hacking the nfc cards for fun and honor degrees
play

Hacking the NFC cards for fun and honor degrees Ricardo J. Rodr - PowerPoint PPT Presentation

Sep 17, 2022 •37 likes •827 views

Hacking the NFC cards for fun and honor degrees Ricardo J. Rodr guez All wrongs reversed rjrodriguez@fi.upm.es @RicardoJRdez www.ricardojrodriguez.es Universidad Polit ecnica de Madrid Madrid, Spain November 15, 2013

  1. Hacking the NFC cards for fun and honor degrees Ricardo J. Rodr´ ıguez � All wrongs reversed rjrodriguez@fi.upm.es ※ @RicardoJRdez ※ www.ricardojrodriguez.es Universidad Polit´ ecnica de Madrid Madrid, Spain November 15, 2013 Universidad de Zaragoza Zaragoza (Espa˜ na)

  2. $ whoami $ whoami CLS member since early beginnings (2001) Ph.D. by University of Zaragoza (2013) Working for Technical University of Madrid R.J. Rodr´ ıguez Hacking the NFC cards for fun and honor degrees 15 Nov’13 2 / 54

  3. $ whoami $ whoami CLS member since early beginnings (2001) Ph.D. by University of Zaragoza (2013) Working for Technical University of Madrid Performance analysis of complex systems Secure software engineering Fault-Tolerant systems (design and analysis) Malware analysis (techniques and relative stuff) Safety analysis in component-based systems R.J. Rodr´ ıguez Hacking the NFC cards for fun and honor degrees 15 Nov’13 2 / 54

  4. $ whoami $ whoami CLS member since early beginnings (2001) Ph.D. by University of Zaragoza (2013) Working for Technical University of Madrid Performance analysis of complex systems Secure software engineering Fault-Tolerant systems (design and analysis) Malware analysis (techniques and relative stuff) Safety analysis in component-based systems Trainee at NcN, RootedCON, HIP. . . Speaker at NcN, HackLU, RootedCON, STIC CCN-CERT, HIP. . . R.J. Rodr´ ıguez Hacking the NFC cards for fun and honor degrees 15 Nov’13 2 / 54

  5. $ whoami $ whoami CLS member since early beginnings (2001) Ph.D. by University of Zaragoza (2013) Working for Technical University of Madrid Performance analysis of complex systems Secure software engineering Fault-Tolerant systems (design and analysis) Malware analysis (techniques and relative stuff) Safety analysis in component-based systems Trainee at NcN, RootedCON, HIP. . . Speaker at NcN, HackLU, RootedCON, STIC CCN-CERT, HIP. . . Not an NFC (or RFID) expert! R.J. Rodr´ ıguez Hacking the NFC cards for fun and honor degrees 15 Nov’13 2 / 54

  6. $ whoami $ whoami CLS member since early beginnings (2001) Ph.D. by University of Zaragoza (2013) Working for Technical University of Madrid Performance analysis of complex systems Secure software engineering Fault-Tolerant systems (design and analysis) Malware analysis (techniques and relative stuff) Safety analysis in component-based systems Trainee at NcN, RootedCON, HIP. . . Speaker at NcN, HackLU, RootedCON, STIC CCN-CERT, HIP. . . Not an NFC (or RFID) expert! Not giving any new 0-day or vulnerability, just recalling the state-of-the-art R.J. Rodr´ ıguez Hacking the NFC cards for fun and honor degrees 15 Nov’13 2 / 54

  7. Outline Outline Near Field Communication (NFC) 1 What is it? Where is it used? MIFARE classic 2 What is it? Some of its common uses Internal Structure Communication Protocol A Few Words about its Cipher. . . Known Weaknesses Related Work 3 A Case Study 4 Problem Analysis Involving FyCSE. . . Lessons Learned Conclusions 5 R.J. Rodr´ ıguez Hacking the NFC cards for fun and honor degrees 15 Nov’13 3 / 54

