██╗     ██╗      ███████╗██╗   ██╗███████╗███████╗███████╗██████╗ 
              ██║     ██║      ██╔════╝██║   ██║╚══███╔╝╚══███╔╝██╔════╝██╔══██╗
              ██║     ██║█████╗█████╗  ██║   ██║  ███╔╝   ███╔╝ █████╗  ██████╔╝
              ██║     ██║╚════╝██╔══╝  ██║   ██║ ███╔╝   ███╔╝  ██╔══╝  ██╔══██╗
              ███████╗███████╗ ██║     ╚██████╔╝███████╗███████╗███████╗██║  ██║
              ╚══════╝╚══════╝ ╚═╝      ╚═════╝ ╚══════╝╚══════╝╚══════╝╚═╝  ╚═╝

                   Authors: Chad Spensky ([email protected])
                              Hongyi Hu ([email protected])

================================================================================

LL-Fuzzer is a fuzzing framework built to fuzz NFC applications on android devices.

Dependencies

• NFCPy

• Sulley

• PyUSB

• Android Debug Bridge

Hardware Requirements

• PN532 Breakout Board
• FTDI Cable

Installation

To install all of the dependencies type:

$ ./install.sh

or follow the individual instructions below:

• If you're using a 64bit machine, you must install the 32 bit libraries:

  $ sudo apt-get install ia32-libs

• Some of the android stuff requires java:

  $ sudo apt-get install openjdk-7-jre

• NFCPy depends on libusb:

  $ sudo apt-get install python-pip

  $ sudo pip install pyusb

Usage

For general help try:

$ python fuzzer.py --help

An example of a real use case would be:

$ python fuzzer.py -r tty:usb:0 -s 4d001f274acd31cf -D fuzz-configs/ndef/ -o testing

Phone Setup

There are some settings on android that make fuzzing a much more pleasurable experience.

• Enable USB debugging through "Developer options" If you don't see this option go to "About phone" and tap the "Build number" a bunch of times.

• Enable "Stay awake" under "Developer options"

• Set "Screen Lock" to None under "Security"

Examples

Here are some example commands to test NFC functionality (All files in examples-nfc):

• Emulate an NFC tag:

  $ ./npp-test-client.py -b --mode=initiator --quirks=android < ndef

• Read data from an NFC tag:

  $ ./tagtool.py

Code Architecture

• RFID Reader / FrontEnd as named by nfcpy (e.g. Proxmark, Omnikey, PN532 board)

• LL-Fuzzer provides full control over what this sends over the RFID channel

• RFID Device (e.g. smartphone, tablet, etc.)

• Provides an abstraction to interaction with NFC-enabled devices

• RFID Message (e.g. NDEF, LLCP)

• LL-Fuzzer supports numerous NFC message types

• Generator

• Generates inputs for fuzzing

• Fuzzer

• Drives fuzzing operation
• Uses generator to generate fuzzed messages
• Tells RFID reader to transmit fuzzed messages
• Receives logs, etc. from RFID Device
• Controls RFID stack on RFID device to reset state

Mail

It might be useful to interface the fuzzer with e-mail for very long jobs.

$ sudo apt-get install sendmail

Complications

Unreliable RF Transmission

During our own fuzzing, we had a very difficult time getting reliable NFC communication. To facilitate this, we used a book with the reader placed inside and the phone tapped to the top to prevent it from moving.
A more elegant setup is certainly possible, but any reliable setup will need a way of tweaking the distance and then holding the reader and phone at that fixed distance for the duration of the fuzzing.

Citation

Please use this DOI number reference, published on Zenodo, when citing the software:

Disclaimer

This work is sponsored by the Defense Information Systems Agency under Air Force Contract #FA8721-05-C-0002. Opinions, interpretations, conclusions and recommendations are those of the author and are not necessarily endorsed by the United States Government.