
NFC: Naked Fried Chicken / Pentesting NFC: that's what I love


Speaker: Matteo Beccaro

The talk covers general questions of transport security, fraud and technological failures, and will be of interest both to professional pentesters and to hobbyists. The speaker will examine several serious vulnerabilities in real transport systems that use NFC technology, and will demonstrate an open-source application for testing such systems from a smartphone.



  1. NFC: Naked Fried Chicken. Matteo Beccaro || Opposing Force. PHDays 2016, May 18, 2016. © Opposing Force. All rights reserved.
  2. Who || Matteo Beccaro
     • Founder || Chief Technology Officer at Opposing Force, the first Italian company specialized in offensive physical security
     • Twitter: @_bughardy_
  3. Agenda ||
     • NFC: What are we talking about?
     • Transport system structure
     • Our tool(s)
     • Pentesting methodology
     • Attack Surface
     • Analyzing the elements
     • Vulnerabilities
     • Case studies
  4. Agenda || (repeated from slide 3)
  5. NFC: What are we talking about? || What is NFC?
     • NFC stands for Near Field Communication
     • Frequency: 13.56 MHz
     • 3-5 cm of range
     • Widely used in: Access Control systems, Ticketing, Mobile phones
  6. NFC: What are we talking about? || NFC's most notorious families:
     • MIFARE: MIFARE Classic, MIFARE Ultralight, MIFARE DESFire
     • HID iClass
     • Calypso
     • FeliCa
  7. NFC: What are we talking about? || MIFARE Classic
     • Memory storage device (1K or 4K)
     • Strong access control mechanisms: a key is required to access a data sector; uses the Crypto1 (read: "Crapto1") algorithm
     • Broken… but widely used (RFID door tokens, transport tickets, etc.)
  8. NFC: What are we talking about? || MIFARE Ultralight
     • Memory storage device (64 bytes)
     • Basic security mechanisms: OTP (One-Time-Programmable) sector, lock bytes sector
     • Mostly used for disposable tickets
     • It has some more secure children:
  9. NFC: What are we talking about? || MIFARE DESFire
     • Advanced security mechanisms (3DES, AES, etc.)
     • File system structure
     • 2 KB, 4 KB or 8 KB memory size
     • Several variants: DESFire, DESFire EV1 and DESFire EV2
  10. NFC: What are we talking about? || HID iClass
     • The same encryption and authentication keys are shared across all HID iCLASS Standard Security installations
     • The keys have already been extracted
     • Two variants: iClass Standard (common) and iClass High Secure (less common). Both broken.
  11. Agenda || (repeated from slide 3)
  12. Transport system structure || Defining a transportation system:
     • We need to create a common methodology
     • We need to have tools
     • We need to be able to use schemas to help our work
  13. Transport system structure || Defining a schema
  14. Transport system structure || Defining a schema (diagram: Local / Remote)
  15. Transport system structure || More in detail…
  16. Transport system structure || Token:
     • Usually an NFC card: MIFARE ULTRALIGHT, MIFARE CLASSIC, CALYPSO
     • Can store: multiple rides or subscriptions, timestamp of the last stamping, details of where it has been used, other data
  17. Transport system structure || Token:
     • MIFARE CLASSIC: just broken
     • MIFARE ULTRALIGHT: lock attack, time attack, replay attack
     • Calypso: all documentation is under NDA
  18. Transport system structure || Reader | Controller:
     • Can operate offline or online
     • Can be wired or wirelessly connected to the controller
     • Usually supports multiple standards
     • Its purpose is to check whether a ticket is valid and to stamp it
     • It can store secrets and keys
  19. Transport system structure || Backend
     • Sometimes known as "Cloud"
     • It can perform several operations: statistics, OTA updates, fraud detection, fraud prevention
  20. Agenda || (repeated from slide 3)
  21. Our tool(s) || What tools we can use: HydraNFC, Proxmark3, ChameleonMini, NFCulT
  22. Our tool(s) || HydraNFC (~90 €)
     • Uses the Texas Instruments TRF7970A NFC chipset (13.56 MHz only)
     • MIFARE 1K and ISO 14443A UID emulation
     • ISO 14443A sniffing (also autonomous mode)
     • 2 different raw modes
     • Still in development (@hydrabus)
     • More info at http://hydrabus.com/hydranfc-1-0-specifications/
  23. Our tool(s) || Proxmark3 (~200 €)
     • HF and LF capabilities
     • Big community
     • Supports almost all known RFID tags
     • Supports sniffing
     • Supports emulation
     • More info at http://proxmark.org/forum/index.php
  24. Our tool(s) || ChameleonMini (~100 €)
     • HF (13.56 MHz) only
     • Almost the same capabilities as HydraNFC
     • Different chipset
     • Firmware available only for the old revision at the moment
     • More info at http://kasper-oswald.de/gb/chameleonmini/
  25. Our tool(s) || NFCulT (~0 €)
     • Mobile application for NFC-enabled Android smartphones
     • Its aim is to provide quick help during assessments of ticketing systems
     • Implements Lock, Time and Replay attacks
     • It has a custom edit mode to edit the ticket data bit by bit
     • Supports MIFARE ULTRALIGHT, with planned support for CLASSIC
  26. Our tool(s) || NFCulT: Lock Attack
     • Sets the OTP page to read-only mode
     • The operation is irreversible
     • If the reader does not check whether it can write the OTP sector: free rides
  27. Our tool(s) || NFCulT: Time Attack
     • If you find and decode the timestamp, you can stamp the ticket by yourself
     • Again, free rides
  28. Our tool(s) || NFCulT: Replay Attack
     • Use of a UID magic ticket (~15 €)
     • Can bypass all offline anti-fraud mechanisms
     • Guess what? Free rides
  29. Our tool(s) || NFCulT: Custom edit
     • Useful for understanding the layout of the data saved on the ticket (e.g. for finding the correct timestamp)
     • You can quickly convert from hex to bin and vice versa
     • You can edit the data bit by bit and write it back to the ticket
  30. Agenda || (repeated from slide 3)
  31. Pentesting methodology || What are we looking for?
  32. Pentesting methodology || Stamping machine

     | Attack Surface | Attacks to Perform | Impact |
     |---|---|---|
     | NFC Interface | Analyze the stamping mechanisms | Free tickets |
     | Hardware board | Analyze the exposed interfaces (JTAG, UART, etc.) | Firmware / secrets dumping |
     | GSM/GPRS/Eth Interface | Is MITM possible? Intercepting the data | Intercepting secrets / sensitive data |

  33. Pentesting methodology || Vending machine

     | Attack Surface | Attacks to Perform | Impact |
     |---|---|---|
     | NFC Interface | Analyze the recharging mechanisms | Free tickets, for everyone |
     | Hardware board | Analyze the exposed interfaces (JTAG, UART, etc.) | Firmware / secrets dumping |
     | GSM/GPRS/Eth Interface | Is MITM possible? Intercepting the data | Intercepting secrets / sensitive data (e.g. credit card details) |
     | Computer Application | Analyze the exposed network services | Complete control of the machine |

  34. Pentesting methodology || The backend

     | Attack Surface | Attacks to Perform | Impact |
     |---|---|---|
     | Web application(s) | Web app pentesting | Various |
     | Network services | Network pentesting | Various |
     | Physical location | Try to get physical access to the servers | Pwned |

  35. Agenda || (repeated from slide 3)
  36. Case studies || A MIFARE ULTRALIGHT ticketing system
  37. Case studies || A MIFARE ULTRALIGHT ticketing system (continued)
  38. Case studies || A MIFARE ULTRALIGHT ticketing system
     • The lock bit for the OTP sector is not checked by the stamping machine
     • Absence of a UID blacklist in the backend
     • Timestamps are neither encrypted nor signed
  39. Case studies || A MIFARE CLASSIC door lock
  40. Case studies || A MIFARE CLASSIC door lock (continued)
  41. Case studies || A MIFARE hotel door lock
     • Card's UID
     • Room number: int(0x17ea, 16) = 6122
  42. Thanks || Opposing Force - challenging your security - @_opposingforce | https://www.opposingforce.it | engage@opposingforce.it
  43. Q&A Time! || Opposing Force - challenging your security - @_opposingforce | https://www.opposingforce.it | engage@opposingforce.it
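Added, defender-side example (not code from the talk or from NFCulT): a stamping-machine validator for the MIFARE Ultralight layout of slides 8 and 26-28 that performs the three checks slide 38 reports as missing, namely the OTP lock bit, a UID blacklist and an authenticated timestamp. The page and lock-byte layout follows the MF0ICU1 datasheet; the data placed in pages 4-6, the shared key, the validity window, the ride count and the blacklist entry are constructed assumptions.

```python
import hashlib
import hmac
import struct

PAGE = 4                  # MIFARE Ultralight page size in bytes (16 pages = 64 bytes)
OTP_LOCK_BIT = 0x08       # lock byte 0 (page 2, byte 2), bit 3: page 3 (OTP) is read-only
VALIDITY_S = 90 * 60      # assumption: one stamp is good for 90 minutes
MAX_RIDES = 10            # assumption: a 10-ride ticket, one OTP bit burned per ride
ISSUER_KEY = b"example-shared-key"                  # constructed; shared by issuer and readers
UID_BLACKLIST = {bytes.fromhex("04aabbccddeeff")}  # constructed; pushed from the backend

def page(dump, n):
    return bytes(dump[n * PAGE:(n + 1) * PAGE])

def uid(dump):
    return page(dump, 0)[:3] + page(dump, 1)   # UID0-2 in page 0 (byte 3 is BCC0), UID3-6 in page 1

def otp_locked(dump):
    return bool(page(dump, 2)[2] & OTP_LOCK_BIT)

def rides_used(dump):
    # OTP bits can only go 0 -> 1, so each stamp burns one more bit
    return bin(int.from_bytes(page(dump, 3), "big")).count("1")

def stamp_mac(dump):
    # Authenticate the stamp by binding UID, OTP state and timestamp together
    return hmac.new(ISSUER_KEY, uid(dump) + page(dump, 3) + page(dump, 4), hashlib.sha256).digest()[:8]

def stamp(dump, now):
    """Stamping machine: burn one OTP bit, write the time (page 4) and its MAC (pages 5-6)."""
    used = rides_used(dump)
    d = bytearray(dump)
    d[12:16] = (int.from_bytes(page(d, 3), "big") | (1 << (31 - used))).to_bytes(4, "big")
    d[16:20] = struct.pack(">I", now)
    d[20:28] = stamp_mac(d)
    return bytes(d)

def check_ticket(dump, now):
    """Validator with the three checks the case study found missing. Returns (ok, reason)."""
    if uid(dump) in UID_BLACKLIST:
        return False, "UID blacklisted"
    if not hmac.compare_digest(page(dump, 5) + page(dump, 6), stamp_mac(dump)):
        return False, "stamp not authentic"          # rewritten timestamp (time attack)
    ts = struct.unpack(">I", page(dump, 4))[0]
    if ts <= now < ts + VALIDITY_S:
        return True, "stamp still valid"
    if otp_locked(dump):
        return False, "OTP page locked, counter cannot advance"   # lock attack
    if rides_used(dump) >= MAX_RIDES:
        return False, "no rides left"
    return True, "new stamp required"
```

A validator that only counted OTP bits would keep accepting a ticket whose page 3 has been locked; here the lock check fires as soon as a new stamp is needed.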
