SlideShare une entreprise Scribd logo

DefCon 2012 - Near-Field Communication / RFID Hacking - Lee

Michael Smith
Michael Smith
Technologie
1  sur  24
Télécharger pour lire hors ligne
DEFCON 20 NFC Hacking: The Easy Way Eddie Lee eddie{at}blackwinghq.com
!   Security Researcher for Blackwing Intelligence (formerly Praetorian Global) About Me !   We’re always looking for cool security projects !   Member of Digital Revelation !   2-time CTF Champs – Defcon 9 & 10 !   Not an NFC or RFID expert!
!   Radio Frequency Identification - RFID !   Broad range of frequencies: low kHz to super high GHz Introduction // RFID Primer !   Near Field Communication - NFC !   13.56 MHz !   Payment cards !   Library systems !   e-Passports !   Smart cards !   Standard range: ~3 - 10 cm !   RFID Tag !   Transceiver !   Antenna !   Chip (processor) or memory
!   RFID (tag) in credit cards !   Visa – PayWave Introduction // RFID Primer !   MasterCard – PayPass !   American Express – ExpressPay !   Discover – Zip !   Proximity Coupling Devices (PCD) / Point of Sale (POS) terminal / Reader !   EMV (Europay, Mastercard, and VISA) standard for communication between chipped credit cards and POS terminals !   Four “books” long !   Based on ISO 14443 and ISO 7816 !   Communicate with Application Protocol Data Units (APDUs)
!   Why create NFCProxy? !   I’m lazy Introduction // Motivation !   Don’t like to read specs !   Didn’t want to learn protocol (from reading specs) !   Future releases should work with other standards (diff protocols) !   Make it easier to analyze protocols !   Make it easier for other people to get involved !   Contribute to reasons why this standard should be fixed
!   Adam Laurie (Major Malfunction) ! RFIDIOt Previous work ! http://rfidiot.org ! Pablos Holman !   Skimming RFID credit cards with ebay reader ! http://www.youtube.com/watch?v=vmajlKJlT3U !   3ric Johanson ! Pwnpass ! http://www.rfidunplugged.com/pwnpass/ !   Kristen Paget !   Cloning RFID credit cards to mag strip ! http://www.shmoocon.org/2012/presentations/Paget_shmoocon2012-credit- cards.pdf !   Tag reading apps
!   Contactless Credit card reader (e.g. VivoPay, Verifone) !   ~$150 (retail) Typical Hardware !   ~$10 - $30 (ebay) !   Card reader ! OmniKey (~$50-90 ebay), ACG, etc. ! Proxmark ($230-$400) !   Mag stripe encoder ($200-$300)
!   What is NFCProxy? !   An open source Android app Tool Overview !   A tool that makes it easier to start messing with NFC/RFID !   Protocol analyzer !   Hardware required !   Two NFC capable Android phones for full feature set !   Nexus S (~$60 - $90 ebay) !   LG Optimus Elite (~$130 new. Contract free) !   No custom ROMs yet !   Galaxy Nexus, Galaxy S3, etc. (http://www.nfcworld.com/nfc-phones-list/) !   Software required !   One phone !   Android 2.3+ (Gingerbread) !   Tested 2.3.7 and ICS !   At least one phone needs: !   Cyanogen 9 nightly build from: Jan 20 - Feb 24 2012 !   Or Custom build of Cyanogen
! android_frameworks_base (Java API) ! https://github.com/CyanogenMod/android_frameworks_base/commit/ Cyanogen Card Emulation c80c15bed5b5edffb61eb543e31f0b90eddcdadf ! android_external_libnfc-nxp (native library) ! https://github.com/CyanogenMod/android_external_libnfc-nxp/ commit/34f13082c2e78d1770e98b4ed61f446beeb03d88 ! android_packages_apps_Nfc (Nfc.apk – NFC Service) ! https://github.com/CyanogenMod/android_packages_apps_Nfc/ commit/d41edfd794d4d0fedd91d561114308f0d5f83878 !   NFC Reader code disabled because it interferes with Google Wallet ! https://github.com/CyanogenMod/android_packages_apps_Nfc/ commit/75ad85b06935cfe2cc556ea1fe5ccb9b54467695
NFC Hardware Architecture Host   Antenna   Secure   NFC  Chip   Element  
!   Proxy transactions !   Save transactions Tool Features !   Export transactions !   Tag replay (on Cyanogen side) !   PCD replay !   Don’t need to know the correct APDUs for a real transactions !   Use the tool to learn about the protocol (APDUs)
Standard Transaction APDU   RFID   APDU  
How It Works // Proxy Mode WiFi   NFC   APDU   NFC   APDU  
Proxy Mode! How It Works // Terminology WiFi   NFC   Relay Mode! NFC  
!   Relay Mode !   Opens port and waits for connection from proxy How It Works // Modes !   Place Relay on card/tag !   Proxy Mode !   Swipe across reader !   Forwards APDUs from reader to card !   Transactions displayed on screen !   Long Clicking allows you to Save, Export, Replay, or Delete
!   Replay Reader (Skimming mode*) !   Put phone near credit card How It works // Replay Mode !   Nothing special going on here !   Know the right APDUs !   Replay Card (Spending mode) !   Swipe phone across reader !   Phone needs to be able to detect reader – Card Emulation mode !   Requires CyanogenMod tweaks !   Virtual wallet
!   A word about android NFC antennas !   Galaxy Nexus: CRAP! Antennas !   Nexus S: Good ! Optimus Elite: Good !   NFC communication is often incomplete !   Need to reengage/re-swipe the phone with a card/reader !   Check the “Status” tab in NFCProxy
!   EMV Book 3 ! http://www.emvco.com/download_agreement.aspx?id=654 APDU-Speak !   See RFIDIOt (ChAP.py) and pwnpass for APDUs used for skimming !   Proxy not needed for skimming and spending !   Just for protocol analysis
Sample Output
!   Let’s see it in action! Demo!
!   What’s next? !   Generic framework that works with multiple technologies Future Work !   Requires better reader detection !   Pluggable modules !   MITM !   Protocol Fuzzing
!   Now available for download and contribution! Source Code !   http://sourceforge.net/projects/nfcproxy/
!   Questions? Q & A !   Contact: eddie{at}blackwinghq.com

