Near Field CommunicationsSecurity Concerns and NFCProxy

Shane TurnerMaster of Science in Information Security

68-595 Information Security PracticumLewis UniversityApril 22, 2013

NFC Security - Introduction

Near Field Communication (NFC)• NFC is a short range wireless technology that allows communications to take

place between devices that either touch or are momentarily held close together.

• Frequency 13.56Mhz • Subset of RFID

• Range – usually less than 4cm• Narrow Bandwidth (106 to 424 Kbits/s)• Patented in 1983, ISO 14443 and ISO 7816

• First phone to use NFC – Nokia 6131• Nokia, Sony and Phillips formed the NFC Forum

NFC Security – How is NFC Used ?

Uses for NFC Technology• Digital Wallet (i.e. Google Wallet)

• Expect NFC smartphones to account for about 50 percent of the phone marketplace by 2014 [source: Popular Science]

• Info Tags or Smart Tags• A system called Personal Rosetta Stone that lets cemetery visitors pull information from chip-laden headstones

to read the life stories and obituaries of the deceased [source: Rosetta Stone].

• Movies Posters embedded with NFC chips will be able to link the user to the movie trailer or coupons that could be used at the theater.

• Gentags• Diagnostic skin tags that are affixed directly to the patient. These tags can monitor temperature, glucose levels

or ultraviolet light exposure and then send pertinent health information directly to a smartphone.

NFC Security – How is NFC Used ?

Uses for NFC Technology• NFC in your Car

• Car companies are using NFC technology for proximity sensors that allow you to unlock your car

• Push button start in cars as long as your NFC device is in the car.

• Hotels• NFC chips are embedded into devices that will unlock the door to your hotel room.

• At Work• NFC Devices used as access control devices allowing or disallowing access into secure areas.

NFC Security – How is NFC Used ?

Uses for NFC Technology• Virtual press kits and business cards (http://www.tapmy.biz/)

• Smartphones

• Information points such as posters

• Speakers, Headphones, various music players

• Cameras

• TV

• Appliances

• Computers

• Smart Meters for Utilities Companies

• Digital bubble gum machine

• Heart Monitor

• Wii U

• Public Transportation

NFC Security – Advantages of NFC

What are the Advantages of NFC?• Augmented Shopping Experience• Many Tech Companies are getting on board

• Other companies – McDonalds, Toys-R-Us, CVS, Home Depot, Radio Shack, Office Max, Walgreens, Sports Authority and many other retailers

• Quick and Easy access• Improved Customer Service• Real Time Updates

• Versatility• Safety

NFC Security – Risks

What are the Security Risks of NFC?• Sensitive Financial Data• Data confidentiality

• Eavesdropping

• Data Corruption

• Viruses

• Man-in-the-middle

• Lack of Education• Theft

NFC Security – NFCProxy Demonstration

NFCProxyDemonstration

NFC Security – NFCProxy

What is NFCProxy?• Proof of Concept Tool for Pentesters

• Demonstrates insecurities in near field communication and contactless credit cards.

• Demonstrated by Eddie Lee @ Defcon 20 (Security Researcher @ BlackWing Intelligence)

• Software developed by Igor Miladinovic.• Useful in NFC protocol analysis for further NFC security research. • Project was to create a pentest tool that could analyze RFID protocols and

proxy transactions using Android phones.

• Proxy transactions, Save transactions, Export transactions, PCD relay and Tag relay

NFC Security – NFCProxy Architecture

Architecture

NFCProxy

Normal

List of Acronyms• APDU - Application Protocol Data Unit• NFC – Near Field Communications• PCD - Proximity Coupling Device• POS - Point of Sale

NFC Security – NFCProxy Hardware

NFCProxy Hardware• A Proximity Coupling Device (PCD) such as one made by VivioPay• Two Android smartphones with NFC capabilities. For example; Galaxy S3,

Nexus S or Galaxy Nexus.• A contactless credit card.

NFC Security – NFCProxy Software

NFCProxy Software• NFCProxy which can be found at soundforge.net• CyanogenMod – custom ROM found at cyanogenmod.org

• Must be installed on smartphone used for Proxy Mode

• Android version 2.3 (Gingerbread) or newer running on the smartphones.

