Looking Inside NFC Security: Eavesdropping Attack, Part 3

In previous parts of this series I covered one attack that compromises security in NFC/RFID enabled devices. The same techniques can be applied to obtain information from other wired and wireless communication interfaces. In cases like Ethernet, WiFi, ZigBee, and Bluetooth it is even easier to accomplish with standard and low-cost hardware running on readily available security evaluation Linux distributions.

When dealing with communications security it is important to pay special attention to all kinds of vulnerabilities, especially when creating devices for a globally connected IoT world. It is a good strategy to assume that all physically accessible communication interfaces are exposed to Data Interception and Data Corruption/Manipulation attacks. Even the processor memory could get exposed when using the appropriate set of tools. It is mandatory for a secure system to implement at least one additional layer of security on top of the communication interface. This particularly holds true for payment applications involving RFID/NFC communications.

For adding robustness against these kinds of security threats it is necessary to accomplish these main goals:

  • Ensure the authenticity of the device at the other end of the channel. Multi-pass mutual authentication procedures are used for proving that both devices are in possession of the same secret key. True random generators, secure memory storage, and strong encryption algorithms play key roles in this procedure.
  • Exchange sensitive information using encrypted messages. There are several symmetrical and asymmetrical data encryption methods, algorithms, and standards in use today for securing smartcards, RFID, and NFC communications. Some, like AES and RSA, provide very high levels of security. DES and 3DES proved vulnerable to several types of attacks.
  • Check the authenticity and integrity of exchanged messages. Man in the middle (MITM) attacks focus on intercepting and modifying the exchanged messages. Using an encrypted messages scheme does not fully protect the system against these kinds of attacks. Exchanged messages can still be altered, stored, and replayed by an attacker. It is necessary to implement additional checks to detect it and act accordingly. Messages signing, cyclic redundancy codes (CRC), messages indexing, and variable channel encryption keys can improve security against MITM attacks.

The following are not as obvious as the above.

  • Use one-time keys or at least keys valid for only one session, obtained using random number generators and diversified keys.
  • Use diversified keys for each device. If an attacker somehow obtains this key it will not compromise the whole system.
  • Master keys should never be used globally and should never leave the secure area (e.g., one SAM module or one HSM). The rationale: If an attacker can read the memory by any means he/she could obtain the keys.
  • Code defensively, making extensive use of static and dynamic code analyzing tools when writing the firmware code.
  • Be humble and consider very seriously that communications security has always been a strategic research area with many talented teams and individuals working on it. Most real hackers and security analysts are highly skilled and, depending on the target system, highly motivated.
  • Test your product to comply with the highest applicable standards.
  • More things to add to this list? That’s for sure. Give it a try and send us some more.

RFID/NFC interfaces can be used as a proximity wireless communications enabling technology. It is up to the designer to implement the most appropriate security scheme.

For those interested on RFID/smartcards security I would recommend reading about how MIFARE Classic’s security was cracked and the vulnerabilities that made it possible and how the MIFARE DESFire D40 security was compromised using DPA attacks. Reading about the security concepts applied in the design of MIFARE DESFire EV2 and Cirpurse Version 2 provides valuable and interesting information.

38 comments on “Looking Inside NFC Security: Eavesdropping Attack, Part 3

  1. amrutah
    June 30, 2014

    @Victor: “Ensure the authenticity of the device at the other end of the channel.”

       Generating the OTP and send to another user's device before executing message transaction between the 2 ends.  Does this not help to ensure the authenticity?

  2. amrutah
    June 30, 2014

    Victor: Even if we use another layer of security by adding a hardware key or another code (in combination with the RFID device), may not help as the second step is again has to go through the same channel.  What do you say about this?

  3. Netcrawl
    June 30, 2014

    The fact is NFC is just a platform for establishing communication between to two devices and NFC doesn't come loaded with built-in hardware-driven security systems. NFC is still growing, and most of its creators are very much aware of the ton of security issues involved. Its not just hardware of software things, I think its much deeper, hacking is about taking anything that's available to individual who is looking to take that things, whether's its technology or whatever. And they're pretty smart in looking for weakness and openings. 

    But I think it's range could serves as a safeguard against eavesdropping. In order to grab signal or tap signals, hackers would need to accomplish few critical things here. First they need to be closed enough to get on board. But even if the hackers was close enough he still some good lucks and timing, NFC is very sensitive, so sensitive, in fact that if we turn our smartphone slightly it could be able to read a smart tag. And If he want to grab a signal then he need to maneuver a hacking device's antenna into a precisely position.    


