0:00:00.000,0:00:19.150
36c3 preroll music
0:00:19.150,0:00:25.910
Herald: The following talk by Fabian and[br]Frederico will be about hacking NFC toys
0:00:25.910,0:00:32.010
with a Chameleon Mini. Also, we have[br]special guests here on stage! What is your
0:00:32.010,0:00:34.010
name?[br]Luna: Luna
0:00:34.010,0:00:36.800
Herald: and[br]Mila: Mila
0:00:36.800,0:00:45.880
Herald: Give them a warm round of applause
0:00:45.880,0:00:58.330
Fabian: Well, hello everyone! We have some[br]nice little toy for kids. It's, ehm, it's
0:00:58.330,0:01:05.031
a Tonie Box. You're putting a little[br]figurine on top of that, and then the box
0:01:05.031,0:01:15.380
starts playing a song or reads a story,[br]and the tags are using NFC to authenticate
0:01:15.380,0:01:24.140
themselves, more or less. And maybe luna[br]will show how it is supposed to work.
0:01:24.140,0:01:28.320
Luna, would you like to demonstrate it once?
0:01:28.320,0:01:41.670
Music
0:01:41.670,0:01:44.920
Fabian: Really good![br]Frederico: So, once you put in the
0:01:44.920,0:01:50.530
figurine, it plays, and stops, and it[br]starts again with another one
0:01:50.530,0:02:01.969
Fabian: Yes, that's fine! We got the[br]information from a forum where they just
0:02:01.969,0:02:08.880
tried to hack these things and they stated[br]that it was too difficult to do it with
0:02:08.880,0:02:13.440
the Chameleon Mini, and that was like a[br]challenge to us, since we are maintaining
0:02:13.440,0:02:21.829
the GitHub repository, which is open[br]source, so we just did it yesterday and
0:02:21.829,0:02:29.540
the kids can play with it today. We[br]started by analyzing the communication by
0:02:29.540,0:02:37.760
inputting a sniffer. We just received the[br]communication from the box to the tag and
0:02:37.760,0:02:42.800
we looked at what is actually an[br]incomprehensible authentication
0:02:42.800,0:02:54.881
happening. What we see here is the log of[br]the Chameleon Mini. This is ISO 15693 and
0:02:54.881,0:03:04.850
the marked-up part is some proprietary[br]commands. And from the forum, we knew that
0:03:04.850,0:03:11.220
they are ICODE tags, so we just looked it up[br]in the datasheet, and the command which we
0:03:11.220,0:03:19.480
are seeing here is "get random number". So[br]the tag responds with a 16… 16-bit random
0:03:19.480,0:03:21.489
number…[br]Frederico: …which is not shown here
0:03:21.489,0:03:27.329
because, sorry, it's only one-sided[br]communication sniffing, so we have only
0:03:27.329,0:03:32.350
the commands that are given to the target[br]from the reader. So here we can see the
0:03:32.350,0:03:37.180
random part of it, and we'll just deal[br]with it later on, and we'll explain to you
0:03:37.180,0:03:40.680
how we broke it nonetheless.
0:03:41.760,0:03:46.340
Fabian: This is the normal ISO 15
0:03:46.340,0:03:54.250
inventory command that selects a tag and[br]expects the UID. But we are not
0:03:54.250,0:04:02.079
authenticated right now so the tag goes on[br]with the set password command. And that's
0:04:02.079,0:04:11.530
quite interesting: it is a 32-bit password[br]that is XORed with a random number. Twice.
0:04:11.530,0:04:21.769
So no real crypto here. And then we see[br]that we get selected, and here we see the
0:04:21.769,0:04:30.300
UID of the tag. So we can work on that. We[br]implemented the get random number command
0:04:30.300,0:04:40.120
and the set password but we just did not[br]send a random number back. So we just sent
0:04:40.120,0:04:50.599
zeros and that's when we get the password.[br]Then we emulated it, and let's take a look
0:04:50.599,0:04:55.710
at the log again.[br]Frederico: This is the full emulation log,
0:04:55.710,0:05:00.900
so when I finally have both transmission[br]and reception from the reader, so we are
0:05:00.900,0:05:07.979
receiving data from the reader, and we are[br]sending back transmission of – this is our
0:05:07.979,0:05:12.860
random number, which is a zero zero[br]zero zero. So we are sending all zeros.
