yummy yummy fruit salad an analysis of apple pay
play

YUMMY YUMMY FRUIT SALAD: AN ANALYSIS OF APPLE PAY Image stolen - PowerPoint PPT Presentation

Oct 12, 2023 •225 likes •637 views

YUMMY YUMMY FRUIT SALAD: AN ANALYSIS OF APPLE PAY Image stolen from: https://scratch.mit.edu/projects/10813101/ $whoami Principle Consultant @ Payment Security Consulting Usually do PCI based work (hey, its a living) Enjoy

  1. YUMMY YUMMY FRUIT SALAD: AN ANALYSIS OF APPLE PAY Image stolen from: https://scratch.mit.edu/projects/10813101/

  2. $whoami  Principle Consultant @ Payment Security Consulting  Usually do PCI based work (hey, it’s a living)  Enjoy hardware stuff  Also enjoy poking at iOS applications  Did a silly badge this year for the Hardware Hacking Village – hope you got one!  Trying to encourage more people to break stuff.  See https://www.github.com/peterfillmore for some (badly) written code.

  3. Agenda  What is ApplePay exactly  Apple Pay Architecture  XPC – How the components communicate  Registering a card  Using a card  Remote wiping of cards  Issues  Tools developed and used  References

  4. ApplePay  Another in the long running examples of Apple “inventing” something  Nothing but a lot of existing technologies bolted together with a fancy façade!  Publicly available information is scant – people who work with the stuff are NDA’d heavily   Good thing I blew a grand on an iPhone 6

  5. ApplePay consists of (iPhone 6): AMS AS3923 Power Booster NXP 65v10 Secure PN548 Element

  6. Secure Element http://www.chipworks.com/about- chipworks/overview/blog/inside-the-iphone-6-and-iphone-6-plus

  7. Software Hardware Applications Frameworks Daemons Drivers nfcd PN548 Drivers Nearfield. Passkit PN548_HAL. framework dylib seld PN548_API. dylib PN548. Passkit. dylib passd PasskitUI Framework

  8. XPC Mach XPC Decode System Application Message Service and Call Resource  The primary method of inter-process communication in iOS  Client/Server Model  Designed to provide stability and privilege separation  Passes serialized messages via a MACH message call

  9. XPC Services used by ApplePay passd nfcd { … Label = "com.apple.nfcd"; { … MachServices = EnableTransactions = 1; { "com.apple.nfcd" = 1;}; Label = "com.apple.passd"; ProcessType = Interactive; …. Program = "/usr/libexec/nfcd"; MachServices = { UserName = mobile;} "com.apple.passd.aps" = 1; "com.apple.passd.bulletins" = 1; seld "com.apple.passd.in-app-payment" = 1; "com.apple.passd.library" = 1; "com.apple.passd.payment" = 1; }; {…Label = "com.apple.seld"; POSIXSpawnType = Adaptive; MachServices = { ProgramArguments = ( "com.apple.seld" = 1; "/System/Library/Frameworks/PassKit.frame "com.apple.seld.aps" = 1; }; work/passd" ); Program = "/usr/libexec/seld"; ThrottleInterval = 0; RunAtLoad = 1; UserName = mobile;} UserName = mobile;}

  10. Client Must have the correct entitlements to use an XPC Service NFCD SELD  com.apple.nfcd.se  com.apple.seld.debug  com.apple.nfcd.debug  com.apple.seld.cm  com.apple.nfcd.info

  11. Example calling an XPC Service Create Connection xpc_connection_t connection = xpc_connection_create_mach_service("com.apple.nfcd", NULL, 0); Set Handler xpc_connection_set_event_handler(connection, ^(xpc_object_t object) { Create XPC Object xpc_object_t msgobject = xpc_dictionary_create(NULL,NULL,0); xpc_object_t object = xpc_dictionary_create(NULL, NULL, 0); xpc_dictionary_set_int64(msgobject, "Controller", 6); Send object and get result xpc_object_t reply = xpc_connection_send_message_with_reply_sync(connection, object);

  12. XPC Sum-up  Calling applications must have appropriate entitlements to use an XPC service.  XPC services run under a nominated account (“mobile” in the case of NFC components)  Harder to exploit from userland. Better people then I have looked at this stuff: References:  Ian Beer - http://googleprojectzero.blogspot.com.au/2015/ 09/revisiting-apple-ipc-1-distributed_28.html

