lets look at credit cards

Lets look at credit cards

I Mastercard PayPass

I Visa PayWave

I Again looked with the NFC Fuzzer at it. . .

Lets look at credit cards

I Mastercard PayPass

I Visa PayWave

I Again looked with the NFC Fuzzer at it. . .

Lets look at credit cards

Lets look at credit cards

Lets look at credit cards

But there is the CVC!!1 The shops must verify it!!!

Lets look at credit cards

Really?

Implementation Details

I AIDs depend on card, they are printed on receipts andavailable from public sources, e.g.https://www.eftlab.com.au/index.php/site-map/

knowledge-base/211-emv-aid-rid-pix

I AIDs differ even between countries

I Examples for application selection sequences:I VISA: 00 A4 04 0C 07 A0 00 00 00 03 10 10 00I MasterCard: 00 A4 04 0C 07 A0 00 00 00 04 99 99 00

I The interesting file is requested with: 00 B2 01 0C 00

I ASCII encoding

I Implementation (girogo + MasterCard/VISA): https://github.com/thomaspatzke/android-nfc-paycardreader

Implementation Details

I AIDs depend on card, they are printed on receipts andavailable from public sources, e.g.https://www.eftlab.com.au/index.php/site-map/

knowledge-base/211-emv-aid-rid-pix

I AIDs differ even between countriesI Examples for application selection sequences:

I VISA: 00 A4 04 0C 07 A0 00 00 00 03 10 10 00I MasterCard: 00 A4 04 0C 07 A0 00 00 00 04 99 99 00

I The interesting file is requested with: 00 B2 01 0C 00

I ASCII encoding

I Implementation (girogo + MasterCard/VISA): https://github.com/thomaspatzke/android-nfc-paycardreader

Implementation Details

I AIDs depend on card, they are printed on receipts andavailable from public sources, e.g.https://www.eftlab.com.au/index.php/site-map/

knowledge-base/211-emv-aid-rid-pix

I AIDs differ even between countriesI Examples for application selection sequences:

I VISA: 00 A4 04 0C 07 A0 00 00 00 03 10 10 00I MasterCard: 00 A4 04 0C 07 A0 00 00 00 04 99 99 00

I The interesting file is requested with: 00 B2 01 0C 00

I ASCII encoding

I Implementation (girogo + MasterCard/VISA): https://github.com/thomaspatzke/android-nfc-paycardreader

Implementation Details

I AIDs depend on card, they are printed on receipts andavailable from public sources, e.g.https://www.eftlab.com.au/index.php/site-map/

knowledge-base/211-emv-aid-rid-pix

I AIDs differ even between countriesI Examples for application selection sequences:

I VISA: 00 A4 04 0C 07 A0 00 00 00 03 10 10 00I MasterCard: 00 A4 04 0C 07 A0 00 00 00 04 99 99 00

I The interesting file is requested with: 00 B2 01 0C 00

I ASCII encoding

I Implementation (girogo + MasterCard/VISA): https://github.com/thomaspatzke/android-nfc-paycardreader

Summary of Credit Card Vulnerabilities

I No authentication and authorization before access to sensibledata.

I No transport encryption - data can be sniffed over the air.

I The insecure magstripe mode shown here is implemented forcompatibility reasons. There is a secure EMV mode (akaChip&PIN)

Payment process:

1. Salesperson enters amount

2. Customer puts card on payment terminal

3. After a short time the payment is done

I Where is the authorization (PIN entry) gone?

I The card companies say: putting the card on the terminal is aconsent of the card owner!

I This is secure the say!

Summary of Credit Card Vulnerabilities

I No authentication and authorization before access to sensibledata.

I No transport encryption - data can be sniffed over the air.

I The insecure magstripe mode shown here is implemented forcompatibility reasons. There is a secure EMV mode (akaChip&PIN)

Payment process:

1. Salesperson enters amount

2. Customer puts card on payment terminal

3. After a short time the payment is done

I Where is the authorization (PIN entry) gone?

I The card companies say: putting the card on the terminal is aconsent of the card owner!

I This is secure the say!

Summary of Credit Card Vulnerabilities

I No authentication and authorization before access to sensibledata.

I No transport encryption - data can be sniffed over the air.

I The insecure magstripe mode shown here is implemented forcompatibility reasons. There is a secure EMV mode (akaChip&PIN)

Payment process:

1. Salesperson enters amount

2. Customer puts card on payment terminal

3. After a short time the payment is done

I Where is the authorization (PIN entry) gone?

