yummy yummy fruit salad an analysis of apple pay
play

YUMMY YUMMY FRUIT SALAD: AN ANALYSIS OF APPLE PAY Image stolen - PowerPoint PPT Presentation

Oct 12, 2023 •225 likes •637 views

YUMMY YUMMY FRUIT SALAD: AN ANALYSIS OF APPLE PAY Image stolen from: https://scratch.mit.edu/projects/10813101/ $whoami Principle Consultant @ Payment Security Consulting Usually do PCI based work (hey, its a living) Enjoy

  1. YUMMY YUMMY FRUIT SALAD: AN ANALYSIS OF APPLE PAY Image stolen from: https://scratch.mit.edu/projects/10813101/

  2. $whoami  Principle Consultant @ Payment Security Consulting  Usually do PCI based work (hey, it’s a living)  Enjoy hardware stuff  Also enjoy poking at iOS applications  Did a silly badge this year for the Hardware Hacking Village – hope you got one!  Trying to encourage more people to break stuff.  See https://www.github.com/peterfillmore for some (badly) written code.

  3. Agenda  What is ApplePay exactly  Apple Pay Architecture  XPC – How the components communicate  Registering a card  Using a card  Remote wiping of cards  Issues  Tools developed and used  References

  4. ApplePay  Another in the long running examples of Apple “inventing” something  Nothing but a lot of existing technologies bolted together with a fancy façade!  Publicly available information is scant – people who work with the stuff are NDA’d heavily   Good thing I blew a grand on an iPhone 6

  5. ApplePay consists of (iPhone 6): AMS AS3923 Power Booster NXP 65v10 Secure PN548 Element

  6. Secure Element http://www.chipworks.com/about- chipworks/overview/blog/inside-the-iphone-6-and-iphone-6-plus

  7. Software Hardware Applications Frameworks Daemons Drivers nfcd PN548 Drivers Nearfield. Passkit PN548_HAL. framework dylib seld PN548_API. dylib PN548. Passkit. dylib passd PasskitUI Framework

  8. XPC Mach XPC Decode System Application Message Service and Call Resource  The primary method of inter-process communication in iOS  Client/Server Model  Designed to provide stability and privilege separation  Passes serialized messages via a MACH message call

  9. XPC Services used by ApplePay passd nfcd { … Label = "com.apple.nfcd"; { … MachServices = EnableTransactions = 1; { "com.apple.nfcd" = 1;}; Label = "com.apple.passd"; ProcessType = Interactive; …. Program = "/usr/libexec/nfcd"; MachServices = { UserName = mobile;} "com.apple.passd.aps" = 1; "com.apple.passd.bulletins" = 1; seld "com.apple.passd.in-app-payment" = 1; "com.apple.passd.library" = 1; "com.apple.passd.payment" = 1; }; {…Label = "com.apple.seld"; POSIXSpawnType = Adaptive; MachServices = { ProgramArguments = ( "com.apple.seld" = 1; "/System/Library/Frameworks/PassKit.frame "com.apple.seld.aps" = 1; }; work/passd" ); Program = "/usr/libexec/seld"; ThrottleInterval = 0; RunAtLoad = 1; UserName = mobile;} UserName = mobile;}

  10. Client Must have the correct entitlements to use an XPC Service NFCD SELD  com.apple.nfcd.se  com.apple.seld.debug  com.apple.nfcd.debug  com.apple.seld.cm  com.apple.nfcd.info

  11. Example calling an XPC Service Create Connection xpc_connection_t connection = xpc_connection_create_mach_service("com.apple.nfcd", NULL, 0); Set Handler xpc_connection_set_event_handler(connection, ^(xpc_object_t object) { Create XPC Object xpc_object_t msgobject = xpc_dictionary_create(NULL,NULL,0); xpc_object_t object = xpc_dictionary_create(NULL, NULL, 0); xpc_dictionary_set_int64(msgobject, "Controller", 6); Send object and get result xpc_object_t reply = xpc_connection_send_message_with_reply_sync(connection, object);

  12. XPC Sum-up  Calling applications must have appropriate entitlements to use an XPC service.  XPC services run under a nominated account (“mobile” in the case of NFC components)  Harder to exploit from userland. Better people then I have looked at this stuff: References:  Ian Beer - http://googleprojectzero.blogspot.com.au/2015/ 09/revisiting-apple-ipc-1-distributed_28.html

