1 00:00:00,167 --> 00:00:02,501 How's everyone doing today? 2 00:00:03,375 --> 00:00:04,501 Good. 3 00:00:04,501 --> 00:00:08,834 So now, let's come to our talk. 4 00:00:08,834 --> 00:00:13,959 And so MIFARE ULTRALIGHT system and ULTRALIGHT chips are used 5 00:00:13,959 --> 00:00:16,626 for communication. 6 00:00:17,584 --> 00:00:22,209 And in our country, they have been used especially 7 00:00:22,209 --> 00:00:27,209 for the transportation system like busses, Metro, and 8 00:00:27,209 --> 00:00:33,999 in the past there has been people who discovered some hacked the system 9 00:00:33,999 --> 00:00:38,918 of the communication between those chips. 10 00:00:38,918 --> 00:00:44,000 And so in 2008 the MIFARE classic which is a type 11 00:00:44,000 --> 00:00:48,999 of chip classic in 2011 two American made 12 00:00:48,999 --> 00:00:54,083 to exploit and to see ULTRALIGHT one which 13 00:00:54,083 --> 00:00:59,584 is the one I will be speaking about. 14 00:01:01,125 --> 00:01:04,125 In my country, so in Italy, it has been used 15 00:01:04,125 --> 00:01:06,999 for transportation systems. 16 00:01:06,999 --> 00:01:09,918 So, if you take a bus, you will take a ticket, 17 00:01:09,918 --> 00:01:14,417 multiple ride ticket which has MIFARE inside. 18 00:01:17,083 --> 00:01:21,417 So what is it? 19 00:01:23,999 --> 00:01:28,959 RFID chips are designed to work at target frequency 1356 megahertz 20 00:01:28,959 --> 00:01:33,584 frequency and a lot of times as I told you before. 21 00:01:33,584 --> 00:01:37,209 There is a MIFARE classic ULTRALIGHT a lot of types. 22 00:01:37,334 --> 00:01:39,167 And the ULTRALIGHT is cheap. 23 00:01:39,375 --> 00:01:40,999 But it has a problem. 24 00:01:40,999 --> 00:01:43,999 It is not it has no hardware encryption. 25 00:01:44,501 --> 00:01:49,959 So how we came to this hack? 26 00:01:50,292 --> 00:01:55,959 Well, we started studying NFC chips when from January 27 00:01:55,959 --> 00:02:02,999 the local transportation system in Turin updated their stamping 28 00:02:02,999 --> 00:02:10,834 machines and so it was possible to use those tickets to ride the bus 29 00:02:10,834 --> 00:02:14,209 or Metro or what else. 30 00:02:14,209 --> 00:02:24,209 And it had the same vulnerability I was telling you about before. 31 00:02:24,834 --> 00:02:27,417 But the point is we didn't know anything 32 00:02:27,417 --> 00:02:31,125 about the structure of this ticket. 33 00:02:31,125 --> 00:02:33,999 So we tried with that vulnerability but we failed. 34 00:02:34,125 --> 00:02:36,209 That was the point, we failed. 35 00:02:36,667 --> 00:02:41,959 We tried to and so you know, if you don't know what are you dealing 36 00:02:41,959 --> 00:02:46,959 with, it is, let's say it's tricky to solve it. 37 00:02:46,959 --> 00:02:51,209 So we decided to study better the kind of technology 38 00:02:51,209 --> 00:02:57,999 in case we discovered that we tried to make some little experiments 39 00:02:57,999 --> 00:03:03,459 and so we decided to stamp one ticket after the other 40 00:03:03,459 --> 00:03:09,459 and comparing the results we have an NFC reader and we read 41 00:03:09,459 --> 00:03:13,125 the dumps of those tickets. 42 00:03:13,125 --> 00:03:18,417 And we were comparing them to find if there were some similarities 43 00:03:18,417 --> 00:03:23,501 something similar to compare it and to find for example how does 44 00:03:23,501 --> 00:03:26,876 the data saved on the ticket. 45 00:03:27,083 --> 00:03:31,999 So we managed to get in empiric results of this. 46 00:03:38,125 --> 00:03:42,999 So assume that you know we're exactly the last time of the stamp 47 00:03:42,999 --> 00:03:46,125 of your ticket is being stored. 