Near Field Communication (NFC) Technology, Vulnerabilities and Principal Attack Schema


POSTED IN GENERAL SECURITY ON JUNE 18, 2013

Introduction

Near Field Communication (NFC) is a set of standards for mobile devices designed to establish radio communication between devices that are touched together or brought within a short distance of each other. The NFC standard regulates a radio technology that allows two devices to communicate when they are in close proximity, usually no more than a few centimeters, allowing the secure exchange of information.

NFC standards are based on different communication protocols and data exchange formats, and also include existing radio-frequency identification (RFID) standards such as ISO/IEC 14443, specific to identification cards, proximity cards and contactless integrated circuit cards. The coverage of various ISO standards gives NFC technology the global interoperability that makes it usable in different areas.
Figure 1 – NFC standards

From a technological perspective, NFC is also an extension of the ECMA and ETSI standards, which describe the integration of a smart card with a terminal device. NFC devices allow writing and reading of information at high speed (424 kbit/s) when they are placed in close proximity, creating a wireless connection that is also compatible with widely used technologies such as Wi-Fi and Bluetooth.
The NFC technology could be very effective in various areas. The main applications that can benefit from its introduction are:

Payment via mobile devices such as smartphones and tablets.
Electronic identity.
Electronic ticketing for transportation.
Integration of credit cards in mobile devices.
Data transfer between any types of devices such as digital cameras, mobile phones, media players.
P2P (peer to peer) connection between wireless devices for data transfer.
Loyalty and couponing/targeted marketing/location-based services.
Device pairing.
Healthcare/patient monitoring.
Gaming.
Access control/security patrols/inventory control (tags and readers).

Figure 2 – NFC Application Fields

The possibility of integrating all of the above functionalities in a single mobile solution makes NFC very attractive to the telecommunications industry; most of the projects focus on the use of a single device that integrates multiple features, improving the user’s experience in various environments. On the user end, NFC represents a true revolution; a mobile could be used to send micropayments or as an access management device for dynamic identification. NFC devices can also exchange data with existing card readers and ISO 14443 compliant units, such as other NFC mobiles. This high level of integration of NFC technology is a point of strength, making interaction with existing RFID infrastructures possible.

The short distance between communicating terminals adds to security, making data “sniffing” really difficult.

When NFC technology is mentioned, there is an immediate reference to mobile communication and the possibility of extending the usage of mobile devices as payment terminals. Major firms such as Nokia and Google are developing a lot of projects using NFC; it must be considered that the technology could be adopted in various areas, such as health care. NFC devices can operate mainly in three modes:

1. As card emulators, providing alternative storage for information held in a plastic card.
2. In peer-to-peer mode, allowing a connection to be made using a different communications protocol such as Bluetooth or WiFi.
3. In card/tag reading and writing mode, where an NFC device can read or change information stored in an RFID tag or contactless card.

Many U.S. corporations are planning to provide NFC devices and solutions. The list is very long and includes device manufacturers such as Google and Apple, financial services such as MasterCard and Visa, and also mobile operators such as AT&T and Verizon. Big enterprises are driving the growth of NFC demand and the markets are investing in the technologies, attracting a multitude of smaller firms that develop a huge quantity of innovative services.

The killer application for the future is the one that will make it possible for multiple card issuers and payment processors to share space on an NFC handset, opening the technology to a scenario rich in applications.

We are facing one of the biggest business opportunities of our times. Several international researchers have confirmed it with extraordinary figures; according to the Deloitte firm:

In 2013, there may be as many as 300 million NFC smartphones and other mobile devices.
1 in 6 users worldwide will have an NFC-enabled phone by 2014.
NFC-based mobile transactions are expected to reach nearly $50 billion worldwide by 2014.
500 million people around the world will use their mobile devices as travel tickets on metros, subways and buses by 2015; NFC will drive this growth.

2015 will be the year of consecration for NFC technology: over 50% of smartphones will have NFC capability (Gartner Research), NFC will be the most-used solution for mobile payment, and NFC will enable worldwide transactions totaling about $151.7 billion (Frost & Sullivan); global mobile transactions are predicted to grow to more than $1 trillion by 2015 (Yankee Group). It’s clear that business related to the standards will grow to major dimensions.

The expected increase in the supply of NFC solutions has a collateral effect: hackers and cyber-criminals are focusing their attention on the technology, a growing number of 0-day vulnerabilities will be found, and new exploit kits will be offered on the black market. A flaw in the standard could affect several sectors with serious consequences.

NFC Security Principles – the Tag

Security is an essential aspect of the success of NFC technology. The high interoperability of this popular collection of standards must be integrated with appropriate mechanisms to protect data.

Implementing security mechanisms in a tag requires an analysis of costs versus benefits. There are various solutions that imply different economic and computational costs; therefore it is crucial to understand exactly what information has to be protected and which are the main threats.

Newer tags have security functionality built into the chip, but it is not part of the NFC tag specification; the principal objectives to pursue for data protection are:

Authenticity
Integrity
Confidentiality

The principal threats are represented by an attacker’s ability to intercept and manipulate the data without detection. In both cases, the above principles are violated.

Confidentiality is achievable through the use of encryption algorithms, while authenticity and integrity are obtainable through the adoption of signature processes.

To meet authenticity and integrity requirements for tags, developers can refer to the NFC Forum Signature NDEF structure, as detailed in the document “NFC Forum Signature Record Type Definition Technical Specification version 1.0.”

The technical specification “Specifies the format used when signing single or multiple NDEF records. Defines the required and optional signature RTD fields, and also provides a list of suitable signature algorithms and certificate types that can be used to create the signature. Does not define or mandate a specific PKI or certification system, or define a new algorithm for use with the Signature RTD. Specification of the certificate verification and revocation process is out of scope.”

Another possibility is to define a proprietary signature method and associate the signature with a data record.

To meet the confidentiality requirement, the tag developer needs to encrypt the payload using standard encryption algorithms, such as TDES, AES, or RSA.

NFC Attack Methods

Although the communication range of NFC is limited to a few centimeters, the standard does not ensure secure communications, and various types of attacks are already known in the literature. The current ISO standard doesn’t actually address countermeasures against NFC attack methods; for example, the technology is attackable with one of the classic offensive schemes, the man-in-the-middle attack, and no protection is offered against eavesdropping, leaving exchanged data vulnerable to modification.

The principal methods of attack against NFC technologies are:

Eavesdropping

In an eavesdropping scenario, the attacker uses an antenna to record communication between NFC devices. Despite the fact that NFC communication occurs between devices in close proximity, this type of attack is feasible. Interception of an NFC exchange doesn’t always translate into theft of information; in some cases, the attack is meant to corrupt the information being exchanged, making it useless. The principal method of preventing eavesdropping is a secure channel established between the NFC devices, usually implemented with encryption; the proximity of the communicating units is another deterrent, but it does not eliminate the risk.

Figure 3 – NFC attack scenario

Data Modification

In this attack scenario, the data being exchanged is captured and modified by an attacker’s radio frequency device. The attacker’s device is able to inhibit the NFC data exchange briefly, but long enough to alter the binary coding. This type of attack is very difficult to implement, but data modification is realizable in rare cases, especially for active mode transmission of NFC information. The most common way to interfere with the NFC data exchange is to use an RFID jammer. Data modification could be detected by introducing code in the NFC source device that measures the strength of the frequencies, thus choosing the one that is truly the closest and most likely valid; checking the RF field during transmission allows the sender to detect this type of attack.

Another possibility is to modify the data in such a way that it appears valid to the receiver; here the attacker has to deal with the single bits of the RF signal. The feasibility of this attack depends on various factors, such as the strength of the amplitude modulation. As described in the paper “Security in Near Field Communication (NFC) – Strengths and Weaknesses” by Ernst Haselsteiner and Klemens Breitfuß, when data is transferred with modified Miller coding and 100% modulation, only certain bits can be modified, while transmitting Manchester-encoded data with a modulation ratio of 10% permits a modification attack on all the bits.

Relay Attack

A relay attack exploits the ISO/IEC 14443 protocol compliance of NFC: the attacker forwards the reader’s request to the victim’s card and relays its answer back to the reader in real time, in order to carry out a task by pretending to be the owner of the victim’s smart card.

This attack technique focuses on extending the range between the NFC token (e.g., a card) and the reader. To implement it, two NFC-enabled devices are necessary, one acting as a reader and one acting as a card emulator. The victim access system will not be able to detect the attack because it will believe a card is actually in front of it.

In the attack scenario the attacker holds an NFC reader near the victim’s card and relays the data over another communication channel to a second NFC device, placed in proximity to the original reader, that emulates the victim’s card.

Figure 4 – Relay attack scheme

The attack is constrained by a timing issue: because of the physical distance between the two NFC devices, the relayed packets take longer to reach their destination.

RFID technology has some constraints on the time allowed between a challenge and its response, named frame waiting time (FWT); exceeding this limit will cause the failure of the attack. Principal countermeasures to prevent relay attacks are:

Faraday cages—This is the simplest measure. It consists in shielding the card at the user’s side with a box that is called a Faraday cage.
Signing of the data would result in more security, but a determining factor is the computational power of the cards used and the ability to verify the signer in a reasonable time.
Adoption of distance bounding protocols in the RFID system, so that the reader knows whether the card is presented inside the electromagnetic field or a relay attack is being performed.
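As an added example (not code from the article), the following Python computes the ISO/IEC 14443-4 frame waiting time from the FWI value a card announces during activation and applies a reader-side timing check to a few constructed round-trip measurements. The baseline tolerance factor and the sample latencies are assumptions; the bound only helps where the terminal actually enforces it.

```python
"""ISO/IEC 14443-4 frame waiting time as a bound on relayed responses.

Added example (not part of the article): computes FWT from the FWI a card
announces and applies a reader-side timing check to constructed samples.
"""

FC_HZ = 13.56e6   # ISO/IEC 14443 carrier frequency
DEFAULT_FWI = 4   # FWI assumed when the card announces none


def fwt_seconds(fwi: int) -> float:
    """FWT = (256 * 16 / fc) * 2**FWI, the ISO/IEC 14443-4 definition (FWI 0..14)."""
    if not 0 <= fwi <= 14:
        raise ValueError("FWI must be in the range 0..14")
    return (256 * 16 / FC_HZ) * (2 ** fwi)


def fwt_table_ms() -> dict:
    """FWT in milliseconds for every legal FWI, from ~0.3 ms up to ~4.95 s."""
    return {fwi: round(fwt_seconds(fwi) * 1000, 3) for fwi in range(15)}


def check_round_trip(rtt_s: float, fwi: int, baseline_s: float,
                     factor: float = 3.0) -> str:
    """Classify one command/response round trip measured by the reader.

    "timeout":    the answer arrived after the FWT the card announced; a
                  conformant reader treats the exchange as failed.
    "suspicious": inside FWT, but `factor` times slower than the baseline the
                  reader measured on its first exchanges with the same card.
                  `factor` is an assumed tuning value, not a standard figure.
    "ok":         consistent with a card that is physically in the field.
    """
    if rtt_s > fwt_seconds(fwi):
        return "timeout"
    if rtt_s > baseline_s * factor:
        return "suspicious"
    return "ok"


# Constructed measurements (seconds): a genuine card answers within a few
# milliseconds; a relay over Wi-Fi or a mobile network adds tens of
# milliseconds or more to every round trip.
SAMPLES = {
    "genuine card": 0.003,
    "relayed over Wi-Fi": 0.060,
    "relayed over mobile network": 0.400,
}


def evaluate(fwi: int, baseline_s: float = 0.002) -> dict:
    """Run the check over SAMPLES for a card announcing the given FWI."""
    return {name: check_round_trip(rtt, fwi, baseline_s)
            for name, rtt in SAMPLES.items()}


if __name__ == "__main__":
    for fwi, ms in fwt_table_ms().items():
        print(f"FWI {fwi:2d}: FWT = {ms:9.3f} ms")
    # With the default FWI every relayed response exceeds FWT; a card that
    # announces the maximum FWI (about 4.95 s) leaves only the baseline
    # comparison to notice the extra latency.
    for fwi in (DEFAULT_FWI, 14):
        print(f"FWI {fwi}: {evaluate(fwi)}")
```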

Case study – Google Wallet Relay Attack

Michael Roland used the following components for the attack:

A reader device, called a mole or leech, located in close proximity to the card under attack.
A card emulator device, called the proxy or ghost, used to communicate with the actual reader.
A fast communication channel between these two devices.

During the attack the mole is brought in proximity to the card under attack;
meanwhile, the card emulator is located in proximity of a reader device (POS
terminal, access control reader, etc.)

Every command that the card emulator receives from the actual reader is forwarded to the mole, which forwards the command to the victim card; the card’s response is sent back by the mole to the actual reader through the card emulator.

Figure 5 – Attack Scenario

The limit of a relay attack is the necessity for the attacker to stay in physical proximity (less than one meter) to the device under attack. Recent research demonstrated the possibility of substituting the mole hardware with a software application installed on the victim’s device.

A new possible attack scenario based on software has the following components:

A mobile phone (under control of its owner/legitimate user).
Relay software (under control of the attacker).
A card emulator (under control of the attacker).
A reader device (e.g., at a point-of-sale terminal or at an access control gate).

Researcher Michael Roland designed Trojan relay software that is able to receive payment commands over the air (OTA) through a relay server and use the credentials from Google’s embedded secure element for a live payment transaction. In versions of Google Wallet up to June 2012, it was possible to communicate with the credit card applets in the secure element through the wired interface without asking the user for his PIN.

On the POS side, a touchatag reader is used to simulate a tag (this could also be done with a BlackBerry or an Android running CyanogenMod 9.1, see details). The transaction is relayed over a wireless network (WiFi/GSM/UMTS). Although the round-trip times are longer, the EMV terminal does not recognize the delay, as EMV does not define timing constraints on the terminal for transaction processing.

After Roland presented the proof of concept, Google quickly responded by providing fixes in more recent versions of Google Wallet.

Figure 6 – Proof of concept Video

Data Corruption

A data corruption attack is essentially a form of denial of service (DoS) attack, in which an attacker interferes with data transmission, disturbing or blocking the data flow so that the receiver is not able to decipher the information. The attacker does not need to access the transmitted data; he just needs to transmit radio signals that reduce the signal to random noise, destroying the information content of the communication.

A common countermeasure implemented in NFC devices is checking the RF field during data transmission; because the power needed to corrupt data is greater than the power used to send it, the sending device is able to detect the attack and stop the data transmission automatically.

“Data corruption can be achieved by transmitting valid frequencies of the data spectrum at a correct time. The correct time can be calculated if the attacker has a good understanding of the used modulation scheme and coding.”

Spoofing

In a spoofing attack, a third party pretends to be another entity to induce a user to tap its device against a tag. This is possible if an attacker replaces an NFC tag (e.g., a smart poster) with a malicious tag that could force the user to execute malicious code, aided by the fact that some mobile devices are configured to execute commands received from NFC tags automatically.

The principal countermeasure against this type of attack is to properly configure the device to prompt the user before executing commands received through NFC (e.g., opening a URL).

Man in the Middle attack

Despite the NFC standard’s requirement that devices be in proximity during the data transfer, it is theoretically susceptible to MITM attacks. An attacker can intercept the information, possibly manipulate it, and relay it to the receiving device. Another factor that makes MITM attacks difficult to implement is the use of encryption mechanisms such as AES for secure communication.

Figure 7 – MITM attack scenario

Is it really possible to conduct a MITM attack against NFC? Let’s look at the following cases:

Assume that Alice uses active mode and Bob is in passive mode. Alice generates the RF field and sends data to Bob. An attacker in proximity to Alice could eavesdrop on the information and at the same time has to block the transmission to Bob. A possible problem for the attacker is the fact that Alice could detect the disturbance and stop the transmission. Assume that Alice does not detect the disturbance; Eve now needs to send data to Bob, but this is a problem because of the concomitant presence of the RF field generated by Alice, which causes two RF fields to be active at the same time. Because it is impossible to perfectly align the two RF fields, Bob cannot interpret the data sent by Eve.

Assume that both Alice and Bob use active mode. Alice sends some data to Bob. Eve can capture the data and disturb the transmission to prevent Bob from receiving it. Once again, Alice could detect the disturbance caused by Eve and stop the protocol. Assuming that Alice does not detect the field, Eve would need to send data to Bob. The problem here is that Alice is listening, as she is expecting an answer from Bob; instead she will receive the data sent by Eve, detect a problem in the protocol, and stop the communication. For Eve, it is not possible to send data to either Alice or Bob while making sure that this data is not received by Bob or Alice, respectively.

Both scenarios are therefore not feasible.

NFC Protocol Stack Fuzzing

Assuming that the attacker is in proximity to a legitimate NFC payment terminal, or uses some kind of antenna to reach it, the attacker could exploit ordinary operations such as paying for a drink, a metro ticket, or a cab.

Another category of attacks against NFC is based on fuzzing the NFC protocol stack and analyzing the software built on top of it on victims’ devices. An attacker can force some mobile devices to parse images, videos, contacts, office documents, and other content without user interaction.

In specific cases, the attacker can completely take control of the phone via NFC, including stealing data on the mobile (e.g., photos and documents) and even making phone calls or sending text messages.

Android NFC Stack Bug

Well-known hacker Charlie Miller published an interesting proof of concept on NFC attacks titled “Exploring the NFC Attack Surface,” in which the researcher demonstrated how to exploit NFC stack bugs shown earlier in Android to get control of the NFC Service. A method an attacker could use to steal data over the Internet without permission is to exploit the NFC Service, which does hold the BLUETOOTH and BLUETOOTH_ADMIN permissions.

For the test, Miller used a Nokia N9 with NFC enabled. This device doesn’t have “Confirm sharing and connecting,” so if an attacker presents it with a Bluetooth pairing message, it will automatically pair with the device in the message without user confirmation, even if Bluetooth is disabled.

An example of such an NDEF message is:

[0000] d4 0c 27 6e 6f 6b 69 61 2e 63 6f 6d 3a 62 74 01 ..’nokia.com:bt.
[0010] 00 1d 4f 92 90 e2 20 04 18 31 32 33 34 00 00 00 ..O… ..1234…
[0020] 00 00 00 00 00 00 00 00 00 0c 54 65 73 74 20 6d ……….Test m
[0030] 61 63 62 6f 6f 6b acbook

“In this message, a PIN is given as “1234”, a Bluetooth address, and a name of the device are also provided. Once paired, it is possible to use tools such as obexfs, gsmsendsms, or xgnokii to perform actions with the device. Basically, if a user just enables NFC and makes no other changes to the device, it can be completely controlled by an attacker if the attacker can get it to read an NFC tag,” Miller wrote in the paper.

Critical vulnerabilities in mobile software could allow access to information stored on the mobile.

“The code responsible for parsing NFC transmissions begins in kernel drivers, proceeds through services meant to handle NFC data, and eventually ends at applications which act on that data.”
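As an added example (not code from the article or from Miller’s paper), the following Python parses the NDEF message shown above with the bounds checks a robust NFC stack needs, rejecting any record whose declared lengths exceed the bytes actually received. The positions of the Bluetooth address and of the PIN and device-name strings inside the nokia.com:bt payload are assumptions based on the description in the text.

```python
"""NDEF record parser with the bounds checks a robust NFC stack needs.

Added example, not code from the article or from Miller's paper. The record
bytes are the article's hex dump; the Bluetooth-payload field positions are
assumptions based on the article's description (PIN, address, device name).
"""
import re
import struct

# The 54-byte NDEF message from the article's hex dump.
NOKIA_BT_MESSAGE = bytes.fromhex(
    "d40c276e6f6b69612e636f6d3a627401"
    "001d4f9290e220041831323334000000"
    "0000000000000000000c54657374206d"
    "6163626f6f6b"
)

TNF_NAMES = {0: "empty", 1: "well-known", 2: "MIME", 3: "absolute URI",
             4: "external", 5: "unknown", 6: "unchanged", 7: "reserved"}


class NdefError(ValueError):
    """Raised for any record that does not fit inside the bytes received."""


def parse_record(buf: bytes, offset: int = 0) -> tuple:
    """Parse one record header at `offset`; return (record, offset of next record).

    Every length field is validated against the bytes actually received before
    it is used; trusting header lengths is exactly the bug class fuzzing finds.
    """
    if len(buf) - offset < 3:
        raise NdefError("record header truncated")
    flags = buf[offset]
    mb, me, cf, sr, il = (bool(flags & m) for m in (0x80, 0x40, 0x20, 0x10, 0x08))
    if cf:
        raise NdefError("chunked records are not handled by this example")
    pos = offset + 1
    type_len, pos = buf[pos], pos + 1
    if sr:                                   # short record: 1-byte payload length
        payload_len, pos = buf[pos], pos + 1
    else:                                    # otherwise a 4-byte big-endian length
        if len(buf) - pos < 4:
            raise NdefError("payload length truncated")
        payload_len, pos = struct.unpack(">I", buf[pos:pos + 4])[0], pos + 4
    id_len = 0
    if il:
        if len(buf) - pos < 1:
            raise NdefError("ID length truncated")
        id_len, pos = buf[pos], pos + 1
    end = pos + type_len + id_len + payload_len
    if end > len(buf):
        raise NdefError(f"record claims {end - offset} bytes, {len(buf) - offset} received")
    rec_type, pos = buf[pos:pos + type_len], pos + type_len
    rec_id, pos = buf[pos:pos + id_len], pos + id_len
    record = {"mb": mb, "me": me, "sr": sr, "tnf": flags & 0x07,
              "tnf_name": TNF_NAMES[flags & 0x07],
              "type": rec_type.decode("ascii", "replace"), "id": rec_id,
              "payload": buf[pos:pos + payload_len]}
    return record, end


def parse_message(buf: bytes) -> list:
    """Parse a whole message: the first record must carry MB, the last ME."""
    records, offset = [], 0
    while True:
        record, offset = parse_record(buf, offset)
        if not records and not record["mb"]:
            raise NdefError("first record lacks the MB flag")
        records.append(record)
        if record["me"]:
            return records
        if offset >= len(buf):
            raise NdefError("message ended without an ME record")


def describe_bt_payload(payload: bytes) -> dict:
    """Assumed layout of the nokia.com:bt payload: byte 0 is a version byte,
    bytes 1..6 the Bluetooth address; the PIN and the device name are the
    printable ASCII strings that follow."""
    if len(payload) < 7:
        raise NdefError("Bluetooth payload too short for an address")
    return {"bt_address": ":".join(f"{b:02x}" for b in payload[1:7]),
            "ascii_strings": [s.decode() for s in re.findall(rb"[ -~]{4,}", payload[7:])]}


if __name__ == "__main__":
    for rec in parse_message(NOKIA_BT_MESSAGE):
        print(rec["tnf_name"], rec["type"], len(rec["payload"]), "payload bytes")
        if rec["type"] == "nokia.com:bt":
            print(describe_bt_payload(rec["payload"]))
    try:                                     # a truncated message is rejected, not read past its end
        parse_message(NOKIA_BT_MESSAGE[:40])
    except NdefError as err:
        print("rejected:", err)
```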

Conclusions
According to many experts, near field technology will have a meaningful impact on the usability of mobile devices in various contexts; on one hand, it will improve the user’s experience by making it possible to access an infinite number of services with a single device, but as a side effect it also has a potentially dramatic impact on users’ privacy.

Personal information, credit cards, and sensitive data stored on NFC devices will become targets for hackers and cyber-criminals. Fortunately, the telecommunications industry is aware of the incoming cyber-threats and is supporting the definition and adoption of security recommendations that follow a mobile device during its entire life cycle, from design to disposal. In developing NFC technology, researchers need to account for the trade-off between aspects such as cost, usability, and level of security, for the reasons explained.

NFC technology will become omnipresent in our lives; many devices around us will implement the standards, from the mobile phone to the access management system of our office. Payments, access, sites visited: all this information can be acquired by monitoring an NFC device that is associated with our identity.

We must also consider that NFC usage could be extended to several sectors, from private business to the military. For this reason, security and privacy are the most concerning issues. Several studies indicate that most consumers do not understand the current risks and are not diligent about the security of their mobile devices.

“The risks to personal privacy must be addressed,” say the authors of Near Field Communications: Privacy, Regulation & Business Models. “This is not only to protect against surveillance, but it is essential to ensure that there is confidence in the marketplaces that may yet emerge with widespread use of NFC.”

There is no doubt that NFC will be a revolution in various sectors, offering the possibility of having an “all in one” device that can be integrated in a simple and practical way into every architectural solution.

Let’s close the article with the statement of Debbie Arnold, director of the NFC Forum, which demonstrates the high interest in the security of NFC solutions:

“The NFC Forum recognizes that NFC security is of utmost importance and supports
an active, dedicated Security Working Group to address security issues and
opportunities. Our role is to develop interface specifications to enable the use of NFC
in a wide range of applications, rather than to define the requirements (including
security) of the applications that use the NFC interface.”

“All of these activities and mechanisms work hand-in-hand. NFC solution providers
may add security measures to their applications as they see fit, including both
required and optional user actions to enable or disable functions.”

References

http://media.blackhat.com/bh-us-12/Briefings/C_Miller/BH_US_12_Miller_NFC_attack_surface_WP.pdf

http://kas.economia.ihned.cz/gallery/2/847-06_rosa_raiffeisenbank_bezpecnost_mobilnich_zarizeni.pdf

https://media.blackhat.com/bh-us-12/Briefings/C_Miller/BH_US_12_Miller_NFC_attack_surface_Slides.pdf

http://ece.wpi.edu/~dchasaki/papers/Security%20in%20NFC.pdf

http://news.cnet.com/8301-1009_3-57480233-83/researcher-uses-nfc-to-attack-android-nokia-smartphones/

http://www.nfcworld.com/2012/08/01/317100/forum-responds-to-black-hat-presentation-on-nfc-vulnerabilities/

http://eprint.iacr.org/2011/618.pdf

http://www.youtube.com/watch?v=_R2JVPJzufg

http://sisainfosec.com/blog/new-milestone-in-payment-industry/

http://www.slideshare.net/RazorfishTechnology/razorfish-nfc-technologies-presentation-2013-17172026

http://www.mobilemarketingstrategy.biz/security-aspects.html

http://www.blankchapters.com/2012/08/08/nfc-future-possibilities-and-considerations/

AUTHOR: Pierluigi Paganini

Pierluigi Paganini is CTO at Cybaze Enterprise SpA. Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field; he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.

2 responses to “Near Field Communication (NFC) Technology, Vulnerabilities and Principal Attack Schema”

Tinolle1955 says:
June 20, 2013 at 9:32 am
A very good slide, excellent presentation!

Pierluigi Paganini says:
June 22, 2013 at 12:46 am
Hi Tinolle … it’s a pleasure
Thank you!