I The card companies say: putting the card on the terminal is aconsent of the card owner!

I This is secure the say!

Summary of Credit Card Vulnerabilities

I No authentication and authorization before access to sensibledata.

I No transport encryption - data can be sniffed over the air.

I The insecure magstripe mode shown here is implemented forcompatibility reasons. There is a secure EMV mode (akaChip&PIN)

Payment process:

1. Salesperson enters amount

2. Customer puts card on payment terminal

3. After a short time the payment is done

I Where is the authorization (PIN entry) gone?

I The card companies say: putting the card on the terminal is aconsent of the card owner!

I This is secure the say!

Summary of Credit Card Vulnerabilities

I No authentication and authorization before access to sensibledata.

I No transport encryption - data can be sniffed over the air.

I The insecure magstripe mode shown here is implemented forcompatibility reasons. There is a secure EMV mode (akaChip&PIN)

Payment process:

1. Salesperson enters amount

2. Customer puts card on payment terminal

3. After a short time the payment is done

I Where is the authorization (PIN entry) gone?

I The card companies say: putting the card on the terminal is aconsent of the card owner!

I This is secure the say!

Summary of Credit Card Vulnerabilities

I No authentication and authorization before access to sensibledata.

I No transport encryption - data can be sniffed over the air.

I The insecure magstripe mode shown here is implemented forcompatibility reasons. There is a secure EMV mode (akaChip&PIN)

Payment process:

1. Salesperson enters amount

2. Customer puts card on payment terminal

3. After a short time the payment is done

I Where is the authorization (PIN entry) gone?

I The card companies say: putting the card on the terminal is aconsent of the card owner!

I This is secure the say!

Summary of Credit Card Vulnerabilities

I No authentication and authorization before access to sensibledata.

I No transport encryption - data can be sniffed over the air.

I The insecure magstripe mode shown here is implemented forcompatibility reasons. There is a secure EMV mode (akaChip&PIN)

Payment process:

1. Salesperson enters amount

2. Customer puts card on payment terminal

3. After a short time the payment is done

I Where is the authorization (PIN entry) gone?

I The card companies say: putting the card on the terminal is aconsent of the card owner!

I This is secure the say!

Summary of Credit Card Vulnerabilities

I No authentication and authorization before access to sensibledata.

I No transport encryption - data can be sniffed over the air.

I The insecure magstripe mode shown here is implemented forcompatibility reasons. There is a secure EMV mode (akaChip&PIN)

Payment process:

1. Salesperson enters amount

2. Customer puts card on payment terminal

3. After a short time the payment is done

I Where is the authorization (PIN entry) gone?

I The card companies say: putting the card on the terminal is aconsent of the card owner!

I This is secure the say!

Secure?

Is the card moved to the payment terminal?

. . . or is the terminal moved to the card?And then there are relaying attacks

Secure?

Is the card moved to the payment terminal?

. . . or is the terminal moved to the card?

And then there are relaying attacks

Secure?

Is the card moved to the payment terminal?

. . . or is the terminal moved to the card?And then there are relaying attacks

Access Control

I Access control systems are often based on dumb 125kHz tags

I Dumb? Yes, because of this:

Access Control

I Access control systems are often based on dumb 125kHz tags

I Dumb? Yes, because of this:

Access Control

I Access control systems are often based on dumb 125kHz tags

I Dumb? Yes, because of this:

Securing NFC SystemsI Personal protection

I Put your card in sleevesI Cut the antenna

I Building a product?

I Don’t use known insecure systemsI If you’re nailed on an insecure system: under certain

conditions, vulnerabilities can be mitigatedI Encrypt the communication, ensure integrityI Consider side channelsI Consider replay and relay attacksI Identify sensible data and require authentication/authorization

for access, write protectionI Don’t rely on availability: tags can be destroyed or replacedI Tags can be moved: don’t believe that someone scans the tag

where you placed it.I Transmissions can be sniffed up to 10m awayI Communication can possibly be initiated at bigger ranges,

than just some cm - consider at least 1,5mI Monitor the usage, e.g. one tag used at the same time in

different locations.

Securing NFC SystemsI Personal protection

I Put your card in sleevesI Cut the antenna

I Building a product?