  13. Enrolling a card – Step 1 Authentication Passbook Server Send “card to authorise” details to apple Uses Secure Element Identifier and AppleToken for authentication https://nc-pod2-smp-device.apple.com/broker/v2/devices/<seID>/cards JSON of AID, card identifier, sanitized PAN and URL for the terms and conditions

  14. Enrolling a card – Step 2 Authentication Passbook Server Retrieve “Terms and Conditions” from provided URL https://nc-pod2-smp-device.apple.com/broker/v1/assets/<t&c version> XML of terms and conditions

  15. Enrolling a card – Step 3 Authentication Passbook Server Send authorization details: CVV2, Device Name, Location, Phone Number https://nc-pod2-smp-device.apple.com/broker/v2/devices/ <seID>/cards/<identifier>/enable URL of generated pass

  16. Enrolling a card – Step 4 Authentication Passbook Server Retreive the generated PassKit pass https://nc-pod2-smp-device.apple.com/broker/v1/passes/ paymentpass.com.apple/<generateURL> Zipped package containing: Images, JSON containing pass details and the signature

  17. Enrolling a card – Step 5 Authentication securityd Server Verify certificates using OCSP http://ocsp.apple.com/ocsp03-wwdr02/<hash of cert> OCSP response (check with openssl: Openssl ocsp – respin <response> -text

  18. Enrolling a card – Step 6 Authentication seld Server Retrieve commands to run on the Secure Element, contains certificates, supported cards and secure element Id. http://nc-pod2-smp-device.apple.com/tsm/ <seId>/get_pending_commands List of EMV commands to execute on the secure element.

  19. Enrolling a card – Step 7 Authentication Passbook Server Retrieve a list of the authentication methods supported https://nc-pod2-smp-device.apple.com/broker/v2/devices/ passes/paymentpass.com.apple/<providedURL>/activationMethods JSON of authentication method data. e.g email, SMS or phone call

  20. Enrolling a card – Step 8 Authentication Passbook Server Send selected method identifer https://nc-pod2-smp-device.apple.com/broker/v2/devices/ passes/paymentpass.com.apple/<providedURL>/sendActivationMethod Confirm Response

  21. Enrolling a card – Step 9 seld Authentication Server Send results of EMV command execution from the secure element http://nc-pod2-smp-device.apple.com/tsm/ <seId>/get_pending_commands Confirm Response

  22. Enrolling a card – Step 10 Authentication Passbook Server Send activation code https://nc-pod2-smp-device.apple.com/broker/v2/devices/ passes/paymentpass.com.apple/<providedURL>/activationCode Provide URL to generated PassKit Pass

  23. Enrolling a card – Step 11 Authentication Passbook Server Retreive the generated PassKit pass https://nc-pod2-smp-device.apple.com/broker/v2/devices/ passes/paymentpass.com.apple/<providedURL>/ Zipped package containing: Images, JSON containing pass details and the signature

  24. Enrolling a card – Step 12 passd Authentication Server Register device PAN with VISA https://vntnotificationservice.visa.com/TxnHist/1/1/devices/ <something>/registrations/dpan/<generated DPAN> Authentication token

  25. Enrolling a card – Step 13 Authentication Passbook Server Get transactions from VISA https://vntnotificationservice.visa.com/TxnHist/1/1/devices/ <something>/dpan/<generated DPAN>/transactions HTTP Code 304 – no content

  26. Using a card

  27. Remote Wiping of a Card

  28. What is right  Secure element provides a highly limited attack surface. – all sensitive information is loaded encrypted  Tokenization means that your personal account number is not stored or used by the device (I haven’t found anything but a sanitized version)  Issuer of the card can deactivate the token remotely (has happened to me twice so far)  Applications which use ApplePay must have the correct entitlements to use it.  You have to authenticate to use ApplePay

  29. Bad verification of the cardholders http://www.nytimes.com/2015/03/17/business/banks-find-fraud-abounds-in-apple-pay.html?_r=0  Verification methods and back end are chosen by the card issuers/bank  In the case of Wells Fargo the verification code can be sent through email, text or call to them.  Banks were skipping verification checks – allowing for the ability to load stolen cards onto devices with minimal verification

  30. Depends on existing contactless standards  Same attacks are possible on ApplePay  This is because it is the issuers that control the transaction – not Apple  And because reasons it has to support these broken modes  US market is still heavily invested in MagStripe – and this means broken contactless modes as  Proper EMV rollout in the US is not going as quick as thought (In a month there in 2015 I they my EMV chip two times …)  See my talk from last year (Crash & Pay)

  31. Cloning Demo!

  32. Transactions are logged and stored unencrypted • Located in /var/mobile/Library/passes/passes23.sqlite • Contains amounts, (accurate) locations, merchant location etc • Make sure you remote wipe your ApplePay device if lost!

