2019年Hitcon上分享的议题, 有关于Android平台NFC协议栈
摘要 🔗
Android system has been investigated for a decade, and fewer attack surfaces survive the crowded bug hunters. NFC is one of the lucky untapped areas until recently. In this topic, our team will share our recent study of Android NFC attack surface, together with some lore and related knowledge.
As a start, basic information about NFC and its protocol stack on Android will be briefed. Then, we will enumerate the attack surfaces related to NFC, explaining the value and difficulty of each and show why and how we pick the targets we focus on. Before looking into details, we will illustrate a few concepts critical to comprehend the code. We will show why we prefer auditing to fuzzing on this topic. Proxmark 3 is an excellent toolkit for snooping RFIDs. To make Proofs-of-Concept for vulnerabilities we find, we do modifications to Proxmark 3 and extend its card emulation feature to act as the attacker. Along with all these, we will explain three representative vulnerabilities found in three different modules, the Host-based Card Emulation module, the Reader/Writer Module and the nfa module, each with substantial details.
The contents are organized with the hope that both novice and seasoned researchers can get their benefits. We only skim over the basics but key parts will get a detailed explanation.