48 00:03:46,125 --> 00:03:50,667 If you have an NFC form with an NFC reader and writer, 49 00:03:50,667 --> 00:03:54,999 you can actually change the field where the time 50 00:03:54,999 --> 00:03:58,792 of your last stamp is stored. 51 00:03:58,792 --> 00:04:01,999 And so that in this way, you can easily bypass the system 52 00:04:01,999 --> 00:04:07,959 of stamping, the stamping machine, you can stamp by yourself your ticket. 53 00:04:07,999 --> 00:04:15,209 And this is where we wanted to wanted to get. 54 00:04:15,542 --> 00:04:17,999 The point we were looking for. 55 00:04:18,292 --> 00:04:22,167 The problem is it is not so reliable the kind of thing, you have a reader 56 00:04:22,167 --> 00:04:24,709 and things to deal with. 57 00:04:27,584 --> 00:04:30,959 It is not the point. 58 00:04:30,959 --> 00:04:34,167 If you want to add something about that the point 59 00:04:34,167 --> 00:04:37,459 is that we managed to solve our problem 60 00:04:37,459 --> 00:04:42,584 because when we looked more in we pay more attention about how 61 00:04:42,584 --> 00:04:45,125 the ticket was made. 62 00:04:47,375 --> 00:04:52,292 We came to a solution and we found that 63 00:04:52,292 --> 00:05:00,876 the answer to hack the ticket and find a way to make it limited was 64 00:05:00,876 --> 00:05:03,999 in the log bites. 65 00:05:03,999 --> 00:05:09,501 Log bytes are a sector of the ticket and he will speak about that now. 66 00:05:10,999 --> 00:05:15,125 This is the ticket of my city. 67 00:05:15,334 --> 00:05:21,834 The 5 rides ticket so you can stamp it until five times and then it expires. 68 00:05:24,083 --> 00:05:30,501 We will look at the log bytes and OTP is the only security function 69 00:05:30,501 --> 00:05:33,999 in the ULTRALIGHT tickets. 70 00:05:34,250 --> 00:05:38,751 There are four bytes and by that four they are all set to zero. 71 00:05:38,999 --> 00:05:42,918 When you stamp the ticket, there is an operation that 72 00:05:42,918 --> 00:05:45,542 to turn one bit to one. 73 00:05:45,709 --> 00:05:48,083 So you can turn it back to zero. 74 00:05:48,667 --> 00:05:54,209 That's the only way you can stamp the ticket without any fraud. 75 00:05:54,292 --> 00:06:02,501 There are a number of possible rights on each ticket 76 00:06:02,501 --> 00:06:07,999 and we'll speak about later. 77 00:06:07,999 --> 00:06:09,334 The data sector. 78 00:06:23,751 --> 00:06:26,334 (Applause.) I saw one of your slides coming in, 79 00:06:26,334 --> 00:06:28,876 it's not going to be funny. 80 00:06:28,876 --> 00:06:32,584 (Laughter) We have decided to brand this spot the fed, this 81 00:06:32,584 --> 00:06:35,167 is now shot the n00b. 82 00:06:35,167 --> 00:06:36,167 Are you even 18? 83 00:06:36,167 --> 00:06:41,250 No, we're not. 84 00:06:41,250 --> 00:06:43,167 He's of legal drinking age in Italy. 85 00:06:43,167 --> 00:06:52,250 And this stage is actually technically part 86 00:06:52,250 --> 00:07:09,125 of Italy audience, raise your hand if it's your first DEF CON. 87 00:07:09,125 --> 00:07:17,375 You, sir, get up here. 88 00:07:17,375 --> 00:07:19,375 On stage somehow. 89 00:07:20,999 --> 00:07:24,999 To all the new people at DEF CON. 90 00:07:33,834 --> 00:07:34,959 Cheers! 91 00:07:34,999 --> 00:07:36,083 Okay. 92 00:07:36,209 --> 00:07:46,999 Where was I? 93 00:07:48,250 --> 00:07:49,626 Okay. 94 00:07:52,584 --> 00:07:54,083 They were strong. 95 00:07:57,542 --> 00:08:03,792 The data sector was used in the past attack, 2011 attack for rights. 96 00:08:03,792 --> 00:08:09,209 But the sector is readable, writable so you just swipe it 97 00:08:09,209 --> 00:08:12,501 and get a new ticket. 98 00:08:12,751 --> 00:08:18,626 But in they fixed it so in Turin it doesn't work any more. 99 00:08:18,999 --> 00:08:24,999 So for about just code time time stamp from the machine and reproduce it 100 00:08:24,999 --> 00:08:28,918 without touching the OTP sector. 