Recommandé

NFC attacks
NFC attacksNFC attacks
NFC attacksPeter Swedin
 
RFID/NFC for the Masses
RFID/NFC for the MassesRFID/NFC for the Masses
RFID/NFC for the MassesPositive Hack Days
 
Rfid and the Mobile phone quiz
Rfid and the Mobile phone quizRfid and the Mobile phone quiz
Rfid and the Mobile phone quizTheodor Tolstoy
 
NFC & RFID on Android
NFC & RFID on AndroidNFC & RFID on Android
NFC & RFID on Androidtodbotdotcom
 
Hacking Smartcards & RFID
Hacking Smartcards & RFIDHacking Smartcards & RFID
Hacking Smartcards & RFIDDevnology
 
MIFARE IC Soultion From NXP
MIFARE IC Soultion From NXPMIFARE IC Soultion From NXP
MIFARE IC Soultion From NXPDevanshu Shrivastava
 
Automating Your Life: A look at NFC
Automating Your Life: A look at NFC Automating Your Life: A look at NFC
Automating Your Life: A look at NFC Mitchell Muenster
 
6 - Barcodes and RFID
6 - Barcodes and RFID6 - Barcodes and RFID
6 - Barcodes and RFIDWilliam Helling
 

Recommandé

NFC attacks
NFC attacksNFC attacks
NFC attacksPeter Swedin
 
RFID/NFC for the Masses
RFID/NFC for the MassesRFID/NFC for the Masses
RFID/NFC for the MassesPositive Hack Days
 
Rfid and the Mobile phone quiz
Rfid and the Mobile phone quizRfid and the Mobile phone quiz
Rfid and the Mobile phone quizTheodor Tolstoy
 
NFC & RFID on Android
NFC & RFID on AndroidNFC & RFID on Android
NFC & RFID on Androidtodbotdotcom
 
Hacking Smartcards & RFID
Hacking Smartcards & RFIDHacking Smartcards & RFID
Hacking Smartcards & RFIDDevnology
 
MIFARE IC Soultion From NXP
MIFARE IC Soultion From NXPMIFARE IC Soultion From NXP
MIFARE IC Soultion From NXPDevanshu Shrivastava
 
Automating Your Life: A look at NFC
Automating Your Life: A look at NFC Automating Your Life: A look at NFC
Automating Your Life: A look at NFC Mitchell Muenster
 
6 - Barcodes and RFID
6 - Barcodes and RFID6 - Barcodes and RFID
6 - Barcodes and RFIDWilliam Helling
 
Identify vehicle visibility 20121117_r01_wn
Identify vehicle visibility 20121117_r01_wnIdentify vehicle visibility 20121117_r01_wn
Identify vehicle visibility 20121117_r01_wnWirote Ng
 
