NFC, or Near Field Communication, allows cell phones to perform specified actions whenever they detect NFC tags or signals from another NFC-enabled device. Most recent phones, including the Samsung Galaxy S3, Nokia Lumia 610 and BlackBerry Bold, ship with NFC. NFC also lets enterprises and payment gateways simplify user actions such as connecting to a Wi-Fi network, setting a bookmark or making a payment.
Gone are the days of delivering Android malware through URLs or attachments. In this talk we will show how an attacker can steal private and sensitive information from a phone, and even perform malicious actions on it, using NFC as the attack vector. NFC attack vectors come in two forms: active (the attacker's phone acts as a proxy between the victim's smartphone and the payment terminal) and passive (using NFC tags). For our demonstrations we create malicious NFC tags which, when read by any NFC-enabled smartphone, steal sensitive information from the phone without the user's knowledge and trick the user into installing malicious applications. We then show how an attacker in close proximity to another NFC-enabled phone can obtain a remote shell on the victim's phone and compromise its security. Finally, we discuss how viral an NFC attack could become if proper security measures are not enforced.
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gupta & Subho Halder
1. STAND CLOSE TO
ME AND YOU ARE
PWNED!
SUBHO HALDER | ADITYA GUPTA
@sunnyrockzzs @adi1391
Sunday, 2 December 12
2. WHO ARE WE?
INFORMATION SECURITY RESEARCHERS
MOBILE EXPLOITERS
CREATORS OF AFE (ANDROID FRAMEWORK FOR EXPLOITATION)
PYTHON LOVERS
CO-FOUNDERS OF XYSEC
FOUND BUGS IN SOME FAMOUS WEBSITES, INCLUDING GOOGLE, APPLE, MICROSOFT, SKYPE, ADOBE AND MANY MORE
5. INTRODUCTION TO NFC
SET OF COMMUNICATION PROTOCOLS BASED ON RFID STANDARDS, INCLUDING ISO 14443
13.56 MHZ OPERATING FREQUENCY, +/- 7 KHZ
OPERATING RANGE LESS THAN 4 CM
6. COMMUNICATION MODES
PASSIVE (RFID CARDS / TAGS)
INITIATOR PROVIDES THE RF FIELD AND THEREBY POWERS THE TARGET
TARGET ANSWERS BY LOAD-MODULATING THE INITIATOR'S FIELD
ACTIVE (P2P)
BOTH INITIATOR AND TARGET GENERATE THEIR OWN RF FIELD, TAKING TURNS
8. NFC PROTOCOL LAYER
BELOW THE APPLICATION LAYER SIT THE RF LAYER AND THE PROTOCOL LAYER
THESE LAYERS ARE FOCUSED ON THE PHYSICAL ASPECTS OF STARTING COMMUNICATION (FIELD, MODULATION, INITIALIZATION)
9. NFC PROTOCOL LAYER
TYPE 1 (TOPAZ): Type 1 tags use a format sometimes called the Topaz protocol. It uses a simple memory model which is either static for tags with memory size less than 120 bytes or dynamic for tags with larger memory. Bytes are read from and written to the tag using commands such as RALL, READ, WRITE-E, WRITE-NE, RSEG, READ8, WRITE-E8 and WRITE-N8.
MIFARE CLASSIC: MIFARE Classic tags are storage devices with simple security mechanisms for access control. They use an NXP proprietary security protocol for authentication and ciphering. This encryption was reverse engineered and broken in 2007.
MIFARE ULTRALIGHT: These tags are similar to Topaz tags. They have a static memory layout when they have less than 64 bytes available and a dynamic layout otherwise. The first 16 bytes of memory contain metadata such as a serial number, access rights and the capability container. The rest is for the actual data. Data is accessed using READ and WRITE commands.
LLCP (P2P): The previous protocol layers all have initiators and targets, and the protocols are designed around the initiator being able to read from and write to the target. Logical Link Control Protocol (LLCP) is different because it establishes communication between two peer devices.
10. NFC APPLICATION LAYER
NDEF OR NFC DATA EXCHANGE FORMAT
SIMPLE BINARY MESSAGE FORMAT !
SAMPLE NDEF FORMAT FOR TEXT
11. 03 17 d1 01 13 54 02 65 6e 68 65 6c 6c 6f
20 63 6c 75 62 68 61 63 6B 20 21 fe
03          NDEF message TLV (start of the NDEF message on the tag)
17          TLV length: 23 bytes of NDEF message follow
d1          Record header: MB=1, ME=1, SR=1, TNF=001 "NFC Forum well-known type"
01          Type length: 1 byte
13          Payload length: 19 bytes
54          Type "T" (text record)
02          Status byte: UTF-8 encoding, IANA language code is 2 bytes long
65 6e       Language code "en"
68 ... 21   "hello clubhack !" (16 bytes of text)
fe          Terminator TLV
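The byte walk above, written out as a parser. This is an added example for this page, not code from the slides or from the authors' AFE framework. It reads a Type 2 tag image the way the slide does: the TLV wrapper first, then each NDEF record's header flags, lengths, type and payload, and finally the well-known "T" text record. SAMPLE_TAG is the exact byte string from the slide; the strict length and MB/ME checks are this example's own, and where slide 22 of the deck notes that unexpected NDEF values crash NfcService.java, this parser rejects them with ValueError instead.

```python
"""Parse a Type 2 tag image: TLV wrapper, NDEF record headers, text record.

Added example, not code from the slides or from AFE. Malformed input
raises ValueError rather than being handed on to the NFC service.
"""
import struct

TLV_NULL, TLV_NDEF, TLV_TERMINATOR = 0x00, 0x03, 0xFE

# Constructed input: the slide's bytes, "hello clubhack !" as an NDEF text record.
SAMPLE_TAG = bytes.fromhex(
    "03 17 d1 01 13 54 02 65 6e 68 65 6c 6c 6f 20 63 6c 75 62 68 61 63 6b 20 21 fe"
)

TNF_NAMES = {0: "empty", 1: "well-known", 2: "media", 3: "absolute-uri",
             4: "external", 5: "unknown", 6: "unchanged", 7: "reserved"}


def parse_tag_tlvs(dump):
    """Walk the tag's TLV blocks and return the value of every NDEF TLV (0x03)."""
    messages, off = [], 0
    while off < len(dump):
        tag = dump[off]; off += 1
        if tag == TLV_TERMINATOR:
            break
        if tag == TLV_NULL:                      # 1-byte padding TLV, no length field
            continue
        length = dump[off]; off += 1
        if length == 0xFF:                       # 3-byte length form for values >= 255 bytes
            length = struct.unpack(">H", dump[off:off + 2])[0]; off += 2
        value = dump[off:off + length]; off += length
        if len(value) != length:
            raise ValueError("TLV length runs past the end of the dump")
        if tag == TLV_NDEF:
            messages.append(value)
    return messages


def parse_ndef_message(msg):
    """Split an NDEF message into records, checking MB/ME framing and lengths."""
    records, off, me = [], 0, 0
    while off < len(msg):
        hdr = msg[off]; off += 1
        mb, me, cf = (hdr >> 7) & 1, (hdr >> 6) & 1, (hdr >> 5) & 1
        sr, il, tnf = (hdr >> 4) & 1, (hdr >> 3) & 1, hdr & 0x07
        if bool(mb) != (not records):            # MB only on the first record
            raise ValueError("MB flag set on a non-first record or missing on the first")
        if cf:
            raise ValueError("chunked records are not handled here")
        type_len = msg[off]; off += 1
        if sr:                                   # short record: 1-byte payload length
            payload_len = msg[off]; off += 1
        else:                                    # normal record: 4-byte big-endian length
            payload_len = struct.unpack(">I", msg[off:off + 4])[0]; off += 4
        id_len = 0
        if il:
            id_len = msg[off]; off += 1
        rtype, off = msg[off:off + type_len], off + type_len
        rid, off = msg[off:off + id_len], off + id_len
        payload = msg[off:off + payload_len]; off += payload_len
        if len(payload) != payload_len:
            raise ValueError("payload length exceeds the message")
        records.append({"tnf": TNF_NAMES[tnf], "type": rtype, "id": rid, "payload": payload})
        if me:
            break
    if not records or not me or off != len(msg):
        raise ValueError("message is not terminated by exactly one ME record")
    return records


def decode_text_record(rec):
    """Decode a well-known 'T' record: status byte, IANA language code, text."""
    if rec["tnf"] != "well-known" or rec["type"] != b"T":
        raise ValueError("not a text record")
    status = rec["payload"][0]
    lang_len, enc = status & 0x3F, "utf-16" if status & 0x80 else "utf-8"
    lang = rec["payload"][1:1 + lang_len].decode("ascii")
    return lang, rec["payload"][1 + lang_len:].decode(enc)


def read_tag(dump):
    """(lang, text) of the first text record on the tag."""
    return decode_text_record(parse_ndef_message(parse_tag_tlvs(dump)[0])[0])


def is_well_formed(dump):
    """True if every TLV and NDEF record on the tag parses cleanly."""
    try:
        for msg in parse_tag_tlvs(dump):
            parse_ndef_message(msg)
        return True
    except (ValueError, IndexError, KeyError, struct.error):
        return False


if __name__ == "__main__":
    print(read_tag(SAMPLE_TAG))   # ('en', 'hello clubhack !')
```

Any reader that hands tag contents to a dispatcher should do at least what is_well_formed does: check every declared length against the bytes actually present before trusting a single field.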
12. ANDROID NFC STACK (BOTTOM UP)
KERNEL
libpn544_fw.so (PN544 CONTROLLER FIRMWARE)
libnfc.so, libnfc_ndef.so (NATIVE NFC AND NDEF LIBRARIES)
libnfc_jni.so (JNI BRIDGE)
NFC SERVICES (com.android.nfc)
TAGS: MiFare, Topaz, etc.
21. LEVERAGING NFC FOR ANDROID-BASED VULNERABILITIES
22. COM.ANDROID.NFC
FOR WELL-KNOWN TYPE TAGS, APPLICATIONS ARE LAUNCHED AUTOMATICALLY
WWW-BASED DATA (URI RECORD) FIRES THE BROWSER
A MAILTO: URI FIRES UP THE MAIL CLIENT
UNEXPECTED VALUES IN NDEF CRASH NFCSERVICE.JAVA
23. NFC-AWARE MALWARE
LEVERAGING THE NFC PROTOCOL, A NEW BREED OF ANDROID MALWARE ARISES
PROXYING ANY REQUEST THROUGH THE MALWARE WITHOUT INTERACTION!
24. NFC TAG with any URL -> no interaction needed -> instead of opening the Browser, opens up an application!
25. LEVERAGING USSD-BASED ATTACK USING NFC
26. NFC TAG with malicious URL -> no interaction needed -> opens the malicious link at http://xysec.com/ussd.html -> fires up the browser and dials the number in the user's phone, without any interaction!
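The two slides above (22, automatic dispatch of well-known records, and 26, a tag that leads to a dialed number) in working code. This is an added example, not the authors' code or tooling: it encodes an NDEF URI record the way a tag writer does (with the NFC Forum one-byte prefix abbreviation), wraps it in the Type 2 TLVs, decodes it back, and classifies what the stock dispatcher would do with the URI once the tag is read. The browser and mail-client targets follow the slides; the assumption that a tel: URI reaches the dialer, and the heuristic that a tel: number containing '*' or '#' is a USSD code, are this example's own.

```python
"""Encode/decode NDEF URI records and classify their no-interaction dispatch.

Added example, not code from the ClubHack slides. The http/mailto targets
follow the slides; tel: -> dialer and the USSD heuristic are assumptions.
"""
import struct
from urllib.parse import unquote

# NFC Forum URI Record Type Definition, identifier codes 0x00-0x23 (index == code).
URI_PREFIXES = [
    "", "http://www.", "https://www.", "http://", "https://", "tel:",
    "mailto:", "ftp://anonymous:anonymous@", "ftp://ftp.", "ftps://",
    "sftp://", "smb://", "nfs://", "ftp://", "dav://", "news:", "telnet://",
    "imap:", "rtsp://", "urn:", "pop:", "sip:", "sips:", "tftp:", "btspp://",
    "btl2cap://", "btgoep://", "tcpobex://", "irdaobex://", "file://",
    "urn:epc:id:", "urn:epc:tag:", "urn:epc:pat:", "urn:epc:raw:", "urn:epc:",
    "urn:nfc:",
]


def encode_uri_payload(uri):
    """Replace the longest known prefix with its one-byte identifier code."""
    code, prefix = max(
        ((c, p) for c, p in enumerate(URI_PREFIXES) if p and uri.startswith(p)),
        key=lambda cp: len(cp[1]), default=(0, ""))
    return bytes([code]) + uri[len(prefix):].encode("utf-8")


def decode_uri_payload(payload):
    """Inverse of encode_uri_payload; rejects reserved identifier codes."""
    code = payload[0]
    if code >= len(URI_PREFIXES):
        raise ValueError("reserved URI identifier code 0x%02x" % code)
    return URI_PREFIXES[code] + payload[1:].decode("utf-8")


def ndef_record(tnf, rtype, payload):
    """Single-record NDEF message (MB=ME=1); short-record form below 256 bytes."""
    if len(payload) < 256:
        hdr, length = 0xD0 | tnf, bytes([len(payload)])            # MB|ME|SR
    else:
        hdr, length = 0xC0 | tnf, struct.pack(">I", len(payload))  # MB|ME, 4-byte length
    return bytes([hdr, len(rtype)]) + length + rtype + payload


def type2_tag_image(ndef_message):
    """Wrap the message in an NDEF TLV (0x03) and append the terminator TLV (0xFE)."""
    n = len(ndef_message)
    tlv_len = bytes([n]) if n < 0xFF else b"\xff" + struct.pack(">H", n)
    return b"\x03" + tlv_len + ndef_message + b"\xfe"


def encode_uri_tag(uri):
    """Complete tag image carrying one well-known 'U' record."""
    return type2_tag_image(ndef_record(0x01, b"U", encode_uri_payload(uri)))


def classify_uri(uri):
    """Where the stock dispatcher sends the URI when the tag is read, without any prompt."""
    scheme, _, rest = uri.partition(":")
    scheme = scheme.lower()
    if scheme in ("http", "https"):
        return "browser"         # page loads; it may itself carry a tel: link (slide 26)
    if scheme == "mailto":
        return "mail"
    if scheme == "tel":          # assumption: dialer handles tel: from NDEF_DISCOVERED
        number = unquote(rest)   # '#' is usually written %23 inside a URI
        return "dialer-ussd" if set("*#") & set(number) else "dialer"
    return "other"               # any app that registered an NDEF_DISCOVERED filter


if __name__ == "__main__":
    # Constructed samples; "*#06#" is the harmless IMEI-display code.
    for uri in ("http://xysec.com/ussd.html", "tel:*%2306%23", "mailto:a@b.c"):
        img = encode_uri_tag(uri)
        print(img.hex(), classify_uri(decode_uri_payload(img[6:-1])))  # short record: payload after 6 header bytes
```

The defensive reading of this block is the classifier: anything a scanner would flag as "dialer-ussd" or "browser" runs with zero taps from the user, which is exactly what the deck demonstrates.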