Content uploaded by Stylianos Basagiannis
Author content
All content in this area was uploaded by Stylianos Basagiannis on Jun 23, 2016
Content may be subject to copyright.
Security Analysis of NFC Relay Attacks using
Probabilistic Model Checking
Nikolaos Alexiou
KTH Royal Institute of Technology
School of Electrical Engineering
Stockholm, Sweden
Email: alexiou@kth.se
Stylianos Basagiannis
United Technologies
Research Centre
Cork, Ireland
Email: basagis@utrc.utc.com
Sophia Petridou
Department of Applied Informatics
University of Macedonia
Thessaloniki, Greece
Email: spetrido@uom.gr
Abstract—Near Field Communication (NFC) is a short-ranged
wireless communication technology envisioned to support a
large gamut of smart-device applications, such as payment and
ticketing applications. Two NFC-enabled devices need to be
in close proximity, typically less than 10 cm apart, in order
to communicate. However, adversaries can use a secret and
fast communication channel to relay data between two distant
victim NFC-enabled devices and thus, force NFC link between
them. Relay attacks may have tremendous consequences for
security as they can bypass the NFC requirement for short range
communications and even worse, they are cheap and easy to
launch. Therefore, it is important to evaluate security of NFC
applications and countermeasures to support the emergence of
this new technology. In this work we present a probabilistic
model checking approach to verify resiliency of NFC protocol
against relay attacks based on protocol, channel and application
specific parameters that affect the successfulness of the attack.
We perform our formal analysis within the probabilistic model
checking environment PRISM to support automated security
analysis of NFC applications. Finally, we demonstrate how the
attack can be thwarted and we discuss the successfulness of
potential countermeasures.
Keywords—Near Field Communication; probabilistic model
checking; relay attack; security analysis.
I . I NTRODUCTION
Near Field Communication (
NFC
) is a contactless radio
communications technology to establish short-range ad-hoc
connections between devices. NFC establishes low data rate
links to transfer data over short distance (max. of
10cm
). The
simplicity of the technology is posing NFC technology as a
suitable candidate for an increasing number of applications
including e-ticketing, mobile payments and access control
systems [
1
]. The integration of NFC in smartphones in
particular, transforms user devices into a mobile wallets [
2
],
[
3
] and carriers of authentication and authorization proof that
is exchanged via short-range NFC channels.
Any two NFC-enabled devices can be paired in peer-to-
peer mode or alternatively, operate in card emulation mode for
mobile-to-infrastructure communications like in typical RFID
communications. However, NFC systems are susceptible to
attacks and security remains an open issue [
1
]. In particular,
relay attacks are easy to deploy and pose a serious threat
for security of NFC systems, as well as the acceptability of
the technology. During a relay attack, the adversary acts as
a transparent intermediary between two distant victim NFC
devices, an NFC reader and target, and maliciously forces an
NFC link between them. This is achieved using a secret and
fast relay channel that connects the two victim NFC devices,
which eventually believe they are in close proximity and can
communicate directly with each other. The attack leverages on
the absence of localization evidence during the NFC protocol, as
well as on the fast relaying property of the adversarial channel
that alleviates the distance between the victim devices.
Distance-bounding poses as the prevalent countermeasure
for relay attacks against RFID and consequently, NFC sys-
tems [
4
], [
5
]. In a nutshell, distance bounding protocols offer
guarantees regarding the maximum distance between two
communicating devices. Therefore, they prevent an attacker
from faking the close-proximity property that is necessary to
launch the relay attack. However, distance bounding has not yet
been adopted to secure real world NFC systems, or is envisioned
to do so in the near future.
Above all, it becomes clearer that we need methods to
evaluate and analyze security of real world NFC systems.
Formal analysis techniques constitute the perfect candidate [
6
],
since they can be applied to analyze the security of systems
in a rigorous manner. Model checking techniques offer the
additional advantage of automated rigorous analysis, which
is beneficial for proprietary systems and new communication
technologies [
7
], like NFC. In this paper we propose a
probabilistic model checking approach to analyze security of
NFC protocols against relay attacks. We construct our relay
attack model in the probabilistic model checker PRISM [
8
].
To the best of our knowledge, this is the first time that a
probabilistic model of relay attacks against NFC protocol
have been developed. We prove that the NFC protocol can
be configured to thwart a relay attack and we evaluate the
successfulness of the attack for a variety of characteristics of the
adversarial relay channel. Finally, we evaluate the probability
of the attack for a range of adversarial powers against two
generic types of NFC applications.
