Hacking an NFC toy with the ChameleonMini

Formal Metadata

Title
Hacking an NFC toy with the ChameleonMini
Number of Parts
254
License
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
The Toniebox plays songs or reads stories to your kids when they put a little figurine on top of it. We show how to create a backup of it and use the ChameleonMini in place of it in case your kid ate it.
Transcript: English (auto-generated)
and Federico will be about hacking NFC toys with a ChameleonMini. Also, we have special guests here on stage. What is your name? Mila. Give them a warm round of applause.
You shall stay. Well, hello, everyone. We have some nice little toy for the kids. It is a Toniebox.
You are putting a little figurine on top of that, and then the box starts playing a song or reads a story, and the tags are using NFC to authenticate themselves, more or less. And maybe Luna will show how it is supposed to work.
Luna is a former student. Oh, my God. Are we done? Up.
Really good. Once you put in the figurine, you play and it stops, and it starts the game with another one. Yes, that's fine. We got the information from a forum where they just tried to hack these things,
and they stated that it was too difficult to do it with a ChameleonMini, and that was a challenge to us since we are maintaining the GitHub repository, which is open source, so we just did it yesterday,
and the kids can play with it today. We started by analyzing the communication by inputting a sniffer. We just received the communication from the box to the tag, and we looked at it. What is actually read, or is there authentication happening?
What we see here is the log of the ChameleonMini. This is ISO 15693, and the marked part is some proprietary commands,
and from the forum, we knew that it is an iCode tag, so we just looked it up in the data sheet, and the command we are seeing here is get random number, so the tag responds with a 16-bit random number.
Which is not shown here because, sorry, it is only a one-side communication sniffing, so we have only the commands that are given to the tag from the reader, so here we can see the random part of it, and we will just deal with it later on, and we will explain to you how we broke it nonetheless.
This is a normal ISO 15693 inventory command that selects a tag and expects a UID, but we are not authenticated right now, so the tag goes on with the set password command,
and that's quite interesting. It is a 32-bit password that is XORed with a random number twice, so no real crypto here, and then we see that we get selected,
and here we see the UID of the tag, so we can work on that. We implemented the get random number command and the set password, but we just did not send a random number back, so we just sent zeros,
and that's when we get the password. Then we emulated it, and let's take a look at the log again. This is the full emulation log, so we now finally have both transmission and reception from the reader,
so we are receiving data from the reader, and we are sending back a transmission of... This is our random number, which is 0000, so we are sending all zeros. Then it means that the password that will be sent by the reader to the tag will be XORed with only zeros,
so this is the authentication command, and you can see now we have the password in plain text because they simply XORed it with the zero. Now we finally have the password, so we can also use it to read the other tags because we actually need to authenticate in the right way with proper tags,
and we can read them, and if Mila... Yeah, thanks, Luna. It should be emulating a real tag. It's indeed emulating a real tag. So once you have the password, you can authenticate, read the data from the tag,
and reverse engineer it, but actually it's not even needed because somehow the box is trusting the UID itself. So once you have emulation in place and you can read the UID from the sniff we had before,
you are already good to go. You now have a perfect emulation, and the kids can now play without the XOR losing their toys. The interesting thing here is that we did not even start to read the tag. The actual data on the tag, as you see below here, we just sent back zeros, and the tag still plays,
so it doesn't even care what it's written on the tag. They just check the UID. Once you put the tag on top of it, and then you can just create a nice little backup. If the kids are breaking the toys, or you exchange some figurines with your friends.
No, that one would be legal. I would do that, but Mila might. We speculate that the data in the tag might be used to authenticate the first time with the box,
because once you buy a figurine, it's linked to your account, and probably the data inside it, it's used only the first time. So then later on the box just stores your UID and then it authenticates, and that's the reason why the box
does not care about the content, because it recognizes the UID as one. It's already saved inside of it. Yes, but we did want to read the tag anyway. Actually, we cannot do it with the Chameleon Mini right now, because there are some missing implementations. So we would like to join you
to contribute something on our GitHub project. We quickly scripted something, and I'm going back in Python for another reader, so we could read the tag and dump it.
But we did not upload it to the Chameleon, since we are already getting a full emulation on the tag, so we just saved the time. It will be on my list for the time being, I guess, because I need Python script to read those tags, which are not theoretically supported by many readers.
You have to go to the bare commands. There is no really made support for phones or something like that once the tag is in privacy mode. Well, we are already finished. Yeah, didn't have much to say, I guess. Just link the GitHub repository.
That's where you can also ask questions. If you are playing with the Chameleon and don't know how it works or getting stuck on something, we'll be also here around for questions and answers. And if you want to buy a Chameleon, you still can do.
You just have to find this man, the yellow guy, at his parking spot, which is up there, A02. Well, I just found him. He's right in front of me. What a coincidence.
And that's it. So thank you, Fabio, Fabian, and Federico, and especially thanks to Luna and Mila. We have time for some quick questions, I think. Are there any questions? We killed them. One question I see there.
I think you were first. From the point of what you know now, do you think it's possible that we have some kind of repository where I can download codes and play anything? Yeah, it's already available
in my own fork of the repository, but we are probably gonna merge it in the main one. We'll just tidy up the code and do a pull request, and then we will merge it into the main GitHub repository. In a couple of days, but still it's available as of now on my GitHub repository. Okay, following question on that,
there's a function, I think, that people can use these figures to record something, and this is saved in the cloud. Could this be a problem for privacy if I can technically clone other recordings from random people?
From my understanding, yes. Sorry. He's the owner of the box. From my understanding, yes, because you can upload your own, say, private discussion with your wife to one Tonie, and since it goes through their cloud
and is stored on this box, if someone can copy my UID, very likely he can listen to what I was saying to my wife on this Toniebox. That could be some privacy threat while it's a bit far-fetched. At the end of the day, there's mostly children's music. Well, it would be nice if you want to take a look at it.
The code is online, and you can do so, and tell us. Just a quick comment on that. As far as I know, you can, like, if you have these Tonies where you can speak something on them, you can enable others to take your figurine and put it on their Toniebox, so you can enable this function
or you can disable this. So even if you, as far as I know, even if you clone this UID, you cannot necessarily put it on some other Toniebox and listen to these private guys, at least. The other ones that would be possible, but the private ones, the ones where you can put some music or some speech on, these, you can disable the function
to share them. That's what I know. Thanks. So, any more questions? One more question or comment? I was just wondering, since now many kids will start going with the chameleons through the supermarket,
which is illegal, but most kids are too young to be prosecuted now, and then they would steal several UIDs and, or maybe exchange them with friends. I was wondering, where do we collect the archive of valid UIDs and what the content is, say, with, with music? I'm not hosting it. Oh, you only, you are only into backups,
into, say, a privacy backup. We have a little strict backup only. Comment within our source code that we know which UID belongs to which tag we worked with, but we will not expand it. Okay. So thank you. We have to collect it somewhere.
It's the criminal stuff. Thank you.
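The weakness the speakers walk through above, a 32-bit password XORed with a 16-bit random number that the tag itself supplies, modelled in Python as an added example. This is not code from the talk or from the ChameleonMini project; the password value, the byte layout (the random number repeated twice to cover four bytes) and the `Tag` class are constructed assumptions for the model, not the ICODE command set.

```python
import os

# Constructed 32-bit password for the model; no real tag password appears on the page.
PASSWORD = bytes.fromhex("1A2B3C4D")


def mask_password(password: bytes, rnd: bytes) -> bytes:
    """Reader side: XOR the 32-bit password with the 16-bit random number
    the tag returned, repeated twice so every byte is covered (assumed layout)."""
    if len(password) != 4 or len(rnd) != 2:
        raise ValueError("expected a 4-byte password and a 2-byte random number")
    return bytes(p ^ r for p, r in zip(password, rnd + rnd))


def unmask_password(masked: bytes, rnd: bytes) -> bytes:
    """XOR is its own inverse: the tag, or anyone who knows rnd, undoes the mask."""
    return mask_password(masked, rnd)


class Tag:
    """Minimal model of the tag side: hand out a random number, then check the
    masked password against it. The RNG is injectable so an emulator can fix it."""

    def __init__(self, password: bytes, rng=lambda: os.urandom(2)):
        self.password = password
        self.rng = rng
        self.last_rnd = b"\x00\x00"

    def get_random_number(self) -> bytes:
        self.last_rnd = self.rng()
        return self.last_rnd

    def set_password(self, masked: bytes) -> bool:
        return unmask_password(masked, self.last_rnd) == self.password


def authenticate(reader_password: bytes, tag: Tag):
    """One GET RANDOM NUMBER / SET PASSWORD exchange as seen on the air.
    Returns the masked password the reader transmitted and the tag's verdict."""
    rnd = tag.get_random_number()
    masked = mask_password(reader_password, rnd)
    return masked, tag.set_password(masked)


def emulated_tag_leak(reader_password: bytes) -> bytes:
    """An emulated tag that always answers rnd = 0000 makes the reader transmit
    password XOR 0, i.e. the plain password, exactly what the talk observed."""
    zero_rnd_tag = Tag(b"\x00" * 4, rng=lambda: b"\x00\x00")
    masked, _verdict = authenticate(reader_password, zero_rnd_tag)
    return masked
```

The model shows why masking with a value the other party chooses is not a cipher: whoever controls `rnd` controls the mask, and a fixed or predictable random number turns the "encrypted" password into plaintext on the air.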