Looking Inside NFC Security: Eavesdropping Attack, Part 2c

Bitstream decoding
To decode the symbol streams into byte streams we must take into account the symbols generated by the encoding. The ISO/IEC-14443-2 standard defines these symbols in sections “8.1.3 Bit representation and coding” for the PCD and “8.2.5 Bit representation and coding” for the PICC. The procedure for extracting the symbols and the exchanged bytes is very simple and does not require advanced programming skills, as shown below.

Bitstream as extracted from the symbols in the REQA-ATQA segment.

One thing to note from ISO/IEC-14443-2 is that the air interface supports several bit rates and bit encodings. To handle the bit rates and encodings correctly we must follow the specifications given in the ISO/IEC-14443-3 and -4 standards. The rest of the air interface interception procedure, extracting the command-response pairs exchanged by the reader and the tag, depends on the tag type.
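As an added example (not code from the original post), this is the symbol-to-byte step described above for Type A: modified Miller sequences X/Y/Z on the PCD side and Manchester sequences D/E/F on the PICC side are stripped of their SOF/EOF and assembled into ISO/IEC 14443-3 frames (7-bit short frame, or 8 data bits LSB-first plus odd parity per byte). The REQA and ATQA symbol strings are constructed for illustration, and the ATQA value 0x0004 is an assumed sample value.

```python
# Added example: decoding ISO/IEC 14443 Type A symbol streams into frame bytes.
# PCD -> modified Miller sequences X/Y/Z (ISO/IEC 14443-2, 8.1.3);
# PICC -> Manchester sequences D/E/F (ISO/IEC 14443-2, 8.2.5).
# Framing follows ISO/IEC 14443-3: short frame = 7 data bits, standard frame =
# 8 data bits LSB-first plus one odd parity bit per byte. Sample streams are constructed.

PCD_BIT = {"X": 1, "Y": 0, "Z": 0}   # X = logic 1; Y and Z both carry logic 0
PICC_BIT = {"D": 1, "E": 0}          # F carries no information (used as EOF)

def symbols_to_bits(symbols: str, side: str) -> list[int]:
    """Strip SOF/EOF from exactly one frame's symbols (no idle padding) and return its bits."""
    s = symbols.upper()
    if side == "PCD":
        # SOF is a Z; EOF is a logic 0 (Y after a 1, Z after a 0) followed by a Y.
        if s[0] != "Z" or s[-1] != "Y" or s[-2] not in "YZ":
            raise ValueError("malformed PCD frame delimiters")
        return [PCD_BIT[c] for c in s[1:-2]]
    if side == "PICC":
        # SOF is a D; EOF is an F.
        if s[0] != "D" or s[-1] != "F":
            raise ValueError("malformed PICC frame delimiters")
        return [PICC_BIT[c] for c in s[1:-1]]
    raise ValueError(f"unknown side {side!r}")

def lsb_first(bits: list[int]) -> int:
    return sum(b << i for i, b in enumerate(bits))

def bits_to_frame(bits: list[int]) -> bytes:
    """Assemble payload bits into bytes, rejecting bad lengths and parity errors."""
    if len(bits) == 7:                      # short frame (REQA/WUPA), no parity bit
        return bytes([lsb_first(bits)])
    if not bits or len(bits) % 9:
        raise ValueError(f"unexpected frame length: {len(bits)} bits")
    out = []
    for k in range(0, len(bits), 9):        # standard frame: 8 data bits + parity
        data, parity = bits[k:k + 8], bits[k + 8]
        if (sum(data) + parity) % 2 != 1:   # data bits plus parity must have odd weight
            raise ValueError(f"parity error in byte {k // 9}")
        out.append(lsb_first(data))
    return bytes(out)

def decode(symbols: str, side: str) -> bytes:
    return bits_to_frame(symbols_to_bits(symbols, side))

# Constructed streams: REQA (0x26) as the PCD would emit it, and an assumed ATQA of
# 0x0004 (sent LSB byte first: 0x04 then 0x00, each with its odd parity bit) from the PICC.
REQA_SYMBOLS = "Z" + "ZXXYZXY" + "ZY"                    # decode(...) -> b'\x26'
ATQA_SYMBOLS = "D" + "EEDEEEEEE" + "EEEEEEEED" + "F"     # decode(...) -> b'\x04\x00'
```

A flipped parity symbol in either byte raises ValueError instead of producing a silently wrong byte, which is what you want before trusting a captured command-response pair.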

Partial conclusions
The procedure described here is not new and has applications beyond debugging the NFC air interface. Tools like SciLab and MatLab can be combined with many different data acquisition front ends to create our own customized hardware debugging tool.

At this point we can arrive at another obvious conclusion: the NFC air interface is observable and analyzable with generally available tools. With relative ease an attacker can sniff the air interface and extract the information exchanged between reader and tag. This corroborates our first conclusion from the previous part: the NFC air interface must always be considered part of the unsecure region.

Is the previous statement conclusive enough to drive a decision not to integrate NFC technologies for wireless communications?

Do you find SciLab or MatLab useful for testing your data processing algorithms before going into hardware and software implementations?

What other uses do you see for the possibility of downloading the digitized signal from the DSO?

7 comments on “Looking Inside NFC Security: Eavesdropping Attack, Part 2c”

  1. Sachin
    May 7, 2014

    I think in many parts of Europe and Asia, NFC is becoming popular and it is being seen as the next big thing in the payment and data transfer fields. Like any other technological invention, we have to admit the fact that it has some disadvantages when it comes to security matters. It is true it involves a close range data transfer process between devices but this does not guarantee a complete protection. In case you are using this app on your Smartphone, then you should be careful on your security.

  2. Scott_B
    May 8, 2014

    Are you telling me that banks would not encrypt the credit card transaction going over the NFC air interface? The Smart cards are encrypted.

  3. ippisl
    May 9, 2014

    How can we talk about attacks, when we haven't yet talked about the cryptography, which is supposed to be the part that defends from them?

  4. Victor Lorenzo
    May 9, 2014

    @SanchinEE >> It is true it involves a close range data transfer process between devices but this does not guarantee a complete protection.

    That's true, as mentioned in the post, some authors claim they have succeeded in intercepting the NFC signals from a relatively long distance.

    It is for this reason that I insist that we should always consider the RF air interface as part of the unsecure region.

  5. Victor Lorenzo
    May 9, 2014

    @Scott_B >> Are you telling me that banks would not encrypt the credit card transaction going over the NFC air interface? 

    No, I simply point out one of several reasons that mandates the need to go into securing the communication channel. I will cover that on the third part of the series.

  6. Victor Lorenzo
    May 9, 2014

    @Scott_B >> The Smart cards are encrypted.

    Some smartcards use encrypted communications while some others use plain text. Of course, using plain text like in some relatively old memory cards (SLE4443) is a really bad idea and definitely a bad choice.

    Some cards like Mifare Classic do not warrant communication secrecy though using encrypted communications. Some other more robust cards like DESFire EV2 and Cipurse V2 use stronger security strategies and make it virtually impossible to decrypt the communication channel.

  7. Victor Lorenzo
    May 9, 2014

    @ippisl >> How can we talk about attacks, when we haven't yet talked about the cryptography, which is supposed to be the part that defends from them?

    It could be a matter of who came first, the attack or the countermeasure (like chickens and eggs).

    While designing the system we have to foresee what security threats we are to be facing.

    Using communication channel encryption we are able to reduce the attack surface against eavesdropping attacks. It will be covered in the third part of the series.