I Don’t use known insecure systemsI If you’re nailed on an insecure system: under certain

conditions, vulnerabilities can be mitigatedI Encrypt the communication, ensure integrityI Consider side channelsI Consider replay and relay attacksI Identify sensible data and require authentication/authorization

for access, write protectionI Don’t rely on availability: tags can be destroyed or replacedI Tags can be moved: don’t believe that someone scans the tag

where you placed it.I Transmissions can be sniffed up to 10m awayI Communication can possibly be initiated at bigger ranges,

than just some cm - consider at least 1,5mI Monitor the usage, e.g. one tag used at the same time in

different locations.

Securing NFC SystemsI Personal protection

I Put your card in sleevesI Cut the antenna

I Building a product?I Don’t use known insecure systemsI If you’re nailed on an insecure system: under certain

conditions, vulnerabilities can be mitigated

I Encrypt the communication, ensure integrityI Consider side channelsI Consider replay and relay attacksI Identify sensible data and require authentication/authorization

for access, write protectionI Don’t rely on availability: tags can be destroyed or replacedI Tags can be moved: don’t believe that someone scans the tag

where you placed it.I Transmissions can be sniffed up to 10m awayI Communication can possibly be initiated at bigger ranges,

than just some cm - consider at least 1,5mI Monitor the usage, e.g. one tag used at the same time in

different locations.

Securing NFC SystemsI Personal protection

I Put your card in sleevesI Cut the antenna

I Building a product?I Don’t use known insecure systemsI If you’re nailed on an insecure system: under certain

conditions, vulnerabilities can be mitigatedI Encrypt the communication, ensure integrityI Consider side channels

I Consider replay and relay attacksI Identify sensible data and require authentication/authorization

for access, write protectionI Don’t rely on availability: tags can be destroyed or replacedI Tags can be moved: don’t believe that someone scans the tag

where you placed it.I Transmissions can be sniffed up to 10m awayI Communication can possibly be initiated at bigger ranges,

than just some cm - consider at least 1,5mI Monitor the usage, e.g. one tag used at the same time in

different locations.

Securing NFC SystemsI Personal protection

I Put your card in sleevesI Cut the antenna

I Building a product?I Don’t use known insecure systemsI If you’re nailed on an insecure system: under certain

conditions, vulnerabilities can be mitigatedI Encrypt the communication, ensure integrityI Consider side channelsI Consider replay and relay attacks

I Identify sensible data and require authentication/authorizationfor access, write protection

I Don’t rely on availability: tags can be destroyed or replacedI Tags can be moved: don’t believe that someone scans the tag

where you placed it.I Transmissions can be sniffed up to 10m awayI Communication can possibly be initiated at bigger ranges,

than just some cm - consider at least 1,5mI Monitor the usage, e.g. one tag used at the same time in

different locations.

Securing NFC SystemsI Personal protection

I Put your card in sleevesI Cut the antenna

I Building a product?I Don’t use known insecure systemsI If you’re nailed on an insecure system: under certain

conditions, vulnerabilities can be mitigatedI Encrypt the communication, ensure integrityI Consider side channelsI Consider replay and relay attacksI Identify sensible data and require authentication/authorization

for access, write protection

I Don’t rely on availability: tags can be destroyed or replacedI Tags can be moved: don’t believe that someone scans the tag

where you placed it.I Transmissions can be sniffed up to 10m awayI Communication can possibly be initiated at bigger ranges,

than just some cm - consider at least 1,5mI Monitor the usage, e.g. one tag used at the same time in

different locations.

Securing NFC SystemsI Personal protection

I Put your card in sleevesI Cut the antenna

I Building a product?I Don’t use known insecure systemsI If you’re nailed on an insecure system: under certain

conditions, vulnerabilities can be mitigatedI Encrypt the communication, ensure integrityI Consider side channelsI Consider replay and relay attacksI Identify sensible data and require authentication/authorization

for access, write protectionI Don’t rely on availability: tags can be destroyed or replacedI Tags can be moved: don’t believe that someone scans the tag

where you placed it.

I Transmissions can be sniffed up to 10m awayI Communication can possibly be initiated at bigger ranges,

than just some cm - consider at least 1,5mI Monitor the usage, e.g. one tag used at the same time in

different locations.

