Konstantinos Markantonakis,Julia A. Meister,Iakovos Gurulian,Carlton Shepherd,Raja Naeem Akram,Sarah Hani Abu Ghazalah,Mumraiz Kasi,Damien Sauveron,Gerhard Hancke

DOI: https://doi.org/10.1109/access.2024.3479729

IF: 3.9

2024-10-25

IEEE Access

Abstract:Near-Field Communication (NFC) has enabled mobile devices to emulate contactless smart cards, which has also rendered them susceptible to relay attacks. Numerous countermeasures have been proposed that use ambient sensors as an anti-relay mechanism. However, there are concerns regarding their efficacy in time-critical scenarios, such as transport ticketing and contactless payments. This paper empirically and comprehensively evaluates whether ambient sensors are an effective anti-relay mechanism for such NFC-based contactless transactions. To this end, we examine 17 sensors available via the Android platform. Each sensor, where feasible, was used to record measurements in 1,000 contactless transactions with 252 users across four physical locations. We then conduct an extensive four-part evaluation using similarity metrics, traditional machine learning models, and deep learning methods used in existing work and beyond. We conclude that mobile ambient sensors are currently unsuitable for detecting relay attacks on NFC contactless transactions under realistic timing constraints, contrary to the suggestions and proposals made in existing work.

computer science, information systems,telecommunications,engineering, electrical & electronic

Raja Naeem Akram,Iakovos Gurulian,Carlton Shepherd,Konstantinos Markantonakis,Keith Mayes

DOI: https://doi.org/10.48550/arXiv.1601.07101

2016-01-26

Cryptography and Security

Abstract:Near Field Communication (NFC) has enabled mobile phones to emulate contactless smart cards. Similar to contactless smart cards, they are also susceptible to relay attacks. To counter these, a number of methods have been proposed that rely primarily on ambient sensors as a proximity detection mechanism (also known as an anti-relay mechanism). In this paper, we, for the first time in academic literature, empirically evaluate a comprehensive set of ambient sensors for their effectiveness as a proximity detection mechanism. We selected 15 out of a total of 17 sensors available via the Google Android platform for evaluation, with the other two sensors unavailable on widely-used handsets. In existing academic literature, only 5 sensors have been proposed with positive results as a potential proximity detection mechanism. Each sensor, where feasible, was used to record the measurements of 1000 contactless transactions at four different physical locations. A total of 252 random users, random sample of the university student population, were involved during the field trails. The analysis of these transactions provides an empirical foundation to categorically answer whether ambient sensors provide a strong proximity detection mechanism for security sensitive applications like banking, transport and high-security access control. After careful analysis, we conclude that no single evaluated mobile ambient sensor is suitable for such critical applications in realistic deployment scenarios. Lastly, we identify a number of potential avenues that may improve their effectiveness.

Weixi Gu,Zheng Yang,Longfei Shangguan,Xiaoyu Ji,Yiyang Zhao

DOI: https://doi.org/10.1109/trustcom.2014.34

2014-01-01

Abstract:Near field authentication is of great importance for a range of applications, and has attracted many research efforts in the past decades. Several approaches have been developed and demonstrated their feasibility. The state-of-art works, however, still have much room to improve their automation and usability. First, user assistance is required in most existing approaches, which will be easily observed and imitated by attackers. Second, the authentications of several works heavily depend on special hardware, e.g., Server or high resolution screen, which greatly restricts their application scenarios. In this paper, we present a near field authentication system Tooth that needs little human assistance and is compatible with most smart phones. ToAuth is based on the key insight that the acceleration traces are similar for a pair of smart phones when they are contacting physically and vibrating. The random vibration patterns are sufficiently uncertain to provide high entropy to generate a pair of cryptographic keys yet are inimitable for a third party who does not get in touch with the vibration source. ToAuth leverages the keys to make authentication for smart phones. We implement ToAuth on Android platform and evaluate its performance under various scenarios. Extensive experiments demonstrate ToAuth could achieve around 90% success rate in stable environment, and prevent attacks depended on vibration noise.

