I know that if I load up the info, I can create wifi tags which allow me to let people on my wifi network without giving them a code.
Would it be possible to create a temporary code so that people don't have permanent access to my wifi network?
I don't think this is possible, the only way to give them access to your Wi-Fi for a limited time is to change the password.
Sent from my Nexus 7 using xda app-developers app
Pretty sure you can put an expiration on them the way that hotels do for NFC room keys so that the tag pretty much wipes its data after a certain amount of time.
Hotel keys don't wipe themselves. The hotel key system invalidates the tags when the guest checks out. I'm "pretty sure" there is no way to program a tag to expire itself.
Related
Hi
Here at the university we use a NFC card to check in. Is it possible to copy the tag to my phone so I don't have to carry my student card around?
Depends
Sent from my LS670 using XDA
Shark_On_Land said:
Depends
Sent from my LS670 using XDA
Click to expand...
Click to collapse
Wow, helpful much?
I'd like to know this too.
thx
arjun rajput
+1
I like to know this to.
(Here at the university we use a NFC card to check in. Is it possible to copy the tag to my phone so I don't have to carry my student card around?)
Hi Samuel
I believe this is not possible right now, as there are security measures in place to prevent fraudulent use, but give it a couple of months there will be apps you can download , to copy re-writeable NFC tags to your phone, making your phone work as an emulator of some sort.
virus007 said:
(Here at the university we use a NFC card to check in. Is it possible to copy the tag to my phone so I don't have to carry my student card around?)
Hi Samuel
I believe this is not possible right now, as there are security measures in place to prevent fraudulent use, but give it a couple of months there will be apps you can download , to copy re-writeable NFC tags to your phone, making your phone work as an emulator of some sort.
Click to expand...
Click to collapse
To emulate cards with your NFC phone, you have to have full control of the secure element. In the Nexus phones, access to the secure element is restricted to Google - only they have the codes to access it. In non-Nexus phones like the SGS2, they don't even have built-in secure elements and therefore have to rely on SIMs, which are in turn controlled by operators. Without access to the secure element, you won't be able to emulate another card. So, no, even in a few months you won't be able to copy a tag and emulate it from your phone. Unless Google opens up the secure element to, which is unlikely.
To OP: Even if you could actually copy the contents of the card and then emulate it, this might not be enough. Many schools use just the UID of the card to associate it with your account on their system. This means that there's a good chance that your card actually has no data on it. Furthermore, phones aren't currently able to emulate UIDs. You're out of luck.
LoveNFC said:
To emulate cards with your NFC phone, you have to have full control of the secure element. In the Nexus phones, access to the secure element is restricted to Google - only they have the codes to access it. In non-Nexus phones like the SGS2, they don't even have built-in secure elements and therefore have to rely on SIMs, which are in turn controlled by operators. Without access to the secure element, you won't be able to emulate another card. So, no, even in a few months you won't be able to copy a tag and emulate it from your phone. Unless Google opens up the secure element to, which is unlikely.
To OP: Even if you could actually copy the contents of the card and then emulate it, this might not be enough. Many schools use just the UID of the card to associate it with your account on their system. This means that there's a good chance that your card actually has no data on it. Furthermore, phones aren't currently able to emulate UIDs. You're out of luck.
Click to expand...
Click to collapse
Clearly, a direction NFC will follow. There's no way users will allow something like that to remain as neutered as it currently is. It just (seemingly) has not worked that way in the past.
thanks
thanks
DroidSheep is an Android application that demonstrates security weaknesses (not using https) and is capturing facebook, twitter, linkedin , yahoo, and other accounts.
PS> this is NOT my work, nor do i intend it to be taken as my work, I just wanted to share with the community!
NOTE FROM THE GERMAN DEVELOPER:
DroidSheep was developed as a tool for testing the security of your accounts.
This software is neither made for using it in public networks, nor for hijacking any other persons account.
It should only demonstrate the poor security properties network connections without encryption have.
So do not get DroidSheep to harm anybody or use it in order to gain unauthorized access to any account you do not own! Use this software only for analyzing your own security!
So do not get DroidSheep to harm anybody or use it in order to gain unauthorized access to any account you do not own! Use this software only for analyzing your own security!
Now>
WHAT DO YOU NEED?
1. A rooted phone (no, it will for sure not work without root)
2. The App installed on the phone (latest build attached to the present post)
3. A WIFI network to test it on
How do you use it?
DroidSheeps main intention is to demonstrate how EASY it can be, to take over nearly any internet account. Using DroidSheep any user – even without technical experience – can check if his websession can be attacked or not. For these users it is hard to determine, if the data is sent using HTTPS or not, specially in case of using apps. DroidSheep makes it easy to check this.
This video demonstrates what DroidSheep can do:
http://droidsheep.de/?page_id=14
How does it work?
As already announced DroidsSheep supports almost every website – also “big” webservices like facebook and Yahoo.
How does that work this simple?
There are many users that do not known that air is the transmission medium when using WiFi. Therefore information is not only transfered to its receiver but also to any other party in the network within the range of the radio waves.
Usually nothing special happens because the WiFi users discard packets that are not destined to themselves. DroidSheep does not do this. It reads all the packets looking at their contents.
Is a website sending a clear recognition feature within a message’s content, which can identify a user (“SessionID”), then DroidSheep is able to read it although it is not intended to external users. Moreover DroidSheep can use this token to use it as its own. The server can’t decide whether the authorized user or DroidSheep has sent the request.
http://droidsheep.de/?page_id=424
How can I protect myself?
The only satisfying answer is: SSL respectively HTTPS.
Many providers already offer HTTPS, even facebook, however it must often be enabled in the settings first.