  8. Near Field Communication (NFC) Outline Near Field Communication (NFC) 1 What is it? Where is it used? MIFARE classic 2 What is it? Some of its common uses Internal Structure Communication Protocol A Few Words about its Cipher. . . Known Weaknesses Related Work 3 A Case Study 4 Problem Analysis Involving FyCSE. . . Lessons Learned Conclusions 5 R.J. Rodr´ ıguez Hacking the NFC cards for fun and honor degrees 15 Nov’13 4 / 54

  9. Near Field Communication (NFC) What is it? Near Field Communication: What is it? (I) Near Field Communication (NFC) Standard to establish radio communication between devices By touching or bringing them into close proximity Builds upon RFID Radio-Frequency ID: identify and track (things/animals/people) using radio waves Works at 13.56MHz band on ISO/IEC 18000-3 (no license needed) Distance needed: ≤ 10cm (theoretically ≤ 20) Rates: 106 − 424 kbit/s Two main actors Initiator: generates a RF field Target Two working modes Passive: initiator device provides a carrier field. Target is a transponder Active: initiator + target generate their own fields R.J. Rodr´ ıguez Hacking the NFC cards for fun and honor degrees 15 Nov’13 5 / 54

  10. Near Field Communication (NFC) What is it? Near Field Communication: What is it? (II) “Big” actors NFC Forum Non-profit industry association Formed on March 18, 2004 Founders: NXP Semiconductors (formerly Philips Semiconductors), Sony and Nokia Promotes implementation and standardisation of NFC 190 member companies (June 2013). Some located at Spain: Applus AT4 Wireless R.J. Rodr´ ıguez Hacking the NFC cards for fun and honor degrees 15 Nov’13 6 / 54

  11. Near Field Communication (NFC) What is it? Near Field Communication: What is it? (III) Real actors (1) PICC Proximity Integrated Circuit Card Commonly named as tag Passive or active (depends on power supply) Widely used (cheaper): passive ones It contains: Internal capacitor Stores the energy coming from the reader Resistor R.J. Rodr´ ıguez Hacking the NFC cards for fun and honor degrees 15 Nov’13 7 / 54

  12. Near Field Communication (NFC) What is it? Near Field Communication: What is it? (III) Real actors (2) PCD Proximity Coupling Device Commonly named as reader/writer Active (forced) Contains the antenna Communication at the 13.56MHz ( ± 7kHz) frequency Electronic field R.J. Rodr´ ıguez Hacking the NFC cards for fun and honor degrees 15 Nov’13 8 / 54

  13. Near Field Communication (NFC) What is it? Near Field Communication: What is it? (IV) An interesting reading on this topic. . . [Taken from 13.56 MHz RFID Proximity Antennas ( http://www.nxp.com/documents/application_note/AN78010.pdf )] R.J. Rodr´ ıguez Hacking the NFC cards for fun and honor degrees 15 Nov’13 9 / 54

  14. Near Field Communication (NFC) Where is it used? Near Field Communication: Where is it used? (V) R.J. Rodr´ ıguez Hacking the NFC cards for fun and honor degrees 15 Nov’13 10 / 54

  15. MIFARE classic Outline Near Field Communication (NFC) 1 What is it? Where is it used? MIFARE classic 2 What is it? Some of its common uses Internal Structure Communication Protocol A Few Words about its Cipher. . . Known Weaknesses Related Work 3 A Case Study 4 Problem Analysis Involving FyCSE. . . Lessons Learned Conclusions 5 R.J. Rodr´ ıguez Hacking the NFC cards for fun and honor degrees 15 Nov’13 11 / 54

  16. MIFARE classic What is it? MIFARE Classic (I): What is it? MIFARE product family Introduced in 1995 by NXP “Advanced technology for RFID identification” Based on ISO/IEC 14443 Type A 13.56 MHz standard Several products: Ultralight Classic DESFire SmartMX R.J. Rodr´ ıguez Hacking the NFC cards for fun and honor degrees 15 Nov’13 12 / 54

