In our previous blog, RFID & NFC Enabling Solutions: a Closer Look, several colleagues commented on the risk of losing sensitive information when NFC/RFID is used for wireless communication. Many of the comments about NFC security weaknesses focused on how feasible it is to eavesdrop on NFC communications. Entering the IoT world without paying close attention to communications security and data integrity is almost a suicidal step. Eavesdropping attacks can effectively compromise data confidentiality if the secrecy of the communication is not properly addressed.
Intercepting NFC communication involves three main steps: capturing the air interface signals, decoding the communication channels, and analyzing the captured data. This first part of the series demonstrates how easy it is to capture the NFC air interface signals. The second part will cover the analysis that can be done on the captured signals to extract the exchanged data streams. The third part will introduce some basic concepts for turning the communication channels into secure, encrypted channels that overcome the air interface's intrinsic lack of security.
For the sake of simplicity and ease of reproduction, I will concentrate on NFC/RFID interfaces working in the 13.56 MHz band according to the ISO/IEC 14443 Type A standard (NFC-A). The same approach can be extrapolated to other standards such as ISO/IEC 14443 Type B (NFC-B), FeliCa, ISO/IEC 15693, and others.
Energy transfer between the HF RFID reader and tag antennas is based on magnetic coupling. By design it is a near field interaction, constrained to the reader’s vicinity to minimize far field emissions. Simplifying to the extreme, the reader and tag antennas can be thought of as the two windings of a transformer.
Communication between the reader and tag is half duplex, and each direction uses a different channel. In NFC-A mode, the reader-to-tag channel (PCD-to-PICC) sends information by modulating the 13.56 MHz carrier with 100% amplitude shift keying (ASK) and modified Miller encoding at a bit rate of fc/128. For higher bit rates, ASK is used with different parameters. The tag-to-reader channel (PICC-to-PCD) uses load modulation with an 848 kHz (fc/16) subcarrier. On-off keying (OOK) is used at the bit rate of fc/128, and binary phase shift keying (BPSK) at the bit rates of fc/64, fc/32 and fc/16. Detailed information and diagrams can be found in Section 8 of ISO/IEC 14443-2.
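To make the reader-to-tag coding concrete, here is an added Python example (my own illustration, not code from the original post) that models the PCD-to-PICC channel at the bit level: it maps data bits to the modified Miller sequences X, Y and Z, renders them as a 100% ASK carrier envelope, and recovers the bits again. The sequence rules, the fc/128 bit period and the start/end-of-communication markers follow ISO/IEC 14443-2; the sample counts per bit period and the pause length are simplifications assumed for this example, and the frame bits used at the bottom are constructed.

```python
# Added example: bit-level model of the NFC-A reader-to-tag (PCD-to-PICC)
# channel. ISO/IEC 14443-2 Type A sends commands by 100% ASK (the carrier is
# briefly switched off, a "pause") with modified Miller coding at fc/128,
# i.e. about 106 kbit/s for fc = 13.56 MHz.
#
# The three coding sequences for one bit period are:
#   X: pause in the second half of the bit period
#   Y: no pause during the whole bit period
#   Z: pause at the start of the bit period
# Rules: logic 1 -> X; logic 0 -> Y, except that a 0 directly after another 0,
# or a 0 as the first bit of the frame, is sent as Z. A frame starts with Z
# (start of communication) and ends with a logic 0 followed by Y.
#
# Assumption for this example: the carrier envelope is modelled at 8 samples
# per bit period (one sample = 16 carrier cycles, ~1.18 us) and a pause lasts
# 2 samples (~2.4 us). Real receivers work on the analog envelope instead.

FC_HZ = 13.56e6
BIT_PERIOD_S = 128 / FC_HZ        # ~9.44 us per bit at fc/128
SAMPLES_PER_BIT = 8
PAUSE_SAMPLES = 2


def miller_sequences(bits):
    """Map a frame's data bits to X/Y/Z sequences, including SOC and EOC."""
    seqs = ["Z"]                  # start of communication
    prev = None                   # previous data bit; None at frame start
    for b in list(bits) + [0]:    # end of communication begins with a logic 0
        if b == 1:
            seqs.append("X")
        elif prev in (None, 0):   # first bit is 0, or a 0 follows a 0
            seqs.append("Z")
        else:
            seqs.append("Y")
        prev = b
    seqs.append("Y")              # ... followed by sequence Y
    return seqs


def sequences_to_envelope(seqs):
    """Render sequences as a carrier envelope: 1 = carrier on, 0 = pause."""
    env = []
    half = SAMPLES_PER_BIT // 2
    for s in seqs:
        period = [1] * SAMPLES_PER_BIT
        if s == "Z":
            period[0:PAUSE_SAMPLES] = [0] * PAUSE_SAMPLES
        elif s == "X":
            period[half:half + PAUSE_SAMPLES] = [0] * PAUSE_SAMPLES
        env.extend(period)
    return env


def envelope_to_sequences(env):
    """Classify each bit period of an envelope by where (if anywhere) its pause falls."""
    seqs = []
    half = SAMPLES_PER_BIT // 2
    for i in range(0, len(env), SAMPLES_PER_BIT):
        period = env[i:i + SAMPLES_PER_BIT]
        if 0 in period[:half]:
            seqs.append("Z")
        elif 0 in period[half:]:
            seqs.append("X")
        else:
            seqs.append("Y")
    return seqs


def decode_sequences(seqs):
    """Recover the data bits from X/Y/Z sequences; ValueError on a malformed frame."""
    if not seqs or seqs[0] != "Z":
        raise ValueError("frame must start with sequence Z (SOC)")
    bits = []
    prev = None
    for s in seqs[1:]:
        if s == "X":
            bits.append(1)
        elif s == "Z":
            if prev == 1:
                raise ValueError("sequence Z directly after a logic 1 is not valid")
            bits.append(0)
        else:  # "Y"
            if prev is None:
                raise ValueError("sequence Y directly after SOC is not valid")
            if prev == 0:
                # A Y after a 0 can only be the end of communication:
                # drop the EOC's own logic 0 and stop.
                return bits[:-1]
            bits.append(0)
        prev = bits[-1]
    raise ValueError("frame has no end of communication")


def round_trip(bits):
    """Encode bits to an envelope and decode them back again."""
    return decode_sequences(envelope_to_sequences(sequences_to_envelope(miller_sequences(bits))))


if __name__ == "__main__":
    frame = [1, 0, 0, 1]          # constructed sample bits, not a real command
    seqs = miller_sequences(frame)
    print("sequences:", "".join(seqs))
    print("envelope: ", "".join(map(str, sequences_to_envelope(seqs))))
    print("duration: %.1f us" % (len(seqs) * BIT_PERIOD_S * 1e6))
    print("decoded:  ", round_trip(frame))
```

The decoder only needs to know where the pause sits inside each bit period, which is why 100% ASK is so easy to recover from a captured envelope: the carrier is either fully present or fully absent, and the timing of the gaps alone carries the information.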
Magnetic coupling poses practical limits on how far the reader’s signal can reach. This also limits the maximum distance from which the interceptor’s antenna can receive the signal, but should never be considered an effective security enhancement. Some authors claim they have succeeded in reliably capturing HF RFID communications at a distance of five meters.