Thanks for coming to my talk. I'm going to talk to you today about NFC and why, besides my body odor, you shouldn't stand too close to me. Okay, so who am I? So, first one to hack the iPhone, the G1 phone. I won this snazzy jacket. I wrote some books. Got some letters I can put after my name sometimes if I feel like it. And I'm still, even after yesterday's talk by Apple, not a member of the iOS developer program. So today, what's on the agenda? So first I'll tell you why I did this project. Then I'll go through some basic stuff about NFC so that we all know what I'm talking about and can see what NFC is all about. And then the main part of the talk is basically how to fuzz NFC, NFC stacks on phones. And then I'll look beyond that at sort of applications that deal with NFC. And finally I'll have some demos, and if they're anything like my projector they will fail horribly. But I have backup videos because I've had too many talks totally bomb. So hopefully the videos at least will work. Okay, so why NFC? So I started looking at this like nine months ago and I was actually having lunch with Moxie Marlinspike. And he told me that the code in the next corner looked really weak. And I was like, oh, okay, weak code. I like that. And NFC is sort of mobile phone related and I like phones. And you don't have to make the person touch anything. I like that. So a lot of things were kind of appealing. And while there's not that many phones right now that have NFC, supposedly, if you believe Johnny Evans, in the future there's going to be more. So maybe the next iPhone would have NFC, who knows. I hoped the last one would have it and it didn't. So all Nokia phones supposedly from now on are going to have NFC in them. The new Samsung phones have it. And then the Windows Phone 8s are supposed to have it when they come out. So anyway, NFC is going to be something that everyone's going to have in a couple years. So it's, you know, pertinent to look at it now, I think.
And the thing I found out is it's actually really hard to test NFC. So all these things are sort of the reasons I did it. So I wanted to, you know, finding bugs is cool and really that's what the end of the talk is about. It's like, wow, cool, check it out. I pop all these boxes and stuff. But really what this is about was giving away the tools so that people could test NFC implementations. So I have a bunch of code. You can download it and, you know, test the NFC on your phone or on the next phone that comes out and stuff. And what I'm really concerned about is getting owned through NFC. So I don't really care about, you know, Google Wallet and credit card information, or I shouldn't say I don't care, but I didn't look at that. So what I was concerned about is, can someone, you know, use this new chip in my phone to, you know, get a shell on my phone and steal all my contacts and all of my naked photos and stuff. So here's some, if you're interested, some other guys have done some really cool research on NFC related things. Like, you know, getting free gym memberships or, you know, snacks in vending machines and other really cool stuff. But that's not what my talk is about. So check out those references if you're interested. As far as other people who have looked at this idea of can you use NFC as a way to attack a phone: Collin Mulliner a few years ago looked into, you know, fuzzing NFC a little bit, but he didn't have a way to automate it. So it was more like write a tag, put the tag by the phone, it didn't crash. Write a tag, put it by the phone, it didn't crash. And so he gave up after, you know, a couple hours. So a couple of these academic guys looked at the Nokia 6212 to see if they could find attacks against it and they did. And the attacks they found are kind of similar to what I'll talk about in the Nokia phone I looked at. And finally Dan Rosenberg found some bugs in the Linux kernel stack. I think that this is what Max was looking at.
But it turns out that this code is for hardware that doesn't really exist yet. So these are bugs in the NFC stack, but no one's using it yet. But it still just shows that bugs can exist in the NFC stack. And at least one of those bugs is a really easy to exploit stack overflow with no canaries and stuff. It's really sweet. So he shouldn't have told anyone until the chip came out. So what's NFC all about? Well, it's basically based on RFID. And it runs at 13.56 megahertz, at least initially. And then the range for it is like four centimeters. So the actual papers and stuff will say 10 centimeters, but I've never actually seen that. So in real life it's more like four centimeters or like that. And, you know, there's people who talk about building big antennas and going across the room and stuff. But for me, you just need to know that you have to be really close but you don't have to touch. That's basically what it means. I have a very naughty thing to say just there, but I'm not going to say it. Okay, so, sorry, I'm really trying to be good. So the data rate for NFC is quite slow. So you don't want to transfer a bunch of data with it. And it's not really designed to do that. Okay, so how close do you really have to be? So here's a couple of experiments just to give you an idea. So, let me pause this one. So on the right there's a hotel key NFC card, and a wallet, and a pocket. And you can read it by getting close to the pocket. On this one it's just an NFC tag and a phone. And so you can see it's basically, you know, more than a thumb's width to read the tag. So that's how close you have to be. But then if you want to actually do something in real life, I thought I'd do a little experiment. So this is my co-worker, Todd Manning, who, I understand, he didn't know this was coming until Black Hat. He was sitting in the audience and all of a sudden he saw his ass on the screen.
But so here's a little video of me trying to read his hotel card key without him knowing. So here I'm in the green shirt. He's in the checkered shirt. You can hear our idle chatter. There it is. I'm so subtle, but I must admit that I was trained by the NSA. So, you know, a normal person might not be able to pull this off. So anyway, you can't see this but I looked and it didn't show up. I was like, what the hell? So I was like, well, I'll do it while he's moving. So this is a moving target. It's a little harder. Like I'm looking and it's like, damn, it's not working. So, you know, I'm like, I'm just going to sit on his ass at this point. So that's the video. Thanks. So I was like, I can't believe this didn't work. Like this totally should have worked. What was the deal? So I followed him back to his room and he goes to get into his hotel room and he pulls the card out of his front pocket. So I was like, oh, okay. So anyway, so that's one version of what the bugs I'm going to talk about could do: you know, just follow around uncomfortably next to somebody. A sort of more realistic attack is equivalent to ATM card skimmers or something, where there would be an NFC pay terminal or, you know, a movie poster or something, and you would stick a tag on the side or you would, you know, replace the terminal with a fake one or, you know, whatever. So I mean tags are pretty little. Like they're just stickers sometimes. Sometimes they're like plastic cards or whatever. So you can imagine, you know, putting it in a situation where, you know, someone wants to use NFC. So that would be a way easier attack than what I tried to do. All right. So speaking of that, when is NFC on, right? It doesn't do any good if it's not on. So NFC basically is on when your phone is awake. So like, you know, this phone went to sleep so NFC is off. And then for newer versions of mobile operating systems, if you have a passcode it also has to be unlocked.
So for Ice Cream Sandwich it's only on when it's unlocked, and in Gingerbread it's on no matter what if the device is on. And for the Nokia phone I looked at, the low level stack is accessible if it's locked, but the high level apps don't behave right unless it's unlocked. So basically, you know, the easy scenario is if the person is talking on the phone or using the phone or has just finished using the phone and it's unlocked, then you can do the things I want to talk about. And then the other thing is, as long as they don't have a passcode on their phone, you can actually wake up the phone and then turn NFC on and then use NFC. So here's a little movie of this. So here's a Nokia N9 and the NFC tag reader isn't working because it's asleep. The phone is asleep. But this is my friend, the phone is in his pocket or something. I send a text message and that wakes up the phone, and then I just run up and give him a swat and then NFC is working. So it would have been a two-step process against my friend Todd Manning. I would have had to send him a text message while I was in the elevator with him. Okay. So that's basically when NFC is available, and a couple ways you can imagine trying to attack someone with an NFC phone. So now let's talk about NFC. So there's basically two modes to NFC. One is passive. So this is the scenario where you've got a phone, an active reading device, and you've got a tag. And tags are just, like I said, little stickers or something. So, you know, you just put it up there and then something happens. Right. So that's passive. In that case, the tags don't have a battery or power or anything. They just use the power provided by the initiator. And the other mode is peer-to-peer. So if you have two phones and you want to share data between them, you just kind of get them close and NFC will let you share files that way.
And the way that works is both of them are powered devices. So it's a little different. And they have different protocols and stuff. So when I sat down to fuzz this stack, I was like, okay. There's like 200 bytes on this card and I want to fuzz it. So it's probably not that complicated. And then I got this diagram and I was like, oh, shit. It's super complicated. So there's lots and lots of specs. You know, you have to sit down and read them all. And I'll just run through them real quick. So at the very lowest level, you've got, you know, radio waves and stuff. So here, this is the spec you would want. And this is, if you can kind of see it, just an FFT plot I got from using a software-defined radio. And then if you want to, you can actually see the radio waves and decode them into bits. And it's a real pain in the ass, but it's possible. So here's an example of one. Every time it crosses the line, you get a zero. Otherwise you get ones. I did it bigger here so you can see. And then there's some sort of decoding scheme where like you get a one if there's two ones, unless it's five by one, in which case it's zero, one. So all these basic rules allow you to convert this line crossing into actual bits. And then you can see that this waveform actually is someone sending hex 26. Hex 26, if you read this spec, is the SENS_REQ command, which is basically the wake up. Like, NFC, here I am, wake up. Okay, so that was super low level, what the radio transmissions look like. I didn't fuzz at that level because it was super hard. And I'm lazy. Okay, so the next thing is initialization, anti-collision, stuff like that. So whenever a device enters, or say a tag enters the phone's RF range, then they have to work out some initial stuff. And that's what this layer is. There's almost no data exchanged, so I didn't fuzz this, although I could have.
And then I'll show you an example of this and you'll see what these bytes look like. And then a more interesting layer is when you get a little higher. So then you get into, there's lots and lots of different kinds of tags. And each one speaks a slightly different protocol. And then at the bottom there's this LLCP, and that's the communications for peer-to-peer communication. So I'll just show you some details on a couple of those because these are the ones I actually fuzzed. So one is called Type 2 tags, also known as MIFARE Ultralight. The actual commands that the device can send to the tag are things like read, write, stuff like that. And the stuff that the tag can send back is things like that. So first there's some metadata, it has things like serial numbers. And then there's this capability container and that contains information like version number, how much data to expect, stuff like that. And then there's the actual data itself. And then another type of tag is a Type 4 tag called DESFire. So this one's a little different. Here it's like a little virtual file system. And the commands that the device can send are like select, read, and update. And so the important thing is just to know that there's this capability container file and then there's a file or files that contain the actual data that you want to send. So the way that it typically works is the phone will be like, okay, I want to read you. So then it selects the capability container file, then it reads the capability container file and that tells it where to find the data. So then it selects the data file and then it reads the data. So that's the back and forth communication between the phone and the tag. And then finally, if you have two peer devices that want to talk to each other, they send each other these things called PDUs. There's lots of different kinds of PDUs and this is more or less what they look like.
So if you want to see an example exchange of, say, I want to share the greatest, coolest video with you, I would send this connect PDU with some parameters and what service I want to connect to. Then you would respond with a connection complete, a CC PDU. Then I'd send you an I PDU, I stands for information. You either send me back another information or an RR, which is just an acknowledgement. And we just go back and forth sending data until one of us is done and sends a disconnect. And then unlike the tags, LLCP is more like a connection and then you have to say where you want to connect to. So there's different kinds of service end points that you can connect to. And in all the stuff I looked at, I only saw two. One was called NPP. And that I saw on the Android phones. And then another is SNEP, which you see on other phones like Nokias and stuff. Okay, so all that's left is, you know, so far it's just how to communicate data back and forth, but I haven't talked about the actual data. So the actual data can be anything, but it's normally stored in a format called NDEF. So this is just some binary data and it describes different things that it can contain; it can contain lots of different kinds of data. And I talked about it, I gave this talk at Black Hat, except that talk was a lot more expensive than this talk. So you guys are really getting your money's worth. So the Black Hat badge is NFC and you could read the NDEF data and stuff off them. But anyway, so NDEF is just the format of the data that is typically exchanged. So, you know, I sit down and I read specs for three months and I'm about to blow my brains out. So I finally get an antenna and I actually look at the data, because I want to use something like Wireshark, but they don't have it. So instead I look at this. So I get a Proxmark, you can sniff the traffic and see what it looks like.
So this is what the traffic looks like between an NFC reader and a Type 2, MIFARE Ultralight card. So I don't know if you can read it, but I'll just explain anyway. So first the reader is like, hey, wake up, and then the card says, okay, I have a seven byte serial number. And then the reader says, cool, give it to me. And the reader says, okay, here's the first three bytes. And then the reader is like, okay, I got those three bytes. Are they these? And he's like, yep. And then he says, okay, send me more. And he says, okay, here's the rest. And he says, yep. So anyway, and the other thing that happens is at some point the tag says, by the way, I'm a Type 2 tag. So once they get to this point, they've done the initialization and they're ready to actually do the data, and they know to use the Type 2 protocol. So he knows he can do read. So he reads column eight from that chart I showed you. The tag responds with much data. And then he reads the third one, which is that capability container stuff. So he reads, the tag sends this data. And then he reads the actual NDEF data. So anyway, you can start thinking about what you want to fuzz, right? So you could fuzz the serial number and stuff, but I didn't because it seemed like a waste. You can start to fuzz, you know, the serial numbers and the memory stuff. And then down here you can fuzz the NDEF data. So there's stuff to fuzz, but not a ton. You can break the NDEF data out too and see what it looks like. So in this example, it starts with a three that just says, hey, it's NDEF. And then it says a length, so NDEF is basically type length value. So it's a length and then it says, okay, I'm a D1, which says I'm a message begin, message end, which means I'm just a complete message. Short record, which means my lengths are one byte as opposed to four. And then I'm a well-known type. And then it's type length, payload length, type, blah, blah.
So once you know that the type is T for text, then you look at that spec and see what text data looks like, and eventually you break it out to some text and then you're done. So you can extract this data and you can imagine fuzzing these things, and there's some length values. And so there's some potential for some coolness. But then you've got to. So at this point I read the specs. I understood like everyone in this room now. So we're all NFC experts. And how, you know, where are the bugs going to be? So if you look at, say, the software stack on like this for NFC. You've got the kernel. There's some driver in the kernel that is talking to the hardware and the actual NFC chip. And then there's an Android service that deals with all the NFC data. And then there's applications that consume the data afterwards. So in this picture, the driver's native code, inside the service are some native code libraries, but mostly the service is written in Java. And likewise this Tags application that handles the NDEF data is written in Java. So if you're looking for memory corruption bugs, you're kind of limited, right, to just these native code dudes. The MeeGo, which is the other phone I looked at, Nokia N9 running MeeGo, which was the reason I chose these two phones, by the way, is like last fall they were more or less the only phones I could get my hands on that had NFC. And then the MeeGo had the advantage of being kind of Linux-y, which is something that I like. Turns out, at least in the U.S., there's not many people with Nokia N9s, but there's a few people. I saw Travis Goodspeed has one the other night. So I'm going to totally own his ass. And then I heard HD Moore might have one too. So I want to see those guys on the phone. I'm going to be all over them. All right, so the MeeGo stack basically looks like the Android stack, the biggest difference, so there's kernel, driver, service, and then applications that consume the data.
The difference is here, everything's native code. So it seems there's at least a potential for some more bugs. So I already kind of mentioned this, but when you sit back and say, okay, where are the bugs? Well, there could be bugs in the actual NFC-specific code, like the thing that's parsing NDEFs or parsing capability containers or something. Or there could be bugs in the applications like Tags that are actually processing the data afterwards. We want to look for bugs in both those spots. So the first thing I want to do is fuzz the low level stuff. Because that's the whole, you know, when you're a hammer, everything looks like a nail. So I do fuzzing and so everything I want to do starts with fuzzing. So fuzzing NFC is a little hard. It took me like six months to get this fuzzer running. So the first thing you do is you create data, and then you want to present it to the phone, and then you want to monitor the phone for crashes and stuff. So the test case generation is really pretty simple. I used two approaches. The first one was what they call dumb fuzzing, mutation-based fuzzing. So I just got some valid data and did some bit flipping, added some bits, stuff like that. So valid data for, these are like PDUs, these are capability containers, these are NDEFs. So, you know, just got a bunch of data and then started flipping it. And then I also, at least for the NDEFs, used Sulley to create some fuzzed NDEFs, you know, so that you could have very long strings, but everything else is right. Like, you know, the lengths are right and stuff like that. So I tried both approaches and I generated something like 50,000 test cases for each of the phones. So that part was easy. The hard part is getting the test cases to the phone. So NFC is basically designed to be like, some dude has a phone, he puts it near some other phone and then he takes the phone away, right? But I want to just leave it running overnight.
And I only have, you know, there's only so many interns who will just do this all day. So, like I mentioned before, Collin Mulliner originally did this by hand and then realized that was kind of silly. So I had to figure out a way to automate this. So the first thing I thought is I'll just get some off the shelf NFC readers and have them, there's a mode called card emulation, which means pretend to be a card, a tag. And then if you go to read it, you know, the phone doesn't know any difference. But the problem is there's tons of different kinds of NFC hardware. They all kind of claim, you know, in some vague way that they do card emulation. But then when you buy it, they don't. And, you know, the help support dudes are like, oh yeah, we didn't actually do that. We can sort of do that. And then there's lots of different software that you can try for each of the pieces of hardware. So for a long time, I couldn't get any of them to actually do card emulation. So then the next approach I looked at was using a USRP. So here you can do everything, you know, from the very bottom up. You can pretend to do the radio signals and be a card, or be up here and do everything. And the advantage is you can fuzz everything too. But then I started writing code and, you know, there's getting these waveforms and decoding waveforms and having to send out more waves and yeah, it wasn't working very well. So I'm not a signal analyst apparently. And the best I could get is I could decode this way, but it took like six seconds. And it turns out that you have to respond in like 0.001 seconds. So I was too slow. So I gave up on that. And then Collin Mulliner at SummerCon this year released an Android injection framework that would theoretically allow you to inject data into the NFC daemon. So it would think that you had just presented a tag. But I don't think anyone's ever used that to fuzz yet.
And also it turns out a lot of the bugs I'm going to tell you about are related to timing issues, and so you won't get those either. So there's some reasons you wouldn't want to do this. But it's at least a possibility. So finally, after I did all that stuff and gave up, I eventually went back and actually found some hardware that worked. So if you get this reader and use that software, or this reader and that software, you're in business. So you can plug those in and they'll pretend to be cards and you can read them. So now with those combinations of hardware and software, I can fuzz the parts of the spec that are this ugly green color. So it's roughly half or something. So there's still lots of work that you guys can do if you want. This is what I did. So let's start talking about how I did it. So the top-level fuzzing of NDEFs was pretty easy. So I already had a bunch of fuzzed NDEFs. I just had to get them to the phone. And nfcpy comes with a little program that basically does exactly that. It takes in a binary file and presents that as an NDEF to the phone. So that part was easy. Then if I wanted to fuzz this part, the purple part, then I want to fuzz the sort of low level Type 2 transactions. And so what I did there is I just made some modifications to nfcpy to allow me to modify these bytes that weren't the metadata bytes. So the things like the capability container. So it just changed up that program and then it was working pretty good. Pretty much the same thing for Type 4 fuzzing. So if I want to do the low level stuff, all I did was, instead of fuzzing the NDEF data, which is what nfcpy wants you to do, I just changed nfcpy to instead allow me to supply a capability container file. And then finally fuzzing LLCP, so the peer-to-peer communication. I just again modified nfcpy, this time to allow me to change the connect and information PDUs. Okay, so that was cool.
So what I could do at that point was I could emulate the tag, I could put the phone down and it would read the tag. And those tags could have crazy messed up fields. But then I need to do that a lot, right? And again, my interns started quitting after a couple hours. So I had to figure out a way to automate that. And so basically what I would do is I would just turn off NFC, I would change the tag to be something new, and then I would turn on NFC and that would be sort of the equivalent of presenting the tag. And then once that was done, I would turn off NFC, change the tag, turn on NFC, and so forth. And there's a couple ways here that you can turn off or turn on NFC. Hey, you're leaving my talk? The demos are still coming. The cool part is at the end. This is the painful part where you learn to appreciate the hard work I did before the whizbang demos. So he's going to leave and be like, man, that talk was so boring. It was just a lot of specs and shit. So anyway, then I needed a way, because it turns out NFC readers aren't designed to emulate 10,000 tags in a day. So after a little bit they just freeze up. And the way, the support people say, the way you fix it is you just unplug it and plug it back in and everything's great, hard reset. I was like, well, I don't know if that's actually better than doing this with the phone if I'm doing this with the USB. So I found this USB hub that I could control the power on, and in software I could turn the power off and then back on. And so it was kind of like plugging it in and unplugging it. And also, you know, a lot of people come up to me and be like, Charlie, how do you find time to do all this research? And I say, well, I don't do any household chores at all. And so you can see total water damage in my wall. It's like, eh, I'll set up my fuzzer right next to it. So the final part of the puzzle is looking for crashes. And on Android, it's super easy.
They have logcat, which basically tells you any time anything crashes. And on MeeGo, no one's really ever looked at that operating system. So it turns out they have GDB though. So I just GDB attached to the server or the service. And then, in case other things crash, I just did basically a ps before and after sending the NDEF and looked to see if anything significant had changed. And then finally, I wanted to make sure NFC was still working. So between every fuzz test case, I would send a valid test case, a valid, you know, NDEF file or something. And then I would just make sure that that worked. And if not, I would kind of restart everything. So on Android, Tags puts things in a SQLite database. You can just check to make sure the thing you just sent shows up there. And on MeeGo, if you start the NFC daemon with this extra, you know, verbosity setting, it actually shows you the NDEFs that it's reading in syslog. You can look to make sure everything's working great. All right, so here is a super boring video, but it took me six months to make, so you're going to watch it. So here's a Nokia N9. So this is the valid test case. This is the invalid test case. It can't read it. And this is the valid test case. I would send it like a random number. And this is the invalid test case. And here is a Nexus S. Go. Go Nexus S. There we go. So I'll even turn it up. There it is, beauty. So this one is a valid test case. And then there's an invalid test case that doesn't even show up. And then there is another valid test case. And so if you lived in my house, you would just hear that in the background all day, all night. So it's pretty annoying, but, you know, that's what I do for science. And then the other thing that happened in my house is that one stupid reader, the big one, in some weird situations would just start making this huge loud noise. It was like, eh, eh, eh, eh, that loud. And I was like, well, this isn't ideal.
So at first I tried, I put a pillow on it and you could still hear it. So that's why I moved eventually to my basement that's all flooded up. All right, so finally, I did the actual fuzzing. So like I said, it was like 50,000 test cases. I fuzzed against the latest OS that was available at the time last fall, which was 2.3.3 for Gingerbread and 1.2 for the Nokias. And as you saw in the video, each test case would take around, you know, 5 or 10 seconds. So it was a very, very slow process. So as soon as you start fuzzing, you'll basically start to see things crashing and stuff. So the first thing that you'll see crash is Tags. Tags crashes super easy, but the problem is that you're going to be in Java, so it's not very exciting. So it's just Java exceptions. You can't really do anything with that. Keep fuzzing, and eventually the CD will start dying. In this case, again, it's a Java exception, so not super cool. But at least it's good to know your fuzzer is working. And then, finally, you get some native code crashes. So that's cool. Here's one. It's a null pointer dereference, so it's still not so exciting, but at least, again, it's like, wow, at least it crashed in native code. I'm getting there. So this is an example of if you send a connection complete PDU before you establish a connection, and it dereferences a null pointer. All right. And then, finally, some actual bugs. And this is in the 2.3.3 Gingerbread NFC stack. So the key is to look at this thing. LLCP, check LLCP. So this showed up in the logs, and then it crashed in a call from free.
So this is the source code for that, so the cool thing about Android is you can look at the source code. So if you look here, it's doing, you know, it's checking LLCP, blah, blah, blah, it allocates a buffer. And then if things don't work out right, there's dot, dot, dot here. So something happens, and then if things don't work out, it prints that thing which you saw in the log, and then it frees the buffer, cool. And then it goes down here, and it frees the buffer, which is not cool. So this is a double free, you know, with some work you could maybe write an exploit for it. And so the cool thing about this exploit, if you wrote it, which I didn't, would be, you know, basically you present a tag to a phone, and you get a shell, right? So that would be pretty exciting, I think. But anyway, this would give you code access as the NFC daemon, which does not have internet access, but does have internet access as well. So what about this? Well, being the responsible researcher I am, Google actually found it without me because I didn't report it. So it's fixed though in Ice Cream Sandwich, which is cool. The bad thing is that even though it's fixed in Ice Cream Sandwich and of course Jelly Bean, most people still run Gingerbread devices, so there's still some guys out there you can get close to in the elevator and maybe get a shell. Here's where I wasted so much time, it's not even funny. So it turns out I found a bunch of these other really awesome memory corruption bugs in the Gingerbread stack, but I could never replicate them in any reasonable fashion. So I suspect it has to do with timing issues, because if I ran the same thousand test cases, I would always get these same crashes and the same number of them, more or less, but they weren't ever in the same spot, so I couldn't really replicate it. But anyway, here are some super cool memory history.
So here's one that crashes in dlmalloc, calls abort, and that usually happens when there's memory corruption. Here's one that happens in dlfree, calls abort, and that happens a lot in memory corruption. Here's one that crashes in free when it's trying to unlink a chunk where the back pointer is screwed up. That's memory corruption for sure. And then here's one more. So anyway, a bunch of crashes I found, never hunted down, re-ran the test cases so many times it took like four days. So many times that it's insane. But anyway, so the moral of the story is that if Google had a decent tool chain for me to use, there would be like maybe four more bugs I would have not reported to them. Okay, so I'm just kidding. I'm a very responsible person. If any reporters are here, I never do anything bad. Thank you. So that's the NFC stack. So I found some bugs in Gingerbread. Some are fixed, some may not be fixed. And then there's, I didn't find any bugs in the N9 stack. So that means either their code, which is all native code, is perfect, or there was something wrong with my fuzzer. So please fix my fuzzer for me. So now the question is, fine, I've looked at the low-level NFC code and that was like pretty good. There weren't too many bugs. But what about the higher-level stuff, right? So it turns out that Nokia and Google did a good job at parsing 200 bytes on an NFC tag. That's what NFC basically is. But what about these other apps? Can they do that? So at first glance you look at what happens when you present a tag to NFC and it's super boring. So Gingerbread, it just, you know, if they can screw up, you know, printing a string to a screen, like, that's pretty bad, but they didn't. So here's a string, here's a string, here's a string. So super boring, nothing exciting going on. But then they added features. Starting in Ice Cream Sandwich, Android has this thing called Beam. Nokia has this equivalent thing called Content Sharing and also this Bluetooth pairing thing.
So if you start to look at these things, they get a little more interesting. So what's Android Beam? Basically it's a way for you and your friend who both have Android phones to, like, share files and pictures and stuff like that. Or I guess in this case really web pages. So how does it work, now that you guys understand all that? This sentence will make sense to you when it wouldn't have an hour ago. They use LLCP with SNEP and they fall back to LLCP and NPP. See, like, what you learned. And the interesting thing is you can see here I'm beaming this game called Crime City, which is like a fun game, you should get it. But to beam it I have to press a button, but the guy on the receiving side just gets beamed and they can't do anything, it just shows up. Sort of the opposite of what you might want to design if you were in security. So how is this implemented? Like, it's designed for two phones to be close to each other, but the way it's implemented is, like most things in Android, with intents. That means as long as it gets an intent it doesn't matter if it came via another phone or a tag. So you can still get it to do things like open up a web page just by getting a tag close to it. So, you know, if I get close to Todd on the elevator, I can make his phone open up a web page to a URL I specified, which is probably not what would be good. So here's an example just to show you how web pages get opened up. You get the tag and look, it goes to a website. So before, you know, as much as I distrust vendors, I can trust them to parse 200 bytes, right? But now I have to trust them to parse what a browser parses, right? And I don't trust that. So, you know, HTML, movies, videos, images, silence, fonts. So now you can get to all this stuff through NFC. Okay, so now it's time for a demo. I've got to thank Josh "jduck" Drake and Georg Wicherski. So they wrote this exploit with me, I should say, but they did most of the work.
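The "200 bytes on a tag" that the talk keeps coming back to is an NDEF message, and the record that sends a phone to a web page is a URI record. The following is an added example, not the speaker's fuzzer and not any vendor's NFC stack code: a bounds-checked parser for one NDEF record plus a decoder for the URI record, written against the NFC Forum NDEF 1.0 and URI RTD layouts. The tag bytes (`SAMPLE_TAG`, `LYING_TAG`), the function names and the decision to reject unlisted URI prefix codes are all assumptions made for the example. The "lying" tag declares a payload longer than the bytes that exist, which is exactly the shape of input a length-field fuzzer produces; the parser checks every declared length against what is actually left before it takes a pointer.

```c
/*
 * Added example, not from the talk or any vendor's NFC stack: a bounds-checked
 * parser for one NDEF record plus a decoder for the URI ("U") record that a
 * tag or Beam uses to send a phone to a web page. Layout follows the NFC
 * Forum NDEF 1.0 and URI RTD specs. The tag bytes are constructed here.
 * Build: cc -std=c99 -Wall -o ndef ndef.c && ./ndef
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NDEF_CF 0x20          /* Chunk Flag (chunked records not handled here) */
#define NDEF_SR 0x10          /* Short Record: 1-byte payload length */
#define NDEF_IL 0x08          /* ID Length field present */
#define NDEF_TNF_MASK 0x07
#define NDEF_TNF_WELL_KNOWN 0x01

typedef struct {
    uint8_t tnf;
    const uint8_t *type;    size_t type_len;
    const uint8_t *id;      size_t id_len;
    const uint8_t *payload; size_t payload_len;
    size_t total_len;       /* bytes consumed from the buffer */
} ndef_record_t;

/*
 * Parse one record from buf[0..len). Returns 0 on success, -1 if malformed.
 * Each declared length is compared with the bytes actually left BEFORE a
 * pointer into the buffer is taken, so a tag that declares a 4 GB payload
 * inside 16 bytes is rejected instead of being read past the end.
 */
int ndef_parse_record(const uint8_t *buf, size_t len, ndef_record_t *rec)
{
    size_t pos = 0;
    uint8_t flags;

    memset(rec, 0, sizeof *rec);
    if (buf == NULL || len < 2)
        return -1;
    flags = buf[pos++];
    rec->tnf = flags & NDEF_TNF_MASK;
    if (rec->tnf == 0x07 || (flags & NDEF_CF))   /* TNF 7 reserved; no chunking */
        return -1;
    rec->type_len = buf[pos++];
    if (flags & NDEF_SR) {
        if (len - pos < 1) return -1;
        rec->payload_len = buf[pos++];
    } else {
        if (len - pos < 4) return -1;
        rec->payload_len = ((size_t)buf[pos] << 24) | ((size_t)buf[pos + 1] << 16)
                         | ((size_t)buf[pos + 2] << 8) | (size_t)buf[pos + 3];
        pos += 4;
    }
    if (flags & NDEF_IL) {
        if (len - pos < 1) return -1;
        rec->id_len = buf[pos++];
    }
    if (rec->type_len > len - pos) return -1;
    rec->type = buf + pos;    pos += rec->type_len;
    if (rec->id_len > len - pos) return -1;
    rec->id = buf + pos;      pos += rec->id_len;
    if (rec->payload_len > len - pos) return -1;
    rec->payload = buf + pos; pos += rec->payload_len;
    rec->total_len = pos;
    return 0;
}

/* URI RTD identifier codes abbreviate a prefix; only the web/phone ones are
 * listed. Simplification for the example: any other code is rejected. */
static const char *const uri_prefix[] = {
    "", "http://www.", "https://www.", "http://", "https://", "tel:", "mailto:",
};

/* Decode the first record of buf as a URI record into a static buffer.
 * Returns the URI, or NULL if the record is malformed, is not a well-known
 * "U" record, uses an unlisted prefix code, or does not fit. */
const char *ndef_uri_string(const uint8_t *buf, size_t len)
{
    static char out[256];
    ndef_record_t rec;
    const char *prefix;
    size_t plen, rest;

    if (ndef_parse_record(buf, len, &rec) != 0)
        return NULL;
    if (rec.tnf != NDEF_TNF_WELL_KNOWN || rec.type_len != 1 || rec.type[0] != 'U')
        return NULL;
    if (rec.payload_len < 1 || rec.payload[0] >= sizeof uri_prefix / sizeof uri_prefix[0])
        return NULL;
    prefix = uri_prefix[rec.payload[0]];
    plen = strlen(prefix);
    rest = rec.payload_len - 1;
    if (plen + rest + 1 > sizeof out)
        return NULL;
    memcpy(out, prefix, plen);
    memcpy(out + plen, rec.payload + 1, rest);
    out[plen + rest] = '\0';
    return out;
}

/* Constructed sample tag: one short record (MB|ME|SR, TNF=1), type "U",
 * identifier code 0x03 ("http://") followed by "example.com". */
static const uint8_t SAMPLE_TAG[] = {
    0xD1, 0x01, 0x0C, 'U', 0x03,
    'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm',
};
/* Same bytes, but the header claims a 0xFF-byte payload that is not there:
 * the kind of case a fuzzer produces and a parser has to refuse. */
static const uint8_t LYING_TAG[] = {
    0xD1, 0x01, 0xFF, 'U', 0x03,
    'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm',
};

int main(void)
{
    const char *uri = ndef_uri_string(SAMPLE_TAG, sizeof SAMPLE_TAG);
    printf("sample tag -> %s\n", uri ? uri : "(rejected)");
    uri = ndef_uri_string(LYING_TAG, sizeof LYING_TAG);
    printf("lying tag  -> %s\n", uri ? uri : "(rejected)");
    return 0;
}
```

The order of the checks is the point: the parser never forms `buf + pos` until it has confirmed the declared length fits in `len - pos`, and because `pos` never exceeds `len`, the subtraction cannot wrap. A fuzzer aimed at this code would mutate the flags byte, the three length fields and the prefix code, and every mutation should land on one of the `return -1` lines rather than in a pointer.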
It's an Android browser exploit, but, you know, you can get to it through NFC, so let me show you this and see if it works. And I have a backup movie if it doesn't work. So, hey, look, I have a project meeting today. Okay, so here's an exploit. So here in this window, I have a Netcat listener. Here I have a phone. So this is an Android phone running 4.0.1. So this particular WebKit bug, it's fixed in 4.0.4, but it's still kind of cool. So anyway, here's a phone, right? I'm talking on the phone in a busy subway and some pervert comes up to me and is like, hey, Charlie, look at this. Oh, look, there's something. Oh, wait, it's gone. What happened? And then over here is a shell. Anyway, it's pretty awesome. So touch a tag, get a shell. Okay, here's the movie if you didn't believe it was going to work. But it of course worked. Okay, so the point of that is it's not that, wow, there's another WebKit bug, right? The point is that while you thought the NFC attack surface was, you know, the 200 bytes of NDEF data, really the NFC attack surface is the browser, right? And the browser, you know, I mean, the good news is that Google fixed that WebKit bug that was in 4.0.1. So now the browser is secure. Okay, so that was Android. Travis Goodspeed's phone: the Nokia N9. So it has something just like Android Beam which allows you to share, you know, images and files and stuff like that. Again, without user interaction. And the thing that's interesting is they have, so in Android, NFC is either on or off. And on the N9 it's on or off and you get this extra security option called confirm sharing and connecting. So you would think if you turned that on, then if I tried to push you a video it would confirm, but it doesn't. So it actually does something else which I'll talk about in a minute. So here is an example on a Nokia N9. So you can check Bluetooth is off, so I'm not doing anything with Bluetooth.
So I touch it near to another N9 and then I just sit back and wait, and it's like, well, probably nothing bad is going to happen. Oh, it turned on my Bluetooth. Oh, it's downloading something. Well, it's just downloading. Oh shit, it's rendering it. So anyway, the point is without user interaction you can push things like PDFs and Word documents and Excel spreadsheets and stuff to a phone without the person doing anything. So again, it's just like this much larger attack surface than you would have imagined. So instead of the attack surface being this little guy that prints a string, it's actually, you can't do a web page on Nokia, but you can do basically everything else. So what kind of bugs could there possibly be? Well, if you're lazy and you just want to use public bugs, you can do that. But that's pretty lame. So there's libpng, for example. The latest Nokia N9, which is running version 1.3, ships libpng 1.2.42, and there's at least two critical vulnerabilities reported on that. But you guys are too good to use public bugs. So I turned on my fuzzer for a little bit to see what I could find. And I found this invalid free in PowerPoint and this invalid write in PDF. So here, look, dear Google, look, I'm using Valgrind on my phone. See how cool that is? Maybe you should do that for Android. Or if you want to use those bugs, here's another bug I found, which is pretty awesome. So this bug is in the way they parse Word documents and it also turns out to be a zero-day in KOffice too. For your friends who think they're secure because they use Linux, you can just ship them this Word document and own them. So basically the way this bug works is it allocates a buffer called Group Grub X or something based on some number you gave it. And then it reads in this other value, a short, from the data stream you're providing, and then it loops that number of times it just read and writes into your allocated buffer whatever it reads.
You have the choice of how big the allocation is, how much data you want to copy and what data you copy. So it's a classic heap overflow bug. So I didn't write an exploit for this one either, but I'll show you that it's pretty easy to exploit. So here's an example of a data stream I made: the length big, and then I put some data. So it crashes. Here's the backtrace. It crashes at some address that isn't mapped. Or it crashed, it loaded a value from R3, and then from where R3 is pointing, and then it branched to that value, and it turned out I controlled R3. So if I had just pointed it to some other data I controlled, I would have gotten control. So basically this is a pretty easy to exploit bug, and again you would get it just by getting one N9 close to another N9, you could make it open up the Word document and own them. So the final thing I want to show you is this. It turns out that if you google Nokia N9 NFC you come across like 10,000 versions of this video. So the guy's listening to his music, he's jamming out, and then he gets his phone close to the speakers, and then all of a sudden the whole room is jamming out to his music. And I was like, how did that happen? What just happened? He's on his phone and now all of a sudden it's on the speakers. Where there's magic there's security problems. So I bought one of these speakers, right, and I'll show you how it works, I think, except it's kind of, whoa, someone totally hacked my N9 because I went to my talk yesterday, I think. Oh, here we go. So now I got one of these speakers, I got out my N9, and I downloaded some free music, and I was like, okay, let's see what's going to happen. Right here. Is it going to work? Give me one more second. See, I get the shell to work in the demo, but I can't get, like, the actual music player to work. One check real quick and then I will move on. It should work. Okay, let's try it again. Is the thing on? The speaker has to be on. It's a piece of crap. Oh wait, it's working, I think. Yeah.
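The Word-parser bug described above (buffer sized by one attacker-chosen number, copy loop bounded by a second attacker-chosen number, no comparison between them) is a pattern worth seeing in code next to its fix. The following is an added example, not the speaker's code and not KOffice's or Nokia's: the stream format (`u16 n_alloc | u16 n_copy | n_copy entries of u32`), the function names and the sample streams are all invented for the illustration. `parse_groups_vuln` does what the talk describes; `parse_groups_safe` checks the loop bound against the allocation and against the bytes left in the stream before it allocates anything.

```c
/*
 * Added example, not KOffice's or Nokia's code: the allocate-then-loop
 * pattern described above, once as the talk describes it and once
 * bounds-checked. Stream format and names are invented for the example:
 *   u16 n_alloc (little-endian) | u16 n_copy | n_copy entries of u32
 * Build: cc -std=c99 -Wall -o groups groups.c && ./groups
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { const uint8_t *p; size_t left; } stream_t;

static int read_u16(stream_t *s, uint16_t *v)
{
    if (s->left < 2) return -1;
    *v = (uint16_t)(s->p[0] | (s->p[1] << 8));
    s->p += 2; s->left -= 2;
    return 0;
}

static int read_u32(stream_t *s, uint32_t *v)
{
    if (s->left < 4) return -1;
    *v = (uint32_t)s->p[0] | ((uint32_t)s->p[1] << 8)
       | ((uint32_t)s->p[2] << 16) | ((uint32_t)s->p[3] << 24);
    s->p += 4; s->left -= 4;
    return 0;
}

/*
 * Vulnerable: the buffer is sized from one file-controlled field and the
 * copy loop is bounded by a different file-controlled field; the two are
 * never compared. Returns the number of entries stored, or -1 on a short
 * stream. If out is NULL the buffer is freed before returning.
 * Never feed this untrusted data: with n_copy > n_alloc the loop writes
 * past the end of grp, which is the classic heap overflow.
 */
long parse_groups_vuln(const uint8_t *data, size_t len, uint32_t **out)
{
    stream_t s = { data, len };
    uint16_t n_alloc, n_copy, i;
    uint32_t *grp;

    if (read_u16(&s, &n_alloc) || read_u16(&s, &n_copy)) return -1;
    grp = calloc(n_alloc, sizeof *grp);          /* size chosen by the file */
    if (grp == NULL) return -1;
    for (i = 0; i < n_copy; i++) {               /* count chosen by the file */
        if (read_u32(&s, &grp[i])) { free(grp); return -1; }
    }
    if (out) *out = grp; else free(grp);
    return n_copy;
}

/*
 * Hardened: the loop bound must fit the allocation, and the stream must
 * actually contain that many entries; both are checked before anything is
 * allocated or written.
 */
long parse_groups_safe(const uint8_t *data, size_t len, uint32_t **out)
{
    stream_t s = { data, len };
    uint16_t n_alloc, n_copy, i;
    uint32_t *grp;

    if (read_u16(&s, &n_alloc) || read_u16(&s, &n_copy)) return -1;
    if (n_copy > n_alloc) return -1;                           /* would overflow grp */
    if ((size_t)n_copy * sizeof(uint32_t) > s.left) return -1; /* truncated stream */
    grp = calloc(n_alloc ? n_alloc : 1, sizeof *grp);
    if (grp == NULL) return -1;
    for (i = 0; i < n_copy; i++)
        read_u32(&s, &grp[i]);                                 /* cannot fail: checked above */
    if (out) *out = grp; else free(grp);
    return n_copy;
}

/* Constructed streams. BENIGN: room for 2 entries, copies 2. EVIL: room for
 * 1 entry, copies 4, the shape of the crashing document described above. */
static const uint8_t BENIGN_STREAM[] = {
    0x02, 0x00, 0x02, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
};
static const uint8_t EVIL_STREAM[] = {
    0x01, 0x00, 0x04, 0x00,
    0x41, 0x41, 0x41, 0x41, 0x42, 0x42, 0x42, 0x42,
    0x43, 0x43, 0x43, 0x43, 0x44, 0x44, 0x44, 0x44,
};

int main(void)
{
    printf("vuln, benign: %ld entries\n", parse_groups_vuln(BENIGN_STREAM, sizeof BENIGN_STREAM, NULL));
    printf("safe, benign: %ld entries\n", parse_groups_safe(BENIGN_STREAM, sizeof BENIGN_STREAM, NULL));
    printf("safe, evil:   %ld (rejected)\n", parse_groups_safe(EVIL_STREAM, sizeof EVIL_STREAM, NULL));
    /* parse_groups_vuln(EVIL_STREAM, ...) would write 12 bytes past a 4-byte
     * chunk; on dlmalloc that typically ends in the abort seen earlier. */
    return 0;
}
```

The hardened version rejects the evil stream without touching the heap at all, which is the property you want: the decision happens on two integers before the allocator is involved. Note that the check in the vulnerable version's loop (`read_u32` failing) only protects against a short stream, not against a long one, so an attacker who supplies enough bytes drives the writes wherever the count says.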
Something magical again. Oh, this is crap. Anyway, it was just like the dude with the little music symbols floating out of his phone, it was going to look just like that, but it's not working. Anyway, the point is I got this thing and I was like, how the hell are these talking to each other and I didn't do anything, so I looked into it some. Oh, look. I had the sharing option on. That's what happened, so now I don't know if it worked, but who cares. Oh, it's working. That time I did do something, but you'll see in a second. So like I said before, and then it turned off each press again, where I'm going to unplug it in about one second. So there's this, oh no, it's got a battery. I unplugged it but it didn't stop. So now we're back to this thing about confirm sharing. So if you have the confirm sharing set, which isn't on by default, then it actually would prompt you before you do the magical speaker thing, but if you just don't touch your NFC settings then it just magically happens like in the video. And so the magic behind the curtain is this NDEF. So if you send it this NDEF data, what you send it is a Bluetooth address, a PIN that you've made up that it's going to then know, and then a name. So it turns out, like, I grew up in the old days and my whole life was a root shell. But it turns out what I really wanted was this thing: Bluetooth. So here's a video. So here's a Bluetooth tag. So you can see Bluetooth is off. Cool. And then I'm going to present the tag to the phone. So you imagine like I'm running up, hey, how's it going? Swat on the butt. And then nothing happened on the phone. The phone made that little blue thing and screwed. So anyway, it pairs. You can't see where I'm pointing. So this thing showed that it just paired with me. And I didn't need to know the PIN or anything like that, because I told it the PIN to use. And then I can mount the file system on the phone and read all of its files, and on the phone there's nothing going on.
So thanks. So I can see all their files, and then, so you can see things like pictures they've taken with their camera, JPEGs that they just happened to have downloaded, music, that song I was just playing for you, you know, like documents. So basically anything you want you can just download, and I think you can write to it too, although I never bothered. But, you know, files are one thing; I want to actually, like, use the phone, right. This is what makes this cooler than the root shell. So now I'm going to send a text message with the phone. So send the text message. Wait for it, wait for it, wait for it. Look over here. So there's my phone. It showed up. If I turned this on you would have actually heard it show up. But anyway, so trust me, that text message really sent. And then you can do things like read their contacts. And these are the contacts that are stored on the file system as well as the SIM card. So you can see in a second here, that's fast forward. So anyway, here's their contacts, and then finally, super, and all, the money shot is then you can actually just, like, dial their phone for them. And I put the camera on so you don't see my phone number, so you don't call me. I'm very clever that way. And then I wait, wait, wait. Okay, it's dialing. And then it shows up over here. Compliments of AT&T. Thank you. So anyway, the thing is, if you don't change that setting, if I just present a tag to you, I own your phone. So if you do have that setting set, though, you get this nice thing and I have to then push you a Word document that owns your phone. So just to wrap things up quickly: so NFC is like a whole new way to own people's phones server side. It's hard to test them, but I'm releasing tools that will let you test them. Vendors should let you say okay before people can push Word documents and web pages to you. Code: tinyurl, NFC dash files, and here's all the people that helped me while I was doing this, including Cyber Fast Track, which funded part of this work. Thank you.