Near field communication(nfc)
Near field communication(nfc)Near field communication(nfc)
Near field communication(nfc)Bhaumik Gagwani
 
Securing the Network, por Ricardo Ross
Securing the Network, por Ricardo RossSecuring the Network, por Ricardo Ross
Securing the Network, por Ricardo RossForo Global Crossing
 
RFID Protocols and Privacy Models for RFID
RFID Protocols and Privacy Models for RFIDRFID Protocols and Privacy Models for RFID
RFID Protocols and Privacy Models for RFIDFaisal Razzak
 
Near Field Communication by Mohammed Mudassir
Near Field Communication by Mohammed MudassirNear Field Communication by Mohammed Mudassir
Near Field Communication by Mohammed MudassirMohammed Mudassir
 
Use of rfid in operations management
Use of rfid in operations managementUse of rfid in operations management
Use of rfid in operations managementmusicalmood
 
E-Catalogue Of HUAYUAN RFID Products
E-Catalogue Of HUAYUAN RFID ProductsE-Catalogue Of HUAYUAN RFID Products
E-Catalogue Of HUAYUAN RFID ProductsHUAYUAN ELECTRONIC
 
IDEX Smartfinger Product Data Sheet
IDEX Smartfinger Product Data SheetIDEX Smartfinger Product Data Sheet
IDEX Smartfinger Product Data SheetIDEX ASA
 
Talk-ID Engels (1)
Talk-ID Engels (1)Talk-ID Engels (1)
Talk-ID Engels (1)Richard van der Vegt
 
Contactless NFC Tags For Mobile Loyalty
Contactless NFC Tags For Mobile LoyaltyContactless NFC Tags For Mobile Loyalty
Contactless NFC Tags For Mobile LoyaltyMerchant360, Inc.
 
Nfc power point
Nfc power pointNfc power point
Nfc power pointRajeev Verma
 
QR code
QR codeQR code
QR codeNoah Kim
 
Smart Phone in 2013
Smart Phone in 2013Smart Phone in 2013
Smart Phone in 2013JJ Wu
 
117_SIRJ_HMS
117_SIRJ_HMS117_SIRJ_HMS
117_SIRJ_HMSChandan Raj
 
Tablet in 2012
Tablet in 2012Tablet in 2012
Tablet in 2012JJ Wu
 
My best effort
My best effortMy best effort
My best effortsujataray
 
การใช้งานโปรแกรม Power point
การใช้งานโปรแกรม Power pointการใช้งานโปรแกรม Power point
การใช้งานโปรแกรม Power pointanniesimcard
 
A 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCA 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCSecuRing
 
A 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCA 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCSlawomir Jasek
 
CONFidence 2018: A 2018 practical guide to hacking RFID/NFC (Sławomir Jasek)
CONFidence 2018: A 2018 practical guide to hacking RFID/NFC (Sławomir Jasek)CONFidence 2018: A 2018 practical guide to hacking RFID/NFC (Sławomir Jasek)
CONFidence 2018: A 2018 practical guide to hacking RFID/NFC (Sławomir Jasek)PROIDEA
 
NFC on Android - Near Field Communication
NFC on Android - Near Field CommunicationNFC on Android - Near Field Communication
NFC on Android - Near Field CommunicationSven Haiges
 
Making Sense of Wireless Technologies
Making Sense of Wireless TechnologiesMaking Sense of Wireless Technologies
Making Sense of Wireless TechnologiesAnton Mills
 

Contenu connexe

Tendances

Identify vehicle visibility 20121117_r01_wn
Identify vehicle visibility 20121117_r01_wnIdentify vehicle visibility 20121117_r01_wn
Identify vehicle visibility 20121117_r01_wnWirote Ng
 
Near field communication(nfc)
Near field communication(nfc)Near field communication(nfc)
Near field communication(nfc)Bhaumik Gagwani
 
Securing the Network, por Ricardo Ross
Securing the Network, por Ricardo RossSecuring the Network, por Ricardo Ross
Securing the Network, por Ricardo RossForo Global Crossing
 
RFID Protocols and Privacy Models for RFID
RFID Protocols and Privacy Models for RFIDRFID Protocols and Privacy Models for RFID
RFID Protocols and Privacy Models for RFIDFaisal Razzak
 
Near Field Communication by Mohammed Mudassir
Near Field Communication by Mohammed MudassirNear Field Communication by Mohammed Mudassir
Near Field Communication by Mohammed MudassirMohammed Mudassir
 
Use of rfid in operations management
Use of rfid in operations managementUse of rfid in operations management
Use of rfid in operations managementmusicalmood
 