The remainder of this paper is organized as follows. Related
work on relay attacks against NFC is discussed in Sec. II.
Sec. III provides the NFC protocol specifications and Sec. IV
describes the relay attack. In Sec. V, we elaborate on details
concerning the probabilistic model checking in prism and the
proposed model, while in Sec. VI the results of the analysis
are discussed. Finally, Sec. VII concludes with remarks of the
presented work as well as future directions.
978-1-4799-0959-9/14/$31.00 ©2014 IEEE 524
I I . R E L AT E D WO R K
NFC technology is currently an attractive solution for
providing security guaranties in a series of mobile services [
9
],
[
10
]. On the other hand, proliferation of NFC technology is
certain to attract great attention on behalf of malicious users.
In order to address these challenges current bibliography focus
on analysis and techniques related to the resiliency of NFC to
a range of attack actions.
In 2005, Kfir and Wool studied relay attacks on contact-
less smartcard communications focusing on operating ranges
issues [
11
]. They highlighted the fact that the nominal range of
10cm
between the reader and the target can be circumvented
by exploiting the attackers’ hardware, consisting of a proxy
and a mole. In practice, they showed that an extension of
50m
is feasible in the reader-to-proxy range, while mole-to-target
range can be also extended up to
40 −50cm
. This entails
that range limitations imposed by ISO/IEC 14443 standard can
be overcome increasing the attackers’ possibilities. The same
year, Hancke designed a low-cost system and executed a relay
attack up to a distance of
50m
connecting a proxy and a mole
through an UHF antenna [
4
]. His implementation was simple
and cheap and introduced a small delay of
15 −20s
, which is
possible because the communication is relayed as analog data.
The alternative approach of encoding/decoding and buffering
the data packets requires additional processing time causing
longer delay. Recently, Issovits and Hutter presented a practical
relay attack which exploits a number of mechanisms of the
ISO/IEC 14443 standard, i.e. the Frame Waiting Time (FWT),
the Negative Acknowledges (NAKs) recovery functionality and
the Waiting Time eXtensions (WTXs) [
12
]. The proposed attack
reaches average delays of
85.3ms
. However, although they
exploit protocol mechanisms for their attack and they propose
some protection measures compliant with the standard, their
approach is protocol dependable and restricted to their specific
attack scenario. Moreover, the proposed countermeasures of
checking the transmission parameters is not proven rigorously.
So far, the main countermeasure against relay attacks on
RFID and consequently NFC systems is distance-bounding
protocols [
4
], [
5
]. Their idea is to verify the proximity of two
parties by timing a challenge-response exchange. Although
distance-bounding is a well-researched area of cryptography,
the approach in most works is mostly informal [
13
]. A major
issue is their hardware implementation which either ignores
low-level implementation details e.g. physical layer of the
communication channel [
14
] or comes with additional cost [
5
].
A second issue is that distance-bounding protocols are also
susceptible to attacks [13], [14], [15].
While the authors in the aforementioned bibliography
focused on questioning the feasibility of a successful relay
attack on NFC systems, proving practically the vulnerability of
such systems against this type of attacks, their studies remain
dependable and therefore restricted to specific attack scenarios.
The purpose of this paper is to address security issues of NFC
technology in a more general framework.
III. NE A R FI E L D COMMUNICATIONS
NFC
allows contactless communications between smart
NFC-enabled devices in close proximity. NFC shares many
similarities with RFID and offers a suite of protocols based
on the ISO-14443 [
16
], which are standardized in [
17
] and
[
18
]. NFC operates at a radio frequency of
fc= 13.65
MHz,
while offers three options for low data rate communications,
namely
106,212
, and
424
kbps. In contrast to RFID, NFC
supports short-range communications, typically up to
10
cm,
and additionally bi-directional communication between devices.
In summary, NFC supports two communication modes:
Passive Mode
: In passive mode NFC communication takes
place between the Initiator, the active device sending data to
the Target, which is the passivereceiving device. During the
NFC session, the Initiator’s RF field is activated and the Target
responds using a load modulation scheme. NFC in passive mode
is referred to as Reader/Writer and Card Emulation modes. NFC
in passive mode enables several real-life applications, such as
e-ticketing and contactless payments [1].
Peer-to-Peer Mode
: NFC in active mode allows both
communicating devices to use their own RF field to trans-
mit data, which switch on their RF field when transmitting
data interchangeably. The two devices alternate between the
Initiator and Target states, eventually indulging in a peer-to-peer
mode communication scheme. Active mode NFC can support
application that involve device pairing [17], [18].
