Presentation is loading. Please wait.

Presentation is loading. Please wait.

Eagle1753@onenetbeyond.org - bughardy@cryptolab.net How to build a safe NFC validating system Matteo Collura (Eagle1753) & Matteo Beccaro (bughardy)

Published byTravis Esworthy Modified over 10 years ago

Similar presentations

Presentation on theme: "Eagle1753@onenetbeyond.org - bughardy@cryptolab.net How to build a safe NFC validating system Matteo Collura (Eagle1753) & Matteo Beccaro (bughardy)"— Presentation transcript:

1 eagle1753@onenetbeyond.org - bughardy@cryptolab.net
How to build a safe NFC validating system Matteo Collura (Eagle1753) & Matteo Beccaro (bughardy) -

2 Who we are Matteo Collura Matteo Beccaro Nickname: Eagle1753
Mail: Student at Politecnico of Turin: Electronic Engineering Matteo Beccaro Nickname: bughardy Mail: Student at Politecnico of Turin: Computer Engineering Employee at Secure Network Both speakers at DefCon 21 («OTP it won’t save you from free rides»)

3 What we are dealing with
MIFARE ULTRALIGHT tags, as tickets Designed to MHz Manufactured by NXP Semiconductors Arduino Uno with NFC shield, as stamping machine Shield NFC by Adafruit

4 MIFARE ULTRALIGHT, Facts&Figures

5 Structure 512 bits (64 bytes) arranged in 16 pages Page Address Byte #
DEC HEX 1 2 3 0x00 UID 0x01 0x02 Internal Lock Bytes 0x03 OTP From 4 to 15 0x04 to 0x0F Data

6 UID + Internal 7 Bytes «Serial Number» + 1 Byte «Internal»
2 «Check Bytes», as a result of XOR operations Programmed by the manifacturer, read only Byte 0 Byte 1 Byte 2 Byte 3 Page 00h SN0 SN1 SN2 CB0 Page 01h SN3 SN4 SN5 SN6 Page 02h CB1 Internal Lock bytes Page Address Byte # DEC HEX 1 2 3 0x00 UID 0x01 0x02 Internal Lock Bytes 0x03 OTP From 4 to 15 0x04 to 0x0F Data

7 Lock Bytes 2 Bytes Possibility of making a whole page (4 bytes) read-only Possibility of making the Lock Bytes themselves read-only L - 7 L - 6 L - 5 L - 4 L - OTP BL – 10 to 15 BL – 4 to 9 BL - OTP L -15 L -14 L - 13 L - 12 L - 11 L - 10 L - 9 L - 8 Page Address Byte # DEC HEX 1 2 3 0x00 UID 0x01 0x02 Internal Lock Bytes 0x03 OTP From 4 to 15 0x04 to 0x0F Data

8 Lock Bytes They can’t be edited as you want OR 1
What you are about to write is simply bitwise Ored One bit in state «1» cannot be turned into «0» anymore OR 1 Page Address Byte # DEC HEX 1 2 3 0x00 UID 0x01 0x02 Internal Lock Bytes 0x03 OTP From 4 to 15 0x04 to 0x0F Data

9 OTP The only security function in MIFARE ULTRALIGHT tags
4 bytes, 0x00 by default As the Lock Bytes, what you are about to write is ORed with the previous It stands for «One-Time Programmable», not «One Time Password» Page Address Byte # DEC HEX 1 2 3 0x00 UID 0x01 0x02 Internal Lock Bytes 0x03 OTP From 4 to 15 0x04 to 0x0F Data

10 Data previously written
OTP Used for storing the number of rides left in a multiple-ride ticket Example of writing on OTP sector Data to be written Data previously written Final result Page Address Byte # DEC HEX 1 2 3 0x00 UID 0x01 0x02 Internal Lock Bytes 0x03 OTP From 4 to 15 0x04 to 0x0F Data

11 Data Widest sector Read/Write mode
48 Bytes, arranged in 12 pages Read/Write mode As regards transportation system applications you find here: Time of last stamp Validator Machine ID Bus line or underground stop Page Address Byte # DEC HEX 1 2 3 0x00 UID 0x01 0x02 Internal Lock Bytes 0x03 OTP From 4 to 15 0x04 to 0x0F Data

12 Pro & Cons of MIFARE ULTRALIGHT tags

13 Pros Cons Cheap Possibility of creating limited tickets
They expire after a finite number of times Good for public transportation system No hardware encryption Usually not well implemented on public transportation systems: Reset Attack Lock Attack Time Attack Replay Attack