E-Catalogue Of HUAYUAN RFID Products
E-Catalogue Of HUAYUAN RFID ProductsE-Catalogue Of HUAYUAN RFID Products
E-Catalogue Of HUAYUAN RFID ProductsHUAYUAN ELECTRONIC
 
IDEX Smartfinger Product Data Sheet
IDEX Smartfinger Product Data SheetIDEX Smartfinger Product Data Sheet
IDEX Smartfinger Product Data SheetIDEX ASA
 
Contactless NFC Tags For Mobile Loyalty
Contactless NFC Tags For Mobile LoyaltyContactless NFC Tags For Mobile Loyalty
Contactless NFC Tags For Mobile LoyaltyMerchant360, Inc.
 
Smart Phone in 2013
Smart Phone in 2013Smart Phone in 2013
Smart Phone in 2013JJ Wu
 
Tablet in 2012
Tablet in 2012Tablet in 2012
Tablet in 2012JJ Wu
 

Tendances (15)

Identify vehicle visibility 20121117_r01_wn
Identify vehicle visibility 20121117_r01_wnIdentify vehicle visibility 20121117_r01_wn
Identify vehicle visibility 20121117_r01_wn
 
Near field communication(nfc)
Near field communication(nfc)Near field communication(nfc)
Near field communication(nfc)
 
Securing the Network, por Ricardo Ross
Securing the Network, por Ricardo RossSecuring the Network, por Ricardo Ross
Securing the Network, por Ricardo Ross
 
RFID Protocols and Privacy Models for RFID
RFID Protocols and Privacy Models for RFIDRFID Protocols and Privacy Models for RFID
RFID Protocols and Privacy Models for RFID
 
Near Field Communication by Mohammed Mudassir
Near Field Communication by Mohammed MudassirNear Field Communication by Mohammed Mudassir
Near Field Communication by Mohammed Mudassir
 
Use of rfid in operations management
Use of rfid in operations managementUse of rfid in operations management
Use of rfid in operations management
 
E-Catalogue Of HUAYUAN RFID Products
E-Catalogue Of HUAYUAN RFID ProductsE-Catalogue Of HUAYUAN RFID Products
E-Catalogue Of HUAYUAN RFID Products
 
IDEX Smartfinger Product Data Sheet
IDEX Smartfinger Product Data SheetIDEX Smartfinger Product Data Sheet
IDEX Smartfinger Product Data Sheet
 
Talk-ID Engels (1)
Talk-ID Engels (1)Talk-ID Engels (1)
Talk-ID Engels (1)
 
Contactless NFC Tags For Mobile Loyalty
Contactless NFC Tags For Mobile LoyaltyContactless NFC Tags For Mobile Loyalty
Contactless NFC Tags For Mobile Loyalty
 
Nfc power point
Nfc power pointNfc power point
Nfc power point
 
QR code
QR codeQR code
QR code
 
Smart Phone in 2013
Smart Phone in 2013Smart Phone in 2013
Smart Phone in 2013
 
117_SIRJ_HMS
117_SIRJ_HMS117_SIRJ_HMS
117_SIRJ_HMS
 
Tablet in 2012
Tablet in 2012Tablet in 2012
Tablet in 2012
 

Similaire à DefCon 2012 - Near-Field Communication / RFID Hacking - Lee

My best effort
My best effortMy best effort
My best effortsujataray
 
การใช้งานโปรแกรม Power point
การใช้งานโปรแกรม Power pointการใช้งานโปรแกรม Power point
การใช้งานโปรแกรม Power pointanniesimcard
 
A 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCA 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCSecuRing
 
A 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCA 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCSlawomir Jasek
 
CONFidence 2018: A 2018 practical guide to hacking RFID/NFC (Sławomir Jasek)
CONFidence 2018: A 2018 practical guide to hacking RFID/NFC (Sławomir Jasek)CONFidence 2018: A 2018 practical guide to hacking RFID/NFC (Sławomir Jasek)
CONFidence 2018: A 2018 practical guide to hacking RFID/NFC (Sławomir Jasek)PROIDEA
 
NFC on Android - Near Field Communication
NFC on Android - Near Field CommunicationNFC on Android - Near Field Communication
NFC on Android - Near Field CommunicationSven Haiges
 
Making Sense of Wireless Technologies
Making Sense of Wireless TechnologiesMaking Sense of Wireless Technologies
Making Sense of Wireless TechnologiesAnton Mills
 
Rfid101 rfid introduction_lr
Rfid101 rfid introduction_lrRfid101 rfid introduction_lr
Rfid101 rfid introduction_lrCecile Tan
 
