Attacks On Near Field Communication Devices

For some years, Near Field Communication (NFC) has been a popularly known technology characterized by its short-distance wireless communication, mainly used in providing different agreeable services such as payment with mobile phones in stores, Electronic Identification, Transportation Electronic Ticketing, Patient Monitoring, and Healthcare. The ability to quickly connect devices offers a level of secure communication. That notwithstanding, looking deeply at NFC and its security level, identifying threats leading to attacks that can alter the user’s confidentiality and data privacy becomes obvious. This paper summarizes some of these attacks, emphasizing four main attack vectors, bringing out a taxonomy of these attack vectors on NFC, and presenting security issues alongside privacy threats within the application environment

Secure capacity analysis for magnetic inductive coupling-based SWIPT system

Many researchers have provided meaningful insights for physical layer security (PLS) in various wireless communication systems. However, few works have carried out an intensive PLS analysis for magnetic inductive coupling (MIC)-based simultaneous wireless information and power transfer (SWIPT). This paper analyzes the effect of the angular position of coils on the secure capacity of a MIC-based SWIPT system in the presence of a potential malicious power receiver. Using a simple coupling model, we analyze the maximum achievable secure capacity of a MIC-based SWIPT system when the transmitter has knowledge of the coil angular positions of the receiver and the potential eavesdropper. In addition, we expand our analysis to the case where the transmitter has only limited knowledge of the coil angular positions of the receiver and the potential eavesdropper due to the angular fluctuation of the coils. Since employing the PLS technique with a traditional security algorithm can enhance security, the analysis will provide a meaningful contribution for improving MIC-based SWIPT system security. © 2013 IEEE.1

A Relay Prevention Technique for Near Field Communication

The use of near field communication (NFC) has expanded as rapidly as Bluetooth or similar technologies and shows no signs of slowing down. It is used in many different systems such as contactless payment processing, movie posters, security access and passport identification. NFC enabled devices include cell phones, credit cards and key chains. With the spread of any new technology come security vulnerabilities that malicious users will try to exploit. NFC is particularly vulnerable to what is known as a relay attack. The relay attack is similar to the man-in-the-middle attack but the data need not be unencrypted to be vulnerable. The relay attack is currently undetectable and unstoppable. Many solutions have been proposed but no real-world solution has been found that does not require significant changes to the NFC protocol, or even the hardware. In this work we propose a technique that uses careful timing analysis of tag communication to identify a transaction as dangerous and thus set off an alert of the potential threat. This could be built into mobile devices and readers already deployed and provide a level of security to the market not currently available while maintaining the protocols set forth by the ISO. A proof of concept has been built and tested on custom hardware as well as on an Android Nexus 4 to detect and prevent the relay attack. In this thesis we give an overview of security issues in NFC communication, describe the relay attack in detail, present our timing based countermeasures and its implementation, and give results of our evaluation of timing based relay prevention

A Relay Prevention Technique for Near Field Communication

The use of near field communication (NFC) has expanded as rapidly as Bluetooth or similar technologies and shows no signs of slowing down. It is used in many different systems such as contactless payment processing, movie posters, security access and passport identification. NFC enabled devices include cell phones, credit cards and key chains. With the spread of any new technology come security vulnerabilities that malicious users will try to exploit. NFC is particularly vulnerable to what is known as a relay attack. The relay attack is similar to the man-in-the-middle attack but the data need not be unencrypted to be vulnerable. The relay attack is currently undetectable and unstoppable. Many solutions have been proposed but no real-world solution has been found that does not require significant changes to the NFC protocol, or even the hardware. In this work we propose a technique that uses careful timing analysis of tag communication to identify a transaction as dangerous and thus set off an alert of the potential threat. This could be built into mobile devices and readers already deployed and provide a level of security to the market not currently available while maintaining the protocols set forth by the ISO. A proof of concept has been built and tested on custom hardware as well as on an Android Nexus 4 to detect and prevent the relay attack. In this thesis we give an overview of security issues in NFC communication, describe the relay attack in detail, present our timing based countermeasures and its implementation, and give results of our evaluation of timing based relay prevention

0E2FA: Zero Effort Two-Factor Authentication

Smart devices (mobile devices, laptops, tablets, etc.) can receive signals from different radio frequency devices that are within range. As these devices move between networks (e.g., Wi-Fi hotspots, cellphone towers, etc.), they receive broadcast messages from access points, some of which can be used to collect useful information. This information can be utilized in a variety of ways, such as to establish a connection, to share information, to locate devices, and to identify users, which is central to this dissertation. The principal benefit of a broadcast message is that smart devices can read and process the embedded information without first being connected to the corresponding network. Moreover, broadcast messages can be received only within the range of the wireless access point that sends the broadcast, thus inherently limiting access to only those devices in close physical proximity, which may facilitate many applications that are dependent on proximity. In our research, we utilize data contained in these broadcast messages to implement a two-factor authentication (2FA) system that, unlike existing methods, does not require any extra effort on the part of the users of the system. By determining if two devices are in the same physical location and sufficiently close to each other, we can ensure that they belong to the same user. This system depends on something that a user knows, something that a user owns, and—a significant contribution of this work—something that is in the user’s environment

Método para la preservación de la privacidad en dispositivos iot vestibles extendiendo la Seguridad usando fog computing