Gang Xu,Qian Zhang,Yanli Lu,Lei Liu,Daizong Ji,Shuang Li,Qingjun Liu

DOI: https://doi.org/10.1016/j.snb.2017.02.149

IF: 9.221

2017-01-01

Sensors and Actuators B Chemical

Abstract:Wireless, passive, low-cost and portable detection systems are in high demand for environment monitoring, food safety and health care diagnosis. Among them smartphone-based sensing systems are receiving special attention with the worldwide popularity of smartphones. Over the past decade, many devices, including a large number of smartphones in today's marketplace, are integrated with near field communication (NFC) modules. Leveraging the worldwide ubiquity of these devices, we developed wireless and passive NFC tag sensors based on flexible arid low-cost NFC tags for biochemical sensing. NFC-enabled smartphone was used to wirelessly power the sensors and receive the detection results through inductive coupling. By adopting rheostats in the resonant circuits of the sensors, we easily achieved accurate semi quantitative detection of different analytes constructed sensor arrays. The results demonstrated that the tag sensors could be used to discriminate gases at part-per-million concentrations and analytes in solution such as ions and bacteria in different concentration ranges. Thus, the wireless, passive, low-cost and flexible NFC tag sensors unfolded new dimensions for biochemical sensing with smartphones (C) 2017 Elsevier B.V. All rights reserved.

Zhao Wang,Zhigang Xu,Wei Xin,Zhong Chen

DOI: https://doi.org/10.1109/imccc.2012.40

2012-01-01

Abstract:NFC(near field communication) technology is a kind of technology to provide close RFID communication channel on mobile devices. Peer-to-Peer applications based on mobile equipment rely on NFC. The NFC system is facing a security problem that it is susceptible to a relay attack. This paper discusses the realization of relay attack on a legitimate peer-to-peer NFC. The attackers use mobile phones with the NFC function of the Android platform, and install the programs on the mobile phones, can finish the attack. While these attack programs only need to call the public NFC protocol API, without illegal intrusion to device memory. On this foundation, how the existing NFC protocol to avoid the above attack is discussed.

Dennis Giese,Kevin Liu,Michael Sun,Tahin Syed,Linda Zhang

DOI: https://doi.org/10.48550/arXiv.1904.10623

2019-04-24

Abstract:Near-Field Communication (NFC) is a modern technology for short range communication with a variety of applications ranging from physical access control to contactless payments. These applications are often heralded as being more secure, as they require close physical proximity and do not involve Wi-Fi or mobile networks. However, these systems are still vulnerable to security attacks at the time of transaction, as they require little to no additional authentication from the user's end. In this paper, we propose a method to attack mobile-based NFC payment methods and make payments at locations far away from where the attack occurs. We evaluate our methods on our personal Apple and Google Pay accounts and demonstrate two successful attacks on these NFC payment systems.

Cryptography and Security

Jing Li,Yabo Dong,Shengkai Fang,Haowen Zhang,Duanqing Xu

DOI: https://doi.org/10.3390/s20164446

IF: 3.9

2020-01-01

Sensors

Abstract:In modern cars, the Passive Keyless Entry and Start system (PKES) has been extensively installed. The PKES enables drivers to unlock and start their cars without user interaction. However, it is vulnerable to relay attacks. In this paper, we propose a secure smartphone-type PKES system model based on user context detection. The proposed system uses the barometer and accelerometer embedded in smartphones to detect user context, including human activity and door closing event. These two types of events detection can be used by the PKES to determine the car owner's position when the car receives an unlocking or a start command. We evaluated the performance of the proposed method using a dataset collected from user activity and 1526 door closing events. The results reveal that the proposed method can accurately and effectively detect user activities and door closing events. Therefore, smartphone-type PKES can prevent relay attacks. Furthermore, we tested the detection of door closing event under multiple environmental settings to demonstrate the robustness of the proposed method.