  33. SQL Dump Demo

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Join us Saturday, August 4 th , from 8-11 am to learn more about STEM while having fun too! There

Join us Saturday, August 4 th , from 8-11 am to learn more about STEM while having fun too! There

This Photo by Unknown Author is licensed under CC BY-SA Join us Saturday, August 4 th , from 8-11 am to learn more about STEM while having fun too! There will be an introducHon with a few guest speakers while the girls get to enjoy some yummy

118 views • 10 slides
Juice with different flavors ( Apple , Guava, Mango and Cocktail ) And other flavors are

Juice with different flavors ( Apple , Guava, Mango and Cocktail ) And other flavors are

Juice with different flavors ( Apple , Guava, Mango and Cocktail ) And other flavors are available upon request Fruit Concentration : 25% Fruit Concentrate 50% Fruit Concentrate Percentage of 12 x 200ml 12 x 250 ml 12 x 300 ml 6 x 1 Liter

367 views • 4 slides
Review of Canadian Apple Market &amp; Trends 2015 Mid-Summer Meeting- Canadian Apple Industry

Review of Canadian Apple Market &amp; Trends 2015 Mid-Summer Meeting- Canadian Apple Industry

Review of Canadian Apple Market &amp; Trends 2015 Mid-Summer Meeting- Canadian Apple Industry Wolfville, NS August 4 th , 2015 Farid Makki Sector Development &amp; Analysis Directorate Agriculture and Agri-Food Canada Significance of Apple

645 views • 28 slides
www.fruitflyhotel.com www.pcm-global.com EVER HAD: Pesky Fruit Fly insurgence around your

www.fruitflyhotel.com www.pcm-global.com EVER HAD: Pesky Fruit Fly insurgence around your

www.fruitflyhotel.com www.pcm-global.com EVER HAD: Pesky Fruit Fly insurgence around your household Unwanted Fruit Fly guests at social gatherings Fruit Flies endlessly diving into your wine glass Fruit Flies feasting on your fruit, vegetables

332 views • 18 slides
Corporate Campaign Presentation By : Blaise Meyer, Ryan Garn, and Emily Gong History of Apple Inc.

Corporate Campaign Presentation By : Blaise Meyer, Ryan Garn, and Emily Gong History of Apple Inc.

Corporate Campaign Presentation By : Blaise Meyer, Ryan Garn, and Emily Gong History of Apple Inc. Apple Inc. Apples Involvement In Music Situational Analysis SWOT Analysis Of Apple Music Strengths Weakness Cross-platform compatibility

349 views • 34 slides
Ronald Wayne, The Third Founder of Apple Drew first Apple logo Wrote the Apple I manual

Ronald Wayne, The Third Founder of Apple Drew first Apple logo Wrote the Apple I manual

Ronald Wayne, The Third Founder of Apple Drew first Apple logo Wrote the Apple I manual Sold 10% of Apple for $2300 because of concern over a legal risk that could easily have been resolved Sells stamps from his home

702 views • 20 slides
Marketing Strategy of Apple Published by : www.studymarketing.org 1 Introducing Apple Steve

Marketing Strategy of Apple Published by : www.studymarketing.org 1 Introducing Apple Steve

Marketing Strategy of Apple Published by : www.studymarketing.org 1 Introducing Apple Steve Jobs is the brain behind the very famous and very Popular Apple Company. Apple creates and designs desktop computers, Mac laptops, iTunes, iPods, the

833 views • 48 slides
Menu Day Week 1 Week 2 Week 3 Week 4 Monday +Pork and Apple Casserole or +Meat Loaf or Lamb

Menu Day Week 1 Week 2 Week 3 Week 4 Monday +Pork and Apple Casserole or +Meat Loaf or Lamb

