path: root/2010/easycard-ccc2010/easycard.tex

% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $

\documentclass{beamer}

\usepackage{url}
\makeatletter
\def\url@leostyle{%
  \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}}
\makeatother
%% Now actually use the newly defined style.
\urlstyle{leo}


% This file is a solution template for:

% - Talk at a conference/colloquium.
% - Talk length is about 20min.
% - Style is ornate.



% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
%
% In principle, this file can be redistributed and/or modified under
% the terms of the GNU Public License, version 2.
%
% However, this file is supposed to be a template to be modified
% for your own needs. For this reason, if you use this file as a
% template and not specifically distribute it as part of a another
% package/program, I grant the extra permission to freely copy and
% modify this file as you see fit and even to delete this copyright
% notice. 


\mode<presentation>
{
  \usetheme{Warsaw}
  % or ...

  \setbeamercovered{transparent}
  % or whatever (possibly just delete it)
}


\usepackage[english]{babel}
% or whatever

\usepackage[latin1]{inputenc}
% or whatever

\usepackage{times}
\usepackage[T1]{fontenc}
% Or whatever. Note that the encoding and the font should match. If T1
% does not look nice, try deleting the line with the fontenc.


\title{Reverse Engineering a real-world RFID payment system}

\subtitle
{How the EasyCard allows you to print your own digital money}

\author{Harald Welte}

\institute
{hmw-consulting.de\\gnumonks.org\\gpl-violations.org\\osmocom.org}
% - Use the \inst command only if there are several affiliations.
% - Keep it simple, no one is interested in your street address.

\date[27c3] % (optional, should be abbreviation of conference name)
{27th CCC Congress, December 2010, Berlin/Germany}
% - Either use conference name or its abbreviation.
% - Not really informative to the audience, more for people (including
%   yourself) who are reading the slides online

\subject{RFID Security}
% This is only inserted into the PDF information catalog. Can be left
% out. 



% If you have a file called "university-logo-filename.xxx", where xxx
% is a graphic format that can be processed by latex or pdflatex,
% resp., then you can add a logo as follows:

% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
% \logo{\pgfuseimage{university-logo}}



% Delete this, if you do not want the table of contents to pop up at
% the beginning of each subsection:
%\AtBeginSubsection[]
%{
%  \begin{frame}<beamer>{Outline}
%    \tableofcontents[currentsection,currentsubsection]
%  \end{frame}
%}


% If you wish to uncover everything in a step-wise fashion, uncomment
% the following command: 

%\beamerdefaultoverlayspecification{<+->}


\begin{document}

\begin{frame}
  \titlepage
\end{frame}

\begin{frame}{Outline}
  \tableofcontents[hideallsubsections]
  % You might wish to add the option [pausesections]
\end{frame}


% Structuring a talk is a difficult task and the following structure
% may not be suitable. Here are some rules that apply for this
% solution: 

% - Exactly two or three sections (other than the summary).
% - At *most* three subsections per section.
% - Talk about 30s to 2min per frame. So there should be between about
%   15 and 30 frames, all told.

% - A conference audience is likely to know very little of what you
%   are going to talk about. So *simplify*!
% - In a 20min talk, getting the main ideas across is hard
%   enough. Leave out details, even if it means being less precise than
%   you think necessary.
% - If you omit details that are vital to the proof/implementation,
%   just say so once. Everybody will be happy with that.

\begin{frame}{About the speaker}
\begin{itemize}
	\item Kernel / bootloader / driver / firmware development since 1999
	\item IT security expert, focus on network protocol security
	\item Core developer of Linux packet filter netfilter/iptables
	\item Board-level Electrical Engineering
	\item Always looking for interesting protocols (RFID, DECT, GSM)
	\item Open Source hardware/firmware/software for RFID: librfid, OpenPCD, OpenPICC
\end{itemize}
\end{frame}

\section{The EasyCard system}

\subsection{Introducing the EasyCard}

\begin{frame}{Travelling to Taipei}
Starting from 2006, I was doing a lot of freelancing work for companies in
Taiwan, resulting in numerous business trips to the capital Taipei.  As soon
as you use public transport, you notice they are using an RFID based system
called EasyCard.

This was just after having worked extensively on the {\bf OpenPCD} RFID
reader and {\bf OpenPICC} RFID tag simulator.