Rfid101 rfid introduction_lr
Rfid101 rfid introduction_lrRfid101 rfid introduction_lr
Rfid101 rfid introduction_lrCecile Tan
 
Meetup -- RFID
Meetup -- RFIDMeetup -- RFID
Meetup -- RFIDKevin2600
 
Rfid security workshop v0.9 -nahuel_grisolia
Rfid security workshop v0.9 -nahuel_grisoliaRfid security workshop v0.9 -nahuel_grisolia
Rfid security workshop v0.9 -nahuel_grisoliaPositive Hack Days
 
Nahuel Grisolia. RFID Workshop.
Nahuel Grisolia. RFID Workshop.Nahuel Grisolia. RFID Workshop.
Nahuel Grisolia. RFID Workshop.Positive Hack Days
 
Rfid Tag Manufacturer | Identis
Rfid Tag Manufacturer | IdentisRfid Tag Manufacturer | Identis
Rfid Tag Manufacturer | IdentisSMO Clicks
 
Hacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortHacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortVincent Ohprecio
 
NFC Bootcamp Seattle Day 2
NFC Bootcamp Seattle Day 2 NFC Bootcamp Seattle Day 2
NFC Bootcamp Seattle Day 2 traceebeebe
 
Leverage RFID with NFC for Better ROI - by Steve McRae
Leverage RFID with NFC for Better ROI - by Steve McRaeLeverage RFID with NFC for Better ROI - by Steve McRae
Leverage RFID with NFC for Better ROI - by Steve McRaeMerchant360, Inc.
 

Similaire à DefCon 2012 - Near-Field Communication / RFID Hacking - Lee (20)

My best effort
My best effortMy best effort
My best effort
 
การใช้งานโปรแกรม Power point
การใช้งานโปรแกรม Power pointการใช้งานโปรแกรม Power point
การใช้งานโปรแกรม Power point
 
A 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCA 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFC
 
A 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFCA 2018 practical guide to hacking RFID/NFC
A 2018 practical guide to hacking RFID/NFC
 
CONFidence 2018: A 2018 practical guide to hacking RFID/NFC (Sławomir Jasek)
CONFidence 2018: A 2018 practical guide to hacking RFID/NFC (Sławomir Jasek)CONFidence 2018: A 2018 practical guide to hacking RFID/NFC (Sławomir Jasek)
CONFidence 2018: A 2018 practical guide to hacking RFID/NFC (Sławomir Jasek)
 
NFC on Android - Near Field Communication
NFC on Android - Near Field CommunicationNFC on Android - Near Field Communication
NFC on Android - Near Field Communication
 
Making Sense of Wireless Technologies
Making Sense of Wireless TechnologiesMaking Sense of Wireless Technologies
Making Sense of Wireless Technologies
 
Rfid101 rfid introduction_lr
Rfid101 rfid introduction_lrRfid101 rfid introduction_lr
Rfid101 rfid introduction_lr
 
Rfid101 rfid introduction_lr
Rfid101 rfid introduction_lrRfid101 rfid introduction_lr
Rfid101 rfid introduction_lr
 
Aidc technology
Aidc technologyAidc technology
Aidc technology
 
Meetup -- RFID
Meetup -- RFIDMeetup -- RFID
Meetup -- RFID
 
NFC In Mobile Commerce
NFC In Mobile CommerceNFC In Mobile Commerce
NFC In Mobile Commerce
 
RFID Technology
RFID TechnologyRFID Technology
RFID Technology
 
Hftn
HftnHftn
Hftn
 
Rfid security workshop v0.9 -nahuel_grisolia
Rfid security workshop v0.9 -nahuel_grisoliaRfid security workshop v0.9 -nahuel_grisolia
Rfid security workshop v0.9 -nahuel_grisolia
 
Nahuel Grisolia. RFID Workshop.
Nahuel Grisolia. RFID Workshop.Nahuel Grisolia. RFID Workshop.
Nahuel Grisolia. RFID Workshop.
 
