
Looking Inside NFC Security: Eavesdropping Attack, Part 1a

In our previous blog RFID & NFC Enabling Solutions: a Closer Look, several colleagues commented on the risk of losing sensitive information when using NFC/RFID for wireless communications. Many of the comments on NFC security weaknesses focused on how feasible it is to eavesdrop on NFC communications. Entering the IoT world without paying a good deal of attention to communications security and data integrity is almost a suicidal step. Eavesdropping attacks can effectively compromise data confidentiality if communications secrecy is not properly addressed.

NFC communication interception comprises three main steps: capturing the air interface signals, decoding the communication channels, and analysing the captured data. This first part of the series demonstrates how easy it is to capture the NFC air interface signals. The second part will cover some of the data analysis we can do over the captured signals to extract the exchanged data streams. The third part will introduce some basic concepts about turning the communication channels into secure, encrypted channels to overcome the air interface's intrinsic lack of security.

For the sake of simplicity and ease of reproduction, I will concentrate on NFC/RFID interfaces working in the 13.56 MHz band according to the ISO/IEC 14443 Type A standard (NFC-A). The approach can be extrapolated to other standards such as ISO/IEC 14443 Type B (NFC-B), FeliCa, ISO/IEC 15693, and others.

Background concepts
The energy transfer between the HF RFID reader and tag antennas is based on magnetic coupling. By design it is a near field interaction, constrained to the reader's vicinity to minimize far field emissions. Simplifying things to the extreme, the reader and tag antennas can be seen as the windings of a single transformer.

Communication between the reader and tag is half duplex, and each direction uses a different channel for sending information. In NFC-A mode, the reader-to-tag channel (PCD-to-PICC) sends information by modulating the 13.56 MHz carrier with 100% amplitude shift keying (ASK) and modified Miller encoding at a bit rate of fc/128. For higher bit rates ASK is used with different parameters. The tag-to-reader channel (PICC-to-PCD) uses load modulation with an 848 kHz (fc/16) subcarrier. On-off keying (OOK) of the subcarrier is used at the bit rate of fc/128 and binary phase shift keying (BPSK) at the bit rates of fc/64, fc/32 and fc/16. Detailed information and diagrams can be found in Section 8 of ISO/IEC 14443-2.
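To make the reader-to-tag channel concrete, here is an added example (not code from the original post) that maps frame bits to the modified Miller X/Y/Z sequences of ISO/IEC 14443-2 at fc/128, decodes them back, and lists where the carrier pauses fall in time. The function names, the REQA short frame used as sample input, and the 128/fc bit period are my own choices.

```python
"""Modified Miller (ISO/IEC 14443-2 Type A, fc/128) encode/decode helper.

Sequence X: pause in the middle of the bit period.
Sequence Y: no pause for the whole bit period.
Sequence Z: pause at the start of the bit period.
Logic 1 -> X. Logic 0 -> Y, except after a 0 or after the start of
frame, where Z is used. SOF = Z. EOF = logic 0 followed by Y.
"""

FC_HZ = 13.56e6
BIT_PERIOD_US = 128 / FC_HZ * 1e6   # ~9.44 us per bit at fc/128


def short_frame_bits(cmd):
    """7-bit short frame (e.g. REQA 0x26), transmitted LSB first."""
    return [(cmd >> i) & 1 for i in range(7)]


def miller_encode(bits):
    """Return the X/Y/Z sequence list for one frame, SOF and EOF included."""
    seq = ["Z"]          # start of communication
    prev = 0             # a 0 right after SOF must be coded as Z
    for b in list(bits) + [0]:   # EOF starts with a logic 0
        if b == 1:
            seq.append("X")
        else:
            seq.append("Z" if prev == 0 else "Y")
        prev = b
    seq.append("Y")      # end of communication
    return seq


def miller_decode(seq):
    """Recover the frame bits; raises ValueError on a malformed frame."""
    if not seq or seq[0] != "Z":
        raise ValueError("missing start of communication")
    bits = []
    for i in range(1, len(seq)):
        s = seq[i]
        if s == "X":
            bits.append(1)
        elif s == "Z":
            bits.append(0)
        elif seq[i - 1] == "X":
            bits.append(0)           # Y after a 1 is a plain 0
        else:
            return bits[:-1]         # Y after Y/Z only occurs at EOF; drop EOF's 0
    raise ValueError("missing end of communication")


def pause_times_us(seq):
    """Time offsets (microseconds) of the 100% ASK pauses an analyser would see."""
    return [round((k + (0.5 if s == "X" else 0.0)) * BIT_PERIOD_US, 2)
            for k, s in enumerate(seq) if s != "Y"]
```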

ISO/IEC-14443 Type A air interface operation.

Magnetic coupling poses practical limits on how far the reader's signal can reach. This also limits the maximum distance from which an interceptor's antenna can receive the signal, but it should never be considered an effective security measure. Some authors claim they have succeeded in reliably capturing HF RFID communications at a distance of five meters.

11 comments on “Looking Inside NFC Security: Eavesdropping Attack, Part 1a”

  1. Netcrawl
    May 7, 2014

    @Victor thanks for a great post. It's true NFC has a very serious security issue. NFC is just a platform for establishing a communication exchange between two devices; it doesn't come loaded with any built-in security measures, which means that it does not completely protect users from having their sensitive information stolen.

    I think we can prevent eavesdropping; it's all about range. In order to intercept an NFC signal a hacker would have to accomplish a few critical things: they need to be close enough to grab the NFC signals. NFC is extremely sensitive when it comes to direction.

  2. Davidled
    May 8, 2014

    I think that the max reading range is about 10 cm to read the tag information. Reducing the reading range could supplement the security. To do that, the signal modulation sending the data could be changed.

  3. Victor Lorenzo
    May 9, 2014

    @Netcrawl >> NFC (…) doesn't come loaded with any built-in security measures.

    Exactly. It must be implemented at a higher level than parts 3/4 of ISO14443. But it does provide the foundation to create a very robust and highly secure system.

    >> I think we can prevent eavesdropping, it's all about range.

    I disagree on that. We could even forget about eavesdropping when using suitable security schemes. Range reduction does not improve security, it improves some other aspects like power consumption and simplifies some usage scenarios.

  4. Victor Lorenzo
    May 9, 2014

    @DaeL >> Reducing reading range could supplement the security. To do that, signal modulation sending data could be changed.

    The modulation could be changed to reduce further reader and tag AFE complexity. But obfuscation proved ineffective for securing communications.

  5. Davidled
    May 9, 2014

    13.56 MHz is an unlicensed radio frequency ISM band. I wonder whether NFC needs to keep 13.56 MHz. Modulation could be developed based on Manchester coding and Miller coding.

  6. eafpres
    May 14, 2014

    I have to agree with our author. NFC/RFID systems have been evolving to longer ranges for applications like dock-door readers at warehouses monitoring what is loaded onto a given truck. I have personally seen read demonstrations of hundreds of tags at several meters distance.

  7. SunitaT
    June 30, 2014

    @Netcrawl, yes, devices must be fairly close to send signals, so the criminal has a limited range to work in for intercepting signals. Along with that there is a need for secure channels. When a secure channel is established, the information is encrypted and only an authorized device can decode it, and NFC users should ensure that the companies they do business with use secure channels.

  8. SunitaT
    June 30, 2014

    @Daej, there is no ethical concern with respect to the 13.56 MHz frequency. In mobile devices the 13.56 MHz frequency limits the range to the distance of a touch.

  9. Victor Lorenzo
    June 30, 2014

    @SunitaT0 >> “(…) there is a need for secure channels”, you're absolutely right about that. In part 3 you will find some security concepts related to this.

  10. Victor Lorenzo
    June 30, 2014

    @SunitaT0 >> “In mobile devices 13.56MHz frequency limits the range at the distance of a touch”. An appropriate antenna design ensures the best near field magnetic coupling and the lowest far field emissions.

  11. Davidled
    July 1, 2014

    >> In mobile devices 13.56MHz frequency limits the range at the distance of a touch.

    The range could be determined by the signal amplifier together with the antenna design, including the analog circuit related to these two main components.