101 00:08:28,918 --> 00:08:33,209 So the rides remain the same but we can stamp it ourselves. 102 00:08:33,959 --> 00:08:39,999 We're not getting the point because of lack of NFC. 103 00:08:39,999 --> 00:08:41,125 We're poor. 104 00:08:41,501 --> 00:08:50,167 If you want stamps of our ticket, we'll give you at the Q&A session. 105 00:08:50,626 --> 00:08:52,334 No problem. 106 00:08:52,334 --> 00:08:57,999 These are some empirical results we can speak more later. 107 00:08:58,999 --> 00:09:00,334 Doesn't matter. 108 00:09:00,334 --> 00:09:04,375 Okay, lock ak sector, this is the most important part of our talk. 109 00:09:04,667 --> 00:09:07,876 This is the point we found solution. 110 00:09:08,250 --> 00:09:09,626 There are two bytes. 111 00:09:09,626 --> 00:09:12,999 First is red and second is orange. 112 00:09:12,999 --> 00:09:15,542 Okay, each bit of bytes can lock 113 00:09:15,542 --> 00:09:19,584 a sector and make it read only. 114 00:09:21,334 --> 00:09:29,999 So what we did is just lock the bit or lock bit sector that made read only 115 00:09:29,999 --> 00:09:32,542 the OTP data. 116 00:09:32,918 --> 00:09:37,918 Machine tries to do it but read only and I cannot. 117 00:09:41,167 --> 00:09:44,999 When we first made our test on the road. 118 00:09:44,999 --> 00:09:48,083 We found a little problem because it's not good 119 00:09:48,083 --> 00:09:52,999 by that your 5 rides ticket and then have always 5 rides when 120 00:09:52,999 --> 00:09:54,999 they test it. 121 00:09:54,999 --> 00:09:57,626 You forgot to took one of the rides. 122 00:09:59,876 --> 00:10:01,083 And so it was Not good. 123 00:10:01,083 --> 00:10:04,292 What are you going to say to the man who is going 124 00:10:04,292 --> 00:10:06,999 to check your ticket. 125 00:10:06,999 --> 00:10:12,167 Okay. 126 00:10:13,918 --> 00:10:15,459 How to fix it. 127 00:10:15,792 --> 00:10:19,501 The lock attack is quite easy to be fixed. 128 00:10:19,959 --> 00:10:26,083 Because you just need to check if the OTP bits is read only or not. 129 00:10:26,250 --> 00:10:29,834 And if it's read only refuse to validate. 130 00:10:29,959 --> 00:10:34,918 But the name problem is the time attack Yeah, the point 131 00:10:34,918 --> 00:10:40,999 is there are two vulnerabilities we found but we exploit just one 132 00:10:40,999 --> 00:10:44,292 because of lack of time and hardware 133 00:10:44,292 --> 00:10:47,501 as he explained before. 134 00:10:48,459 --> 00:10:52,375 The time for vulnerability is easy to exploit 135 00:10:52,375 --> 00:10:56,459 if we can actually decode the data. 136 00:10:56,876 --> 00:11:02,667 And what if if you know exactly how the data was encoded and where it 137 00:11:02,667 --> 00:11:08,167 is exactly located inside your ticket, it will be really easy 138 00:11:08,167 --> 00:11:13,209 to exploit this because if you have NFC reader, writer, 139 00:11:13,209 --> 00:11:18,501 you can write the data etch ooh team you want. 140 00:11:18,501 --> 00:11:22,501 You can put your ticket on your NFC phone and just stamp 141 00:11:22,501 --> 00:11:29,083 the actual data so the actual time if it is 5:15 then the you put your ticket 142 00:11:29,083 --> 00:11:35,501 over your phone and then you can write 5:15 each time you want. 143 00:11:35,584 --> 00:11:39,999 So you can bypass the validating system so you can still 144 00:11:39,999 --> 00:11:45,999 have four rides left and you're just adjusting the time. 145 00:11:46,292 --> 00:11:51,417 And that will be really hard to be fixed. 