36c3 preroll music

Herald: The following talk of Fabian and Frederico will be about hacking NFC toys with a Chameleon Mini. Also, we have special guests here on stage! What is your name?

Luna: Luna

Herald: And

Mila: Mila

Herald: Give them a warm round of applause

Fabian: Well, hello everyone! We have some nice little toy for kids. It's, ehm, it's a Tonie Box. You're putting a little figurine on top of that, and then the box starts playing a song or reads a story, and the tags are using NFC to authenticate themselves, more or less. And maybe Luna will show how it is supposed to work. Luna, would you like to show us how it works?

Music

Fabian: Really good!

Frederico: So, once you put in the figurine, it plays, and stops, and it starts again with another one.

Fabian: Yes, that's fine! We got the information from a forum where they just tried to hack these things and they stated that it was too difficult to do it with the Chameleon Mini, and that was like a challenge to us, since we are maintaining the GitHub repository, which is open source, so we just did it yesterday and the kids can play with it today. We started by analyzing the communication by putting in a sniffer. We just received the communication from the box to the tag and we looked at what is actually an incomprehensible authentication happening. What we see here is the log of the Chameleon Mini. This is ISO 15693 and the marked-up part is some proprietary commands. And from the forum, we knew that it is ICODE tags, so we just looked it up in the datasheet, and the command which we are seeing here is "get random number". So the tag responds with a 16… 16-bit random number…

Frederico: …which is not shown here because, sorry, it's only one-side communication sniffing, so we have only the commands that are given to the target from the reader. So here we can see the random part of it, and we'll just deal with it later on, and we'll explain to you how we broke it nonetheless.

Fabian: This is the normal ISO 15 inventory command that selects a tag and expects the UID. But we are not authenticated right now, so the tag goes on with the set password command. And that's quite interesting: it is a 32-bit password that is XORed with a random number. Twice. So no real crypto here. And then we see that we get selected, and here we see the UID of the tag. So we can work on that. We implemented the get random number command and the set password, but we just did not send a random number back. So we just sent zeros, and that's when we get the password. Then we emulated it, and let's take a look at the log again.

Frederico: This is the full emulation log, so when I finally have both transmission and reception from the reader, so we are receiving data from the reader, and we are sending back transmission of – this is our, this random number, which is a zero zero zero zero. So we are sending all zeros. Then it means that the password that will be sent by the reader to the tag will be XORed with only zeros. So, this is the authentication command, and you can see, now we have the password in plain text. Because they simply XORed it with the… with 0. Now we finally have the password, so we can also use it to read the other tags. Because we actually need to authenticate in the right way, with proper tags. And we can read them and – if Mila… yeah… thanks Lula! It should be emulating a real target.

beeping from box
Music playing

Frederico: It's indeed emulating a real target. So once you have the password, you can authenticate, read the data from the tag, and reverse-engineer it. But actually, it's not even needed. Because somehow, the… the box is trusting the UID itself. So once you have emulation in place and you can read the UID from the sniffer we had before, you're already good to go. You now have a perfect emulation and the kids can now play without incomprehensible toys.

Fabian: The interesting thing here is that we did not even start to read the tag, the actual data on the tag. As you see below here, we just sent back zeros and the tag still plays. So it doesn't even care what is written on the tag, they just check the UID once you put the tag on top of it, and then you can just create a nice little backup. If the kids are breaking the toys or you exchange some figurines with your friends and…

Frederico: No. No, that wouldn't be legal. Who would do that?

Fabian: I won't do that, but Mila might!

Frederico: We speculate that the data in the tag might be used to authenticate the first time with the box. Because once you buy a figurine it's linked to your account, and probably it's… that they have decided it's used only the first time. So then later on, the box just stores your UID and then it authenticates. And that's the reason why the box does not care about the content, because it recognized the UID as one that's already saved inside the thing.

Fabian: Yes, and… but we did want to read the tag anyway. Actually, we cannot do it with the Chameleon Mini right now, because there are some missing implementations. So we would like you to join us to contribute something on our GitHub project. We quickly scripted something and I'm, I'm… I'm going back… in Python for another reader, so we could read the tag and dump it. But we did not upload it to the Chameleon since we are already getting a full emulation on the tag. So we just save the time.

Frederico: It will be on my gist for the time being, I guess, because I need a Python script to read those tags, which are not totally supported by many readers now. You have to go to the bare commands. There is no read support really, we made support for phones or something like that, once the tag is in privacy mode.

Fabian: Well, we are already finished.

Frederico: Yeah. We didn't have much to say, I guess.

Fabian: We'll just link the GitHub repository, that's where you can also ask questions if you are playing with the Chameleon and don't know how it works or are getting stuck on something. We will also be around here for questions and answers, and if you want to buy a Chameleon you still can. You just have to find this man.

Frederico: The yellow guy.

Fabian: At his parking spot, which is up there, A2. Well, I just found him, he's right in front of me. What a coincidence! And…

Frederico: That's it, I guess.

Fabian: That's it.

Herald: Thank you, Fabio and Frederico, and especially thanks to Luna and Mila! We have time for some quick questions, I think. Are there any questions? One question I see there. You were first.

Q: From the point of what you know now, do you think it's possible that we have some kind of repository where I can download codes and play anything?

A: Yeah, it's already available in my own fork of the repository, but we are probably gonna merge it in the main one. We will just tidy up the code and, it's a bit hacky. We will do a pull request and then we will merge it into the main GitHub repository, in a couple of days. But still, it's available as of now on my GitHub repository.

Q: OK, following question, on it there is a function, I think, that people can use these figures to record something, and this is saved in the cloud. Is, could this be a problem for privacy if I can technically clone other recordings from random people?

Q2: Yes, if someone records his own stuff, like secret messages, you can download it.

A: It depends.

Q2: From my understanding yes, sorry.

A: He's the owner of the box!

Q2: From my understanding, yes, because you can upload your own, say, private discussion with your wife to one Tonie and since it's all, it goes through their cloud, and is stored on this box, if someone can copy my UID, very likely he can listen to what I was saying to my wife on this Tonie box. Yeah, this could be some privacy threat, while it's a bit far-fetched, at the end of the day that's mostly children's music.

A: Well, it would be nice if, if you want to take a look at it, the code is online and you can do so and tell us!

Q: Just a quick comment on that. As far as I know, you can, like, if you have these Tonies where you can speak something on them, you can enable others to take your figurine and put it on their Tonie box, so you can enable this function or you can disable it. So even if you, as far as I know, even if you cloned this UID, you cannot necessarily put it on some other Tonie box and listen to these private ones, at least. The other ones, that would be possible, but the private ones, the ones where you can put some music or some speech on, these you can disable the function to share them. That's what I know.

A: Thanks.

Herald: So, any more questions? One more question or comment?

Q: I was just wondering, since now many kids will start going with the Chameleons through the supermarket – which is illegal! But most kids are too young to be prosecuted, no? And then they would steal several UIDs and, or maybe exchange them with friends, I was wondering, where do we collect the archive of valid UIDs and what the content is, say, with which I'm using…

A: I'm not hosting it. I'm not hosting it.

Q: Oh, you are only into backups, into, say, a privacy backup.

A: Well, er, we have a little… – strict backup only! – comment within our source code that we know which UID belongs to which tag we worked with, but we will not expand it.

Q: Okay, so thank you, we have to collect it somewhere, the criminal stuff. Thank you!

A: On your servers, [name]!

36c3 postroll music

Subtitles created by c3subtitles.de in the year 2021. Join, and help us!