  13. Enrolling a card – Step 1 Authentication Passbook Server Send “card to authorise” details to apple Uses Secure Element Identifier and AppleToken for authentication https://nc-pod2-smp-device.apple.com/broker/v2/devices/<seID>/cards JSON of AID, card identifier, sanitized PAN and URL for the terms and conditions

  14. Enrolling a card – Step 2 Authentication Passbook Server Retrieve “Terms and Conditions” from provided URL https://nc-pod2-smp-device.apple.com/broker/v1/assets/<t&c version> XML of terms and conditions

  15. Enrolling a card – Step 3 Authentication Passbook Server Send authorization details: CVV2, Device Name, Location, Phone Number https://nc-pod2-smp-device.apple.com/broker/v2/devices/ <seID>/cards/<identifier>/enable URL of generated pass

  16. Enrolling a card – Step 4 Authentication Passbook Server Retreive the generated PassKit pass https://nc-pod2-smp-device.apple.com/broker/v1/passes/ paymentpass.com.apple/<generateURL> Zipped package containing: Images, JSON containing pass details and the signature

  17. Enrolling a card – Step 5 Authentication securityd Server Verify certificates using OCSP http://ocsp.apple.com/ocsp03-wwdr02/<hash of cert> OCSP response (check with openssl: Openssl ocsp – respin <response> -text

  18. Enrolling a card – Step 6 Authentication seld Server Retrieve commands to run on the Secure Element, contains certificates, supported cards and secure element Id. http://nc-pod2-smp-device.apple.com/tsm/ <seId>/get_pending_commands List of EMV commands to execute on the secure element.

  19. Enrolling a card – Step 7 Authentication Passbook Server Retrieve a list of the authentication methods supported https://nc-pod2-smp-device.apple.com/broker/v2/devices/ passes/paymentpass.com.apple/<providedURL>/activationMethods JSON of authentication method data. e.g email, SMS or phone call

  20. Enrolling a card – Step 8 Authentication Passbook Server Send selected method identifer https://nc-pod2-smp-device.apple.com/broker/v2/devices/ passes/paymentpass.com.apple/<providedURL>/sendActivationMethod Confirm Response

  21. Enrolling a card – Step 9 seld Authentication Server Send results of EMV command execution from the secure element http://nc-pod2-smp-device.apple.com/tsm/ <seId>/get_pending_commands Confirm Response

  22. Enrolling a card – Step 10 Authentication Passbook Server Send activation code https://nc-pod2-smp-device.apple.com/broker/v2/devices/ passes/paymentpass.com.apple/<providedURL>/activationCode Provide URL to generated PassKit Pass

  23. Enrolling a card – Step 11 Authentication Passbook Server Retreive the generated PassKit pass https://nc-pod2-smp-device.apple.com/broker/v2/devices/ passes/paymentpass.com.apple/<providedURL>/ Zipped package containing: Images, JSON containing pass details and the signature

  24. Enrolling a card – Step 12 passd Authentication Server Register device PAN with VISA https://vntnotificationservice.visa.com/TxnHist/1/1/devices/ <something>/registrations/dpan/<generated DPAN> Authentication token

  25. Enrolling a card – Step 13 Authentication Passbook Server Get transactions from VISA https://vntnotificationservice.visa.com/TxnHist/1/1/devices/ <something>/dpan/<generated DPAN>/transactions HTTP Code 304 – no content

  26. Using a card

  27. Remote Wiping of a Card

  28. What is right  Secure element provides a highly limited attack surface. – all sensitive information is loaded encrypted  Tokenization means that your personal account number is not stored or used by the device (I haven’t found anything but a sanitized version)  Issuer of the card can deactivate the token remotely (has happened to me twice so far)  Applications which use ApplePay must have the correct entitlements to use it.  You have to authenticate to use ApplePay

  29. Bad verification of the cardholders http://www.nytimes.com/2015/03/17/business/banks-find-fraud-abounds-in-apple-pay.html?_r=0  Verification methods and back end are chosen by the card issuers/bank  In the case of Wells Fargo the verification code can be sent through email, text or call to them.  Banks were skipping verification checks – allowing for the ability to load stolen cards onto devices with minimal verification