  17. MIFARE classic What is it? MIFARE Classic (I): What is it? MIFARE product family Introduced in 1995 by NXP “Advanced technology for RFID identification” Based on ISO/IEC 14443 Type A 13.56 MHz standard Several products: Ultralight Classic DESFire SmartMX 50M reader and 5B card components sold ∼ 80% contactless ticketing credentials (according to ABI Research) R.J. Rodr´ ıguez Hacking the NFC cards for fun and honor degrees 15 Nov’13 12 / 54

  18. MIFARE classic Some of its common uses MIFARE Classic (II): Some of its common uses Some systems using MIFARE Classic Access Controls University of Zaragoza Personal entrance Schiphol Airport (AMS) Dutch military bases Hotel room keys Many office and official buildings Ticketing events Public transport systems OV-Chipkaart (NL) Oyster card (London, UK) Smartrider (AU) EMT (M´ alaga, Spain) Wikipedia: http://en.wikipedia.org/wiki/MIFARE R.J. Rodr´ ıguez Hacking the NFC cards for fun and honor degrees 15 Nov’13 13 / 54

  19. MIFARE classic Internal Structure MIFARE Classic (III): Internal Structure (1) Logical Structure EEPROM memory Basic unit: 16B block A sector is a set of blocks Two size variants: 1KB (16 sectors, 4 blocks each) 4KB (40 sectors, first 32 sectors are 4-block, the rest 16-block) R.J. Rodr´ ıguez Hacking the NFC cards for fun and honor degrees 15 Nov’13 14 / 54

  20. MIFARE classic Internal Structure MIFARE Classic (III): Internal Structure (1) Logical Structure EEPROM memory Basic unit: 16B block A sector is a set of blocks Two size variants: 1KB (16 sectors, 4 blocks each) 4KB (40 sectors, first 32 sectors are 4-block, the rest 16-block) Let me show you this graphically. . . R.J. Rodr´ ıguez Hacking the NFC cards for fun and honor degrees 15 Nov’13 14 / 54

  21. MIFARE classic Internal Structure MIFARE Classic (III): Internal Structure(2) R.J. Rodr´ ıguez Hacking the NFC cards for fun and honor degrees 15 Nov’13 15 / 54

  22. MIFARE classic Internal Structure MIFARE Classic (III): Internal Structure (3) Manufacturer block Sector 0, block 0 (yellow one in previous slide) Contains: UID (4B) BCC (bit count check, 1B): XOR-ing of UID bytes Manufacturer data (11B) Set and locked by manufacturer → read only! R.J. Rodr´ ıguez Hacking the NFC cards for fun and honor degrees 15 Nov’13 16 / 54

Recommend

Hacking the NFC credit cards for fun and debit ;) Renaud Lifchitz BT renaud.lifchitz@bt.com

Hacking the NFC credit cards for fun and debit ;) Renaud Lifchitz BT renaud.lifchitz@bt.com

Hacking the NFC credit cards for fun and debit ;) Renaud Lifchitz BT renaud.lifchitz@bt.com DeepSec 2012 November 27-30 Vienna, Austria Speaker's bio French computer security engineer working at BT France Main activities:

498 views • 32 slides
Hacking Mifare Classic Cards Mrcio Almeida (marcioalma@gmail.com) !! DISCLAIMERS !!

Hacking Mifare Classic Cards Mrcio Almeida (marcioalma@gmail.com) !! DISCLAIMERS !!