146 00:11:51,417 --> 00:11:54,999 Because all the data written inside the ticket 147 00:11:54,999 --> 00:12:01,626 is not encrypted hardware speaking so, if you're able to decode this, it 148 00:12:01,626 --> 00:12:06,999 will be hard to fix it while the lack attack so the exploit 149 00:12:06,999 --> 00:12:11,209 he was thinking about will be easy to be fixed 150 00:12:11,209 --> 00:12:17,999 because if the stamp machine checks if the lock bit is on or off, and then 151 00:12:17,999 --> 00:12:22,999 with feedback way, that stamp machine can immediately 152 00:12:22,999 --> 00:12:27,083 know if your ticket is fake or not. 153 00:12:27,584 --> 00:12:32,083 So now we are going to study more about those kind 154 00:12:32,083 --> 00:12:37,999 of tickets and try to decode data and if you'd like to help us, 155 00:12:37,999 --> 00:12:41,083 we are open minded we will give you 156 00:12:41,083 --> 00:12:46,834 the dumps and any help will be developed very well. 157 00:12:46,999 --> 00:12:48,999 Is that is the point. 158 00:12:48,999 --> 00:12:53,876 So we also thought about a solution for the time attack 159 00:12:53,876 --> 00:13:00,209 but it should require fine upgrade that enabled software encryption 160 00:13:00,209 --> 00:13:07,709 on the ticket because if you encrypt the ticket, you can just time stamp your 161 00:13:07,709 --> 00:13:10,959 ticket with your phone. 162 00:13:12,876 --> 00:13:16,417 But we spoke of that with our transport company and 163 00:13:16,417 --> 00:13:20,626 they say yeah, yeah, and never did anything. 164 00:13:20,626 --> 00:13:26,834 We're still waiting that our vulnerability is fixed on the ground we don't really 165 00:13:26,834 --> 00:13:29,083 know about that. 166 00:13:31,918 --> 00:13:32,999 Okay. 167 00:13:32,999 --> 00:13:37,125 We are working about tool that should do it 168 00:13:37,125 --> 00:13:40,999 everything automatically. 169 00:13:41,375 --> 00:13:47,751 And actually, it is written in Python and works on Linux computer. 170 00:13:50,959 --> 00:13:58,417 You need NFC, that is the tool we used for encoding 171 00:13:58,417 --> 00:14:02,999 and writing the tickets. 172 00:14:02,999 --> 00:14:05,999 It is a meter you can find anywhere cheap for $10 173 00:14:05,999 --> 00:14:11,792 on eBay or something like that and get free rides for your life. 174 00:14:14,542 --> 00:14:16,959 (Laughter) We started selling these. 175 00:14:27,542 --> 00:14:33,626 We're open for donation of the set but we have lack of money. 176 00:14:42,459 --> 00:14:45,959 So I think that's it. 177 00:14:46,083 --> 00:14:49,542 If you have questions about how we got into it 178 00:14:49,542 --> 00:14:53,459 but I think I don't know if you got the meaning 179 00:14:53,459 --> 00:14:56,999 of what we're speaking about. 180 00:14:57,167 --> 00:14:59,999 You know, it is a little difficult to speak 181 00:14:59,999 --> 00:15:05,167 in another language when you're outside and but we tried. 182 00:15:05,167 --> 00:15:09,417 And I think it has been a very good experience, I think, 183 00:15:09,417 --> 00:15:15,709 I hope you enjoyed this talk and I hope well, you got the clue for us, 184 00:15:15,709 --> 00:15:19,999 it was a very big not surprise but we were happy 185 00:15:19,999 --> 00:15:25,083 to fine something about this and to have been accepted here 186 00:15:25,083 --> 00:15:28,834 to explain you what we found. 187 00:15:29,209 --> 00:15:32,209 If you want to test the vulnerability on your city, 188 00:15:32,209 --> 00:15:35,999 we're glad to receive feedback and also invitation for lunch, dinner, 189 00:15:35,999 --> 00:15:38,083 coffee, everything. 190 00:15:38,083 --> 00:15:46,626 (Laughter) (Applause) I think speaking 191 00:15:46,626 --> 00:15:58,459 about things wouldn't be so appreciated by you. 192 00:15:58,459 --> 00:16:03,292 I don't know if you will appreciate to speak about the very detail 193 00:16:03,292 --> 00:16:08,667 of if you want in the Q&A, you can ask for further information 194 00:16:08,667 --> 00:16:12,375 and details about those tickets. 195 00:16:12,709 --> 00:16:17,375 So you have any questions? 196 00:16:17,999 --> 00:16:19,250 Or? 197 00:16:19,250 --> 00:16:24,334 AUDIENCE: How do you find out what technology your mass transit 198 00:16:24,334 --> 00:16:26,876 system was using. 199 00:16:26,876 --> 00:16:32,334 Yeah, the advertising on the Web site. 200 00:16:38,083 --> 00:16:41,999 (Laughter) Google. 201 00:16:42,167 --> 00:16:44,501 AUDIENCE: That's convenient. 202 00:16:44,501 --> 00:16:47,083 There's a similar system in use the Bay Area. 203 00:16:47,167 --> 00:16:49,999 I'm interested in what you were talking 204 00:16:49,999 --> 00:16:54,083 about with the time stamp because the San Francisco system, 205 00:16:54,083 --> 00:16:58,542 the way it works is you swipe to get on the bus the first time 206 00:16:58,542 --> 00:17:03,417 and you have 90 minutes to be able to Like in Turin. 207 00:17:03,417 --> 00:17:05,918 AUDIENCE: So you have the same system there. 208 00:17:05,918 --> 00:17:06,542 So it just amounts to changing the time stamp 209 00:17:06,542 --> 00:17:10,167 on that and you change it to now and you get 90 minutes from now 210 00:17:10,167 --> 00:17:13,501 to be able to ride and you can do that. 211 00:17:13,501 --> 00:17:16,083 That's your free for life system. 212 00:17:16,083 --> 00:17:17,083 Is that correct? 213 00:17:17,083 --> 00:17:23,334 Yeah, there's the work in progress because just a second. 214 00:17:23,334 --> 00:17:24,334 Okay. 215 00:17:26,125 --> 00:17:29,751 If you're see, we are just guessing where 216 00:17:29,751 --> 00:17:36,209 the realtime stamp is stored because we didn't have an NFC phone. 217 00:17:36,209 --> 00:17:39,999 So going on the train with a computer five tickets and then 218 00:17:39,999 --> 00:17:42,999 an this, it's not so good. 219 00:17:42,999 --> 00:17:49,834 But -- There's nothing suspicious about that at all. 220 00:17:49,834 --> 00:17:50,999 It happens all the time. 221 00:17:51,125 --> 00:17:54,083 In San Francisco anyway, you see that stuff all the time. 222 00:17:54,083 --> 00:17:55,083 Okay. 223 00:17:55,083 --> 00:17:59,250 So, if you have invitation for San Francisco. 224 00:17:59,250 --> 00:18:15,584 AUDIENCE: Love to have you. 225 00:18:16,999 --> 00:18:20,417 We sent a mail to the company explaining that we 226 00:18:20,417 --> 00:18:23,083 found this vulnerability. 227 00:18:23,083 --> 00:18:24,083 Yesterday. 228 00:18:24,083 --> 00:18:38,083 (Laughter) (Applause) They are not geeks so they can't reply very fast. 229 00:18:38,083 --> 00:18:40,999 So we're waiting now for a reply. 230 00:18:40,999 --> 00:18:41,999 No. 231 00:18:41,999 --> 00:18:45,209 We are publishing a white paper about that and we send it to them. 232 00:18:45,209 --> 00:18:46,999 But I hope they won't fix on this. 233 00:18:46,999 --> 00:18:48,876 Because I take some ground very often. 234 00:18:48,876 --> 00:18:51,751 If you want to read our white paper, it will be available. 235 00:18:51,751 --> 00:18:52,918 We will share with you. 236 00:18:52,918 --> 00:18:54,459 Very bad written but it works. 237 00:18:54,459 --> 00:18:55,459 Anyone else? 238 00:18:55,459 --> 00:18:56,459 No invitation? 239 00:18:56,459 --> 00:18:57,626 (Laughter) Thank you. 240 00:18:57,626 --> 00:18:58,792 Thank you very much. 241 00:18:58,792 --> 00:18:59,999 There is information. 242 00:18:59,999 --> 00:18:59,999 If you won't send us invitation after the talk 243 00:18:59,999 --> 00:19:01,501 because our talk I don't know. 244 00:19:01,501 --> 00:19:03,375 Twitter mine is @ bughardy This is his. 245 00:19:03,375 --> 00:19:06,459 If you want to find us on Twitter, just thank you very much. 246 00:19:06,459 --> 00:19:08,959 If you have a question, just raise your hand. 247 00:19:08,959 --> 00:19:08,959 Don't come here so everyone can -- So I totally missed your talk, 248 00:19:08,959 --> 00:19:09,959 you ended earlier. 