Los dispositivos Wearables o vestibles son elementos IoT personales que permiten la recolección de datos de una persona y enviarlas a un sistema informático para su procesamiento, dichos dis-positivos hacen uso de conexiones locales (área de cobertura) y normalmente están dentro de dicha área en dónde se puede tener control de la privacidad, integridad o confidencialidad, por lo cual, cuando es necesario una movilidad de la persona, el IoT debe salir de su área de cobertura, , perdiendo dicho proceso de seguridad. El objetivo es proponer un método que ayude a mitigar el riesgo de pérdida de privacidad sobre los datos en los dispositivos IoT Wearables, cuando estos salen de un área protegida (en la cual normalmente se conectan) a través de la computación en la niebla o Fog Computing (en adelante FC) que viaje con el Wearable. Para esto se han evaluado tres tecnologías de comunicación inalámbrica, las cuales son Bluetooth, RFID y NFC; determinando así cuál es la que mejor se adapta para transportar la información desde IoT hasta FC. También se evalúan los algoritmos de cifrado RSA, Diffie-Hellman Elliptic Curve - DHEC, Homomórfico JPAILLIER - HJP y AES, como mecanismo de protección de la información que se envía desde FC hacia la nube, por lo cual, para la selección de la tecnología y algoritmo de cifrado más adecuado se hace una serie de pruebas técnicas, entregando a través de un sistema de puntos, la valoración de cada prueba. Por último, los resultados de las pruebas son positivos y demuestran que la tecnología NFC es la que mejor se adapta a las limitantes de IoT y que DHEC es un algoritmo de cifrado que proporciona mejor escalabilidad al método planteado. Más tarde se realiza una evaluación de la propuesta en la cual se demuestra que soluciona el problema de pérdida de protección por salir de una cobertura protegidaWearables devices are personal IoT elements that allow the collection of data from a person and send them to a computer system for processing, said devices make use of local connections (cove-rage area) and are usually within that area in where you can have control of privacy, integrity or confidentiality, whereby, when a mobility of the person is necessary, the IoT must leave its cove-rage area, losing this security process. The objective is to propose a method that helps mitigate the risk of loss of privacy on the data in the IoT Wearables devices, when they leave a protected area (in which they normally connect) through fog computing or Fog. Computing (hereinafter FC) that travels with the Wearable. For this, three wireless communication technologies have been evalua-ted, which are Bluetooth, RFID and NFC; determining which is the best adapted to transport infor-mation from IoT to FC. The RSA encryption algorithms, Diffie-Hellman Elliptic Curve - DHEC, Homo-morphic JPAILLIER - HJP and AES, are also evaluated as a protection mechanism for the information sent from FC to the cloud, for which, for the selection of The most suitable technology and en-cryption algorithm is a series of technical tests, delivering through a points system, the valuation of each test. Finally, the results of the tests are positive and show that the NFC technology is the one that best adapts to the limitations of IoT and that DHEC is an encryption algorithm that provides better sca-lability to the proposed method. Later an evaluation of the proposal is made in which it is demons-trated that it solves the problem of loss of protection by leaving a protected coverageMagister en Seguridad Informátic

Modelo de seguridad para garantizar la integridad de los pagos móviles basados en Near Field Communication (NFC).

Se propuso un modelo de seguridad para garantizar la integridad de los pagos móviles basados en Near Field Communication (NFC) denominado NRioSec, que establece tres niveles de protección con un alto grado de compatibilidad y fácil integración en el desarrollo de aplicaciones de pago móviles. Sus componentes permiten controlar la autenticación con certificados digitales, la unicidad de transacciones mediante la tokenización y el cifrado de datos mediante algoritmos robustos, y que sumados a las normas de seguridad de aceptación de pagos móviles del PCI SSC, determinan la eficacia de su aplicación para mitigar las vulnerabilidades analizadas. Se comprobó que el modelo de seguridad NRioSec incrementa el nivel de integridad de los pagos móviles basados en NFC porque mediante cifrado protege la información sensible que se transmite durante una transacción; al ser transmitida la información únicamente entre el emisor y el receptor se protege la información confidencial de los atacantes o de las entidades participantes, pues éstas no tienen necesidad de acceder a dicha información; el modelo proporciona cifrado y autenticación de origen para que el receptor los pueda validar y, se asegura al receptor que los detalles del pago son correctos y corresponden a los datos proporcionados por el emisor mediante una pantalla donde se confirme que los datos son correctos.A security model was proposed to guarantee the integrity of mobile payments based on Near Field Communication (NFC) called NRioSec, which establishes three levels of protection with a high degree of compatibility and easy integration in the development of mobile payment applications. Its components allow controlling authentication with digital certificates, the uniqueness of transactions through tokenization and data encryption using robust algorithms, and that added to the PCISSC mobile payment acceptance security standards, determine the efficiency of its application to mitigate the vulnerabilities analyzed it was possible to verify that the NRioSec security model increases the integrity level of mobile payments based on NFC because encryption protects the sensitive information transmitted during a transaction; When the information is transmitted only between the sender and the receiver, the confidential information of the attackers or participating entities is protected. Because they have no need to access said information; the model provides encryption and authentication of origin so that the receiver can validate them, and the receiver is assured that the details of the payment are correct and correspond to the data provided by the issuer through a screen where the data is confirmed to be correct

NFC Attacks Analysis and Survey

[[abstract]]The NFC (Near Field Communication) became a popular short distance wireless communication technology by providing many convenient services such as an easy payment in a store. It has fast connection ability between devices and provides certain secure communication. However, after studying NFC protocols deeply, we found six threats to protecting the confidential data and users' privacy are unsolved. This paper summaries four standards of NFC protocols, and presents the security issues and unsolved privacy threats in current application environment