Hacking Mifare Classic Cards Mrcio Almeida (marcioalma@gmail.com) !! DISCLAIMERS !! Disclaimer 1: The content of this presentation results from independent research conducted by me on my own time and of my own accord. This research was not

783 views • 50 slides
ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
B) 15 degrees C) 28 degrees D) 56 degrees E) 90 degrees Knight Problem 8.29 An 85,000 kg stunt

B) 15 degrees C) 28 degrees D) 56 degrees E) 90 degrees Knight Problem 8.29 An 85,000 kg stunt

A car is taking a turn that follows a circular path on a flat section of road. The radius of the circle is 200 m and the cars instantaneous speed is 15 m/s. The car is speeding up at a rate of 0.75 m/s per second. What is the tangential

70 views • 5 slides
www.worldofinsights.co How to use the cards REFLECT CARDS Use as an ice-breaker to create

www.worldofinsights.co How to use the cards REFLECT CARDS Use as an ice-breaker to create

www.worldofinsights.co How to use the cards REFLECT CARDS Use as an ice-breaker to create dialogue on learning. RETHINK CARDS Use as a brainstorming tool to spark new ideas. ACT CARDS Use to transform insights into action. Licence to Dare

434 views • 24 slides
Honor Council: Faculty Senate Presentation On my honor, I have neither given nor received any

Honor Council: Faculty Senate Presentation On my honor, I have neither given nor received any

Honor Council: Faculty Senate Presentation On my honor, I have neither given nor received any unauthorized aid on this (exam, quiz, paper). The Honor Council Elected group of students who review cases of Honor Code violations and vote

659 views • 12 slides
HONOR ROLL D A V I N C I D E S I G N WHAT IS HONOR ROLL? Da Vinci Designs Honor Roll is

HONOR ROLL D A V I N C I D E S I G N WHAT IS HONOR ROLL? Da Vinci Designs Honor Roll is

HONOR ROLL D A V I N C I D E S I G N WHAT IS HONOR ROLL? Da Vinci Designs Honor Roll is an academic distinction given to students based on their grade point average Each academic year, based on your grades, you have the opportunity

748 views • 5 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation & privilege escalation 4. Maintaining access & covering tracks

960 views • 62 slides
Mariam Badr Bank Accounts Credit Cards Information Applications users Licenses and

Mariam Badr Bank Accounts Credit Cards Information Applications users Licenses and

Ahmed Khaled Hossam Alaa Mariam Badr Bank Accounts Credit Cards Information Applications users Licenses and certificates Identity thefts Systems hacking Illegal transactions Most web and network applications are

416 views • 27 slides
NANO MINING POOL CLOUD CONTRACTS AND MINING SERVICES OUR PRODUCTS Cloud cards are mining cards

NANO MINING POOL CLOUD CONTRACTS AND MINING SERVICES OUR PRODUCTS Cloud cards are mining cards

NANO MINING POOL CLOUD CONTRACTS AND MINING SERVICES OUR PRODUCTS Cloud cards are mining cards and help in earning respective payouts on allocated Hash power. Cloud cards are GPU cards. CLOUD CARDS Rigs provide you more mining speed and make

324 views • 13 slides
SIM Card Hacking What is it? Social engineering attack that tricks carrier reps to swap sim

SIM Card Hacking What is it? Social engineering attack that tricks carrier reps to swap sim

SIM Card Hacking What is it? Social engineering attack that tricks carrier reps to swap sim cards Deactivates a victims SIM Activates the attackers SIM under the victims account. What can happen? Attackers now have

299 views • 15 slides
Honor Roll & High Honor Roll in Our S econdary S chools January, 2013 Presentation to the

Honor Roll & High Honor Roll in Our S econdary S chools January, 2013 Presentation to the

Honor Roll & High Honor Roll in Our S econdary S chools January, 2013 Presentation to the Board of Education Todd Winch, Assistant Superintendent for Curriculum & Instruction Reasons for Honor Roll Recognize academic excellence

333 views • 6 slides
SimpleGraphs: Degrees lastweek Multi-Graph thisweek degrees.1 degrees.2 AlbertRMeyer

SimpleGraphs: Degrees lastweek Multi-Graph thisweek degrees.1 degrees.2 AlbertRMeyer

