1. Man in the NFC
Build an NFC proxy tool from scratch
Haoqi Shan (presenting) and Qing Yang, 360 Unicorn Team; CODE BLUE
2. Agenda
• Who we are
• NFC & ISO14443A
• Competing tools
• Yet another wheel?
• What is UniProxy?
• Master and Slave
• Issues in development
• Thanks, Q&A
3. Quick Demo 1
4. Who we are
• Unicorn Team
  • Internal security research team of Qihoo 360, founded in 2014
  • Focus on wireless/hardware hacking and defense
  • Security research, hardware development and pentest divisions
  • A series of wireless research results published at DEF CON / Black Hat:
    • Low-cost GPS spoofing, DEF CON 23
    • LTE redirection attack, DEF CON 24
    • Attack on powerline communication, Black Hat USA 2016
    • "Ghost Telephonist", DEF CON 25 / Black Hat USA 2017
  • A series of hacking tools developed: HackID, HackID Pro, SafeRFID, HackNFC, etc.
  • https://unicorn.360.com
• Haoqi Shan
  • Wireless/security researcher
  • Has presented at Black Hat, DEF CON, HITB, CanSecWest and SyScan
5. NFC & ISO14443A
• NFC
  • 13.56 MHz
  • Low cost
  • Passive tags need no power supply of their own (they are powered by the reader's field)
  • Mature and widely deployed
• ISO14443A
  • Widely used
  • Supports many applications
  • Security ID cards, passports, bank cards
6. NFC & ISO14443A (figure only)
7. What we aim at
• ID cards
• Credit cards
• QuickPass (UnionPay) (*)
• Starbucks POS machines
• XX: "I thought this question has been solved like a thousand times"
• More like a hacker
8. QuickPass (figure only)
9. The way we used to hack
• Tools targeting the protocol layer
  • Proxmark III (the best RFID hardware)
  • ChameleonMini
• Tools targeting the data
  • NFCProxy
  • NFCGate
10. Why not?
• Proxmark III
  • Supports many protocols
  • Powerful
  • However, it can't hack a credit card on its own, or we would all be rich by now
• NFCGate / NFCProxy
  • Based on Android
  • Modified firmware to relay NFC data
  • Monitor the transmitted data
  • Rely on Wi-Fi
  • However, too much delay to complete the whole payment procedure
11. Yet another wheel
• Why do we need this tool?
  • Inspired by the brilliant hacking tools mentioned above
  • Faster (millisecond-level latency)
  • Larger range (50 m, even more)
  • Pure hardware solution (PN7462AU)
  • Highly customizable
  • Completely self-designed, so we can modify everything we need
12. What's UniProxy
• PN7462AU-based NFC relay/proxy device
• Supports the ISO14443A protocol
• Targets QuickPass (UnionPay) credit cards
• Reader emulator and card emulator
• Point-to-point wireless data transmission
• Easy to adapt to ISO 14443B / 15693
13. Core of UniProxy
• Why PN7462AU?
  • NXP chip
  • 20 MHz Cortex-M0 core
  • Read/Write, Card Emulation and Peer-to-Peer modes
  • Transmitter current up to 250 mA
  • Full MIFARE family support
• Architecture
  • Reader emulator / card emulator (PN7462AU)
  • nRF24L01 2.4 GHz radio (a transceiver) for the point-to-point link
  • Power supply
  • Antenna
14. PN7462AU (figure only)
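The point-to-point link on slides 12-13, as an added example (not the UniProxy firmware): Python framing that carries ISO 14443 frames and the card parameters of slide 18 over nRF24L01 packets. The 32-byte payload limit is a property of the radio; the header layout, message types, CRC trailer, parameter encoding and the sample ATQA/SAK/UID/ATS values are assumptions made for this example.

```python
"""Framing for ISO 14443 traffic over the nRF24L01 point-to-point link.

Added example, not the UniProxy firmware. Certain: an nRF24L01 packet carries at
most 32 bytes of payload, while an ISO 14443-4 frame can be up to FSD/FSC bytes
(256 for FSCI 8), so the master/slave link needs fragmentation on top of the radio.
Assumed: the header layout, message types, CRC trailer and parameter encoding.
"""
import struct
import zlib

NRF_PAYLOAD = 32                      # hard limit of the nRF24L01 payload
HDR = struct.Struct("<BBBB")          # msg_type, seq, frag_idx, frag_total (assumed layout)
CHUNK = NRF_PAYLOAD - HDR.size        # 28 data bytes per radio packet

MSG_PARAMS, MSG_BLOCK, MSG_END, MSG_RESET = 1, 2, 3, 4   # assumed message types


def fragment(msg_type: int, seq: int, payload: bytes) -> list:
    """Split one message into radio packets; a CRC32 trailer guards the whole payload."""
    body = payload + struct.pack("<I", zlib.crc32(payload))
    chunks = [body[i:i + CHUNK] for i in range(0, len(body), CHUNK)]
    if len(chunks) > 255:
        raise ValueError("message too long for an 8-bit fragment index")
    return [HDR.pack(msg_type, seq & 0xFF, i, len(chunks)) + c for i, c in enumerate(chunks)]


class Reassembler:
    """Rebuilds messages from packets; drops inconsistent fragments and bad CRCs."""

    def __init__(self):
        self.partial = {}   # seq -> [msg_type, total, {idx: chunk}]

    def feed(self, packet: bytes):
        """Feed one received packet. Returns (msg_type, payload) when a message completes
        and its CRC verifies, otherwise None (still incomplete, or dropped)."""
        if not HDR.size <= len(packet) <= NRF_PAYLOAD:
            raise ValueError("packet size outside nRF24L01 limits")
        msg_type, seq, idx, total = HDR.unpack_from(packet)
        entry = self.partial.setdefault(seq, [msg_type, total, {}])
        if entry[0] != msg_type or entry[1] != total or idx >= total:
            del self.partial[seq]          # mixed-up fragments: discard the whole message
            return None
        entry[2][idx] = packet[HDR.size:]
        if len(entry[2]) < total:
            return None
        del self.partial[seq]
        body = b"".join(entry[2][i] for i in range(total))
        payload, (crc,) = body[:-4], struct.unpack("<I", body[-4:])
        return (msg_type, payload) if zlib.crc32(payload) == crc else None


def pack_params(atqa: bytes, sak: int, uid: bytes, ats: bytes) -> bytes:
    """Master -> slave 'parameters' message (slide 18): what the card emulator needs to
    answer the real reader's anticollision and RATS the way the real card did."""
    if len(atqa) != 2:
        raise ValueError("ATQA is 2 bytes")
    if len(uid) not in (4, 7, 10):
        raise ValueError("UID is 4, 7 or 10 bytes (cascade level 1-3)")
    return atqa + bytes([sak, len(uid)]) + uid + bytes([len(ats)]) + ats


def unpack_params(blob: bytes) -> dict:
    """Inverse of pack_params, with length checks against truncated messages."""
    atqa, sak, n = blob[:2], blob[2], blob[3]
    uid = blob[4:4 + n]
    m = blob[4 + n]
    ats = blob[5 + n:5 + n + m]
    if len(uid) != n or len(ats) != m:
        raise ValueError("truncated parameter message")
    return {"atqa": atqa, "sak": sak, "uid": uid, "ats": ats}


def send_over_link(msg_type: int, seq: int, payload: bytes, rx: Reassembler):
    """Drive a message through fragment() into a receiver; models a lossless link."""
    result = None
    for pkt in fragment(msg_type, seq, payload):
        result = rx.feed(pkt) or result
    return result


if __name__ == "__main__":
    # Constructed sample values, not captured from a real card
    params = pack_params(b"\x44\x00", 0x20, bytes.fromhex("04a1b2c3d4e5f6"), bytes.fromhex("0578807002"))
    print(send_over_link(MSG_PARAMS, 1, params, Reassembler()))
    print(len(fragment(MSG_BLOCK, 2, bytes(range(200)))), "packets for a 200-byte block")
```

A 256-byte frame needs ten radio packets each way, which is where the "ms level" latency budget of slide 11 goes; the reassembler accepts fragments in any order but throws away a message whose fragments disagree or whose CRC fails, which is what the slave's "no data from reader emulator" branch on slide 23 then sees as a timeout.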
15. Master (front) (figure only)
16. Master (back) (figure only)
17. Process of Master (1) (figure only)
18. Process of Master (2): flowchart
1. Communicate with the card: ISO 14443A handshake, get the card's parameters
2. Send the parameters to the card emulator (slave)
3. Response received before timeout?
   • Yes: start block transmission
   • No: end
19. Process of Master (3): flowchart
1. Start block transmission
2. Wait for a response from the card emulator before timeout
   • No response: end
3. I-Block data?
   • Yes: forward the data to the real card and wait for the real card's response
     • Response before timeout: process it and forward it to the card emulator (loop)
     • No response: notify the card emulator that the communication has ended
20. Slave (figure only)
21. Process of Slave (1) (figure only)
22. Process of Slave (2): flowchart
1. Start interaction with the reader emulator (master) and wait for the card parameters
2. Init the card emulator with the received parameters
3. Reader nearby? No: keep polling
4. Start interaction with the received parameters: handshake with the real reader
5. Start block transmission
(the two "No" branches of the chart loop back to waiting)
23. Process of Slave (3): flowchart
1. Start block transmission
2. Data received from the real reader? No: keep waiting
3. I-Block data?
   • Yes: forward it to the reader emulator; after half of the waiting time, send a delay command (an S(WTX) frame-waiting-time extension) to the real reader
     4. Data received back from the reader emulator?
        • Yes: forward it to the real reader (loop to step 2)
        • No: flash the error LED, self reset, send the reset status to the reader emulator; finish
   • No: DESELECT command (S-Block)?
     • Yes: forward DESELECT to the reader emulator and send DESELECT to the real reader; finish
     • No: process the R-Block
24. Issues in development
• First byte of the UID
• Waiting / wakeup time
• I/S/R-Block data
• ISO 14443A Part 4 (ISO/IEC 14443-4, the half-duplex block transmission protocol)
• Power supply
• ...
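The master/slave flow of slides 18-23 and the waiting-time and I/S/R-Block items above, as an added example (not code from the talk or the UniProxy firmware): a Python model of one slave turn on a virtual clock, with ATS parsing to recover FWI, PCB classification, the S(WTX) "delay command" sent at half the waiting time, and the reset path when extensions run out. The ISO/IEC 14443-4 constants are from the standard; the link latency, card turnaround, WTXM, retry limit and the sample ATS and APDU bytes are assumptions.

```python
"""Timing model of the UniProxy block relay (master slides 18-19, slave slides 22-23).

Added example, not code from the talk or from the 360 Unicorn Team. The ISO/IEC
14443-4 constants (FWT unit, FWI range, WTXM range, PCB coding) are from the
standard; link latency, card turnaround, WTXM and the retry limit are assumptions.
"""
from dataclasses import dataclass, field

FC_HZ = 13.56e6
FWT_UNIT_S = 256 * 16 / FC_HZ     # ~302 us: FWT = unit * 2^FWI
FWI_MAX = 14                      # FWT max ~4.95 s
WTXM_MAX = 59                     # WTXM is 6 bits; 1..59 are valid
PCB_S_DESELECT, PCB_S_WTX = 0xC2, 0xF2   # S-block PCBs without the CID bit (0x08)


def fwt_seconds(fwi: int) -> float:
    """Frame Waiting Time the reader allows before it gives up on the card."""
    if not 0 <= fwi <= FWI_MAX:
        raise ValueError(f"FWI out of range: {fwi}")
    return FWT_UNIT_S * (1 << fwi)


def parse_ats(ats: bytes) -> dict:
    """Decode an Answer To Select: TL, T0, optional TA(1)/TB(1)/TC(1), historical bytes.
    The master learns FWI here and must hand it to the slave with the other parameters."""
    if not ats or ats[0] != len(ats):
        raise ValueError("TL does not match the ATS length")
    t0, i = ats[1], 2
    info = {"fsci": t0 & 0x0F, "fwi": 4, "sfgi": 0}   # FWI defaults to 4 when TB(1) is absent
    if t0 & 0x10:                                      # TA(1): bit-rate capabilities
        info["ta1"], i = ats[i], i + 1
    if t0 & 0x20:                                      # TB(1): FWI in the high nibble, SFGI low
        info["fwi"], info["sfgi"], i = ats[i] >> 4, ats[i] & 0x0F, i + 1
    if t0 & 0x40:                                      # TC(1): NAD / CID support
        info["tc1"], i = ats[i], i + 1
    info["historical"] = ats[i:]
    info["fwt_s"] = fwt_seconds(info["fwi"])
    return info


def block_type(pcb: int) -> str:
    """Classify a 14443-4 block by PCB bits b8 b7: 00 = I, 10 = R, 11 = S."""
    return {0b00: "I", 0b10: "R", 0b11: "S"}.get(pcb >> 6, "invalid")


def s_wtx_request(wtxm: int) -> bytes:
    """S(WTX) request the card emulator sends to stretch the reader's FWT by WTXM."""
    if not 1 <= wtxm <= WTXM_MAX:
        raise ValueError(f"WTXM out of range: {wtxm}")
    return bytes([PCB_S_WTX, wtxm])


@dataclass
class RelayTrace:
    """What the slave sent to the real reader for one reader block, and why."""
    sent_to_reader: list = field(default_factory=list)
    wtx_requests: int = 0
    reply_time_s: float = 0.0
    reset: bool = False
    deselected: bool = False


def slave_relay_block(reader_frame: bytes, card_reply: bytes, fwt_s: float,
                      link_one_way_s: float, card_turnaround_s: float,
                      wtxm: int = 8, max_wtx: int = 10) -> RelayTrace:
    """One turn of the slide-23 loop on a virtual clock that starts when the reader's
    frame ends. An I-block crosses the link twice and is answered by the real card, so
    its reply is ready only at link RTT + card turnaround. If that is later than the
    reader's timeout, the slave sends S(WTX) at half the current waiting time (the
    'delay command'); the reader's confirmation restarts its timer at FWT * WTXM.
    Too many extensions: give up and reset, as the error-LED path on the slide does."""
    trace = RelayTrace()
    pcb, kind = reader_frame[0], block_type(reader_frame[0])
    if kind == "S" and (pcb & 0xF7) == PCB_S_DESELECT:
        trace.sent_to_reader.append(bytes([pcb]))   # DESELECT response echoes the PCB
        trace.deselected = True                     # master deselects the real card too
        return trace
    if kind != "I":
        raise NotImplementedError(f"{kind}-block not modelled here: PCB={pcb:#04x}")
    reply_ready = 2 * link_one_way_s + card_turnaround_s
    window_start, window = 0.0, fwt_s               # reader's current timeout window
    while window_start + window < reply_ready:
        if trace.wtx_requests >= max_wtx:
            trace.reset = True
            return trace
        t_req = window_start + window / 2
        trace.sent_to_reader.append(s_wtx_request(wtxm))
        trace.wtx_requests += 1
        window_start, window = t_req, fwt_s * wtxm  # confirmation assumed instant
    trace.sent_to_reader.append(card_reply)         # real card's I-block, forwarded verbatim
    trace.reply_time_s = reply_ready
    return trace


if __name__ == "__main__":
    # Constructed sample: an EMV-style ATS (FSCI 8, FWI 7 -> FWT ~38.7 ms) and SELECT PPSE
    ats = parse_ats(bytes.fromhex("0578807002"))
    select_ppse = bytes.fromhex("0200A404000E325041592E5359532E444446303100")
    reply = bytes.fromhex("026F009000")   # constructed, not a real FCI
    for link_ms in (2, 15, 60):
        tr = slave_relay_block(select_ppse, reply, ats["fwt_s"], link_ms / 1000, 0.020)
        print(f"link {link_ms} ms one-way: {tr.wtx_requests} WTX, reset={tr.reset}")
```

The model makes the slide-10 complaint about Wi-Fi relays concrete: with a card that advertises FWI 4 (about 4.8 ms) every extra millisecond on the link costs S(WTX) round trips, and a reader that refuses the extension, or a retry budget that runs out, ends in the reset branch rather than a completed payment.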
25. Demo video
26. Defend
• Blocking sleeve
• RFID wallet
• RFID jammer
• 360 SafeRFID
• GuardBunny
All of these protect the card side. A relay forwards the card's genuine responses unchanged, so neither the reader nor the card's cryptography can tell the difference; keeping the victim's card out of reach of the attacker's reader emulator is what stops it.
27. Summary
• What we learned
  • Read the protocol documents carefully
  • Better not to develop without the vendor's official support
• Further work
  • Improve the transmission range to 100 meters
  • Target security ID cards: HID iClass, Chinese ID cards
  • Self-compatibility
  • How?
28. References
• NXP user guide UM10883: http://www.nxp.com/docs/en/user-guide/UM10883.pdf
• NFCGate: https://github.com/nfcgate
• NFCProxy: http://sourceforge.net/projects/nfcproxy
• ISO14443A: https://www.iso.org/standard/70172.html
29. Thanks
• Hardware dev division of Unicorn Team, especially Jian Yuan, Chaoran Wang and Yunding Jian
• Proxmark III
• NFCProxy
• NFCGate
30. Q&A
• Mail me: shanhaoqi@360.cn

Editor's Notes

1. Good afternoon, everybody. It's really great to meet you guys and share my work with you people. My name is Haoqi Shan. I'm a wireless/hardware security researcher from Unicorn Team, Qihoo 360, which is located in China. Initially I had a colleague to make the presentation with me, but unfortunately he had an issue with his visa. So I need to stand here on my own now. It's my first time to stand here and share my team's work; I hope someone can remember me and won't beat me for my poor accent and explanation. Today, I will explain and demonstrate to you guys how to build an NFC proxy tool from scratch. In the end, maybe some of you can get the skills to steal someone's money from his credit card and be rich. And please, don't tell anybody you learned it here. Let's step to our topic.
2. So here is the agenda of this presentation, and I just drew a simple architecture diagram. I will introduce my great team, lead you guys back to the old time when we tried hard to hack RFID, and get back to the old-fashioned but powerful tools we used to use. Then the details of the newest RFID hacking tool, my UniProxy, will be introduced. Two demos will be shown via video. This presentation is about how to build a tool, so I will focus more on the idea instead of hacking skills; I hope I won't let you guys down. BTW, this is the last presentation of today, so I will try to make this fast and fun and won't delay your, I don't know, fantasy trip? So here is the first quick video of my hacking tool, to let you guys have a simple impression of UniProxy.
3. After the quick demo video of UniProxy, which was recorded in a test environment, I would like you guys to give me a minute to introduce our great team and allow me to give them some credit, because they did a lot of work designing and manufacturing this proxy tool. My team's name is Unicorn Team, from Qihoo 360, China. We are the internal security research team, founded in 2014, and my team focuses on wireless and hardware security research. Currently we have three divisions: one for wireless/hardware security research, one for hardware development, and one for regular pentest work. We have had a series of security research results published and presented since the beginning of our team. Blablabla, I guess you guys are tired of my bluffing, so let's skip to the next page.
4. I believe you guys are not inexperienced in near field communication hacking, because it's widely used in our modern life: your credit card, your ID card, your security door card, and it is widely deployed in the military and at airports. The NFC card doesn't need power itself; it takes power from the reader. There are many protocols used in NFC cards, ISO 14443, ISO 15693, etc. But for now, we only focus on ISO 14443 as an example. The ISO 14443 protocol is basically the most popular protocol in NFC cards, and it supports many applications. In China, the security card, the passport, and the bank card with chip and PIN use the ISO 14443 protocol to communicate with the reader. The wide usage leads to a lot of attacking methods aimed at NFC cards, and me too.
5. So why do we want to hack an NFC card? As we mentioned before, we are hackers, and of course we want to fake someone's security card to enter some forbidden area. And also, some people might want to use other people's credit cards instead of theirs, which I highly recommend you don't do. For me, there is another story: my company is a huge company in China and has a strict rule to make sure the staff start and finish work on time. Everyone in my company has a unique security ID card, and the security system logs the time when you open any gate of the company. Thus, your boss will easily know whether you are late or not. If you are late for work, you're gonna lose your salary. So I was thinking, maybe I can build a tool to fake my ID card and place it near some secluded door with a reader, so I don't have to get up early every day. But we are a security company; actually the security system is designed by our team, so that's awkward: we use HID cards as our ID cards. I don't know any easy way to fake my ID card because we can't break the security protocol. Then I just thought, maybe I can build a proxy tool to transfer the signal between the reader and my card, then turn near into far away so I can sleep well. Then I was thinking, I can use the same way on credit cards with chip and PIN; you guys do have chip and PIN credit cards to buy something by just tapping somewhere, and you don't need any password. It's also based on NFC tech, so we are able to hijack it.
6. Let's just have a quick review of what we used to hack NFC cards: we use the Proxmark III, which is the best RFID hacking tool ever; we can hack low frequency and high frequency with one tool. We also use ChameleonMini,
7. So what is UniProxy? I believe you guys have a clear view now. It's a PN7462AU-based NFC proxy device, which aims at the NFC cards you can't break and clone. Currently, this device only supports the ISO 14443A protocol. But it can easily be extended to some other protocols as long as the chipset supports them. Now this device is targeting the QuickPass credit card. UniProxy contains two parts, the master one and the slave one. The master part is a reader emulator and the slave one is a card emulator. The payment information will be transferred between master and slave via the 24L01 chipset, which means it's point-to-point wireless data transmission. As I just mentioned, it's easy to adapt to ISO 14443B/15693 standard NFC cards.
8. So here is the core of UniProxy: we use the PN7462AU chipset as the core. It's an NXP chip and supports the full MIFARE family of cards. It can read, write and emulate a card. Quite powerful. And it's a rarely used chip in hacking tools, thus it is not easy for us to find documents and examples on how to use it. Needless to say, we didn't buy the service of NXP, so we don't have any official support. But we are hackers, right? So the architecture of UniProxy is as shown on the screen; it's simple. We used a quite simple electric circuit design which is slightly modified from the NXP official recommendation. So don't worry about the hardware design. It's not a big issue. The chipset is highly integrated and very powerful. That's also the reason we chose this one.
9. So, this is the front face of our UniProxy tool. You can see the NFC antenna here; sorry about that, I used a pen and my iPad Pro to do the marking because I'm not good at using PowerPoint. So this is the antenna with a team logo on it. In the left corner, you can see the power supply circuit. This tool is powered by a lithium battery and is also chargeable. So you can take this outside to do some hacking without any notice. In the right corner, you can see the 24L01 chip module; we use the 24L01 to communicate between master and slave. I don't know if you guys can see the core chip, the NXP chip, under the end of the arrow; it's a little bit dark. So you can see the hardware of this hacking tool isn't complicated at all. With the official recommended design, everybody can draw a layout and build the same one.
10. So this is the back side of the master part, nothing else, just the back of the antenna and a lithium battery. After the hardware design,
11. After the hardware design introduction, let's step to the software process of our hacking tool. Actually, in my opinion, I really believe the source code can explain everything. When I was going to make this presentation, I thought, let's just make this open source and voilà, I can just play around. But as you know, it's not my own work and it's "Company Property". That's why I need to stand here and only present a few source code screenshots, which makes me feel sorry. Just back to the topic. So firstly you need to initialize the reader library API, then there will be a loop to put our chip in sniffing mode; it will detect any RF field with a 14443 protocol around, and if there is one, the code will go to the handshake step.
12. So our master part, as you know, a reader emulator, will try to run the handshake routine with the card which just fell into its RF range. After the handshake, our master part will get the parameters of this card and set a timeout number, then it will pack and transfer all the raw data to the card emulator immediately. Then the master just waits to receive the data which comes back from the slave before it times out. If everything is OK, the whole routine will just start the block transmission.
13. This is the block transmission routine, also the last routine of our master part. When it starts to transmit block data, it will just wait for a response from the card emulator before the timeout, then just forward the data it just received from the card emulator and wait for the response from the real card. If there is something wrong with the real card and it didn't get a response before the timeout, the master will notify the slave that the communication is ended. Otherwise our emulator will get the response from the real card; if it isn't I-Block data, it isn't a real data package carrying some important information, so we can just process it and directly respond to the real card. In the other case, the I-Block data will be directly forwarded to the card emulator, thus forming a loop, until the whole process is ended.
14. So this is the front photo of the slave part of our hacking tool. Now you can notice the hardware design is totally the same as the master one. Both of them have the same modules, the same parts. The only difference is the software design.
15. The process of our slave part just corresponds to the master one, or we wouldn't call them master and slave. After the start of our hardware, the program will init the card emulator function and try to receive 14443 parameters from the 24L01; as we described before, they come from our reader emulator. Once it gets the parameters, the slave will send a success command response back to the master part and notify it
16. So here is the second part of the slave software design. The slave will start interaction with the reader emulator and init the card emulator with the received parameters. If there is a real reader nearby, the slave part, aka card emulator, will start interaction with the real reader using the received parameters. Then it will act like a real card to make the handshake with the real reader. Then, corresponding to our master part, start the block transmission.
17. The card emulator is much more complicated than the reader emulator in terms of software design. After the start of block transmission, the card emulator will receive data from a real reader. If the data is not I-Block data, the slave will detect if it's a DESELECT command; if it is, just forward it to the reader emulator and send this command to the real reader; this process saves time. If it's not an S-Block but instead R-Block data, the card emulator will just process it by itself. Back to the upper level, the card emulator will just forward the data to the reader emulator and send a delay command after half the waiting time; this action levels up the success rate very efficiently because there will always be some unexpected delay. Then the slave will receive data from the reader emulator and forward it to the real reader. All the actions form a loop and cooperate with the reader emulator and finally finish the whole transmission. In the end you can be rich.
18. The principle which I just described is very simple, but I would like you to know there were a lot of issues that occurred in the development. So I'd like you to have an impression so you won't get stuck there when you make a new proxy tool. First, the chipset we use can't change the first byte of the UID; it's burned in the firmware and we didn't find a way to modify it in our long-time testing. But luckily, we don't need the UID because most money-related applications won't check the identity of the card with the UID. On the other hand, I think this is a good way to prevent this kind of proxy attack. Secondly, the waiting/wakeup time is a real issue when you develop an NFC proxy tool. As you know, the NFC card doesn't carry power; it uses the power from the reader. If the card hasn't received any response from the reader, it will lose power and turn off, and apparently the whole attacking process has just failed. So please remember to modify the wake-up time when you are programming. Remember the hacking tool NFCGate, which we mentioned in the beginning? I also tested it many times, but it didn't consider the wake-up time, so that would be a major reason for the failure, I think. Thirdly, in order to speed up the whole process, we don't need to transfer all kinds of data between the reader emulator and the card emulator; we just need to transfer I-Block data and directly process S/R-Block data and respond to the real one. This is also mentioned in ISO 14443A Part 4; please read it carefully. And also, the power supply might cause
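The block handling in notes 13 and 17 and the waiting-time issue in note 18 are exactly what a reader-side defender can observe: a proxy has to ask for extra time (the S(WTX) "delay command") or answer late. The C snippet below is an added example, not UniProxy firmware or any code from the talk: it classifies ISO 14443-4 blocks by their PCB byte, derives FWT from FWI, and flags a session where the card keeps requesting WTX or answers late. The two sample sessions, the FWI value and the thresholds in `looks_relayed` are constructed assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ISO 14443-4 block classes, decoded from the PCB byte (the first byte of every block). */
typedef enum { BLK_I, BLK_R_ACK, BLK_R_NAK, BLK_S_DESELECT, BLK_S_WTX, BLK_UNKNOWN } block_t;

block_t classify_pcb(uint8_t pcb) {
    switch (pcb & 0xC0) {
    case 0x00: return BLK_I;                                  /* b8b7 = 00: I-block, carries the APDU */
    case 0x80: return (pcb & 0x10) ? BLK_R_NAK : BLK_R_ACK;   /* b8b7 = 10: R-block, b5 = NAK flag */
    case 0xC0: return ((pcb & 0x30) == 0x30) ? BLK_S_WTX      /* b8b7 = 11: S-block, b6b5 = 11 is WTX, */
                    : ((pcb & 0x30) == 0x00) ? BLK_S_DESELECT : BLK_UNKNOWN; /* b6b5 = 00 is DESELECT */
    default:   return BLK_UNKNOWN;
    }
}

/* Frame Waiting Time in microseconds: FWT = (256 * 16 / fc) * 2^FWI, fc = 13.56 MHz (ISO 14443-4). */
double fwt_us(uint8_t fwi) { return 302.06 * (double)(1u << (fwi & 0x0F)); }

/* One card-to-reader block as a reader could log it: PCB, first INF byte, delay since the reader's command. */
typedef struct { uint8_t pcb; uint8_t inf0; double latency_us; } captured_block_t;
typedef struct { unsigned i_blocks, wtx_requests, late_i_blocks; } relay_stats_t;

void tally_block(relay_stats_t *st, const captured_block_t *b, uint8_t fwi) {
    switch (classify_pcb(b->pcb)) {
    case BLK_I:
        st->i_blocks++;
        if (b->latency_us > fwt_us(fwi) / 2.0) st->late_i_blocks++; /* answered in the second half of FWT */
        break;
    case BLK_S_WTX: st->wtx_requests++; break; /* card asked for more time; its INF byte holds WTXM */
    default: break;
    }
}

/* Heuristic verdict (an assumption, not a rule from the standard): a card sitting on the reader answers
   well inside FWT and seldom sends S(WTX); a relayed session shows WTX on most exchanges or late I-blocks. */
int looks_relayed(const relay_stats_t *st) {
    if (st->i_blocks == 0) return 0;
    return st->wtx_requests >= st->i_blocks || st->late_i_blocks * 2 > st->i_blocks;
}

int assess_session(const captured_block_t *blocks, size_t n, uint8_t fwi) {
    relay_stats_t st = {0, 0, 0};
    for (size_t i = 0; i < n; i++) tally_block(&st, &blocks[i], fwi);
    return looks_relayed(&st);   /* 1 = suspicious, 0 = looks like a card on the reader */
}

/* Constructed sample sessions (not real captures); FWI = 7 gives an FWT of about 38.7 ms. */
static const captured_block_t GENUINE_SESSION[] = { {0x02, 0x00, 1200.0}, {0x03, 0x00, 900.0}, {0xC2, 0x00, 300.0} };
static const captured_block_t RELAYED_SESSION[] = { {0xF2, 0x01, 19500.0}, {0x02, 0x00, 41000.0},
                                                    {0xF2, 0x01, 19500.0}, {0x03, 0x00, 39000.0} };
#define SESSION_LEN(s) (sizeof(s) / sizeof((s)[0]))
```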
  19. defend