Abstract
NFC is a standardised technology providing short-range RFID communication channels for mobile devices. Peer-to-peer applications for mobile devices are receiving increased interest, and in some cases these services rely on NFC communication. It has been suggested that NFC systems are particularly vulnerable to relay attacks, and that the attacker's proxy devices could even be implemented using off-the-shelf NFC-enabled devices. This paper describes how a relay attack can be implemented against systems using legitimate peer-to-peer NFC communication by developing and installing suitable MIDlets on the attacker's own NFC-enabled mobile phones. The attack does not need to access secure program memory or use any code signing, and can use publicly available APIs. We go on to discuss how relay attack countermeasures using device location could be used in the mobile environment. These countermeasures could also be applied to prevent relay attacks on contactless applications using 'passive' NFC on mobile phones.
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Francis, L., Hancke, G., Mayes, K., Markantonakis, K. (2010). Practical NFC Peer-to-Peer Relay Attack Using Mobile Phones. In: Ors Yalcin, S.B. (eds) Radio Frequency Identification: Security and Privacy Issues. RFIDSec 2010. Lecture Notes in Computer Science, vol 6370. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16822-2_4
DOI: https://doi.org/10.1007/978-3-642-16822-2_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-16821-5
Online ISBN: 978-3-642-16822-2
eBook Packages: Computer Science, Computer Science (R0)