36c3 preroll music

Herald: The following talk by Fabian and Frederico will be about hacking NFC toys with a Chameleon Mini. Also, we have special guests here on stage! What is your name?

Luna: Luna.

Herald: And?

Mila: Mila.

Herald: Give them a warm round of applause.

Fabian: Well, hello everyone! We have some nice little toy for kids. It's, ehm, it's a Tonie Box. You're putting a little figurine on top of that, and then the box starts playing a song or reads a story, and the tags are using NFC to authenticate themselves, more or less. And maybe Luna will show how it is supposed to work. Luna, would you like to demonstrate it once?

Music

Fabian: Really good!

Frederico: So, once you put on the figurine, it plays, and stops, and it starts again with another one.

Fabian: Yes, that's fine! We got the information from a forum where they just tried to hack these things, and they stated that it was too difficult to do it with the Chameleon Mini, and that was like a challenge to us, since we are maintaining the GitHub repository, which is open source, so we just did it yesterday and the kids can play with it today. We started by analyzing the communication by putting in a sniffer. We just received the communication from the box to the tag, and we looked at what is actually an incomprehensible authentication happening. What we see here is the log of the Chameleon Mini. This is ISO 15693, and the marked-up part is some proprietary commands. And from the forum, we knew that it is ICODE tags, so we just looked it up in the datasheet, and the command which we are seeing here is "get random number". So the tag responds with a 16… 16-bit random number…

Frederico: …which is not shown here because, sorry, it's only one-sided communication sniffing, so we only have the commands that are given to the target from the reader. So here we can see the random part of it, and we'll just deal with it later on, and we'll explain to you how we broke it nonetheless.
Fabian: This is the normal ISO 15693 inventory command that selects a tag and expects the UID. But we are not authenticated right now, so the tag goes on with the set password command. And that's quite interesting: it is a 32-bit password that is XORed with a random number. Twice. So no real crypto here. And then we see that we get selected, and here we see the UID of the tag. So we can work on that. We implemented the get random number command and the set password, but we just did not send a random number back. So we just sent zeros, and that's when we get the password. Then we emulated it, and let's take a look at the log again.

Frederico: This is the full emulation log, so now I finally have both transmission and reception from the reader, so we are receiving data from the reader, and we are sending back transmission of – this is our random number, which is zero zero zero zero. So we are sending all zeros. Then, it means that the password that will be sent by the reader to the tag will be XORed with only zeros. So, this is the authentication command, and you can see, now we have the password in plain text. Because they simply XORed it with the… with 0. Now we finally have the password, so we can also use it to read the other tags. Because we actually need to authenticate in the right way, with proper tags. And we can read them and – if Mila… yeah… thanks, Luna!

It should be emulating a real target.

beeping from box

Music playing

Frederico: It's indeed emulating a real target. So once you have the password, you can authenticate, read the data from the tag, and reverse-engineer it. But actually, it's not even needed. Because somehow, the… the box is trusting the UID itself. So once you have emulation in place and you can read the UID from the sniffer we had before, you're already good to go.
You now have a perfect emulation, and the kids can now play without incomprehensible toys.

Fabian: The interesting thing here is that we did not even start to read the tag, the actual data on the tag. As you see below here, we just sent back zeros and the tag still plays. So it doesn't even care what is written on the tag; they just check the UID once you put the tag on top of it, and then you can just create a nice little backup. If the kids are breaking the toys or you exchange some figurines with your friends and…

Frederico: No. No, that wouldn't be legal. Who would do that?

Fabian: I won't do that, but Mila might!

Frederico: We speculate that the data in the tag might be used to authenticate the first time with the box. Because once you buy a figurine it's linked to your account, and probably it's… that they have decided it's used only the first time. So then later on, the box just stores your UID and then it authenticates. And that's the reason why the box does not care about the content, because it recognized the UID as one that's already saved inside the thing.

Fabian: Yes, and… but we did want to read the tag anyway. Actually, we cannot do it with the Chameleon Mini right now, because there are some missing implementations. So we would like you to join us and contribute something on our GitHub project. We quickly scripted something, and I'm… I'm going back… in Python for another reader, so we could read the tag and dump it. But we did not upload it to the Chameleon, since we are already getting a full emulation of the tag. So we just saved the time.

Frederico: It will be on my gist for the time being, I guess, because I need a Python script to read those tags, which are not totally supported by many readers now. You have to go to the bare commands. There is no read support really, we made support for phones or something like that, once the tag is in privacy mode.

Fabian: Well, we are already finished.

Frederico: Yeah. We didn't have much to say, I guess.
Fabian: We'll just link the GitHub repository; that's where you can also ask questions if you are playing with the Chameleon and don't know how it works or are getting stuck on something. We will also be around here for questions and answers, and if you want to buy a Chameleon, you still can. You just have to find this man.

Frederico: The yellow guy.

Fabian: At his parking spot, which is up there, A2. Well, I just found him, he's right in front of me. What a coincidence! And…

Frederico: That's it, I guess.

Fabian: That's it.

Herald: Thank you, Fabian and Frederico, and especially thanks to Luna and Mila! We have time for some quick questions, I think. Are there any questions? One question I see there. You were first.

Q: From the point of what you know now, do you think it's possible that we have some kind of repository where I can download codes and play anything?

A: Yeah, it's already available in my own fork of the repository, but we are probably gonna merge it into the main one. We will just tidy up the code, as it's a bit hacky. We will do a pull request and then we will merge it into the main GitHub repository, in a couple of days. But still, it's available as of now on my GitHub repository.

Q: OK, a follow-up question: on it there is a function, I think, that people can use these figures to record something, and this is saved in the cloud. Could this be a problem for privacy if I can technically clone other recordings from random people?

Q2: Yes, if someone records his own stuff, like secret messages, you can download it.

A: It depends.

Q2: From my understanding, yes, sorry.

A: He's the owner of the box!

Q2: From my understanding, yes, because you can upload your own, say, private discussion with your wife to one Tonie, and since it all goes through their cloud and is stored on this box, if someone can copy my UID, very likely he can listen to what I was saying to my wife on this Tonie box.
Yeah, this could be some privacy threat, while it's a bit far-fetched; at the end of the day it's mostly children's music.

A: Well, it would be nice if, if you want to take a look at it, the code is online and you can do so and tell us!

Q: Just a quick comment on that. As far as I know, if you have these Tonies where you can speak something onto them, you can enable others to take your figurine and put it on their Tonie box, so you can enable this function or you can disable it. So even if you, as far as I know, even if you cloned this UID, you cannot necessarily put it on some other Tonie box and listen to these private ones, at least. For the other ones that would be possible, but the private ones, the ones where you can put some music or some speech on, for these you can disable the function to share them. That's what I know.

A: Thanks.

Herald: So, any more questions? One more question or comment?

Q: I was just wondering, since now many kids will start going with the Chameleons through the supermarket – which is illegal! But most kids are too young to be prosecuted, no? And then they would steal several UIDs, or maybe exchange them with friends. I was wondering, where do we collect the archive of valid UIDs and what the content is, say, with which I'm using…

A: I'm not hosting it. I'm not hosting it.

Q: Oh, you are only into backups, into, say, a privacy backup.

A: Well, er, we have a little… – strict backup only! – comment within our source code so that we know which UID belongs to which tag we worked with, but we will not expand it.

Q: Okay, so thank you, we have to collect it somewhere, the criminal stuff. Thank you!

A: On your servers, [name]!

36c3 postroll music

Subtitles created by c3subtitles.de in the year 2021. Join, and help us!