WEBVTT
00:00:00.000 --> 00:00:19.150
36c3 preroll music
00:00:19.150 --> 00:00:25.910
Herald: The following talk of Fabian and
Frederico will be about hacking NFC toys
00:00:25.910 --> 00:00:32.010
with a chameleon mini. Also, we have
special guests here on stage! What is your
00:00:32.010 --> 00:00:34.010
name?
Luna: Luna
00:00:34.010 --> 00:00:36.800
Herald: and
Mila: Mila
00:00:36.800 --> 00:00:45.880
Herald: Give them a warm round of applause
00:00:45.880 --> 00:00:58.330
Fabian: Well, hello everyone! We have some
nice little toy for kids. It's, ehm, it's
00:00:58.330 --> 00:01:05.031
a Tonie Box. You're putting a little
figurine on top of that, and then the box
00:01:05.031 --> 00:01:15.380
starts playing a song or reads a story,
and the tags are using NFC to authenticate
00:01:15.380 --> 00:01:24.140
themselves, more or less. And maybe Luna
will show how it is supposed to work.
00:01:24.140 --> 00:01:28.320
Luna, would you like to demonstrate it once?
00:01:28.320 --> 00:01:41.670
Music
00:01:41.670 --> 00:01:44.920
Fabian: Really good!
Frederico: So, once you put in the
00:01:44.920 --> 00:01:50.530
figurine, it plays, and stops, and it
starts again with another one
00:01:50.530 --> 00:02:01.969
Fabian: Yes that's fine! We got the
information from a forum where they just
00:02:01.969 --> 00:02:08.880
tried to hack these things and they stated
that it was too difficult to do it with
00:02:08.880 --> 00:02:13.440
the chameleon mini, and that was like a
challenge to us, since we are maintaining
00:02:13.440 --> 00:02:21.829
the github repository, which is open
source, so we just did it yesterday and
00:02:21.829 --> 00:02:29.540
the kids can play with it today. We
started by analyzing the communication by
00:02:29.540 --> 00:02:37.760
inputting a sniffer. We just received the
communication from the box to the tag and
00:02:37.760 --> 00:02:42.800
we looked at it what is actually an
incomprehensible authentication
00:02:42.800 --> 00:02:54.881
happening. What we see here is the log of
the chameleon mini. This is ISO 15693 and
00:02:54.881 --> 00:03:04.850
the marked up part is some proprietary
commands. And from the forum, we knew that
00:03:04.850 --> 00:03:11.220
it is ICODE tags, so we just looked it up
in the datasheet, and the command which we
00:03:11.220 --> 00:03:19.480
are seeing here is "get random number". So
the tag responds with a 16… 16 bit random
00:03:19.480 --> 00:03:21.489
number…
Frederico: …which is not shown here
00:03:21.489 --> 00:03:27.329
because, sorry, it's only one-side
communication sniffing, so we have only
00:03:27.329 --> 00:03:32.350
the commands that are given to the target
from the reader. So here we can see the
00:03:32.350 --> 00:03:37.180
random part of it, and we'll just deal
with it later on, and we'll explain to you
00:03:37.180 --> 00:03:40.680
how we broke it nonetheless.
00:03:41.760 --> 00:03:46.340
Fabian: This is the normal ISO 15
00:03:46.340 --> 00:03:54.250
inventory command that selects a tag and
expects the UID. But we are not
00:03:54.250 --> 00:04:02.079
authenticated right now so the tag goes on
with the set password command. And that's
00:04:02.079 --> 00:04:11.530
quite interesting: It is a 32-bit password
that is XORed with a random number. Twice.
00:04:11.530 --> 00:04:21.769
So no real crypto here. And then we see
that we get selected, and here we see the
00:04:21.769 --> 00:04:30.300
UID of the tag. So we can work on that. We
implemented the get random number command
00:04:30.300 --> 00:04:40.120
and the set password but we just did not
send a random number back. So we just sent
00:04:40.120 --> 00:04:50.599
zeros and that's when we get the password.
Then we emulated it, and let's take a look
00:04:50.599 --> 00:04:55.710
at the log again.
Frederico: This is the full emulation log,
00:04:55.710 --> 00:05:00.900
so when I finally have both transmission
and reception from the reader, so we are
00:05:00.900 --> 00:05:07.979
receiving data from the reader, and we are
sending back transmission of – this is our
00:05:07.979 --> 00:05:12.860
this random number which is a zero zero
zero zero. So we are sending all zeros.
00:05:12.860 --> 00:05:17.640
Then, it means that the password that will
be sent by the reader to the tag will be
00:05:17.640 --> 00:05:24.139
XORed with only zeros. So, this is the
authentication command, and you can see,
00:05:24.139 --> 00:05:30.189
now we have the password in plain text.
