Looking Inside NFC Security: Eavesdropping Attack, Part 2a

The previous part of this series, Looking Inside NFC Security: Eavesdropping Attack, Part 1a, showed how easy it can be to eavesdrop on the NFC air interface. This second part continues digging into the subject by introducing SciLab and some basic digital signal processing (DSP) techniques.

NFC air interface signals can be decoded into data streams using several tools and approaches. Doing it with discrete analog and digital components is not an excessively complex task, though interpreting the exchanged frames requires deep knowledge of several standards. There are a number of commercial products aimed at RFID standards compliance validation and RF debugging, but these tools are usually too expensive for the limited budget of a small startup. Some open source projects are also available.

It makes no sense to cover the whole NFC-A air interface signal decoding process in depth. I find it more useful to share a few more generalized thoughts and conclusions. These notes are taken partly from the procedure I used for debugging the air interface of an RFID emulator I worked on a few months ago.

Why SciLab? SciLab is an easy-to-learn free software package with a comprehensive set of documents and sample code. SciLab’s scripting language is mostly compatible with MatLab. With relatively little effort you can get up and running in just a few minutes.

Disclaimer

My proposal in the previous post was to start with a DSO as the data acquisition system, but I have to admit that it was not fair play. I used a LeCroy WaveRunner 6050A, which is still a beautiful and powerful 4 channel, 5.0 GSample/sec, 500.0 MHz digital oscilloscope. This DSO is an expensive instrument, definitely out of reach for most experimenters and small startups. It is built on top of Windows XP Embedded and supports the installation of custom-made signal processing modules using COM objects and MatLab scripts. A few years ago we installed Visual Studio on it and developed several modules using C#.

Just before starting experimentation

Signal decoding in the digital domain is a typical DSP application. For this, as for any DSP application, we must start by characterizing the input signal. That characterization provides the essential information for designing the analog front end, choosing the signal digitizing parameters, and defining the signal processing strategy.

The ISO/IEC 14443-2 standard is the reference document for the NFC air interface. Recalling from the first part, in NFC-A mode PCD-to-PICC data transmission uses ASK with a carrier frequency of 13.56 MHz, while PICC-to-PCD data transmission uses Manchester coded OOK for the fc/128 bit rate and BPSK NRZ-L for the higher bit rates. The relevant information is carried in the modulation of the carrier envelope. The drawing below depicts the theoretical spectrum at the reader antenna resulting from the tag's load modulation.

Spectrum at the reader's antenna resulting from the load modulation.
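To make the characterization step concrete, here is an added Python model (not SciLab code from the post or the author) of the NFC-A PICC-to-PCD signal: Manchester-coded bits at the fc/128 rate gate an fc/16 load-modulation subcarrier (the subcarrier frequency and the Manchester half-bit convention come from ISO/IEC 14443-2 Type A, not from the text above), and a single-bin DFT measures the carrier and the two sidebands shown in the drawing. The sample rate, modulation depth and bit pattern are assumed values.

```python
import cmath
import math

# ISO/IEC 14443-2 Type A figures (carrier, fc/16 subcarrier, fc/128 bit rate);
# the sample rate and modulation depth are constructed values for this model.
FC = 13.56e6              # carrier frequency fc
SUBC = FC / 16            # load-modulation subcarrier, 847.5 kHz
FS = 16 * FC              # assumed sample rate: 16 samples per carrier cycle
BIT_SAMPLES = 128 * 16    # one bit at the fc/128 (~106 kbit/s) rate
MOD_INDEX = 0.1           # assumed load-modulation depth

def load_modulated_signal(bits, m=MOD_INDEX):
    """Reader-side voltage: amplitude steps by m while the PICC switches its load
    at fc/16 during one half of each Manchester bit ('1' = first, '0' = second)."""
    subc_period = int(round(FS / SUBC))        # 256 samples per subcarrier cycle
    out = []
    for b in bits:
        for k in range(BIT_SAMPLES):
            first_half = k < BIT_SAMPLES // 2
            gated = first_half if b else not first_half
            load_on = gated and (k % subc_period) < subc_period // 2
            out.append((1.0 + (m if load_on else 0.0))
                       * math.cos(2 * math.pi * FC * len(out) / FS))
    return out

def magnitude_at(samples, freq, start=0, count=None):
    """Single-bin DFT: amplitude of the spectral line at freq over a window."""
    count = len(samples) - start if count is None else count
    w = -2j * math.pi * freq / FS
    acc = sum(samples[n] * cmath.exp(w * n) for n in range(start, start + count))
    return abs(acc) / count

def spectrum_lines(samples):
    """The lines in the drawing: carrier plus the fc +/- fc/16 sidebands."""
    return {"carrier": magnitude_at(samples, FC),
            "lower": magnitude_at(samples, FC - SUBC),
            "upper": magnitude_at(samples, FC + SUBC)}

def sideband_ratio_db(samples):
    """How far below the carrier the tag's sideband sits (front-end dynamic range)."""
    s = spectrum_lines(samples)
    return 20 * math.log10(s["upper"] / s["carrier"])

def decode_bits(samples, nbits):
    """Non-coherent Manchester decision: '1' when the fc + fc/16 sideband is
    stronger in the first half of the bit period than in the second half."""
    half = BIT_SAMPLES // 2
    return [int(magnitude_at(samples, FC + SUBC, i * BIT_SAMPLES, half)
                > magnitude_at(samples, FC + SUBC, i * BIT_SAMPLES + half, half))
            for i in range(nbits)]
```

With a 10 % modulation depth the sidebands sit roughly 36 dB below the carrier, which is the dynamic range a sniffer's front end and digitizer must resolve before any decoding is possible.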

Parts 2b and 2c will follow.

9 comments on “Looking Inside NFC Security: Eavesdropping Attack, Part 2a”

  1. Sachin
    May 7, 2014

    This article is interesting, thank you Lorenzo. It is true that there are many approaches and tools for decoding NFC air interface signals into data streams. I also agree with you when it comes to the financial problems an individual can face in the process of RF debugging, in that these tools are expensive and are not worthy for a small setup. You also say that it requires deep knowledge during interpretation. My worry then is that I think data can be stolen from other device thus I wonder on the security of my data.

  2. etnapowers
    May 7, 2014

    I agree with SachinEE about the matter of security of the data. For the diffusion of NFC technology into the market it is very important to protect the data set of the communication infrastructure from the attack of hackers.

  3. Victor Lorenzo
    May 9, 2014

    @SanchinEE >> My worry then is that I think data can be stolen from other device thus I wonder on the security of my data.

    That's exactly the point on this article series, security should be a major concern from early project planning and system design phases.

    I'll cover it on the third part of the series.

  4. Victor Lorenzo
    May 9, 2014

    @SanchinEE >> (…) in that these tools are expensive.

    Hardware and software debugging tasks consume a remarkable amount of project execution time and this translates in direct proportion into project cost and in inverse proportion into customer satisfaction due to delays. Proper tools often help in reducing debug time and improve product quality.

  5. Victor Lorenzo
    May 9, 2014

    @etnapowers >> (…) it is very important to protect the data set of the communication infrastructure from the attack of hackers.

    I totally agree with you on this. This idea must be applied to IoT devices and smart meters as well.

  6. yalanand
    May 10, 2014

    Despite the fact that NFC communication occurs between devices in close proximity, this type of attack is feasible. Interception of an NFC exchange doesn't always translate into theft of information. In some cases, the attack is meant to corrupt the information being exchanged, making it useless. The principal method to prevent eavesdropping is using a secure channel that has to be established between the NFC devices, usually implementing encryption methods; meanwhile, the proximity of the communication units is another deterrent for attack realization, but it does not eliminate the risks.

  7. Victor Lorenzo
    May 10, 2014

    @yalanand >>> In some cases, the attack is meant to corrupt the information being exchanged.

    You're right on that @yalanand. Eavesdropping is one simple passive attack. Some more aggressive attacks also exist. Man-in-the-middle attacks (MITMA) try to modify the information exchanged between both channel endpoints. It also comprises an eavesdropping scenario combined with active communication channel manipulation.

  8. SunitaT
    June 30, 2014

    @Victor, how will the introduction of IoT affect the NFC in mobile devices? Will the peer-to-peer mode of NFC play any role in the IoT concept?

  9. Victor Lorenzo
    June 30, 2014

    SunitaT0>> “How does the introduction of IoT will affect the NFC in mobile devices?”

    In my opinion we are already witnessing the era where mobile devices in general and mobile phones in particular start playing key roles in the IoT world. BTLE and WiFi serve mobile applications as entry points into sensor and actuator networks where users can control many home, building, garden and industrial automation devices. Specialised gateways route messages and ensure interoperation between different physical link implementations (WiFi, 6LoWPan, Bluetooth, ZigBee, SubGHz, Jennet-IP and many, many others). NFC is another enabling technology in this IoT world, but with lower impact.