Nitesh Saxena
Computer and Information Sciences
University of Alabama at Birmingham
Security and Privacy In Emerging Systems (SPIES) group http://spies.cis.uab.edu
Center for Information Assurance and Joint Forensics Research (CIA|JFR) http://thecenter.uab.edu/


Outline

Background What NFC is

NFC Applications What all one could do with it

NFC Attacks/Fraud What all can go wrong

NFC Defenses How things could be fixed


RFID System Overview

[Figure labels: Reader, Tag, reading signal, ID, back-end database]

An RFID system usually consists of RFID tags and readers and a back-end server. Tags are miniaturized wireless radio devices that store information about their corresponding subject, such as a unique identification number. Readers broadcast queries to tags in their radio transmission ranges for information contained in tags and tags reply with such information.

(Some) RFID Applications

Near Field Communication (NFC)

NFC technology enables smart phones to have RFID tag and RFID reader functionality
  Phones can be used as payment tokens
Next generation of payment system
  For example, Google Wallet App uses this function
  Already deployed in many places
Just like RFID, it uses wireless radio communication

Outline

Background What NFC is

NFC Applications What all one could do with it

NFC Attacks/Fraud What all can go wrong

NFC Defenses How things could be fixed

NFC Applications

Google Wallet ISIS

Google Wallet Vision

NFC Applications

Patient Id+Mobile Ticket Purchase – Austrian Federal Railways

NFC Applications

NFC Tags Sharing

Other Applications

Interactive Experience
  NFC at Museum of London
Posters / Replacement to QR Codes
Productivity (Phone Use Cases)
  Automatic Pairing with Bluetooth
  Connect to Wifi
  Make a Call/Text to a number
  Change settings automatically
  Check ins / Locations / Other social activity
  Open Apps
SleepTrak (health monitoring)
…MANY MANY more

Outline

Background What NFC is

NFC Applications What all one could do with it

NFC Attacks/Fraud What all can go wrong

NFC Defenses How things could be fixed

The RFID Privacy Problem

Good tags, Bad readers

[Figure labels]
500 Euros in wallet
Serial numbers: 597387, 389473
Wig model #4456 (cheap polyester)
30 items of lingerie
Das Kapital and Communist-party handbook
Viagra medical drug #459382

NFC Privacy Problem

Should you worry?
  NFC is near field (one has to tap to read!)
Yes, unfortunately
  Researchers have shown that it is possible to eavesdrop NFC signals from a distance larger than its typical communication range [Kortvedt-Mjølsnes; 2009]

The NFC Privacy Problem

Good tags, Bad readers

UAB Office Building

Access Card

Chase Bank ATM Card

Doctor’s Prescription

Porn Movie Ticket

US Bank Credit Card

The RFID Cloning Problem

Good readers, Bad tags

[Figure labels]
500 Euros in wallet
Serial numbers: 597387, 389473
Wig model #4456 (cheap polyester)
30 items of lingerie
Das Kapital and Communist-party handbook
Viagra medical drug #459382

Counterfeit!!

The NFC Cloning Problem

Good readers, Bad tags

UAB Office Building

Access Card

Chase Bank ATM Card

Doctor’s Prescription

Porn Movie Ticket

US Bank Credit Card

Relay Attack I: Ghost-and-Leech

[Figure: relay diagram; labels: query, response]

Relay Attack II: Ghost-and-Reader

Malicious Reader

Ghost

Authentic Reader

Server

Variant of a Man-in-the-Middle attack [Drimer et al., 2007]; demonstrated live on Chip-and-PIN cards

Reader and Ghost Relay Attack

Fake reader relays information from legitimate NFC tag to “Ghost”
  Relays information from the legitimate tag to fake tag
“Ghost” relays received information to a corresponding legitimate reader
Happens simultaneously while user performs transaction with legitimate NFC tag
  But for a higher amount
Impersonating a legitimate NFC tag without actually possessing the device
  While at a different physical location

NFC Malware Problem

Youtube video: http://www.youtube.com/watch?feature=player_detailpage&v=eEcz0XszEic

Outline

Background What NFC is

NFC Applications What all one could do with it

NFC Attacks/Fraud What all can go wrong

NFC Defenses How things could be fixed

The NFC Privacy Problem

Good tags, Bad readers

UAB Office Building

Access Card

Chase Bank ATM Card

Doctor’s Prescription

Porn Movie Ticket

US Bank Credit Card

The NFC Cloning Problem

Good readers, Bad tags

UAB Office Building

Access Card

Chase Bank ATM Card

Doctor’s Prescription

Porn Movie Ticket

US Bank Credit Card

Relay Attack I: Ghost-and-Leech

[Figure: relay diagram; labels: query, response]

Selective Unlocking

Promiscuous reading is to blame
Currently, NFC supports selective unlocking via PIN/passwords
  Works in practice but passwords are known to have problems especially in terms of usability
Our approach – gesture-enabled unlocking

Relay Attack II: Ghost-and-Reader

Malicious Reader

Ghost

Authentic Reader

Server

Variant of a Man-in-the-Middle attack [Drimer et al., 2007]

Authentication is not Enough

Alice’s device must authenticate the whole transaction
  So Alice’s phone knows that the reader charges $250
  But Alice doesn’t
  The big screen on the malicious reader says $5
Even if phone displays the correct amount, Alice may not look at it
  Or make a mistake due to rushing

Our Approach: Proximity Detection

A second line of defense rather than relying upon the user
Verify phone and reader are in same location
  Each device measures local data with sensor
    We use ambient audio
  Send authenticated data to server
  Server checks that the data is the same in both measurements
    Or at least similar enough
  Then approves the transaction

Advantages of our Approach

Does not require explicit user action
  Does not change traditional NFC usage model
Extremely difficult for attacker to change environmental attributes
Geographical location not sent to server
  Users’ location privacy is protected (unlike the use of GPS coordinates)
Compatible with current payment infrastructure

Implementation and Evaluation

Sensor data collected by two devices in close proximity
  Capture audio from cell phone’s built-in microphone (two Nokia N97 phones)
Recorded 20 consecutive segments from two sensors simultaneously at different pairs of locations
  At 5 different locations

Detection Techniques

Techniques based on time, frequency or both:
  In both domains tested:
    Euclidean distance between signals
    Correlation between signals
  Combined method: frequency distance and time-correlation
Best results achieved for combined time-frequency based method

Time-Frequency Distance Technique

Our new Time-Frequency-based technique
Calculating distance between two signals:
  Calculate Euclidean distance between frequency feature vectors
  Calculate Time-based correlation between signals
    Distance defined as DC = 1 - Correlation
Both distances combined for classification
  Combined as a 2-D point in space
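
An added sketch (not code from the talk or from the ESORICS paper) of the time-frequency distance described above, used for the server-side same-location check from the Proximity Detection slide. The band features, the lag search, the fixed threshold standing in for the trained classifier, and the synthetic signals are all assumptions made for this example.

```python
import cmath, math, random

def band_features(x, bands=8):
    """Unit-norm vector of DFT magnitudes summed into equal-width bands (assumed features)."""
    n, half = len(x), len(x) // 2
    mags = [abs(sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n)))
            for k in range(1, half + 1)]
    width = half // bands
    feats = [sum(mags[b * width:(b + 1) * width]) for b in range(bands)]
    norm = math.sqrt(sum(f * f for f in feats)) or 1.0
    return [f / norm for f in feats]

def pearson(u, v):
    mu, mv = sum(u) / len(u), sum(v) / len(v)
    du, dv = [p - mu for p in u], [q - mv for q in v]
    den = math.sqrt(sum(p * p for p in du) * sum(q * q for q in dv))
    return sum(p * q for p, q in zip(du, dv)) / den if den else 0.0

def max_correlation(a, b, max_lag=16):
    """Best time-domain correlation over small lags, since the two recordings
    are not sample-aligned (the lag search is an assumption of this sketch)."""
    best = -1.0
    for lag in range(-max_lag, max_lag + 1):
        u, v = (a[lag:], b[:len(b) - lag]) if lag >= 0 else (a[:lag], b[-lag:])
        best = max(best, pearson(u, v))
    return best

def tf_distance_sq(a, b):
    """Squared length of the 2-D point (frequency distance, DC = 1 - correlation)."""
    fa, fb = band_features(a), band_features(b)
    d_f = math.sqrt(sum((p - q) ** 2 for p, q in zip(fa, fb)))
    d_c = 1.0 - max_correlation(a, b)
    return d_f ** 2 + d_c ** 2

def same_location(a, b, threshold=0.1):
    # Fixed threshold stands in for the trained classifier; 0.1 is a constructed value.
    return tf_distance_sq(a, b) < threshold

def ambient(seed, tones, n=256, offset=0, noise=0.05):
    """Constructed test signal: shared ambient tones plus per-sensor noise."""
    rng = random.Random(seed)
    return [sum(math.sin(2 * math.pi * f * (t + offset) / n + ph) for f, ph in tones)
            + rng.gauss(0, noise) for t in range(n)]

CAFE, STREET = [(5, 0.0), (12, 1.0), (20, 2.0)], [(40, 0.3), (70, 1.2), (95, 2.5)]
phone = ambient(1, CAFE)               # victim's phone
reader = ambient(2, CAFE, offset=3)    # honest reader in the same room, 3 samples later
remote = ambient(3, STREET)            # reader at the far end of a relay

if __name__ == "__main__":
    print(same_location(phone, reader), same_location(phone, remote))
```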

Test Results

Time-Frequency distance measure:

Numbers are distance measured squared

Detection Techniques

Used simple classifier to detect samples taken at the same locations
  Simple-Logistics classifier from Weka
  10-Fold classification:
    Data divided into 10 groups, 9 used for training, one for testing
Input to the classifier:
  Time-Frequency distance measure squared

Results

Our tests showed perfect classification:
  False Accept Rate = 0% and False Reject Rate = 0%
High level of security and usability

Conclusions from Proximity Detection

Designed a defense for the Reader-and-Ghost attack
Promising defense
  without changes to the traditional RFID usage model
  without location privacy leakage
  also applicable to sensor-equipped RFID cards
Audio is a stronger signal compared to light
More experiments are planned in the future
Paper: ESORICS [Halevi et al.; 2012]
Media Coverage: Bloomberg, ZDNet, NFCNews, UAB News, etc…

NFC Malware Problem

Youtube video: http://www.youtube.com/watch?feature=player_detailpage&v=eEcz0XszEic

Malware Protection via Gestures

Malware actions are software-generated
Legitimate actions, on the other hand, are human-generated
Human gestures will tell the OS whether an access request is benign or malicious
Luckily, for NFC, a gesture that can work is “tapping”
An explicit gesture could also be employed

Tap-Wave-Rub (TWR) Gestures

Phone Tapping (accelerometer)

Waving/Rubbing/Tapping (proximity sensor)

Waving (light sensor)

TWR Enhanced Android Permissions

Initial Results

Phone Tapping (accelerometer)

Tap/wave/rub (proximity sensor)

Conclusions from TWR

Initial results are promising
The approach is applicable for protecting any other critical mobile device service
  SMS, phone call, camera access, etc.
TWR gestures are also ideal for selective unlocking

Take Away from the Talk

NFC is a promising new platform with immense possibilities
However, a full deployment requires careful assessment of security vulnerabilities and potential fraudulent activities
  Many vulnerabilities similar to RFID
    Except Malware – a burgeoning threat to NFC
  Other attacks possible – such as phishing via malicious NFC tag
Security solutions need to be developed and integrated with NFC from scratch
  Research shows promise
  Phone is almost a computer; so lot could be done (unlike RFID)
User convenience or usability is an important design metric when developing security solutions

Acknowledgments

Students – the SPIES
  Jaret Langston, Babins Shrestha, Tzipora Halevi, Jonathan Voris, Sai Teja Peddinti, Justin Lin, Borhan Uddin, Ambarish Karole, Arun Kumar, Ramnath Prasad, Alexander Gallego

Other Collaborators

More info:
  http://spies.cis.uab.edu
  http://spies.cis.uab.edu/research/rfid-security-and-privacy/

Thanks!