However, work kept me too busy to ever have a look at the EasyCard until 2010.
\end{frame}

\begin{frame}{What is this EasyCard?}
  \begin{figure}[h]
  \centering
  \includegraphics[width=100mm]{easycard_wikipedia.png}
  \end{figure}
\end{frame}

\begin{frame}{EasyCard}{One of Asia's most popular electronic payment systems}
\begin{itemize}
	\item EasyCard is used in Taiwan, mostly in the capital Taipei
	\item Originally deployed in 2001
	\item More than 18 million issued cards
	\item Initially a payment system for public transport
	\begin{itemize}
		\item Taipei metro (MRT)
		\item Taipei public bus
	\end{itemize}
	\item Similar to many other systems like Oystercard
\end{itemize}
\end{frame}

\subsection{EasyCard for Public Transport}

\begin{frame}{EasyCard as payment in public transport}
  \begin{figure}[h]
  \centering
  \includegraphics[width=100mm]{easycard_transport.png}
  \end{figure}
\end{frame}

\begin{frame}{EasyCard sale, recharge and refund}
\begin{itemize}
	\item Cards are purchased at vending machines located in every subway station
	\begin{itemize}
		\item Price is 500 NTD: 400 NTD value, 100 NTD deposit
		\item Payment is made in cash
		\item Thus, no credit card / account number linking a person to a card
	\end{itemize}
	\item Full refund of the account balance and the deposit can be made at a cashier
	\item Adding value to the card is made by the same machines that sell the cards
\end{itemize}
\end{frame}

\begin{frame}{Threat analysis / Fraud potential}
\begin{itemize}
	\item It is publicly known that EasyCard uses NXP MiFARE
	\item MiFARE {\em Classic} has been broken in various ways before, ranging from eavesdropping attacks to card-only attacks.
	\item However, the card itself is only one element in the security chain
	\item EasyCard using MiFARE does not by itself mean that the EasyCard system is broken
\end{itemize}
\end{frame}

\begin{frame}{Online or Offline validation}
\begin{itemize}
	\item EasyCard could have been a relatively safe system, if
	\begin{itemize}
		\item the value was not stored on the card but in the back-end
		\item all transactions would inquire the back-end and not only the card
	\end{itemize}
	\item I never really bothered to do much analysis, considering that all you could get is fraudulent free rides for public transport (which are cheap anyway)
\end{itemize}
\end{frame}


\subsection{April 2010: EasyCard as means of payment}

\begin{frame}{EasyCard for payment in stores}
\begin{itemize}
	\item In 2009, the government creates laws for stored-value cards as means of payment
	\item In early 2010, use of the EasyCard is extended beyond public transport
	\begin{itemize}
		\item you can store up to 10,000 NTD (~ 240 EUR) on the card
		\item the card is accepted at lots of stores (mostly big brands)
	\end{itemize}
	\item The attack incentive is much higher: Not only free metro rides, but suddenly you can buy basically any goods available in the largest department stores
\end{itemize}
\end{frame}


\begin{frame}{EasyCard as payment in stores}
  \begin{figure}[h]
  \centering
  \includegraphics[width=100mm]{easycard_stores.png}
  \end{figure}
\end{frame}

\section{Analyzing the EasyCard}

\begin{frame}{What is MiFARE classic?}
\begin{itemize}
	\item A 13.56 MHz RFID card system based on ISO 14443 (1,2,3)
	\item 1024 or 4096 bits of storage, divided in sectors and blocks
	\item Uses proprietary 48bit cipher (CRYPTO1)
	\item Manufacturer and customers {\em really believed} in Security by obscurity ?!?
	\item Nobody should ever have used it for any application requiring security
	\item Weaknesses first published at 24C3 by Henryk Ploetz and Karsten Nohl
\end{itemize}
\end{frame}

