>> We are talking about NFC, Near Field Communication, and about MIFARE ULTRALIGHT. The system and ULTRALIGHT chips are used for communication. And in our country, they have been used especially for the transportation system like buses, Metro, and in the past there have been people who discovered some hack of the system of the communication between those chips. And so in 2008 the MIFARE Classic, which is a type of chip, Classic; in 2011 two Americans made an exploit to see ULTRALIGHT, which is the one I will be speaking about. In my country, so in Italy, it has been used for transportation systems. So, if you take a bus, you will take a ticket, a multiple ride ticket which has MIFARE inside.
So what is it? RFID chips are designed to work at a target frequency, 13.56 megahertz frequency, and a lot of times as I told you before. There is a MIFARE Classic, ULTRALIGHT, a lot of types. And the ULTRALIGHT is cheap. But it has a problem. It is not ‑‑ it has no hardware encryption. So how did we come to this hack? Well, we started studying NFC chips when from January the local transportation system in Turin updated their stamping machines and so it was possible to use those tickets to ride the bus or Metro or what else. And it had the same vulnerability I was telling you about before. But the point is we didn't know anything about the structure of this ticket. So we tried with that vulnerability but we failed. That was the point, we failed. We tried to ‑‑ and so ‑‑ you know, if you don't know what you are dealing with, it is, let's say it's tricky to solve it. So we decided to study better the kind of technology. In case we discovered that, we tried to make some little experiments and so we decided to stamp one ticket after the other and compare the results. We have an NFC reader and we read the dumps of those tickets. And we were comparing them to find if there were some similarities, something similar to compare it and to find for example how the data is saved on the ticket. So we managed to get empirical results of this. So assume that you know exactly where the last time of the stamp of your ticket is being stored. If you have an NFC phone with an NFC reader and writer, you can actually change the field where the time of your last stamp is stored. And so in this way, you can easily bypass the system of stamping, the stamping machine, you can stamp your ticket by yourself. And this is where we wanted to get. The point we were looking for. The problem is it is not so reliable, the kind of thing, you have a reader and things to deal with. It is not the point. If you want to add something about that ‑‑ the point is that we managed to solve our problem because when we looked more in ‑‑ we paid more attention to how the ticket was made. We came to a solution and we found that the answer to hack the ticket and find a way to make it limited was in the lock bytes. Lock bytes are a sector of the ticket and he will speak about that now.
>> This is the ticket of my city. The 5 rides ticket, so you can stamp it up to five times and then it expires. We will look at the lock bytes, and OTP is the only security function in the ULTRALIGHT tickets. There are four bytes and by default they are all set to zero. When you stamp the ticket, there is an operation to turn one bit to one. So you can't turn it back to zero. That's the only way you can stamp the ticket without any fraud. There are a number of possible rides on each ticket and we'll speak about that later. The data sector. (Applause.)
>> I saw one of your slides coming in, it's not going to be funny. (Laughter) We have decided to brand this ‑‑ spot the fed, this is now shot the n00b.
>> Are you even 18?
>> No, we're not.
>> He's of legal drinking age in Italy. And this stage is actually technically part of Italy. Audience, raise your hand if it's your first DEF CON. You, sir, get up here. On stage somehow. To all the new people at DEF CON. Cheers! Okay. Where was I? Okay. They were strong.
>> The data sector was used in the past attack, the 2011 attack, for rides. But the sector is readable, writable, so you just swipe it and get a new ticket. But in ‑‑ they fixed it, so in Turin it doesn't work any more. So for about just code the time stamp from the machine and reproduce it without touching the OTP sector. So the rides remain the same but we can stamp it ourselves. We're not getting the point because of lack of NFC.
>> We're poor.
>> If you want stamps of our ticket, we'll give you at the Q&A session. No problem. These are some empirical results, we can speak more later. Doesn't matter. Okay, lock sector, this is the most important part of our talk. This is the point we found the solution. There are two bytes. First is red and second is orange. Okay, each bit of the bytes can lock a sector and make it read only. So what we did is just lock the bit, or lock bit sector, that made read only the OTP data. The machine tries to do it but it is read only and it cannot. When we first made our test on the road, we found a little problem because it's not good to buy your 5 rides ticket and then always have 5 rides when they test it.
>> You forgot to take one of the rides. And so it was ‑‑
>> Not good.
>> What are you going to say to the man who is going to check your ticket?
