Relay Attacks on Secure Element-Enabled Mobile Devices

Virtual Pickpocketing Revisited
  • Michael Roland
  • Josef Langer
  • Josef Scharinger
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 376)


Near Field Communication’s card emulation mode is a way to combine smartcards with a mobile phone. Relay attack scenarios are well-known for contactless smartcards. In the past, relay attacks have only been considered for the case, where an attacker has physical proximity to an NFC-enabled mobile phone. However, a mobile phone introduces a significantly different threat vector. A mobile phone’s permanent connectivity to a global network and the possibility to install arbitrary applications permit a significantly improved relay scenario. This paper presents a relay attack scenario where the attacker no longer needs physical proximity to the phone. Instead, simple relay software needs to be distributed to victims’ mobile devices. This publication describes this relay attack scenario in detail and assesses its feasibility based on measurement results.


Mobile Phone Near Field Communication Relay System Attack Scenario Secure Element 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Clark, S.: RIM releases BlackBerry NFC APIs. Near Field Communications World (May 2011),
  2. 2.
    Desmedt, Y., Goutier, C., Bengio, S.: Special Uses and Abuses of the Fiat-Shamir Passport Protocol (extended abstract). In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 21–39. Springer, Heidelberg (1988)Google Scholar
  3. 3.
    EMVCo: EMV Contactless Specifications for Payment Systems – Book A: Architecture and General Requirements, Version 2.1 (March 2011)Google Scholar
  4. 4.
    Francis, L., Hancke, G., Mayes, K., Markantonakis, K.: Practical NFC Peer-to-Peer Relay Attack Using Mobile Phones. In: Ors Yalcin, S.B. (ed.) RFIDSec 2010. LNCS, vol. 6370, pp. 35–49. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  5. 5.
    Gostev, A.: Monthly Malware Statistics: August 2011 (September 2011),
  6. 6.
    Hancke, G.P.: A Practical Relay Attack on ISO 14443 Proximity Cards (January 2005), (retrieved September 20, 2011)
  7. 7.
    Hancke, G.P., Mayes, K.E., Markantonakis, K.: Confidence in smart token proximity: Relay attacks revisited. Computers & Security 28(7), 615–627 (2009)CrossRefGoogle Scholar
  8. 8.
    Höbarth, S., Mayrhofer, R.: A framework for on-device privilege escalation exploit execution on Android. In: Proceedings of IWSSI/SPMU (June 2011)Google Scholar
  9. 9.
    Jeon, W., Kim, J., Lee, Y., Won, D.: A Practical Analysis of Smartphone Security. In: Smith, M.J., Salvendy, G. (eds.) HCII 2011, Part I. LNCS, vol. 6771, pp. 311–320. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  10. 10.
    Kfir, Z., Wool, A.: Picking Virtual Pockets using Relay Attacks on Contactless Smartcard. In: Proceedings of the First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM 2005), pp. 47–58 (September 2005)Google Scholar
  11. 11.
    McLean, H.: Nokia: No mobile wallet support in current NFC phones. Near Field Communications World (July 2011),
  12. 12.
    RIM: Blackberry API 7.0.0: Package (2011),
  13. 13.
    Roland, M., Langer, J., Scharinger, J.: Practical Attack Scenarios on Secure Element-enabled Mobile Devices. In: Proceedings of the Fourth International Workshop on Near Field Communication (NFC 2012), Helsinki, Finland, p. 6 (March 2012)Google Scholar
  14. 14.
    Smart Card Alliance: Transit and Contactless Open Payments: An Emerging Approach for Fare Collection (November 2011),

Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Michael Roland
    • 1
  • Josef Langer
    • 1
  • Josef Scharinger
    • 2
  1. 1.NFC Research Lab HagenbergUniversity of Applied Sciences Upper AustriaAustria
  2. 2.Department of Computational PerceptionJohannes Kepler UniversityLinzAustria

Personalised recommendations