Fan Dang,Pengfei Zhou,Zhenhua Li,Yunhao Liu

DOI: https://doi.org/10.1109/infcomw.2017.8116391

2017-01-01

Abstract:Automated fare collection (AFC) systems have been widely applied to practical transportation due to their convenience. Although there are many potential threats of NFC such as eavesdropping, data modification, and relay attacks, NFC based AFC systems are considered secure, due to the limited 10cm communication distance. Nevertheless, the proliferation of NFC-equipped mobile phones make such system venerable. We introduce and implement an attack on AFC cards that permits an attacker to top up his smart card and get a refund. We also propose possible countermeasures to defend against these attacks.

Yafei Ji,Luning Xia,Jingqiang Lin,Qiongxiao Wang,Lingguang Lei,Li Song

DOI: https://doi.org/10.1007/978-3-030-14234-6_18

2018-01-01

Abstract:Near field communication (NFC) is an emerging and promising technology envisioned to support a large gamut of applications such as payment and ticketing applications. Unfortunately, there emerges a variety of vulnerabilities that could leave an unwitting user vulnerable to attacks along with the increase of NFC applications. One such potential devastating attack is relay attack, in which adversaries establish a transparently transferring channel between two distant NFC-enabled devices, thus break the assumption that NFC can only work within a rather near distance. In this paper, we propose Chord, an effective method for detecting relay attack. Via measuring the strength of received signal, i.e, the Received Signal Strength Indication (RSSI) during a time span, the two devices are expected to get the same “trace” of RSSI’s variation because of physical proximity. Therefore, the relay attack can be revealed if the peers get a different “trace” from each other, which implies that they do not communicate directly via NFC link. The results of our implementation show that our proposal works as intended, and exhibits an improvement of security with reasonable performance impact.

Yuanchao Shu,Yu Gu,Jiming Chen

DOI: https://doi.org/10.1109/MASS.2012.6502522

2012-01-01

Abstract:Access card authentication is critical and essential for many modern access control systems, which have been widely deployed in various government, commercial and residential environments. However, due to the static identification information exchange among the access cards and access control clients, it is very challenging to fight against access control system breaches due to reasons such as loss, stolen or unauthorized duplications of the access cards. Although advanced biometric authentication methods such as fingerprint and iris identification can further identify the user who is requesting authorization, they incur high system costs and access privileges can not be transferred among trusted users. In this work, we introduce a sensory-data-enhanced authentication for access control systems. By combining sensory-data obtained from onboard sensors on the access cards as well as the original encoded identification information, we are able to effectively tackle the problems such as access card loss and stolen. Our solution is backward-compatible with existing access control systems and significantly increases the key spaces for authentication. We theoretically demonstrate the potential key space increases with simple sensor data and empirically demonstrate simple rotations can increase key space by more than 30, 000 times with an authentication accuracy of 95%. We performed extensive simulations under various environment settings and implemented our design on WISP to experimentally verify the system performance.

Yuyi Sun,Swarun Kumar,Shibo He,Jiming Chen,Zhiguo Shi

DOI: https://doi.org/10.48550/arXiv.2001.08143

2020-01-21

Abstract:Imagine when you line up in a store, the person in front of you can make you pay her bill by using a passive wearable device that forces a scan of your credit card without your awareness. An important assumption of today's Near-field Communication (NFC) enabled cards is the limited communication range between the commercial reader and the NFC cards -- a distance below 5~cm. Previous approaches to attacking this assumption effectively use mobile phones and active relays to enlarge the communication range, in order to attack the NFC cards. However, these approaches require a power supply at the adversary side, and can be easily localized when mobile phones or active relays transmit NFC signals. We propose ReCoil, a system that uses wearable passive relays to attack NFC cards by expanding the communication range to 49.6 centimeters, a ten-fold improvement over its intended commercial distance. ReCoil is a magnetically coupled resonant wireless power transfer system, which optimizes the energy transfer by searching the optimal geometry parameters. Specifically, we first narrow down the feasible area reasonably and design the ReCoil-Ant Colony Algorithm such that the relays absorb the maximum energy from the reader. In order to reroute the signal to pass over the surface of human body, we then design a half waist band by carefully analyzing the impact of the distance and orientation between two coils on the mutual inductance. Then, three more coils are added to the system to keep enlarging the communication range. Finally, extensive experiment results validate our analysis, showing that our passive relays composed of common copper wires and tunable capacitors expand the range of NFC attacks to 49.6 centimeters.

