The document discusses Near Field Communication (NFC) technology and security issues related to NFC-based ticketing systems. It provides an overview of common NFC card standards like MIFARE Classic and Ultralight, describes vulnerabilities that have been found in their cryptographic protections. The document outlines a reference architecture for modern ticketing systems and examines security weaknesses in each component. It then introduces several tools that can be used to evaluate such systems, including the HydraNFC, Proxmark3, and NFCulT Android app created by Opposing Force. Attack techniques like lock, time and reply attacks are explained as ways to exploit NFC tickets and bypass validation mechanisms.
NFC: Naked Fried Chicken (PHDays VI)
1. NFC: Naked Fried Chicken || Matteo Beccaro || May 18th, 2016
2. Me ||
§ Matteo Beccaro
§ Founder & Chief Technology Officer at Opposing Force
§ The first Italian company specialized in offensive physical security
§ Twitter: @_bughardy_ | @_opposingforce
3. Agenda ||
§ NFC: what are we talking about?
§ Modern ticketing systems security
§ Weapons for NFC-based solutions mass destruction
§ Penetration testing methodology
§ Case studies
5. What is NFC? ||
§ NFC stands for Near Field Communication
§ Frequency at 13.56 MHz
§ 3-5 cm of range
§ Widely used for
  § Access control systems
  § Electronic ticketing systems
  § Mobile phone applications
7. MIFARE Classic ||
§ 1-4 KB memory storage device
§ Strong access control mechanisms
  § A key is required to access data sectors
§ Use of the Crypto1 ("Crapto1") algorithm
§ Sadly broken..
§ ..but still so widely used (!)
  – RFID door tokens, transport tickets, etc.
8. MIFARE Ultralight ||
§ 64 byte memory storage device
§ Basic security mechanisms
  § OTP (One-Time-Programmable) sector
  § Lock bytes sector
§ Mostly used for disposable tickets
§ It has some more secure children:
  • ULTRALIGHT C
  • ULTRALIGHT EV
9. MIFARE DESFire ||
§ 2 KB, 4 KB or 8 KB memory size
§ Advanced security mechanisms (3DES, AES, etc.)
§ File system structure is supported
§ Several variants are available
  § DESFIRE
  § DESFIRE EV1
  § DESFIRE EV2
10. HID iClass ||
§ The same encryption and authentication keys are shared across every HID iClass Standard Security installation (!)
§ Keys have already been extracted (!!)
§ Two variants
  § iClass Standard (very common)
  § iClass High Secure (not that common)
§ Both variants are BROKEN
12. Modern ticketing systems security ||
§ We need to create a common methodology
§ We need tools to effectively assess these systems
§ We need secure architectures as references and best practices
16. The token ||
§ Usually an NFC card
  § MIFARE Ultralight
  § MIFARE Classic
  § Calypso
§ The card can store
  § Multiple rides or subscriptions
  § Timestamp of the last stamping
  § Details on the location where we used the ticket
  § Other data
17. The token ||
§ What about MIFARE Classic?
  § It is just BROKEN
§ What about MIFARE Ultralight?
  § Well, it's bleeding..
    § Lock attack
    § Time attack
    § Reply attack..
§ Calypso
  § Currently we are under NDA, sorry :)
18. Readers and controllers ||
§ Can operate offline or online
§ Wired or wirelessly connected to the controller
§ Usually support multiple standards
§ Simply check if the ticket is valid
  § Is the ticket "genuine"?
  § Is the stored stamp ok?
§ Can store secrets and keys used for validation
19. The backend ||
§ It can be cloud-based or not
§ Performs multiple operations
  § Provides the ticket validation "logic"
  § Fraud prevention?
  § Statistics
  § OTA updates for readers
  § Fraud detection
21. Tools of the trade ||
§ HydraNFC
§ ProxMark3
§ ChameleonMini
§ NFCulT
22. HydraNFC ||
§ HydraNFC (~90 €)
§ http://hydrabus.com/hydranfc-1-0-specifications/
§ Uses the Texas Instruments TRF7970A NFC chipset (13.56 MHz only)
§ MIFARE 1k and 14443A UID emulation
§ ISO 14443A sniffing (also autonomous mode)
§ 2 different raw modes
23. ProxMark3 ||
§ ProxMark3 (~200 €)
§ HF and LF capabilities
§ Very large community
  § http://proxmark.org/forum/index.php
§ Supports almost every known RFID tag
§ Supports sniffing and emulation
24. ChameleonMini ||
§ ChameleonMini (~100 €)
§ http://kasper-oswald.de/gb/chameleonmini/
§ HF (13.56 MHz) only
§ Almost the same capabilities as HydraNFC
§ Different chipset
§ The firmware is only available for the old revision
25. Opposing Force's own weapon ||
§ NFCulT (~0 €)
§ Mobile app for NFC-enabled Android smartphones
§ Implements Lock, Time and Reply attacks
§ A "custom edit mode" is available for bit-by-bit data editing
§ The app currently supports the MIFARE Ultralight format only
§ MIFARE Classic support will be released during summer 2016
26. The lock attack feature ||
§ Sets the OTP page in Read-Only mode
§ The operation is irreversible
§ If the reader doesn't check for writing permission on the OTP sector..
§ ..free rides!
27. The time attack feature ||
§ The feature allows forging (stamping) free tickets
§ The tester is required to identify and decode the ticket's timestamps
28. The reply attack feature ||
§ Reply attacks can be implemented using UID magic tickets (~15 € per ticket)
§ The attack can bypass every (offline) anti-fraud prevention mechanism
§ Anyway, guess what? Free rides!
29. The custom editing feature ||
§ The feature is useful to better understand the structure of the data stored on the ticket (e.g., the exact location of the timestamp)
§ Quick encoding from hex to bin and back
§ The app allows bit-by-bit editing of the ticket's data
32. The stamping machine ||
Attack surface         | Attacks to perform                                       | Impact
NFC interface          | Analyze the stamping mechanisms                          | Free tickets
Hardware board         | Analyze the exposed interfaces (JTAG, UART, etc.)        | Firmware or secrets dumping
GSM/GPRS/Eth interface | Is MITM possible? Intercepting the exchanged data        | Intercepting secrets or sensitive data
• We can identify it as the reader + controller
34. The vending machine ||
Attack surface         | Attacks to perform                                       | Impact
NFC interface          | Analyze the recharging mechanisms                        | Free tickets, for everyone
Hardware board         | Analyze the exposed interfaces (JTAG, UART, etc.)        | Firmware or secrets dumping
GSM/GPRS/Eth interface | Is MITM possible? Intercepting the data                  | Intercepting secrets or sensitive data (e.g., credit card details)
Computer application   | Analyzing exposed network services                       | Complete control of the machine
• We can identify it as one of the possible clients
36. The backend ||
Attack surface         | Attacks to perform                                       | Impact
Web application(s)     | Classic web app-related attacks                          | Data exfiltration, service interruption, etc.
Network service(s)     | Classic network services-related attacks                 | Data exfiltration, service interruption, etc.
Physical location      | Try to get physical access to the servers                | Basically, heavily PWNED
41. MIFARE Ultralight ticketing system ||
§ The lock bit for the OTP sector is not checked by the stamping machine
§ Absence of a UID blacklist in the backend
§ Timestamps are neither encrypted nor signed
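The validator-side checks that close the three weaknesses of this case study (the OTP lock-bit check the stamping machine skips on slide 26, a UID blacklist, and a keyed MAC over the timestamp), as an added Python example that is not code from the talk or from NFCulT. The page layout is the one in the NXP MIFARE Ultralight datasheet (16 pages of 4 bytes; lock bytes in page 2, OTP in page 3); placing the 4-byte stamp timestamp in page 4 with an 8-byte HMAC-SHA256 tag in pages 5-6 is an assumption of this example, and the dumps it checks are constructed, not read from a card.

```python
import hmac
import hashlib
# Page layout from the NXP MIFARE Ultralight datasheet: 16 pages x 4 bytes = 64 bytes.
# Page 2 bytes 2-3 are lock byte 0 / lock byte 1; page 3 is the OTP area (bits go 0 -> 1 only).
LOCK0_OFFSET = 2 * 4 + 2
OTP_OFFSET = 3 * 4
L_OTP_BIT = 0x08          # bit 3 of lock byte 0 freezes the OTP page (what the lock attack sets)
STAMP_OFFSET = 4 * 4      # assumption: page 4 = 4-byte last-stamp timestamp, pages 5-6 = 8-byte MAC

def ultralight_uid(dump):
    # 7-byte UID: page 0 bytes 0-2 (byte 3 is the BCC0 check byte) + page 1 bytes 0-3
    return dump[0:3] + dump[4:8]

def otp_locked(dump):
    return bool(dump[LOCK0_OFFSET] & L_OTP_BIT)

def rides_left(dump):
    # Each ride burns one OTP bit; a set bit can never be cleared, so set bits = used rides
    otp = int.from_bytes(dump[OTP_OFFSET:OTP_OFFSET + 4], "big")
    return 32 - bin(otp).count("1")

def stamp_authentic(dump, key):
    # Binds the timestamp to this UID, so an edited or copied stamp fails verification
    ts = dump[STAMP_OFFSET:STAMP_OFFSET + 4]
    mac = dump[STAMP_OFFSET + 4:STAMP_OFFSET + 12]
    expected = hmac.new(key, ultralight_uid(dump) + ts, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(mac, expected)

def validate(dump, key, blacklist):
    """Return the validator's decision for one ticket dump."""
    if len(dump) != 64:
        return "reject: not a 64-byte Ultralight dump"
    if ultralight_uid(dump) in blacklist:
        return "reject: UID blacklisted"
    if otp_locked(dump):
        return "reject: OTP page locked (lock attack)"
    if rides_left(dump) == 0:
        return "reject: no rides left"
    if not stamp_authentic(dump, key):
        return "reject: stamp timestamp not authentic"
    return "accept"

def make_dump(uid, otp, lock0, ts, key, mac=None):
    """Constructed sample dump (not a real card) for exercising the checks."""
    page0 = uid[0:3] + bytes([0x88 ^ uid[0] ^ uid[1] ^ uid[2]])
    page1 = uid[3:7]
    page2 = bytes([uid[3] ^ uid[4] ^ uid[5] ^ uid[6], 0x48, lock0, 0x00])
    if mac is None:
        mac = hmac.new(key, uid + ts, hashlib.sha256).digest()[:8]
    return page0 + page1 + page2 + otp + ts + mac + bytes(4 * 9)
```

A stamping machine that applies `validate` rejects a ticket whose OTP page was frozen, and the blacklist plus keyed MAC address the two backend weaknesses listed above; the UID check still only works for readers that are online or get the list pushed OTA.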