  4. Netcrawl
    June 30, 2014

    @amrutah, NFC does not guaranteed total protection against eavesdropping or data modifications, establihsing a secure channel between the two devices are clearly the best solution here to protect against eavesdropping and enhance the protection of NFC against man-in-the-middle-attacks.

    Standard key aggeement protocol such as Diffie-Hellman based on RSA could be applied to secure shared communication between two devices, this one is good enough, it could provide integrity and authenticity of the transmitted data.   

  5. yalanand
    June 30, 2014

    NFC does not guaranteed total protection against eavesdropping 

    Can RF signal for the wireless data transfer can be picked up with other antennas ? What is the distance from which an attacker is able to eavesdrop the RF signal ?

  6. Netcrawl
    June 30, 2014

    @Yalanand, You mean how close the attackers to be in able to get a clear shot? or to grab a signals, I think there's no precise answer to your questions, the reasons for that is the huge number of parameters that need to be considered.

    1. Characteristics of hacker's antenna.

    2. Quality of hacker's receiver.

    3. Quality of hackers RF signal decoder sent out by NFc devices.

    4. RF filed characteristics( antenna geometry and many more.)

    5. And last setup of the location where an attack is performed.

    And then there's more, eavesdropping could be affected by the communication mode (active and passive mode) That's because, based on communication mode, transferred data is coded and modulated diffferently which mean that data transferred with stronger modulation can be eavesdropped easily. And a passive device that does not generate its own RF field, is much harder to eavesdrop or tap than an active device.  

  7. yalanand
    June 30, 2014

    @Netcrawl, thanks a lot for the detailed reply. That answers most of my questions. Are there any tools installed on NFC devices whiwch warns the owner if some person is trying to intrude into the system ?

  8. yalanand
    June 30, 2014

    @Netcrawl can you share some more info on Standard key aggeement protocol such as Diffie-Hellman ?

  9. samicksha
    July 1, 2014

    Its lot more dangerous when you know that a criminal can listen you on NFC transaction, i guess there should be dedicated range for NFC or secure channel which can help devices to share signals in close loop restricting unwanted intervention.

  10. Victor Lorenzo
    July 1, 2014

    @amrutah >> “Generating the OTP and send to another user's device(…)

    If OTP means One Time Password , it is really a bad idea to send passwords over unsecured channels. It is in fact a bad idea to send passwords by any means.

    One way to check for the authenticity could be encrypting one pre-established message at peer 1 and send it to peer 2. If peer 2 decodes the packet and the message does not match the expected content it could conclude that peer 1 does not use the same encryption algorithm or key.

    But this is also a very bad practice. If by any mean an attacker guesses what the plain authenticity check text is, obtaining the key is just a matter of brut forcing and time.

  11. Victor Lorenzo
    July 1, 2014

    @amrutah>> “hardware key(..)

    The term “Hardware key” could have many meanings in this context.

    The objective is to arrive to a point where all messages traveling the unsecure physical link are encrypted before transmission and decrypted after reception. This encryptio/decryption process must be carried out by a sub-system (SAM module, HSM, etc.) capable of holding the secret keys in a secured memory area. This memory area should be out of reach for any atacker. Several manufacturers provide secure CPUs with support for this functionality.

  12. Victor Lorenzo
    July 1, 2014

    @Netcrawl>> “But I think it's range could serves as a safeguard against eavesdropping

    Well, a little bit of googling could lead to some very interesting notes about this subject. Some authors claim they have been able to successfully receive and decode NFC transaction signals from as far as 5meters.

    Using open source hardware some hackers claim they have been able to step into a bus and unadventedly steal information from several unaware passengers.

    How was it possible? Exploiting security bugs and design flaws in the smartcard security design and implementation.

    Distance reduces the surface attack but does not improve security in the case of NFC.

  13. Victor Lorenzo
    July 1, 2014

    @Netcrawl> “key aggeement protocol such as Diffie-Hellman

    For mid/low cost NFC devices (tags) this algorithm is not very practical and it is also sensitive to man in the middle attacks.

  14. Victor Lorenzo
    July 1, 2014

    @yanaland>> “Can RF signal for the wireless data transfer can be picked up with other antennas?

    Yes, it is possible by using very sensitive antennas and receivers. Some times the PCB and the reader antenna produce far field emissions too.

    What is the distance from which an attacker is able to eavesdrop the RF signal ? ” It depends on several factors like the NFC devices which are implied in the communication, the distance between them, the usage or not of adaptive reader RF porwer and the interceptor's setup. It reaches from several centimeters to some meters with very specialized and sensitive devices.