Rfid Tag Manufacturer | Identis
Rfid Tag Manufacturer | IdentisRfid Tag Manufacturer | Identis
Rfid Tag Manufacturer | Identis
 
Hacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortHacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades short
 
NFC Bootcamp Seattle Day 2
NFC Bootcamp Seattle Day 2 NFC Bootcamp Seattle Day 2
NFC Bootcamp Seattle Day 2
 
Leverage RFID with NFC for Better ROI - by Steve McRae
Leverage RFID with NFC for Better ROI - by Steve McRaeLeverage RFID with NFC for Better ROI - by Steve McRae
Leverage RFID with NFC for Better ROI - by Steve McRae
 

Plus de Michael Smith

DHS - Recommendations for Securing Zigbee Networks in Process Control Systems
DHS - Recommendations for Securing Zigbee Networks in Process Control SystemsDHS - Recommendations for Securing Zigbee Networks in Process Control Systems
DHS - Recommendations for Securing Zigbee Networks in Process Control SystemsMichael Smith
 
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)Michael Smith
 
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)Michael Smith
 
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...Michael Smith
 
BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)Michael Smith
 
DefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency SecurityDefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency SecurityMichael Smith
 
DefCon 2012 - Near-Field Communication / RFID Hacking - Miller
DefCon 2012 - Near-Field Communication / RFID Hacking - MillerDefCon 2012 - Near-Field Communication / RFID Hacking - Miller
DefCon 2012 - Near-Field Communication / RFID Hacking - MillerMichael Smith
 
DefCon 2012 - Hardware Backdooring (White Paper)
DefCon 2012 - Hardware Backdooring (White Paper)DefCon 2012 - Hardware Backdooring (White Paper)
DefCon 2012 - Hardware Backdooring (White Paper)Michael Smith
 
DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)Michael Smith
 
DefCon 2012 - Firmware Vulnerability Hunting with FRAK
DefCon 2012 - Firmware Vulnerability Hunting with FRAKDefCon 2012 - Firmware Vulnerability Hunting with FRAK
DefCon 2012 - Firmware Vulnerability Hunting with FRAKMichael Smith
 
DefCon 2011 - Vulnerabilities in Wireless Water Meters
DefCon 2011 - Vulnerabilities in Wireless Water MetersDefCon 2011 - Vulnerabilities in Wireless Water Meters
DefCon 2011 - Vulnerabilities in Wireless Water MetersMichael Smith
 
Defcon 2011 - Penetration Testing Over Powerlines
Defcon 2011 - Penetration Testing Over PowerlinesDefcon 2011 - Penetration Testing Over Powerlines
Defcon 2011 - Penetration Testing Over PowerlinesMichael Smith
 
DefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
DefCon 2012 - Anti-Forensics and Anti-Anti-ForensicsDefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
DefCon 2012 - Anti-Forensics and Anti-Anti-ForensicsMichael Smith
 
DefCon 2012 - Subterfuge - Automated MITM Attacks
DefCon 2012 - Subterfuge - Automated MITM AttacksDefCon 2012 - Subterfuge - Automated MITM Attacks
DefCon 2012 - Subterfuge - Automated MITM AttacksMichael Smith
 
DefCon 2012 - Bluetooth Monitoring With SCAPY
DefCon 2012 - Bluetooth Monitoring With SCAPYDefCon 2012 - Bluetooth Monitoring With SCAPY
DefCon 2012 - Bluetooth Monitoring With SCAPYMichael Smith
 
DefCon 2012 - Owned In 60 Seconds - Windows Hacking
DefCon 2012 - Owned In 60 Seconds - Windows HackingDefCon 2012 - Owned In 60 Seconds - Windows Hacking
DefCon 2012 - Owned In 60 Seconds - Windows HackingMichael Smith
 
DefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO RoutersDefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO RoutersMichael Smith
 
DefCon 2012 - Finding Firmware Vulnerabilities
DefCon 2012 - Finding Firmware VulnerabilitiesDefCon 2012 - Finding Firmware Vulnerabilities
DefCon 2012 - Finding Firmware VulnerabilitiesMichael Smith
 
DefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android DataDefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android DataMichael Smith
 
DefCon 2012 - Power Smart Meter Hacking
DefCon 2012 - Power Smart Meter HackingDefCon 2012 - Power Smart Meter Hacking
DefCon 2012 - Power Smart Meter HackingMichael Smith
 

Plus de Michael Smith (20)

DHS - Recommendations for Securing Zigbee Networks in Process Control Systems
DHS - Recommendations for Securing Zigbee Networks in Process Control SystemsDHS - Recommendations for Securing Zigbee Networks in Process Control Systems
DHS - Recommendations for Securing Zigbee Networks in Process Control Systems
 
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
 
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
 
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
 
BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)
 
DefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency SecurityDefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency Security
 
DefCon 2012 - Near-Field Communication / RFID Hacking - Miller
DefCon 2012 - Near-Field Communication / RFID Hacking - MillerDefCon 2012 - Near-Field Communication / RFID Hacking - Miller
DefCon 2012 - Near-Field Communication / RFID Hacking - Miller
 