14 Known Vulnerabilities

15 Reset Attack [2011] It works if the rides are stored in the data sector Just dump a fresh ticket Once it is expired write the previous dump on the ticket Have fun with your restored ticket ! Hardly appliable as it is a well known exploit (theoretically speaking)

16 Lock Attack [2013] It works fine if the stamp machine does not check the lock bit of the OTP Just turn it from state «0» to «1» Have fun with your ticket for life ! L - 7 L - 6 L - 5 L - 4 L - OTP BL – 10 to 15 BL – 4 to 9 BL - OTP L -15 L -14 L - 13 L - 12 L - 11 L - 10 L - 9 L - 8 Page Address Byte # DEC HEX 1 2 3 0x00 UID 0x01 0x02 Internal Lock Bytes 0x03 OTP From 4 to 15 0x04 to 0x0F Data

17 Lock Attack [2013] Whoops Quick summary: No feedback  WIN
Check last time stamp more than X min ago: No  the ticket is still valid Yes  let’s stamp the the ticket Check if there are rides left: No  your ticket is useless Yes  let’s stamp it! Write timestamp  OK Write other stuff  OK Write the new number of rides left Fail No feedback  WIN Do Not forget to take one ride off ! Type of multiple ride ticket = 5 rides ticket Ticket is valid, Rides left = 5 Whoops

18 Time Attack [2013] Assume you know: Stamp the ticket by yourself:
Where the time of last stamp is stored It is not encrypted Stamp the ticket by yourself: Just write the actual time in the same way & location Fully Undetectable: Just doing the stamp machine work Number of rides left doesn’t change

19 Replay Attack [Never applied]
Assume that data regarding timestamp is encrypted: Non-univocal parameters are used I.e. Everything that is not unique for the ticket (UID) A possible encryption could be: AES (timestamp,key) Replay the encrypted timestamp on several tickets

20 How to build a safe ticketing system

21 How to build a safe ticketing system
Fix the previous vulnerabilities: Reset Attack: Rides left must not be stored in DATA sector Lock Attack: Possibility of writing on the OTP sector Check if the lock bit state is 1 or 0 If 1  Do not stamp the ticket If 0  Do the usual operations

22 How to build a safe ticketing system
Fix the previous vulnerabilities: Time Attack: Encrypt those kind of data Replay Attack: Use univocal ticket detail (as UID) while generating encrypted string

23 The Sample Lib

24 The Sample Lib Arduino + NFC Shield by Adafruit + hours in coding = a little sample lib. encrypt_aes() valid_or_not() otp_check() power() // just power function, the one in Math.h sucks rides_check() remove_rides() Just an example to point out the functions which are necessary to get a «secure» ticketing system.

25 Why «secure»? Unfortunately it is not 100% safe,
but it could well be enough secure We are going to see this later.

26 encrypt_aes(int result[64])
The Sample Lib encrypt_aes(int result[64]) It requires an array of size 64 on the ticket where to write the encrypted actual timestamp Unix timestamp divided by 60 to get minutes, more useful to be checked The encryption algorithm used is AES128 (NSA didn’t pay us, or better, not so much) By default, we used a strong key Use of the UID to prevent replay attacks The final result is: aes(timestamp()/60 + UID, key)

27 The Sample Lib valid_or_not()
It does exactly the opposite job of encrypt_aes() It reads and decrypt all the encrypted data and check if Actual timestamp() – stored timestamp() < 100 We chose 100 minutes for our sample

28 otp_check(char* lock_page)
The Sample Lib otp_check(char* lock_page) Fundamental function to avoid the lock attack. It takes as input the lock_page of the ticket It checks if the OTP lock bit is set to 1 or 0, replying 0 or 1 respectively You can easily refuse to stamp the ticket if OTP is read-only.

29 otp_check(char* lock_page)
The Sample Lib otp_check(char* lock_page) It takes as input the OTP page: Checks how many zeroes are there One zero = one ride left It gives the number of zeroes left as output. Note: In this sample lib we used only half size of OTP sector. So, you can have just 16 rides per ticket. You can easily edit it to get up to 16 rides more.

30 remove_rides(char* otp)
The Sample Lib remove_rides(char* otp) It takes the OTP page as input It writes on the ticket the new OTP page, taking one ride off It just turns one bit from «0» into «1» It returns 1 if the operation goes through Note: This function does not check whether the OTP is writable or not. It is already done by otp_ckeck(char* lock_page)

31 otp_check(char* lock_page)
What if you don’t use otp_check(char* lock_page) Something like this may occur Type of multiple ride ticket = 5 rides ticket Ticket is valid, Rides left = 5 WTF???