NFC Security – NFCProxy Setup

NFCProxy Setup• Must have a Wi-Fi connection to transport data.• Download and install NFCProxy Software to both smartphones.• Configure Wi-Fi Connection between phones.

• Have PCD unit powered on.

NFC Security – NFCProxy - Proxy Mode

Proxy Mode• Set up the smartphone (not running Cyanogen) in Relay mode near the credit

card you want to use for a transaction.• Go to the other smartphone that is running the Cyanogen custom ROM and

ensure NFCProxy is running in Proxy mode.• Relay mode opens up a network socket and waits for a network connection

from the other device running NFCProxy in proxy mode.

• With the Relay Mode smartphone, place it near the contactless credit card until NFCProxy displays the credit card information on the screen.

• Now send the information to the smartphone running in Proxy Mode.• With the smartphone running in Proxy Mode swipe the phone in front of the

PCD and you should hear an alert and see green light upon a successful transaction.

NFC Security – NFCProxy Credit Card Data

Credit Card Data

Credit Card Data Successful Transaction

NFC Security – NFCProxy - Proxy Mode

NFC

NFCWiFi (IP)

Proxy Mode

Set to REPLAY

Mode

Set to PROXY Mode

APDU

APDU

NFC Security – NFCProxy – Relay Mode

Relay Mode• Use smartphone running Cyanogen ROM• Open NFCProxy and set it in Replay mode. • Scan RFID credit card and acquire the information on card.

• Long click on the credit card information on the screen and then select the “REPLAY TAG” option at the top of the phone

• You should then see a letter “T” at the top of the screen.

• Place the smartphone in front of the credit card reader.• Credit Card reader should light up and beep if there is a successful transaction

NFC Security – NFCProxy - Relay Mode

NFC

NFC

RelayMode APDU

APDU

Set toRelay Mode

Walk to PCD

NFC Security – NFCProxy Discussion

Discussion / Lessons Learned• Both phones must be rooted

• Need correct tools to complete this process

• Install correct version Cyanogen Mod• Most current version is now working

• Point of Sale devices like the PCD units are easy to acquire• Able to acquire on EBay (VivioPay 4000 & VivioPay 4500)

• Local Wi-Fi connections easy to set up, long distance connection - some advanced networking skills needed (VPN knowledge)

• Acquiring an RFID credit Card.• Visa - PayPass

• Built in security from credit card companies• Attempts to scan the card out of sequence the card will be deactivated.

NFC Security – Vulnerabilities in Detail

Vulnerabilities • Credit Card skimming using NFCProxy

• Identity Theft

• Financial ruin

• Malware• Know Malware programs

• End of July 2012 – 5,000

• End of September 2012 - 51,500

• End of 2012 - 283,000

• Scanning of malicious NFC tags

• Can transfer your data if compromised

• 25% or 25,000,000 Android Devices are infected

NFC Security – Vulnerabilities in Detail

Vulnerabilities Continued• Google Apps

• 75% of malware-infected apps downloaded from Google Play [McAfee Mobile Security]

• One-in-six chance of downloading a risky app

• ¼ of these apps contain both malware and a suspicious URL capable of • Click fraud

• Phishing schemes

• McAfee Labs - found that 40% of malware misbehaved in a complex way• Hard to detect

• Take advantage of specific technology (NFC)

NFC Security – Mitigating NFC Security Risks

Mitigations • Needs to be a team effort – Proactive not Reactive

• NFC Forum Members

• Consumers

• Application Developers

• Manufactures

• Turn NFC off

• Do not use RFID credit Cards• Virus Protection on Smartphone• Use trusted / certified apps only

NFC Security – Questions

Questions?

NFC Security – Other Resources

Other NFC Resources Worth Mention • NFC Videos

• NFC Proxy Demo - http://www.youtube.com/watch?v=w_vYuLyfw3E

• Defcon 20 video, NFC Hacking: The Easy Way -http://www.youtube.com/watch?v=7ElZBI9PufY

• NFC Proxy – University of Texas at Austin - UT ComSoc -http://www.youtube.com/watch?v=Yjfc60LGjik

• Shmoocon 2012: Credit Card Fraud: The Contactless Generation Application Developers -http://www.youtube.com/watch?v=HRXb-FZ6WFM

• How NFC phones can steal your credit card info -http://www.youtube.com/watch?v=EKks3vfiy6Q

Thank You