DefCon 2012 - Hardware Backdooring (White Paper)
DefCon 2012 - Hardware Backdooring (White Paper)DefCon 2012 - Hardware Backdooring (White Paper)
DefCon 2012 - Hardware Backdooring (White Paper)
 
DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)
 
DefCon 2012 - Firmware Vulnerability Hunting with FRAK
DefCon 2012 - Firmware Vulnerability Hunting with FRAKDefCon 2012 - Firmware Vulnerability Hunting with FRAK
DefCon 2012 - Firmware Vulnerability Hunting with FRAK
 
DefCon 2011 - Vulnerabilities in Wireless Water Meters
DefCon 2011 - Vulnerabilities in Wireless Water MetersDefCon 2011 - Vulnerabilities in Wireless Water Meters
DefCon 2011 - Vulnerabilities in Wireless Water Meters
 
Defcon 2011 - Penetration Testing Over Powerlines
Defcon 2011 - Penetration Testing Over PowerlinesDefcon 2011 - Penetration Testing Over Powerlines
Defcon 2011 - Penetration Testing Over Powerlines
 
DefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
DefCon 2012 - Anti-Forensics and Anti-Anti-ForensicsDefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
DefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
 
DefCon 2012 - Subterfuge - Automated MITM Attacks
DefCon 2012 - Subterfuge - Automated MITM AttacksDefCon 2012 - Subterfuge - Automated MITM Attacks
DefCon 2012 - Subterfuge - Automated MITM Attacks
 
DefCon 2012 - Bluetooth Monitoring With SCAPY
DefCon 2012 - Bluetooth Monitoring With SCAPYDefCon 2012 - Bluetooth Monitoring With SCAPY
DefCon 2012 - Bluetooth Monitoring With SCAPY
 
DefCon 2012 - Owned In 60 Seconds - Windows Hacking
DefCon 2012 - Owned In 60 Seconds - Windows HackingDefCon 2012 - Owned In 60 Seconds - Windows Hacking
DefCon 2012 - Owned In 60 Seconds - Windows Hacking
 
DefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO RoutersDefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO Routers
 
DefCon 2012 - Finding Firmware Vulnerabilities
DefCon 2012 - Finding Firmware VulnerabilitiesDefCon 2012 - Finding Firmware Vulnerabilities
DefCon 2012 - Finding Firmware Vulnerabilities
 
DefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android DataDefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android Data
 
DefCon 2012 - Power Smart Meter Hacking
DefCon 2012 - Power Smart Meter HackingDefCon 2012 - Power Smart Meter Hacking
DefCon 2012 - Power Smart Meter Hacking
 

Dernier

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 

Dernier (20)