\subsection{Recovering the MiFARE keys}

\begin{frame}{Analyzing the EasyCard}
\begin{itemize}
	\item First step: Verify it it indeed MIFARE classic
	\begin{itemize}
		\item Can be done by applying ISO1443-1/2 air interface and ISO14443-3 anti-collision procedure and checking the result values
	\end{itemize}
	\item Next step: Recovering the keys
	\begin{itemize}
		\item many cards have one ore more sectors using the default manufacturer keys
		\item if one sector key is known, breaking the other keys is fast/easy by means of a publicized existing attack
		\item EasyCard uses custom keys for all sector, no success
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{Recovering the keys}
\begin{itemize} 
	\item As all keys are unknown, the card-only {\em Dark Side} attack (Nicolas T. Courtios) was used
	\item Open Source {\tt MFCUK} (MiFare Classic Universal toolKit) program implements the attack
	\item All hardware required is a RFID reader supported by libnfc (EUR 30)
	\item All A and B keys for all sectors have been recovered within 3 hours
	\begin{itemize}
		\item Attack time could be much shorter if proxmark with very tight timing control was used
	\end{itemize}
\end{itemize}
\end{frame}

\subsection{Understanding card content}

\begin{frame}{Extracting raw content}
\begin{itemize} 
	\item Once the keys are known, the full data content of the card can be dumped
	\item Free Software {\tt nfc-mfclassic} program (part of {\tt libnfc}) was used
	\item All hardware required is a RFID reader supported by libnfc (EUR 30)
\end{itemize}
\end{frame}

\begin{frame}{Re-engineering the data format}
\begin{itemize} 
	\item The raw card content is not of much use unless it can be interpreted
	\item Individual transactions need to be made, raw card dumps acquired before/after each transaction
	\item Analysis of modifications caused by single transaction allow conclusions on data format
	\item Repeat this with transactions like
	\begin{itemize}
		\item entering a metro station
		\item leaving a metro station
		\item recharging the card
		\item purchasing something using the card
	\end{itemize}
\end{itemize}
\end{frame}

\subsection{EasyCard data format}

\begin{frame}{Sector 2: EasyCard balance}
\begin{itemize}
	\item MIFARE value blocks are intended for counters that can be incremented/decremented by different keys
	\item The actual counter value is stored three times (inverted/non-inverted) for safety
	\item EasyCard uses MIFARE value block in sector 2
	\item The value 1:1 represents the account balance of the card in NTD
\end{itemize}
\end{frame}

\begin{frame}{Sectors 3 through 5: Transaction Log}
\begin{itemize}
	\item Each 16-byte block in sectors 3 through 5 contains one transaction log record
	\item Each record contains
	\begin{itemize}
		\item Transaction ID, Cost, Remaining Balance, MRT Station code, RFID reader ID
		\item Transaction Type (Entering/leaving MRT, re-entering / connecting MRT, purchase, recharge
		\item Timestamp is a 32bt unix time() format (seconds since January 1st 1970). However, it refers to CST instead of UTC
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{How to decode the MRT Station Code}
\begin{itemize}
	\item Transaction log record contains MRT station code
	\item How to know which station name corresponds to the numeric code?
	\begin{itemize}
		\item Option A: visit each of them and take a EasyCard raw dump
		\item Option B: visit the MRT homepage, point mouse at a specific station on the map and look at the URL: It contains the same ID!
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{EasyCard MRT station codes}
  \begin{figure}[h]
  \centering
  \includegraphics[width=105mm]{easycard_mrt_station_number.png}
  \end{figure}
\end{frame}


\begin{frame}{Sector 7: Last MRT entry/exit record}
\begin{itemize}
	\item Block 2 (Offset 0x1e0) contains a record describing the last MRT station that was entered
	\begin{itemize}
		\item Byte 4 contains the MRT station code
		\item Bytes 9..12 contain a timestamp
	\end{itemize}
	\item Block 1 (Offset 0xd0) contains a similar record describing the last MRT station that was left
	\item It is assumed that this information is used to compute the distance (and thus fee) to be paid for the current ride, as well as the discount that is made when switching from MRT to bus.
\end{itemize}
\end{frame}

\begin{frame}{Sector 15: Maximum daily spending}
\begin{itemize}
	\item Block 2 (offset 0x3e0) contains a record keeping track of the amount of money spent on a single day
	\begin{itemize}
		\item Bytes 0..10 are unknown (all zero)
		\item Byte 11 contains the day of the month
		\item Byte 12 contains an unknown value (0x3d on all tested cards)
		\item Byte 13..14 contains the sum of all purchases on the indicated day
	\end{itemize}
	\item This is used to impose a daily spending limit of NTD 3,000.
\end{itemize}
\end{frame}

