
Man in the NFC by Haoqi Shan and Qing Yang



NFC (Near Field Communication) technology is now widely used in security, banking, payment and personal information exchange, and is highly developed. Correspondingly, attack methods against NFC keep emerging. What if we want to "steal" from someone's EMV, QuickPass or VisaPay bank card without "getting" his wallet? To solve this problem, we built a hardware tool we call "UniProxy". The tool consists of two self-modified high-frequency card readers and two radio transmitters, arranged in a master-slave configuration. The master part lets people easily and reliably read almost any ISO 14443A card, whatever kind of card it is (bank card, ID card, passport, access card, or anything else) and whatever security protocol it uses, as long as it follows the ISO 14443A standard, while the slave part replays that card to the corresponding legitimate card reader to achieve our "evil" goals. The master and slave communicate via the radio transmitters and can be 50 – 200 meters apart.

Published in: Devices & Hardware

  1. 360UnicornTeam: Build an NFC proxy tool from scratch. Man in the NFC. Haoqi Shan @ UnicornTeam
  2. Agenda
     • Who we are
     • NFC & ISO14443A
     • Competitions
     • Yet another wheel?
     • What is UniProxy?
     • Master and Slave
     • Issues in development
     • Thanks, Q&A
  3. Quick Demo 1
  4. Who we are
     • Unicorn Team: internal security research team of Qihoo 360, founded in 2014; focus on wireless/hardware hacking and defense; security research / hardware development / pentest divisions
     • Series of wireless research published at Defcon/BlackHat: low-cost GPS spoofing (Defcon 23); LTE redirection attack (Defcon 24); attack on powerline communication (BlackHat USA 2016); "Ghost Telephonist" (Defcon 25 / BlackHat USA 2017)
     • Series of hacking tools developed: HackID/HackID Pro/SafeRFID/HackNFC, etc.
     • Haoqi Shan: wireless/security researcher; gave presentations at BH/Defcon/HITB/CanSecWest/SyScan
  5. NFC & ISO14443A
     • NFC: 13.56 MHz; low-cost; the card side does not require its own power; well developed and deployed
     • ISO14443A: widely used; supports many applications; security/passport/bank card
  6. NFC & ISO14443A (figure)
  7. What we aim at
     • ID card
     • Credit card
     • QuickPass – Unipay (*)
     • Starbucks POS machine
     • XX: "I thought this question has been solved like a thousand times"
     • More like a hacker
  8. QuickPass (figure)
  9. The way we used to hack
     • Targeting protocols: Proxmark III (the best RFID hardware); ChameleonMini
     • Targeting data: NFCProxy; NFCGate
  10. Why not?
     • Proxmark III: supports many protocols; powerful; however, it can't hack credit cards, or we would all be rich by now
     • NFCGate/NFCProxy: based on Android; modified firmware to relay NFC data; monitors transmitted data; relies on Wi-Fi; however, too much delay to complete the whole payment procedure
  11. Yet another wheel
     • Why this tool is needed: inspired by the brilliant hacking tools mentioned above
     • Faster (ms level)
     • Larger range (50 m, even more)
     • Pure hardware solution (PN7462AU)
     • Highly customizable: completely self-designed, so we can modify everything we need
  12. What's UniProxy
     • PN7462AU-based NFC relay/proxy device
     • Supports the ISO14443A protocol
     • Targets QuickPass (Unipay) credit cards
     • Reader emulator and card emulator
     • Point-to-point wireless data transmission
     • Easy to adapt to ISO 14443B/15693
  13. Core of UniProxy
     • Why PN7462AU? NXP chip; 20 MHz Cortex-M0 core; read/write, card emulation and peer-to-peer modes; transmitter current up to 250 mA; full MIFARE family support
     • Architecture: reader/card emulator; NRF24L01 wireless transmitter; power supply; antenna
  14. PN7462AU (figure)
  15. Master (front) (figure)
  16. Master (back) (figure)
  17. Process of Master (1) (figure)
  18. Process of Master (2) (flowchart)
     • Communicate with card: 14443A handshake and get parameters
     • Send parameters to card emulator
     • Receive response before timeout? Yes: start block transmission; no: end
  19. Process of Master (3) (flowchart)
     • Start block transmission
     • Wait for response from card emulator before timeout; on timeout: end
     • I-Block data: process, forward data to real card, wait for real card response
     • Get response before timeout? Yes: forward to card emulator; no: notify card emulator that communication is ended
  20. Slave (figure)
  21. Process of Slave (1) (figure)
  22. Process of Slave (2) (flowchart)
     • Start interaction with reader emulator
     • Init card emulator with received parameters
     • Reader nearby? No: keep waiting
     • Start interaction with received parameters; handshake with real reader
     • Start block transmission
  23. Process of Slave (3) (flowchart)
     • Start block transmission
     • Received data? Process by block type:
     • I-Block data: forward to reader emulator, send delay command after half the waiting time; received data from reader emulator? Yes: forward to real reader; no: flash error LED, self-reset and send reset status to reader emulator; finish
     • DESELECT command (S-Block): forward DESELECT to reader emulator and send DESELECT to real reader; finish
     • R-Block: process
  24. Issues in development
     • First byte of UID
     • Waiting/wakeup time
     • I/S/R-Block data
     • ISO 14443A Part 4
     • Power supply
     • …
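The slave-side flow above keeps the real reader waiting by sending a delay command (an ISO 14443-4 S(WTX) block) after half the waiting time, and the issues slide names I/S/R-block data and waiting time as the hard parts. The following added example, written for this page and not taken from the talk or from UniProxy, shows what those blocks look like from the reader's side: it classifies a 14443-4 block by its PCB byte, computes the Frame Waiting Time (FWT) from FWI, and replays a reader's timeout logic over a constructed response sequence so that a logging terminal can record how often WTX was requested and how far the answer arrived beyond the card's own FWT. The block layout and FWT formula follow ISO 14443-4; the frames and timings are constructed, and nothing here describes the firmware of the device in the talk.

```python
"""ISO 14443-4 block parsing plus Frame Waiting Time (FWT) accounting on the reader side.

Added example for this page; not code from the talk or from UniProxy. It models
the reader side of the "Process of Slave (3)" flow: a relay's card emulator
answers the real reader with S(WTX) "delay" blocks at about half the waiting
time so the reader keeps waiting while the command travels to the real card.
PCB bit layout and the FWT formula follow ISO 14443-4; sample frames are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FC_HZ = 13_560_000      # ISO 14443 carrier frequency
FWI_DEFAULT = 4         # used when the ATS carries no TB(1)
FWI_MAX = 14


def fwt_seconds(fwi: int) -> float:
    """FWT = (256 * 16 / fc) * 2**FWI; FWI 4 is about 4.8 ms, FWI 14 about 4.9 s."""
    if not 0 <= fwi <= FWI_MAX:
        raise ValueError("FWI must be in 0..14")
    return (256 * 16 / FC_HZ) * (2 ** fwi)


@dataclass
class Block:
    kind: str                  # "I", "R(ACK)", "R(NAK)", "S(DESELECT)", "S(WTX)"
    block_num: Optional[int]   # b1 of I- and R-blocks
    cid: Optional[int]         # card identifier, when the PCB says a CID byte follows
    chaining: bool             # I-block chaining bit (b5)
    wtxm: Optional[int]        # WTX multiplier (1..59) carried by S(WTX)
    inf: bytes                 # payload after PCB / CID / NAD


def parse_block(frame: bytes) -> Block:
    """Classify one 14443-4 block by its PCB byte (CRC_A assumed already stripped)."""
    if not frame:
        raise ValueError("empty frame")
    pcb = frame[0]
    has_cid = bool(pcb & 0x08)     # b4: CID byte follows (same bit for I, R and S blocks)
    has_nad = False
    block_num = wtxm = None
    chaining = False
    if pcb & 0xE2 == 0x02:         # I-block: b8b7=00, b6=0, b2=1
        kind = "I"
        chaining = bool(pcb & 0x10)
        has_nad = bool(pcb & 0x04)
        block_num = pcb & 0x01
    elif pcb & 0xE6 == 0xA2:       # R-block: b8b7=10, b6=1, b3=0, b2=1; b5 = NAK
        kind = "R(NAK)" if pcb & 0x10 else "R(ACK)"
        block_num = pcb & 0x01
    elif pcb & 0xC7 == 0xC2:       # S-block: b8b7=11, b3=0, b2=1, b1=0; b6b5 = type
        s_type = (pcb >> 4) & 0x03
        if s_type == 0:
            kind = "S(DESELECT)"
        elif s_type == 3:
            kind = "S(WTX)"
        else:
            raise ValueError(f"RFU S-block PCB 0x{pcb:02X}")
    else:
        raise ValueError(f"invalid PCB 0x{pcb:02X}")
    idx = 1
    cid = None
    if has_cid:
        cid = frame[idx] & 0x0F    # low nibble is the CID; high bits carry power level
        idx += 1
    if has_nad:
        idx += 1
    inf = frame[idx:]
    if kind == "S(WTX)":
        if len(inf) != 1:
            raise ValueError("S(WTX) carries exactly one INF byte")
        wtxm = inf[0] & 0x3F       # b6..b1 = WTXM; b8b7 = power level indication
        if not 1 <= wtxm <= 59:
            raise ValueError(f"WTXM {wtxm} out of range 1..59")
    return Block(kind, block_num, cid, chaining, wtxm, inf)


def audit_response_cycle(fwi: int, events: List[Tuple[float, bytes]]) -> Dict[str, object]:
    """Replay the reader's timeout logic for one command.

    events: (seconds since the reader's previous transmission, raw block), in arrival
    order. The reader waits FWT for the first block; each accepted S(WTX) re-arms the
    wait to FWT * WTXM, capped at the FWI=14 maximum. Returns what a logging terminal
    would record: outcome, WTX count, total wait, and whether the final block arrived
    later than the card's own FWT would have allowed without WTX.
    """
    fwt = fwt_seconds(fwi)
    allowed, total, wtx_requests = fwt, 0.0, 0
    for elapsed, frame in events:
        total += elapsed
        if elapsed > allowed:
            return {"outcome": "timeout", "wtx_requests": wtx_requests,
                    "total_wait_s": total, "fwt_s": fwt, "waited_beyond_fwt": total > fwt}
        block = parse_block(frame)
        if block.kind == "S(WTX)":
            wtx_requests += 1
            allowed = min(fwt * block.wtxm, fwt_seconds(FWI_MAX))
            continue
        return {"outcome": "ok", "kind": block.kind, "wtx_requests": wtx_requests,
                "total_wait_s": total, "fwt_s": fwt, "waited_beyond_fwt": total > fwt}
    return {"outcome": "no_final_block", "wtx_requests": wtx_requests,
            "total_wait_s": total, "fwt_s": fwt, "waited_beyond_fwt": total > fwt}


def uid0_meaning(uid0: int) -> str:
    """Two values ISO 14443-3 reserves for the first UID byte; anything proxying anticollision must honour them."""
    if uid0 == 0x88:
        return "cascade tag: UID is longer than 4 bytes, anticollision continues at the next level"
    if uid0 == 0x08:
        return "random UID: the card generates a fresh 4-byte UID at each power-up"
    return "plain UID byte"


if __name__ == "__main__":
    # Constructed relay-style scenario: S(WTX) with WTXM=10 at roughly half of FWT(4),
    # then the real card's I-block answer (0x02 + status 90 00) 30 ms later.
    relayed = [(0.0024, b"\xF2\x0A"), (0.030, b"\x02\x90\x00")]
    print(audit_response_cycle(FWI_DEFAULT, relayed))
```

Cards doing slow cryptography also send S(WTX) legitimately, so a non-zero `wtx_requests` or `waited_beyond_fwt` is an indicator to log and correlate with the card type and the transaction, not proof of a relay on its own; the value of the check is that it turns the waiting-time behaviour the slide relies on into a measurable record on the terminal side.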
  25. Demo video
  26. Defend
     • Blocking sleeve
     • RFID wallet
     • RFID jammer
     • 360 SafeRFID
     • GuardBunny
  27. Summary
     • What we learned: read the protocol document well; better not to develop without official support
     • Further work: improve transmission range up to 100 meters; target security ID cards, HID iClass, Chinese ID; self-compatibility; how?
  28. References
     • NXP user guide ( guide/UM10883.pdf)
     • NFC Gate
     • NFC Proxy
     • ISO14443A
  29. Thanks
     • Hardware dev division of Unicorn Team, especially Jian Yuan, Chaoran Wang, and Yunding Jian
     • Proxmark III
     • NFCProxy
     • NFCGate
  30. Q&A
     • Mail me: