Paper 2010/228

Practical NFC Peer-to-Peer Relay Attack using Mobile Phones

Lishoy Francis, Gerhard Hancke, Keith Mayes, and Konstantinos Markantonakis

Abstract

NFC is a standardised technology providing short-range RFID communication channels for mobile devices. Peer-to-peer applications for mobile devices are receiving increased interest and in some cases these services are relying on NFC communication. It has been suggested that NFC systems are particularly vulnerable to relay attacks, and that the attacker's proxy devices could even be implemented using off-the-shelf NFC-enabled devices. This paper describes how a relay attack can be implemented against systems using legitimate peer-to-peer NFC communication by developing and installing suitable MIDlets on the attacker's own NFC-enabled mobile phones. The attack does not need to access secure program memory nor use any code signing, and can use publicly available APIs. We go on to discuss how relay attack countermeasures using device location could be used in the mobile environment. These countermeasures could also be applied to prevent relay attacks on contactless applications using `passive' NFC on mobile phones.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published elsewhere. Unknown where it was published
Keywords
relaysecurityattackp2ppeer-to-peerNFCNFC-enabled-mobile-phonescountermeasurelocationpractical-implementationtransactions
Contact author(s)
lishoy @ gmail com
History
2010-04-28: received
Short URL
https://ia.cr/2010/228
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2010/228,
      author = {Lishoy Francis and Gerhard Hancke and Keith Mayes and Konstantinos Markantonakis},
      title = {Practical NFC Peer-to-Peer Relay Attack using Mobile Phones},
      howpublished = {Cryptology ePrint Archive, Paper 2010/228},
      year = {2010},
      note = {\url{https://eprint.iacr.org/2010/228}},
      url = {https://eprint.iacr.org/2010/228}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.