249 00:19:09,959 --> 00:19:12,375 We got another 20 minutes so we're going to do Q&A. 250 00:19:12,375 --> 00:19:12,375 I missed the talk so I don't have any questions but I hear it has to do 251 00:19:12,375 --> 00:19:13,459 with NFC technology. 252 00:19:13,459 --> 00:19:14,459 You? 253 00:19:14,459 --> 00:19:15,459 Maybe? 254 00:19:15,459 --> 00:19:16,459 It's okay. 255 00:19:16,459 --> 00:19:17,876 So what's your talk about? 256 00:19:17,876 --> 00:19:18,876 Again, okay. 257 00:19:18,876 --> 00:19:19,876 It was about NFC. 258 00:19:19,876 --> 00:19:20,999 Use the microphone. 259 00:19:20,999 --> 00:19:21,999 Sorry. 260 00:19:21,999 --> 00:19:23,125 We have another drink. 261 00:19:23,125 --> 00:19:24,125 Another drink. 262 00:19:24,125 --> 00:19:25,125 Yes! 263 00:19:25,125 --> 00:19:26,125 Yes. 264 00:19:26,125 --> 00:19:27,999 This is your first DEF CON, isn't it? 265 00:19:27,999 --> 00:19:28,999 Yes! 266 00:19:28,999 --> 00:19:28,999 So, if you do have any questions, you can feel to come in and get 267 00:19:28,999 --> 00:19:31,083 in line here because I didn't see the talk. 268 00:19:31,083 --> 00:19:32,083 Okay. 269 00:19:32,083 --> 00:19:34,584 So we are waiting for some questions if you have. 270 00:19:34,584 --> 00:19:36,375 We just run a little bit with our talk. 271 00:19:36,375 --> 00:19:37,375 Okay. 272 00:19:37,375 --> 00:19:38,959 I can see we spent 32 minutes. 273 00:19:38,959 --> 00:19:40,999 Yahoo So we've made this mistake before. 274 00:19:40,999 --> 00:19:42,209 We'd like to apologize. 275 00:19:42,209 --> 00:19:44,876 What the picture says is not what it represented. 276 00:19:44,876 --> 00:19:46,459 So yes, you actually have an hour. 277 00:19:46,459 --> 00:19:47,459 Bonus. 278 00:19:47,459 --> 00:19:47,459 So we're going on and let's say there 279 00:19:47,459 --> 00:19:48,459 is a question here. 280 00:19:48,459 --> 00:19:48,459 You said OTP but I don't know what One 281 00:19:48,459 --> 00:19:49,501 time programmable. 282 00:19:49,501 --> 00:19:51,918 Could you get a little bit deeper into that? 283 00:19:51,918 --> 00:19:53,667 Yeah, an explanation, of course. 284 00:19:53,667 --> 00:19:55,999 OTP section is made up is composed by 4 bytes. 285 00:19:55,999 --> 00:19:55,999 And each one of those is when the ticket is new, brand new, they are 286 00:19:55,999 --> 00:19:58,083 all set to zero, all the bits are set to zero. 287 00:19:58,083 --> 00:19:58,083 So when you stamp your ticket and the validator machine checks how 288 00:19:58,083 --> 00:20:00,999 many zeroes are in your OTP or in target section of the OTP. 289 00:20:00,999 --> 00:20:02,999 Did you say you need another drink? 290 00:20:02,999 --> 00:20:04,417 Yeah, of course, we need it. 291 00:20:04,417 --> 00:20:04,417 So the stamp machine checks how many zeroes are left and then 292 00:20:04,417 --> 00:20:04,417 the stamp machines knows how many tickets are left 293 00:20:04,417 --> 00:20:05,999 in your multiple ride ticket. 294 00:20:05,999 --> 00:20:05,999 When you stamp your ticket the machine turns the bits 295 00:20:05,999 --> 00:20:06,999 from zero to 1. 296 00:20:06,999 --> 00:20:08,626 This operation is irreversible. 297 00:20:08,626 --> 00:20:10,751 So you can't turn them back to zero again. 298 00:20:10,751 --> 00:20:10,751 Because actually, when you attempt to write something on the OTP section, 299 00:20:10,751 --> 00:20:13,459 you are ordering all the bits, bit wise or they are old. 300 00:20:13,459 --> 00:20:13,459 So you know that an or operation will not give you back a zero if one 301 00:20:13,459 --> 00:20:15,209 of the two You want another drink. 