< Return to Video

36C3 Wikipaka WG: Hacking an NFC toy with the ChameleonMini

  • 0:00 - 0:19
    36c3 preroll music
  • 0:19 - 0:26
    Herald: The following talk of Fabian and
    Frederico will be about hacking NFC toys
  • 0:26 - 0:32
    with a chameleon mini. Also, we have
    special guests here on stage! What is your
  • 0:32 - 0:34
    name?
    Luna: Luna
  • 0:34 - 0:37
    Herald: and
    Mila: Mila
  • 0:37 - 0:46
    Herald: Give them a warm round of applause
  • 0:46 - 0:58
    Fabian: Well, hello everyone! We have some
    nice little toy for kids. It's, ehm, it's
  • 0:58 - 1:05
    a Tonie Box. You're putting a little
    figurine on top of that, and then the box
  • 1:05 - 1:15
    starts playing a song or reads a story,
    and the tags are using NFC to authenticate
  • 1:15 - 1:24
    themselves, more or less. And maybe luna
    will show how it is supposed to work.
  • 1:24 - 1:28
    Luna, möchtest du das einmal vormachen?
  • 1:28 - 1:42
    Music
  • 1:42 - 1:45
    Fabian: Really good!
    Frederico: So, once you put in the the
  • 1:45 - 1:51
    figurine, it plays, and stops, and it
    starts again with another one
  • 1:51 - 2:02
    Fabian: Yes that's fine! We got the
    information from a forum where they just
  • 2:02 - 2:09
    tried to hack these things and they stated
    that it was too difficult to do it with
  • 2:09 - 2:13
    the chameleon mini, and that was like a
    challenge to us, since we are maintaining
  • 2:13 - 2:22
    the github repository, which is open
    source, so we just did it yesterday and
  • 2:22 - 2:30
    the kids can play with it today. We
    started by analyzing the communication by
  • 2:30 - 2:38
    inputting a sniffer. We just received the
    communication from the box to the tag and
  • 2:38 - 2:43
    we looked at it what is actually a
    incomprehensible authentication
  • 2:43 - 2:55
    happening. What we see here is the log of
    the chameleon mini. This is ISO 15 693 and
  • 2:55 - 3:05
    the marked up part is some proprietary
    commands. And from the forum, we knew that
  • 3:05 - 3:11
    it is ICODE-Tags, so we just looked it up
    in the datasheet, and the command which we
  • 3:11 - 3:19
    are seeing here is "get random number". So
    the tag responds with a 16… 16 bit random
  • 3:19 - 3:21
    number…
    Frederico: …which is not shown here
  • 3:21 - 3:27
    because, sorry, it's only one-side
    communication sniffing, so we have only
  • 3:27 - 3:32
    the commands that are given to the target
    from the reader. So here we can see the
  • 3:32 - 3:37
    random part of it, and we'll just deal
    with it later on, and we'll explain to you
  • 3:37 - 3:41
    how we broke it nonetheless.
  • 3:42 - 3:46
    Fabian: This is the normal ISO 15
  • 3:46 - 3:54
    inventory command that selects a tag and
    expects the UID. But we are not
  • 3:54 - 4:02
    authenticated right now so the tag goes on
    with the set password command. And that's
  • 4:02 - 4:12
    quite interesting: It is a 32-bit password
    that is XORd with a random number. Twice.
  • 4:12 - 4:22
    So no real crypto here. And then we see
    that we get selected, and here we see the
  • 4:22 - 4:30
    UID of the tag. So we can work on that. We
    implemented the get random number command
  • 4:30 - 4:40
    and the set password but we just did not
    send a random number back. So we just sent
  • 4:40 - 4:51
    zeros and that's when we get the password.
    Then we emulated it, and let's take a look
  • 4:51 - 4:56
    at the log again.
    Frederico: This is the full emulation log,
  • 4:56 - 5:01
    so when I finally have both transmission
    and reception from the reader, so we are
  • 5:01 - 5:08
    receiving data from the reader, and we are
    sending back transmission of – this is our
  • 5:08 - 5:13
    this random number which is a zero zero
    zero zero. So we are sending all zeros.
  • 5:13 - 5:18
    Then, it means that the password that will
    be sent by the reader to the tag will be
  • 5:18 - 5:24
    XORd with only zeros. So, this is the
    authentication command, and you can see,
  • 5:24 - 5:30
    now we have the password in plain text.
    Because they simply XORd it with the… with
  • 5:30 - 5:37
    0. Now we finally have the password, so we