TypesofGraphs MathematicsforComputerScience MIT 6.042J/18.062J Simple DirectedGraph Graph SimpleGraphs: Degrees lastweek Multi-Graph thisweek degrees.1 degrees.2 AlbertRMeyer April1,2013 AlbertRMeyer April1,2013

322 views • 6 slides
COPH Honor Council 2020 Honor Council Members Please familiarize yourself with the principles of

COPH Honor Council 2020 Honor Council Members Please familiarize yourself with the principles of

COPH Honor Council 2020 Honor Council Members Please familiarize yourself with the principles of conduct laid out in the COPH Honor Council Constitution. If you have any questions please contact Associate Dean for Student and Alumni Affairs

427 views • 31 slides
Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1 Disclaimer Everything you are about to see, hear, read and experience is for educational purposes only. No warranties or guarantees implied or

692 views • 47 slides
Hon Honor Roll or Roll SY1920 Congratulations to all the 7 th grade scholars who received Honor

Hon Honor Roll or Roll SY1920 Congratulations to all the 7 th grade scholars who received Honor

Pre resents sents the he th Gr rd Qu 7 th Grad ade e Vi Virt rtual ual 3 rd Quar arter ter Hon Honor Roll or Roll SY1920 Congratulations to all the 7 th grade scholars who received Honor Roll for the 3 rd Quarter. Honor nor Roll:

175 views • 16 slides
REPORT CARDS: an old tradition with a new look Transitioning to Standards-Based Report Cards

REPORT CARDS: an old tradition with a new look Transitioning to Standards-Based Report Cards

REPORT CARDS: an old tradition with a new look Transitioning to Standards-Based Report Cards REPORT CARDS...theyre a lot of work, so why do we do them? To clearly, fairly, and objectively communicate how a child is progressing in

343 views • 10 slides
Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June 15, 2017 Outline Drone Architectures RF Basics Information Gathering RF Hacking Tools Exploits & Demos Q&A Why? Wrights Law

487 views • 27 slides
Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by benign purposes Hacktivism Counterhacking Case Studies Site defacement Network exploration / Port scanning / SQL injection / . . .

522 views • 18 slides
Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

ECF gratefully acknowledges financial support from the European Commission. Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in) the city of Copenhagen using bicycles. Bicycle-as-a-Sensor 1.

278 views • 11 slides
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers Objectives After reading this chapter and completing the exercises, you will be able to: Describe Web applications Explain Web application

530 views • 9 slides
Radians & Degrees Radians & Degrees & Co-terminal angles Arc Length & Area

Radians & Degrees Radians & Degrees & Co-terminal angles Arc Length & Area

Slide 1 / 162 Slide 2 / 162 Algebra II Trigonometric Functions 2015-12-17 www.njctl.org Slide 3 / 162 Slide 4 / 162 click on the topic to go Trig Functions to that section Radians & Degrees Radians & Degrees & Co-terminal

392 views • 27 slides
An Example Blackjack: Goal is to obtain cards whose sum is as great as possible without exceeding

An Example Blackjack: Goal is to obtain cards whose sum is as great as possible without exceeding

An Example Blackjack: Goal is to obtain cards whose sum is as great as possible without exceeding 21. All face cards count as 10, and an Ace can be About this class worth either 1 or 11. Back to MDPs Game proceeds as follows: two cards are

435 views • 9 slides
Paris Agreement (2015) UN IPCC Report (2018) Significant differences between 1.5 degrees C and 2

Paris Agreement (2015) UN IPCC Report (2018) Significant differences between 1.5 degrees C and 2

Paris Agreement (2015) UN IPCC Report (2018) Significant differences between 1.5 degrees C and 2 degrees C Health Water supply Livelihoods Economic growth Food security UN IPCC Report (2018) 1.5 .5 degrees C vs 2 2 degrees C Population

371 views • 22 slides

More recommend