Looking Inside NFC Security: Eavesdropping Attack, Part 2b

Meeting with real-world signals
The next figure dissects one anti-collision segment (REQA-ATQA) captured at a 500 MHz sampling rate using the handmade antenna shown in part 1. The lower part shows the corresponding Fast Fourier Transform (FFT) for the PCD-to-PICC REQA command and the PICC-to-PCD ATQA response. One thing to note in this figure is the relatively high level obtained for the backscatter signal (load modulation). This was possible by adjusting the antenna arrangement for best results.

Real-world REQA-ATQA command/response signal segment.

For estimating the signal’s bandwidth we can use the results from the FFT. The SciLab script snippet below calculates and displays the FFT for the PICC-to-PCD segment shown in the above figure. The variable segREQA.PICCtoPCD.Data was previously loaded with the appropriate data vector, extracted from the data set downloaded from the DSO.

Code snippet: FFT calculation example.

Another useful tool for estimating the time-frequency behavior of signals is baudline. This free and open source Linux tool uses digital signal processing techniques for spectrogram calculation and visualization. The spectrogram calculated for the signal segment shown above is below; it was computed using a Kaiser window and a transform size of 4,096 points. Several harmonics are clearly visible too.

Spectrogram for the REQA-ATQA segment as calculated and displayed using baudline.

Air interface signal demodulation
One clear advantage in NFC-A air interface signal processing is that all the information is carried in the carrier’s amplitude. To extract the PCD-to-PICC baseband signal and the PICC-to-PCD sub-carrier we can simply use the classical ASK demodulation approach: rectification + band-pass filtering + thresholding.

See below for some results. Note the use of a leaky peak detector with independent attack and decay constants for generating the binarization threshold. These constants can be fine-tuned to reduce the effect introduced by the overshoot peak.

REQA-ATQA segment as obtained after rectification and low-pass filtering.

A similar procedure (high-pass filtering + rectification + low-pass filtering + thresholding) can be used for extracting the PICC-to-PCD signal when it is Manchester/OOK encoded, as depicted below. The encoded bit stream is shown in red. Note that this method needs some modifications for the higher bit rates (fc/64 and above), where BPSK/NRZ-L encoding is used. Looking at “Figure 2: Example PICC to PCD communication signals for Type A and Type B interfaces” in ISO/IEC 14443-2 you will surely find the solution.

Encoded PICC-to-PCD bit stream.
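The demodulation chain from the two sections above (rectification, low-pass filtering, a leaky peak detector with separate attack and decay constants for the slicing threshold, and Manchester decoding of the fc/16 sub-carrier) is put together below in pure Python as an added example, not code from the article. It runs on a constructed capture: a 13.56 MHz carrier with 8 samples per cycle (an assumed, reduced sampling rate), a DC offset, uniform noise and a 10 % load-modulation swing; the frame layout (start bit, bytes LSB first with odd parity, silence as end of frame) follows the ISO/IEC 14443 Type A standard frame. The detector constants, the noise floor for the threshold and the start-up settling time are assumptions tuned for this simulation and would need re-tuning on real DSO data.

```python
"""Constructed example: recovering a Manchester-coded PICC-to-PCD frame from a
simulated NFC-A load-modulation capture with the chain described in the article
(DC block, rectification, low-pass filtering, leaky peak detector threshold).
Pure Python, no NumPy. Sampling rate, modulation depth, noise level and detector
constants are assumptions chosen for this simulation, not values from the page."""
import math
import random

SPC = 8                          # samples per 13.56 MHz carrier cycle (assumed)
SUBCARRIER_SAMPLES = 16 * SPC    # fc/16 subcarrier period (847.5 kHz)
BIT_SAMPLES = 128 * SPC          # one bit = 128 carrier cycles (fc/128, ~106 kbit/s)
HALF_BIT = BIT_SAMPLES // 2
SETTLE = BIT_SAMPLES             # filter start-up transient ignored by the slicer


def frame_bits(payload):
    """PICC standard frame: start bit '1', then each byte LSB first followed by
    an odd parity bit. End of frame = a bit period with no subcarrier."""
    bits = [1]
    for byte in payload:
        data = [(byte >> i) & 1 for i in range(8)]
        bits += data + [1 - sum(data) % 2]          # odd parity
    return bits


def generate_signal(bits, depth=0.10, dc_offset=0.2, noise_amp=0.02, seed=1):
    """Carrier as seen by the eavesdropping antenna: two bit periods of unmodulated
    guard time, the frame, two more unmodulated periods. Manchester: a '1' has the
    subcarrier in the first half-bit, a '0' in the second half (constructed)."""
    rng = random.Random(seed)
    amp = [1.0] * (2 * BIT_SAMPLES)
    for bit in bits:
        for n in range(BIT_SAMPLES):
            on = n < HALF_BIT if bit else n >= HALF_BIT
            phase = (n // (SUBCARRIER_SAMPLES // 2)) % 2       # subcarrier square wave
            amp.append(1.0 + depth * (1 - 2 * phase) if on else 1.0)
    amp += [1.0] * (2 * BIT_SAMPLES)
    return [dc_offset + a * math.sin(2 * math.pi * n / SPC) + rng.uniform(-noise_amp, noise_amp)
            for n, a in enumerate(amp)]


def moving_average(x, window):
    """Causal boxcar low-pass filter: mean of the last `window` samples, O(n)."""
    out, acc = [], 0.0
    for n, v in enumerate(x):
        acc += v
        if n >= window:
            acc -= x[n - window]
        out.append(acc / min(n + 1, window))
    return out


def leaky_peak_threshold(x, attack=0.2, decay=0.001, ratio=0.5, floor=0.01):
    """Slicing threshold from a leaky peak detector: fast attack so the threshold
    follows the first burst, slow decay so it holds across the unmodulated
    half-bits, and a floor so noise between frames never crosses it."""
    peak, thr = 0.0, []
    for v in x:
        peak = peak + attack * (v - peak) if v > peak else peak * (1.0 - decay)
        thr.append(max(ratio * peak, floor))
    return thr


def subcarrier_presence(signal):
    """Binary 'subcarrier on/off' stream from the raw samples."""
    dc = sum(signal) / len(signal)                  # DC block: record mean here; a
    rect = [abs(v - dc) for v in signal]            # real-time version would high-pass
    env = moving_average(rect, SPC)                 # carrier envelope (one cycle LPF)
    mean_env = moving_average(env, SUBCARRIER_SAMPLES)
    sub = [e - m for e, m in zip(env, mean_env)]    # drop the mean level, keep the swing
    sub_env = moving_average([abs(v) for v in sub], SUBCARRIER_SAMPLES)  # subcarrier amplitude
    thr = leaky_peak_threshold(sub_env)
    return [1 if n >= SETTLE and v > t else 0 for n, (v, t) in enumerate(zip(sub_env, thr))]


def manchester_decode(presence):
    """Bit boundaries start at the first detected burst (the start bit is a '1').
    Each bit is decided by which half holds the burst; a silent bit ends the frame."""
    if 1 not in presence:
        return []
    start = presence.index(1)
    bits = []
    for pos in range(start, len(presence) - BIT_SAMPLES + 1, BIT_SAMPLES):
        first = sum(presence[pos:pos + HALF_BIT])
        second = sum(presence[pos + HALF_BIT:pos + BIT_SAMPLES])
        if first + second < HALF_BIT // 4:          # no subcarrier: end of communication
            break
        bits.append(1 if first > second else 0)
    return bits


def parse_frame(bits):
    """Strip the start bit, split into 9-bit groups, verify odd parity, return bytes."""
    if not bits or bits[0] != 1:
        raise ValueError("missing start bit")
    data, payload = bits[1:], []
    for i in range(0, len(data) - len(data) % 9, 9):
        group = data[i:i + 9]
        if sum(group) % 2 != 1:
            raise ValueError("parity error in byte %d" % (i // 9))
        payload.append(sum(b << k for k, b in enumerate(group[:8])))
    return payload


def roundtrip(payload):
    """Encode, simulate the air interface, demodulate and parse."""
    return parse_frame(manchester_decode(subcarrier_presence(generate_signal(frame_bits(payload)))))


if __name__ == "__main__":
    print(roundtrip([0x44, 0x03]))   # constructed two-byte payload
```

The threshold floor and the start-up settling window are the two details that are easy to leave out and then pay for: without the floor the peak detector decays to the noise level between frames and the slicer fires on noise, and without the settling window the filters' start-up transient is sliced as a burst and the bit boundaries lock onto it instead of onto the start bit. The same presence stream feeds the parity check, which is the first place a marginal antenna arrangement shows up as decoding errors.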

4 comments on “Looking Inside NFC Security: Eavesdropping Attack, Part 2b”

  1. Sachin
    May 7, 2014

    It is interesting the way Baudline is working being a time-frequency browser designed for scientific visualization of the spectral domain.  It is also amazing how Signal analysis is performed leading to a creation of colorful spectrograms with vibrant detail. What surprises me most is how the baudline signal analyzer works, the way it combines fast digital signal processing, its versatile high speed displays, and its constant capture tools operation on signal characteristics. I think this is an amazing tool for estimating time-frequency behavior of signals.

  2. Victor Lorenzo
    May 9, 2014

    @SanchinEE >> It is interesting the way Baudline is working.

    Yes, it is.

    MatLab and SciLab provide all primitives we need to create colorful spectrograms, but Baudline takes it beyond visualization. Baudline can also work in real time.

    Baudline authors publish a very interesting section in their website called Mystery Signal. They introduce it with “We've got signal, but what the heck is it? That's your mission. Analyze this bébé.”

  3. yalanand
    May 10, 2014

    In order to estimate the bandwidth of a signal, we have to know what its rise time is. If we only know the clock frequency, we have to guess the rise time. If we want to sound like we have put some more thought into it, we can say, estimate or if we want to sound like we really know what we are doing, we can say, extrapolate the rise time. My question is, what percent of the period is the rise time?

  4. Victor Lorenzo
    May 10, 2014

    @yalanand >> (…) what percent of the period is the rise time?

    The ISO 14443-2 standard defines several modulation parameters for Type A and Type B. The FeliCa standard also defines them (shared by NFC too). These parameters include the modulation depth, overshoots, rise/fall times and others.

    In practice the real bandwidth is highly dependent on the hardware implementation (reader IC and PCB), and proper output EMI and bandpass filtering is used as part of the reader antenna interface.

    The signal I've used for this article series was captured from one commercial reader (OEM) and one commercial tag (DESFire D40). It was sampled at 500 MHz with a 200 MHz 2nd order lowpass anti-aliasing filter. From the Baudline analysis results, in my opinion it is very close to having EMI problems due to high order harmonics.
