
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder


NFC, or Near Field Communication, allows cell phones to perform specified actions whenever they detect NFC tags or signals from other NFC-enabled devices. Most of the recent phones, including Samsung Galaxy S3, Nokia Lumia 610, Blackberry Bold etc., have NFC enabled. NFC even helps enterprises and payment gateways to ease users' actions, such as connecting to a wifi network, setting a bookmark, making payments etc.

Gone are the days of sending Android malware links through URLs or attachments. In this talk, we will be showing how an attacker could steal private and sensitive information from one's phone and even perform malicious actions on the user's phone, using NFC as an attack vector. NFC attack vectors come in two forms: Active (setting the attacker's phone as a proxy between the victim's smartphone and the payment terminal) and Passive (using NFC tags). For our demonstrations, we would be creating malicious NFC tags which, when detected by any NFC-enabled smartphone, would steal sensitive information from the phone (without the user's knowledge) as well as trick the user into installing malicious applications on his phone. Thereafter, we would also be talking about how an attacker could get in close proximity of another NFC-enabled phone, get a remote shell on the victim's phone and compromise the phone's security. We would also be discussing how viral an NFC attack could go in future, if proper security measures are not enforced.


Transcript of "Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder"

  1. STAND CLOSE TO ME AND YOU ARE PWNED! SUBHO HALDER | ADITYA GUPTA, @sunnyrockzzs @adi1391. Sunday, 2 December 12
  2. WHO ARE WE!
       - INFORMATION SECURITY RESEARCHER
       - MOBILE EXPLOITER
       - CREATOR OF AFE (ANDROID FRAMEWORK FOR EXPLOITATION)
       - PYTHON LOVERS
       - CO-FOUNDER OF XYSEC.
       - FOUND BUG IN SOME FAMOUS WEBSITES INCLUDING GOOGLE, APPLE, MICROSOFT, SKYPE, ADOBE AND MANY MORE
  3. SOME COMPANIES WE’VE FOUND VULNS IN.. And MORE...
  4. AGENDA!
       - INTRODUCTION TO NFC.
       - NFC STACK.
       - NFC PROTOCOL LAYERS.
       - NFC APPLICATION LAYERS.
       - ANDROID NFC STACK
       - NFC ATTACKS
       - LEVERAGING NFC ATTACKS
  5. INTRODUCTION TO NFC
       - SET OF COMMUNICATION PROTOCOLS
       - BASED ON RFID STANDARDS INCLUDING ISO 14443
       - 13.56 MHZ OPERATING FREQUENCY +/- 7KHZ
       - OPERATING RANGE LESS THAN 4 CM
  6. COMMUNICATION MODES
       - PASSIVE ( RFID CARDS ): INITIATOR PROVIDES POWER; TARGET REFLECTS BACK THE SIGNAL
       - ACTIVE ( P2P ): BOTH INITIATOR AND TARGET SIMULATES
  7. NFC STACK
  8. NFC PROTOCOL LAYER
       - PROTOCOL LAYER CONSISTS OF A PHYSICAL LAYER AND RF LAYER
       - THESE LAYERS ARE FOCUSSED ON PHYSICAL ASPECT OF STARTING COMMUNICATION
  9. NFC PROTOCOL LAYER
       - TYPE 1 (TOPAZ): Type 1 tags use a format sometimes called the Topaz protocol. It uses a simple memory model which is either static for tags with memory size less than 120 bytes or dynamic for tags with larger memory. Bytes are read/written to the tag using commands such as RALL, READ, WRITE-E, WRITE-NE, RSEG, READ8, WRITE-E8, WRITE-N8.
       - MIFARE CLASSIC: MIFARE classic tags are storage devices with simple security mechanisms for access control. They use an NXP proprietary security protocol for authentication and ciphering. This encryption was reverse engineered and broken in 2007.
       - MIFARE-ULTRALIGHT: These tags are similar to Topaz tags. They have a static memory layout when they have less than 64 bytes available and a dynamic layout otherwise. The first 16 bytes of memory contain metadata like a serial number, access rights, and capability container. The rest is for the actual data. Data is accessed using READ and WRITE commands.
       - LLCP (P2P): The previous protocol layers have all had initiators and targets and the protocols are designed around the initiator being able to read/write to the target. Logical Link Control Protocol (LLCP) is different because it establishes communication between two peer devices.
  10. NFC APPLICATION LAYER
       - NDEF OR NFC DATA EXCHANGE FORMAT
       - SIMPLE BINARY MESSAGE FORMAT!
       - SAMPLE NDEF FORMAT FOR TEXT
  11. 03 17 d1 01 13 54 02 65 6e 68 65 6c 6c 6f 20 63 6c 75 62 68 61 63 6B 20 21 fe
       - NDEF Message Start
       - Payload Length
       - MB, ME, SR, TNF = "NFC Forum well-known type"
       - Type Length
       - Type "T"
       - Status Byte - Length of IANA lang code
       - Lang Code = "en"
       - "hello clubhack !" - text
       - NDEF Terminator
  12. ANDROID NFC STACK (diagram labels): Kernel; NFC Services (com.android.nfc); Tags, MiFare, Topaz, etc.; libnfc.so; libnfc_jni.so; libpn544_fw.so; libnfc_ndef.so
  13. ATM CARD SKIMMER!
  14. HOW TO RECOGNIZE NFC ENABLED CREDIT CARD?
  15. AID SELECTION. SOME WELL KNOWN AIDS:
       - VISA DEBIT/CREDIT CARD: A0 00 00 00 03 10 10
       - MASTERCARD CREDIT: A0 00 00 00 04 10 10
       - AMERICAN EXPRESS: A0 00 00 00 25 00 00
  16. EMV DECODING!
       - DATA ENCODING IS DONE THROUGH BER TLV
       - ONLINE DECODER AVAILABLE! HTTP://EMVLAB.ORG/TLVUTILS/
  17. HOW TO PROTECT? ORGANIZATIONS SHOULD IMPLEMENT PCI DSS COMPLIANT NFC PAYMENTS NOT YET COMPLIANT USE A BETTER WALLET
  18. http://www.thinkgeek.com/product/8cdd/
  19. NFC RELAY ATTACK!
  20. NFC POSTER SKIMMING!
  21. LEVERAGING NFC FOR ANDROID BASED VULNERABILITY
  22. COM.ANDROID.NFC
       - FOR WELL KNOWN TYPE TAGS, APPLICATIONS ARE CALLED AUTOMATICALLY
       - WWW BASED DATA, FIRES THE BROWSER
       - MAILTO: PROTOCOL FIRES UP MAIL CLIENT
       - UNEXPECTED VALUES IN NDEF, CRASHES NFCSERVICE.JAVA
  23. NFC AWARE MALWARES
       - LEVERAGING THE NFC PROTOCOL, NEW BREED OF ANDROID MALWARE ARISES
       - PROXYING ANY REQUEST THROUGH THE MALWARE WITHOUT INTERACTION!
  24. (diagram) NFC TAG (Any URL) -> no interaction needed -> Instead of opening the Browser, opens up an application!
  25. LEVERAGING USSD BASED ATTACK USING NFC
  26. (diagram) NFC TAG (Malicious URL) -> no interaction needed -> Opens the malicious link at http://xysec.com/ussd.html. Fires up the browser and dials the number in the user’s phone, without any interaction!
  27. ANDROID FRAMEWORK FOR EXPLOITATION (AFE)
  28. THANK YOU! SECURITY@XYSEC.COM
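
The byte string on slide 11 can be decoded field by field, and slide 22 notes that unexpected NDEF values crash the service that parses them. The following is an added example, not code from the talk or from Android: a strict Python decoder for that one dump that checks every length before reading and rejects anything it does not recognise. The names `parse_tag_text`, `take` and `NdefError` are made up for this illustration, and only a single short UTF-8 Text record is handled.

```python
# Byte string from slide 11: NDEF Message TLV, one Text record, Terminator TLV.
SAMPLE = bytes.fromhex(
    "03 17 d1 01 13 54 02 65 6e 68 65 6c 6c 6f "
    "20 63 6c 75 62 68 61 63 6b 20 21 fe")

class NdefError(ValueError):
    """Malformed or unsupported NDEF input."""

def take(buf, pos, n):
    """Return (n bytes at pos, new offset); refuse to read past the end."""
    if pos + n > len(buf):
        raise NdefError(f"truncated: need {n} bytes at offset {pos}")
    return buf[pos:pos + n], pos + n

def parse_tag_text(dump):
    """Decode TLV 0x03 -> single short NDEF record -> well-known Text payload."""
    (tlv_tag, tlv_len), pos = take(dump, 0, 2)
    if tlv_tag != 0x03 or tlv_len == 0xFF:
        raise NdefError("expected NDEF Message TLV with 1-byte length")
    msg, pos = take(dump, pos, tlv_len)
    (terminator,), _ = take(dump, pos, 1)
    if terminator != 0xFE:
        raise NdefError("missing Terminator TLV (0xFE)")
    # Record header: flag bits, then TYPE LENGTH and (short) PAYLOAD LENGTH.
    (hdr, type_len, payload_len), p = take(msg, 0, 3)
    flags = {"MB": hdr >> 7 & 1, "ME": hdr >> 6 & 1, "CF": hdr >> 5 & 1,
             "SR": hdr >> 4 & 1, "IL": hdr >> 3 & 1, "TNF": hdr & 0x07}
    if (flags["MB"], flags["ME"], flags["CF"], flags["SR"], flags["IL"]) != (1, 1, 0, 1, 0):
        raise NdefError("only one unchunked short record without ID is handled")
    rtype, p = take(msg, p, type_len)
    payload, p = take(msg, p, payload_len)
    if p != len(msg):
        raise NdefError("record lengths disagree with the TLV length")
    if flags["TNF"] != 0x01 or rtype != b"T":
        raise NdefError("not an NFC Forum well-known Text record")
    # Text payload: status byte (bit 7 = UTF-16, bits 5..0 = language length).
    (status,), q = take(payload, 0, 1)
    if status & 0xC0:
        raise NdefError("UTF-16 or reserved status bit set; not handled here")
    lang, q = take(payload, q, status & 0x3F)
    try:
        return {"flags": flags, "lang": lang.decode("ascii"),
                "text": payload[q:].decode("utf-8")}
    except UnicodeDecodeError as exc:
        raise NdefError("undecodable language code or text") from exc
```

In this dump 0x17 is the length of the whole NDEF message and 0x13 is the length of the record payload; the decoder fails closed when the two disagree.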
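
Slide 16 states that EMV data is BER-TLV encoded. As an added example (not from the talk, and not the emvlab.org decoder), here is a small bounds-checked BER-TLV parser in Python of the kind a reader application needs when handling data from an untrusted card. `parse_tlv`, `find` and `TlvError` are made-up names, and the sample bytes are constructed around the Visa AID listed on slide 15.

```python
# Constructed sample (no real card data): template holding the slide-15 Visa AID and a label.
SAMPLE_FCI = bytes.fromhex("6F18 8407A0000000031010 A50D 500B5649534120435245444954")

class TlvError(ValueError):
    """Malformed BER-TLV input."""

def parse_tlv(buf, depth=0):
    """Return [(tag_hex, bytes or list of children)] for every object in buf."""
    out, pos = [], 0
    while pos < len(buf):
        if buf[pos] == 0x00:            # padding between objects
            pos += 1
            continue
        first, start, pos = buf[pos], pos, pos + 1
        if first & 0x1F == 0x1F:        # tag number continues in later bytes
            while pos < len(buf) and buf[pos] & 0x80:
                pos += 1
            pos += 1                    # last tag byte has bit 8 clear
        if pos >= len(buf):
            raise TlvError("truncated tag or missing length")
        tag = buf[start:pos].hex().upper()
        length = buf[pos]
        pos += 1
        if length == 0x80:
            raise TlvError("indefinite length is not accepted")
        if length > 0x80:               # long form: next n bytes hold the length
            n = length & 0x7F
            if n > 2 or pos + n > len(buf):
                raise TlvError("unsupported or truncated long-form length")
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        if pos + length > len(buf):
            raise TlvError(f"tag {tag}: length {length} overruns buffer")
        value = buf[pos:pos + length]
        pos += length
        if first & 0x20:                # constructed: value is itself TLV
            if depth >= 8:
                raise TlvError("nesting too deep")
            value = parse_tlv(value, depth + 1)
        out.append((tag, value))
    return out

def find(tree, tag):
    """First value stored under tag, searching nested templates; None if absent."""
    for t, v in tree:
        if t == tag:
            return v
        if isinstance(v, list) and (hit := find(v, tag)) is not None:
            return hit
```

Tag 84 in the sample carries the AID and tag 50 the application label, both nested inside the 6F template.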