SLIDE 1
Hacking Cell Phone Embedded Systems
Keegan Ryan, RECON 2017
SLIDE 2
SLIDE 3
The Target
brendangates
SLIDE 4
The Target
Meriac (2010), Churchill
SLIDE 5
Legacy iCLASS
- Introduced in 2007
- Broken in 2010
- Master key on every reader
- Security of card reader broken
- Protocol reverse engineered
- New version of iCLASS released, but many still use Legacy iCLASS
- Uses ISO15693
Meriac (2010), Inside Contactless (2004)
SLIDE 6
Nexus S
- Introduced in 2010
- One of earliest to support NFC, including ISO15693
- Android source code available
- Cheap
SLIDE 7
Nexus S
Diagram (software stack): Android Application / libnfc Library / Kernel Driver / NFC Controller
- Try Android app first
- Transceive raw bytes
- CRC added automatically, but we don't want a CRC
- Not added by libraries
- Not added by kernel
- Must be added by NFC controller chip
SLIDE 8
PN544
- Separate from Nexus S CPU
- Powered by host or external field
- Supports ISO 15693, Mifare, FeliCa
- Supports firmware upgrades
- Uses 80C51MX Processor
NXP (2010), Wharton (1980)
Diagram: DATA | CODE
SLIDE 9
Investigating the PN544
SLIDE 10
Firmware Recovery
- PHDNLD_CMD_READ
- Pull from update file
- Code signing
- Protected with SHA1 and RSA-1024
- Introduced after first devices shipped
- Need a device never updated past Gingerbread
Libnfc-nxp
SLIDE 11
Diagram (memory map): FW_CODE | PATCH_TABLE | PATCH_CODE | EEPROM/CFG
SLIDE 12
Reverse Engineering
There aren’t any. They don’t exist. No help.
- Look for strings.
- Look for CRC constants.
- Look for usage of the XOR instruction.
- Just start reversing until we find something useful.
SLIDE 13
Diagram (memory map): FW_CODE | PATCH_TABLE | PATCH_CODE | EEPROM/CFG
SLIDE 14
Reverse Engineering
- Reverse commonly called functions
- Find switch function
- Find command switching
- Trace known command IDs through code
SLIDE 15
Reverse Engineering
Libnfc-nxp
SLIDE 16
Problem:
Diagram (memory map): FW_CODE | PATCH_TABLE | PATCH_CODE | EEPROM/CFG
SLIDE 17
Problem: Missing Code
Diagram (memory map): ??? | FW_CODE | PATCH_TABLE | PATCH_CODE | EEPROM/CFG
SLIDE 18
Problem: Missing Code
Diagram (memory map): KERNEL_CODE | FW_CODE | PATCH_TABLE | PATCH_CODE | EEPROM/CFG
SLIDE 19
Kernel Recovery
- We understand and can modify FW_CODE
- FW_CODE doesn’t have access to kernel
- We can modify PATCH_CODE
- Don’t know how to trigger PATCH_CODE
- Want to maximize chances of executing our code
SLIDE 20
Kernel Recovery
Diagram: PATCH_CODE
SLIDE 21
Kernel Recovery
Diagram: PATCH_CODE
SLIDE 22
Kernel Recovery
SLIDE 23
Problem: Missing Code
Diagram (memory map): KERNEL_CODE | FW_CODE | PATCH_TABLE | PATCH_CODE | EEPROM/CFG
SLIDE 24
Problem: Missing Code
Diagram (memory map): KERNEL_CODE | FW_CODE | PATCH_TABLE | PATCH_CODE | EEPROM/CFG
SLIDE 25
Kernel Reverse Engineering
Still aren't any. Still don't exist. No help.
- Look for strings.
- Look for CRC constants.
- Look for usage of the XOR instruction.
- CRC creation is done by hardware
- Still not impossible, but we need a new approach
SLIDE 26
Wireless Protocols
SLIDE 27
SDR Setup
Diagram (signal chain): Antenna, Upconverter, Radio, Signal Source
SLIDE 28
SDR Setup
<s> 10 01 10 00 01 00 00 00…
SLIDE 29
Transfer Speed
- ISO15693 has two modes:
  - Slow (1.65 kbps)
  - Fast (26.48 kbps)
- Nexus S uses slow mode
- iCLASS only uses fast mode
Inside Contactless (2004)
SLIDE 30
Problem: Transfer Speed
- Capability probably exists, but is unused.
- Find transmission code
- Loads settings from EEPROM/CFG
- Only uses one set of values
- Swap around values in EEPROM/CFG
- Fast mode!
SLIDE 31
Mifare
Libnfc-nxp
SLIDE 32
Problem: Checksum Generation
Diagram (code flow): Android -> FW_CODE Command Handler -> MIFARE Setup (CRC) / MIFARE Setup (No CRC) / ISO15693 Setup (CRC) -> RF Transmit. Annotations: "Find differences here" (the two MIFARE setups), "Apply difference here" (ISO15693 setup)
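Slides 12, 25 and 32 all turn on the ISO15693 frame CRC that the PN544 appends in hardware. As an added example (not code from the talk or from libnfc-nxp), here is that CRC in Python, so frames captured with the SDR setup can be integrity-checked and the constants involved (polynomial 0x8408, preset 0xFFFF, final one's complement) are visible; the Inventory request bytes used as sample input are constructed.

```python
# ISO/IEC 15693 frame CRC (CRC-16 per ISO/IEC 13239), the checksum the PN544
# adds in hardware. Added example; not code from the talk or from libnfc-nxp.

ISO15693_POLY = 0x8408    # reflected form of the 0x1021 polynomial
ISO15693_PRESET = 0xFFFF  # register preset before the first byte


def iso15693_crc16(data: bytes) -> int:
    """CRC-16 over a frame body: preset 0xFFFF, poly 0x8408, one's complement."""
    crc = ISO15693_PRESET
    for byte in data:
        crc ^= byte
        for _ in range(8):
            # Shift right, folding in the polynomial when the low bit is set.
            crc = (crc >> 1) ^ ISO15693_POLY if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def append_crc(body: bytes) -> bytes:
    """Frame as transmitted: body followed by the CRC, least significant byte first."""
    crc = iso15693_crc16(body)
    return body + bytes([crc & 0xFF, crc >> 8])


def crc_ok(frame: bytes) -> bool:
    """Check a received frame (body + 2 CRC bytes); rejects truncated frames."""
    return len(frame) >= 3 and append_crc(frame[:-2]) == frame


if __name__ == "__main__":
    # Constructed sample: an ISO15693 Inventory request (flags 0x26, command 0x01).
    inventory = append_crc(bytes([0x26, 0x01]))
    print("Inventory request on the air:", inventory.hex(" "))
    print("CRC check:", crc_ok(inventory))
    # A single flipped bit in the body is caught by the CRC.
    corrupted = bytes([inventory[0] ^ 0x01]) + inventory[1:]
    print("Corrupted frame passes:", crc_ok(corrupted))
```

The same routine, run over the patched firmware's CRC-less output, is how one would confirm that the chip is really sending bytes unchanged rather than a frame with a bad checksum.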
SLIDE 33
Patching the Kernel
Diagram (memory map): KERNEL_CODE | FW_CODE | PATCH_TABLE | PATCH_CODE | EEPROM/CFG
SLIDE 34
Exploitation
SLIDE 35
Patching Checksum Generation
Diagram (memory map): KERNEL_CODE | FW_CODE | PATCH_TABLE | PATCH_CODE | EEPROM/CFG
SLIDE 36
SLIDE 37
Putting It All Together
Diagram (memory map): KERNEL_CODE | FW_CODE | PATCH_TABLE | PATCH_CODE | EEPROM/CFG
SLIDE 38
Demo
SLIDE 39
Demo
SLIDE 40
Future Research
What can be done with a hacked NFC controller?
- Surreptitiously read a badge
- Information storage
- Information exfiltration
SLIDE 41
Future Research
- What other embedded systems do we carry everywhere?
- Bluetooth
- USB controller
- Baseband radio
- Camera
- Fingerprint reader
- What could you make these systems do?
SLIDE 42
The End
Keegan Ryan Keegan.Ryan@nccgroup.trust @inf_0_
SLIDE 43
Bypassing Firmware Signing?
    if (*flag == 0xa55a)
        doInsecureDownload();
    else
        doSecureDownload();
SLIDE 44
Bibliography
- Brendangates. "Badge reader." Licensed under a Creative Commons Attribution 2.0 Generic (CC BY-NC-ND 2.0). Accessed 11 June 2017. https://www.flickr.com/photos/brendangates/2384518688.
- Churchill, Sam. "nfc.phone." Licensed under a Creative Commons Attribution 2.0 Generic (CC BY 2.0). Accessed 11 June 2017. https://www.flickr.com/photos/samchurchill/5181496553.
- Inside Contactless. "Datasheet PicoPass 2KS." Technical report (2004).
- Libnfc-nxp Library. Accessed 11 June 2017. https://android.googlesource.com/platform/external/libnfc-nxp.
- Meriac, Milosch. "Heart of darkness - exploring the uncharted backwaters of HID iCLASS (TM) security." In 27th Chaos Communication Congress. 2010.
- NXP. "NXP NFC controller PN544 for mobile phones and portable