NFC Payments: The Art of Relay & Replay Attacks

Transcription

1 NFC Payments: The Art of Relay & Replay Attacks

2 Who am I? Security Co-founder of Women in Tech Fund (WomenInTechFund.org)

3 NFC Technology

4 RFID Spectrum (Radio Frequency Identification) NFC

5 NFC Technology 13.56MHz Passive mode Widely implemented ISO-14443A

6 NFC Technology

7 NFC Transaction (SE) 1/2 Terminal: 00A404000E E E #Select (PPSE)2PAY.SYS.DDF01 Fitbit: 6f5d840e e e a54bbf0c48611a4f07a f2a f a4f07a f2a f e4f09a Terminal: 00A A #Select AID Fitbit: 6f4f8407a a5449f381b9f66049f02069f03069f1a f2a029a039c01 9f37049f4e14bf0c179f4d f f5a a

8 NFC Transaction (SE) 2/2 Terminal: 80A B CAEE #Get processing Fitbit: f b9f2608e631e8efb623e1a49f10201f4a f6c d f9f6e f Terminal: 00B2011C00 #Leer SFI(Short File Identifier) Fitbit: 70375f f0702c0809f f f241d #Payment Account Reference (PAR)

9 EMV Flow Detect Card & Reset Verify Cardholder Process Online/Offline List Applications Processing Restrictions? Card answers processing Select Applications Manage Risk Completed Transaction Get Data Terminal -> Actions Authenticate Data Card -> Actions

10 Tokenization Process

11 Tokenization Process

12 Secure Element(SE) & Host Card Emulation(HCE)

13 SE & HCE Secure Element More than 20 years of development Smart Card Restricted Access Self Encryption Host Card Emulation Limited use keys Tokenization process Cloud cryptogram Transaction risk analysis

14 NFC - Fraud Vector

15 Motivations Low limits/but higher in other countries No additional cardholder verification From banks perspective, fraud considered an accepted risk NFC embedded in many IoT devices

16 Attacks in the Wild

17 Previous Work

18 Replay Attack(MasterCard)

19 Replay Attack(Visa) f f Turn the magstripe bit on (set AIP bytes to 0x0080) f

20 Previous Work DEFCON 20: NFC Hacking: The Easy Way 2 Android phones 1 Special System(Cyanogen) Communicating with WiFi Lag - > depending on network

21 Previous Work DEFCON 25: Man in the NFC 2 Boards(Client & Server) SDR Support Private Prototype Special Design

22 NFC Emulation

23 NFC Emulation + Acr122u (PN532)

24 NFC Emulation

25 NFC Emulation RFIDIOt Library:

26 NFC Emulation

27 Replay Attack

28 NF C Replay Attack Tok en

29 NFCopy Project

30 NFCopy Project

31 NFCopy Project

32 NFCopy Project Raspberry Pi Zero Acr122 USB NFC Reader LiPo 3.7v 500mAh ZERO-LiPO

33 NFCopy Characteristics Portable NFC Reader/Emulator WiFi Connectivity Customizable

34 Replay - Demo

35 Relay Attack APDUer

36 Relay Scenario

37 Relay Attack Inconvenients: Delays and Timeouts FDT = Frame Delay Time FWT = Frame Waiting Time WTX = Frame Waiting Time Extension EMV specifies a limit of 500ms per transaction as a whole. However, a payment terminal is not required to interrupt a transaction if it takes longer.