    can also use it to read the other tags.
  • 5:37 - 5:42
    Because we actually need to authenticate
    in the right way, with proper tags. And we
  • 5:42 - 5:50
    can read them and – if Mila… yeah… thanks
    Lula! It should be emulating a real target
  • 5:50 - 5:53
    beeping from box
    Music playing
  • 5:53 - 5:59
    Frederico: It's indeed emulating a real
    target. So once you have the password ,
  • 5:59 - 6:04
    you can authenticate, read the data from
    the from the tag, and reverse-engineer it.
  • 6:04 - 6:14
    But actually, it's not even needed.
    Because somehow , the… the box is trusting
  • 6:14 - 6:19
    the UID itself. So once you have emulation
    in place and you can read the UID from the
  • 6:19 - 6:25
    sniffer we had before, you already good to
    go. You now have a perfect emulation and
  • 6:25 - 6:28
    the kids can now play without
    incomprehensible toys
  • 6:28 - 6:33
    Fabian: The interesting thing here is that
    we did not even start to read the tag, the
  • 6:33 - 6:40
    actual data on the tag. As you see below
    here, we just sent back zeros and the tag
  • 6:40 - 6:45
    still plays. So it doesn't even care
    what is written on the tag, they just
  • 6:45 - 6:55
    check the UID once you put the tag on top
    of it and then you can just create a nice
  • 6:55 - 7:06
    little backup. If the kids are breaking
    the toys or you exchange some figurines
  • 7:06 - 7:10
    with your friends and…
    Frederico: No. No, that won't would be
  • 7:10 - 7:16
    legal. Who would do that?
    Fabian: I won't do that, but Mila might!
  • 7:16 - 7:20
    Frederico: We speculate that the data in
    the tag might be used to authenticate the
  • 7:20 - 7:29
    first time with the box. Because once you
    buy a figurine it's linked to your account
  • 7:29 - 7:35
    and probably it's… that they have decided
    it's used only the first time. So then
  • 7:35 - 7:40
    later on, the Box just stores your UID and
    then it authenticates. And that's the
  • 7:40 - 7:44
    reason why the Box does not care about the
    content, because it recognized the UID as
  • 7:44 - 7:50
    one, it's already saved inside the thing.
    Fabian: Yes, and… but we did want to read
  • 7:50 - 7:57
    the tag anyway. Actually we cannot do it
    with the Chameleon Mini right now, because
  • 7:57 - 8:03
    there are some missing implementations. So
    we would like to join you to contribute
  • 8:03 - 8:12
    something on our GitHub project. We
    quickly scripted something and I'm I'm…
  • 8:12 - 8:19
    I'm going back… in Python for another
    reader, so we could read the tag and dump
  • 8:19 - 8:26
    it. But we did not upload it to the
    Chameleon since we are already getting a
  • 8:26 - 8:30
    full emulation on the tag. So we just save
    the time.
  • 8:30 - 8:37
    Frederico: It will be on my gist for the
    time being I guess, because I need Python
  • 8:37 - 8:42
    script to read those tags which are not
    totally supported by many readers now. You
  • 8:42 - 8:48
    have to go to the bare commands. There is
    no read support really we made support for
  • 8:48 - 8:51
    phones or something like that once the tag
    is in privacy mode.
  • 8:51 - 8:56
    Fabian: Well, we are already finished
    Frederico: Yeah. We didn't have much to
  • 8:56 - 9:00
    say I guess.
    Fabian: We'll just link the GitHub
  • 9:00 - 9:06
    repository that's where you can also ask
    questions if you are playing with the
  • 9:06 - 9:12
    chameleon and don't know how it works or
    getting stuck on something. We will be
  • 9:12 - 9:18
    also here around for questions and
    answers, and if you want to buy a
  • 9:18 - 9:25
    chameleon you still can do. You just have
    to find this man.
  • 9:25 - 9:30
    Frederico: The yellow guy
    Fabian: At his parking spot which is up
  • 9:30 - 9:39
    there, A2. Well I just found him, he's
    right in front of me. What a coincidence!
  • 9:39 - 9:42
    And
    Frederico: That's it I guess.
  • 9:42 - 9:46
    Fabian: That's it.
  • 9:46 - 9:54
    Herald: Thank you Fabio and Frederico and
    especially thanks to Luna and Mila! We
  • 9:54 - 10:00
    have time for some quick questions I