A. NFC Protocol
In this section we provide a thorough overview of passive
mode NFC in
212
and
424
kbps data rate speeds. More details
regarding NFC specifications can be founded in [
17
], [
18
]. For
the rest of the paper, we use the term Reader to refer to the
Initiator of an NFC transaction. Table I shows the format of
an NFC frame and the respective size for each of the frame’s
fields. The preamble consists of at least
48
logical zero bits
and serves as the prologue of the frame. The SYNC field is
2
bytes long and the length is set equal to the number of bytes
to be transmitted in payload plus one. The payload consists
of
n
8-bit-bytes of data, where
n
is indicated by the number
of data bytes. Finally, CRC is a 2 byte value attached to the
end of the frame. When a frame is received a standard delay
period of 8×64fcµsec before the next frame is sent.
Table I. F RAME FO R M AT FI E L D S A N D SI Z E
Preamble SYNC Length Payload CRC
Size 48 bits min. 16 bits 8 bits n8-bit-bytes 16 bits
Overall, the NFC protocol comprises three phases: (i) RF
collision avoidance, (ii) Initialization Single Device Detection,
and (iii) Transport Protocol.
RF collision avoidance:
The RF collision avoidance
scheme is used to prevent collisions between nearby Readers
having their RFs enabled in parallel. The Reader senses the
medium continuously for a time period of
TIDT +n×TR F W
µ
sec, where
TIDT >4096
,
TRF W = 512/fc
is the RF waiting
time,
n
is a randomly generated integer (
0≤n≤3
) and
fc
corresponds to the radio frequency (
13.56MHz
). The Initiator
enables its own RF field if no other RF field is detected.
Device Detection:
Following Collision avoidance, Device
Detection allows a Reader to detect NFC-enabled devices. A
Reader may support up to
16
Targets in parallel using time-
slotted device detection. In a nutshell, the Reader uses up to
16
time slots of duration
Ts
each, where
Ts
is
256 ×64fcµsec
.
525
The Reader then probes nearby Targets by broadcasting a polling
request packet. Following polling request, each nearby Target
selects a random identifier
R
corresponding to a particular time-
slot and then, replies to the Reader during the time-slot that
corresponds to
R
. In practice only one card can be supported
e.g., for e-ticketing applications.
Transport Protocol:
Following the discovery of nearby
devices, the Reader selects a nearby Target and starts data
transmission using the Transport Protocol. During activation,
the Reader and the Target negotiate communication parameters,
such as the expected timeouts during the data exchange protocol.
The NFC protocol defines the range of acceptable timeouts
from
302 µsec
to
4949 msec
. During data exchange, the Target
acknowledges each successful packet reception, and replies to
the Reader with its own data packets. A deactivation sequence
of the Target is used to finalize the protocol.
I V. N F C R E L A Y AT T A C K S
In order to understand how a relay attack, is deployed
consider the grand chess master problem from cryptography.
The problem setup includes two chess boards e.g., table A
and table B and a chess master is sitting at each one of the
tables; as well as a malicious player who does not know how
to play chess and wants to compete against the chess master
on table A. To achieve this, the malicious player can replay
the moves from table A on table B. By doing so, the next best
move against the chess master of table A is revealed to the
player by chess master B. Eventually the malicious player has
increased chances of winning the chess game by forcing the
two chess masters compete each other, even if totally agnostic
about the rules of the game. Relay attacks against NFC fit to
the description given above.
Similarly, during a relay attack the adversary may remain
agnostic of all protocol specifications or cryptography used,
and take advantage of two distant NFC-enabled devices to
achieve his malicious goals. The adversary needs to deceive
the distant devices, namely the NFC Reader and Target, that
are close enough to establish an NFC communication link,
even though under normal circumstances they would not. NFC
protocols require timing only limitations to be met in order
to successfully complete an NFC transaction. Therefore, the
adversary can bypass the timing constraints by establishing a
fast and transparent relay channel, which is used to transfer the
NFC messages from the victim Reader to the victim Target,
and vice versa. Using the fast relay channel the adversary
minimizes communication delays caused by relaying NFC
packets and essentially helps as an intermediary the victim
NFC devices complete the NFC transaction. The incentives of
the attack are dependent on the NFC application and include
obtaining unauthorized access to a building or buying digital
goods illegally without the consensus of the victim.