Menu Day Week 1 Week 2 Week 3 Week 4 Monday +Pork and Apple Casserole or +Meat Loaf or Lamb Steaklet +Savoury Flan with Salad +Grilled sausage and Lamb Steak and Kidney Pie +Rice Pudding or or Roast Pork casserole +Jelly of Chocolate

548 views • 3 slides
What is single-cell RNA-Seq, and why is it useful? S IN GLE-CELL RN A-S EQ W ORK F LOW S IN R

What is single-cell RNA-Seq, and why is it useful? S IN GLE-CELL RN A-S EQ W ORK F LOW S IN R

What is single-cell RNA-Seq, and why is it useful? S IN GLE-CELL RN A-S EQ W ORK F LOW S IN R Fanny Perraudeau Senior Data Scientist, Whole Biome Milkshake or fruit salad?. SINGLE-CELL RNA-SEQ WORKFLOWS IN R scRNA-Seq could revolutionize

676 views • 25 slides
Apple LLVM GPU Compiler: Embedded Dragons Charu Chandrasekaran, Apple Marcello Maggioni, Apple

Apple LLVM GPU Compiler: Embedded Dragons Charu Chandrasekaran, Apple Marcello Maggioni, Apple

Apple LLVM GPU Compiler: Embedded Dragons Charu Chandrasekaran, Apple Marcello Maggioni, Apple 1 Agenda How Apple uses LLVM to build a GPU Compiler Factors that affect GPU performance The Apple GPU compiler Pipeline passes

1.1k views • 71 slides
Not Your Mamas Mediterranean Meal Theme Meal by Patricia, Madeline, Irene, Christina, and

Not Your Mamas Mediterranean Meal Theme Meal by Patricia, Madeline, Irene, Christina, and

Not Your Mamas Mediterranean Meal Theme Meal by Patricia, Madeline, Irene, Christina, and Micaela The Menu SALAD STARCH Quinoa Tabbouleh Salad Lemon Herb Potatoes Chopped Kale Greek Salad Greek Rice SOUP VEGETABLE Chicken &amp; Shrimp

383 views • 23 slides
Faster, Stronger C++ Analysis with the Clang Static Analyzer George Karpenkov, Apple Artem

Faster, Stronger C++ Analysis with the Clang Static Analyzer George Karpenkov, Apple Artem

Faster, Stronger C++ Analysis with the Clang Static Analyzer George Karpenkov, Apple Artem Dergachev, Apple Agenda Introduction to Clang Static Analyzer Using coverage-based iteration order Improved C++ constructor and destructor

789 views • 40 slides
APPLE TV FOR THE CLASSROOM Leslie Markley UNM Language Learning Center WHAT IS AN APPLE TV?

APPLE TV FOR THE CLASSROOM Leslie Markley UNM Language Learning Center WHAT IS AN APPLE TV?

APPLE TV FOR THE CLASSROOM Leslie Markley UNM Language Learning Center WHAT IS AN APPLE TV? Small, portable box that can be connected to the instructor station. Used to project any Apple device: phone, laptop, iPad, etc. HOW DO YOU

495 views • 11 slides
Apple File System Slack Analysis and Detection of Hidden Data Axel Koolhaas Woudt van

Apple File System Slack Analysis and Detection of Hidden Data Axel Koolhaas Woudt van

Apple File System Slack Analysis and Detection of Hidden Data Axel Koolhaas Woudt van Steenbergen Introduction to Apple File System (APFS) 2016 Filesystem released, replacing HFS+ 2017 K. H. Hansen &amp; F. Toolan: Decoding the APFS

625 views • 24 slides
mission on. our our fruit fruit farm farm program. program. we invite media, customers and

mission on. our our fruit fruit farm farm program. program. we invite media, customers and

fruit on a a mission on. our our fruit fruit farm farm program. program. we invite media, customers and influencers in the public sphere to join us on fruit farm trip. we do this to tell our story and communicate our belief in trade not

130 views • 12 slides
Compiler-assisted Performance Analysis Adam Nemet Apple anemet@apple.com Hotspot User

Compiler-assisted Performance Analysis Adam Nemet Apple anemet@apple.com Hotspot User

Compiler-assisted Performance Analysis Adam Nemet Apple anemet@apple.com Hotspot User Bottleneck Compiler Optimization X, Y 2 Hotspot Hotspot Legality User Compiler Bottleneck Cost Model Compiler Optimization Some Optimizations?