    think. Are there any questions? One
  • 10:00 - 10:05
    question I see there. You were first.
  • 10:08 - 10:11
    Q: From the point of what you know now, do
  • 10:11 - 10:17
    you think it's possible that we have some
    kind of repository where I can download
  • 10:17 - 10:22
    codes and play anything?
    A: Yeah, it's already available in my own
  • 10:22 - 10:26
    fork of the repository, but we are
    probably gonna merge it in the main one.
  • 10:26 - 10:30
    We will just tidy up the code and, it's a
    bit hacky. We will do a pull request and
  • 10:30 - 10:35
    then we will merge it into the main GitHub
    repository, in a couple of days . But
  • 10:35 - 10:38
    still, it's available as of now on my
    GitHub repository.
  • 10:38 - 10:46
    Q: ok following question, on it there is a
    function I think that people can use this
  • 10:46 - 10:53
    figures to record something, and this is
    saved in the cloud. Is, could this be a
  • 10:53 - 11:01
    problem for privacy if I can technically
    clone other recordings from random people?
  • 11:01 - 11:05
    Q2: Yes, if someone records his own
    stuff, like secret messages, you can
  • 11:05 - 11:07
    download it.
    A: It depends.
  • 11:07 - 11:10
    Q2: From my understanding yes, sorry
    A: He's the owner of the Box!
  • 11:10 - 11:15
    Q2: From my understanding, yes, because
    you can upload your own, say, private
  • 11:15 - 11:21
    discussion with your wife to one Tonie and
    since it's all, it goes through their
  • 11:21 - 11:26
    cloud, and is stored on this box, if
    someone can copy my UID, very likely he
  • 11:26 - 11:31
    can listen to what I was saying to my wife
    on this Tonie box. Yeah, this could be
  • 11:31 - 11:34
    some privacy threat, while it's a bit far-
    fetched in the end of the day that's
  • 11:34 - 11:40
    mostly children's music.
    A: Well it would be nice if, if you want
  • 11:40 - 11:45
    to take a look at it, the code is online
    and you can do so and tell us!
  • 11:45 - 11:50
    Q: Just a quick comment on that. As far as
    I know, you can like, if you have this
  • 11:50 - 11:56
    Tonies where you can speak something on
    them, you can enable others to take your
  • 11:56 - 12:00
    figurine and put it on their Tonie box, so
    you can enable this function or you can
  • 12:00 - 12:06
    disable it. So even if you, as far as I
    know, even if you cloned this UID, you
  • 12:06 - 12:11
    cannot necessarily put it on some other
    Tonie box and listen to this private ones
  • 12:11 - 12:15
    at least. The other ones that would be
    possible but the private ones, the ones
  • 12:15 - 12:21
    where you can put some music or some
    speech on, these you can disable the
  • 12:21 - 12:23
    function to share them. That's what I
    know.
  • 12:23 - 12:30
    A: Thanks
    H: So, any more questions? One more
  • 12:30 - 12:37
    question or comment?
    Q: I was just wondering since now many
  • 12:37 - 12:41
    kids will start going with the Chameleons
    through the supermarket – which is
  • 12:41 - 12:46
    illegal! But most kids are too young to be
    prosecuted, no? And then they would steal
  • 12:46 - 12:51
    several UIDs and, or maybe exchange them
    with friends, I was wondering, where do we
  • 12:51 - 12:57
    collect the archive of valid UIDs and what
    the content is, say with which I'm using
  • 12:57 - 13:01
    A: I'm not hosting it. I'm not hosting it.
    Q: Oh you are only into backups, into say
  • 13:01 - 13:05
    a privacy backup
    A: Well, er, we have a little… – strict
  • 13:05 - 13:10
    backup only! – comment within our source
    code that we know which UID belongs to
  • 13:10 - 13:17
    which tag we worked with, but we will not
    expand it.
  • 13:17 - 13:22
    Q: Okay so thank you, we have to collect
    it somewhere, the criminal stuff. Thank
  • 13:22 - 13:24
    you!
    A: On your servers, [name]!
  • 13:24 - 13:27
    36c3 postroll music
  • 13:27 - 13:52
    Subtitles created by c3subtitles.de
    in the year 2021. Join, and help us!
Title:
36C3 Wikipaka WG: Hacking an NFC toy with the ChameleonMini
Description:

more » « less
Video Language:
English
Duration:
13:52

English subtitles

Revisions