Because they simply XORed it with the… with
00:05:30.189 --> 00:05:37.379
0. Now we finally have the password, so we
can also use it to read the other tags.
00:05:37.379 --> 00:05:41.909
Because we actually need to authenticate
in the right way, with proper tags. And we
00:05:41.909 --> 00:05:49.749
can read them and – if Mila… yeah… thanks
Lula! It should be emulating a real target
00:05:49.749 --> 00:05:52.950
beeping from box
Music playing
00:05:52.950 --> 00:05:58.610
Frederico: It's indeed emulating a real
target. So once you have the password,
00:05:58.610 --> 00:06:03.919
you can authenticate, read the data from
from the tag, and reverse-engineer it.
00:06:03.919 --> 00:06:13.870
But actually, it's not even needed.
Because somehow, the… the box is trusting
00:06:13.870 --> 00:06:19.120
the UID itself. So once you have emulation
in place and you can read the UID from the
00:06:19.120 --> 00:06:25.120
sniffer we had before, you're already good to
go. You now have a perfect emulation and
00:06:25.120 --> 00:06:27.659
the kids can now play without
incomprehensible toys
00:06:27.659 --> 00:06:33.430
Fabian: The interesting thing here is that
we did not even start to read the tag, the
00:06:33.430 --> 00:06:39.710
actual data on the tag. As you see below
here, we just sent back zeros and the tag
00:06:39.710 --> 00:06:45.199
still plays. So it doesn't even care
what is written on the tag, they just
00:06:45.199 --> 00:06:55.060
check the UID once you put the tag on top
of it and then you can just create a nice
00:06:55.060 --> 00:07:06.249
little backup. If the kids are breaking
the toys or you exchange some figurines
00:07:06.249 --> 00:07:09.770
with your friends and…
Frederico: No. No, that wouldn't be
00:07:09.770 --> 00:07:15.639
legal. Who would do that?
Fabian: I won't do that, but Mila might!
00:07:15.639 --> 00:07:20.400
Frederico: We speculate that the data in
the tag might be used to authenticate the
00:07:20.400 --> 00:07:29.159
first time with the box. Because once you
buy a figurine it's linked to your account
00:07:29.159 --> 00:07:34.819
and probably it's… that they have decided
it's used only the first time. So then
00:07:34.819 --> 00:07:40.200
later on, the Box just stores your UID and
then it authenticates. And that's the
00:07:40.200 --> 00:07:44.439
reason why the Box does not care about the
content, because it recognized the UID as
00:07:44.439 --> 00:07:49.719
one, it's already saved inside the thing.
Fabian: Yes, and… but we did want to read
00:07:49.719 --> 00:07:57.290
the tag anyway. Actually we cannot do it
with the Chameleon Mini right now, because
00:07:57.290 --> 00:08:03.289
there are some missing implementations. So
we would like to join you to contribute
00:08:03.289 --> 00:08:12.090
something on our GitHub project. We
quickly scripted something and I'm I'm…
00:08:12.090 --> 00:08:18.789
I'm going back… in Python for another
reader, so we could read the tag and dump
00:08:18.789 --> 00:08:26.189
it. But we did not upload it to the
Chameleon since we are already getting a
00:08:26.189 --> 00:08:30.460
full emulation on the tag. So we just save
the time.
00:08:30.460 --> 00:08:37.190
Frederico: It will be on my gist for the
time being I guess, because I need Python
00:08:37.190 --> 00:08:42.360
script to read those tags which are not
totally supported by many readers now. You
00:08:42.360 --> 00:08:47.500
have to go to the bare commands. There is
no read support really we made support for
00:08:47.500 --> 00:08:50.580
phones or something like that once the tag
is in privacy mode.
00:08:50.580 --> 00:08:56.440
Fabian: Well, we are already finished
Frederico: Yeah. We didn't have much to
00:08:56.440 --> 00:08:59.530
say I guess.
Fabian: We'll just link the GitHub
00:08:59.530 --> 00:09:05.970
repository that's where you can also ask
questions if you are playing with the
00:09:05.970 --> 00:09:12.210
chameleon and don't know how it works or
getting stuck on something. We will be
00:09:12.210 --> 00:09:18.161
also here around for questions and
answers, and if you want to buy a
00:09:18.161 --> 00:09:25.100
chameleon you still can do. You just have
to find this man.
00:09:25.100 --> 00:09:30.070
Frederico: The yellow guy
Fabian: At his parking spot which is up
00:09:30.070 --> 00:09:39.350
there, A2. Well I just found him, he's
right in front of me. What a coincidence!
00:09:39.350 --> 00:09:42.220
And
Frederico: That's it I guess.
00:09:42.220 --> 00:09:46.400
Fabian: That's it.