  30. Depends on existing contactless standards  Same attacks are possible on ApplePay  This is because it is the issuers that control the transaction – not Apple  And because reasons it has to support these broken modes  US market is still heavily invested in MagStripe – and this means broken contactless modes as  Proper EMV rollout in the US is not going as quick as thought (In a month there in 2015 I they my EMV chip two times …)  See my talk from last year (Crash & Pay)

  31. Cloning Demo!

  32. Transactions are logged and stored unencrypted • Located in /var/mobile/Library/passes/passes23.sqlite • Contains amounts, (accurate) locations, merchant location etc • Make sure you remote wipe your ApplePay device if lost!

  33. SQL Dump Demo

Recommend

Join us Saturday, August 4 th , from 8-11 am to learn more about STEM while having fun too! There

Join us Saturday, August 4 th , from 8-11 am to learn more about STEM while having fun too! There

This Photo by Unknown Author is licensed under CC BY-SA Join us Saturday, August 4 th , from 8-11 am to learn more about STEM while having fun too! There will be an introducHon with a few guest speakers while the girls get to enjoy some yummy

118 views • 10 slides
Juice with different flavors ( Apple , Guava, Mango and Cocktail ) And other flavors are

Juice with different flavors ( Apple , Guava, Mango and Cocktail ) And other flavors are

Juice with different flavors ( Apple , Guava, Mango and Cocktail ) And other flavors are available upon request Fruit Concentration : 25% Fruit Concentrate 50% Fruit Concentrate Percentage of 12 x 200ml 12 x 250 ml 12 x 300 ml 6 x 1 Liter

367 views • 4 slides
Review of Canadian Apple Market &amp; Trends 2015 Mid-Summer Meeting- Canadian Apple Industry

Review of Canadian Apple Market &amp; Trends 2015 Mid-Summer Meeting- Canadian Apple Industry

Review of Canadian Apple Market &amp; Trends 2015 Mid-Summer Meeting- Canadian Apple Industry Wolfville, NS August 4 th , 2015 Farid Makki Sector Development &amp; Analysis Directorate Agriculture and Agri-Food Canada Significance of Apple

645 views • 28 slides
www.fruitflyhotel.com www.pcm-global.com EVER HAD: Pesky Fruit Fly insurgence around your

www.fruitflyhotel.com www.pcm-global.com EVER HAD: Pesky Fruit Fly insurgence around your

www.fruitflyhotel.com www.pcm-global.com EVER HAD: Pesky Fruit Fly insurgence around your household Unwanted Fruit Fly guests at social gatherings Fruit Flies endlessly diving into your wine glass Fruit Flies feasting on your fruit, vegetables

332 views • 18 slides
Corporate Campaign Presentation By : Blaise Meyer, Ryan Garn, and Emily Gong History of Apple Inc.

Corporate Campaign Presentation By : Blaise Meyer, Ryan Garn, and Emily Gong History of Apple Inc.

Corporate Campaign Presentation By : Blaise Meyer, Ryan Garn, and Emily Gong History of Apple Inc. Apple Inc. Apples Involvement In Music Situational Analysis SWOT Analysis Of Apple Music Strengths Weakness Cross-platform compatibility

349 views • 34 slides
Ronald Wayne, The Third Founder of Apple Drew first Apple logo Wrote the Apple I manual

Ronald Wayne, The Third Founder of Apple Drew first Apple logo Wrote the Apple I manual

Ronald Wayne, The Third Founder of Apple Drew first Apple logo Wrote the Apple I manual Sold 10% of Apple for $2300 because of concern over a legal risk that could easily have been resolved Sells stamps from his home

702 views • 20 slides
Marketing Strategy of Apple Published by : www.studymarketing.org 1 Introducing Apple Steve

Marketing Strategy of Apple Published by : www.studymarketing.org 1 Introducing Apple Steve

Marketing Strategy of Apple Published by : www.studymarketing.org 1 Introducing Apple Steve Jobs is the brain behind the very famous and very Popular Apple Company. Apple creates and designs desktop computers, Mac laptops, iTunes, iPods, the

833 views • 48 slides
Menu Day Week 1 Week 2 Week 3 Week 4 Monday +Pork and Apple Casserole or +Meat Loaf or Lamb

