“Borrow” Payment Cards with NFC Proxy Hardware

Contactless payments are growing in popularity. Often the term will bring to mind the ability to pay by holding your phone over a reader, but the system can also use NFC tags embedded in credit cards, ID cards, passports, and the like. NFC is a reasonably secure method of validating payments as it employs encryption and the functional distance between client and reader is in the tens of centimeters, and often much less. [Haoqi Shan] and the Unicorn team have reduced the security of the distance component by using a hardware proxy to relay NFC interactions over longer distances.

The talk, given on Sunday at DEF CON, outlined some incredibly simple hardware: an NFC antenna connected to a PN7462AU, an NRF24L01 wireless transceiver, and some power regulation. The exploit works by using a pair of these hardware modules. A master interfaces with the NFC reader, and a slave reads the card. The scenario goes something like this: a victim NFC card is placed near the slave hardware. The master hardware is placed over a payment kiosk as if making a normal payment. As the payment kiosk reader begins the process to read an NFC card, all of the communications between it and the actual card are forwarded over the 24L01 wireless connection.

The demo video during the talk showed a fast-food purchase made on the Apple Pay network while the card was still at a table out in the dining area (resting on the slave hardware module). The card used was a QuickPass contactless payment card from China UnionPay. According to a 2016 press release from the company, over two billion of these cards had been issued at the time. With that kind of adoption rate there is a huge incentive to find and patch any vulnerabilities in the system.

The hardware components in this build aren’t really anything special. We’ve seen these Nordic wireless modules used in numerous projects over the years, and the NXP chip is just NFC built around an ARM core. The leaps that tie this together are the speed-ups to make it work. NFC has tight timing, and a delay between the master and slave would invalidate the handshake and subsequent interactions. The Unicorn team found some speed-ups by ensuring the chip was waking from suspend mode (150 µs) and not a deeper sleep. Furthermore, [Haoqi] mentioned they are only transmitting “I/S/R Block Data” and not the entirety of the interaction, to save on time transmitting over the 24L01 wireless link. He didn’t expand on that, so if you have details about what those blocks actually consist of please let us know in the comments below.
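As an added example (not from the talk or its slides), the sketch below assumes “I/S/R Block” refers to the three block types of ISO/IEC 14443-4, which are told apart by the first byte of each block, and shows how the protocol's frame waiting time sets the timing window mentioned above. The `budget_fraction` policy and the sample trace are hypothetical and constructed for illustration.

```python
FC_HZ = 13_560_000  # 13.56 MHz carrier used by ISO/IEC 14443

def classify_pcb(pcb: int) -> dict:
    """Decode the Protocol Control Byte that starts every ISO/IEC 14443-4 block."""
    info = {"cid_follows": bool(pcb & 0x08)}
    top = pcb & 0xC0
    if top == 0x00:    # I-block: carries the application data (APDUs)
        info.update(kind="I", chaining=bool(pcb & 0x10),
                    nad_follows=bool(pcb & 0x04), block_number=pcb & 0x01)
    elif top == 0x80:  # R-block: positive or negative acknowledgement
        info.update(kind="R", nak=bool(pcb & 0x10), block_number=pcb & 0x01)
    elif top == 0xC0:  # S-block: link supervision
        subtype = {0x00: "DESELECT", 0x30: "WTX"}.get(pcb & 0x30, "other")
        info.update(kind="S", subtype=subtype)
    else:              # 0b01xxxxxx is reserved
        info.update(kind="RFU")
    return info

def fwt_us(fwi: int) -> float:
    """Frame waiting time in microseconds: (256 * 16 / fc) * 2**FWI."""
    if not 0 <= fwi <= 14:
        raise ValueError("FWI must be in 0..14")
    return (256 * 16 / FC_HZ) * (2 ** fwi) * 1e6

def slow_responses(trace, fwi, budget_fraction=0.5):
    """Return indexes of card responses slower than a reader-side latency budget.

    budget_fraction is a hypothetical policy knob: the standard only requires a
    reply within FWT; a reader that wants less slack for a relay sets it lower.
    """
    budget = fwt_us(fwi) * budget_fraction
    return [i for i, (_pcb, latency_us) in enumerate(trace) if latency_us > budget]

# Constructed sample: (PCB of the card's reply, measured reply latency in µs)
SAMPLE_TRACE = [(0x02, 900), (0x03, 1200), (0xA2, 3000), (0x02, 4100)]

if __name__ == "__main__":
    for pcb, latency in SAMPLE_TRACE:
        print(f"{pcb:#04x} {latency:>5} µs {classify_pcb(pcb)}")
    print("FWT at FWI=4:", round(fwt_us(4)), "µs")
    print("over budget:", slow_responses(SAMPLE_TRACE, fwi=4))
```
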

To the card reader, the emulated payment card is valid and the payment goes through. But one caveat to the system is that [Haoqi] was unable to alter the UID of the emulator — it doesn’t spoof the UID of the payment card being exploited. Current readers don’t check the UID and this could be one possible defense against this exploit. But to be honest, since you need close physical proximity of the master to the reader and the slave to the payment card simultaneously, we don’t see mayhem in the future. It’s more likely that we’ll see hacker cred when someone builds a long-range link that lets you leave your NFC cards at home and take one emulator with you for wireless door access or contactless payments in a single device. If you want to get working on this, check out the talk slides for program flow and some source code hints.

Making a Wearable NFC Bus Pass

[Stephen Cognetta] is trying to get the total number of things he owns down below 115, and he’s always looking for ways to streamline his life.

Toward this goal he dissolved his SF Transit Clipper Card in acetone to get at the NFC tag embedded inside. The tag consists of a tiny chip attached to an antenna the size of the card itself. It took about three days (video below the break) for the layers to separate and [Stephen] was able to extricate the tag.

He ended up trying a few different ways of storing the delicate chip and antenna, including a lump of Sugru as well as a waterproof aspirin band, pictured to the right.

One supposes the transit pass idea might save you a little time, but what would really simplify your life would be having a single wearable tag that unlocked a bunch of things. Also it should be noted that, un-coolly, damaging a card violates SF Transit’s terms of service…

HaD has covered NFC wearables before, including the phone-unlocking NFC ring as well as the NFC ring box. This NFC-controlled infinity mirror makes great use of the technology.


Skin Bling: Wearable Electronics from Golden Temporary Tattoos

MIT Media Lab and Microsoft have teamed up to take wearable devices one step further — they’ve glued the devices directly to the user’s skin. DuoSkin is a temporary tattoo created with gold leaf. Metallic “Flash” temporary fashion tattoos have become quite popular recently, so this builds on the trend. What the team has done is to use them to create user interfaces for wearable electronic devices.

Generally speaking, gold leaf is incredibly fragile. In this process, to yield the cleanest looking leaf, the gold is not actually cut. Instead, the temporary tattoo film and backer are cut on a standard desktop vinyl cutter. The gold leaf is then applied to the entire film surface. The cut film/leaf can then be “weeded” — removing the unwanted portions of film which were isolated from the rest by the cutting process — to complete the temporary tattoo. The team tested this method and found that traces 4.5 mm or more thick were resilient enough to last the entire day on your skin.

The gold leaf tattoos make excellent capacitive touch sensors. The team was able to create sliders, buttons, and even 2 dimensional diamond grids. These controls were used to move a cursor on a computer or phone screen. They were even able to create a wearable NFC tag. The gold leaf is the antenna, and the NFC chip itself is mounted on the temporary tattoo backer.

These devices all look great, but with the exception of the NFC chip, we’re not seeing the electronics driving them. Capacitive touch sensors used as a UI for a phone will have to have a Bluetooth radio and a battery somewhere. We’re guessing that’s all hidden under the arm of the user. You can see what we’re talking about in the video after the break. That said, the tools and materials are ubiquitous and easy to work with. Take a quick read through the white paper (PDF) and you can be making your own version of this today.


Hacklet 117 – NFC Projects

Near Field Communication (NFC) is something we take for granted these days. Nearly all smartphones have it. We even have NFC interfaces for all our favorite development boards. NFC’s history goes back all the way to 1997, when an early version was used in Star Wars special edition toys. Radio Frequency Identification (RFID), which NFC builds on, goes back even further. The patent citation trail leads all the way back to 1983 in a patent awarded to [Charles Walton]. NFC is much more than RFID though. The idea of two way communication between devices opens up tons of possibilities for projects and hacks. This week on the Hacklet we’re checking out some of the best NFC projects on Hackaday.io!

We start with [Patrick] and Ctrl-O. Somewhere in the hackerspace bible there is a clause that states “Thou shalt build an electronic access control system”. In [Patrick’s] case, a door lock became a complex membership subscription management database. Members who have paid can use an NFC tag to gain access to the hackerspace. The system consists of a Raspberry Pi with an NFC interface. A relay allows the Pi to control the door lock. The Pi can be manually configured through a web interface. It connects to PayPal to verify that each user’s membership has actually been paid. Of course a project like this is never done. The last we heard from [Patrick], he was planning future upgrades such as startup company memberships with multiple people.

Next up is [Pierre Charlier] and KeyDuino. KeyDuino is an Arduino compatible board with all the NFC hardware baked right in. The board is based upon the Arduino Leonardo, with an ATmega32u4 processor. [Pierre] must be on to something, because the KeyDuino had a successful Kickstarter back in 2015. It’s also open source hardware, so you can build your own whenever you want. The real gem is checking out [Pierre’s] other projects. He’s documented all his KeyDuino example projects right on Hackaday.io. These include an NFC controlled infinity mirror coffee table, a locking wooden gift box, and NFC controlled car door locks, just to name a few.

Next we have [John McLear] with 2016 NFC Ring. [John] jumped into wearable technology with one of the toughest form factors imaginable – a ring. Between the tiny amount of space and the lack of batteries, you might think there isn’t much you can do with a ring. Undaunted, [John] managed to fit two NXP NFC chips and their antennas inside a standard ring. This is the upgraded 2016 version of the ring. [John] was nice enough to supply several hundred of the earlier models to hackers at the Hackaday Supercon back in 2015. [John’s] rings would be hard for the average hacker to reproduce. [Sean Hodgins] comes to the rescue here with his own project, DIY NFC Bentwood Ring.

Finally, we have [CaptMcAllister] with RFID air pressure sensor. As the name implies, this sensor measures air pressure. It could be in open air, a tire, or even a football used by the New England Patriots. Sure, cars all have Tire Pressure Monitoring Systems (TPMS) sensors which do something similar. [CaptMcAllister’s] design has one important difference – it has no batteries. The heart of the system is a Texas Instruments RF430FRL15X, a device with the NFC radio and a low power MSP430 microcontroller in one chip. The system is energy harvesting, being powered by an external reader. As you can imagine, tuning the antenna was critical to this design. You can read all about it in [CaptMcAllister’s] 24 project logs.

If you want to see more NFC projects and hacks, check out our new near field communication projects list. See a project I might have missed? Don’t be shy, just drop me a message on Hackaday.io. That’s it for this week’s Hacklet. As always, see you next week. Same hack time, same hack channel, bringing you the best of Hackaday.io!

Which Wireless Tech is Right For You?

It seems these days all the electronics projects are wireless in some form. Whether you choose WiFi, Bluetooth Classic, Bluetooth Low Energy, ZigBee, Z-Wave, Thread, NFC, RFID, Cell, IR, or even semaphore or carrier pigeon depends a lot on the constraints of your project. There are a lot of variables to consider, so here is a guide to help you navigate the choices and come to a conclusion about which to use in your project.

We can really quickly reduce options down to the appropriate tech with just a few questions.


Robotic Pets Test an Automatic Pet Door

Lots of people get a pet and then hack solutions that help them care for their new friend, like an automatic door to provide access to the great outdoors. Then again, some people build the pet door first and then build the pets to test it.

It’s actually not quite as weird as it sounds. [Amir Avni] and his wife attended a recent GeekCon and entered the GeekCon Pets event. GeekCon is a cooperative rather than competitive hackathon that encourages useless builds as a means to foster community and to just have some fun. [Amir] and his wife wanted to build a full-featured automatic pet door, and succeeded – with NFC and an ESP8266, the stepper-powered door worked exactly as planned. But without any actual animal companions to test the system, they had to hack up a few volunteers. They came up with a 3D-printed dog and cat perched atop wireless cars, and with NFC tags dangling from their collars, the door was able to differentiate between the wandering ersatz animals. The video below the break shows the adorable plastic pals in action.

It’s clear from all the pet doors and automatic waterers and feeders we’ve seen that hackers love their pets, but we’re pretty sure this is the first time the pet itself was replaced by a robot. That’s fine for the test environment, but we’d recommend the real thing for production.


GuardBunny Active RFID Protection Going Open Hardware

There are two sides to every coin. Instead of swiping or using a chip reader with your credit card, some companies offer wireless cards that you hold up to a reader for just an instant. How convenient for you and for anyone who might want to read that data for their own use. The same goes for RFID enabled passports, and the now ubiquitous keycards used for door access at businesses and hotels. I’m sure you can opt-out of one of these credit cards, but Gerald in human resources isn’t going to issue you a metal key — you’re stuck hauling around that RFID card.

It is unlikely that someone surreptitiously reading your card will unlock your secrets. The contactless credit cards and the keylock cards are actually calculating a response based on a stored key pair. But you absolutely could be tracked by the unique IDs in your cards. Are you being logged when passing by an open reader? And other devices, like public transit cards, may have more information stored on them that could be harvested. It’s not entirely paranoid to want to silence these signals when you’re not using them.

One solution to all of this is to protect your wallet from would-be RFID pirates. At this point I’m sure everyone is thinking of a tin-foil card case. Sure, that might work unless the malicious reader is very powerful. But there’s a much more interesting way to protect against this: active RFID scrambling with a project called GuardBunny. It’s a card that you place next to whatever you want to protect. It’s not really RFID — I’ll get to that in a moment — but is activated the same way and spews erroneous bits back at any card reader. Kristin Paget has been working on GuardBunny for several years now. As of late she’s had less time for active development, but is doing a great thing by letting version 1 out into the world for others to hack on. In her talk at Shmoocon 2016 she walked through the design, demonstrated its functionality, and shared some suggestions for further improvement.