0:05:12.860,0:05:17.640
Then, it means that the password that will[br]be sent by the reader to the tag will be
0:05:17.640,0:05:24.139
XORed with only zeros. So, this is the[br]authentication command, and you can see,
0:05:24.139,0:05:30.189
now we have the password in plain text.[br]Because they simply XORed it with the… with
0:05:30.189,0:05:37.379
0. Now we finally have the password, so we[br]can also use it to read the other tags.
0:05:37.379,0:05:41.909
Because we actually need to authenticate[br]in the right way, with proper tags. And we
0:05:41.909,0:05:49.749
can read them and – if Mila… yeah… thanks[br]Lula! It should be emulating a real target
0:05:49.749,0:05:52.950
beeping from box[br]Music playing
0:05:52.950,0:05:58.610
Frederico: It's indeed emulating a real[br]target. So once you have the password,
0:05:58.610,0:06:03.919
you can authenticate, read the data from[br]the from the tag, and reverse-engineer it.
0:06:03.919,0:06:13.870
But actually, it's not even needed.[br]Because somehow, the… the box is trusting
0:06:13.870,0:06:19.120
the UID itself. So once you have emulation[br]in place and you can read the UID from the
0:06:19.120,0:06:25.120
sniffer we had before, you are already good to[br]go. You now have a perfect emulation and
0:06:25.120,0:06:27.659
the kids can now play without[br]incomprehensible toys
0:06:27.659,0:06:33.430
Fabian: The interesting thing here is that[br]we did not even start to read the tag, the
0:06:33.430,0:06:39.710
actual data on the tag. As you see below[br]here, we just sent back zeros and the tag
0:06:39.710,0:06:45.199
still plays. So it doesn't even care[br]what is written on the tag, they just
0:06:45.199,0:06:55.060
check the UID once you put the tag on top[br]of it and then you can just create a nice
0:06:55.060,0:07:06.249
little backup. If the kids are breaking[br]the toys or you exchange some figurines
0:07:06.249,0:07:09.770
with your friends and…[br]Frederico: No. No, that wouldn't be
0:07:09.770,0:07:15.639
legal. Who would do that?[br]Fabian: I won't do that, but Mila might!
0:07:15.639,0:07:20.400
Frederico: We speculate that the data in[br]the tag might be used to authenticate the
0:07:20.400,0:07:29.159
first time with the box. Because once you[br]buy a figurine it's linked to your account
0:07:29.159,0:07:34.819
and probably it's… that they have decided[br]it's used only the first time. So then
0:07:34.819,0:07:40.200
later on, the Box just stores your UID and[br]then it authenticates. And that's the
0:07:40.200,0:07:44.439
reason why the Box does not care about the[br]content, because it recognized the UID as
0:07:44.439,0:07:49.719
one, it's already saved inside the thing.[br]Fabian: Yes, and… but we did want to read
0:07:49.719,0:07:57.290
the tag anyway. Actually we cannot do it[br]with the Chameleon Mini right now, because
0:07:57.290,0:08:03.289
there are some missing implementations. So[br]we would like to join you to contribute
0:08:03.289,0:08:12.090
something on our GitHub project. We[br]quickly scripted something and I'm I'm…
0:08:12.090,0:08:18.789
I'm going back… in Python for another[br]reader, so we could read the tag and dump
0:08:18.789,0:08:26.189
it. But we did not upload it to the[br]Chameleon since we are already getting a
0:08:26.189,0:08:30.460
full emulation on the tag. So we just save[br]the time.
0:08:30.460,0:08:37.190
Frederico: It will be on my gist for the[br]time being I guess, because I need a Python
0:08:37.190,0:08:42.360
script to read those tags which are not[br]totally supported by many readers now. You
0:08:42.360,0:08:47.500
have to go to the bare commands. There is[br]no read support really we made support for
0:08:47.500,0:08:50.580
phones or something like that once the tag[br]is in privacy mode.
0:08:50.580,0:08:56.440
Fabian: Well, we are already finished[br]Frederico: Yeah. We didn't have much to
0:08:56.440,0:08:59.530
say I guess.[br]Fabian: We'll just link the GitHub
0:08:59.530,0:09:05.970
repository that's where you can also ask[br]questions if you are playing with the
0:09:05.970,0:09:12.210
Chameleon and don't know how it works or[br]getting stuck on something. We will be
0:09:12.210,0:09:18.161
also here around for questions and[br]answers, and if you want to buy a
0:09:18.161,0:09:25.100
chameleon you still can do. You just have[br]to find this man.
0:09:25.100,0:09:30.070
Frederico: The yellow guy[br]Fabian: At his parking spot which is up
0:09:30.070,0:09:39.350
there, A2. Well I just found him, he's[br]right in front of me. What a coincidence!
0:09:39.350,0:09:42.220
And[br]Frederico: That's it I guess.
0:09:42.220,0:09:46.400
Fabian: That's it.