>> Okay. How to fix it. The lock attack is quite easy to be fixed. Because you just need to check if the OTP bits are read only or not. And if it's read only, refuse to validate. But the main problem is the time attack ‑‑
>> Yeah, the point is there are two vulnerabilities we found but we exploited just one because of lack of time and hardware, as he explained before. The time vulnerability is easy to exploit if we can actually decode the data. And what if ‑‑ if you know exactly how the data was encoded and where it is exactly located inside your ticket, it will be really easy to exploit this because if you have an NFC reader, writer, you can write the data each time you want. You can put your ticket on your NFC phone and just stamp the actual data, so the actual time, if it is 5:15 then the ‑‑ you put your ticket over your phone and then you can write 5:15 each time you want. So you can bypass the validating system so you can still have four rides left and you're just adjusting the time. And that will be really hard to be fixed. Because all the data written inside the ticket is not encrypted, hardware speaking, so, if you're able to decode this, it will be hard to fix it, while the lock attack, so the exploit he was thinking about, will be easy to be fixed because if the stamp machine checks if the lock bit is on or off, and then with feedback way, that stamp machine can immediately know if your ticket is fake or not. So now we are going to study more about those kinds of tickets and try to decode the data, and if you'd like to help us, we are open minded, we will give you the dumps and any help will be developed very well. That is the point. So we also thought about a solution for the time attack but it should require fine upgrade that enabled software encryption on the ticket because if you encrypt the ticket, you can't just time stamp your ticket with your phone. But we spoke of that with our transport company and they say yeah, yeah, and never did anything. We're still waiting that our vulnerability is fixed on the ground, we don't really know about that. Okay. We are working on a tool that should do everything automatically. And actually, it is written in Python and works on a Linux computer. You need ‑‑ NFC, that is the tool we used for encoding and writing the tickets. It is a reader you can find anywhere cheap for $10 on eBay or something like that and get free rides for your life. (Laughter)
We started selling these. We're open for donation of the set ‑‑ but we have lack of money. So I think that's it. If you have questions about how we got into it ‑‑ but I think I don't know if you got the meaning of what we're speaking about. You know, it is a little difficult to speak in another language when you're outside and ‑‑ but we tried. And I think it has been a very good experience, I think, I hope you enjoyed this talk and I hope ‑‑ well, you got the clue for us, it was a very big not surprise but we were happy to find something about this and to have been accepted here to explain to you what we found.
>> If you want to test the vulnerability on your city, we're glad to receive feedback and also invitations for lunch, dinner, coffee, everything. (Laughter)
(Applause)
>> I think speaking about things wouldn't be so appreciated by you. I don't know if you will appreciate to speak about the very detail of it. If you want, in the Q&A, you can ask for further information and details about those tickets. So do you have any questions? Or?
>> AUDIENCE: How did you find out what technology your mass transit system was using?
>> Yeah, the advertising on the Web site. (Laughter)
>> Google.
>> AUDIENCE: That's convenient. There's a similar system in use in the Bay Area. I'm interested in what you were talking about with the time stamp because the San Francisco system, the way it works is you swipe to get on the bus the first time and you have 90 minutes to be able to ‑‑
>> Like in Turin.
>> AUDIENCE: So you have the same system there. So it just amounts to changing the time stamp on that and you change it to now and you get 90 minutes from now to be able to ride and you can do that. That's your free for life system. Is that correct?
>> Yeah, there's the work in progress because ‑‑ just a second. Okay. If you're ‑‑ see, we are just guessing where the real time stamp is stored because we didn't have an NFC phone. So going on the train with a computer, five tickets and then an ‑‑ this, it's not so good. But --
>> There's nothing suspicious about that at all. It happens all the time. In San Francisco anyway, you see that stuff all the time.
>> Okay. So, if you have an invitation for San Francisco.
>> AUDIENCE: Love to have you.
>> We sent a mail to the company explaining that we found this vulnerability.
>> Yesterday. (Laughter) (Applause)
>> They are not geeks so they can't reply very fast. So we're waiting now for a reply. No. We are publishing a white paper about that and we sent it to them. But I hope they won't fix on this. Because I take some ground very often. If you want to read our white paper, it will be available. We will share it with you.
>> Very badly written but it works. Anyone else? No invitation? (Laughter) Thank you.
>> Thank you very much.
>> There is information. If you won't send us an invitation after the talk because our talk ‑‑ I don't know. My Twitter is @bughardy. This is his.
>> If you want to find us on Twitter, just ‑‑ thank you very much.
>> If you have a question, just raise your hand. Don't come here so everyone can --
>> So I totally missed your talk, you ended earlier. We've got another 20 minutes so we're going to do Q&A. I missed the talk so I don't have any questions but I hear it has to do with NFC technology. You? Maybe? It's okay. So what's your talk about? Again, okay.
>> It was about NFC.
>> Use the microphone.
>> Sorry.
>> We have another drink. Another drink.
>> Yes! Yes. This is your first DEF CON, isn't it?
>> Yes! So, if you do have any questions, you can feel free to come in and get in line here because I didn't see the talk.
>> Okay. So we are waiting for some questions if you have. We just ran a little bit with our talk. Okay. I can see we spent 32 minutes. Yahoo.
