Building a safe NFC ticketing system

Presented at 30C3 (2013), Dec. 29, 2013, 12:15 p.m. (30 minutes)

NFC technology is becoming more and more relevant in our lives. One of its major uses is in ticketing solutions. However, most companies use bad implementations of NFC technology. In this talk we will explain a complete solution, analyzing security challenges and outlining the best practices and implementation choices. Most NFC ticketing solutions are based on MIFARE ULTRALIGHT chips. The main topic of our talk is why and how these implementations are vulnerable.

The talk is divided into two main sections. The first deals with the vulnerabilities that may occur if you do not pay enough attention to security topics. We focus on 3 areas in which fraud is possible:

I. Bad use of GPS and internet protocol to apply fees.
II. Correct use of OTP sector in ULTRALIGHT chips.
III. Correct data stamping on tickets.

In the second part we will show a proof of concept of a validation machine which uses a secure way to validate tickets. The machine is based on an Arduino Uno device, and we use MIFARE ULTRALIGHT as the NFC chips to keep the whole solution low cost. All source code will be made available as open source just after the talk so that everyone can use it to create secure solutions.

Presenters:

  • Matteo Collura / Eagle1753 as Eagle1753
    I'm a student at Politecnico of Turin, Electronic Engineering. I'm studying wireless networks and NFC with a friend of mine. I was a speaker at DEFCON 21 (OTP it won't save you from free rides). I'm attending the first year at Politecnico of Turin, studying Electronic Engineering; however, my secret love is for Physics. Who knows, maybe I will study it after my degree. So I'm just a student right now. I'm fond of wireless networks, and I'm studying them with a friend of mine, a teammate. This year (2013) we spoke at DEFCON 21 (here is the clip: http://www.youtube.com/watch?v=ranQUZVchHk ) about how we exploited a bug in Mifare Ultralight tickets used in our city. We have some projects for the future, such as doing some research on NFC payments, but we lack money and, as a result, hardware too. We accept any kind of donation, even Bitcoins: 1G7d6Bdw8pesHvGVjrQoSHDLQ3WEuHrU4K
  • Matteo Beccaro / bughardy as bughardy
    Italian student, in love with IT and information security. Actually working for SecureNetwork. Gave a talk at DEFCON in 2013 and wrote some articles about (in)secure NFC systems, mostly in transport systems.