When using HTTPS the data are still sent to alle participants in the WiFi-network, too, but because the data has been encrypted it is impossible for DroidSheep to decrypt the contect of a message - remaining only a complete mess of letters, with which an attacker can’t do anything.
The real problem is that not every website provides SSL. What to do when you are in a public network (hotel, airport, etc.), you also want to use this and the site does not offer HTTPS though?
You can use a VPN-connection
For this the computer sets up an encrypted channel to a confidential computer which again transfers the data to the website.
You can also install DroidSheep Guard from the Market:
https://play.google.com/store/apps/details?id=de.trier.infsec.koch.droidsheep.guard.free&hl=en
A very interesting feature is the possibility to save cookies!!
Source> http://droidsheep.de
Imagine the possibilities....
This isn't good dude.
And 'air' isn't the 'transmission medium' for WiFi. We figured that out when we discarded the ether hypothesis around a century ago.
backfromthestorm said:
This isn't good dude.
And 'air' isn't the 'transmission medium' for WiFi. We figured that out when we discarded the ether hypothesis around a century ago.
Click to expand...
Click to collapse
-what exactly "isn´t good" ?
Ok you are correct, yes, WIFI (as any other electromagnetic wave) can also be transmitted through vacuum, so yes there is no need of "air"
Re-ported to a MOD I don't think this should be shown or talked about on XDA this isn't an hacking site like you might think for taking advantage of other peoples accounts.
XDA is a hacking community for the good like Rooting.
This app has been on XDA for quite a while http://forum.xda-developers.com/showthread.php?t=1593990
Even a portal article about it http://www.xda-developers.com/android/droidsheep-undresses-network-security-and-shows-how-its-done/
Please use the main thread to discuss this app, not this one.
@ shankly1985, we appreciate your concern, but people need to know how insecure important accounts can be. Thus enabling them to make the changes to fix them.
Thread Closed.
When your out traveling you often connect to different wifi spots(restaurants, hotel,...) and you never know how what happens behind.
Is there a way to use your phone on Internet in a safe way? Like a switch on your home screen you can turn the it on/off easly? I guess you need an app, a vpn or a server of some sort??
What do you mean with "in a safe way" ?
For example gmail uses a cripted (SSL) channel to read/send email. Is SSL "enough" safe for you ?
Using a "public" hotspot is not less "safe" than acecss your online backing form a pc at office. Is it possible for the "neworking guy" to see that you are accessing an online bank? Yes, for sure. Could he read your PIN/passwd and steal your money ? If your bank has a decent website (HTTPS) probably not (or not so easily..).
Do you wnat to be "safe" to read an online newspaper for last headnews?
Tor, private VPN
Sent from my i9250
kliw said:
For example gmail uses a cripted (SSL) channel to read/send email. Is SSL "enough" safe for you ?
Click to expand...
Click to collapse
With the easy availability of Jasager routers and how simple SSL-stripping is, no, SSL isn't safe enough on a public wifi.
As bk said, either use Orbot (TOR's Android implimentation) or a private VPN that provides endpoint-to-endpoint encryption.
I usually tend not to do any super personal stuff over public wifi - that means access gmail, google drive, etc.
I tend to stick to browsing websites for reading and that's it.
Chances are, if it's in a known location of a big business you probably have nothing to worry about.
A mom-and-pop coffee shop, or a crummy hotel wifi access point I'd be skeptical of the security enforced.
Here you go..
http://forum.xda-developers.com/showthread.php?t=1350941
akira02rex said:
Chances are, if it's in a known location of a big business you probably have nothing to worry about.
Click to expand...
Click to collapse
Actually, a big business's wifi is probably less safe. Anyone who wants a large number of targets at once just needs a Jasager router, the ability to launch a de-auth attack (not difficult at all), and a local Starbucks.
At work I have access to a Nexus 7 which is shared between 7 members of our team.
I would like to be able to issue each potential user a uniquely-coded NFC keyfob that they can use to unlock the Nexus' screen and maybe set it up in particular ways.
Is this even possible? I know I can run apps once the device is unlocked, but I need to use NFC to get into it in the first place.
Yea I would say it is possible. The N7 supports various user profiles. You should be able to use Tasker to read the UID from each Tag and log into a specific profile.
You will need a custom rom/kernel because by default, NFC is off when the screen is off. A custom kernel allows NFC on all the time which can start taking commands and wake up.
I haven't messed with Tasker or Profiles. I would say it would just be a matter of logic "Read NFC and IF UID=1818181818181 then Load Profile 1" stuff.
I used NFC's coded with a URL with a unique ID to load a web page and pass the ID variable in to the server, which recorded your login and submissions. Pretty cool stuff. Just make sure you get good NFC's because the cheap ones aren't as powerful and becomes a chore trying to scan it.
The sweet spot seems to be the "N" of Nexus on the back.
Double post
lets say a nfc/rfid card for a job or apt is disactivated. Is there a way you can reprogram the card in anyway for it to be able to gain access again to those places?
bump
q-live said:
lets say a nfc/rfid card for a job or apt is disactivated. Is there a way you can reprogram the card in anyway for it to be able to gain access again to those places?
Click to expand...
Click to collapse
Afaik, there is no 'activation' or 'deactivation' on nfc.
Afaik, again, the readers interpret what the card has written on it. Let's take opening a door. On the card you have an unique ID, the reader goes through a list of authorized IDs, and if yours is in there, it opens the door.
Via an NFC reader app you should be able to replicate any card you like, and I also think reprogramming is possible. If your ID is not allowed to cross a gate anymore, you would have to scan a tag which can and emulate it. This goes without saying, don't do anything illegal.
Also, there could (should) be some more layers of protection, like encryption of the data on the tag, which could prevent advanced editing.
Of course, these are my two cents, I may be ridiculously wrong.
Sent from my XT1068 using XDA Free mobile app
Wow