Menu Day Week 1 Week 2 Week 3 Week 4 Monday +Pork and Apple Casserole or +Meat Loaf or Lamb

Menu Day Week 1 Week 2 Week 3 Week 4 Monday +Pork and Apple Casserole or +Meat Loaf or Lamb Steaklet +Savoury Flan with Salad +Grilled sausage and Lamb Steak and Kidney Pie +Rice Pudding or or Roast Pork casserole +Jelly of Chocolate

548 views • 3 slides
What is single-cell RNA-Seq, and why is it useful? S IN GLE-CELL RN A-S EQ W ORK F LOW S IN R

What is single-cell RNA-Seq, and why is it useful? S IN GLE-CELL RN A-S EQ W ORK F LOW S IN R

What is single-cell RNA-Seq, and why is it useful? S IN GLE-CELL RN A-S EQ W ORK F LOW S IN R Fanny Perraudeau Senior Data Scientist, Whole Biome Milkshake or fruit salad?. SINGLE-CELL RNA-SEQ WORKFLOWS IN R scRNA-Seq could revolutionize

676 views • 25 slides
Apple LLVM GPU Compiler: Embedded Dragons Charu Chandrasekaran, Apple Marcello Maggioni, Apple

Apple LLVM GPU Compiler: Embedded Dragons Charu Chandrasekaran, Apple Marcello Maggioni, Apple

Apple LLVM GPU Compiler: Embedded Dragons Charu Chandrasekaran, Apple Marcello Maggioni, Apple 1 Agenda How Apple uses LLVM to build a GPU Compiler Factors that affect GPU performance The Apple GPU compiler Pipeline passes

1.1k views • 71 slides
Not Your Mamas Mediterranean Meal Theme Meal by Patricia, Madeline, Irene, Christina, and

Not Your Mamas Mediterranean Meal Theme Meal by Patricia, Madeline, Irene, Christina, and

Not Your Mamas Mediterranean Meal Theme Meal by Patricia, Madeline, Irene, Christina, and Micaela The Menu SALAD STARCH Quinoa Tabbouleh Salad Lemon Herb Potatoes Chopped Kale Greek Salad Greek Rice SOUP VEGETABLE Chicken &amp; Shrimp

383 views • 23 slides
Faster, Stronger C++ Analysis with the Clang Static Analyzer George Karpenkov, Apple Artem

Faster, Stronger C++ Analysis with the Clang Static Analyzer George Karpenkov, Apple Artem

Faster, Stronger C++ Analysis with the Clang Static Analyzer George Karpenkov, Apple Artem Dergachev, Apple Agenda Introduction to Clang Static Analyzer Using coverage-based iteration order Improved C++ constructor and destructor

789 views • 40 slides
APPLE TV FOR THE CLASSROOM Leslie Markley UNM Language Learning Center WHAT IS AN APPLE TV?

APPLE TV FOR THE CLASSROOM Leslie Markley UNM Language Learning Center WHAT IS AN APPLE TV?

APPLE TV FOR THE CLASSROOM Leslie Markley UNM Language Learning Center WHAT IS AN APPLE TV? Small, portable box that can be connected to the instructor station. Used to project any Apple device: phone, laptop, iPad, etc. HOW DO YOU

495 views • 11 slides
Apple File System Slack Analysis and Detection of Hidden Data Axel Koolhaas Woudt van

Apple File System Slack Analysis and Detection of Hidden Data Axel Koolhaas Woudt van

Apple File System Slack Analysis and Detection of Hidden Data Axel Koolhaas Woudt van Steenbergen Introduction to Apple File System (APFS) 2016 Filesystem released, replacing HFS+ 2017 K. H. Hansen &amp; F. Toolan: Decoding the APFS

625 views • 24 slides
mission on. our our fruit fruit farm farm program. program. we invite media, customers and

mission on. our our fruit fruit farm farm program. program. we invite media, customers and

fruit on a a mission on. our our fruit fruit farm farm program. program. we invite media, customers and influencers in the public sphere to join us on fruit farm trip. we do this to tell our story and communicate our belief in trade not

130 views • 12 slides
Compiler-assisted Performance Analysis Adam Nemet Apple anemet@apple.com Hotspot User

Compiler-assisted Performance Analysis Adam Nemet Apple anemet@apple.com Hotspot User

Compiler-assisted Performance Analysis Adam Nemet Apple anemet@apple.com Hotspot User Bottleneck Compiler Optimization X, Y 2 Hotspot Hotspot Legality User Compiler Bottleneck Cost Model Compiler Optimization Some Optimizations?