1.19k views • 90 slides
A Microservices Journey Susanne Kaiser @suksr CTO at Just Software @JustSocialApps Each

A Microservices Journey Susanne Kaiser @suksr CTO at Just Software @JustSocialApps Each

A Microservices Journey Susanne Kaiser @suksr CTO at Just Software @JustSocialApps Each Journey is Different People try to copy Netflix, but they can only copy what they see. They copy the results, not the process. Adrian Cockcroft,

628 views • 45 slides
Unreliable Publish/Subscribe Protocols Georgios Bouloukakis 1,3 , Ajay Kattepur 2 , Nikolaos

Unreliable Publish/Subscribe Protocols Georgios Bouloukakis 1,3 , Ajay Kattepur 2 , Nikolaos

Queueing Network Modeling Patterns for Reliable and Unreliable Publish/Subscribe Protocols Georgios Bouloukakis 1,3 , Ajay Kattepur 2 , Nikolaos Georgantas 3 &amp; Valrie Issarny 3 New York, USA, November 2018 15th EAI International Conference

422 views • 14 slides
Modern CDCL SAT Solvers SAT / SMT Summer School 12. June 2012 Fondazione Bruno Kessler Trento,

Modern CDCL SAT Solvers SAT / SMT Summer School 12. June 2012 Fondazione Bruno Kessler Trento,

Modern CDCL SAT Solvers SAT / SMT Summer School 12. June 2012 Fondazione Bruno Kessler Trento, Italy Armin Biere Institute for Formal Models and Verification Johannes Kepler University, Linz, Austria

992 views • 83 slides
NP-Completeness Concluded 20-0 Yes/No Problems Easier? We have established

NP-Completeness Concluded 20-0 Yes/No Problems Easier? We have established

Griffith University 3130CIT Theory of Computation (Based on slides by Harald Sndergaard of The University of Melbourne) NP-Completeness Concluded 20-0 Yes/No Problems Easier? We have established that

411 views • 16 slides
Large-scale Cloud-based clusters using Boxgrinder, Condor, Panda, and APF John Hover OSG

Large-scale Cloud-based clusters using Boxgrinder, Condor, Panda, and APF John Hover OSG

Large-scale Cloud-based clusters using Boxgrinder, Condor, Panda, and APF John Hover OSG All-Hands Meeting 2013 Indianapolis, Indiana John Hover 13 Mar 2013 1 Outline Rationale In general... OSG-specific Dependencies/Limitations

439 views • 32 slides
Data Acquisition Corso di Sistemi e Architetture per Big Data A.A. 2016/17 Valeria Cardellini

Data Acquisition Corso di Sistemi e Architetture per Big Data A.A. 2016/17 Valeria Cardellini

Universit degli Studi di Roma Tor Vergata Dipartimento di Ingegneria Civile e Ingegneria Informatica Data Acquisition Corso di Sistemi e Architetture per Big Data A.A. 2016/17 Valeria Cardellini The reference Big Data stack

241 views • 22 slides
Semantic Information Broker for Smart Spaces: Value Offering Deployment Options Kick-off talk for

Semantic Information Broker for Smart Spaces: Value Offering Deployment Options Kick-off talk for

Petrozavodsk State University Department of Computer Science Dmitry G. Korzun, Aleksandr A. Lomov, Ivan V. Galov Semantic Information Broker for Smart Spaces: Value Offering Deployment Options Kick-off talk for FRUCT Smart Spaces &amp; IoT WG

240 views • 6 slides
RUNNING MYSQL IN K8S Version: 03.10.19 Mykola Marzhan Has been developing deployment, update

RUNNING MYSQL IN K8S Version: 03.10.19 Mykola Marzhan Has been developing deployment, update

RUNNING MYSQL IN K8S Version: 03.10.19 Mykola Marzhan Has been developing deployment, update and monitoring systems since 2004. WHAT IS AN OPERATOR? OPERATORS WHAT IF IT FAILS? PRESSLABS OPERATOR PRESSLABS OPERATOR MYSQL OPERATOR MYSQL

514 views • 35 slides

More recommend