  15. Victor Lorenzo
    July 1, 2014

    Netcrawl >> “a passive device that does not generate its own RF field, is much harder to eavesdrop or tap than an active device

    I agree with you on that. The load modulated signal is much more harder to receive and decode due to it's very low signal to noise ratio.

  16. Victor Lorenzo
    July 1, 2014

    @yanaland >> “Are there any tools installed on NFC devices whiwch warns the owner if some person is trying to intrude into the system ?

    Not to my knowledge, but as a standard feature, access control systems and automatic fare collection systems must implement algorithms and procedures to detect intrussion attemps. Most systems log this information and some produce fraud attemp reports for the supervising authorities. It always depends on system design.

  17. Victor Lorenzo
    July 1, 2014

    @samicksha>> “(…)which can help devices to share signals in close loop restricting unwanted intervention

    In the case of ISO7816 based cards many readers take the card in and close the front “door” for ensuring no intruder will be able to sniff into the Data I/O line and eavesdrop into the transaction. But it makes no sense to do it with NFC devices.

    What at the end makes the channel “secure” is the use of strong encryption algorithms for exchanging all information in the form of encrypted messages.

  18. Netcrawl
    July 1, 2014

    @yalanand, Public key cryptography such as Elliptive Curve Diffie-Hellman, is used to establish shared secrets between two devices, the security parameters is 192 bit this does not protect you against man-in-the-middle-attack. 

  19. Netcrawl
    July 1, 2014

    @yalanand I believe we still don't have that kind of technology, it requires high level of sophistication, which I believe we don't have. 

  20. eafpres
    July 2, 2014

    @Victor–thank you for this entire series.  I appreciate the matter of fact, direct presentation of the basics of how it could be done, proof of concept, and mitigation.

    I think many commenters have been distracted by the idea of link distance affecting the security; you have patiently told several that that does not work.  More or less without invoking any particular standard, your comments, techniques, and conclusions apply almost verbatim to many situations.

    For me a main point here is that you have to think about security early and often–it is a mindset.

  21. eafpres
    July 2, 2014

    The topic of smart metering has been raised a few times in the comments to various parts of this series.  What I have seen is that the chip companies are integrating cryptographic cpus directly into a SoC or module.  However, I think that many or most of these are targeted to protect communication over a wired interface, like power line communications.  In the cases where the power company doesn't directly communicate with the meter, and insteas there are meter readers (people) in use, many of these systems are some sort of short-range wireless, although some are WAN technologies (like cellular).  The point here is that some choices of the communication system design affect the security and thus must be taken into account.  In my area, many meters are equipped with some sort of short range wireless interface–not NFC, but possibly Zigbee etc.  The power company has people driving around with automatic equipment polling the meters.  Such an approach obviously provides an attack cross-section.

  22. eafpres
    July 2, 2014

    I think that some people don't see security as much of an issue with electric power meters and/or gas meters.  For decades anyone could walk to the mater, outside the house, and read it.  However, if someone could get a continuous data stream, it would be possible by usage analysis to understand if a house was un-occupied.  This information could be used for criminal purposes.

  23. eafpres
    July 2, 2014

    Victor–I really appreciate the checklist.  I think it is good advice for many communnication-security applications.  Thanks for sharing this valuable knowledge.

  24. Victor Lorenzo
    July 2, 2014

    @Netcrawl, @yanaland, there are several readily available products that could be considered 'hardware keys'. Some simply act like secure keys storage, protected by kind of a master key/PIN (entered using a secure Pid-Pad or a keyboard) and others implement all the security provider functions.

    SAM modules are one example of the later and you can find them also in the form of security tokens (serial/USB/etc) and even IC's for direct integration in PCB. Master and diversified keys are stored in SAM modules under highly secured and controlled environments and never, by no means, come out of the SAM module. The module is implemented using a secure processor. MAXIM and INFINEON, amongst others, are well known secure processors manufacturers.


  25. Victor Lorenzo
    July 2, 2014

    @Blane, I appreciate your comments about the series and the topics covered, I make it extensive to all colleagues who also spend their time in reading and sharing very useful thoughts with all of us.

    I agree with you in that “a main point here is that you have to think about security early and often–it is a mindset “. We many times overlook the importance of properly securing the system and end up with unsafe, unstable and unreliable systems. Security should be considered from a much wider point fo view, it goes beyond just protecting some sensitive information.

  26. Victor Lorenzo
    July 2, 2014

    @Blane, at present most SoC and CPU manufacturers include cryptographic accelerators in their products for securing communications and that's a good thing from my point of view.