Cryptography and Security,Signal Processing

Weili Han,Chang Cao,Hao Chen,Dong Li,Zheran Fang,Wenyuan Xu,X. Sean Wang

DOI: https://doi.org/10.1109/tdsc.2017.2768536

2020-01-01

Abstract:Sensors are widely used in modern mobile devices (e.g., smartphones, watches) and may gather abundant information from environments as well as about users, e.g., photos, sounds and locations. The rich set of sensor data enables various applications (e.g., health monitoring) and personalized apps as well. However, the powerful sensing abilities provide opportunities for attackers to steal both personal sensitive data and commercial secrets like never before. Unfortunately, the current design of smart devices only provides a coarse access control on sensors and does not have the capability to audit sensing. We argue that knowing how often the sensors are accessed and how much sensor data are collected is the first-line defense against sensor data breach. Such an ability is yet to be designed. In this paper, we propose a framework that allows users to acquire sensor data usages. In particular, we leverage a hook-based track method to track sensor accesses. Thus, with no need to change the source codes of the Android system and applications, we can intercept sensing operations to graphic sensors, audio sensors, location sensors, and standard sensors, and audit them from four aspects: flow audit, frequency audit, duration audit and invoker audit. Then, we implement a prototype, referred to as senDroid, which visually shows the quantitative usages of these sensors in real time at a performance overhead of [0.04-8.05] percent. senDroid allows Android users to audit the applications even when they bypass the Android framework via JNI invocations or when the malicious codes are dynamically loaded from the server side. Our empirical study on 1,489 popular apps in three well-known Android app markets shows that 26.32 percent apps access sensors when the apps are launched, and 11.01 percent apps access sensors while the apps run in the background. Furthermore, we analyze the relevance between sensor usage patterns and third-party libraries, and reverse-engineering on suspicious third-party libraries shows that 77.27 percent apps access sensors via third-party libraries. Our results call attentions to address the users' privacy concerns caused by sensor access.

Manmeet Mahinderjit Singh,Ku Aina Afiqah Ku Adzman,Rohail Hassan

DOI: https://doi.org/10.14419/ijet.v7i4.31.23385

2018-12-09

Abstract:Nowadays; the adoption of Internet of things (IoT) technologies and applications in everyday is rising. IoT technology such as Near Field Communication (NFC) is vastly adopted due to its short range frequencies, making it a good candidate for token based security access control applications such as door systems and attendance systems. However, due to the miniature size of NFC tags; its clear text contents and unprotected communication channel between tag-reader-database; NFC technology is prone to security attacks such as the man in the middle; denial of services (DOS) and etc. These attacks lead to leakage of user critical data which could impact any organization adopting NFC applications and technologies. In this paper; NFC vulnerability, causing both security and privacy attacks studies in depth. By focusing on attacks such as DOS and data corruptions; existing risk assessment models are evaluated using Analytical Hierarchy Process (AHP) approach. Best practice in mitigating these attacks is presented as well. A case study on an existing NFC access control application is then used to demonstrate the effectiveness of best practice solutions proposed.  Â

Wolfgang Issovits,Michael Hutter

DOI: https://doi.org/10.1109/rfid-ta.2011.6068658

2011-09-01

Abstract:RFID and NFC are widely spread contactless communication systems and are commonly used in security-critical applications such as payment and keyless-entry systems. Relay attacks pose a serious threat in this context that are not addressed by most of the RFID applications in use today. The attacks circumvent application-layer security and they cannot be prevented by the usual cryptographic primitives. In this paper, we will present a practical implementation of a relay attack based on systems using the widely used ISO/IEC 14443 standard. We use an off-the-shelf mobile phone and a self-developed RFID-tag emulator that can forward RFID communication over a Bluetooth channel. We will show that the attack succeeded and discuss various methods how to exploit certain mechanisms of the ISO protocol to increase the chance for a successful attack. We will also give recommendations to protect against relay attacks in practice while still complying to the ISO standard which is not considered by most of the proposed countermeasures given in literature.