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 

DefCon 2012 - Near-Field Communication / RFID Hacking - Lee

  • 1. DEFCON 20 NFC Hacking: The Easy Way Eddie Lee eddie{at}blackwinghq.com
  • 2. !   Security Researcher for Blackwing Intelligence (formerly Praetorian Global) About Me !   We’re always looking for cool security projects !   Member of Digital Revelation !   2-time CTF Champs – Defcon 9 & 10 !   Not an NFC or RFID expert!
  • 3. !   Radio Frequency Identification - RFID !   Broad range of frequencies: low kHz to super high GHz Introduction // RFID Primer !   Near Field Communication - NFC !   13.56 MHz !   Payment cards !   Library systems !   e-Passports !   Smart cards !   Standard range: ~3 - 10 cm !   RFID Tag !   Transceiver !   Antenna !   Chip (processor) or memory
  • 4. !   RFID (tag) in credit cards !   Visa – PayWave Introduction // RFID Primer !   MasterCard – PayPass !   American Express – ExpressPay !   Discover – Zip !   Proximity Coupling Devices (PCD) / Point of Sale (POS) terminal / Reader !   EMV (Europay, Mastercard, and VISA) standard for communication between chipped credit cards and POS terminals !   Four “books” long !   Based on ISO 14443 and ISO 7816 !   Communicate with Application Protocol Data Units (APDUs)
  • 5. !   Why create NFCProxy? !   I’m lazy Introduction // Motivation !   Don’t like to read specs !   Didn’t want to learn protocol (from reading specs) !   Future releases should work with other standards (diff protocols) !   Make it easier to analyze protocols !   Make it easier for other people to get involved !   Contribute to reasons why this standard should be fixed
  • 6. !   Adam Laurie (Major Malfunction) ! RFIDIOt Previous work ! http://rfidiot.org ! Pablos Holman !   Skimming RFID credit cards with ebay reader ! http://www.youtube.com/watch?v=vmajlKJlT3U !   3ric Johanson ! Pwnpass ! http://www.rfidunplugged.com/pwnpass/ !   Kristen Paget !   Cloning RFID credit cards to mag strip ! http://www.shmoocon.org/2012/presentations/Paget_shmoocon2012-credit- cards.pdf !   Tag reading apps
  • 7. !   Contactless Credit card reader (e.g. VivoPay, Verifone) !   ~$150 (retail) Typical Hardware !   ~$10 - $30 (ebay) !   Card reader ! OmniKey (~$50-90 ebay), ACG, etc. ! Proxmark ($230-$400) !   Mag stripe encoder ($200-$300)
  • 8. !   What is NFCProxy? !   An open source Android app Tool Overview !   A tool that makes it easier to start messing with NFC/RFID !   Protocol analyzer !   Hardware required !   Two NFC capable Android phones for full feature set !   Nexus S (~$60 - $90 ebay) !   LG Optimus Elite (~$130 new. Contract free) !   No custom ROMs yet !   Galaxy Nexus, Galaxy S3, etc. (http://www.nfcworld.com/nfc-phones-list/) !   Software required !   One phone !   Android 2.3+ (Gingerbread) !   Tested 2.3.7 and ICS !   At least one phone needs: !   Cyanogen 9 nightly build from: Jan 20 - Feb 24 2012 !   Or Custom build of Cyanogen
  • 9.
  • 10. ! android_frameworks_base (Java API) ! https://github.com/CyanogenMod/android_frameworks_base/commit/ Cyanogen Card Emulation c80c15bed5b5edffb61eb543e31f0b90eddcdadf ! android_external_libnfc-nxp (native library) ! https://github.com/CyanogenMod/android_external_libnfc-nxp/ commit/34f13082c2e78d1770e98b4ed61f446beeb03d88 ! android_packages_apps_Nfc (Nfc.apk – NFC Service) ! https://github.com/CyanogenMod/android_packages_apps_Nfc/ commit/d41edfd794d4d0fedd91d561114308f0d5f83878 !   NFC Reader code disabled because it interferes with Google Wallet ! https://github.com/CyanogenMod/android_packages_apps_Nfc/ commit/75ad85b06935cfe2cc556ea1fe5ccb9b54467695
  • 11. NFC Hardware Architecture Host   Antenna   Secure   NFC  Chip   Element  
  • 12. !   Proxy transactions !   Save transactions Tool Features !   Export transactions !   Tag replay (on Cyanogen side) !   PCD replay !   Don’t need to know the correct APDUs for a real transactions !   Use the tool to learn about the protocol (APDUs)
  • 13. Standard Transaction APDU   RFID   APDU  
  • 14. How It Works // Proxy Mode WiFi   NFC   APDU   NFC   APDU  
  • 15. Proxy Mode! How It Works // Terminology WiFi   NFC   Relay Mode! NFC  
  • 16. !   Relay Mode !   Opens port and waits for connection from proxy How It Works // Modes !   Place Relay on card/tag !   Proxy Mode !   Swipe across reader !   Forwards APDUs from reader to card !   Transactions displayed on screen !   Long Clicking allows you to Save, Export, Replay, or Delete
  • 17. !   Replay Reader (Skimming mode*) !   Put phone near credit card How It works // Replay Mode !   Nothing special going on here !   Know the right APDUs !   Replay Card (Spending mode) !   Swipe phone across reader !   Phone needs to be able to detect reader – Card Emulation mode !   Requires CyanogenMod tweaks !   Virtual wallet
  • 18. !   A word about android NFC antennas !   Galaxy Nexus: CRAP! Antennas !   Nexus S: Good ! Optimus Elite: Good !   NFC communication is often incomplete !   Need to reengage/re-swipe the phone with a card/reader !   Check the “Status” tab in NFCProxy
  • 19. !   EMV Book 3 ! http://www.emvco.com/download_agreement.aspx?id=654 APDU-Speak !   See RFIDIOt (ChAP.py) and pwnpass for APDUs used for skimming !   Proxy not needed for skimming and spending !   Just for protocol analysis
  • 21. !   Let’s see it in action! Demo!
  • 22. !   What’s next? !   Generic framework that works with multiple technologies Future Work !   Requires better reader detection !   Pluggable modules !   MITM !   Protocol Fuzzing
  • 23. !   Now available for download and contribution! Source Code !   http://sourceforge.net/projects/nfcproxy/
  • 24. !   Questions? Q & A !   Contact: eddie{at}blackwinghq.com