Mobile Pwn2Own 2014, a contest focused on finding vulnerabilities in the latest generation of mobile phones, saw five top-of-the-range smartphones compromised. Different techniques were used, and NFC was the vector used to break into the Samsung Galaxy S5 and the LG Nexus 5 and take control of the device.
It is not the first time NFC has made security headlines. Not long ago a flaw in Visa contactless cards allowed charges of up to 999,999.99 in a foreign currency without any further authorisation. Visa's technicians stated that exploitation was very unlikely, playing down the importance of the flaw.
Since this technology keeps turning up in security incidents, and is more present in everyday life by the day, we will try to explain its fundamentals.
Physical fundamentals of the Near Field.
NFC stands for Near Field Communication. Here "Near Field" does not strictly refer to the physical distance to the antenna, but to a region of the antenna's radiation field known as the Reactive Near Field.
Let D be the electromagnetic length of the antenna and λ the wavelength of the signal (NFC operates at 13.56 MHz, so λ is about 22 m). The distance r up to which the field can be considered Near Field depends on λ and D (where D is the electromagnetic, not the physical, length of the antenna) and can be calculated with the formula below.
When an antenna radiates in the Near Field, the two antennas of the elements that want to communicate couple by magnetic induction (as opposed to the radiated transmission that takes place in the Far Field).
Illustration 1: Propagation regions
Where’s the antenna?
There are several techniques for incorporating NFC into devices. As the antennas needed are flat and circular, they can be made of copper or aluminium; aluminium is the most used because it is cheaper, even though its electromagnetic characteristics are worse. In credit and debit cards the antenna is embedded in the card body and is only visible under X-ray. Antennas can also be printed onto the NFC device with a special conductive ink.
In some mobiles the NFC antenna is placed inside the battery housing, so it is not visible, while in others it is on the back cover, where both the antenna and its connectors can be seen. The image below shows the NFC antenna of a Samsung Nexus S; both the connectors and the antenna can be identified.
Illustration 2: NFC antenna in a mobile housing.
The following image shows the antenna integrated in the battery of a Galaxy Nexus:
Illustration 3: Antenna integrated in the battery of a Galaxy Nexus (via ifixit)
Operating modes and working distance.
This technology has two operating modes. In the first, called passive mode, the antenna of the active element (usually a card reader or a mobile phone) generates a changing magnetic field that induces an electric current in the passive element (usually a card or an NFC tag). The passive element uses that current to power itself and replies by modulating the load it presents to the field (load modulation), which the active element detects and decodes as data. This is the mode used when paying with an NFC credit card.
NFC can also be used to transmit information between two active elements, usually two mobile phones. In this mode, called active mode, each device generates its own field while it transmits and switches it off while listening; the initiator does not need to power the other device, only to be detected by it, since the other element has its own power source. Mobile payments, by contrast, do not use this mode: the phone emulates a card (card emulation) and behaves as the passive element towards the terminal.
NFC (like any other RFID technology) relies on the magnetic induction of the near field. The working distance is therefore limited to the near field region, which depends on:
the electromagnetic size of the antenna, D, bounded by its physical size (although not directly proportional to it);
the electromagnetic coupling between the antennas, since magnetic induction depends on the alignment between emitter and receiver.
Taking into account the signals used in NFC and the size of the antennas, the working distance is limited to about 20 cm in theory and 10 cm (or less) in practice. Beyond that, the induced current is too weak to power the passive element, so passive mode cannot be established.
The first security measure of passive NFC devices such as credit and debit cards is therefore mostly physical, thanks to the need for the near field to transmit information. Despite this distance limitation, attacks that do not require stealing the card are possible. One of them is card cloning, as shown in “Cloning Credit Cards: A Combined Pre-play and Downgrade Attack on EMV Contactless”, presented at the 2013 Workshop on Offensive Technologies (WOOT).
Another attack vector is the relay attack, in which other communication means are used to extend the transmission distance. In NFC, for example, two Android phones can be used to make remote payments between an NFC card and an NFC payment terminal: one phone reads the card wherever it is, the other presents itself to the terminal, and the commands and responses are forwarded between them over a network link.
These attacks, documented in articles such as “NFC Relay attacks with Android mobile devices” or “Practical Relay Attack on Contactless Transactions by Using NFC Mobile Phones”, come with proofs of concept. The articles also propose additional security measures, such as checking the GPS or mobile cell position, but these can only be applied when mobile phones are used as the payment instrument.
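To make the relay mechanics concrete, here is an added example, constructed for this article and not code from the cited papers or the original post. It models the card, the terminal and the phone-to-phone link in a single process with a simulated clock so it runs offline. The issuer key, the two-command protocol, the PAN and the 40 ms one-way network latency are all assumptions. Beyond the papers' proof of concept it also shows one countermeasure that does not require the phone to be the payment instrument: the terminal bounding the round-trip time of each command.

```python
"""Relay attack on a contactless transaction, modelled in-process (constructed example)."""
import hmac
import hashlib

ISSUER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key shared by card and verifier
SW_OK = b"\x90\x00"                                              # ISO 7816 "success" status word


class Clock:
    """Simulated microsecond clock shared by every element in the scenario."""

    def __init__(self):
        self.now_us = 0

    def advance(self, us):
        self.now_us += us


class Card:
    """Passive element: powered by the reader's field, it answers one command at a time."""

    def __init__(self, clock, pan, processing_us=3000):
        self.clock, self.pan, self.processing_us = clock, pan.encode(), processing_us

    def transceive(self, cmd):
        self.clock.advance(self.processing_us)
        if cmd == b"SELECT":
            return self.pan + SW_OK
        if cmd.startswith(b"GENAC:"):
            # Cryptogram over PAN and amount under the issuer key: only the genuine card can produce it,
            # which is exactly why forwarding it verbatim is enough for the attacker.
            amount = cmd[len(b"GENAC:"):]
            mac = hmac.new(ISSUER_KEY, self.pan + amount, hashlib.sha256).digest()[:8]
            return mac + SW_OK
        return b"\x6d\x00"  # ISO 7816: instruction code not supported


class RelayLink:
    """The two relay phones and the network between them: the terminal-side phone receives each
    command over NFC, sends it to the phone next to the card, and returns whatever comes back."""

    def __init__(self, clock, card, one_way_us):
        self.clock, self.card, self.one_way_us = clock, card, one_way_us

    def transceive(self, cmd):
        self.clock.advance(self.one_way_us)   # command travels to the card-side phone
        resp = self.card.transceive(cmd)
        self.clock.advance(self.one_way_us)   # response travels back to the terminal side
        return resp


class Terminal:
    """Active element. With max_rtt_us set it also declines when a response arrives too late."""

    def __init__(self, clock, max_rtt_us=None):
        self.clock, self.max_rtt_us = clock, max_rtt_us

    def _exchange(self, channel, cmd):
        t0 = self.clock.now_us
        resp = channel.transceive(cmd)
        rtt = self.clock.now_us - t0
        if self.max_rtt_us is not None and rtt > self.max_rtt_us:
            raise TimeoutError("round-trip %d us exceeds %d us" % (rtt, self.max_rtt_us))
        return resp

    def transact(self, channel, amount_cents):
        amount = str(amount_cents).encode()
        try:
            resp = self._exchange(channel, b"SELECT")
            if not resp.endswith(SW_OK):
                return "DECLINED: select failed"
            pan = resp[:-2]
            resp = self._exchange(channel, b"GENAC:" + amount)
        except TimeoutError as exc:
            return "DECLINED: " + str(exc)
        # The issuer normally verifies the cryptogram online; it is done here to keep the model self-contained.
        expected = hmac.new(ISSUER_KEY, pan + amount, hashlib.sha256).digest()[:8]
        if not resp.endswith(SW_OK) or not hmac.compare_digest(resp[:-2], expected):
            return "DECLINED: bad cryptogram"
        return "APPROVED"


def run(relayed, max_rtt_us=None, link_one_way_us=40000):
    """One 15.00 EUR purchase, directly or through the relay (40 ms each way is an assumed mobile-data latency)."""
    clock = Clock()
    card = Card(clock, pan="4000123456789010")  # constructed PAN
    channel = RelayLink(clock, card, link_one_way_us) if relayed else card
    return Terminal(clock, max_rtt_us).transact(channel, 1500)


if __name__ == "__main__":
    print("direct,  cryptogram only:", run(relayed=False))
    print("relayed, cryptogram only:", run(relayed=True))
    print("relayed, 10 ms RTT bound:", run(relayed=True, max_rtt_us=10000))
    print("direct,  10 ms RTT bound:", run(relayed=False, max_rtt_us=10000))
```

The relayed purchase is approved when the terminal only checks the cryptogram, because the cryptogram really does come from the genuine card; it is only declined once the round-trip bound is enforced. That bound is hard to tune in practice: ISO/IEC 14443 lets a card ask for waiting-time extensions, which a relay can use to hide its latency, so timing alone is not a reliable defence, and that is why the articles above look at location checks instead.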
Unfortunately for credit card users, the only protection available to them is a physical or electromagnetic barrier. One option is to wrap the card in aluminium foil (or any similar material), forming a Faraday cage that blocks any transmission. Another physical method is to cut or drill through the antenna embedded in the card, but besides being irreversible it is hard to do, as the antenna cannot be seen.
The best security measure for NFC is therefore prevention: do not let people get too close to your wallet, to avoid charges of under 20€, the maximum amount that can be charged without PIN authorisation.
For mobile devices NFC is an entry point, as Mobile Pwn2Own 2014 showed, so if your device supports this technology and you do not normally use it, deactivate NFC in the settings menu.
A real world example…
In León, where INCIBE's headquarters are located, public transport fares are paid with a contactless card that uses NFC technology.
Illustration 5: León public transport card
Using an Android phone (the iPhone supports this technology only for Apple Pay) and an application such as NFC TagInfo or NFC TagInfo by NXP, we can start investigating our NFC cards. The information these apps show depends on the card being examined.
Illustration 6: Information read from the NFC card
In credit card payments the security controls are enforced in the card itself, and it was the card's limited capability that made the Visa flaw possible.
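Since the Visa flaw is mentioned both at the start of this article and here, this added example models the on-card check that went wrong. It is constructed for this article, not Visa's code nor code from the original post, and follows the published analysis of that flaw (Newcastle University, 2014): the card compared the amount with its no-PIN ceiling only when the transaction currency was its own, so a request in any other currency passed without the PIN. The 20€ ceiling is the one quoted above; the currency codes and transactions are made up.

```python
"""Offline no-PIN limit check as a contactless card might implement it (constructed example)."""

NO_PIN_LIMIT_MINOR = 2000   # 20.00 in minor units (cents), the no-PIN ceiling quoted in the article
HOME_CURRENCY = "978"       # ISO 4217 numeric code for EUR, the form EMV uses on the wire

# Constructed transactions: (amount in minor units, ISO 4217 numeric currency code)
TRANSACTIONS = [
    (1500, "978"),        # 15.00 EUR: legitimate low-value purchase
    (2500, "978"),        # 25.00 EUR: above the ceiling, the PIN must be asked
    (99999999, "840"),    # 999,999.99 USD: the case reported against Visa
    (99999999, "999"),    # 999 is ISO 4217 "no currency": must also fail closed
]


def weak_card_check(amount_minor, currency):
    """Flawed logic: the ceiling is enforced only for the home currency, so any
    other currency code, however large the amount, is approved without a PIN."""
    if currency == HOME_CURRENCY and amount_minor > NO_PIN_LIMIT_MINOR:
        return "PIN_REQUIRED"
    return "NO_PIN"


def fixed_card_check(amount_minor, currency):
    """Corrected logic: a card holds no exchange rates, so it cannot judge a foreign
    amount against a euro ceiling. Anything other than a home-currency amount under
    the limit therefore requires cardholder verification (fail closed)."""
    if currency != HOME_CURRENCY:
        return "PIN_REQUIRED"
    if amount_minor > NO_PIN_LIMIT_MINOR:
        return "PIN_REQUIRED"
    return "NO_PIN"


def compare(transactions=TRANSACTIONS):
    """Run every transaction through both versions; returns a list of (tx, weak, fixed)."""
    return [(tx, weak_card_check(*tx), fixed_card_check(*tx)) for tx in transactions]


if __name__ == "__main__":
    for (amount, currency), weak, fixed in compare():
        print("%12d %s  weak=%-12s fixed=%s" % (amount, currency, weak, fixed))
```

The weak version approves the 999,999.99 USD request without a PIN while correctly asking for it on a 25€ purchase, which is why the flaw was easy to miss in domestic testing. The fix is not to add exchange rates to the card but to treat every input the card cannot evaluate as requiring verification.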