00:09:46.400 --> 00:09:54.410
Herald: Thank you Fabio and Frederico and
especially thanks to Luna and Mila! We
00:09:54.410 --> 00:10:00.344
have time for some quick questions I
think. Are there any questions? One
00:10:00.344 --> 00:10:04.907
question I see there. You were first.
00:10:08.357 --> 00:10:10.930
Q: From the point of what you know now, do
00:10:10.930 --> 00:10:16.780
you think it's possible that we have some
kind of repository where I can download
00:10:16.780 --> 00:10:21.510
codes and play anything?
A: Yeah, it's already available in my own
00:10:21.510 --> 00:10:25.910
fork of the repository, but we are
probably gonna merge it in the main one.
00:10:25.910 --> 00:10:30.390
We will just tidy up the code and, it's a
bit hacky. We will do a pull request and
00:10:30.390 --> 00:10:35.370
then we will merge it into the main GitHub
repository, in a couple of days. But
00:10:35.370 --> 00:10:37.910
still, it's available as of now on my
GitHub repository.
00:10:37.910 --> 00:10:46.430
Q: OK, following question, on it there is a
function I think that people can use these
00:10:46.430 --> 00:10:52.510
figures to record something, and this is
saved in the cloud. Is, could this be a
00:10:52.510 --> 00:11:00.580
problem for privacy if I can technically
clone other recordings from random people?
00:11:00.580 --> 00:11:05.240
Q2: Yes, if someone records his own
stuff, like secret messages, you can
00:11:05.240 --> 00:11:07.240
download it.
A: It depends.
00:11:07.240 --> 00:11:10.300
Q2: From my understanding yes, sorry
A: He's the owner of the Box!
00:11:10.300 --> 00:11:14.660
Q2: From my understanding, yes, because
you can upload your own, say, private
00:11:14.660 --> 00:11:20.550
discussion with your wife to one Tonie and
since it's all, it goes through their
00:11:20.550 --> 00:11:26.050
cloud, and is stored on this box, if
someone can copy my UID, very likely he
00:11:26.050 --> 00:11:30.550
can listen to what I was saying to my wife
on this Tonie box. Yeah, this could be
00:11:30.550 --> 00:11:34.420
some privacy threat, while it's a bit
far-fetched at the end of the day; that's
00:11:34.420 --> 00:11:39.510
mostly children's music.
A: Well it would be nice if, if you want
00:11:39.510 --> 00:11:45.370
to take a look at it, the code is online
and you can do so and tell us!
00:11:45.370 --> 00:11:50.470
Q: Just a quick comment on that. As far as
I know, you can like, if you have this
00:11:50.470 --> 00:11:56.290
Tonies where you can speak something on
them, you can enable others to take your
00:11:56.290 --> 00:12:00.430
figurine and put it on their Tonie box, so
you can enable this function or you can
00:12:00.430 --> 00:12:06.140
disable it. So even if you, as far as I
know, even if you cloned this UID, you
00:12:06.140 --> 00:12:10.610
cannot necessarily put it on some other
Tonie box and listen to these private ones
00:12:10.610 --> 00:12:15.300
at least. The other ones that would be
possible but the private ones, the ones
00:12:15.300 --> 00:12:20.570
where you can put some music or some
speech on, these you can disable the
00:12:20.570 --> 00:12:23.390
function to share them. That's what I
know.
00:12:23.390 --> 00:12:29.740
A: Thanks
H: So, any more questions? One more
00:12:29.740 --> 00:12:36.610
question or comment?
Q: I was just wondering since now many
00:12:36.610 --> 00:12:40.880
kids will start going with the Chameleons
through the supermarket – which is
00:12:40.880 --> 00:12:45.760
illegal! But most kids are too young to be
prosecuted, no? And then they would steal
00:12:45.760 --> 00:12:51.160
several UIDs and, or maybe exchange them
with friends, I was wondering, where do we
00:12:51.160 --> 00:12:57.110
collect the archive of valid UIDs and what
the content is, say with which I'm using
00:12:57.110 --> 00:13:01.480
A: I'm not hosting it. I'm not hosting it.
Q: Oh you are only into backups, into say
00:13:01.480 --> 00:13:04.950
a privacy backup
A: Well, er, we have a little… – strict
00:13:04.950 --> 00:13:10.350
backup only! – comment within our source
code that we know which UID belongs to
00:13:10.350 --> 00:13:17.430
which tag we worked with, but we will not
expand it.
00:13:17.430 --> 00:13:22.000
Q: Okay so thank you, we have to collect
it somewhere, the criminal stuff. Thank
00:13:22.000 --> 00:13:24.000
you!
A: On your servers, [name]!
00:13:24.000 --> 00:13:26.840
36c3 postroll music
00:13:26.840 --> 00:13:51.820
Subtitles created by c3subtitles.de
in the year 2021. Join, and help us!