
I'm Ben April, Trend Micro senior threat researcher. Apparently all the talks I've been in today have made some big comment about "these are my opinions, not my employer's." My employer is actually not arguing with what I'm about to say; they would have put me on a plane, but I drove down from my house in New Hampshire.

So, basically, this whole talk: there's a lot of talk of NFC, a lot of talk in the press. What is it? What is it supposed to be? What is it doing? Is it secure, is it not secure? Well, it may surprise you to know that no one really claims it's terribly secure. There are lots of elements associated with and connected to NFC that people like to think are secure and are most definitely not. Also, a lot of the attacks you see that claim to be, you know, the YouTube videos of "you put your phone down" or "put a tag next to a computer and suddenly it's owned," are just using NFC as the transport medium. You could have done the same thing with a QR code; you could have done the same thing with downloading a file. NFC really had nothing to do with it other than being the medium they used to insert the element.
There we go, okay, sorry. All right, so as I talk about this, these are my friends John and Larry. Good buddies; they went to Cliff Art University together. Right now they manage competing restaurants in the north AV. One day John, you know, they're both early adopters, geeks like us, so John goes out and gets a Galaxy Nexus, fun little gadget with an NFC chip in it. When you look at the config settings, one of the first things you notice is there's a check box for NFC, and as my early research started I'm sitting there going, "it's got to be more complex than that, is it really just yes or no?" And as you dig into it, in the case of Android it really is just yes or no. You either get all of NFC or you get none of it.

So in John's effort to figure out whether he wants this checkbox checked or not, he goes looking: what is NFC? The more research you do, the more confused you get, or at least that's what I found in my case. If you look hard enough you'll find people talking about Bluetooth and Wi-Fi as NFC, assuming the devices are close enough together. Pretty much a thrown-out definition, but, you know, "near field communication": devices are near each other, maybe I'm in a field, I couldn't quite figure that. A lot of the definitions you see start involving ISO specs; 18092 seems to be the kingpin here. It's talking about 13.56 (I'm dyslexic, so I usually say 15.36). [...] into this bucket, almost none of it is actually NFC. To do NFC you have to be exchanging what they call NDEF records, the NFC Data Exchange Format. It's a very simple format, I'll show you in a minute, for the data records themselves. If you want the NFC Forum's stamp of approval blessing you that yes, you are actually doing NFC, you've got to be exchanging data in this format. If you just want close-range stuff, you go up here.

[Audience] Can you just include it as an option, or does it have to be the primary?

If you want the official stamp, the protocol you're exchanging has to be passing NDEF records. A lot of the stuff, payment cards, transit cards, all that jazz, where you see "NFC compatible devices," "NFC enabled devices," that's where we're talking about 18092, but they're not exchanging NDEFs. So that's kind of where a lot of the confusion comes in. It's like, yeah, you need an NFC device to do the payment system stuff on the mobile, or to do the mobile app transit stuff, but it's not actually what would be called NFC. So it's actually a very small window of what really is NFC versus what kind of falls into the NFC bucket as far as hardware.

Speaking of the hardware, defined by the NFC Forum, same guys who bless the standards, there are four official tag types. So if you've got passive tags (I've got a handful of them here, just the little stickers, the key fobs, credit-card-size bits), to be compatible with NFC they have to fit into one of these four categories. Types one and two: they're fast, they're very low on feature sets, and they're usually very small; we're talking sub-1K kind of capacity. Three and four come with more crypto capability in the cards; most of it's not used in NFC itself, but they're more reliable, bigger tags. There is a fifth type. This is actually created by NXP; NXP makes the chipsets and they make a lot of the tags, and they decided they didn't like that their type was not included in the official standard. If you have a device that is using an NXP chipset, very often you can read the MIFARE 1K series tags. Keep in mind, if you're going to do something with NFC in the wild, in the field, there are lots of devices that can't read those tags: if they don't have the NXP chipset, most of the time they can't read those tags. There is movement to get this added as the fifth type, but it doesn't automatically make it retroactive in all the devices in the field. One thing to note if you're trying to put together a kit of NFC stuff like I have here: until recently, if you went to Adafruit or SparkFun and looked for NFC, you'd actually end up buying 1K tags. They both changed their wording; they're now saying MIFARE tags, but at one point they did say NFC tags, which, if I wanted to get technical, would be incorrect, but what goes on. So after a while of staring at it I kind of put this stack together.
You've got the low-level stuff, the air protocols; there's actually a spec for the protocol between the radio and your device. On top of that, over here we've got device-to-device, so holding two phones together like those Samsung commercials. 15693, it's called vicinity cards; they work to about a meter in normal operation, sometimes a meter and a half if you're really good with antennas. 14443, this is MIFARE cards. The FeliCa stuff is actually what would have been type C, but ISO rejected the spec, so I've got it here with an asterisk as it's not actually a standard. A is the actual patent-based MIFARE; B is a patent-free implementation. So most of the tag types fall into A if you're looking at it, but there are a few C's. For real NFC you don't even really get into B, but I put it there. NFCIP-2, this spec is talking about when I've got two devices with multiple capabilities and you put them together; this is the protocol that's going to decide which of these strategies you're going to use to communicate between the two. I think it's just added there to confuse me. You've got your card types, you're exchanging NDEF records, and then on top of the NDEF records the NFC Forum also specifies what they call use cases. We'll talk a little bit about the different use cases; these are all pretty well standardized.

All right, so for some initial use cases, John buys some tags and decides to play around at home. The handover use case: you put your Wi-Fi details, your SSID and your WEP key, your WPA key if you're sane, into the tag and, say, stick it to your coffee table. When your friends come over they tap their phone to your coffee table and they're on your network. That's a nice convenience, kind of cute. You can also encode an SMS message or a phone call or an email: "hey honey, I'm home," put it by the door; something in the fridge to say "I need to buy more milk," send you an email to remind you. None of these are terribly in need of high security. At the end of the day this is really what NFC is meant to do, this kind of low-key, what's-the-worst-that's-going-to-happen kind of stuff. Other use cases: smart poster is really just a text string and a URL; it's intended for your poster at the mall or something, hey, scan it and it brings you to a URL. Phone call, SMS, we mentioned that. vCard, and actually any other MIME object can exist within the NDEF format, so you can do a spreadsheet, you can do an image, you can do any of that stuff. Again, that's where, if you see the YouTube videos of "oh, how I owned NFC," that's usually what you're looking at: somebody's got a Word doc with a known vulnerability encoded into the MIME object, they hit it to their computer and, poof, they're owned. Well, yes, that had nothing to do with NFC. There are also non-standard use cases, so depending on the app you're using to write the tag, or the code you're using to write the tag, there are different use cases that don't fall into the standard buckets. Samsung has got an app called TecTiles that offers most of these and other functionality; the key point is they don't work with other apps, so if you don't have the app that wrote the tag you don't get the same functionality. So if you were going to use NFC in the field, it's helpful to make sure that you're actually looking at the standard NFC record type and format so that anyone can read it, not just people with your app.

The message format is dead simple. NDEF messages are literally just a set of NDEF records. There's no header, there's no footer, there's nothing; it's literally just stacked together one after the other.

[Audience] What's the delimiter?

Nothing. It's literally just stacked together one after the other. I looked for an hour and a half, because there's no way you don't have... no, you don't have the delimiter, because, I'll show you, the record format defines size. And this is a blue field for fuzzing, I'm absolutely sure of it. One very important thing to note: on mobile devices, Android will only look at the first record. So stacking multiple records, or stacking multiple functionalities, forget it; if it's not in the first record it's ignored completely. So that was one of my first "ooh, let's go down this road and see how far we get." No, nothing.

So the record itself is more complex. You've got a message begin bit and a message end bit, so it's trying to tell you whether you're the first record or the last record. Chunk fragment: each record can hold four gigs of data if you have the full address length. If you're going to have more than one, you'll need to start setting the chunk flag on every subsequent record. I don't know why you'd want to do four gigs of data, but it's there. So if you set the short record bit you can remove three of the four address values, or, I'm sorry, length values. A lot of the tags you see out in the wild are under 255 bytes in length.

[Audience] Did they add that just to make it more annoying to write a parser?

I believe so.

[Audience] At 13 MHz, wouldn't it take something like six hours to transmit four gigs of data?

I say again, I have no idea why you'd want to do that, but it's possible.

[Audience] I was just curious whether it would take a hilariously long amount of time.

I think so. I can safely say I've never seen that bit set, and I don't think I want to. You've also got an ID length and an ID field. This is intended for caching, so you're meant to put a URI in the ID field so that your device could keep track of tags it's seen in the past and know you don't need to download four gigs over the tag again. Very often the ID length field bit is set to zero and that's removed; we pack up into a nice small... it's all specified, and none of it's, I don't know. So finally you've got the type name format. This is actually where you're telling the parser what the type looks like. So it can be a MIME type; the well-knowns are capital U for URL, capital S lowercase p for smart poster, capital T for text. There are a couple of others that aren't really that important. You can make up your own type, you can put a URL in there; they wanted it to be extensible, and I think they've accomplished that.

All right, so not to be outdone, Larry's going to pick up his own device and he's going to have some fun with John: the tag that was "buy milk" now says go buy some beer. So in general, in the wild, these are pretty easy to overwrite. Write protect is somewhat of a joke. You can, if you do your research, find tags that you can buy from the factory hard-coded with the tag you want on there.
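Added example, not part of the talk: a small Python parser for the record format just walked through. Field layout (MB, ME, CF, SR, IL, TNF, the one- or four-byte payload length, the optional ID) follows the NFC Forum NDEF specification, the "U" and "T" payload decoders follow the NFC Forum URI and Text record type definitions, and the sample message at the bottom is constructed for this example. Because there is no delimiter between records, every length the header declares is checked against the bytes actually present before it is used; that bounds check is what keeps the "blue field for fuzzing" from becoming a crash in a reader.

```python
# Added example (not from the talk): minimal NDEF message parser.
# Layout per the NFC Forum NDEF spec; URI/Text decoding per the NFC Forum
# URI and Text RTDs.  The sample message below is constructed.
from dataclasses import dataclass
from typing import List, Tuple
import struct

# Abbreviation codes carried in the first payload byte of a 'U' record.
URI_PREFIXES = {
    0x00: "", 0x01: "http://www.", 0x02: "https://www.",
    0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:",
}


class NdefError(ValueError):
    """Any structurally invalid message: bad flags, bad lengths, no ME."""


@dataclass
class NdefRecord:
    mb: bool        # Message Begin
    me: bool        # Message End
    cf: bool        # Chunk Flag (chunks are returned as-is, not reassembled)
    sr: bool        # Short Record: 1-byte payload length instead of 4
    tnf: int        # Type Name Format (1 = NFC Forum well-known type)
    rtype: bytes
    rid: bytes
    payload: bytes


def parse_ndef(data: bytes) -> List[NdefRecord]:
    """Split a raw NDEF message into records, validating every length."""
    records: List[NdefRecord] = []
    pos, end = 0, len(data)
    while pos < end:
        flags = data[pos]
        pos += 1
        mb, me, cf = bool(flags & 0x80), bool(flags & 0x40), bool(flags & 0x20)
        sr, il, tnf = bool(flags & 0x10), bool(flags & 0x08), flags & 0x07
        if mb != (not records):
            raise NdefError("MB must be set on exactly the first record")
        # type length byte plus 1 or 4 payload length bytes must be present
        if pos + 1 + (1 if sr else 4) > end:
            raise NdefError("truncated record header")
        type_len = data[pos]
        pos += 1
        if sr:
            payload_len = data[pos]
            pos += 1
        else:
            payload_len = struct.unpack(">I", data[pos:pos + 4])[0]
            pos += 4
        id_len = 0
        if il:
            if pos >= end:
                raise NdefError("truncated record header")
            id_len = data[pos]
            pos += 1
        # the declared lengths are the only framing there is: check them
        if pos + type_len + id_len + payload_len > end:
            raise NdefError("declared lengths exceed message size")
        rtype = data[pos:pos + type_len]
        pos += type_len
        rid = data[pos:pos + id_len]
        pos += id_len
        payload = data[pos:pos + payload_len]
        pos += payload_len
        records.append(NdefRecord(mb, me, cf, sr, tnf, rtype, rid, payload))
        if me:
            if pos != end:
                raise NdefError("bytes after the ME record")
            return records
    raise NdefError("message ended without an ME record")


def decode_uri(rec: NdefRecord) -> str:
    """Expand a well-known 'U' record: prefix code byte + rest of the URI."""
    if not (rec.tnf == 1 and rec.rtype == b"U" and rec.payload):
        raise NdefError("not a URI record")
    return URI_PREFIXES.get(rec.payload[0], "") + rec.payload[1:].decode("utf-8")


def decode_text(rec: NdefRecord) -> Tuple[str, str]:
    """Decode a well-known 'T' record into (language code, text)."""
    if not (rec.tnf == 1 and rec.rtype == b"T" and rec.payload):
        raise NdefError("not a Text record")
    status = rec.payload[0]                 # bit 7: UTF-16, bits 0-5: lang length
    lang_len = status & 0x3F
    encoding = "utf-16" if status & 0x80 else "utf-8"
    lang = rec.payload[1:1 + lang_len].decode("ascii")
    return lang, rec.payload[1 + lang_len:].decode(encoding)


def build_record(tnf: int, rtype: bytes, payload: bytes,
                 mb: bool = False, me: bool = False, short: bool = True) -> bytes:
    """Serialize one unchunked record in short (SR) or long form."""
    flags = (tnf & 7) | (0x80 if mb else 0) | (0x40 if me else 0)
    if short:
        if len(payload) > 255:
            raise ValueError("payload too large for a short record")
        return bytes([flags | 0x10, len(rtype), len(payload)]) + rtype + payload
    return bytes([flags, len(rtype)]) + struct.pack(">I", len(payload)) + rtype + payload


def is_malformed(data: bytes) -> bool:
    """True when parse_ndef rejects the message."""
    try:
        parse_ndef(data)
        return False
    except NdefError:
        return True


# Constructed sample: a URI record followed by a Text record.
SAMPLE_MESSAGE = (
    build_record(1, b"U", b"\x04example.com", mb=True)
    + build_record(1, b"T", b"\x02en" + b"hello", me=True)
)

if __name__ == "__main__":
    recs = parse_ndef(SAMPLE_MESSAGE)
    # Per the talk, an Android handset acts on recs[0] only.
    print(decode_uri(recs[0]), decode_text(recs[1]))
    print("truncated copy rejected:", is_malformed(SAMPLE_MESSAGE[:-2]))
```

The parser returns every record, but since (as the talk notes) Android acts on the first one only, anything a tag is meant to do has to sit in `records[0]`; the later records are just extra bytes a reader still has to walk safely. Truncated messages, a message with no ME record, and a header whose payload length claims more bytes than the tag holds are all rejected rather than read past the end.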
That is, if you're putting something out in the wild, that's the best way to go; it's harder. There are some tags, usually the type ones and type twos, that have the one-time-program capability. Big caveat: in most cases, most implementations, that means you can set any bit in the tag to one exactly once. If I can bit-squat your tag to be malicious by flipping zeros to ones, that's no problem. Key-based: I'll talk more about 14443 keys, MIFARE keys, later. Completely and totally hosed; practical, and fits in this handy-dandy Pelican case. Never trust them for anything. On the same format, those cards have two keys, a key A and a key B. They also have access bits, so you can say key A can read or write, key B can read or write. If you set up one of those tags so that no key can write, currently nobody's found a good way around that. So that's possible. There's also software write protect. There are apps out there, I swear to God, that set a bit in some of the slack space to one; if they don't want to write to the tag again later, they set a bit in the data asking the next app to please not write to me. There's absolutely no structure behind it; you stomp over it. If you use something that's not paying attention to that bit, you can stomp over it in a heartbeat.

[Audience] How does the factory do it?

My understanding is the factory literally ROM-codes it; it probably laser-etches it right in the ROM. I've only seen a couple of those tags and they were kind of hard to come by. So there are some things you can do. One of the things is NFC-SEC. First of all, it looks like it's pretty well designed, if you've got something more than a really tiny wirelessly powered device; some FeliCa cards can do it. It's not very well implemented; sorry, it's not very well used. There's not much more to say about it.

[Audience] Just a quick question: can any reader be used as a writer? I don't think you covered whether a phone can program a card.

Yeah, a phone can absolutely program a card; I'll definitely get to that more. I am aware of a few readers that are commoditized to the point where they don't have write capability; they're literally stripped down so far that they just don't have the ability to write. But that's because they don't have software in them to write; there's no change in the electromechanical, not electromechanical, the electromagnetic functionality as far as writing. It's literally just flipping the bits in a different direction. So in general, yes, just about everything that can read can write, with very rare exceptions.

All right, so John's learned his lesson. A little bit more on write protect: saw this at Logan maybe two months ago; walked by it three times before I realized there's actually an NFC tag right here, and they want you to put your phone up there and get, I don't know what, a free ebook or something. It's kind of unfortunate they have to go this far to provide instructions on exactly how to do it. I was thinking about it and realized that if they put a QR code there, anyone walking by would probably know exactly what to do and not have to worry about it.

[Audience, partly inaudible] In NFC, what is the... of trust?

I don't know of it. I got to the point where I realized that nobody's using it in mobile-level devices, so I pretty much stopped that. I'll talk to you after; I've got a little bit on it. So, funny story there. To combat the lack of QR-recognition capability, the NFC Forum has produced this lovely guy. In order to use this in a scenario where it's not actually an active NFC tag, I had to call that out; you have to go through quite a few legal hoops, you've got to sign up and sign off on their whole copyright thing to use it. I'm allowed to use it in a presentation. But the idea is they're trying to train the user population that when you see this symbol and you have an NFC-capable phone, you need to be waving your phone at this. I'm not entirely convinced that's what we want to be training people to do, but okay.

All right, so another interesting thing that's been discovered over time: if you're out in the wild, if you've got that sign at Logan and you've got a really nice FeliCa tag, high crypto capability, really good lockdown, and I stick a Topaz on there, that's going to win. Basically, when you put the tag into the device's field it gets powered up by your mobile device (in this case we're talking about a passive tag), it goes through its initialization routine, and the first thing it's going to do is announce its anti-collision code, its unique identifier, so that the device can address it. Mobile devices especially are only going to pay attention to the first one they hear, the first AC code they hear. So if I slap a Topaz tag, which is faster than a DESFire or FeliCa tag, on top of that, whatever I put on that tag is going to be what people walking by will read. And that's actually been... we've done some work in our group and it's pretty repeatable. So one of the things we were playing with is the idea of a way to... if you put your tag behind glass, that's a good way to make it very visible that there's a tag in front of it, and to shield it from behind. This also brings up a cool point: NFC tags, the stickers, are not intended to work on metal. You can buy special ones for use in industrial settings where the antennas are specially structured so they work on metal, but if you want to put a tag on metal you have to either buy those tags or put a spacer; about a quarter inch seems to work.

Okay, so we're having fun with that. Larry's going to try to play with loyalty cards at his restaurant. So he started a new offer: if you buy three meals at his restaurant you get a free appetizer. Your servers all have mobile devices; they can read your card and find out your balance and do all that stuff. Stored value is a real huge mess. I don't know if you guys know the CharlieCard incident a couple of years ago. This guy is a Suica card from Tokyo; it's based on the FeliCa standard, and as far as I'm aware at this point it's actually held up pretty well. Also note that in most of these cases, I have yet to see a stored-value scenario that is actually using NDEF records. I used to say that DESFire EV1 was holding up well. The last time I said that at a conference, someone reported to me that the day before, Chaos Communication Congress had a talk about how it's completely blown, so that one's gone. At the moment FeliCa seems to be holding up well. The general rule of thumb is, if you can avoid stored value in one of these cards, do so.

That brings us to NFC-Sig, which is the idea of adding an NDEF record to the end of your tag containing a signature. A couple of minor problems: if you're going to put the trust chain in there, you just blew up a 1K card. So they haven't solved the chain of trust there; that one I'm sure of. You need big tags for that. And a key caveat that we've noticed is that it only validates the records to that point, so it can't guarantee that it hasn't been cloned to another card, just that the data is what you intended to be there. So that brings me to my toy box here; you can come look at it after.
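Added example, not part of the talk, returning to the MIFARE Classic key A / key B / access-bits point made earlier: a Python encoder and decoder for the three access-condition bytes of a sector trailer, laid out as in NXP's public MIFARE Classic datasheet, plus a check for the "no key can write" state the speaker says nobody has found a way around. The two configurations at the bottom are constructed for this example; the condition tables are the datasheet's.

```python
# Added example (not from the talk): MIFARE Classic sector-trailer access
# bits, per NXP's public MIFARE Classic datasheet.  Configurations at the
# bottom are constructed for this example.
from typing import List, Tuple

Cond = Tuple[int, int, int]  # (C1, C2, C3) for one block

# Data blocks 0-2: (read, write, increment, decrement/transfer/restore).
# "AB" = key A or key B, "A"/"B" = that key only, "-" = never.
DATA_BLOCK_CONDITIONS = {
    (0, 0, 0): ("AB", "AB", "AB", "AB"),   # transport configuration
    (0, 1, 0): ("AB", "-",  "-",  "-"),    # readable with either key, never writable
    (1, 0, 0): ("AB", "B",  "-",  "-"),
    (1, 1, 0): ("AB", "B",  "B",  "AB"),   # value block, key B is master
    (0, 0, 1): ("AB", "-",  "-",  "AB"),   # value block, decrement only
    (0, 1, 1): ("B",  "B",  "-",  "-"),
    (1, 0, 1): ("B",  "-",  "-",  "-"),
    (1, 1, 1): ("-",  "-",  "-",  "-"),
}

# Sector trailer (block 3): (write key A, read access bits, write access bits,
# read key B, write key B).  Key A can never be read back.
TRAILER_CONDITIONS = {
    (0, 0, 0): ("A", "A",  "-", "A", "A"),
    (0, 1, 0): ("-", "A",  "-", "A", "-"),
    (1, 0, 0): ("B", "AB", "-", "-", "B"),
    (1, 1, 0): ("-", "AB", "-", "-", "-"),   # keys and access bits frozen
    (0, 0, 1): ("A", "A",  "A", "A", "A"),   # transport configuration
    (0, 1, 1): ("B", "AB", "B", "-", "B"),
    (1, 0, 1): ("-", "AB", "B", "-", "-"),
    (1, 1, 1): ("-", "AB", "-", "-", "-"),
}


def encode_access_bits(conditions: List[Cond]) -> bytes:
    """Pack (C1, C2, C3) for blocks 0..3 into trailer bytes 6, 7 and 8.

    Bit i of each nibble belongs to block i.  Bytes 6 and 7 carry inverted
    copies; the card checks them and blocks the sector if they disagree.
    """
    if len(conditions) != 4:
        raise ValueError("need one (C1, C2, C3) tuple per block")
    c1 = c2 = c3 = 0
    for block, (b1, b2, b3) in enumerate(conditions):
        c1 |= (b1 & 1) << block
        c2 |= (b2 & 1) << block
        c3 |= (b3 & 1) << block
    inv = lambda n: (~n) & 0xF
    byte6 = (inv(c2) << 4) | inv(c1)
    byte7 = (c1 << 4) | inv(c3)
    byte8 = (c3 << 4) | c2
    return bytes([byte6, byte7, byte8])


def decode_access_bits(acc: bytes) -> List[Cond]:
    """Unpack bytes 6-8, refusing a trailer whose inverted copies disagree."""
    if len(acc) != 3:
        raise ValueError("access bits are exactly three bytes")
    inv_c2, inv_c1 = acc[0] >> 4, acc[0] & 0xF
    c1, inv_c3 = acc[1] >> 4, acc[1] & 0xF
    c3, c2 = acc[2] >> 4, acc[2] & 0xF
    if (c1 ^ inv_c1) != 0xF or (c2 ^ inv_c2) != 0xF or (c3 ^ inv_c3) != 0xF:
        raise ValueError("inconsistent access bits: the card would block this sector")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def is_consistent(acc: bytes) -> bool:
    """Check a trailer before writing it; a bad write is not reversible."""
    try:
        decode_access_bits(acc)
        return True
    except ValueError:
        return False


def describe_sector(acc: bytes) -> List[tuple]:
    """Permission tuples for blocks 0-2 and the trailer."""
    conds = decode_access_bits(acc)
    return [DATA_BLOCK_CONDITIONS[c] for c in conds[:3]] + [TRAILER_CONDITIONS[conds[3]]]


def sector_is_frozen(acc: bytes) -> bool:
    """True when no key can write a data block, a key, or the access bits."""
    desc = describe_sector(acc)
    data_locked = all(d[1] == "-" and d[2] == "-" and d[3] == "-" for d in desc[:3])
    t = desc[3]
    return data_locked and t[0] == "-" and t[2] == "-" and t[4] == "-"


# Constructed configurations.
TRANSPORT = [(0, 0, 0)] * 3 + [(0, 0, 1)]   # factory default: everything writable with key A
FROZEN = [(0, 1, 0)] * 3 + [(1, 1, 0)]      # readable with either key, nothing writable

if __name__ == "__main__":
    print(encode_access_bits(TRANSPORT).hex(), sector_is_frozen(encode_access_bits(TRANSPORT)))
    print(encode_access_bits(FROZEN).hex(), sector_is_frozen(encode_access_bits(FROZEN)))
```

Two things to take from it as a defender. First, since the keys themselves are recoverable (the speaker's point), "never" is the only entry in those tables that still means anything; any block marked writable "with key B" should be treated as writable by whoever has had the card in hand. Second, the consistency check runs before a write: the card blocks a sector whose inverted nibbles disagree, and that is not something you can undo, so compute the bytes rather than typing them.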
Under 500 bucks you've got yourself a kit where you can do most of the nastiness that can be done to NFC, in a tiny little box. Proxmark 3: I'll warn you, the documentation is lousy, the software is sketchy, but it will blow through MIFARE like nothing else. The PN532: there are a couple of different form factors; I like the one that snaps right onto the Arduino. I'll talk a little later: I built a hotel keycard cloner with it, quite handy, specific to certain hotels; it's not here anymore. Some cables, stuff like that; that's really all you need. Most of the work I do in my playing with NFC is actually with a mobile device. I'll show you a couple of apps in a minute that do most of the heavy lifting. Really the only time I need something more is when I'm trying to write specific bytes to a card (I haven't found a good app to do that and I can't be bothered to write one), or if you need to break, like, MIFARE keys or some of the lower-end on-the-card crypto.

[Audience] Is that a question or scratching? It's a question. So the PN532 is an NFC breakout, the Proxmark is an RFID reader; why do you need the 532?

You don't, strictly speaking, but it comes in really handy. To give you an example: I was in a hotel in the Philippines a couple of months ago and they had some really, really good security, to the point where the keys on the sectors of the card were actually coded based on the UID of the card. It's good and bad: if you read the UID of the card, you work out the key and read it. And with the PN532 it was really easy to write some quick Arduino code and just tap through it, whereas I'd have to go out and write firmware for the Proxmark. Okay. The 532 is great for things like "all right, I want to copy this sector to this card every time": first card copy, second card write. It's great for that kind of scripting, fuzzing kind of work. Strictly speaking you don't need it, you're absolutely right. So with a kit like that you can do some pretty basic stuff. I'm going to try to cruise through some of this.

All right, so my two favorite apps: TagInfo by NXP and NFC TagInfo, confusingly similar names, two different organizations. I love this guy; if I'm in the field and see a tag I'm going to open this guy first. The key thing to remember here: if you approach a tag with your mobile device unlocked and it's got a URL, at least the devices I've had my hands on will go to that URL unless you've opened a reader app first. If you've opened a reader app first, it'll tell you everything that's on the tag. So that's handy; I use that in the field all the time. If you want to play with NFC, there's an NDEF editor plugin for Eclipse; it's great, you can pull down the structure and tweak the values, and it creates a QR code that the NFC Developer app will read. Read the QR code, touch it to a tag, it will write it to the tag. It's great for just kind of rapid-fire fuzzing and playing with things. There's also an NDEF editor website that does exactly the same thing, web-based.

All right, so the scenario: my team, the threat research team at Trend Micro, we were all getting together for a team meeting; about once a quarter we'll get together in the same place. We walked into our hotel; I got to the front desk and they handed me a MIFARE card, and I just smiled the whole way to the elevator. Within 10 minutes of getting back to my room, the Proxmark was out; I had the key, the key that was locking the sector that controls the doors. Right away I could make a copy of my card. Step one: we're talking half an hour, done, easy. Step two: break it down and figure out the format. It took a handful of cards, sitting around the bar; luckily we were in a foreign country and most people didn't know what we were talking about. If you're familiar with mag-stripe cards, they have a guest ID that's incremented every time a new guest checks in; basically, when the lock sees that ID it will invalidate any card prior to that. The date and time: look very carefully, notice anything interesting? This is a hex dump. Checked out October 13, 2012; that's what was on the card, I swear. And then the room ID. All good; worked. I copied this line to the card, worked wonderfully. One thing I missed: there's a one right there. Any guesses? Elevator bit. Got downstairs, found myself screwed; thankfully I had a friend.

All right, so I cloned a card, I understand the coded card, so now I want to get a room number from a card. So that was my room; this was a colleague's. He gave me his code number, all right, I read it off his card for him. Unfortunately this hotel used the same key for every card, every door; every door had the same key. If you knew it, you programmed it into your mobile device and you're reading cards. It's really that bad. So some quick math: I told him he was in 417. He laughed and went upstairs: "ha ha, you're wrong." He came down the next day: the room next to him was a sitting area. If I had gone upstairs and counted doors I would have hit it, so I consider that a win, slight miss. Finally, we had these three individuals sitting there. All right, 1225 and 1227 were sitting down at the bar with me; 1226 was upstairs doing email. Worked that out pretty quick, sent his manager upstairs, knocked on the door. This is where the stories diverge: one thought he heard "come in" and the other one thought he said "coming." He did; it's all good. But there was a catch. I had to guess the guest ID to clone, to make that card from scratch. It was used to open the door and put in the power slot like you see in a lot of international hotels. He went downstairs with his room key, which was now invalid; came back up, didn't work; went back down to the desk. This was the original sector that actually controls the door; this one is empty except that it has this key after the front desk recoded it. So it turns out having this key in there is the code to reset the guest ID. Thank you.

So these are MIFARE cards. We're literally talking under 10 minutes, worst-case scenario, to get the keys off those cards. It's practical and it's easy to do; I can teach my seven-year-old to do it. So don't rely on it; it's not a good thing anymore. All right, so unfortunately for Larry, he used MIFARE 1K cards, and John had a new promotion at his restaurant: if you buy a meal at John's you get a free appetizer at Larry's.

All right, so the AC, the anti-collision UID, is no longer unique. As far as I'm aware all the vendors have announced that they've rolled the numbers over, they've rolled the ID codes. So don't count on it for anything unique. I've seen a number of applications where just having a card with a given UID means you get either access to the room, or it looks up in a database based on that ID. It's trivial to find the right vendor, in China say, and get a card that you can write that UID to. Don't count on it. Mobile devices or the Proxmark can generate that ID on the fly, so it's crap now. My general rule is, if I wouldn't lick the tag, I use a reader first. Don't use keys, don't use MIFARE keys, never use the UID, and if you can avoid it stay away from stored value, because there are a lot of people like us out there who have nothing better to do than figure out how to either put more money in or take money out of stored-value cards. Any questions?

[Audience, partly inaudible] ...encryption... I mean, on the card?

It depends on the card. FeliCa and DESFire actually can do
encryption on the card itself. The communication between some of the devices and the reader is encrypted, so that makes eavesdropping harder, but they're not done very well; they're not DH, they're not done very well. So a motivated attacker can get that. The other thing I should mention, that I used to talk about, is antennas. In general, standard NFC antennas are going to work for about 4 to 6 centimeters; that's what they're designed to do. There are plenty of research papers out there, if you look hard enough, of researchers in controlled environments getting 5, 10, 15 meters, either reads or eavesdrops. So that's something to keep in mind: it's not easy, but it's definitely not impossible. Other questions?

[Audience] What if you were to, say, put a Topaz tag in the battery of a mobile device, with NFC or without?

Yeah, so each time they unlocked it, it would read it. So that's another good point: a locked mobile, or at least Android, will not read NFC. I've got a whole bag of tags; I can smash it all day long, until I unlock it, it won't read. But the moment I do, it would read that tag repeatedly.

[Audience] Most of them come locked, no?

No, I mean literally just punching your code.

[Audience] Oh, not like bootloader unlock, but literally just the device lock?

Yes. I think some different phones have settings on whether you have to have the app open, or it might even do it if your phone is locked. That's why I say Android, because I know. I believe it's not BlackBerry; I think there are some Nokias that will actually do it even if the phone's locked, but I haven't had my hands on one.

[Audience] Okay, so we've trained Grandma to not click on everything and not open every link that gets mailed to her. How are we going to train Mom to not slap her phone against all these cool things that give you these wonderful bonuses, especially when you're in the supermarket? Tell them to turn it off, or get the marketplace to secure it, at least, because you can't even see what it is. At least in the emails you can see that it's some kind of link; this way you don't even know what your phone is going to do.

I feel your pain. Checking the NFC box off and then locking down the settings, that's what you do.

[Audience] But I mean, what's going to get the general public at large... either the companies who do this are going to have to get sued, or... what has to happen to fix it? What do you think?

It's a very contentious push. You've got "ooh, easy, convenient" on one end, and you've got "how do we teach people to be secure" on the other, and they're forcing you to do more than you're supposed to do. They're really driving you in that direction because it's as easy for them as it is for you and I. That's why I'm out here, at least talking about it, trying to get awareness up. It's not just the users; we can't make the users all aware of what they need to know. We also have to make the people offering these services aware of how to do it, or at least how to try to do it safely.

[Audience] Yeah, it's not that the people legitimately offering services have no... but those people can do things to make their services harder to compromise.

To make it legit. If I'm running a business and I run around sticking stickers all over the place to try to advertise my business, that's probably a bad idea.

[Audience] They do do that. But it's the same thing with an ad: how do you know what's on that QR? An adversary can still walk around putting stickers all over the place advertising your business.

Yes, but if the good guys aren't doing it, hopefully the bad...

[Audience] Yes, that's what I want to say, though. The study that came out six months ago said that no one, even college kids, reads QR codes, because nobody gives a crap; like 2% of college kids said that, having done it once, they would ever use a QR code again. You think it's the dumbest thing; why would this get any more adoption? Now you actually have to touch a freaking poster.

[Audience, crosstalk] ...but did you scan it?

Of course not.

[Audience, partly inaudible] ...can you trust them? I see the ad while you're getting something from them, getting information off of you. Is there anything in the spec that would allow that?

Their end would have to be smarter than the tag; the device can't... in some form, but it's definitely possible.

[Audience] A tag request that, when you scan it, is asking your phone to reprogram the tag?

That would be entirely possible.

[Audience] But how do you know how far away... the strength of the field?

The problem is you're generating the field. Okay, so what happens when you're interacting with a passive tag: your device generates a magnetic field. The tag receives its power from that field. When you modulate your signal, when you're trying to send a message to the tag, you essentially modulate 100%: the field is on or the field is off, and the tag will read that. When the tag's talking back, all it's doing is modulating how much of that power it's drawing. If you had access to, say, the amplifier in the radio itself, I think that's conceivable, but I'm not aware of any chipsets that actually offer it at that level.

[Audience] So I need special equipment to try and triangulate where the tag was coming from?

Yeah, I think so, and I think the hard part is, again, you're talking about four to six centimeters, so there's not a lot of space there to even get two antennas to triangulate. Not much. A second and a half in the microwave and it's gone. I'm done. Okay.