Fan Dang,Pengfei Zhou,Zhenhua Li,Ennan Zhai,Aziz Mohaisen,Qingfu Wen,Mo Li

DOI: https://doi.org/10.1109/INFOCOM.2017.8057219

2017-01-01

Abstract:Automated Fare Collection (AFC) systems have been globally deployed for decades, particularly in public transportation. Although the transaction messages of AFC systems are mostly transferred in plaintext, which is obviously insecure, system operators do not need to pay much attention to this issue, since the AFC network is well isolated from public network (e.g., the Internet). Nevertheless, in recent years, the advent of Near Field Communication (NFC)-equipped smartphones has bridged the gap between the AFC network and the Internet through Host-based Card Emulation (HCE). Motivated by this fact, we design and practice a novel paradigm of attack on modern distance-based pricing AFC systems, enabling users to pay much less than actually required. Our constructed attack has two important properties: 1) it is invisible to AFC system operators because the attack never causes any inconsistency in the backend database of the operators; and 2) it can be scalable to large number of users (e.g., 10,000) by maintaining a moderate-sized AFC card pool (e.g., containing 150 cards). Based upon this constructed attack, we developed an HCE app, named LessPay. Our real-world experiments on LessPay demonstrate not only the feasibility of our attack (with 97.6% success rate), but also its low-overhead in terms of bandwidth and computation.

Steffen Klee,Alexandros Roussos,Max Maass,Matthias Hollick

DOI: https://doi.org/10.48550/arXiv.2008.03913

2020-08-10

Abstract:Near-Field Communication (NFC) is being used in a variety of security-critical applications, from access control to payment systems. However, NFC protocol analysis typically requires expensive or conspicuous dedicated hardware, or is severely limited on smartphones. In 2015, the NFCGate proof of concept aimed at solving this issue by providing capabilities for NFC analysis employing off-the-shelf Android smartphones. In this paper, we present an extended and improved NFC toolkit based on the functionally limited original open-source codebase. With in-flight traffic analysis and modification, relay, and replay features this toolkit turns an off-the-shelf smartphone into a powerful NFC research tool. To support the development of countermeasures against relay attacks, we investigate the latency incurred by NFCGate in different configurations. Our newly implemented features and improvements enable the case study of an award-winning, enterprise-level NFC lock from a well-known European lock vendor, which would otherwise require dedicated hardware. The analysis of the lock reveals several security issues, which were disclosed to the vendor.

Cryptography and Security

Paul Staat,Kai Jansen,Christian Zenger,Harald Elders-Boll,Christof Paar

DOI: https://doi.org/10.48550/arXiv.2202.06554

2022-04-04

Abstract:Today, we use smartphones as multi-purpose devices that communicate with their environment to implement context-aware services, including asset tracking, indoor localization, contact tracing, or access control. As a de-facto standard, Bluetooth is available in virtually every smartphone to provide short-range wireless communication. Importantly, many Bluetooth-driven applications such as Phone as a Key (PaaK) for vehicles and buildings require proximity of legitimate devices, which must be protected against unauthorized access. In earlier access control systems, attackers were able to violate proximity-verification through relay station attacks. However, the vulnerability of Bluetooth against such attacks was yet unclear as existing relay attack strategies are not applicable or can be defeated through wireless distance measurement. In this paper, we design and implement an analog physical-layer relay attack based on low-cost off-the-shelf radio hardware to simultaneously increase the wireless communication range and manipulate distance measurements. Using our setup, we successfully demonstrate relay attacks against Bluetooth-based access control of a car and a smart lock. Further, we show that our attack can arbitrarily manipulate Multi-Carrier Phase-based Ranging (MCPR) while relaying signals over 90 m.

