Looking Inside NFC Security: Eavesdropping Attack, Part 1b

Eavesdropper setup
RFID eavesdropping attacks rely on receiving, amplifying, processing, and decoding leaked signals from the reader-to-tag air interface.

Visualizing the air interface signal with a simple wire antenna.

The interception setup comprises the reception antenna, the analog front-end with amplifiers and demodulators, the signal decoding modules, and the data analysis stage. Since full real-time operation is not required, most of these functions can be implemented offline in the digital domain with basic DSP functions.

Main eavesdropping system components.

Quite a number of front-ends are available with the capability to capture NFC signals, ranging from very decent open hardware/software platforms to high-end commercial products. As might be expected, a standard digital storage oscilloscope (DSO) provides most of the functions needed to start experimenting.

For the reception antenna, three to five turns of wire will do the job (see picture below), although a better antenna design is required for longer distances. This setup is very useful for observing isolated events on the air interface. For an effective eavesdropping attack, the DSO must sustain sampling at 100 MHz (minimum) for the whole duration of the transaction. For analyzing communications at high bit rates (424 kbps and above), a higher sampling rate (150/200 MHz) gives better results.

Handmade antenna with three wire turns. It is fixed on a rigid paper for convenience.

The next graph shows a segment of the ISO 14443A anti-collision loop captured with this setup. In the close-up in the lower part of the figure, the activity of both communication channels can be clearly identified.

Fragment from a captured anti-collision loop.

Partial Conclusions
One obvious conclusion: in terms of security, the NFC air interface, like almost any other air interface, must always be considered part of the unsecured region, since an attacker can observe and manipulate it.

Can we do something to stop an attacker from eavesdropping on the air interface? Is it worth doing anything about it?

I propose this engineering exercise for our newer colleagues: is it possible to alter this signal with a few passive components so that it can be digitized at a much lower sampling frequency?

In the next part of this series I will introduce SciLab and some basic DSP concepts by using them to decode captured NFC air interface signals.

2 comments on “Looking Inside NFC Security: Eavesdropping Attack, Part 1b”

  1. SunitaT
    May 10, 2014

    Coaxial RF attenuators, readily available from electronic parts distributors, can be used on the transmitter antenna jack to reduce the radiated signal. These attenuators are available in a wide variety of values to apply a specific amount of attenuation. Improvements in the receiver antenna, or placing it in close proximity to the transmitter, allows even greater attenuation of the transmitter output power while still allowing the wireless system to work inside the room.

  2. etnapowers
    May 12, 2014

    I guess that the effectiveness of the wireless system is very sensitive to the positioning of the attenuators.
