Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Nfc security shane_turner_spring2013


Published on

  • Yes you are right. There are many research paper writing services available now. But almost services are fake and illegal. Only a genuine service will treat their customer with quality research papers. ⇒ ⇐
    Are you sure you want to  Yes  No
    Your message goes here
  • You might get some help from ⇒ ⇐ Success and best regards!
    Are you sure you want to  Yes  No
    Your message goes here
  • Many thanks to your team at Gov-Auctions. Your information was current and very helpful. Keep up the good work you guys. Learn more... ❤❤❤
    Are you sure you want to  Yes  No
    Your message goes here

Nfc security shane_turner_spring2013

  1. 1. Near Field CommunicationsSecurity Concerns and NFCProxyShane TurnerMaster of Science in Information Security68-595 Information Security PracticumLewis UniversityApril 22, 2013
  2. 2. NFC Security - IntroductionNear Field Communication (NFC)• NFC is a short range wireless technology that allows communications to takeplace between devices that either touch or are momentarily held closetogether.• Frequency 13.56Mhz• Subset of RFID• Range – usually less than 4cm• Narrow Bandwidth (106 to 424 Kbits/s)• Patented in 1983, ISO 14443 and ISO 7816• First phone to use NFC – Nokia 6131• Nokia, Sony and Phillips formed the NFC Forum
  3. 3. NFC Security – How is NFC Used ?Uses for NFC Technology• Digital Wallet (i.e. Google Wallet)• Expect NFC smartphones to account for about 50 percent of the phone marketplace by 2014 [source: PopularScience]• Info Tags or Smart Tags• A system called Personal Rosetta Stone that lets cemetery visitors pull information from chip-laden headstonesto read the life stories and obituaries of the deceased [source: Rosetta Stone].• Movies Posters embedded with NFC chips will be able to link the user to the movie trailer or coupons thatcould be used at the theater.• Gentags• Diagnostic skin tags that are affixed directly to the patient. These tags can monitor temperature, glucose levelsor ultraviolet light exposure and then send pertinent health information directly to a smartphone.
  4. 4. NFC Security – How is NFC Used ?Uses for NFC Technology• NFC in your Car• Car companies are using NFC technology for proximity sensors that allow you to unlock your car• Push button start in cars as long as your NFC device is in the car.• Hotels• NFC chips are embedded into devices that will unlock the door to your hotel room.• At Work• NFC Devices used as access control devices allowing or disallowing access into secure areas.
  5. 5. NFC Security – How is NFC Used ?Uses for NFC Technology• Virtual press kits and business cards (• Smartphones• Information points such as posters• Speakers, Headphones, various music players• Cameras• TV• Appliances• Computers• Smart Meters for Utilities Companies• Digital bubble gum machine• Heart Monitor• Wii U• Public Transportation
  6. 6. NFC Security – Advantages of NFCWhat are the Advantages of NFC?• Augmented Shopping Experience• Many Tech Companies are getting on board• Other companies – McDonalds, Toys-R-Us, CVS, Home Depot, Radio Shack, Office Max,Walgreens, Sports Authority and many other retailers• Quick and Easy access• Improved Customer Service• Real Time Updates• Versatility• Safety
  7. 7. NFC Security – RisksWhat are the Security Risks of NFC?• Sensitive Financial Data• Data confidentiality• Eavesdropping• Data Corruption• Viruses• Man-in-the-middle• Lack of Education• Theft
  8. 8. NFC Security – NFCProxy DemonstrationNFCProxyDemonstration
  9. 9. NFC Security – NFCProxyWhat is NFCProxy?• Proof of Concept Tool for Pentesters• Demonstrates insecurities in near field communication and contactless credit cards.• Demonstrated by Eddie Lee @ Defcon 20 (Security Researcher @ BlackWing Intelligence)• Software developed by Igor Miladinovic.• Useful in NFC protocol analysis for further NFC security research.• Project was to create a pentest tool that could analyze RFID protocols andproxy transactions using Android phones.• Proxy transactions, Save transactions, Export transactions, PCD relay and Tagrelay
  10. 10. NFC Security – NFCProxy ArchitectureArchitectureNFCProxyNormalList of Acronyms• APDU - Application Protocol Data Unit• NFC – Near Field Communications• PCD - Proximity Coupling Device• POS - Point of Sale
