Introduction
Near Field Communication (NFC) is a set of standards for mobile devices
NFC technology could be very effective in various areas. The main applications
that can benefit from its introduction are:
Many U.S. corporations are planning to provide NFC devices and solutions. The list is
very long and includes device manufacturers such as Google and Apple, financial
services such as MasterCard and Visa, and also mobile operators such as AT&T and
Verizon. Big enterprises are driving the growth of NFC demand and the markets are
investing in the technologies, attracting a multitude of smaller firms that develop a
huge quantity of innovative services.
The killer application for the future is the one that will make it possible for multiple
card issuers and payment processors to share space on an NFC handset, opening the
technology to a scenario rich in applications.
We are facing one of the biggest business opportunities of our time. Several
international researchers have confirmed it with extraordinary figures; according to
the Deloitte firm:
In 2013, there may be as many as 300 million NFC smartphones and other
mobile devices.
1 in 6 users worldwide will have an NFC-enabled phone by 2014.
NFC-based mobile transactions are expected to reach nearly $50 billion
worldwide by 2014.
500 million people around the world will use their mobile devices as travel
tickets on metros, subways and buses by 2015; NFC will drive this growth.
2015 will be the year of NFC technology's consecration, when over 50% of
smartphones will have NFC capability (Gartner Research) and NFC technology will be
the most-used solution for mobile payment; NFC will enable worldwide transactions
totaling about $151.7 billion (Frost & Sullivan), and global mobile transactions are
predicted to grow to more than $1 trillion by 2015 (Yankee Group). It's clear that
business related to the standards will grow to major dimensions.
The expected increase in the supply of NFC solutions has a collateral effect: hackers
and cyber-criminals are focusing their attention on the technology, a growing
number of 0-day vulnerabilities will be found, and new exploit kits will be offered on
the black market. A flaw in the standard could affect several sectors, with serious
consequences.
Newer tags have security functionality built into the chip, but this functionality is not
part of the NFC tag specification; the principal objectives to pursue for data protection are:
Authenticity
Integrity
Confidentiality
To meet the authenticity and integrity requirements for tags, developers can refer to
the NFC Forum Signature NDEF structure, as detailed in the document “NFC Forum
Signature Record Type Definition Technical Specification version 1.0.”
The technical specification “Specifies the format used when signing single or
multiple NDEF records. Defines the required and optional signature RTD fields, and
also provides a list of suitable signature algorithms and certificate types that can be
used to create the signature. Does not define or mandate a specific PKI or
certification system, or define a new algorithm for use with the Signature RTD.
Specification of the certificate verification and revocation process is out of scope.”
Eavesdropping
Data Modification
In this attack scenario, the data being exchanged is captured and modified by an
attacker's radio frequency device. The attacker's device is able to inhibit the NFC data
exchange briefly, but long enough to alter the binary coding. This type of attack is
very difficult to implement, but data modification is realizable in rare cases,
especially for active-mode transmission of NFC information. The most common way
to interfere with the NFC data exchange is to use an RFID jammer. Data modification
could be detected by introducing code in the NFC source device that measures the
strength of the received frequencies and chooses the one that is truly the closest and
most likely valid; checking the RF field during transmission allows the sender to
detect this type of attack. Another possibility is to modify the data in such a way that
it appears valid to the receiver; here the attacker has to deal with the single bits of
the RF signal. The feasibility of this attack depends on various factors, such as the
strength of the amplitude modulation. As described in the paper “Security in
Near Field Communication (NFC) – Strengths and Weaknesses” by Ernst Haselsteiner
and Klemens Breitfuß, when data is transferred with modified Miller coding and a
modulation of 100%, only certain bits can be modified, while transmitting
Manchester-encoded data with a modulation ratio of 10% permits a modification
attack on all the bits.
Relay Attack
A relay attack exploits the ISO/IEC14443 protocol compliance of NFC; the attacker
has to forward the request of the reader to the victim and relay back its answer to
the reader in real time in order to carry out a task by pretending to be the owner of
the victim’s smart card.
This attack technique focuses on the extension of the range between the NFC token
(e.g., a card) and the reader to implement it two NFC enabled devices are necessary,
one acting as a reader and one acting as a card emulator. The access victim system
will not able to detect the attack because it will think a card is actually in front of it.
In the attack scenario the attacker holds the NFC reader near the victim’s card and
relays the data over another communication channel to a second NFC reader placed
in proximity to the original reader that will emulate the victim’s card.
RFID technology imposes a constraint on the time allowed between a challenge and
its response, named frame waiting time (FWT); exceeding this limit will cause the
failure of the attack, and enforcing it is among the principal countermeasures to
prevent relay attacks. The attack itself requires three components:
A reader device, called a mole or leech, located in close proximity to the card under
attack.
A card emulator device, called the proxy or ghost, used to communicate with the
actual reader.
A fast communication channel between these two devices.
During the attack the mole is brought into proximity to the card under attack;
meanwhile, the card emulator is placed in proximity to a reader device (POS
terminal, access control reader, etc.).
Every command that the card emulator receives from the actual reader is forwarded
to the mole, which forwards it to the victim card; the card's response is sent back by
the mole to the actual reader through the card emulator.
The limit on a relay attack is the necessity for the attacker to stay in physical proximity
(less than one meter) to the device under attack. Recent research demonstrated the
possibility of substituting the mole hardware with a software application installed on
the victim's device.
A new possible attack scenario based on software has the following components:
Researcher Michael Roland designed Trojan relay software that is able to receive
payment commands over the air (OTA) through a relay server and use the credentials
from Google's embedded secure element for a live payment transaction. In recent
versions of Google Wallet (until June 2012), it was possible to communicate with the
credit card applets in the secure element through the wired interface without asking
the user for his PIN.
On the POS side, a touchatag reader is used to simulate a tag (this could also be
done with a BlackBerry or an Android running CyanogenMod 9.1). The transaction is
relayed over a wireless network (WiFi/GSM/UMTS). Although the round-trip times are
longer, the EMV terminal does not recognize the delay, as EMV does not define
timing constraints on the terminal for transaction processing.
After Michael presented the POC, Google quickly responded by providing fixes in
more recent versions of Google Wallet.
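As an added example (not from the original article or any of the cited works), the following Python sketch shows how a reader can use the ISO/IEC 14443-4 frame waiting time described above as a relay detector, and why the announced FWI must be clamped. The FWT formula and FWI range come from ISO/IEC 14443-4; the APDU names, latencies and the clamping policy are constructed assumptions.

```python
"""Relay-attack timing check based on the ISO/IEC 14443-4 frame waiting time.

The card announces FWI (0..14) in its ATS and the reader derives how long it
waits for each response: FWT = (256 * 16 / fc) * 2**FWI, fc = 13.56 MHz.
A relay inserts a network round trip into every exchange, so responses that
arrive after FWT expose it. All latencies below are constructed samples.
"""
from dataclasses import dataclass

FC_HZ = 13.56e6   # ISO/IEC 14443 carrier frequency
MAX_FWI = 14      # largest FWI value the standard defines

def fwt_us(fwi: int) -> float:
    """Frame waiting time in microseconds for a given FWI (FWI=4 -> 4833 us)."""
    if not 0 <= fwi <= MAX_FWI:
        raise ValueError(f"FWI out of range: {fwi}")
    return (256 * 16 / FC_HZ) * (2 ** fwi) * 1e6

@dataclass
class Exchange:
    command: str       # APDU name, used only for the report
    latency_us: float  # measured command-to-response time

def check_exchanges(exchanges, announced_fwi, max_accepted_fwi):
    """Return (command, within_fwt) per exchange. The proxy chooses the ATS it
    sends and can announce a large FWI to buy time for the relay, so the reader
    clamps the FWI it honours to a policy maximum rather than trusting it."""
    limit = fwt_us(min(announced_fwi, max_accepted_fwi))
    return [(ex.command, ex.latency_us <= limit) for ex in exchanges]

def relay_suspected(exchanges, announced_fwi, max_accepted_fwi):
    verdicts = check_exchanges(exchanges, announced_fwi, max_accepted_fwi)
    return any(not ok for _, ok in verdicts)

# Constructed samples: a genuine card answers within a few milliseconds; the
# relayed card adds a Wi-Fi round trip of tens of milliseconds to each exchange.
GENUINE = [Exchange("SELECT AID", 1200.0), Exchange("GET PROCESSING OPTIONS", 2600.0),
           Exchange("GENERATE AC", 3900.0)]
RELAYED = [Exchange("SELECT AID", 26400.0), Exchange("GET PROCESSING OPTIONS", 31100.0),
           Exchange("GENERATE AC", 28700.0)]

if __name__ == "__main__":
    print(f"FWT for FWI=4: {fwt_us(4):.1f} us")
    print("genuine card, FWI 4:", relay_suspected(GENUINE, 4, 4))             # False
    print("relayed card, FWI 4:", relay_suspected(RELAYED, 4, 4))             # True
    # A proxy announcing FWI=14 (~4.9 s) hides the relay when the reader does not clamp.
    print("relayed card, FWI 14 unclamped:", relay_suspected(RELAYED, 14, MAX_FWI))  # False
```

The last case is the point the EMV remark above makes from the other side: a terminal that accepts any announced waiting time, or defines none, gives the relay all the slack it needs.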
Data Corruption
A data corruption attack is essentially a form of the denial of service (DoS) attack, in
which an attacker interferes with data transmission, disturbing or blocking data flow
such that the receiver is not able to decipher the information. The attacker does not
need to access the transmitted data, he just needs to transmit radio signals to
reduce the signals to random noises destroying the information content of the
communication.
Spoofing
The principal countermeasure against this type of attack is to properly configure the
device to prompt a message before executing commands through NFC (e.g.,
opening a URL).
Although the NFC standard requires proximity of the devices during the data transfer,
NFC is theoretically susceptible to MITM attacks: an attacker could intercept the
information, possibly manipulate it, and relay it to the receiving device. Beyond the
proximity requirement, another factor that makes the implementation of MITM attacks
difficult is the use of encryption mechanisms such as AES for secure communication.
Is it really possible to conduct a MITM attack against NFC? Let's look at the following
cases:
Assume that Alice uses active mode and Bob is in passive mode. Alice generates the
RF field and sends data to Bob. An attacker (Eve) in proximity to Alice could
eavesdrop on the information and at the same time has to block the transmission to
Bob. A possible problem for the attacker is the fact that Alice could detect the
disturbance and stop the transmission. Assume that Alice does not detect the
disturbance; Eve now needs to send data to Bob, but this is a problem because of the
concurrent presence of the RF field generated by Alice, which means two RF fields
are active at the same time. Because it is impossible to perfectly align the two RF
fields, Bob cannot interpret the data sent by Eve.
Assume that both Alice and Bob use active mode. Alice sends some data to Bob. Eve
can capture the data and disturb the transmission to prevent Bob from receiving it.
Once again, Alice could detect the disturbance caused by Eve and stop the protocol.
Assuming that Alice does not detect it, Eve would need to send data to Bob. The
problem here is that Alice is listening, as she is expecting an answer from Bob;
instead she will receive the data sent by Eve, is able to detect a problem in the
protocol, and stops the communication. For Eve, it is not possible to send data to
either Alice or Bob while making sure that this data is not received by Bob or Alice,
respectively.
Another category of attacks against NFC is based on fuzzing the NFC protocol stack
and analyzing the software that is built on top of the NFC stack on victims' devices.
An attacker can force some mobile devices to parse images, videos, contacts, office
documents, and other content without user interaction. In specific cases, the attacker
can completely take control of the phone via NFC, including stealing data on the
mobile (e.g., photos and documents) and even making phone calls or sending text
messages.
For the test, Miller used a Nokia N9 with NFC enabled. This mobile doesn't have
“Confirm sharing and connecting,” so if an attacker presents it with a Bluetooth pairing
message, it will automatically pair with the device named in the message without user
confirmation, even if Bluetooth is disabled.
[0000] d4 0c 27 6e 6f 6b 69 61 2e 63 6f 6d 3a 62 74 01 ..'nokia.com:bt.
[0020] 00 00 00 00 00 00 00 00 00 0c 54 65 73 74 20 6d ..........Test m
[0030] 61 63 62 6f 6f 6b acbook
“In this message, a PIN is given as ‘1234’, and a Bluetooth address and a name of the
device are also provided. Once paired, it is possible to use tools such as obexfs,
gsmsendsms, or xgnokii to perform actions with the device. Basically, if a user just
enables NFC and makes no other changes to the device, it can be completely
controlled by an attacker if the attacker can get it to read an NFC tag,” Miller wrote in
the paper.
“The code responsible for parsing NFC transmissions begins in kernel drivers,
proceeds through services meant to handle NFC data, and eventually ends at
applications which act on that data.”
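As an added example (not code from Miller's paper or from the original article), here is a Python parser for the NDEF record layout seen in the dump above, combined with the confirmation policy the Spoofing section recommends: records whose type triggers an action on parsing (opening a URI, or Bluetooth pairing via the external type nokia.com:bt or the Bluetooth OOB MIME type) are reported so the device can prompt the user before acting. The sample message is constructed and its pairing payload is a placeholder.

```python
"""Parse an NDEF message and flag records that must not act without user consent.
NDEF record header (NFC Forum NDEF 1.0): flags byte MB|ME|CF|SR|IL|TNF(3 bits),
TYPE_LENGTH, PAYLOAD_LENGTH (1 byte if SR is set, else 4), ID_LENGTH if IL is
set, then TYPE, ID and PAYLOAD. The sample message below is constructed; only
the header layout and the type name nokia.com:bt come from the dump above."""

MB, ME, CF, SR, IL, TNF_MASK = 0x80, 0x40, 0x20, 0x10, 0x08, 0x07
TNF_WELL_KNOWN, TNF_MIME, TNF_EXTERNAL = 0x01, 0x02, 0x04

# Record types whose parsing alone triggers an action on the device; a device
# following the Spoofing countermeasure prompts the user before acting on them.
ACTION_TYPES = {
    (TNF_WELL_KNOWN, b"U"): "opens a URI",
    (TNF_EXTERNAL, b"nokia.com:bt"): "Nokia Bluetooth pairing handover",
    (TNF_MIME, b"application/vnd.bluetooth.ep.oob"): "Bluetooth OOB pairing data",
}

def parse_message(data: bytes) -> list:
    """Return (tnf, type, payload) per record; reject truncated or chunked input."""
    records, pos = [], 0
    while pos < len(data):
        flags, type_len, pos = data[pos], data[pos + 1], pos + 2
        if flags & CF:
            raise ValueError("chunked records are not supported")
        if flags & SR:
            payload_len, pos = data[pos], pos + 1
        else:
            payload_len, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
        id_len, pos = (data[pos], pos + 1) if flags & IL else (0, pos)
        rtype = data[pos:pos + type_len]
        pos += type_len + id_len                   # the ID field is not needed here
        payload, pos = data[pos:pos + payload_len], pos + payload_len
        if len(rtype) != type_len or len(payload) != payload_len:
            raise ValueError("truncated NDEF record")
        records.append((flags & TNF_MASK, rtype, payload))
        if flags & ME:                             # ME marks the last record
            break
    return records

def confirmation_required(records):
    """(type, reason) for every record the device must confirm with the user."""
    return [(rtype, ACTION_TYPES[(tnf, rtype)])
            for tnf, rtype, _ in records if (tnf, rtype) in ACTION_TYPES]

# Constructed sample: a text record ("en", "hello") followed by a Bluetooth
# handover record whose 4-byte payload is a placeholder, not real pairing data.
SAMPLE = (bytes([MB | SR | TNF_WELL_KNOWN, 1, 8]) + b"T" + b"\x02enhello"
          + bytes([ME | SR | TNF_EXTERNAL, 12, 4]) + b"nokia.com:bt" + b"\x00" * 4)
```

The first three bytes of the dump above, d4 0c 27, decode under this layout as MB|ME|SR with TNF 4 (external), a 12-byte type and a 39-byte payload, which is exactly the single-record message the parser expects.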
Conclusions
According to many experts, near field technology will have a meaningful impact on
the usability of mobile devices in various contexts; on the one hand, it will improve the
user's experience by making it possible to access countless services with a single
device, but as a side effect it also has a potentially dramatic impact on users'
privacy.
Personal information, credit cards, and sensitive data stored on NFC devices will
become targets for hackers and cyber-criminals. Fortunately, the telecommunications
industry is aware of the incoming cyber-threats and is supporting the definition and
adoption of security recommendations that will follow a mobile device during its
entire life cycle, from design to disposal. In developing NFC technology, researchers
need to account for the trade-off between aspects such as cost, usability, and level of
security, for the reasons explained.
NFC technology will become omnipresent in our lives; many devices around us will
implement the standards, from the mobile phone to the access management
system of our office. Payments, access, sites visited: all this information can be
acquired by monitoring an NFC device that is associated with our identity.
We must also consider that NFC usage could be extended to several sectors, from
private business to the military. For this reason, security and privacy are the most
concerning issues. Several studies indicate that most consumers do not understand
the current risks and are not diligent about the security of their mobile devices.
“The risks to personal privacy must be addressed,” say the authors of Near Field
Communications; Privacy, Regulation & Business Models. “This is not only to protect
against surveillance, but it is essential to ensure that there is confidence in the
marketplaces that may yet emerge with widespread use of NFC.”
There is no doubt that NFC will be a revolution in various sectors, offering the
possibility of having an “all in one” device integrable in a simple and practical way in
every architectural solution.
Let’s close the article with the declaration of Debbie Arnold, director of the NFC
Forum, that demonstrates the high interest in the security of NFC solutions:
“The NFC Forum recognizes that NFC security is of utmost importance and supports
an active, dedicated Security Working Group to address security issues and
opportunities. Our role is to develop interface specifications to enable the use of NFC
in a wide range of applications, rather than to define the requirements (including
security) of the applications that use the NFC interface.”
“All of these activities and mechanisms work hand-in-hand. NFC solution providers
may add security measures to their applications as they see fit, including both
required and optional user actions to enable or disable functions.”
References
http://media.blackhat.com/bh-us-12/Briefings/C_Miller/BH_US_12_Miller_NFC_attack_surface_WP.pdf
http://kas.economia.ihned.cz/gallery/2/847-06_rosa_raiffeisenbank_bezpecnost_mobilnich_zarizeni.pdf
https://media.blackhat.com/bh-us-12/Briefings/C_Miller/BH_US_12_Miller_NFC_attack_surface_Slides.pdf
http://ece.wpi.edu/~dchasaki/papers/Security%20in%20NFC.pdf
http://news.cnet.com/8301-1009_3-57480233-83/researcher-uses-nfc-to-attack-android-nokia-smartphones/
http://www.nfcworld.com/2012/08/01/317100/forum-responds-to-black-hat-presentation-on-nfc-vulnerabilities/
http://eprint.iacr.org/2011/618.pdf
http://www.youtube.com/watch?v=_R2JVPJzufg
http://sisainfosec.com/blog/new-milestone-in-payment-industry/
http://www.slideshare.net/RazorfishTechnology/razorfish-nfc-technologies-presentation-2013-17172026
http://www.mobilemarketingstrategy.biz/security-aspects.html
http://www.blankchapters.com/2012/08/08/nfc-future-possibilities-and-considerations/
2 responses to “Near Field Communication (NFC) Technology, Vulnerabilities and Principal Attack Schema”
Tinolle1955 says:
June 20, 2013 at 9:32 am
A very good slide, excellent presentation!