RFID & NFC. Erik Poll. Digital Security Radboud University Nijmegen

Transcription

1 RFID & NFC Erik Poll Digital Security Radboud University Nijmegen 1

2 RFID tags RFID = Radio-Frequency IDentification RFID devices are called tags or transponders More powerful RFID tags also called contactless smartcards Inductive coupling is used for energy transfer to card transmission of clock signal data transfer simple tags are only support data transfer in one direction, from the tag to reader 2

3 Many kinds of RFID tags Animal identification RFID tags (ISO 11784, 11785) only transmit fixed id code Advanced transponders (ISO 14223) have more data and support writing & write-protection compatible with ISO Contactless smartcards close coupling: a few mm (ISO 10536) proximity: less than 10 cm (ISO 14443) vicinity: more than 10 cm (ISO 15693) Many of these tags are not very smart: memory cards instead of microprocessor cards 3

4 Many kinds of RFID tags Anti-theft systems (VDI 4470) only one bit of information Item management (ISO others) essentially RFID bar codes GTAG (Global Tag), joined effort of EAN (European Article Numbering Association) and UCC (Universal Code Council) Container identification (ISO 10374) active battery-operated transponder 4

5 ISO aka proximity tags Used in passports and many ID cards (incl. Dutch ID) contactless bank card many public transport cards Two types, A and B, with different RF modulation readers typically support both versions There are closely related industry standards: Mifare (similar to A), Calypso (similar to B), and Felica 5

6 read-only stupid memory tags ie tag just shouts its serial number communication one way only writable, no write-protection 1 byte to 64 Kbyte, in fixed blocks, eg 16 bit, 4 byte,.. no protection on writing writable, some write-protection password/key or more complicated authentication procedure possible offering segmented memory each memory segment with its own key important standard: MIFARE (Classic) others: DESfire, Calypso, ATMEL CryptoMemory, Legic, 6

7 smart microprocessor tags like normal smartcard, ie smart, but (also) wireless but with a lot less power ISO mw GSM mw ISO mw Hence: reduced resources for crypto & countermeasures Also: interaction time should ideally be very short (to prevent card tears, when card is moved away from reader) 7

8 Dual contact cards Dual contact cards have both contact and contactless interfaces eg your bank card Cards can expose different functionality via contact and contactless interface. Why would you want this? For security! Some early dual contact bank cards in UK & NL were misconfigured, to allow VERIFY PIN command not only over the contact interface, but also over the contactless interface 8

9 pros & cons of contact vs contactless? pros contactless ease of use no wear & tear of contacts on card and terminal less maintenance less susceptible to vandalism cons contactless easier to eavesdrop on communication? terminal communication easier to eavesdrop than tag communication communication possible without owner's consent for replay or relay man-in-the-middle attacks cheap tags have limited capabilities to provide security (eg amount of data, access control model, crypto) 9

10 passive vs active attacks on RFID passive attacks eavesdropping on communication between passport & reader possible from many meters if card is held to regular reader 18 meter reported by Engelhardt et al. active attacks unauthorised access to tag without owner's knowledge possible up to 50 cm activating RFID tag requires powerful field! aka virtual pickpocketing variant: relay attack [Engelhardt et al., Extending ISO/IEC Type A eavesdropping range using higher harmonics. In: SmartSysTech 2013] 10

11 Antenne for max. activation distance ISO14443 card can be used at 50 cm max, but width of gate at 80 cm works better. [Rene Habraken et al., An RFID Skimming Gate Using Higher Harmonics, RFIDSec 2015] 11

12 Anti-collision Additional complexity of contactless cards: several cards may be activated by reader anti-collision protocol needed for terminal to select one card to talk to: 1. tags report some number when actived 2. terminal chooses which number to talk to Note: this can be a privacy risk! most tags send out fixed number only few tags (eg most passports) report a random one You can check this using an NFC app on your smartphone. 12

13 NFC 13

14 NFC = Near Field Communication Implemented in mobile phones Compatible with ISO Phone can act as 1. reader (active mode) with an ISO tag 2. tag (passive mode) with an ISO tag 3. in NFC peer mode to talk to other NFC phone

15 Inside an NFC phone baseband processor Host CPU NFC controller, connected to phone s NFC antenna, determines which processor handles or can initiate NFC traffic, for each of the three modes embedded SE SIM NFC Controller Reader 15

16 inside an NFC phone NFC traffic can be handled by a. main processor (running say Android) b. embedded Secure Element (SE) in the phone c. SIM card using one of the unused ISO7816 contacts SIM is also a Secure Element, but removable one These processors offer very different security levels SEs (b&c) have smaller TCB and betterphysical protection Different parties control which software can be installed these processors: telco controls SIM phone manufacturer controls embedded SE less control over main processor, esp. when rooted 16

17 NFC modes & processor Possible combinations of modes & processors: Only main CPU can act as reader & NFC peer mode The SEs can only act in card mode this may even work without the phone s battery On some phones, the main processor can also act as card. This is called Host Card Emulation (HCE) Android has HCE since

18 Difference in solutions for mobile payments ING mobile payment uses HCE so only works with Android 4.4 or newer Rabo mobile payment uses either the phone s SE (only on some Samsung models) or a special KPN SIM, which can connect to the phone s NFC antenna What are the differences wrt security? 18