1.19k views • 90 slides
B L A S T B L A S T - A spontaneous event finder MySQL Apple Core Location framework Apple

B L A S T B L A S T - A spontaneous event finder MySQL Apple Core Location framework Apple

GRACE QIU (GRACEQIU) CARSON GULLEDGE (CGULL) B L A S T B L A S T - A spontaneous event finder MySQL Apple Core Location framework Apple Maps API Apple Push Notification Service Facebook SDK

477 views • 3 slides
MANAGING SOIL MICROBIAL COMMUNITIES TO ENHANCE GROWTH OF APPLE IN REPLANT SOILS Mark Mazzola * ,

MANAGING SOIL MICROBIAL COMMUNITIES TO ENHANCE GROWTH OF APPLE IN REPLANT SOILS Mark Mazzola * ,

MANAGING SOIL MICROBIAL COMMUNITIES TO ENHANCE GROWTH OF APPLE IN REPLANT SOILS Mark Mazzola * , USDA-ARS, Tree Fruit Research Laboratory, 1104 N. Western Avenue, Wenatchee, WA 98801 Typically, there are few biological impediments to the growth

162 views • 4 slides
Apple on Health I believe, if you zoom out into the future, and you look back, and you ask the

Apple on Health I believe, if you zoom out into the future, and you look back, and you ask the

Apple on Health I believe, if you zoom out into the future, and you look back, and you ask the question, 'What was Apple's greatest contribution to mankind?', it will be about health. --Tim Cook (Apple CEO) Every day I come into Apple,

501 views • 30 slides
BAKERY RANGE Bakery/Industry Standard Range Frutta fruit fillings Fruit filling

BAKERY RANGE Bakery/Industry Standard Range Frutta fruit fillings Fruit filling

BAKERY RANGE Bakery/Industry Standard Range Frutta fruit fillings Fruit filling stirred Base for fruit Fruit fillings for long-life with pieces Bakeproof jams strained for doughnuts 13,3 kg creames 4,5 kg bakery prod.

377 views • 11 slides
Apple@30 1976-Apple in the Garage At the VCF 9.0 Brought to you by the DigiBarn Computer

Apple@30 1976-Apple in the Garage At the VCF 9.0 Brought to you by the DigiBarn Computer

Apple@30 1976-Apple in the Garage At the VCF 9.0 Brought to you by the DigiBarn Computer Museum the Vintage Computer Festival the Computer History Museum and a special group of Apple 76ers Want to cook up an industry? Its easy! Just

398 views • 17 slides
Genetic dissection of grape berry ripening and composition Sara Zenoni Fruit ripening Fruit is

Genetic dissection of grape berry ripening and composition Sara Zenoni Fruit ripening Fruit is

Genetic dissection of grape berry ripening and composition Sara Zenoni Fruit ripening Fruit is the organ specialized for seed dispersal and the transition from unripe to ripe fruit represents a crucial survival strategy irreversible phenomenon

531 views • 51 slides
PITAYA &amp; PITAHAYA ( DRAGON FRUIT ) THE LEGEND OF THE DRAGON FRUIT (The sensation surrounding

PITAYA &amp; PITAHAYA ( DRAGON FRUIT ) THE LEGEND OF THE DRAGON FRUIT (The sensation surrounding

PITAYA &amp; PITAHAYA ( DRAGON FRUIT ) THE LEGEND OF THE DRAGON FRUIT (The sensation surrounding this fabulous fruit can be attributed to a legend created by ingenious Asian marketers.) According to the legend The fruit was created thousands

486 views • 29 slides
11/13/17 Crucified Peoples Strange Fruit Southern trees bear a strange fruit Blood on the

11/13/17 Crucified Peoples Strange Fruit Southern trees bear a strange fruit Blood on the

11/13/17 Crucified Peoples Strange Fruit Southern trees bear a strange fruit Blood on the leaves, blood at the root Black bodies swinging in the Southern breeze Strange fruit hanging from the poplar trees Pastoral scene of the gallant South

368 views • 3 slides

More recommend