  11. 11. NFC Security – NFCProxy HardwareNFCProxy Hardware• A Proximity Coupling Device (PCD) such as one made by VivioPay• Two Android smartphones with NFC capabilities. For example; Galaxy S3,Nexus S or Galaxy Nexus.• A contactless credit card.
  12. 12. NFC Security – NFCProxy SoftwareNFCProxy Software• NFCProxy which can be found at• CyanogenMod – custom ROM found at• Must be installed on smartphone used for Proxy Mode• Android version 2.3 (Gingerbread) or newer running on the smartphones.
  13. 13. NFC Security – NFCProxy SetupNFCProxy Setup• Must have a Wi-Fi connection to transport data.• Download and install NFCProxy Software to both smartphones.• Configure Wi-Fi Connection between phones.• Have PCD unit powered on.
  14. 14. NFC Security – NFCProxy - Proxy ModeProxy Mode• Set up the smartphone (not running Cyanogen) in Relay mode near the creditcard you want to use for a transaction.• Go to the other smartphone that is running the Cyanogen custom ROM andensure NFCProxy is running in Proxy mode.• Relay mode opens up a network socket and waits for a network connectionfrom the other device running NFCProxy in proxy mode.• With the Relay Mode smartphone, place it near the contactless credit carduntil NFCProxy displays the credit card information on the screen.• Now send the information to the smartphone running in Proxy Mode.• With the smartphone running in Proxy Mode swipe the phone in front of thePCD and you should hear an alert and see green light upon a successfultransaction.
  15. 15. NFC Security – NFCProxy Credit Card DataCredit Card DataCredit Card Data Successful Transaction
  16. 16. NFC Security – NFCProxy - Proxy ModeNFCNFCWiFi (IP)ProxyModeSet toREPLAYModeSet toPROXY ModeAPDUAPDU
  17. 17. NFC Security – NFCProxy – Relay ModeRelay Mode• Use smartphone running Cyanogen ROM• Open NFCProxy and set it in Replay mode.• Scan RFID credit card and acquire the information on card.• Long click on the credit card information on the screen and then select the“REPLAY TAG” option at the top of the phone• You should then see a letter “T” at the top of the screen.• Place the smartphone in front of the credit card reader.• Credit Card reader should light up and beep if there is a successful transaction
  18. 18. NFC Security – NFCProxy - Relay ModeNFCNFCRelayMode APDUAPDUSet toRelay ModeWalk to PCD
  19. 19. NFC Security – NFCProxy DiscussionDiscussion / Lessons Learned• Both phones must be rooted• Need correct tools to complete this process• Install correct version Cyanogen Mod• Most current version is now working• Point of Sale devices like the PCD units are easy to acquire• Able to acquire on EBay (VivioPay 4000 & VivioPay 4500)• Local Wi-Fi connections easy to set up, long distance connection - some advancednetworking skills needed (VPN knowledge)• Acquiring an RFID credit Card.• Visa - PayPass• Built in security from credit card companies• Attempts to scan the card out of sequence the card will be deactivated.
  20. 20. NFC Security – Vulnerabilities in DetailVulnerabilities• Credit Card skimming using NFCProxy• Identity Theft• Financial ruin• Malware• Know Malware programs• End of July 2012 – 5,000• End of September 2012 - 51,500• End of 2012 - 283,000• Scanning of malicious NFC tags• Can transfer your data if compromised• 25% or 25,000,000 Android Devices are infected
  21. 21. NFC Security – Vulnerabilities in DetailVulnerabilities Continued• Google Apps• 75% of malware-infected apps downloaded from Google Play [McAfee Mobile Security]• One-in-six chance of downloading a risky app• ¼ of these apps contain both malware and a suspicious URL capable of• Click fraud• Phishing schemes• McAfee Labs - found that 40% of malware misbehaved in a complex way• Hard to detect• Take advantage of specific technology (NFC)
  22. 22. NFC Security – Mitigating NFC Security RisksMitigations• Needs to be a team effort – Proactive not Reactive• NFC Forum Members• Consumers• Application Developers• Manufactures• Turn NFC off• Do not use RFID credit Cards• Virus Protection on Smartphone• Use trusted / certified apps only
  23. 23. NFC Security – QuestionsQuestions?
  24. 24. NFC Security – Other ResourcesOther NFC Resources Worth Mention• NFC Videos• NFC Proxy Demo -• Defcon 20 video, NFC Hacking: The Easy Way -• NFC Proxy – University of Texas at Austin - UT ComSoc -• Shmoocon 2012: Credit Card Fraud: The Contactless Generation Application Developers -• How NFC phones can steal your credit card info -
  25. 25. Thank You