*36c3 preroll music*

Herald: The following talk by Fabian and Frederico will be about hacking NFC toys with a Chameleon Mini. Also, we have special guests here on stage! What is your name?

Luna: Luna.

Herald: And?

Mila: Mila.

Herald: Give them a warm round of applause.

Fabian: Well, hello everyone! We have some nice little toy for kids. It's, ehm, it's a Tonie Box. You're putting a little figurine on top of it, and then the box starts playing a song or reads a story, and the tags are using NFC to authenticate themselves, more or less. And maybe Luna will show how it is supposed to work. Luna, would you like to demonstrate it once?

*Music*

Fabian: Really good!

Frederico: So, once you put on the figurine, it plays, and stops, and it starts again with another one.

Fabian: Yes, that's fine! We got the information from a forum where they just tried to hack these things, and they stated that it was too difficult to do it with the Chameleon Mini, and that was like a challenge to us, since we are maintaining the GitHub repository, which is open source. So we just did it yesterday and the kids can play with it today. We started by analyzing the communication by inputting a sniffer. We just received the communication from the box to the tag and we looked at what authentication is actually *incomprehensible* happening. What we see here is the log of the Chameleon Mini. This is ISO 15693, and the marked-up part is some proprietary commands. And from the forum, we knew that it is ICODE tags, so we just looked it up in the datasheet, and the command which we are seeing here is "get random number". So the tag responds with a 16... 16-bit random number...

Frederico: ...which is not shown here because, sorry, it's only one-side communication sniffing, so we have only the commands that are given to the target from the reader. So here we can see the random part of it, and we'll just deal with it later on, and we'll explain to you how we broke it nonetheless.

Fabian: This is the normal ISO 15693 inventory command that selects a tag and expects the UID. But we are not authenticated right now, so the tag goes on with the set password command. And that's quite interesting: it is a 32-bit password that is XORed with a random number. Twice. So no real crypto here. And then we see that we get selected, and here we see the UID of the tag. So we can work on that. We implemented the get random number command and the set password, but we just did not send a random number back. So we just sent zeros, and that's when we get the password. Then we emulated it, and let's take a look at the log again.

Frederico: This is the full emulation log, so now I finally have both transmission and reception from the reader. So we are receiving data from the reader, and we are sending back a transmission of... this is our random number, which is zero zero zero zero. So we are sending all zeros. That means the password that will be sent by the reader to the tag will be XORed with only zeros. So, this is the authentication command, and you can see, now we have the password in plain text, because they simply XORed it with... with 0. Now we finally have the password, so we can also use it to read the other tags, because we actually need to authenticate in the right way with proper tags. And we can read them and... if Mila... yeah... thanks, Lula! It should be emulating a real target.

*beeping from box* *Music playing*

Frederico: It's indeed emulating a real target. So once you have the password, you can authenticate, read the data from the tag, and reverse-engineer it. But actually, it's not even needed, because somehow the box is trusting the UID itself. So once you have emulation in place and you can read the UID from the sniffer we had before, you are already good to go. You now have a perfect emulation and the kids can now play without *incomprehensible* toys.

Fabian: The interesting thing here is that we did not even start to read the tag, the actual data on the tag. As you see below here, we just sent back zeros and the tag still plays. So it doesn't even care what is written on the tag; they just check the UID once you put the tag on top of it, and then you can just create a nice little backup, if the kids are breaking the toys or you exchange some figurines with your friends and...

Frederico: No. No, that wouldn't be legal. Who would do that?

Fabian: I won't do that, but Mila might!

Frederico: We speculate that the data in the tag might be used to authenticate the first time with the box, because once you buy a figurine it's linked to your account, and probably they have decided it's used only the first time. So then later on, the box just stores your UID and then it authenticates. And that's the reason why the box does not care about the content: because it recognized the UID as one that's already saved inside the thing.

Fabian: Yes, and... but we did want to read the tag anyway. Actually, we cannot do it with the Chameleon Mini right now, because there are some missing implementations. So we would like you to join us and contribute something to our GitHub project. We quickly scripted something, I'm... I'm going back... in Python for another reader, so we could read the tag and dump it. But we did not upload it to the Chameleon since we are already getting a full emulation of the tag. So we just saved the time.

Frederico: It will be on my gist for the time being, I guess, because I need a Python script to read those tags, which are not totally supported by many readers now. You have to go to the bare commands. There is no read support, really; we made support for... phones or something like that, once the tag is in privacy mode.

Fabian: Well, we are already finished.

Frederico: Yeah. We didn't have much to say, I guess.

Fabian: We'll just link the GitHub repository; that's where you can also ask questions if you are playing with the Chameleon and don't know how it works or are getting stuck on something. We will also be around here for questions and answers, and if you want to buy a Chameleon, you still can. You just have to find this man.

Frederico: The yellow guy.

Fabian: At his parking spot, which is up there, A2. Well, I just found him, he's right in front of me. What a coincidence! And...

Frederico: That's it, I guess.

Fabian: That's it.

Herald: Thank you, Fabio and Frederico, and especially thanks to Luna and Mila! We have time for some quick questions, I think. Are there any questions? One question I see there. You were first.

Q: From the point of what you know now, do you think it's possible that we have some kind of repository where I can download codes and play anything?

A: Yeah, it's already available in my own fork of the repository, but we are probably gonna merge it into the main one. We will just tidy up the code; it's a bit hacky. We will do a pull request and then we will merge it into the main GitHub repository, in a couple of days. But still, it's available as of now on my GitHub repository.

Q: OK, following question. On it there is a function, I think, that people can use these figures to record something, and this is saved in the cloud. Could this be a problem for privacy if I can technically clone other recordings from random people?

Q2: Yes, if someone records his own stuff, like secret messages, you can download it.

A: It depends.

Q2: From my understanding, yes, sorry.

A: He's the owner of the box!

Q2: From my understanding, yes, because you can upload your own, say, private discussion with your wife to one Tonie, and since it all goes through their cloud and is stored on this box, if someone can copy my UID, very likely he can listen to what I was saying to my wife on this Tonie box. Yeah, this could be some privacy threat, while it's a bit far-fetched; at the end of the day that's mostly children's music.

A: Well, it would be nice if, if you want to take a look at it, the code is online and you can do so and tell us!

Q: Just a quick comment on that. As far as I know, if you have these Tonies where you can speak something on them, you can enable others to take your figurine and put it on their Tonie box, so you can enable this function or you can disable it. So even if you, as far as I know, even if you cloned this UID, you cannot necessarily put it on some other Tonie box and listen to these private ones, at least. The other ones, that would be possible, but the private ones, the ones where you can put some music or some speech on, for these you can disable the function to share them. That's what I know.

A: Thanks.

Herald: So, any more questions? One more question or comment?

Q: I was just wondering, since now many kids will start going with the Chameleons through the supermarket, which is illegal! But most kids are too young to be prosecuted, no? And then they would steal several UIDs and, or maybe exchange them with friends. I was wondering, where do we collect the archive of valid UIDs and what the content is, say, with which I'm using...

A: I'm not hosting it. I'm not hosting it.

Q: Oh, you are only into backups, into, say, a privacy backup.

A: Well, er, we have a little... (strict backup only!) ... comment within our source code, so that we know which UID belongs to which tag we worked with, but we will not expand it.

Q: Okay, so thank you, we have to collect it somewhere, the criminal stuff. Thank you!

A: On your servers, [name]!

*36c3 postroll music*

Subtitles created by c3subtitles.de in the year 2021. Join, and help us!