302 00:20:15,209 --> 00:20:16,209 Here you go. 303 00:20:16,209 --> 00:20:19,876 If one of the two bits is set to 1, it is impossible to get back to zero. 304 00:20:19,876 --> 00:20:20,999 Is he still talking. 305 00:20:20,999 --> 00:20:21,999 3, 2, 1, go! 306 00:20:21,999 --> 00:20:22,999 (Applause) Okay. 307 00:20:22,999 --> 00:20:22,999 So when all the bits when all the bits are turned to 1, 308 00:20:22,999 --> 00:20:22,999 the stamp machine is aware that your ticket has run 309 00:20:22,999 --> 00:20:23,999 out of rides. 310 00:20:23,999 --> 00:20:23,999 And so the stamp machine says your ticket 311 00:20:23,999 --> 00:20:24,999 is empty now. 312 00:20:24,999 --> 00:20:24,999 So our vulnerability exploits the system because if you freeze 313 00:20:24,999 --> 00:20:24,999 the actual number of rides left, the machine cannot turn those bits 314 00:20:24,999 --> 00:20:27,999 from 0 to 1 and locking forever the status of your rides left. 315 00:20:27,999 --> 00:20:27,999 So, if you can make this section read only, the machine won't be able any 316 00:20:27,999 --> 00:20:29,209 more to turn those to one. 317 00:20:29,209 --> 00:20:32,459 And so you have none, three rides, four rides, locked forever. 318 00:20:32,459 --> 00:20:32,459 So your ticket will be four rides and no one will change it the number 319 00:20:32,459 --> 00:20:33,459 of rides left. 320 00:20:33,459 --> 00:20:34,542 And that is the point. 321 00:20:34,542 --> 00:20:34,542 That is -- So, if you lock the car like that, 322 00:20:34,542 --> 00:20:36,999 what effect does that have then on the time stamp. 323 00:20:36,999 --> 00:20:36,999 If you verified your card, will the not it not have 324 00:20:36,999 --> 00:20:39,209 a time stamp from the first time you used it? 325 00:20:39,209 --> 00:20:40,918 Can you repeat the question? 326 00:20:40,918 --> 00:20:42,751 Sure, you have two attacks, right? 327 00:20:42,751 --> 00:20:42,751 Your attack is locking the card so you can't remove rides 328 00:20:42,751 --> 00:20:42,751 from it and the other is modifying the time of th-- e but, if you lock 329 00:20:42,751 --> 00:20:44,417 the card, does it not lock the time? 330 00:20:44,417 --> 00:20:45,417 No. 331 00:20:45,417 --> 00:20:46,876 It doesn't lock the time? 332 00:20:46,876 --> 00:20:49,834 No, because the time stamp is stored in the data sector. 333 00:20:49,834 --> 00:20:51,501 The rights is stored in OTP sector. 334 00:20:51,501 --> 00:20:51,501 So we can lock only OTP sector and the left data sector read only 335 00:20:51,501 --> 00:20:52,501 and writable. 336 00:20:52,501 --> 00:20:52,501 You said that you used C and C++ to write the code and I'd 337 00:20:52,501 --> 00:20:54,375 like to know which library did you use. 338 00:20:54,375 --> 00:20:56,209 Actually, it's written in Python. 339 00:20:56,209 --> 00:20:56,209 we plan to import it to C. 340 00:20:56,209 --> 00:20:56,209 In python we're using a standard tool called NFC tool, 341 00:20:56,209 --> 00:20:56,209 which is open source, you can find it on Google code or 342 00:20:56,209 --> 00:20:59,375 on but remember you can compile it for Linux and totally free. 343 00:20:59,375 --> 00:20:59,375 For C and C++, there is a C that is also open source, we'll use it when 344 00:20:59,375 --> 00:21:01,501 in the few weeks, I hope to have a new tool. 345 00:21:01,501 --> 00:21:02,501 Okay. 346 00:21:02,501 --> 00:21:02,501 Could you could you tell me a good book for study the protocol 347 00:21:02,501 --> 00:21:04,167 and NFC protocol or you don't know? 348 00:21:04,167 --> 00:21:05,250 Well, I don't know. 349 00:21:05,250 --> 00:21:07,083 Okay, just research on Internet. 350 00:21:07,083 --> 00:21:08,083 Okay. 351 00:21:08,083 --> 00:21:08,083 They look at first vulnerability of 2011 and then we do empirical 352 00:21:08,083 --> 00:21:10,751 results and we start to study on the vertical tool. 353 00:21:10,751 --> 00:21:12,584 So we didn't have book or just Google. 