Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Cracking the Digital Business Card - 1499

IMcPwn - Posted 1 Year Ago
  • Popl is a digital business card. The cards contain an NFC chip that lets someone open a website so that you can connect with them later. The Popl app, used for setting up the electronic part of the business cards, has a $77 annual subscription fee.
  • To me, this is a classic "I own these and therefore I should be able to do what I want with them" situation. The goal was to edit the NFC data on the card to whatever information we wanted, since we do own it.
  • The author first tried playing around with the classic NFC Tools app to change the record information. The NFC card has a password write-protect feature (the password can only be 4 bytes long). They tried the default passwords of 00000000 and FFFFFFFF, but neither worked. Next, they tried the Unlock NTAG NFC action on the Flipper Zero, to no avail. At this point, we know that the system is not using any default or easy-to-guess passwords.
  • They tried using an iCopy tool, which just wraps the Proxmark tool. Using this, they dumped all available page data from the card. Apparently, the Proxmark can sometimes pull the password out of the card, but it was unable to do so in this case. From crunching the numbers, they claim it would take 27 years to brute-force the stored password, making this unviable as well.
  • The iOS application for the business cards must communicate with the NFC chip to write the URL to it. If that's true, then the phone app must have access to the password! Since the password is required for writing and the app does write to the card, we should be able to recover it. Using the Proxmark's trace list command, we can see every command sent to the card. In the output is an authentication command with the password in plaintext! There's the password, which is just the string test :)
  • With the password known, the author wanted to edit the card. Using the NFC Tools app, they were able to authenticate successfully by using the Advanced Commands feature to send a raw packet. For whatever reason, the authentication would succeed but any subsequent write would fail. Although this could probably be solved by writing a custom app, they wanted something easier.
  • With NFC cards, it's possible to just remove the password! They tried to do this with the Proxmark and it worked: the password was removed. It should be noted (not in the article) that NFC Tools uses the first 4 bytes of the MD5 hash of the password you provide rather than its raw bytes, but other apps, like NFC Read Write, use the raw bytes.
  • Finally, they were able to write to their NFC card! This was a good write-up, and it was fun to see a real-world application of NFC. In my mind, there is no good way to secure this from unauthorized writes, because the password can always be sniffed or reverse-engineered from the app. There are more secure authentication protocols in newer NFC cards (I think?) that could potentially be proxied to a server to prevent writes in the future. But, regardless, I'm happy this got cracked!
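Two points above are worth seeing in code: why a Proxmark trace exposes the password (NTAG21x PWD_AUTH sends the 4 bytes in the clear, so any frame decoder recovers them) and why NFC Tools and raw-byte apps disagree on what "test" means (MD5-derived vs. raw bytes). This is an added example, not code from the article or from Popl/Proxmark; the trace is constructed, with CRC bytes omitted, and the command values are the standard NTAG21x ones from the NXP datasheet.

```python
import hashlib

# NTAG21x reader-to-tag command bytes (NXP datasheet).
PWD_AUTH = 0x1B   # followed by 4-byte password, transmitted unencrypted
WRITE = 0xA2      # followed by page address + 4 data bytes
READ = 0x30       # followed by page address

def decode_frame(frame: bytes) -> dict:
    """Classify one reader-to-tag frame (CRC already stripped)."""
    cmd = frame[0]
    if cmd == PWD_AUTH and len(frame) >= 5:
        return {"cmd": "PWD_AUTH", "pwd": frame[1:5]}
    if cmd == WRITE and len(frame) >= 6:
        return {"cmd": "WRITE", "page": frame[1], "data": frame[2:6]}
    if cmd == READ and len(frame) >= 2:
        return {"cmd": "READ", "page": frame[1]}
    return {"cmd": f"0x{cmd:02X}", "raw": frame}

def find_plaintext_password(frames):
    """Return the PWD carried by the first PWD_AUTH frame, or None.
    This is exactly what reading a `trace list` output by eye does."""
    for frame in frames:
        decoded = decode_frame(frame)
        if decoded["cmd"] == "PWD_AUTH":
            return decoded["pwd"]
    return None

def nfc_tools_pwd(text: str) -> bytes:
    """NFC Tools derives the 4-byte PWD from the first 4 bytes of MD5(text)."""
    return hashlib.md5(text.encode()).digest()[:4]

def raw_pwd(text: str) -> bytes:
    """Apps such as NFC Read Write send the bytes as typed; must be 4 bytes."""
    data = text.encode()
    if len(data) != 4:
        raise ValueError("NTAG21x PWD is exactly 4 bytes")
    return data

# Constructed sample trace: a read, the authentication, then a write of the
# first bytes of an NDEF TLV (0x03, length, record header) to page 4.
SAMPLE_TRACE = [
    bytes([READ, 0x00]),
    bytes([PWD_AUTH]) + b"test",
    bytes([WRITE, 0x04, 0x03, 0x0B, 0xD1, 0x01]),
]

if __name__ == "__main__":
    pwd = find_plaintext_password(SAMPLE_TRACE)
    print("password in trace:", pwd)
    print("NFC Tools would send:", nfc_tools_pwd("test").hex())
    print("raw-byte app would send:", raw_pwd("test").hex())
```

Because NFC Tools sends `098f6bcd` for the text "test" while the card expects the raw bytes `74657374`, the two derivations explain why the same typed password can authenticate in one app and fail in another.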