Securing NFC SystemsI Personal protection

I Put your card in sleevesI Cut the antenna

I Building a product?I Don’t use known insecure systemsI If you’re nailed on an insecure system: under certain

conditions, vulnerabilities can be mitigatedI Encrypt the communication, ensure integrityI Consider side channelsI Consider replay and relay attacksI Identify sensible data and require authentication/authorization

for access, write protectionI Don’t rely on availability: tags can be destroyed or replacedI Tags can be moved: don’t believe that someone scans the tag

where you placed it.I Transmissions can be sniffed up to 10m awayI Communication can possibly be initiated at bigger ranges,

than just some cm - consider at least 1,5m

I Monitor the usage, e.g. one tag used at the same time indifferent locations.

Securing NFC SystemsI Personal protection

I Put your card in sleevesI Cut the antenna

I Building a product?I Don’t use known insecure systemsI If you’re nailed on an insecure system: under certain

conditions, vulnerabilities can be mitigatedI Encrypt the communication, ensure integrityI Consider side channelsI Consider replay and relay attacksI Identify sensible data and require authentication/authorization

for access, write protectionI Don’t rely on availability: tags can be destroyed or replacedI Tags can be moved: don’t believe that someone scans the tag

where you placed it.I Transmissions can be sniffed up to 10m awayI Communication can possibly be initiated at bigger ranges,

than just some cm - consider at least 1,5mI Monitor the usage, e.g. one tag used at the same time in

different locations.

NFC Hacking - Android

I Android DevicesI Android Framework: the android.nfc.* API offers interesting

possibilities. NfcAdapter, NfcManager, NdefMessage,NdefRecord.

I http://developer.android.com/guide/topics/

connectivity/nfc/index.htmlI Supports SO 14443-3A, 14443-3B, 14443-4, NDEF, Mifare

Classic+Ultralight and few other systems.I Communication with smartcards, reading/writing NDEF tags

etc.

I But: no proprietary systems, no low-level access, restrictedcard simulation, restricted timing control

I Several 100EUR. Possibly a bit expensive, if you don’t need anew phone/tablet.

NFC Hacking - Android

I Android DevicesI Android Framework: the android.nfc.* API offers interesting

possibilities. NfcAdapter, NfcManager, NdefMessage,NdefRecord.

I http://developer.android.com/guide/topics/

connectivity/nfc/index.htmlI Supports SO 14443-3A, 14443-3B, 14443-4, NDEF, Mifare

Classic+Ultralight and few other systems.I Communication with smartcards, reading/writing NDEF tags

etc.I But: no proprietary systems, no low-level access, restricted

card simulation, restricted timing controlI Several 100EUR. Possibly a bit expensive, if you don’t need a

new phone/tablet.

NFC Hacking - Android Apps

I NXP NFC TagInfo: https://play.google.com/store/apps/details?id=com.nxp.taginfolite

I NXP TagWriter: https://play.google.com/store/apps/details?id=com.nxp.nfc.tagwriter

I NFC TagInfo: https://play.google.com/store/apps/details?id=at.mroland.android.apps.nfctaginfo

I Banking Card Reader NFC (EMV):https://play.google.com/store/apps/details?id=

com.github.devnied.emvnfccard

I . . . and its API: https://github.com/devnied/EMV-NFC-Paycard-Enrollment

I CardTest: https://play.google.com/store/apps/details?id=com.samj.CardTest

NFC Hacking - NFC Readers

I NFC ReadersI Tikitag, OpenPCDI libnfc: http://nfc-tools.orgI Live RFID Hacking System:

http://www.openpcd.org/Live_RFID_Hacking_SystemI Price: <50EURI Same drawbacks as above

I Proxmark3I SDR-based, can principally support very much in 13,56MHz

and 125-134kHz.I FPGA: precise timing, for attacks like MIFARE breaking.I Expensive: 230-500EURI a bit “hacky”

NFC Hacking - NFC Readers

I NFC ReadersI Tikitag, OpenPCDI libnfc: http://nfc-tools.orgI Live RFID Hacking System:

http://www.openpcd.org/Live_RFID_Hacking_SystemI Price: <50EURI Same drawbacks as above

I Proxmark3I SDR-based, can principally support very much in 13,56MHz

and 125-134kHz.I FPGA: precise timing, for attacks like MIFARE breaking.I Expensive: 230-500EURI a bit “hacky”

Questions?

Web: http://patzke.orgMail: thomas@patzke.orgTwitter: @blubbfiction