    One could think that “many or most of these are targeted to protect communication over a wired interface, like power line communications ” after reading the use cases exposed in the datasheets, manuals and application notes; but in practice these crypto accelerators, random number generators, etc. are the same building blocks we need for securing our wireless communications. It's just a matter of selecting the most appropriated comm protocol and security scheme. Well, I think the word 'just' should be removed from previous phrase as selecting the most appropriated comm protocol and security scheme are probably more complex than most meter measuring functions.


  27. Victor Lorenzo
    July 2, 2014

    @Blane, ZigBee is in use in some devices but, in my oppinion, it is too expensive and it protocol is too complex to implement (consumes a lot of flash). Most devices I've seen use sub-GHz interfaces in the ISM band. Unfortunately there is still a lot of work to do in standardization.

    I found very interesting FlexNet.

  28. Victor Lorenzo
    July 2, 2014

    @Blane, we have been exchanging comments about house occupation monitoring for criminal purposes before and I agree with you. Having a smart meter emitting periodical messages about in-house consumptions provides criminals with a very useful tool for their purposes.

    On the other side, made by good guys like us ;-), there are several patient and old persons tele-care systems based on using information coming from in-house consumptions (gas, electricity, water, etc).


  29. samicksha
    July 2, 2014

    I do understand and agree your point completely but from user point of view one problem i see is no trusted I/O between user and card.

  30. Victor Lorenzo
    July 2, 2014

    @samicksha, it is always important and useful to take into account the user's point of view and usage experience. Could you please expand a little bit about “from user point of view one problem i see is no trusted I/O between user and card “?

  31. Netcrawl
    July 2, 2014

    @Victor I agree with you, and also Zigbee's complexity and power requirements do not make it suitable for any unmaintained devices that need to operate for long periods from a limited power sources, its not a frequency hopping technology so its require careful planning during deployment to ensure that there is no intefering signals in that area. 

  32. Victor Lorenzo
    July 7, 2014

    In their post titled “Hacking into Internet Connected Light Bulbs “, Context Information Security presents a description on the procedure they followed for breaking the security included in the LIFX light bulb.

    For those interested on the subject it could be an interesting reading as it gives clear clues about another practical type of attack: reverse engineering.

  33. amrutah
    July 8, 2014

    @Victor: “The term “Hardware key” could have many meanings in this context.”

       What I meant here is,  Can we have any hardwired chip or button that we can place so that the card is active only in conjunction with it.  Say we have a NFC card which for most purposes is dead until we get this hardwired button like sturcture (my imagination :P)?  Could this add extra security? could this device add extra encryption for communication?

  34. amrutah
    July 8, 2014

    @yalanand: I don't know if there exists something like this, but I like the idea that, if there is something that tells me, somebody has intruded my secured zone.

       But on a second note, how difficult would it be to a hacker to erase the flag when he has the control of our system.  I think the only way possible is to improve the security so that nobody inturdes.

  35. Victor Lorenzo
    July 10, 2014

    @amruttah, there are several solutions for securing the communication like chips, tokens, modules (SAM) and even PC and stand-alone systems (HSM), but these are all connected at the reader side. All security features you need from the card's side is inside the card's/tag silicon die.

    If you implement card emulation you can benefit from features included in several secure CPUs readily available in the market and also from the ones mentioned above.

    For avoiding card reads from an attacker (someone passing by with a cards reading/hacking system) you can use shielding plastic covers which are also available in the market.

  36. Victor Lorenzo
    July 10, 2014

    @yanaland >> “Are there any tools installed on NFC devices whiwch warns the owner if some person is trying to intrude into the system ?

    There are several techniques which are used for detecting that someone is breaking into the system. It would be too long to enumerate and describe on a comment.

    Some are implemented at silicon level, like adding several metal interconnect layers to obfuscate connections if reverse engineering and decaping is used, light detectors, pressure detectors, controlled interconnects impedance to detect tampering and several more. On the software side, time of response is used to detect MITM and fake cards attacks.

    Some systems like most HSM, some SAM modules and many secure CPUs provide key features for autoerasing the device in case of tamper detection.

  37. Victor Lorenzo
    July 10, 2014

    @amrutah, in this case the system designer has to evaluate the points where physical security countermeasures are required and make efforts to create physical barriers (case, housing, etc.) and provide them with all required tamper/intruder detection sensors (light, pressure, switch, etc).

  38. Netcrawl
    July 11, 2014

    @Victor it could be a system for monitoring of secure application execution, this include an NFC modem for communicating transaction of secure contactless transaction with an NFC reader. And a secure controller for monitoring state transitions and a mobile host. 

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.