\section{Tampering with the EasyCard}

\begin{frame}{Tampering with the EasyCard}
\begin{itemize}
	\item After recovering keys + understanding the format, tampering with the card is easy
	\item Testing purchases with tampered card permits validation of the offline vs. online question
	\item Possible manipulations
	\begin{itemize}
		\item Decreasing the value on the card
		\item Increasing the value on the card
		\item Bypassing the daily spending limit
	\end{itemize}
\end{itemize}
\end{frame}

\subsection{Decreasing the value of the card}

\begin{frame}{Decreasing the value of the card}
\begin{itemize}
	\item Make a purchase in a store that accepts the EasyCard
	\item Find the transaction log entry and increase the cost of the purchase
	\item Decrement the value block storing the card balance by the same amount
	\begin{itemize}
		\item Make sure you get the value block modifications right (inverted, non-inverted, backup copy)
	\end{itemize}
	\item Alter the {\em amount spent per day} (Sector 15) to reflect increased amount
\end{itemize}
\end{frame}

\begin{frame}{Decreasing the value of the card}
\begin{itemize}
	\item A card was manipulated accordingly
	\item The card behaved like expected, i.e.
	\begin{itemize}
		\item it had less value remaining
		\item it was still possible to use it in stores and public transport
		\item the artificially removed money could not be spent
		\item the card could still be re-charged at recharge machines, without ever recovering the artificially removed amount
	\end{itemize}
\end{itemize}
\end{frame}

\subsection{Increasing the value of the card}

\begin{frame}{Increasing the value of the card}
\begin{itemize}
	\item Make a purchase in a store that accepts the EasyCard
	\item Find the transaction log entry and {\bf decrease} the cost of the purchase
	\item Increment the value block storing the card balance by the same amount
	\begin{itemize}
		\item Make sure you get the value block modifications right (inverted, non-inverted, backup copy)
	\end{itemize}
	\item Alter the {\em amount spent per day} (Sector 15) to reflect reduced amount
\end{itemize}
\end{frame}

\begin{frame}{Increasing the value of the card}
\begin{itemize}
	\item A card was manipulated accordingly
	\item The card behaved like expected, i.e.
	\begin{itemize}
		\item it had more value remaining
		\item it was possible to use it in stores and public transport
		\item the artificially removed money could all be spent (!)
		\item the card could still be re-charged at recharge machines, without ever loosing the artificially added amount
	\end{itemize}
\end{itemize}
{\bf NOTE:} The artificially added money was immediately added by recharging the card at a recharge machine. The amount stored on the card has been reduced by the previously added amount.  No fraud was committed!
\end{frame}

\subsection{easytool}

\begin{frame}{Introducing {\tt easytool}}
\begin{itemize}
	\item Information regarding the data format of the card implemented as C header file / structs
	\item C program {\tt easytool} created to decode cards contents
	\item Later, code to decrement/increment amount was added
	\item Tool has not been released publicly
	\item Read-only version of the tool might be released soon
\end{itemize}
\end{frame}


\begin{frame}{Summary}
\begin{itemize}
	\item Using MIFARE classic or any RFID system based on security by obscurity is irresponsible
	\item Extending a MIFARE classic based public transport payment system to general payment system in the year 2010 is nothing but ignorant, clueless and a sign of gross negligence
	\item Government regulartors should mandate the use of publicly and independently audited and reviewed security technology.  Security by obscurity is not an answer to any problem.
\end{itemize}
\end{frame}

\begin{frame}{Thanks}
I would like to express my thanks to
\begin{description}[Henryk Ploetz, Karsten Nohl, starbug]
	\item[Brita and Milosch Meriac] for OpenPCD and OpenPICC
	\item[Henryk Ploetz, Karsten Nohl, starbug] for their work on CRYPTO1
	\item[Jonathan Westhues] for his work on Proxmark
	\item[Nethemba] for implementing the nested key attack in MFOC
	\item[Roel Verdult] for libnfc
	\item[Nicolas T. Courtois] for his {\em darkside} paper
	\item[Andrei Costin] for his MFCUK implementation of the {\em darkside} paper
\end{description}
\end{frame}

\end{document}