354 00:21:12,584 --> 00:21:13,584 Okay, nice. 355 00:21:13,584 --> 00:21:14,584 Next? 356 00:21:14,584 --> 00:21:15,667 Any other questions? 357 00:21:15,667 --> 00:21:16,667 Maybe there. 358 00:21:16,667 --> 00:21:17,667 No question. 359 00:21:17,667 --> 00:21:17,667 The proximal, we plan to use it for attack because if we can't, 360 00:21:17,667 --> 00:21:17,667 the code data because it's somewhere encrypted, 361 00:21:17,667 --> 00:21:17,667 software encrypted, we can still sniff the data 362 00:21:17,667 --> 00:21:19,999 because the communication is totally clear. 363 00:21:19,999 --> 00:21:19,999 And the stamp using the so we stamp only 364 00:21:19,999 --> 00:21:19,999 the data sector without the OTP sector and so also, 365 00:21:19,999 --> 00:21:22,709 if you encrypt the data sector we can have free rides. 366 00:21:22,709 --> 00:21:24,918 So yes, the ULTRALIGHT is totally broken. 367 00:21:24,918 --> 00:21:25,918 Turin, Italy. 368 00:21:25,918 --> 00:21:29,125 You want to come and have a visit of Turin we offer free booth rides. 369 00:21:29,125 --> 00:21:30,125 Cheap 1 with the bus. 370 00:21:30,125 --> 00:21:31,918 I think Bologna but I'm not sure. 371 00:21:31,918 --> 00:21:31,918 And I think Milan is going to upgrade system to NFC 372 00:21:31,918 --> 00:21:34,334 but at the moment I only know of Turin and Bologna. 373 00:21:34,334 --> 00:21:35,999 The point is that the I'm sorry. 374 00:21:35,999 --> 00:21:36,999 The question? 375 00:21:36,999 --> 00:21:36,999 The point is the transportation system is using 376 00:21:36,999 --> 00:21:40,083 the MIFARE ULTRALIGHT because cheaper than other NFC chips. 377 00:21:40,083 --> 00:21:40,083 It is cheaper because it is hardware encrypted and that's 378 00:21:40,083 --> 00:21:42,250 the problem of the NFC MIFARE ULTRALIGHT. 379 00:21:42,250 --> 00:21:42,250 But the corporation systems do not realize that and they're still using those 380 00:21:42,250 --> 00:21:43,959 chips even if they are cheaper. 381 00:21:43,959 --> 00:21:44,999 So that's the point. 382 00:21:44,999 --> 00:21:45,999 Any other questions? 383 00:21:45,999 --> 00:21:49,125 An card is different type of NFC chips, they're MIFARE plastic. 384 00:21:49,125 --> 00:21:50,999 They're broken like six years ago. 385 00:21:50,999 --> 00:21:51,999 They are less fun. 386 00:21:51,999 --> 00:21:52,999 Anyone else? 387 00:21:52,999 --> 00:21:55,334 If you want some stamps, we're just outside. 388 00:21:55,334 --> 00:21:56,334 We can give them. 389 00:21:56,334 --> 00:21:57,999 Thank you very much, once again. 390 00:21:57,999 --> 00:21:59,626 And I hope you enjoyed this talk. 391 00:21:59,626 --> 00:22:00,626 And Okay. 392 00:22:00,626 --> 00:22:03,083 You made us happy to explain you all those things. 393 00:22:03,083 --> 00:22:05,125 And I think it was a very good experience. 394 00:22:05,125 --> 00:22:06,375 So thank you once again. 395 00:22:06,375 --> 00:22:07,375 Okay. 396 00:22:07,375 --> 00:22:08,375 Yeah. 397 00:22:08,375 --> 00:22:08,375 The next speaker I'm going to go grab him if you're here 398 00:22:08,375 --> 00:22:11,459 for what you thought was a 30 minute talk is actually an hour. 399 00:22:11,459 --> 00:22:11,459 If you read your pamphlet there, you'll see in the bottom 400 00:22:11,459 --> 00:22:13,459 in parens that the other starts at 1600. 401 00:22:13,459 --> 00:22:14,918 So so excuse me for a second. 402 00:22:14,918 --> 00:22:15,918 There we go. 403 00:22:15,918 --> 00:22:16,918 That's better. 404 00:22:16,918 --> 00:22:19,626 So let me go get him and we'll get him started up for you. 405 00:22:19,626 --> 00:22:22,083 And we'll get him settled in and then get it going. 406 00:22:22,083 --> 00:22:23,083 Okay.