Before discussing the security of Near Field Communication (NFC), a solid foundation is needed on what NFC actually is, how it works and what its most popular applications are today.
In short, the standard lets NFC-enabled devices communicate with each other over a radio link, at a distance of no more than about 10 cm, in order to perform a particular action. Typical applications range from contactless payments to tapping a tag that configures a wireless network on a smartphone, sparing the user the manual setup steps.
The standard itself is not new, although it has recently been promoted as a new feature of some high-end smartphones and tablets, as a way of simplifying the interconnection of two or more devices. Sending commands to the phone to turn Bluetooth on or off, enable or disable Wi-Fi, or control any other subsystem of the phone's OS is one of many possibilities. In the "capable" hands of attackers this protocol becomes a very interesting field to operate in, especially since all documentation of how it works is freely available and the protocol itself does not use any encryption. The whole security of the standard rests on the short operating distance between the devices, which may well prove not to be safe enough.
NFC history and foundation
The standard originates from a mixture of already established standards: Radio-Frequency Identification (RFID), ISO/IEC 14443 (which is used in most of today's contactless identification cards), ISO/IEC 18092, and the specifications of the NFC Forum, which was formed by Nokia, Philips and Sony in 2004.
NFC operates on a carrier frequency of 13.56 MHz. How that carrier is modulated depends on which of two modes the device is in, Active or Passive. In Active mode the device generates an RF field of its own and is considered the Initiator of the connection. In Passive mode the device is in listening mode, is called the Target, and generates no field of its own: it responds by drawing on and modulating the field produced by the Initiator.
In Active mode the data is sent using a digital modulation called Amplitude Shift Keying (ASK): the amplitude of the 13.56 MHz carrier is keyed according to a coding scheme. Which coding scheme is used depends on the baud rate. At 106 kBaud the so-called modified Miller coding is used; at baud rates above 106 kBaud the Manchester coding is used. The two schemes differ in some details, but in both the bits are transmitted in fixed time slots, and each time slot is divided into two halves called half bits.
In the basic Miller scheme a zero is encoded as a pause in the first half bit and no pause in the second, and a one as the opposite: no pause in the first half bit and a pause in the second. The modified version adds a rule for zeros. If a 1 is followed by a 0, the plain scheme would put a pause in the second half bit of the 1 and another pause in the first half bit of the 0, i.e. two adjacent half bits with a pause. Modified Miller avoids this by encoding a 0 that directly follows a 1 with no pause in either half bit.
The Manchester scheme is similar in spirit: a bit is again made of two half bits, but there is no short pause within a half bit; instead a whole half bit is either a pause or modulated, and no rule depends on the preceding bit. How deep the modulation is depends on the baud rate: at 106 kBaud 100% modulation is used (the carrier is switched off completely during a pause), while above 106 kBaud 10% modulation is used (the amplitude is only lowered slightly). In Passive mode the transmission is always Manchester coded with 10% modulation. Which frequency is modulated also depends on the baud rate.
In Passive mode at 106 kBaud a subcarrier is modulated to carry the data; at the higher rates the 13.56 MHz carrier itself is modulated. We have already discussed the distinction between an Active transmitter and a Passive receiver, but in addition there are two roles a device can play. The whole NFC protocol is based on a message-and-reply concept, as in the following example:
Device X ------ send message -----> Device Y
Device Y ------ reply message ----->Device X
The important thing to know is that Device Y can never send a reply to Device X without an initiating message from Device X. Device X is called the initiator and Device Y the target. The initiator can send a message to more than one target, but it must first select the targets it wants to address; targets not included in the initiating message are not activated.
Applications of NFC
The applications of this protocol are vast and it is hard to grasp the whole picture. The most common applications of NFC are the following.
Contactless Token
This covers all applications that use NFC as an interface to read data from a passive token, such as a smart card, an RFID label, or a tag embedded in some electronic device. The data is stored on the passive token and read by an active NFC device. A typical example is an NFC label that stores a URL leading to the website of a shop or brand. Another example is NFC used as a helper for setting up a wireless connection: all the data needed to configure the connection is stored on the passive token, and when an active device such as a smartphone is brought into range, the wireless network is configured and joined on the smartphone automatically. This allows seamless connection to a wireless network without the user ever knowing its details.
Payment/Proof of payment
In this application NFC is the interface used to transfer information of value. For example, you buy a movie ticket online on your smartphone and the ticket data is stored on the phone. Later the phone acts as a passive device and transfers the data to an active reader at the cinema counter as proof of purchase, assuming the cinema supports NFC proof of payment.
Lately there has been a surge of software development in the smartphone world, in particular for software that allows on-site payment. The typical application on Android phones is Google Wallet, while Apple is still somewhat sceptical about adopting the protocol. Google Wallet is simple to use: you enter your credit card or bank account details into the phone, which stores them encrypted. In a store with NFC-enabled payment you open the application, enter your Personal Identification Number (PIN), tap the phone on the terminal, and the payment is made.
Device Pairing
Here NFC is mostly used as a mediator interface. Because of the protocol's low transfer rate, transferring larger files over it is not feasible. A typical example is two devices that need to establish a Bluetooth connection: they are brought close together and the NFC exchange carries the hardware addresses and the pairing code needed to initiate the pairing seamlessly. This saves the user from navigating through menus and entering pairing codes by hand.
Security threats
When the security of NFC is discussed, a wide variety of opinions can be found, because the protocol does not encrypt the transmitted data and relies mostly on the short operating distance for its protection. Below we discuss both points of view, the one that holds that it is not secure enough and the one that holds that its security is very hard to break, and go through the most common security threats.
Sniffing
NFC is a wireless protocol, which means that sniffing is a very real threat. As mentioned above, two devices communicating over NFC use radio-frequency (RF) waves to transmit data, and an attacker can use an antenna to pick up the signal sent by the active device. With the amount of information about radio waves and their properties available on the internet, an attacker can do the research from the comfort of home, and by experimenting with different antennas can find a setup for receiving and decoding the signal even though NFC transmits at low power. We said above that the protocol requires a short distance between the two devices. The real question is how close the attacker has to be to obtain a usable RF signal. There is no single answer, because many factors are involved; a few of the factors that determine the distance are:
the characteristics of the radio built into the NFC devices (antenna size, shielding of the device, operating environment);
the characteristics of the attacker's antenna;
the quality of the receiver and decoder attached to the attacker's antenna;
the environment in which the attack is performed (walls, metal objects and the overall radio noise in the area);
and, last but not least, the transmit power of the emitting NFC device.
These are only some of the factors, and a definitive measurement of the distance is not possible in general; it can only be quantified in a controlled environment. Some researchers have concluded from experiments that about 10 m is the maximum distance at which a sniffing attack can be performed. In real life the conditions are unpredictable and the distance will be a lot less than 10 m, so no general rule about a safe distance can be given. Another important factor is the mode of the sender. Sniffing a sender in Active mode, which generates its own field, is easier than sniffing a sender in Passive mode, which only modulates the field generated by the other device; in Passive mode the range at which the signal can be picked up is limited to about 1 m.
Denial of Service (DoS) attack
Above we discussed the attacker's ability to receive the RF signal of a sending device. Another possible attack is for the attacker to transmit malformed RF signals at the receiving device, either to confuse it or to cause a denial of service, because the receiver cannot separate the "good" RF signal from the "bad" one. The attack is carried out by transmitting in the spectrum NFC uses (around 13.56 MHz) with the correct timing. Because the signal is modulated and coded with the modified Miller and Manchester schemes, the attacker can easily find the correct timing if he knows the modulation and coding schemes, and those are freely documented on the internet.
This attack is not complicated, because the attacker is not interested in the particular data sent over the RF link; the intent is only to cause a denial of service. The attacker does not need any knowledge of the valid data being transmitted.
Data Modification
In this attack the attacker's purpose is to deliver data that the receiving device accepts as valid but that has been manipulated. A typical example: a user with a smartphone is in a store and reads the NFC label of a product; the label instructs the phone to open the URL of the product's web page. If an attacker succeeds in modifying the data, the phone receives an instruction to open a different URL instead of the original, one that hosts malware which infects the device so that it can be exploited later.
The feasibility of this attack depends heavily on the modulation in use, mainly because the decoding differs between 10% and 100% modulation. With 100% modulation the decoder first checks the half bits: a half bit containing a pause means the RF signal is off, and a half bit without a pause means the RF signal is on. To manipulate the data the attacker needs two things. First, to make the decoder read a zero as a one or vice versa, the pause in the modulation has to be filled with carrier; the attacker can add carrier during a pause, but cannot create a pause where the legitimate sender is transmitting carrier. Second, the attacker's RF signal must be in perfect synchronization with the original signal of the legitimate sender, which is almost impossible to achieve. In the rare case of the modified Miller scheme where the signal contains two consecutive 1s, the attacker has the opportunity to change the second of them by filling its second half bit, which should be a pause, with carrier. In the worst case the probability that the modified data is transmitted successfully is 0.5.
With 10% modulation, which goes with the Manchester scheme, the attack is feasible for almost all bits, because of how the modulation works. In Manchester coding with 10% modulation each half bit is sent either at the full signal level or at a reduced level of about 82%. The attacker can overlay a signal so that the reduced level is raised to look like the full level while the full level is made to look like the reduced one, and the decoder then reads the opposite bit.
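As an added example (not code from the original article) the following Python script models, at the level of half bits, the two line codes described in the foundation section and the attacker described in this section. Each bit is two half-bit slots; with 100% ASK a slot is a pause "P" or carrier "C", with 10% ASK a reduced level "L" or the full level "H". The first bit of a frame is coded as if it were preceded by a 0, and the Manchester polarity (1 = full then reduced) is a convention chosen here; both are assumptions. `flippable_bits` then enumerates which bits an attacker can change so that the receiver still decodes a valid stream: one who can only fill pauses with carrier (100% ASK), and one who, as the text describes for 10% ASK, can shift the level in both directions. `jam_all_pauses` is the DoS case from the previous section. The frame is a constructed sample.

```python
# Added example (not from the original article): half-bit model of the
# modified Miller (100 % ASK) and Manchester (10 % ASK) line codes, and of an
# attacker who overlays his own signal on a legitimate sender's.
#
# Assumptions made here, not stated in the text: each bit is two half-bit
# slots; with 100 % ASK a slot is a pause "P" or carrier "C", with 10 % ASK a
# reduced level "L" or the full level "H"; the first bit of a frame is coded
# as if it were preceded by a 0; Manchester polarity is 1 -> (H, L).


def encode_modified_miller(bits):
    """Modified Miller: 1 -> (C, P); 0 -> (P, C), or (C, C) right after a 1."""
    out, prev = [], 0
    for b in bits:
        if b == 1:
            out.append(("C", "P"))
        elif prev == 1:
            out.append(("C", "C"))      # no pause: avoids two adjacent pauses
        else:
            out.append(("P", "C"))
        prev = b
    return out


def decode_modified_miller(halves):
    """Inverse of encode_modified_miller. Returns None for an invalid stream:
    two pauses in a row, a pause-free 0 not preceded by a 1, or no carrier."""
    bits, prev = [], 0
    for h in halves:
        if h == ("C", "P"):
            b = 1
        elif h == ("P", "C") and prev == 0:
            b = 0
        elif h == ("C", "C") and prev == 1:
            b = 0
        else:
            return None
        bits.append(b)
        prev = b
    return bits


def encode_manchester(bits):
    """Manchester: every bit has one full and one reduced half; 1 -> (H, L)."""
    return [("H", "L") if b == 1 else ("L", "H") for b in bits]


def decode_manchester(halves):
    table = {("H", "L"): 1, ("L", "H"): 0}
    if any(h not in table for h in halves):
        return None
    return [table[h] for h in halves]


def flippable_bits(bits, encode, decode, can_change):
    """Indices the attacker can flip so that the receiver still decodes a
    valid stream differing from the original in exactly that bit.
    can_change(orig_half, new_half) models what the overlay can do."""
    original = encode(bits)
    found = []
    for i in range(len(bits)):
        wanted = list(bits)
        wanted[i] ^= 1
        target = encode(wanted)
        reachable = all(o == t or can_change(o, t)
                        for ob, tb in zip(original, target)
                        for o, t in zip(ob, tb))
        if reachable and decode(target) == wanted:
            found.append(i)
    return found


def fill_pause_only(orig, new):
    """100 % ASK: the attacker can add carrier during a pause, never remove it."""
    return orig == "P" and new == "C"


def either_level(orig, new):
    """10 % ASK as described in the text: the overlay can raise the reduced
    level to full and make the full level read as reduced."""
    return True


def jam_all_pauses(halves):
    """Denial of service: transmit carrier during every pause of the sender."""
    return [tuple("C" for _ in h) for h in halves]


SAMPLE_BITS = [1, 1, 1, 0, 1, 0, 0, 1]      # constructed sample frame

if __name__ == "__main__":
    print("modified Miller, flippable:",
          flippable_bits(SAMPLE_BITS, encode_modified_miller,
                         decode_modified_miller, fill_pause_only))
    print("Manchester, flippable:",
          flippable_bits(SAMPLE_BITS, encode_manchester,
                         decode_manchester, either_level))
    print("jammed frame decodes to:",
          decode_modified_miller(jam_all_pauses(encode_modified_miller(SAMPLE_BITS))))
```

On the sample frame the 100% ASK attacker can flip only bit 1, a 1 that is both preceded and followed by a 1: filling its pause turns it into a pause-free 0, and the encoding of the bit after it does not change. Every other position would require creating a pause, or would change how the following 0 has to be encoded, and the receiver would reject the stream. The 10% ASK attacker can flip every bit. Transmitting carrier during every pause yields a stream the decoder rejects outright, which is the denial-of-service case rather than a modification.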
Man in the Middle attack (MITM)
This kind of attack is very common. Its purpose is to convince two parties that they are talking to each other directly while in fact a middleman sits between them, diverting the traffic to the attacker's device, which then forwards it to the intended recipient. The method is illustrated with the following scenario:
Assume Device A is in Active mode and Device B in Passive mode. Device A generates an RF field and sends data to Device B. The attacker, very close to Device A, receives A's signal and at the same time sends malformed packets that cause a temporary DoS on Device B, so that B cannot receive the original transmission from A. Instead of the original transmission, B is meant to receive a transmission from the attacker, either a copy of A's transmission or a modified version of it. For this to work there are now two separate RF fields, one generated by the original sender Device A and one generated by the attacker. As discussed under data modification, aligning the attacker's field with the legitimate one is almost impossible, and the active and passive devices moreover use different coding schemes, so the attack on this device configuration is regarded as practically impossible.
There is another configuration in which both devices are in Active mode. Here the sending device switches its RF field off while waiting for the reply, so the attacker is able to turn on his own field and send data to the devices. The drawback for the attacker is that, regardless of which direction the data is meant to go, both active devices receive the same data; they detect a violation of the protocol and close the connection. So in this configuration too the attack is regarded as impossible, and the general conclusion is that mounting a man-in-the-middle attack in a real-world scenario is infeasible.
Physical security
For this threat we consider a programmable NFC label that can easily be physically swapped for the original one. Smartphones today, especially Android phones, can act on instructions received from a programmable NFC label. NFC labels are increasingly common in stores, internet cafés, train stations, subways and so on. Marketing companies use these labels to advertise their clients, to hand out discount coupons for certain products, or to direct the user's phone to the website of a particular product or brand.
Now imagine an attacker who takes an identical NFC label and programs it to send the phone to a clone of the metro station's website, where malware is waiting to be loaded onto the smartphone so that the attacker can exploit the phone later. He goes to a subway station, removes the original label that sends users' phones to the metro map website, and replaces it with his own. The vast majority of users will not even consider checking the validity of the URL received from the label; they will open the link and infect their smartphone with the malware, suspecting nothing.
Once the malware is installed, and assuming it is written to give the attacker full control over the smartphone, the attacker can remotely access any confidential information on the phone, including bank account numbers, Social Security number, credit card details and passwords, or use the device as a pivot for further attacks on whatever network the phone joins over Wi-Fi.
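The check a reader application could perform instead of blindly opening whatever URL a label delivers, as an added example that is not part of the original article: a parser for the NDEF URI record that an NFC label of this kind carries, followed by an allow-list check on the decoded URL. The record layout and URI identifier codes follow the NFC Forum NDEF and URI Record Type definitions (only the first few identifier codes are included); the two tag contents, the `example-metro.example` host names, the `ALLOWED_HOSTS` set and the helper names are constructed for this example.

```python
# Added example (not from the original article): parse the NDEF URI record
# that an NFC label of this kind carries and check the URL before opening it.
# Record layout and identifier codes follow the NFC Forum NDEF and URI Record
# Type definitions; only the first few identifier codes are listed.  The tag
# contents, host names and allow-list below are constructed for this example.
from urllib.parse import urlsplit

TNF_WELL_KNOWN = 0x01

# URI identifier code -> prefix that the reader prepends (subset).
URI_PREFIXES = {
    0x00: "",
    0x01: "http://www.",
    0x02: "https://www.",
    0x03: "http://",
    0x04: "https://",
    0x05: "tel:",
    0x06: "mailto:",
}


def build_uri_record(code, suffix):
    """Build one short NDEF URI record (MB, ME, SR set; TNF = well-known;
    type "U"). Used only to construct the sample tags below."""
    payload = bytes([code]) + suffix.encode("utf-8")
    if len(payload) > 255:
        raise ValueError("short record payload is limited to 255 bytes")
    header = 0x80 | 0x40 | 0x10 | TNF_WELL_KNOWN
    return bytes([header, 0x01, len(payload)]) + b"U" + payload


def parse_uri_record(data):
    """Return the URI in the first record of an NDEF message.
    Raises ValueError for anything that is not a well-formed URI record,
    including a declared payload length longer than the data present."""
    def need(n):
        if len(data) < n:
            raise ValueError("record truncated")

    need(3)
    header = data[0]
    tnf = header & 0x07
    short_record = bool(header & 0x10)
    has_id = bool(header & 0x08)
    type_len = data[1]
    pos = 2
    if short_record:
        payload_len = data[pos]
        pos += 1
    else:
        need(pos + 4)
        payload_len = int.from_bytes(data[pos:pos + 4], "big")
        pos += 4
    id_len = 0
    if has_id:
        need(pos + 1)
        id_len = data[pos]
        pos += 1
    need(pos + type_len + id_len + payload_len)
    rec_type = data[pos:pos + type_len]
    pos += type_len + id_len              # the optional ID field is skipped
    payload = data[pos:pos + payload_len]
    if tnf != TNF_WELL_KNOWN or rec_type != b"U":
        raise ValueError("not a well-known URI record")
    if not payload:
        raise ValueError("empty URI payload")
    prefix = URI_PREFIXES.get(payload[0])
    if prefix is None:
        raise ValueError("unsupported URI identifier code 0x%02x" % payload[0])
    return prefix + payload[1:].decode("utf-8")


def is_trusted_uri(uri, allowed_hosts):
    """Only https, and only a host that is exactly on the allow-list: a
    lookalike host or a downgrade to plain http is rejected."""
    parts = urlsplit(uri)
    return parts.scheme == "https" and parts.hostname in allowed_hosts


def check_tag(data, allowed_hosts):
    """What a reader app should do before opening anything: decode, then
    decide. Returns (uri, trusted)."""
    uri = parse_uri_record(data)
    return uri, is_trusted_uri(uri, allowed_hosts)


ALLOWED_HOSTS = {"maps.example-metro.example"}                            # constructed
GENUINE_TAG = build_uri_record(0x04, "maps.example-metro.example/lines")  # constructed
ROGUE_TAG = build_uri_record(0x03, "maps.example-rnetro.example/lines")   # lookalike, http

if __name__ == "__main__":
    for name, tag in (("genuine", GENUINE_TAG), ("rogue", ROGUE_TAG)):
        uri, trusted = check_tag(tag, ALLOWED_HOSTS)
        print(f"{name:8s} {uri!r:48s} trusted={trusted}")
```

The genuine tag passes the check. The rogue tag decodes cleanly (it is a perfectly valid record) but is rejected, both because of the lookalike host and because of the plain-http prefix, and a record whose declared payload length exceeds the bytes actually on the tag raises instead of being opened. The allow-list is the piece a phone normally lacks; without it the label is trusted purely on the strength of being physically present.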
Possible solutions for the security threats
Sniffing
We concluded above that sniffing is generally very difficult to perform, but not impossible, especially against devices in Active mode. To prevent sniffing, researchers suggest establishing a secure channel for the NFC communication.
Denial of Service (DoS)
This remains an open issue: an RF field can easily be distorted or jammed by a jamming device in the hands of an attacker. In the long term this may destroy the trust a customer has in a company. For example, if your smartphone always fails when you tap an NFC label to buy a metro ticket, you will lose confidence in the method and may stop using the service partly or completely.
Data Modification
The general conclusion is that modifying data is very difficult while the sending device is in Active mode. The attack can be prevented by having both devices in Active mode, but in Active mode the devices are more exposed to sniffing. Another useful measure is for the devices to continuously monitor the RF field for disturbances and close the link when one is detected; if the attacker disturbs the field all the time this amounts to a denial of service, but it prevents modification. Probably the best solution is a secure channel.
Man in the Middle attack
For this attack the straightforward suggestion is an Active-Passive configuration in which the Active device listens for any disturbance of the RF field and terminates the connection if one is detected.
Physical Security
This is probably the easiest attack and the one with the highest probability of success. The proposed solution is more secure physical placement of the NFC labels and the use of one-time programmable labels, which prevents the attacker from reprogramming a label in place (though not from physically replacing it).