0:09:46.400,0:09:54.410
Herald: Thank you Fabio and Frederico and[br]especially thanks to Luna and Mila! We
0:09:54.410,0:10:00.344
have time for some quick questions I[br]think. Are there any questions? One
0:10:00.344,0:10:04.907
question I see there. You were first.
0:10:08.357,0:10:10.930
Q: From the point of what you know now, do
0:10:10.930,0:10:16.780
you think it's possible that we have some[br]kind of repository where I can download
0:10:16.780,0:10:21.510
codes and play anything?[br]A: Yeah, it's already available in my own
0:10:21.510,0:10:25.910
fork of the repository, but we are[br]probably gonna merge it in the main one.
0:10:25.910,0:10:30.390
We will just tidy up the code and, it's a[br]bit hacky. We will do a pull request and
0:10:30.390,0:10:35.370
then we will merge it into the main GitHub[br]repository, in a couple of days . But
0:10:35.370,0:10:37.910
still, it's available as of now on my[br]GitHub repository.
0:10:37.910,0:10:46.430
Q: OK, following question: on it there is a[br]function I think that people can use these
0:10:46.430,0:10:52.510
figures to record something, and this is[br]saved in the cloud. Is, could this be a
0:10:52.510,0:11:00.580
problem for privacy if I can technically[br]clone other recordings from random people?
0:11:00.580,0:11:05.240
Q2: Yes, if someone records his own[br]stuff, like secret messages, you can
0:11:05.240,0:11:07.240
download it.[br]A: It depends.
0:11:07.240,0:11:10.300
Q2: From my understanding yes, sorry[br]A: He's the owner of the Box!
0:11:10.300,0:11:14.660
Q2: From my understanding, yes, because[br]you can upload your own, say, private
0:11:14.660,0:11:20.550
discussion with your wife to one Tonie and[br]since it's all, it goes through their
0:11:20.550,0:11:26.050
cloud, and is stored on this box, if[br]someone can copy my UID, very likely he
0:11:26.050,0:11:30.550
can listen to what I was saying to my wife[br]on this Tonie box. Yeah, this could be
0:11:30.550,0:11:34.420
some privacy threat, while it's a bit far-[br]fetched; at the end of the day that's
0:11:34.420,0:11:39.510
mostly children's music.[br]A: Well it would be nice if, if you want
0:11:39.510,0:11:45.370
to take a look at it, the code is online[br]and you can do so and tell us!
0:11:45.370,0:11:50.470
Q: Just a quick comment on that. As far as[br]I know, you can like, if you have this
0:11:50.470,0:11:56.290
Tonies where you can speak something on[br]them, you can enable others to take your
0:11:56.290,0:12:00.430
figurine and put it on their Tonie box, so[br]you can enable this function or you can
0:12:00.430,0:12:06.140
disable it. So even if you, as far as I[br]know, even if you cloned this UID, you
0:12:06.140,0:12:10.610
cannot necessarily put it on some other[br]Tonie box and listen to these private ones
0:12:10.610,0:12:15.300
at least. The other ones, that would be[br]possible, but the private ones, the ones
0:12:15.300,0:12:20.570
where you can put some music or some[br]speech on, these you can disable the
0:12:20.570,0:12:23.390
function to share them. That's what I[br]know.
0:12:23.390,0:12:29.740
A: Thanks[br]Herald: So, any more questions? One more
0:12:29.740,0:12:36.610
question or comment?[br]Q: I was just wondering since now many
0:12:36.610,0:12:40.880
kids will start going with the Chameleons[br]through the supermarket – which is
0:12:40.880,0:12:45.760
illegal! But most kids are too young to be[br]prosecuted, no? And then they would steal
0:12:45.760,0:12:51.160
several UIDs and, or maybe exchange them[br]with friends, I was wondering, where do we
0:12:51.160,0:12:57.110
collect the archive of valid UIDs and what[br]the content is, say with which I'm using
0:12:57.110,0:13:01.480
A: I'm not hosting it. I'm not hosting it.[br]Q: Oh you are only into backups, into say
0:13:01.480,0:13:04.950
a privacy backup[br]A: Well, er, we have a little… – strict
0:13:04.950,0:13:10.350
backup only! – comment within our source[br]code that we know which UID belongs to
0:13:10.350,0:13:17.430
which tag we worked with, but we will not[br]expand it.
0:13:17.430,0:13:22.000
Q: Okay so thank you, we have to collect[br]it somewhere, the criminal stuff. Thank
0:13:22.000,0:13:24.000
you![br]A: On your servers, [name]!
0:13:24.000,0:13:26.840
36c3 postroll music
0:13:26.840,0:13:51.820
Subtitles created by c3subtitles.de[br]in the year 2021. Join, and help us!