32 Issues regarding the Sample Lib

33 Issues regarding the Sample Lib
Everything is very nice, but... It is not 100% secure... Why? Security features are all in the ticket RFID frequencies could be jammed There aren’t any live statistics about what is happening to your network By using this lib you can create a system that is enough secure for a little transport network As regards the bigger ones...

34 Issues regarding the Sample Lib
... Use an online database. If it is possible to connect the stamping machines to the network, you can share a db with the following data: UID of stamped tickets Rides left for each ticket Blacklist of UID tickets Update key for stamping machines Company stats Number of tickets used per day Lines used most

35 A little contribute We love bitcoins
BTC address: 1nfciKph3dfCgHAwUiCA4Qq9KTkn872Pj If you appreciated our job, please send us a little help. If you want to implement our lib on your system please let us know that. We are glad to receive suggestions and also criticisms.

36 Thank you!!

Download ppt "Eagle1753@onenetbeyond.org - bughardy@cryptolab.net How to build a safe NFC validating system Matteo Collura (Eagle1753) & Matteo Beccaro (bughardy)"

Similar presentations

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.
MFA for Business Banking – Security Questions with Reset Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing.

MFA for Business Banking – Security Questions with Reset Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing.
How to Use the Earthquake Travel Time Graph (Page 11

How to Use the Earthquake Travel Time Graph (Page 11
(nothing to see here). First thing you need to learn is that sysadmin is about people, not technology If youre a sysadmin so you dont have to deal with.

(nothing to see here). First thing you need to learn is that sysadmin is about people, not technology If youre a sysadmin so you dont have to deal with.
Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.
1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.

1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.
© 2010 Pearson Addison-Wesley. All rights reserved. Addison Wesley is an imprint of Chapter 11: Structure and Union Types Problem Solving & Program Design.

© 2010 Pearson Addison-Wesley. All rights reserved. Addison Wesley is an imprint of Chapter 11: Structure and Union Types Problem Solving & Program Design.
DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.
XFEL 2D Pixel Clock and Control System Train Builder Meeting, DESY 22 October 2009 Martin Postranecky, Matt Warren, Matthew Wing.

XFEL 2D Pixel Clock and Control System Train Builder Meeting, DESY 22 October 2009 Martin Postranecky, Matt Warren, Matthew Wing.
1 PRS Demonstration: Ask the Audience in Your Lectures! 13 th February 2008 Wendy Beekes Accounting and Finance.

1 PRS Demonstration: Ask the Audience in Your Lectures! 13 th February 2008 Wendy Beekes Accounting and Finance.
© Tally Solutions Pvt. Ltd. All Rights Reserved Shoper 9 License Management December 09.

© Tally Solutions Pvt. Ltd. All Rights Reserved Shoper 9 License Management December 09.
ECE454/CS594 Computer and Network Security

ECE454/CS594 Computer and Network Security
6/2/2014 1 Online Group Enrollment. 6/2/2014 2 Introduction Thank you for choosing Online Enrollment! This presentation will walk you through the Online.

6/2/ Online Group Enrollment. 6/2/ Introduction Thank you for choosing Online Enrollment! This presentation will walk you through the Online.
MX250 Power on and off, Console Mode. January 2004 Page 2 Power Supply MX250 has ac and dc inputs –ac 100 to 240 V, 5A, 50 to 60 Hz –dc –48 V, 6A –worldwide.

MX250 Power on and off, Console Mode. January 2004 Page 2 Power Supply MX250 has ac and dc inputs –ac 100 to 240 V, 5A, 50 to 60 Hz –dc –48 V, 6A –worldwide.
Chapter 11: Models of Computation

Chapter 11: Models of Computation
Why should I consider Implementing a Document Imaging / Management System? Created by Harold Hegerhorst North American Technology. LLC © North American.

Why should I consider Implementing a Document Imaging / Management System? Created by Harold Hegerhorst North American Technology. LLC © North American.
March 27, 2014 How to get started RMA Portal MOTOROLA SOLUTIONS 1.

March 27, 2014 How to get started RMA Portal MOTOROLA SOLUTIONS 1.
Programming with Alice Computing Institute for K-12 Teachers Summer 2011 Workshop.

Programming with Alice Computing Institute for K-12 Teachers Summer 2011 Workshop.
Modern Programming Languages, 2nd ed.

Modern Programming Languages, 2nd ed.
1 Designing Hash Tables Sections 5.3, 5.4, 5.5. 2 Designing a hash table 1.Hash function: establishing a key with an indexed location in a hash table.

1 Designing Hash Tables Sections 5.3, 5.4, Designing a hash table 1.Hash function: establishing a key with an indexed location in a hash table.

Similar presentations

Ads by Google