>> So we've made this mistake before. We'd like to apologize. What the picture says is not what it represented. So yes, you actually have an hour. Bonus.
>> So we're going on and let's say there is a question here.
>> You said OTP but I don't know what ‑‑
>> One time programmable.
>> Could you get a little bit deeper into that?
>> Yeah, an explanation, of course. The OTP section is made up ‑‑ is composed of 4 bytes. And each one of those is ‑‑ when the ticket is new, brand‑new, they are all set to zero, all the bits are set to zero. So when you stamp your ticket, the validator machine checks how many zeroes are in your OTP or in the target section of the OTP.
>> Did you say you need another drink?
>> Yeah, of course, we need it. So the stamp machine checks how many zeroes are left and then the stamp machine knows how many tickets are left in your multiple ride ticket. When you stamp your ticket the machine turns the bits from zero to 1. This operation is irreversible. So you can't turn them back to zero again. Because actually, when you attempt to write something on the OTP section, you are ORing all the bits, bitwise OR, with the old ones. So you know that an OR operation will not give you back a zero if one of the two ‑‑
>> You want another drink. Here you go.
>> If one of the two bits is set to 1, it is impossible to get back to zero.
>> Is he still talking?
>> 3, 2, 1, go! (Applause)
>> Okay. So when all the bits, when all the bits are turned to 1, the stamp machine is aware that your ticket has run out of rides. And so the stamp machine says your ticket is empty now. So our vulnerability exploits the system because if you freeze the actual number of rides left, the machine cannot turn those bits from 0 to 1, locking forever the status of your rides left. So, if you can make this section read only, the machine won't be able any more to turn those to one. And so you have ‑‑ none, three rides, four rides, locked forever. So your ticket will be four rides and no one will change it ‑‑ the number of rides left. And that is the point. That is --
>> So, if you lock the card like that, what effect does that have then on the time stamp? If you verified your card, will it not have a time stamp from the first time you used it?
>> Can you repeat the question?
>> Sure, you have two attacks, right? Your attack is locking the card so you can't remove rides from it and the other is modifying the time of the ‑‑ but, if you lock the card, does it not lock the time?
>> No.
>> It doesn't lock the time?
>> No, because the time stamp is stored in the data sector. The rides are stored in the OTP sector. So we can lock only the OTP sector and leave the data sector readable and writable.
>> You said that you used C and C++ to write the code and I'd like to know which library did you use.
>> Actually, it's written in Python. We plan to port it to C. In Python we're using a standard tool called NFC tool, which is open source, you can find it on Google Code or on ‑‑ but remember you can compile it for Linux and totally free. For C and C++, there is a C that is also open source, we'll use it when ‑‑ in the few weeks, I hope to have a new tool.
>> Okay. Could you ‑‑ could you tell me a good book for studying the protocol and NFC protocol, or you don't know?
>> Well, I don't know.
>> Okay, just research on the Internet. Okay.
>> They look at the first vulnerability of 2011 and then we do empirical results and we start to study on the vertical tool. So we didn't have a book, just Google. Okay, nice. Next? Any other questions? Maybe there. No question.
>> The proximal, we plan to use it for attack because if we can't decode the data because it's somewhere encrypted, software encrypted, we can still sniff the data because the communication is totally clear. And the stamp using the ‑‑ so we stamp only the data sector without the OTP sector and so also, if you encrypt the data sector we can have free rides. So yes, the ULTRALIGHT is totally broken. Turin, Italy. You want to come and have a visit of Turin, we offer free bus rides. Cheap 1 with the bus. I think Bologna but I'm not sure. And I think Milan is going to upgrade the system to NFC but at the moment I only know of Turin and Bologna.
>> The point is that the ‑‑ I'm sorry. The question? The point is the transportation system is using the MIFARE ULTRALIGHT because it is cheaper than other NFC chips. It is cheaper because it is hardware encrypted and that's the problem of the NFC MIFARE ULTRALIGHT. But the corporation systems do not realize that and they're still using those chips even if they are cheaper. So that's the point. Any other questions? An card is a different type of NFC chip, they're MIFARE Classic. They were broken like six years ago. They are less fun. Anyone else?
>> If you want some stamps, we're just outside. We can give them. Thank you very much, once again. And I hope you enjoyed this talk. And okay. You made us happy to explain to you all those things. And I think it was a very good experience. So thank you once again.
>> Okay. Yeah. The next speaker, I'm going to go grab him. If you're here for what you thought was a 30 minute talk, it is actually an hour. If you read your pamphlet there, you'll see in the bottom in parens that the other starts at 1600. So ‑‑ so ‑‑ excuse me for a second. There we go. That's better. So let me go get him and we'll get him started up for you. And we'll get him settled in and then get it going. Okay.