Hacking contactless with homemade antennas: shortcomings of NFC

Written for the E&T Magazine

An improvised setting for intercepting contactless data transmission, the trolley functions as an improvised though efficient antenna (Credits: The University of Surrey)

Imagine the following scenario. It’s 7pm. On your way home from work you have stopped at a local supermarket to buy some food for dinner as you remembered your fridge had been left completely empty.

The supermarket is packed with people – well, what else can you expect during a Wednesday rush hour? You are queuing at the checkout. Just behind you, some geek with thick glasses dressed in a worn-out jacket is pushing his trolley with a six-pack of Coke, some chocolate bars, a couple of chicken sandwiches and a scruffy backpack inside.

You have been waiting in that queue for ages and, as you finally approach the checkout, you contentedly pull your brand new contactless card out of your wallet, happily thinking that with the great Near Field Communication (NFC) technology, your purchase will be dealt with in a heartbeat.

Little do you know that inside that scruffy backpack of the geek behind you is a simple radio receiver, half the size of a shoe box, secretly connected with a piece of wire to the cage of the trolley that serves as an improvised, though highly efficient antenna, capable of intercepting the exchange of data between your pale blue card and the payment terminal.

Well, why should you worry? In your bank, a cute blond clerk told you the Near Field Communication standard for contactless data transmission is perfectly safe as it only works at a very short distance – about 5 centimetres.

You had some doubts though, as you have a background in engineering and know that radio waves, used for contactless transmissions, can theoretically be intercepted at larger distances. But why would you argue with her, when she has such a lovely smile…Besides, NFC only permits small payments…

Unfortunately, as you are waving your contactless card around the reader, the geeky bloke behind you is grinning mischievously – in a couple of minutes he would see on his laptop all the data your card has sent to the terminal.

The experiment

An example of the eavesdropped signal - the good thing is it's thoroughly encrypted.

An eavesdropping technique similar to that described above, targeting devices using the NFC standard, has recently been tested, providing rather disconcerting results. A team of researchers from the Department of Computing of the University of Surrey has shown that NFC data transmission between a card and a reader can be intercepted at a distance of up to 60 centimetres with nearly 100 per cent accuracy.

What is even worse is that to achieve such results, all you need is a loop of wire, a cheap off-the-shelf radio receiver and a laptop equipped with a digital acquisition card.

“In this study, we have proved what researchers have been talking about for some time – that contactless design in itself is by no means a security feature,” said Johann Briffa, the lead researcher of a study published in the latest issue of the Institution of Engineering and Technology’s Journal of Engineering.

“Despite the fact that the NFC standard officially requires about five centimetres, we have managed to receive the same information as the terminal at the distance of 50 to 60 centimetres.”

Although the reliability of the interception decreases with the distance, in the 50 – 60cm range, almost 100 per cent of the eavesdropping attempts performed by the researchers were successful.

The team believes there is a reason to worry. Since 2011, when MasterCard certified its PayPass technology, integrating unpowered NFC chips, or tags, into its first credit and debit cards, millions of NFC enabled cards have been issued worldwide, some 23 million in the UK alone.

And it’s not only the cards: mobile devices such as smartphones or tablets equipped with NFC technology account for 13.32 per cent of worldwide web traffic, and smartphone-based digital wallets linked to users’ bank accounts and relying on NFC data transmission are widely considered the next big thing in finance.

The method

In the past, various teams have proved that listening in on NFC data transmission is possible from a distance of up to 6 metres. However, these teams have mostly used expensive and bulky equipment. And clearly, a one-metre-diameter antenna would be quite difficult to conceal in a worn-out backpack…

The simplicity of the equipment used by the University of Surrey team, together with their rigorous reliability testing, is what makes the results rather significant.

“The novelty of our work was that we have focused on equipment that is portable and inexpensive, and also that we systematically analysed the reliability,” Briffa explains. “We didn’t just check that we can receive the data, we checked how reliably we can receive it, in other words, how often would we receive the correct data without any errors.”

Apart from the shopping trolley, the team worked with various basic antenna designs – a ten-centimetre-long plastic cylinder wrapped with wire, or a simple loop of wire.

In a lab, the researchers set up NFC data transmission according to the ISO 14443 standard – the most common mode for today’s contactless high-street payments – and tried to listen in on the signal with their home-made antennas.

Over the course of the one-day experiment, the receiving antennas were gradually moved further away from the transmitting antenna, up to a distance of 120cm.

The antenna, connected to the receiving circuit, passed the signal through a commonly available off-the-shelf receiver, which amplified and filtered it to make it clearer.

The researchers focused on the uplink data – the data transmitted from the card to the terminal – as it is more likely to contain information useful to an attacker.

The filtered and amplified analogue signal was captured using a desktop-based digital acquisition system.

The idea was that the attacker would capture a number of transmissions and decode them later.
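The reliability figure the team quotes (how often a frame is received with no errors at all) needs an objective per-frame pass/fail test. The following added example, which is not code from the University of Surrey study or from the article, shows one way such a measurement can be scored on already-decoded ISO/IEC 14443-A frames: a frame counts as correctly received only if its trailing CRC_A (the CRC-16 with reflected polynomial 0x8408 and initial value 0x6363 that ISO/IEC 14443-3 appends to every standard frame) validates. The two-byte payload and the injected bit errors are constructed for this example.

```python
"""Frame-level reliability scoring for ISO/IEC 14443-A frames.

Added example, not code from the Surrey study or the article. A received
frame is counted as correct only if its CRC_A trailer validates; the
frame error rate over a capture is then the share of frames that fail.
The sample payload and the injected bit errors are constructed here.
"""


def crc_a(data: bytes) -> int:
    """Return the ISO/IEC 14443-3 CRC_A register value for `data`.

    CRC-16, reflected polynomial 0x8408, initial value 0x6363, no final XOR.
    """
    crc = 0x6363
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0x8408
            else:
                crc >>= 1
    return crc & 0xFFFF


def append_crc_a(payload: bytes) -> bytes:
    """Build a standard frame: payload followed by CRC_A, low byte first."""
    crc = crc_a(payload)
    return payload + bytes([crc & 0xFF, crc >> 8])


def frame_is_intact(frame: bytes) -> bool:
    """True if the frame's trailing CRC_A matches its payload."""
    if len(frame) < 3:
        return False
    payload, trailer = frame[:-2], frame[-2:]
    crc = crc_a(payload)
    return trailer == bytes([crc & 0xFF, crc >> 8])


def frame_error_rate(frames) -> float:
    """Fraction of received frames whose CRC_A does not validate."""
    frames = list(frames)
    if not frames:
        return 0.0
    bad = sum(1 for f in frames if not frame_is_intact(f))
    return bad / len(frames)


def corrupt(frame: bytes, bit: int) -> bytes:
    """Flip one bit of the frame to simulate a reception error."""
    b = bytearray(frame)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)


# Constructed sample capture: a hypothetical 2-byte card response sent ten
# times, with a single-bit error injected into three of the copies.
CLEAN = append_crc_a(bytes.fromhex("0400"))
RECEIVED = [CLEAN] * 7 + [corrupt(CLEAN, 5), corrupt(CLEAN, 17), corrupt(CLEAN, 30)]

if __name__ == "__main__":
    print(f"CRC_A(00 00) register = {crc_a(bytes(2)):#06x}")
    print(f"frame error rate over sample = {frame_error_rate(RECEIVED):.0%}")
```

Because a 16-bit CRC detects every single-bit error, each corrupted copy in the constructed sample is rejected and the error rate comes out at 30 per cent; a real capture would be scored the same way at each antenna distance, which is how a "nearly 100 per cent" reliability figure can be stated rather than guessed.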

What can you do with the data?

So you have the data, but the question remains: what can you really do with it? Or, in other words, what would the geeky hacker from your local supermarket really get out of those hours he spends roaming the aisles and queuing at the checkout with a receiver in his backpack, apart from a headache?

Johann Briffa admits that he and his team don’t know the answer yet, but are determined to find out.

“What we saw was an example of the eavesdropped signal. What this signal contains would depend on the actual transaction taking place and that’s something we are analysing right now,” he says.

Even at this stage, he believes, there are lessons to be learned from the study that might be of interest to companies developing NFC applications and devices.

“I think the most important message that can be taken from our study is that it is important for designers who use this technology to take into account privacy issues, to take into account security issues,” he says.

“It’s important for designers of NFC applications to realise that the short range nature of NFC cannot be used as a security feature. One must take into account that a determined eavesdropper can actually receive the data, so it’s important for these designers to make sure that the protocols that they use can still work reliably and securely, even under these conditions.”

Neil Garner, the CEO of Proxama, a company developing platforms for NFC-based commercial applications such as mobile wallets, reassures that developers are well aware of these weaknesses and have the issue under control.

“The knowledge that something like this could be technically feasible has been around for quite a while,” Garner says. “The community was first discussing it after biometric passports were introduced. These electronic passports rely on the same contactless technology and many people were concerned someone could actually read data from these passports from afar and use it to create clones.”

Despite acknowledging the University of Surrey team’s research, Garner says NFC, although still in the early stages of its development, is much safer than conventional cash, and that the bad publicity it receives is largely unfair.

“In the early days of contactless cards, some banks issued them incorrectly and placed some information about the card holder on them that might have possibly been abused by someone but that’s no longer the case,” he explains.

“There is really barely anything useful you could do with the eavesdropped data from these transactions today as they are encrypted and contain information related to that particular transaction.”

To get anything out of his efforts, the geeky hacker in the supermarket would have to be able to use the data immediately, before the bank approves the transaction, as the bank would not accept the same cryptogram twice. Moreover, the intercepted sequence contains the exact amount to be paid, which, in the case of contactless, is no more than £20.
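The two properties just described (the cryptogram is bound to the exact transaction, and the issuer refuses the same cryptogram a second time) are what make a passively captured exchange hard to reuse. The following added example, which is not code from the article, from Proxama or from any payment scheme, models them on the issuer side. The MAC construction (HMAC-SHA256 over a transaction counter, the amount and a terminal-supplied unpredictable number, with a per-card key) and the field layout are assumptions made for illustration; real EMV cryptograms are built differently.

```python
"""Issuer-side model of why a captured contactless cryptogram is not reusable.

Added example, not code from the article or any payment scheme. The card
binds each cryptogram to its own transaction counter, the amount and a
terminal-chosen unpredictable number; the issuer verifies that binding and
rejects any cryptogram or counter it has already accepted. HMAC-SHA256 and
the field sizes are assumptions for this illustration.
"""
import hashlib
import hmac


def compute_cryptogram(key: bytes, counter: int, amount_pence: int, unpredictable_number: int) -> bytes:
    """Assumed construction: truncated HMAC over the transaction fields."""
    msg = (counter.to_bytes(2, "big")
           + amount_pence.to_bytes(6, "big")
           + unpredictable_number.to_bytes(4, "big"))
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class CardSim:
    """Models the card: holds a secret key and a per-transaction counter."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id, self.key, self.atc = card_id, key, 0

    def respond(self, amount_pence: int, unpredictable_number: int):
        """Return the tuple an eavesdropper would see on the uplink."""
        self.atc += 1
        crypt = compute_cryptogram(self.key, self.atc, amount_pence, unpredictable_number)
        return (self.card_id, self.atc, amount_pence, unpredictable_number, crypt)


class IssuerHost:
    """Models the bank side: verifies cryptograms and refuses replays."""

    def __init__(self):
        self.card_keys = {}       # card_id -> per-card secret key
        self.last_counter = {}    # card_id -> highest counter accepted so far
        self.seen_cryptograms = set()

    def enrol(self, card_id: str, key: bytes) -> None:
        self.card_keys[card_id] = key
        self.last_counter[card_id] = 0

    def authorise(self, card_id, counter, amount_pence, unpredictable_number, cryptogram) -> str:
        key = self.card_keys.get(card_id)
        if key is None:
            return "DECLINED: unknown card"
        expected = compute_cryptogram(key, counter, amount_pence, unpredictable_number)
        # Constant-time comparison: the cryptogram must match every field,
        # so a captured cryptogram presented with an edited amount fails here.
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINED: cryptogram mismatch"
        # A cryptogram (or counter) already accepted is refused outright.
        if cryptogram in self.seen_cryptograms or counter <= self.last_counter[card_id]:
            return "DECLINED: replay"
        self.seen_cryptograms.add(cryptogram)
        self.last_counter[card_id] = counter
        return "APPROVED"


def run_scenario() -> list:
    """Genuine purchase, two misuse attempts with the captured data, then a new purchase."""
    key = b"constructed-demo-key-not-a-real-card-key"
    issuer = IssuerHost()
    issuer.enrol("card-demo", key)
    card = CardSim("card-demo", key)
    outcomes = []
    captured = card.respond(1299, 0x1A2B3C4D)          # 1. genuine £12.99 purchase
    outcomes.append(issuer.authorise(*captured))
    outcomes.append(issuer.authorise(*captured))       # 2. same capture presented again
    card_id, atc, _, un, crypt = captured
    outcomes.append(issuer.authorise(card_id, atc, 2000, un, crypt))  # 3. amount edited
    outcomes.append(issuer.authorise(*card.respond(350, 0x5E6F7081)))  # 4. next genuine purchase
    return outcomes


if __name__ == "__main__":
    for step, outcome in enumerate(run_scenario(), 1):
        print(step, outcome)
```

Only the first and the last step are approved: the unchanged capture is refused as a replay, and the capture with an altered amount fails verification because the amount is part of what the cryptogram covers. The remaining window is the one the text names, between capture and the issuer's approval of the original transaction, and it is bounded by the contactless limit.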

“I sincerely believe any hacker would be better off moving to the USA and focusing on cloning magnetic stripes of cards that are still commonly in use there,” Garner jokes. “Magnetic cards are far less secure than contactless or chip and pin and have already been largely replaced in Europe, however, there are still places, like the USA, where they are still pretty common.”

Never underestimate hackers

However, hackers tend to be rather resourceful and have proved many times in the past that they are able to find flaws in even the most intricate systems.

Last year, at the well-known Black Hat hacking conference, researcher Charlie Miller surprised the audience with a live demonstration of security shortcomings in the NFC technology integrated into smartphones.

By simply tapping two handsets together, he initiated a peer-to-peer NFC session, gaining unauthorised access to the targeted phone and running code which allowed him to load a malicious web page onto the device without having to request any permission or authorisation.

In another demonstration, Miller managed to exploit connections between NFC devices and Bluetooth components of the Nokia N9 to activate a handset, and install and execute files including a PowerPoint presentation.

In the case of contactless cards, some have warned that because these cards by default respond to any device generating a magnetic field capable of powering them up, a random attacker could extract information from the card, including unique identifiers that could be used to track the card’s owner.

However slim the chances might be, it’s surely better to be safe than sorry: with sensitive digital data, too much is at stake. Especially since, as Johann Briffa says, there is little an individual user can do to protect himself against NFC eavesdropping.

“When the contactless device is not in use, for example if it’s an NFC enabled mobile phone, one thing that can be done is to switch the NFC off until it’s actually needed,” he says. “In the case of cards, there exist wallets that act as Faraday cages and shield the device against the radio transmission. But the problem that we have found is what happens during an actual transmission and obviously, at this point the device has to be operative.”

Watch my video interview with Johann Briffa below: