>> So good afternoon, it's really great to meet you awesome people and to share my work here. My name's Haoqi Shan and I'm a wireless and hardware security researcher in the team UnicornTeam at Qihoo 360, which is located in China. Initially I had a colleague, I'm sorry, one moment. Initially I had a colleague to give the presentation with me, but he had an issue with his visa so he can't make it, really sorry about that. So now I need to stand here alone and make this presentation. It's my third time giving a presentation here and sharing my team's work, and I hope some of you will remember me, and just don't blame me for my poor accent and poor explanation. I'm sorry, yeah, I will explain and demonstrate to you guys how to build an NFC tool from scratch, so in the end maybe some of you can get the skills and steal some money from someone's credit card; please don't tell anybody you learned it from here, alright? Yeah. [laughter] So let's just step to the topic. Here's the agenda of this presentation; I just drew a simple diagram. I will introduce my great team and lead you guys back to the old time when we were trying to hack NFC cards or something with RFID, and get back to the old-fashioned but powerful hacking tools we used to use, okay? Then the details of the newest RFID hacking tool, which is my tool UniProxy, will be introduced. Two demos will be shown by video, and I hope this one will work, okay?
So the presentation is about how to build a tool, so I will focus more on the idea and still on some hacking skills, and hopefully won't let you guys down. By the way, this is the last presentation of the day, I think, so I will try to make this fast and fun, and I hope I won't delay you guys. So here is the first demo of my hacking tool, and I will let you guys get a simple impression of the UniProxy. So let's just... okay, this won't work... oh. So I will stop it in a moment to give you an explanation, okay? So you can see on the table there are these ones: there are two hardware devices, which are UniProxy, one cell phone to get the notification, one POS machine and one credit card with chip and PIN. So now we just turn our hardware on and turn our POS machine on and choose how much money you want to spend. You can see we place one credit card just near the UniProxy master part, and now we just get the POS machine near to our UniProxy slave part. So you can just tap it, and then, just one moment, it's processing it. Now you've got a receipt. So in this way you can just steal someone's money by just tapping his credit card. If you want to steal someone's money, you know, with some credit cards with chip and PIN you can just tap somewhere without a password, without presenting a PIN, right? But if you want to try to steal money, apparently you can't just hold a giant POS machine to steal his money or he will just call the cops, right? So now you can just, with a simple card, get around him and just tap it, and now you can get the money. And maybe someone wants to ask, is there any security protocol used in his credit card, and how did you use some other people's credit card to pay? Yeah.
So that's the UniProxy tool we just built. I just want to introduce my team. You should know our name's Unicorn Team and we are an internal security research team of Qihoo 360, founded in 2014. We focus on wireless and hardware hacking and defense, and we do a lot of security research and hardware development and also pentesting. We do have a series of wireless research published at DEF CON and Black Hat, and maybe some of you heard it before: it's about the low-cost GPS spoofing, which was presented 3 years ago, and also the LTE redirection attack, which we presented here last year. We also had a power communication attack at DEF CON last year, and this year, I don't know if you guys heard it, it's about the Ghost Telephonist, with which we can hijack and spoof your call, your SMS, even when you are on the 4G LTE network. So I think that's a little bit cool. We also have some hardware developed, so we do have a lot of hacking tools. We do have the HackID, but most of them focus on RFID, okay, just some HackID, HackID Pro, et cetera, so you can see all the details on our website. I believe you guys are not inexperienced in near field communication hacking, because it's widely used in our life, right? Your credit card, your ID card, and your security card, it's really all around us. The NFC card doesn't need power itself; it takes the power from the reader. There are many protocols you will see on the cards, such as ISO 14443 and ISO 15693, et cetera, but now we only focus on ISO 14443, okay?
Just for example, this protocol is basically the most popular protocol in NFC cards; it supports many applications. In China the security card, your passport and your bank card are all based on this protocol, so it's widely used, and there are a lot of attacking measures even on the NFC card, and I do that too. So here is what we are aiming at: why do we want to hack an NFC card? As we mentioned before, we are hackers, and of course we want to fake someone's security card to enter some forbidden area, and also some people might want to use other people's credit card, just like me, yeah, instead of mine, which I highly recommend you don't do. [chuckles] For me, that's another story, okay? [laughter] My company is a huge company in China, so it had to set up a rule to make sure my colleagues go to work and leave work on time, so everybody in my company has a unique security card, and the security system will log the time when you enter every day, when you enter every room. So your boss will easily know whether you are late or not, and also if you are late for work you will lose salary, alright. Yeah.
So I was thinking maybe I could build a tool to fake my ID card and place it near some security doors with a reader, so I don't have to get up early every day, yeah. [laughter] But the company is a security company, and actually the security system is developed by my team [laughter], yeah [laughs], so this is awkward, yeah. So we use the HID card as our ID card, and I don't know any easy way to fake an HID card, because breaking the security protocol is really hard. So I was thinking maybe I can just build a proxy tool to transfer the signal between the reader and the card, so that the near becomes far away and I can spoof that. So I was thinking I can use the same way on the credit card with the chip and PIN. You guys do have chip and PIN cards, right? You can just buy something and tap somewhere without a password, so it's also based on the [inaudible] attack, so we are able to just hijack it. So I'm sorry, I forgot to... So the way we used to hack is, let's just have a quick review of what we used to do, okay?
We used to use a Proxmark III and ChameleonMini. The Proxmark III is the best RFID hacking tool I used to use, and I also used ChameleonMini. These tools are focused on the protocol: with the Proxmark III you can hack both high frequency and low frequency, so it's very powerful, but the other one is just focused on ISO 14443, and you can just clone a card if you can crack it, but mostly it focuses on Mifare Classic 1K or Mifare Classic 4K. There's also another way, just like ours, which is a proxy tool; I think they are Android apps, so you can Google it, download it, and then trust it and try it. Their names are NFCProxy and NFCGate, but when I used them they were maybe not fitting China's environment, but that's okay; those tools just inspired me on how to build a proxy tool. So why not use a Proxmark III? It is simple: even though it supports many protocols and it's powerful, it can't hack a credit card at all; I guess we'd all be rich now, yeah. And why don't we use NFCGate or NFCProxy? It's based on Android and it uses modified firmware to relay your NFC data, and it can monitor transmitted data, but it relies on Wi-Fi, so the delay on the Wi-Fi network is really huge and it can't be tolerated. Too much delay to complete the whole payment procedure, and that's why I didn't use it.
So let's just say I built another wheel. Why do I need this tool? As I just mentioned before, I want to sleep a while and I want to earn money, and I'm inspired by the mentioned brilliant hacking tools, but I want to make it faster. So I was thinking my team can build a lot of hardware, so let's just focus on a pure hardware solution. Also this tool is completely self-designed and modified, so everything we need is just produced by us, so we don't need to rely on reading some other source or to protect another hardware design; we'll just build our own. So I just want to introduce what UniProxy is. I believe you guys have a clear view now: it's a PN7462AU-based NFC proxy tool, a chipset which is manufactured by NXP. Currently this device only supports the ISO 14443A protocol, but it can easily be extended to some other protocols as long as the chipset supports them. Now the device is targeting the QuickPass credit card; I don't know if you guys know it, the American version of QuickPass may be EMV or Visa Pay, but it's similar. So the UniProxy contains two parts, the reader emulator and a card emulator, which I call the master one and the slave one. The payment information will be transferred between the master and the slave via the 24L01 chipset, which means it's point-to-point wireless data transmission. As I just mentioned, it's easy to adapt it to the ISO 14443B and 15693 standard NFC cards; it's another protocol, but as you know it's open and you can just handle the chipset process, so you can modify it by yourself. So here is the core of UniProxy: we use the PN chipset as the core. As I mentioned, it's an NXP chip and supports the Mifare family of cards; it can read, it can write, and emulate a card, and it's quite powerful.
And it's really cheap, I think, because when I tried to find some documents it was not easy to Google them, so I should say we didn't buy the service of NXP, so we don't have any official support. But we are hackers, right? So the architecture of UniProxy is as shown on the screen, there's another one; it's simple and we use a simple electronic circuit design which is slightly modified from the NXP official recommendation, so don't worry about the hardware design, it's not a big deal, not a big issue. The chipset is highly integrated and very powerful; this is also the reason we chose this one. So this is the front face of our UniProxy tool. You can see the NFC antenna here, I'm sorry, yeah. So this is the antenna; sorry about that, I used a pen on my iPad to mark this because I'm not good at PowerPoint. So this is the antenna with the team logo on it, and in the left corner, let's see where it is, oh! Here, in the left corner you can see the power supply circuit, and this tool is powered by lithium batteries, so it's also chargeable, so you can take this outside and do something evil without any notice. On the right side you can see the 24L01 chip module; we use this chipset to communicate between the master and slave. I don't know if you guys can see the core chip, it's right on here, yeah, it's a little bit dark, it's an NXP chip at the end of the arrow, mmm, it's a little bit dark so you can't see. The hardware of this hacking tool is quite simple; it's not complicated at all. With the official recommendation everybody can draw their... where's the mouse?
Oh there it is. So with the official recommendation everybody can draw and make their own device and build and assemble one; it's quite easy, so don't fret. This is the back side of the master part; you can see there's nothing, just the antenna, just a battery. After the hardware design I'd like to introduce the software design, so let's step to the software processing of this hacking tool. Actually, in my opinion, I really believe the source code can explain everything, right? So when I came to make this presentation I thought, let's just make this open source and, voilà, I can just play around, but as you see it's a big company and it's not my own work; it's part of company property, and that's why I need to stand here and only present a few source code screenshots, and then [inaudible]. So just back to the topic. Firstly you need to read the library API, and there will be a loop to put our chip into sniffing mode, and it will detect any RF field with the protocol we are aiming at around it, and if it is the card we just go to the handshake stuff. So in our master part, as you know, the reader emulator will try to run a handshake routine with the card which falls into the RF range of it, and after the handshake our master will get the parameters of the card and set a timeout. Then it'll be able to pack and transfer all the raw data to the card emulator immediately, and then the master will just wait to receive the data which comes back from the slave before it's timed out. So if everything is okay the whole routine will just start the block transmission. You can just download the PDF and see the source code details.
So this is the block transmission routine and also the last routine of the master part. When it starts to transmit block data, it will just wait for a response from the card emulator before it times out, and then forward the data to the real card and wait for the response of the real card. If there is something wrong with the real card and it didn't get a response before the timeout, the master will notify the slave and the communication is ended. Or our emulator will just get an I-block. The I-block data is real data, so you can just process it and directly respond, so you don't need to pack the data, you don't need to transfer the data; it will directly respond. When it's finished, the direct response in our case, the data will be directly forwarded to the card emulator, and that's our loop, until the whole procedure is ended. So this is the front of the slave part of our hacking tool; now you can notice the hardware is almost exactly the same, so you can build one for master and one for slave; you don't need to build different parts, they are the same hardware design but the software is different. So the process of our slave part just corresponds to the master one; we can call it master and slave, right? After the startup of the hardware, the program will just init the card emulation function and try to receive the ISO 14443A parameters from the... yeah, as we described before, they come from our reader emulator. Once the slave gets the parameters, we just send a success command response back to the master part and notify it. So here is the second part of the slave software design.
The slave will start the integration with the reader emulator and init the card emulator once we've received the parameters. So if there is a real card reader nearby, the slave part, which is our card emulator, will start the communication with the real reader and will receive the parameters. Then it will act like a real card to make the handshake with the real reader, and then, corresponding to our master part, start the block transmission. So the card emulator is more complicated than the reader emulator in the software design. After the start of the block transmission, the card emulator will receive data from the real reader. If the data is not I-block data, the slave will detect whether it is a DESELECT command, and if it is, just forward it to the reader emulator and send this command to the real reader. This process will save time. If there is an S-block instead of R-block data, the card emulator will just process it by itself. So back to the upper level: the card emulator will just forward the data to the reader emulator and send a delay command for half of the waiting time, and this action will also level up the success rate, because there will always be some unexpected delays. Then the slave part will receive data from the reader emulator and forward it to the real reader, and all the actions will form a loop and cooperate with the reader emulator and finally finish the whole transmission.
So in the end you can complete the [inaudible] transmission procedure. The principle I just described is very simple, but I would like you to know there were a lot of issues that occurred in the development, so I would like you to have that impression when you start, if you want to make a new proxy tool. Okay, so first, the chipset we used cannot change the first byte of the UID; it's burned in the firmware, so you can't change the first byte of the UID of your chipset, it will always be the zero byte. But luckily, if you want to fake a credit card, the credit card reader won't verify your credit card via the UID, and we didn't find a way to modify it in a long time of testing, but most money-related applications wouldn't check the identity of the card with the UID. On the other hand, I think it's a good way to prevent this kind of attack. Secondly, the waiting and the wake-up time is a real issue when you're developing a proxy tool. So, oh, this is it. It's a real issue when you want to develop a safe proxy tool: as you know, the card doesn't carry power, right? It uses the power from the reader, and if the card hasn't received any response from the reader it loses power and turns off, so apparently the whole attacking process has just failed. So please remember to modify the wake-up time when you're programming. Remember the hacking tool NFCGate which I used in my experiment: it's for the same reason that I said okay, I don't want to use this tool, because it didn't modify the wake-up time, and it also used the Wi-Fi network, which also increased the delay. So just remember to modify the wake-up time, okay?
Thirdly, in order to speed up the whole process, we don't need to transfer all kinds of data between the reader emulator and the card emulator. We just need to transfer I-block data and directly process S- or R-block data at the responder in real time; it's also mentioned in ISO 14443A part 4, so please just read it carefully. Also the power supply might cause corruption of the chipset, so if you want to design the hardware of the power circuit, you can just use a regular one; don't try to use any tricks, okay? So let's just see another demo video in our real environment, in which I use someone's credit card to buy a Big Mac in McDonald's. [chuckles] You can see we turn on the master one and the slave one, and you can see someone's wallet. Just place it here and go somewhere else, and of course I didn't steal someone's money, it's my credit card. [laughter] Confirm the payment. Start preparing, and use Apple Pay or QuickPass, place it, and just grab your food. [applause] Thank you. Thank you. So we just described how to attack a credit card, right? So this is how we defend it. I saw a lot of people use a blocking sleeve to protect the card, and also there is an RFID wallet to prevent this kind of attack, and they are also the coolest, so you can use them. Also we have the RFID Jammer, which of course I built; we designed and manufactured one, yeah, we sell it, that's ours, and GuardBunny you can use, er, [inaudible]. I think you can just buy a blocking sleeve and an RFID wallet or just GuardBunny; it's really efficient, I recommend that you have a try. So here's a summary of what we learned in this development.
So you need to read the protocol and the document well, and there are a lot of tricks inside, so better not to develop it without official support, because when we were using the NXP chipset it was really a waste of time, because we got stuck in some weird mistakes and we just couldn't read the document as there was no official support. We developed this using, I think, 6 months, and if we had official support I think this could be done in 2 months. Furthermore, I'd like to say what we want to improve. We want to improve the transmission range up to 100 meters; currently we can use the master and slave at about more than 50, I'm sorry, 50 meters, so I can just stand here and my partner will stand about 50 meters away and steal your information, steal your money. Yeah. But with some kind of amplifier we can just level up the range to 100 meters; it's easy, but we need to do that. And also, as I just said, my initial point was to fake my security ID card, but the range between my home and my company is about 6 kilometers, so I need to fix this issue [laughter], right? Yeah. And also I want to make this self-compatible, because now it's just attacking ISO 14443A, and I want to make it adapt to HID, adapt to 15693, and I want to let it know which protocol it is using, and the rest is how. I just want to make this fast and publish it on the network so everybody can learn and everybody can build their own proxy tools. So here are our references, and I want to really thank them, and also the hardware division of my team, and the NFC tools which inspired me a lot. So, any questions? [applause]
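Two ISO 14443-4 details carry most of the talk: only I-blocks hold application data, so R- and S-blocks are link-layer control that an emulator answers on its own (the speaker forwards DESELECT across the link), and every reply has to land inside the reader's Frame Waiting Time, which is derived from the FWI value in the card's ATS. The Python below is an added example, not code from the talk or from the UniProxy project: it parses the PCB byte of a block, reads the FWI out of an ATS and computes the FWT from it, and decodes an S(WTX) request. The `relay_suspect` function at the end is an assumed defender-side heuristic (a reader flagging replies that burn most of the permitted FWT, since a relay hop consumes that margin); the 0.5 fraction is an assumed tuning value, and all frames and the ATS are constructed samples.

```python
"""ISO 14443-4 block classification and frame-waiting-time (FWT) bookkeeping.

Added example; not code from the talk or the UniProxy project. Frames are
given without their CRC, as a reader chip hands them to firmware.
"""
from dataclasses import dataclass
from typing import Optional

FC_HZ = 13_560_000   # ISO 14443 carrier frequency
DEFAULT_FWI = 4      # ISO 14443-4: value assumed when TB(1) is absent from the ATS


@dataclass(frozen=True)
class Block:
    kind: str                    # "I", "R" or "S"
    detail: str                  # "ACK"/"NAK" for R, "DESELECT"/"WTX" for S, "" for I
    block_number: Optional[int]  # PCB bit b1 for I- and R-blocks
    chaining: bool               # I-block chaining bit (b5)
    cid: Optional[int]           # card identifier if the PCB announces one (b4)
    payload: bytes               # INF field: APDU bytes for I, WTXM byte for S(WTX)
    forward: bool                # True if a proxy must relay it to the far side


def parse_block(frame: bytes) -> Block:
    """Parse one block laid out as PCB [CID] [NAD] INF."""
    if not frame:
        raise ValueError("empty frame")
    pcb, idx, cid = frame[0], 1, None
    if pcb & 0x08:                                  # CID following
        if idx >= len(frame):
            raise ValueError("PCB announces CID but frame is too short")
        cid, idx = frame[idx] & 0x0F, idx + 1
    if pcb & 0xE0 == 0x00:                          # I-block: 0 0 0 c n x 1 b
        if not pcb & 0x02:
            raise ValueError(f"malformed I-block PCB {pcb:#04x}")
        if pcb & 0x04:                              # NAD following
            idx += 1
        return Block("I", "", pcb & 0x01, bool(pcb & 0x10), cid, frame[idx:], True)
    if pcb & 0xE6 == 0xA2:                          # R-block: 1 0 1 a c 0 1 b
        return Block("R", "NAK" if pcb & 0x10 else "ACK", pcb & 0x01, False, cid, b"", False)
    if pcb & 0xC7 == 0xC2:                          # S-block: 1 1 t t c 0 1 0
        stype = (pcb >> 4) & 0x03
        if stype == 0:                              # DESELECT ends the session on both sides
            return Block("S", "DESELECT", None, False, cid, frame[idx:], True)
        if stype == 3:                              # WTX can be granted locally
            return Block("S", "WTX", None, False, cid, frame[idx:], False)
    raise ValueError(f"unsupported or RFU PCB {pcb:#04x}")


def fwt_seconds(fwi: int) -> float:
    """FWT = (256 * 16 / fc) * 2**FWI, FWI in 0..14 (ISO 14443-4)."""
    if not 0 <= fwi <= 14:
        raise ValueError("FWI must be in 0..14")
    return (256 * 16 / FC_HZ) * 2 ** fwi


def fwi_from_ats(ats: bytes) -> int:
    """Read FWI from an ATS: TL, T0, then TA(1)/TB(1)/TC(1) as T0 announces them."""
    if len(ats) < 2:
        return DEFAULT_FWI
    t0, idx = ats[1], 2
    if t0 & 0x10:                                   # TA(1) present, skip it
        idx += 1
    if not t0 & 0x20:                               # no TB(1): protocol default
        return DEFAULT_FWI
    if idx >= len(ats):
        raise ValueError("ATS announces TB(1) but is truncated")
    return ats[idx] >> 4                            # TB(1) = FWI (high nibble) | SFGI


def wtxm(block: Block) -> int:
    """Multiplier requested by an S(WTX) block: INF bits b6..b1, valid range 1..59."""
    if block.kind != "S" or block.detail != "WTX" or not block.payload:
        raise ValueError("not an S(WTX) block carrying an INF byte")
    m = block.payload[0] & 0x3F
    if not 1 <= m <= 59:
        raise ValueError(f"WTXM {m} is RFU")
    return m


def relay_suspect(response_us: float, fwi: int, wtx_mult: int = 1, fraction: float = 0.5) -> bool:
    """Assumed heuristic: flag a reply that used more than `fraction` of the allowed
    FWT (times any granted WTXM). A relay spends that margin on its radio hop."""
    allowed_us = fwt_seconds(fwi) * wtx_mult * 1e6
    return response_us > fraction * allowed_us


if __name__ == "__main__":
    # Constructed sample: ATS with TB(1) = 0x70 (FWI 7), then four blocks as a proxy sees them.
    ats = bytes([0x05, 0x78, 0x80, 0x70, 0x02])
    fwi = fwi_from_ats(ats)
    print(f"FWI={fwi} -> FWT={fwt_seconds(fwi) * 1e3:.2f} ms")
    for frame in (bytes([0x02, 0x00, 0xA4, 0x04, 0x00]), b"\xA3", b"\xF2\x05", b"\xC2"):
        b = parse_block(frame)
        tag = f"{b.kind}({b.detail})" if b.detail else b.kind
        print(f"{frame.hex():>10}  {tag:12} forward={b.forward}  payload={b.payload.hex()}")
    print("relay suspect (30 ms reply):", relay_suspect(30_000, fwi))
```

The `forward` flag is what the talk's third lesson amounts to: the proxy link only ever carries I-blocks (plus DESELECT), while ACK/NAK and WTX are answered by the emulator that received them. The FWT arithmetic is what sits behind the speaker's "wake-up time" warning: a card emulator that cannot get the far side's reply back inside FWT, or that fails to request WTX, is dropped by the reader.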