xNTi Tag Security

"Passwords are like underwear: you don't let people see it, you should change it very often and you shouldn't share it with strangers"
- Chris Pirillo

Please note that this is an extract graciously provided by the manufacturer, Amal Graafstra at Dangerous Things.

The xNT uses the NTAG216 chip from NXP, which was designed for use in more typical NFC applications such as smart posters, labels, and other disposable use cases where the memory contents would typically be written and then locked so it could not be changed. This is done using built-in “lock bytes” which are OTP (one time programmable). That means that once the lock bytes are turned on to protect memory blocks, they can never be unlocked. Once any memory block is locked, it will forever be read-only, which is not ideal for the xNT. Many NFC applications offer ways to “lock” or “protect” your tag, which will end up locking the tag read-only.

In addition to lock bytes, the NTAG216 offers a 32bit password protection function. Regardless of what some NFC smartphone apps indicate, it is not possible to remove or disable the password. It is only possible to set the password to the default value of FF FF FF FF. If the password is set to the default value, then anyone could easily authenticate, change the password, then write data or change protection options for your tag, and either permanently lock the tag or just change the password to some unknown value. Because it is also possible to protect memory blocks from unauthenticated reads using a password, this could make the tag completely useless by not allowing any memory blocks to even be read.

Finally, many of the critical configuration bytes used by the NTAG216 chip are stored in the last few memory pages of the tag. This means that it may be possible for an NFC application that does not properly detect or honor the xNT’s memory schema to accidentally attempt to write NDEF record data (the data you’re trying to store on the tag) overtop of the configuration bytes. For example, if the data you are attempting to write is longer than the user memory blocks available, the remainder of the data might be written overtop of configuration bytes, which contain settings that are potentially dangerous to modify such as the config lock byte. The configuration lock byte is not possible to disable, so accidentally writing to that byte could result in your configuration being irreversibly locked.

To help our customers protect their tag from accidental modification or malicious attack, we have developed Dangerous NFC for Android. Our DNFC app allows customers to secure their tag by doing the following things;

  • Disable lock bytes so they cannot be used to lock any memory blocks as read-only
  • Update the password block with a custom, non-default password value
  • Update the memory protection option to write-only protection
  • Update the memory protection range to protect the configuration bytes

This approach allows the entire user memory space to be written to/updated, while at the same time protecting the configuration bytes and password values at the bottom end of the xNT memory space. This means an application cannot accidentally write data unintentionally to any configuration bytes. It also means the password of the xNT cannot be updated without first authenticating. This means you will need the current password in order to update or change the password. Without updating the dynamic memory protection range, it would technically be possible to just write a new password without first knowing the old password.

The Resources

Ultimately, once secured by Dangerous NFC, you are free to use any other NFC app to write data to the tag and not need to be afraid of accidentally locking the tag, or changing the configuration bytes, or someone maliciously locking your tag or changing your password. We suggest using NXP’s TagWriter app.