What are NFC cards and how are they protected?

Ever since I posted an initial article “Hack NFC Door Locks” I see a steady stream of people that come with queries like “what’s the protection of an NFC card” and “how do you hack a protected NFC card”. Obviously, there is something out there interesting enough for people to begin inquiring.

What is an “NFC card”? As opposed to an “NFC device”, an NFC card is simply a contactless smart card. The NFC protocol allows for a great flexibility in choosing what you may name an NFC card and nearly anything in the vicinity and proximity card world can be termed an NFC card.

Most of the time though you will be dealing with the good old Type A and Type B cards from the ISO 14443 standard. Unless you are in Asia and then the chances are high you will be facing a Sony FeliCa card. There is nothing NFC about any of them except the new name. They are all good old contactless smart cards.

Now, to the question that actually interests most of the people seeking enlightenment, the protection of those smart cards can vary. What kind of protection is used depends more on the system that specified what kind of a card will be used there. So if we are talking about door locks we are likely to see the cheapest MiFare cards that can actually be broken comparatively easily. When we are in some banking applications, we are likely to see high-end smart cards with seriously mean security features.

Since NFC cards are “just” smart cards, you must be looking for the information on how to deal with the smart cards and all of that will be applicable to the NFC cards. The low end is fairly simple, often the system does not use encryption, the cards may be read out and copied with very little effort. In more serious systems the cards usually do not let themselves to investigation erasing the content at the least suspicion of a break-in.

The protection mechanisms may include (and this is not an exhaustive list, just off the top of my head):

  • Constant time execution of all routines
  • Checks of the execution state at regular intervals and at critical operation beginning and end
  • Encryption of all of the memory content or sensitive areas like key storage
  • Encryption of input and output, sometimes double encryption
  • No debug and error output, just lock up in case of an error
  • Sensors for temperature, light, voltage, current
  • Protective mesh over and in between layers of the chip with cut sensors
  • Stabilizers of current consumption and noise generators
  • Scrambled and encrypted buses and memory content
  • Parallel execution to compare results against tampering
  • Randomized circuit layout

Basically, there are two things there: (1) protection of the hardware against tampering and side channel analysis and (2) protection of the software against induced faults and side channel analysis. Typically, the designers work hard to make sure you have to defeat both to get any meaningful results. So to get a go at the smart card security, you are better off to search for a security lab that does smart card security evaluations and ask them to work for you.

I always assumed there are tons of literature on the subject although right now a quick search on Amazon proved me wrong, there is only a handful of books. Maybe I should write more on smart card security?..

Ignoring security is not a good idea…

 

HTC One X @ MWC 2012I see that HTC got finally whacked over the head for the lack of security in their Android smartphones. I will have to contain myself here and will leave aside the inherent issues surrounding Android, its security and model of operation that will hurt … Ok, ok, I stop now. So, HTC got dragged into a court in US for improper implementation of software that allows remote attackers to steal various data from your smartphone. Big news. Problem is they settled and are not likely to actually do something about it. Anyway, that’s not interesting.

The interesting thing is that the regulators complained that HTC did not provide security training to the staff and did not perform adequate security testing:

The regulator said in a statement that HTC America “failed to provide its engineering staff with adequate security training, failed to review or test the software on its mobile devices for potential security vulnerabilities (and) failed to follow well-known and commonly accepted secure coding practices.”

Most companies ignore security hoping that the problem never comes. This shortsighted view is so widespread I feel like Captain Obvious by repeatedly talking about it. But I suppose it bears repeating. The security risks are usually discarded because they are of low probability. However, their impact is usually undervalued and the resulting risk analysis is not quite what it should be. The security problems prevalent in software are usually of such magnitude that they can easily cost even a large business dearly.

Ignoring security is not a good idea. This is like ignoring a possibility of human death by being trapped in an elevator for an elevator company. An elevator company will do all it can to prevent even a remote chance of this happening because if something like that happens they can be easily out of business in no time. Quite the same approach should be taken for granted by software companies, and the sooner, the better. A security problem can put a company out of business. Be forewarned.

Car software security

I stumbled across an article on car software viruses. I did not see anything unexpected really. The experts “hope” to get it all fixed before the word gets out and things start getting messy. Which tells us that things are in a pretty bad shape right now. The funny thing is though that the academic group that did the research into vehicle software security was disbanded after working for two years and publishing a couple of damning papers, demonstrating that “the virus can simultaneously shut off the car’s lights, lock its doors, kill the engine and release or slam on the brakes.” An interesting side note is that the car’s system is available to “remotely eavesdrop on conversations inside cars, a technique that could be of use to corporate and government spies.” This goes in stark contrast to what car manufactures are willing to disclose: “I won’t say it’s impossible to hack, but it’s pretty close,” said Toyota spokesman John Hanson. Basically, all you can hope for is that they are “working hard to develop specifications which will reduce that risk in the vehicle area.” I don’t know, mate, I think I better stay with the good old trustworthy mechanic stuff. I guess I know too much about software security for my own good. I kinda feel they will be inevitably hacked. Scared? If there is a manual override for everything – not so much but… The second-hand car market suddenly starts looking very appealing by comparison…