Hacking in the Far East 7: Too-Near Field Communication

In this part, Paul Ziegler gets critical about the way near field communication technology is implemented in Japan, from a security person’s perspective.

NFC cards

The next thing we’re going to look at is what I like to call the Too-Near Field Communication, which is kind of an international topic, because if you look at these couple of near-field communication cards (see right-hand image), the majority of those that are shown here are based on the Sony FeliCa model.

NFC-enabled Visa card

The Japanese have taken this concept of near field communication, and they’ve taken it to another completely different level. I would like to introduce you to what I think is the worst idea in human history: it’s the NFC-enabled Visa card (see left-hand image).

Now, this does not actually allow you to charge your Visa, but your card has a preset limit that you can set to whatever you want; you can set it to $200, and whenever your card empties, it will automatically charge another $200 to your card and will recharge the payment card that’s on it. In this case it’s a Suica card that’s integrated.

Cell phone with NFC technology built in

If you try to convince anyone anywhere else in the world to use a credit card that is NFC-enabled and that bills directly to your credit card, people will look at you and go: “Are you f**king nuts?” The reason why this works in Japan is because the same technology has already been around for years and it’s been integrated in cell phones, so these cell phones (see image to the right) have NFC technology in them, something that we’re just slowly seeing in other countries, and you can pay with them, and whatever you pay with them gets charged to your phone bill.

So, people are already really used to the concept of “Yeah, I have this unlimited bill that I can use with NFC, it’s really practical, because all I have to do is *BEEP*.”

So, why is this a problem? First, it’s used virtually anywhere if you’re in Japan. There are a couple of stores where you can’t even pay in cash, they only take NFC; a popular example is the trains. If you want to get on a train, you have to buy a ticket. In many stations only 2 out of 10 ticket gates will have real ticket slots; everything else only takes NFC, so you’re basically bound to carrying a Suica or FeliCa card with you.

Sony FeliCa reader

You have this automatic recharging, and it’s actually accepted by a lot of online stores by now. And you need to get a reader like this one, it’s called a FeliCa reader (see left-hand image); you can buy them on Amazon for about $10. They come with drivers, really easy to install. And the weird thing about the cards is that on the chip they will store your last 20-something transactions. This may be anything: this may be something you buy, or this may be a train you get on, or it may be the train you get off.

Data you can retrieve from someone’s card located nearby

So, if you have this reader and you plug it into your PC, and you get anyone’s card in the near proximity of it, you can extract a view like this (right-hand image). And this is actually not a hacker tool; this tool comes with the reader.

You can buy stuff online using the access to someone else’s NFC card

So, by now, what do we have? We get someone’s NFC data – their card, or their cell phone; we got location tracking and we got purchase tracking, which obviously leads to some problems down the road somewhere. But what really makes it bad is that if you look at Amazon.co.jp, you can see that you can actually pay with your Osaifu-Keitai card (image to the left), and all you need is the exact same reader, so you plug in your reader, you go to Amazon, you say: “Yeah, I want to buy this,” and they go: “Ok, what do you want to pay with?” “I want to pay with NFC” – “Cool.” Touch your card to the receiver attached to your computer, beep – and you’ve paid.

Obviously, what we can do with it is we can buy stuff on other people’s tabs. You open up Amazon on your laptop, you have some sort of cellular connection, you go to Pay, you take your reader, you walk up to some guy and do “BEEP”, because there’s no authentication, and you’ve just paid for it.

Now, I’ve taken a lot of crap for this particular point, because people always bring up the same defense, they say: “But Paul, the FeliCa standard particularly specifies that to prevent this we’re only going to allow this across millimeters with private readers.” So, they can do centimeters with commercial readers, but as an individual you can only get readers to allow you to read these cards from about 2 or 3 millimeters away, and you couldn’t possibly get that close to another person without him noticing. That’s just ridiculous.

Pretty typical scene on the morning commute train in Tokyo

Anyone who believes this has obviously never taken the morning commute train in Tokyo, because this is what it looks like, and this is not staged (see right-hand image). This is fairly common. This is a Tokyo line train, it’s a rapid commuter express. It only comes every 20 minutes, so if you miss it you’ll be late for work, and this is how they make sure that everyone gets on the train. Obviously, the inside pressure is still too high, so they need to get more people to be able to push in. So, anyone who wants to tell me that in this setting I couldn’t possibly get within 3 millimeters of this guy’s purse or wallet is trying to kid me. If you want to really shoot it off, have an emergency flight the next morning and carry two suitcases and try to get in there.

Alright, I think we’ve confirmed that with this technology and a little bit of evil spirit we can do location tracking, we can do purchase tracking, and we can buy stuff on other people’s tabs by simply abusing the rush hour in the morning.
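The talk makes two observations a defender can build on: the card carries its own recent history (gate entries, gate exits, purchases, recharges), and the online FeliCa payment has no authentication step of its own. One compensating control a merchant or issuer backend could layer on top, as an added example that is not from the talk and not the logic of any real FeliCa, Suica or Amazon system, is to cross-check a pending online payment against that on-card history: a card whose last gate event is an entry with no exit is physically inside the rail network, which is not where a cardholder is paying from a home PC, and a burst of auto-recharges in a short window is the purchase-tracking pattern the speaker describes. The `CardEvent` records, station and merchant labels, timestamps and thresholds below are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed model of the on-card history the talk describes.
# Event kinds: "gate_in", "gate_out", "purchase", "recharge". Amount is in yen.
@dataclass(frozen=True)
class CardEvent:
    when: datetime
    kind: str
    amount: int = 0
    place: str = ""   # station or merchant label (constructed)


def in_transit_at(history: List[CardEvent], t: datetime) -> bool:
    """True if the newest gate event at or before t is an entry with no exit,
    i.e. the card is inside a ticket gate at time t."""
    last_gate = None
    for ev in sorted(history, key=lambda e: e.when):
        if ev.when > t:
            break
        if ev.kind in ("gate_in", "gate_out"):
            last_gate = ev
    return last_gate is not None and last_gate.kind == "gate_in"


def recharges_within(history: List[CardEvent], t: datetime, window: timedelta) -> List[CardEvent]:
    """Auto-recharge events in the window ending at t."""
    return [e for e in history if e.kind == "recharge" and t - window <= e.when <= t]


def assess_online_payment(history: List[CardEvent], payment: CardEvent,
                          max_recharges: int = 2,
                          window: timedelta = timedelta(hours=1)) -> List[str]:
    """Return the list of reasons to hold a pending online payment for review.
    An empty list means nothing in the card history contradicts the payment.
    Thresholds are illustrative assumptions, not values from any real scheme."""
    reasons = []
    if in_transit_at(history, payment.when):
        reasons.append("card is inside a ticket gate (entered, not exited) at payment time")
    n = len(recharges_within(history, payment.when, window))
    if n >= max_recharges:
        reasons.append(f"{n} auto-recharges within {window} of the payment")
    return reasons


# Constructed histories. Day 1: cardholder rides in, rides out, shops from home at night.
D = datetime(2012, 6, 4)
HONEST_HISTORY = [
    CardEvent(D.replace(hour=8, minute=2), "gate_in", place="Shinjuku"),
    CardEvent(D.replace(hour=8, minute=41), "gate_out", place="Tokyo"),
    CardEvent(D.replace(hour=12, minute=30), "purchase", 480, "convenience store"),
]
HONEST_PAYMENT = CardEvent(D.replace(hour=21, minute=10), "purchase", 3200, "online shop")

# Day 2: the card entered a gate at 08:02 and is still on the train when an online
# payment is attempted at 08:15; two recharges were triggered just before it.
SUSPECT_HISTORY = [
    CardEvent(D.replace(hour=8, minute=2), "gate_in", place="Shinjuku"),
    CardEvent(D.replace(hour=8, minute=9), "recharge", 20000, "auto-recharge"),
    CardEvent(D.replace(hour=8, minute=13), "recharge", 20000, "auto-recharge"),
]
SUSPECT_PAYMENT = CardEvent(D.replace(hour=8, minute=15), "purchase", 39800, "online shop")


if __name__ == "__main__":
    print("honest :", assess_online_payment(HONEST_HISTORY, HONEST_PAYMENT))
    print("suspect:", assess_online_payment(SUSPECT_HISTORY, SUSPECT_PAYMENT))
```

The check only works if the backend can read the same history the $10 reader shows, which is exactly the speaker's point: the data is already on the card for anyone to read, so the honest party might as well use it. It is a heuristic, not authentication; a cardholder who shops from a phone while commuting would be held for review, and the control that actually closes the hole is a cardholder confirmation step on the online payment.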
