
Today I'm going to speak to you about how to proxy NFC comms. So first, a bit about me. I studied Computer Engineering at Tuks, so that focuses on the hardware and the software side, and I really enjoyed it. Then I did an internship at MWR, enjoyed that even more, and I'm now a security consultant at MWR InfoSecurity, also on their mobile team, so I enjoy Android, iOS and all the new stuff that's coming out. Lately I did some Xamarin; it's really, really interesting.

So I'm going to speak to you about the four W's today. Firstly the overview I'm going to give you, just a brief overview of NFC and basically why I did what I did, and a brief interview before that; then why it was necessary, why I had to do this research; what was created, what's born out of this research; and the improvements that still need to be made to this. During my talk I quite enjoy questions, so if you want to, just feel free to throw them and we can do them.

I guess most of you have seen this symbol before. It's the newer contactless payment symbol: basically you take your card, you tap for something, and you pay for it immediately without even entering a PIN. So we can see that this is a very convenience-driven payment implementation, so convenient in fact that I recently read an article that in the UK they are actually petitioning contactless payments due to the fact that people can't keep track of all the money they're spending now. We can also see that it's a relatively new standard. Even though the first actual contactless payment was done in 1997, the official communication protocol was only ratified in 2008, so that's fairly new in protocol standards, and we can see that this is a new physical communication medium for an already existing communication protocol called EMV.

So what is EMV? When I tell my friends and family that are non-technical that I did a bit of research into EMV and everything that surrounds it, they're like, okay, electromagnetic something? I don't know. What it actually stands for is Europay, MasterCard and Visa. These three companies came together in 1994 and they saw that there was really no standard way of doing anything in the card payments industry, so they came together, they standardised this, they wrote the communication protocols, they started implementing security in this, and yeah, made the world of the card payment industry just a better place. Later on we saw some other well-known issuers joining the fray. They also started implementing EMV in their products; they wanted to give their clients the standard of security that EMV provided, and today we see over 23 card issuers that are part of EMV.

So EMV is quite a large product spectrum. Most of us know of it from the POS devices where we use it every day with our bank cards, and in the ATMs. Besides POS devices it is also used in their mobile counterparts, mobile POS devices, and also the newer contactless POS devices. There are a couple of non-payment places where it's also visible: the SIM cards in your cell phones actually also use EMV, and the smart cards that you use for your digital TV stuff also use EMV for communication.

So what is EMV actually? Most of us here are developers, we know what a communication protocol is, but just in case there is somebody: it's just a system of rules that allow two entities to communicate with each other. We can basically compare it to Morse code. To communicate with Morse code you can use any medium: smoke, sound, you can shine lights at each other. It does not matter how it was sent, just that the message was sent and the format that the dashes and the dots came through in. So just like Morse, EMV doesn't rely on what type of medium it's being sent over. The contactless research that I did is in essence just the same EMV messages, the same protocol, just over a different physical medium. Therefore I saw that some of the vulnerabilities that were found in the actual ICC part of the transactions, the actual chip and PIN, might also be present in the contactless counterparts.

So we can really see that EMV was designed with security in mind, as the protocol is very, very secure, and it is currently the most complex solution that has been found yet in the history of the payment card industry. If you just look at it roughly: in the 1950s we were issued with a plastic card with just a number on it, and people thought you wouldn't be able to clone that, because nobody can make their own plastic cards, right? So people started making their own stuff and produced fraud. They then started obfuscating the data on mag stripes, and the mag stripes people also thought were the Holy Grail, because nobody really knows how it works. Eventually people started figuring out that just by hacking apart an old tape recorder you would be able to read and write your own mag data, so that was also null and void. So they later on went to microprocessors on the chips, which EMV then took over in 1994.

So we can see that EMV requires an active component. That is what that little chip is on the card: it's actually a small computer using EMV as the communication protocol, and it's got different applications on it, applications like either your DStv decoder or, say you've got a card, either your credit card or your debit card application. The thing that makes chip and PIN actually secure is the fact that it stores transaction data internally in an encrypted format, and it also generates a unique cryptogram with every transaction, so that just adds a bit of randomness to every transaction that you're doing.

So moving on: when thinking about the actual EMV chips and attacking them, there are two ways to attack them. You can either attack on a hardware layer or you can attack on a software layer. To attack the EMV chip on a hardware layer would involve you physically decapping the chip. This is some form of reverse engineering where you rip apart the chip and hope you don't hit the anti-tampering stuff. This is a very specialised process, and if you want to do it properly it sometimes even requires particular microscopes and stuff to do it, so it requires you to know what you're doing, and very few people in the world actually know how to do this right. So direct attacks on this are very costly and hard to implement, and it didn't really seem like a feasible attack path in the beginning.

So it's much easier to attack EMV on the software layer. As with any code that is implemented, bugs might arise, errors might arise; in essence the human implementation might make something insecure that was designed to be secure. If you think of a web app as an example: EMV can be seen as the TLS encryption that is used, the server can be seen as either the POS device or the DStv decoder or the ATM or whatever the device is, and the application can be compared to the web app. When a website is exploited you don't really see attackers go and try to attack the TLS. Yeah, sometimes you do, but that's not very common. The attackers usually go for the lower-hanging fruit, like attacking the actual application itself: CSRF, XSS, SQL injection, all that. So that's what we also decided to do.

We could see that researchers actually started focusing on this as well. In 2010 the researchers at Cambridge found a vulnerability that actually allowed them to complete transactions without authentication: without entering the PIN they were able to just send back a "PIN accepted" command, the terminal would accept it, and they would get their goods or money. Our research as well found system-level flaws in POS devices and mobile POS devices; I'll speak a bit about that later. In 2014 researchers at Cambridge again found a pre-play attack, which was just a poor implementation of that random cryptogram that I said adds randomness; in fact the randomness was just a counter. And then in 2016, this year, hackers at DEF CON presented that the actual POS devices were communicating with the backends through an unencrypted channel, which is actually quite bad if you were able to intercept that. So we also started focusing our research on that.

At MWR Labs we have a nice research platform where we publish all that stuff, and as part of that we decided also to start looking at POS devices and stuff like that. So by looking at the POS terminal in general, we can see that it has a specific application running on it, usually issued by the bank or the retailer. It has an OS on it, just normal; it's usually an ARM7, or I think the new ones are even ARM11, and that's usually a Unix-based operating system. Then you've got the EMV kernel that handles the communications and handles some of the security protocols, and then you've got the physical medium which you just use as an entry point, so that's either contact or contactless for EMV, but the normal POS devices also have USB or Bluetooth, depending on what terminal you're using and what technology is available.

So to actually attack something through EMV you would physically need to be able to send the POS device commands. Sorry, that was supposed to be a slide. So yes, to actually be able to send the device commands, you would need to be able to program something that would be able to send the EMV commands. For that we used a Java Card, which is basically just a reprogrammable chip card which you can use to debug or write your own applications on. The testing process involved us actually taking the card, putting it in the device, recording some data, altering the data, taking it out, reading it back into the computer, reading the data, altering the data, analysing the data, taking it out, putting it back in the POS machine, taking it out, putting it in the computer, taking it out, putting it in the POS machine, taking it out, putting it in the computer. So yeah, it worked in the end: we got results from that, we got the thing to crash, and eventually got a memory corruption vulnerability that led to system-level access.

With this system-level access, being the hackers that we are, we wrote a game for the POS device. You put your card in, it would trigger the memory corruption vulnerability and then it would actually program a game in. This one was on a normal chip and PIN, a normal POS device, and it was called Pin Pad Racer. It was presented by a researcher from us at DEF CON in, I think, 2012. As you see with the infection and retrieval cards, we would also be able to infect the devices with malware that during the day, like in the morning, you insert your card, it would gather and harvest all the PINs and all the mag data and all the chip data, and at the end you would take another card, you would retrieve it, and then you have a lot of PINs and card data. The second one that I want to show you is something that we did on mobile POS devices. These are much newer, yet we found a similar memory corruption vulnerability and were able to exploit it. Here you can see a Flappy Bird clone called Chippy Pin that we wrote. Yeah, it's quite fun.

So that got me wondering: if these vulnerabilities are available on all the interfaces, they should also be available on the contactless interface as well. So moving over to the contactless interface, the first thing that I checked was actually looking at the NFC cards and the data that they actually have on them. I went around the office and got a random batch of cards from everybody that had NFC cards. What I found was that some of the cards actually displayed ample amounts of data and other ones were actually quite secure, so this led me to believe that it is actually an implementation fault; it seems to be changeable. So on some cards, and that's actually my card, just by tapping you can see my last two transactions, you can see my track 2 equivalent mag stripe data, you can see my name, you can see the application data from the issuer, you can see the cryptogram that's going to be used. So yeah, quite severe, and that's just by brushing up against me.

Something that we saw was that all of the devices that we tested were actually PCI compliant. So what is PCI compliance actually? It's costly assessments that basically just tell you if a device is functioning as it should in a certain range of criteria. What it actually does not do is look at how the device handles unintended input. All of the devices that we actually found the vulnerabilities in were PCI compliant, they had the PCI seal on them, so yeah, it doesn't really mean that much currently. In the future it might mean more, but currently it doesn't mean that much.

So to be able to actually test these vulnerabilities we needed to start fuzzing: fuzzing the protocol and fuzz testing the devices. Fuzz testing is basically the process of supplying the application with large amounts of semi-random data that it would not normally expect. In order to test a large number of devices, well, I explained the process previously: we were tired of actually removing the cards, entering, removing, entering, so we actually built a research platform for the contact stuff. This was our research platform, designed by one of our engineers. It allowed us to just sniff and alter and fuzz the data and actually automatically insert and take out the card for us, so we could just program a bunch of test cases that we wanted and leave it to do its magic, come back after coffee or your lunch, and then we would have a crash or similar results.

So having looked at how the previous devices work, I really thought it was necessary that we keep up with the technology and actually still look at this new attack surface that the newer POS devices give us. It's fairly unknown, the communication protocol is still altered very, very regularly, so we can see that not a lot of knowledge has gone into this. So then I started extending my research onto this.

So why Android? I decided to look at contactless. All of you know that contactless uses NFC as the technology to communicate. I looked at either hardware or software attack vectors, and I really wasn't keen to do six months of hardware research on this, so I just quickly built an app over the weekend, because we had the full NFC stack already there in Android. Like I said, we rather wanted to do software than hardware; it's easier to redistribute as well, Android actually provides us extra functionality as well, and it is already available. I mean, anybody in this room, I guess, would actually have an NFC reader on their phone and would be able to look at card data if they really wanted to. So this really reduced my research time, not having to delve into the actual hardware side of this, and Android provides a full stack of NFC for us, a full plethora of NFC modes that it actually works with. In the end I came up with one device to rule them all, something that can test the cards, can test the device, and can proxy communications.

So to be able to effectively do our research, I developed this contactless research platform to be able to intercept communications between the card and the POS device, due to the fact that going the hardware route, or actually going through the IM side of this, seemed a bit difficult and something that would actually waste time rather than add any wealth to this research. So we rather wanted to intercept it via the Android platform. To intercept NFC, this platform would allow you to intercept communications between a card and a device, meaning you can emulate the device to do whatever you tell it to do and then send fuzz data to the card. This would also allow you to fuzz a device as if you were a card, so fuzzing the actual device itself and looking at different entry points. And it would also, like I said, allow you to intercept the communications of an actual transaction stream that's going on, just to see what's going on between the two devices.

So just to give you an example of a normal NFC transaction: firstly the Android device selects the PPSE. This is basically just telling the card, hey, I'm here, I want to communicate with you. The card would then respond with the application identifier, the AID. This contained all of the applications that were currently on the card, meaning either the credit card application or the debit card application. The device would then select the application and send the response back, and the card would then respond with something called the PDOL, which is the processing options data object list, and also the get processing options information. This allowed the device to understand what is further in the card. The device then initiates an application process, and then the card responds with the goodies, which would be the unwanted stuff: the track 2 data, or the transaction information. It also sends the actual file system of the card through, which is the application file locator. Then you can go and start requesting entries out of the application file locator, and it would give you even more information on the card. It would respond, and then you can just basically loop until you're done. So yeah, that's basically what this does.

So looking at that previous stuff we did, that can be done in about 50 lines of code, getting all of this information: basically just receiving an intent from the Android application that an NFC device has been detected and then just responding with all the correct information would give you all of this. I wouldn't want my data to be floating around, which it currently is, that specific data. So yeah, it is quite bad.

So to look at some of the improvements that I could make, some of the stuff that I've noticed: EMV is quite sensitive to timing. I'm currently busy implementing research done by a security researcher from PwC Netherlands. He looked at the proxy side of this before, where he actually caches the data on the one device so that it doesn't have to make so many requests for the card data between the two devices. Another thing that I actually wanted to do: having used Burp before, I know what I would like in something that intercepts and catches information, so I'm going to try and make it modular, add modularity so that people can actually add their own code, their own logic and their own parsers of the data, whatever they want to do to make it fuzz better. And then also just some general performance improvements. I saw that it lost performance at certain stages during the transaction, so just basically improving that. Something that I also didn't mention was that for the two Android devices, I found that the best way for them to communicate was over Wi-Fi peer-to-peer. This was easy to implement, like I said Android gives us the option to do this, and it's quite fast, but not fast enough for some of the EMV timings, but like I said, just implement local caching and I'm going to try and sort that out.

So in summary, we can see that there are various NFC standards that exist, we can see that there are various implementations of EMV and NFC, and there are various implementations of where this can actually be used. Another use case that I thought of was maybe actually using this to fuzz card readers for access control, and maybe just seeing if I can't get something like the cool CSI plug-over box going that runs a bunch of numbers and then eventually just opens the door for me. And the last point that I just saw was that Android actually proves a viable method to proxy NFC comms. And yeah, that's what I've got. [Applause]
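The exchange the talk walks through (SELECT PPSE, SELECT AID, GET PROCESSING OPTIONS, then READ RECORD over the application file locator), as an added worked example that is not part of the talk or of the speaker's Android tool. Both sides are simulated in one Python file: `SimCard` is a constructed card (the PAN 4111111111111111, the cardholder name, the expiry, the AIP bits and the terminal values are all made up, and its "cryptogram" is a stand-in built from the unpredictable number and the ATC, not a real application cryptogram). The PPSE name, the Visa AID and the APDU/tag encodings are the ones EMV contactless kernels use. The reader only ever talks through a `transmit` callable, which is the seam where a relay between two phones would sit.

```python
"""Simulated EMV contactless exchange: SELECT PPSE -> SELECT AID ->
GET PROCESSING OPTIONS -> READ RECORD over the AFL.  Card and reader are
both simulated in-process with constructed data (not a real card)."""
from __future__ import annotations
from typing import Callable

SW_OK = b"\x90\x00"
PPSE = b"2PAY.SYS.DDF01"                        # contactless PSE name (real value)
AID = bytes.fromhex("A0000000031010")           # Visa credit/debit AID (real value)


# ---- BER-TLV helpers (tags up to 2 bytes, short and long lengths) ----------
def _read_tag(d: bytes, i: int) -> tuple[int, int]:
    tag = d[i]; i += 1
    if tag & 0x1F == 0x1F:                      # more tag bytes follow
        while True:
            tag = (tag << 8) | d[i]; i += 1
            if not d[i - 1] & 0x80:
                break
    return tag, i

def _read_len(d: bytes, i: int) -> tuple[int, int]:
    n = d[i]; i += 1
    if n & 0x80:                                # long form: 81 nn / 82 nn nn
        k = n & 0x7F
        n = int.from_bytes(d[i:i + k], "big"); i += k
    return n, i

def tlv_encode(tag: int, value: bytes) -> bytes:
    t = tag.to_bytes((tag.bit_length() + 7) // 8, "big")
    n = len(value)
    ln = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return t + ln + value

def tlv_parse(d: bytes) -> list[tuple[int, bytes]]:
    """One level of TLV objects; skips 00/FF padding between objects."""
    out, i = [], 0
    while i < len(d):
        if d[i] in (0x00, 0xFF):
            i += 1
            continue
        tag, i = _read_tag(d, i)
        n, i = _read_len(d, i)
        out.append((tag, d[i:i + n])); i += n
    return out

def _constructed(tag: int) -> bool:             # bit 6 of the first tag byte
    return bool((tag >> (8 * ((tag.bit_length() - 1) // 8))) & 0x20)

def tlv_flatten(d: bytes, out: dict[int, bytes] | None = None) -> dict[int, bytes]:
    """All primitive tags, depth first; a repeated tag keeps its last value."""
    out = {} if out is None else out
    for t, v in tlv_parse(d):
        if _constructed(t):
            tlv_flatten(v, out)
        else:
            out[t] = v
    return out

def dol_parse(dol: bytes) -> list[tuple[int, int]]:
    """A DOL (e.g. the PDOL, tag 9F38) lists tag+length pairs with no values."""
    out, i = [], 0
    while i < len(dol):
        tag, i = _read_tag(dol, i)
        n, i = _read_len(dol, i)
        out.append((tag, n))
    return out


# ---- constructed card --------------------------------------------------------
class SimCard:
    """One application, two records, a transaction counter; all values made up."""
    def __init__(self) -> None:
        self.atc = 0x0041
        self.afl = bytes.fromhex("08010100" "10010100")   # SFI 1 rec 1..1, SFI 2 rec 1..1
        self.records = {
            (1, 1): tlv_encode(0x70,
                tlv_encode(0x57, bytes.fromhex("4111111111111111D2512201000000000F"))  # track 2 equivalent
                + tlv_encode(0x5A, bytes.fromhex("4111111111111111"))                # PAN (test number)
                + tlv_encode(0x5F24, bytes.fromhex("251231"))                        # expiry YYMMDD
                + tlv_encode(0x5F20, b"DOE/JOHN")),                                  # cardholder name
            (2, 1): tlv_encode(0x70, tlv_encode(0x5F28, bytes.fromhex("0710"))),    # issuer country
        }

    def process(self, apdu: bytes) -> bytes:
        cla, ins, p1, p2 = apdu[0], apdu[1], apdu[2], apdu[3]
        data = apdu[5:5 + apdu[4]] if len(apdu) > 5 else b""
        if (cla, ins) == (0x00, 0xA4):                         # SELECT by DF name
            if data == PPSE:                                    # FCI lists the application(s) and their AIDs
                app = tlv_encode(0x61, tlv_encode(0x4F, AID) + tlv_encode(0x50, b"SIMCARD"))
                return tlv_encode(0x6F, tlv_encode(0x84, PPSE) + tlv_encode(0xA5, tlv_encode(0xBF0C, app))) + SW_OK
            if data == AID:                                     # FCI carries the PDOL the card wants filled in
                pdol = bytes.fromhex("9F6604" "9F0206" "9F3704" "5F2A02")   # TTQ, amount, UN, currency
                return tlv_encode(0x6F, tlv_encode(0x84, AID) + tlv_encode(0xA5, tlv_encode(0x9F38, pdol))) + SW_OK
            return b"\x6A\x82"                                  # file not found
        if (cla, ins) == (0x80, 0xA8):                         # GET PROCESSING OPTIONS
            pdol_data = tlv_flatten(data).get(0x83)
            if pdol_data is None or len(pdol_data) != 16:
                return b"\x67\x00"                              # wrong length
            self.atc += 1
            atc = self.atc.to_bytes(2, "big")
            body = (tlv_encode(0x82, b"\x19\x80") + tlv_encode(0x94, self.afl)      # AIP, AFL
                    + tlv_encode(0x9F36, atc)
                    + tlv_encode(0x9F26, pdol_data[10:14] + atc + b"\x00\x00"))    # stand-in, NOT a real cryptogram
            return tlv_encode(0x77, body) + SW_OK                # format 2 response
        if (cla, ins) == (0x00, 0xB2):                         # READ RECORD: P1 = record, P2 = SFI<<3 | 4
            rec = self.records.get((p2 >> 3, p1))
            return rec + SW_OK if rec else b"\x6A\x83"          # record not found
        return b"\x6D\x00"                                      # INS not supported


# ---- reader side --------------------------------------------------------------
TERMINAL = {                                    # constructed terminal-side PDOL values
    0x9F66: bytes.fromhex("36000000"),          # terminal transaction qualifiers
    0x9F02: bytes.fromhex("000000001000"),      # amount 10.00
    0x9F37: bytes.fromhex("DEADBEEF"),          # unpredictable number (fixed here, random in a real terminal)
    0x5F2A: bytes.fromhex("0710"),              # currency code (ZAR)
}

def select_apdu(name: bytes) -> bytes:
    return b"\x00\xA4\x04\x00" + bytes([len(name)]) + name + b"\x00"

class Reader:
    """Drives the exchange; `transmit` is the card, or a relay to one."""
    def __init__(self, transmit: Callable[[bytes], bytes]) -> None:
        self.transmit, self.trace = transmit, []            # trace keeps every (C-APDU, R-APDU)

    def _xfer(self, apdu: bytes) -> bytes:
        rsp = self.transmit(apdu)
        self.trace.append((apdu, rsp))
        if rsp[-2:] != SW_OK:
            raise RuntimeError(f"{apdu.hex()} -> SW {rsp[-2:].hex()}")
        return rsp[:-2]

    def run(self) -> dict:
        aid = tlv_flatten(self._xfer(select_apdu(PPSE)))[0x4F]               # 1. SELECT PPSE -> AID
        pdol = tlv_flatten(self._xfer(select_apdu(aid))).get(0x9F38, b"")    # 2. SELECT AID -> PDOL
        pdol_data = b"".join(TERMINAL.get(t, b"").ljust(n, b"\x00")[:n] for t, n in dol_parse(pdol))
        tags = tlv_flatten(self._xfer(b"\x80\xA8\x00\x00" + bytes([len(pdol_data) + 2])
                                      + tlv_encode(0x83, pdol_data) + b"\x00"))  # 3. GPO
        if 0x80 in tags:                                    # format 1 response: 80 = AIP || AFL
            tags[0x82], tags[0x94] = tags[0x80][:2], tags[0x80][2:]
        afl = tags[0x94]
        for i in range(0, len(afl), 4):                     # 4. READ RECORD for every AFL entry
            sfi, first, last = afl[i] >> 3, afl[i + 1], afl[i + 2]
            for rec in range(first, last + 1):
                tags.update(tlv_flatten(self._xfer(bytes([0x00, 0xB2, rec, (sfi << 3) | 4, 0x00]))))
        return {"aid": aid.hex().upper(), "pan": tags[0x5A].hex(),
                "name": tags[0x5F20].decode("ascii").strip(), "expiry": tags[0x5F24].hex(),
                "track2": tags[0x57].hex().upper().rstrip("F"),
                "atc": int.from_bytes(tags[0x9F36], "big"), "cryptogram": tags[0x9F26].hex().upper()}

if __name__ == "__main__":
    reader = Reader(SimCard().process)
    print(reader.run())
    for c, r in reader.trace:
        print("C-APDU", c.hex().upper(), "\nR-APDU", r.hex().upper())
```

Swapping `SimCard().process` for a function that forwards each APDU to a second phone and returns its answer turns `Reader` into the relay described in the talk, and `reader.trace` is the intercepted stream a parser or fuzzer would consume. Note that with no PIN or cryptogram verification on the reader side, the loop already exposes the PAN, expiry, name and track 2 equivalent data the speaker saw on his own card.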