38

39 Centinelas Project Raspberry Pi ZERO-LiPO Acr122 USB NFC Reader LiPo 3.7v 500mAh ZERO-LiPO CC1101 Transceiver

40 Relay Attack: CC1101 Transceiver Price: $5 Frequencies(MHz): Modulations: GFSK(Default) MSK OOK

41 Relay Attack: CC1101 & Raspberry Pi Dependencies: WiringPi( Library:

42 Relay Attack: CC1101 & Raspberry Pi

43 Preparing a Relay Attack APDUs on Radio

44 Preparing Packet Payloads f f c ba 9f f 4a a f f 6c d f 9f 6e f = Length 200 Chunks <= 60 bytes f f c ba 9f f 4a a0 Payload f Payload f 6c d f 9f 6e 04 Payload f Payload 4

45 Centinelas Characteristics 2 x NFC Readers/Emulators WiFi Connectivity Customizable Cheap SDR Support

46 Relay - Demo

47 Extracting Data from a Chip-And-Pin Card with NFC

48

49

50 Extracting Chip-&-Pin EMV Data with NFC

51 Extracting Chip-&-Pin EMV Data with NFC Raspberry Pi LiPo 3.7v 500mAh USB Smart Card Reader SCR3310V2 ZERO-LiPO CC1101 Transceiver

52 Extracting Chip-&-Pin EMV Data with NFC

53 Extracting EMV Data with NFC Demo

54 Relay for Replay(RFR)

55 NFC Fitbit Ionic Transaction (SE) 1/2 PoS: 00A404000E E E #Select (PPSE)2PAY.SYS.DDF01 Fitbit: 6f5d840e e e a54bbf0c48611a4f07a f2a f a4f07a f2a f e4f09a PoS: 00A A #Select AID Fitbit: 6f4f8407a a5449f381b9f66049f02069f03069f1a f2a029a039c01 9f37049f4e14bf0c179f4d f f5a a

56 NFC Fitbit Ionic Transaction (SE) 2/2 PoS: 80A B CAEE #Get processing Fitbit: f b9f2608e631e8efb623e1a49f10201f4a f6c d f9f6e f PoS: 00B2011C00 #Read SFI(Short File Identifier) file Fitbit: 70375f f0702c0809f f f241d #Payment Account Reference (PAR)

57 Relay for Replay(RFR) Challenge? Saved Cryptogram APDUer Wrong!

58 Relay for Replay(RFR) f3602XXXX9f2608XXXXXXXXXXXXXXXX9F10 201F4A F6C D The ATC and Cryptogram are the only tags that change in each transaction

59 Relay for Replay(RFR) f3602ATC9f2608Cryptogram9F10201F4A F6C D ATC/Cryptogram 20 Bytes Smart Relay: transmitting the new ATC and Cryptogram only

60 Relay for Replay(RFR) Step 1: Sniffed transaction Step 2: Smart Relay ATC/Cryptogram 20 Bytes

61 Saved Transaction - Centinela 1 RFRFITBIT = [ '6F23840E E E A511BF0C0E610C4F07A ', '6F468407A A53B9F381B9F66049F02069F03069F1A F2A029A039C019 F37049F4E14BF0C0D9F4D F5A B ', ' f3602', '9F10201F4A F6C D ', '70375F F0702C0009F F F241D ']

62 First Phase PPSE? Computer 1 AID Challenge? Visa AID? SFI... Challenge? Yes Second Phase Computer 2 Challenge? SE ATC/Cryptogram Check SFI Get Cryptogram & Transmit it No ATC/Cryptogram PoS

63 Relay for Replay(RFR) Demo

64 New Technology

65

66

67

68 Could Affect New Technology??

69 Countermeasures

70 Countermeasures Introduce additional form of cardholder verification to determine proximity to PCD Distance bounding-protocols Timing delay restrictions through existing protocols

71 Distance-Bounding Protocols Terminal Card Transaction Initialization Attacker

72 Conclusions An attacker does not need specialized/sophisticated hardware or software to make fraudulent transactions. A mobile phone can be used as a simple sniffer, but a cheap device can be created to carry out a relay attack that could affect not only payment systems but the new NFC implementations in other areas. If companies keep designing their products without proper protections against relay/replay attacks, new implementations of NFC are likely to be affected for years to come.

73 Credits Adam Laurie Dr. Michael Roland Peter Fillmore Timur Yunusov Leigh-Anne Galloway

74 salmg.net