Cryptography and Security

Chalee Thammarat

DOI: https://doi.org/10.3390/sym12101649

2020-10-09

Symmetry

Abstract:The standard protocol of near field communication (NFC) has concentrated primarily on the speed of communication while ignoring security properties. Message between an NFC-enabled smartphone and a point of sale are exchanged over the air (OTA), which is a message considered an authentication request for payment, billing, ticketing, loyalty services, identification or access control. An attacker who has an antenna can intercept or manipulate the exchanged messages to take advantage of these. In order to solve this problem, many researchers have suggested authentication methods for NFC communications. However, these remain inadequate transaction security and fairness. In this paper, we will propose a technique that ensures mutual authentication, security properties, and strong fairness. Mutual authentication is a security property that prevents replay attacks and man-in-the-middle attacks. Both fair exchange and transaction security are also significant issues in electronic transactions with regards to creating trust among the parties participating in the transaction. The suggested protocol deploys a secure offline session key generation technique to increase transaction security and, importantly, make our protocol lightweight while maintaining the fairness property. Our analysis suggests that our protocol is more effective than others regarding transaction security, fairness, and lightweight protocol. The proposed protocol checks robustness and soundness using Burrows, Abadi and Needham (BAN) logic, the Scyther tool, and automated validation of internet security protocols and applications (AVISPA) that provide formal proofs for security protocols. Furthermore, our protocol can resolve disputes in case one party misbehaves.

Pedro Peris-Lopez,Julio C. Hernandez-Castro,Christos Dimitrakakis,Aikaterini Mitrokotsa,Juan M. E. Tapiador

DOI: https://doi.org/10.48550/arXiv.0906.4618

2009-06-25

Cryptography and Security

Abstract:The vast majority of RFID authentication protocols assume the proximity between readers and tags due to the limited range of the radio channel. However, in real scenarios an intruder can be located between the prover (tag) and the verifier (reader) and trick this last one into thinking that the prover is in close proximity. This attack is generally known as a relay attack in which scope distance fraud, mafia fraud and terrorist attacks are included. Distance bounding protocols represent a promising countermeasure to hinder relay attacks. Several protocols have been proposed during the last years but vulnerabilities of major or minor relevance have been identified in most of them. In 2008, Kim et al. [1] proposed a new distance bounding protocol with the objective of being the best in terms of security, privacy, tag computational overhead and fault tolerance. In this paper, we analyze this protocol and we present a passive full disclosure attack, which allows an adversary to discover the long-term secret key of the tag. The presented attack is very relevant, since no security objectives are met in Kim et al.'s protocol. Then, design guidelines are introduced with the aim of facilitating protocol designers the stimulating task of designing secure and efficient schemes against relay attacks. Finally a new protocol, named Hitomi and inspired by [1], is designed conforming the guidelines proposed previously.

Fan Dang,Ennan Zhai,Zhenhua Li,Pengfei Zhou,Aziz Mohaisen,Kaigui Bian,Qingfu Wen,Mo Li

2018-01-01

Abstract:Automated Fare Collection (AFC) systems have been globally deployed for decades, particularly in the public transportation network where the transit fee is calculated based on the length of the trip (a.k.a., distance-based pricing AFC systems). Although most messages of AFC systems are insecurely transferred in plaintext, system operators did not pay much attention to this vulnerability, since the AFC network is basically isolated from the public network (e.g., the Internet)—there is no way of exploiting such a vulnerability from the outside of the AFC network. Nevertheless, in recent years, the advent of Near Field Communication (NFC)-equipped smartphones has opened up a channel to invade into the AFC network from the mobile Internet, i.e., by Host-based Card Emulation (HCE) over NFC-equipped smartphones. In this paper, we identify a novel paradigm of attacks, called LessPay, against modern distance-based pricing AFC systems, enabling users to pay much less than what they are supposed to be charged. The identified attack has two important properties: 1) it is invisible to AFC system operators because the attack never causes any inconsistency in the back-end database of the operators; and 2) it can be scalable to affect a large number of users (e.g., 10,000) by only requiring a moderate-sized AFC card pool (e.g., containing 150 cards). To evaluate the efficacy of the attack, we developed an HCE app to launch the LessPay attack; and the real-world experiments demonstrate not only the feasibility of the LessPay attack (with 97.6% success rate) but also its low cost in terms of bandwidth and computation. Finally, we propose, implement and evaluate four types of countermeasures, and present security analysis and comparison of these countermeasures on defending against the LessPay attack.