19 Exit hardware security? NFC payment solution that use HCE no longer involves some smartcard-like secure hardware key material stored in main memory, not on embedded SE or SIM Security risks mitigated using white-box crypto, ie obfuscating key in memory one-shot keys: a key can only be used for one transaction, after which phone requests a new one The online key server will still use secure hardware, but a Hardware Security Module (HSM) rather than a smartcard 19

20 Re-enter hardware security? Phones can provide hardware security for main processor for storage and/or processing Secure Key Storage hardware for storing & using keys eg Android Secure Key Storage but Android still in the TCB for access control to key store TEE (Trusted Execution Environment) hardware support in the main CPU to segregate trusted and untrusted applications TEE can provide a trusted path for I/O to the user, via screen & keyboard/touch screen, unlike a smartcard eg ARM TrustZone which is used by Samsung KNOX Android no longer in the TCB for access control or I/O 20

21 MIFARE Classic & Ultralight 21

22 MIFARE widely used proprietary standard by NXP (formerly Philips) closely related to and basis for - ISO14443 A several versions, incl. MIFARE Ultralight, provides only memory with some write restrictions (locking) MIFARE Classic, also provides authentication and encryption by proprietary CRYPTO-1 algorithm Crypto-1 has been logically reverse-engineered & broken. [Flavio Garcia et al., Dismantling MIFARE Classic, ESORICS 2008] [Carlo Meijer & Roel Verdult, Ciphertext-only Cryptanalysis on Hardened Mifare Classic Cards, CCS 2015] 22

23 or google for MIFARE & youtube 23

24 People still choosing crappy crypto The RFID card used for authentication at a EV (Electric Vehicle) charge points is... a Mifare Classic Worse still, it simply uses the card's UID for identification. There is no authentication with some challenge-response protocol using a crypto key 24

25 Other RFID tags with (broken) propietary crypto Investigated & broken by Radboud cryptanalysis team: Flavio Garcia, Gerhard de Koning Gans, and Roel Verdult ATMEL SecureMemory, CryptoMemory and CryptoRF HID iclass, iclass Elite Hitag2 (used in car keys) Megamos crypto (used in car immobilisers) Moral of the story: don t use proprietary crypto, obviously 25

26 Common weakness, irrespective of crypto used 75% of MIFARE RFID applications use default (transport) keys or keys used in examples in documentation [Lukas Grunwald, DEFCON14, 2007] A0A1A2A3A4A5 is an initial transport key that many tags ship with. Googling for A0A1A2A3A4A5 produces links to documentation with other example keys to try! 26

27 MIFARE Ultralight No keys or crypto to protect memory access Relies on read-only and write once memory for security Memory organised in 16 pages of 4 bytes first part is read-only includes 7 byte serial number second part is One Time Programmable (OTP) you can write 1's, not 0's includes data for locking third part is readable & writable NB security only provided by OTP, by locking pages, and having signed/encrypted data in pages, where crypto is done by terminals, not the tag 27

28 Fundamental weakness No way to protect against spoofing of tags. Ghost device for spoofing RFID signals 28

29 MIFARE Ultralight memory layout read only read/ write Page byte 0 byte 1 byte 2 byte 3 0 sn0 sn1 sn2 checksum 1 sn3 sn4 sn5 sn6 2 checksum??? lock 0 lock1 3 OTP 0 OTP 1 OTP 2 OTP serial no OTP application data

30 MIFARE ultralight memory access control 2 bytes for locking: 12 bits to lock data pages : L i 1 bit to lock OTP area (page 3) : L opt 3 bits to block locking of OTP, pp 4-9 and 10-15: All these bites are OTP BL OTP, BL 4-9, BL L 7 L 6 L 5 L 4 L OTP BL BL 4-9 BL OTP L 15 L 14 L 13 L 12 L 11 L 10 L 9 L 8 30

31 OV card MIFARE Ultralight for disposable tickets lock bytes initially 0x00F0, locking pages data in pages can still be read lock bytes set to 0xF8FF to invalidate card two bytes of the OTP used as counter in unary style, eg means one ride left pages 4-7 and 8-11 used to record last two transactions meaning of certain bits clear 000=purchase, 001=check in, 010=check out, 110=transfer pages used for unknown card-specific data [Source "Security Evaluation of the disposable OV chipkaart", by UvA students Pieter Siekerman and Maurits van der Schee, 2007] 31

32 flaw 1 lock bytes initially 0x00F0, set to 0xF8FF to invalidate tag We can change an invalid tag so that some terminals fail to recognize it as invalid; can you guess the flaw? remaining 3 lock bits can still be set to one, so that lock bytes become 0xFFFF flaw in terminals: tags with lock bytes 0xF8FF are recognized as invalid, but tags with 0xFFFF are not Can you guess the terminal code that causes this? enables easy experiments with "invalid" cards 32

33 flaw 2 on check-in, counter is incremented and transaction info written to pages 4-7 on check-out, transaction info written to pages 9-11 Can you guess how a ticket could be used for multiple checkouts? by rewriting the transaction info (which is not write protected), we can use the same card to check-out again How could you prevent this flaw? 33

34 flaw 3 More serious, and reportedly fixed Attack found purchase single/multiple ride ticket back-up data in page 4-11 (incl. purchase transaction) use card, checking in (which increases the OTP counter) and checking out (which does not) rewrite content of page 4-11, overwriting check-in and check-out transactions with purchase transaction card can now be used again, but OTP counter is not increased: infinite number of free rides Cause?? Counter not checked & increased if purchase transaction is found in memory? Or: counter is not increased but given a fixed value 1 if purchase transaction is found? 34