To launch the relay attack, two adversarial NFC-enabled
devices that emulate an NFC Reader and a Target need to be
placed near a victim NFC Target and a Reader respectively.
Fig. 1 shows the setup used for the attack. First, the adversary
presents the Adversarial Target
AT
at the Victim Reader (
V R
)
to trigger the NFC transaction.
AT
has a preset communication
link with the Adversarial Reader
AR
which acts as the relay
channel.
AR
is simultaneously presented to the Victim Target
Victim Reader Victim Target
Adversarial Target Adversarial Reader
NFC
Communication
(max. 10cm)
Adversary presents
Target to Reader
Adversarial Relay Channel
Data Transfer over
long distance
NFC
Communication
(max. 10cm)
Adversary presents
Reader to Target
Figure 1. NFC Relay Attack Setup
(
V T
) and emulates an NFC reader, simply relaying all messages
received over the relay channel. The reverse procedure is
followed for all
AT
responses. As a result, if all messages are
successfully relayed, the two victim devices may successfully
complete an NFC transaction that will provide the adversary
with the end result of the attack (e.g., to illegally buy digital
goods).
V. P R O B A B I L I S T I C MO D E L CHECKING IN PRISM
Model Checking is a formal verification technique based on
rigorous model definitions of systems, in order to discover errors,
flaws or unexpected behavior in systems,protocols and hardware.
Probabilistic Model Checking is a formal verification technique
for the verification of systems that exhibit probabilistic behavior
and tries to determine the probability of a model
M
satisfying
a property
prop
. The proposed model follows the analysis
of [
19
] and uses the Continuous Time Markov Chains (CTMC)
to verify resiliency on NFC protocol against relay attacks in
continuous time.
A CTMC is the tuple (S, sinit, R, L), where:
•Sis a finite set of states
•sinit ∈Sis the set of initial states
•R:S×S→Ris the transition rate matrix
•L:S→2AP is a labeling with atomic propositions
The transition rate matrix
R
assigns transition rates to
each pair of states in
S
, which are then used as input to the
exponential distribution. A transition from state
s
to
s0
can
only occur if and only if
R(s, s0)>0
. Time spent at state
s
follows the exponential distribution and the probability of the
transition being triggered within
t
time units is calculated as
(
1−e−R(s,s0)×t
). Typically, more than one transitions from state
s
may occur in parallel, which is known as a race condition.
The first transition to be triggered from
s
determines the next
state of the CTMC. Time spent at
s
, before a transition, is
exponentially distributed with rate E(s)def
=P
s0∈S
R(s, s0).
E(s)
is defined as the exit rate of state
s
. The actual
probability of reaching state
s0
from state
s
independently of
time can be calculated using the embedded DTMC
emb(C) =
(S, sinit, Pemb (C), L), where:
•Sis a finite set of states
•sinit ∈Sis the set of initial states
•L:S→2AP is a labeling with atomic propositions
526
Pemb(C)(s, s0)
is calculated using
E(s)=Σs0∈SR(s, s0)
as
follows:
Pemb(C)(s, s0) = (R(s, s0)/E(s)if Es>0
1if Es= 0 and s=s0
0otherwise
Properties describing expected model’s behaviour are de-
fined to perform model checking. In PRISM, properties are
defined in a superset of the several temporal logics and
more specifically the (i) Probabilistic Computation Tree Logic
(PCTL), (ii) the Continuous Stochastic Logic (CSL), (iii) the
Linear Temporal Logic (LTL), and (iv) PCTL*. For CTMCs,
properties are expressed in CSL in the following syntax:
Φ ::= true |α| ¬Φ|Φ∧Φ|Pp[ϕ]|Sp[Φ]
ϕ::= XΦ|ΦUIΦ
where
α
is an atomic proposition,
∈ {<, >, 6,>}, p ∈
[0,1]
and
I
is an interval of
R>0
.
Pp[ϕ]
denotes the probability
that the path formula
ϕ
being satisfied given the probability
bound
p
. As with PCTL, it is straightforward to derive CSL
operators for F(eventually) and X(next) [19].
A PRISM model is a collection of modules that are active
in parallel. Each module, in turn, comprises of a set of local
variables and labeled actions (e.g., model transitions between
states). Through the actions, the variables are updated according
to the specifications of the modeled system (e.g., the protocol),
which defines the state of the module. Eventually, the global
state of the model is built upon the individual module states
at each point in time. Each module action has two parts, the
guard and the update actions:
[L]guard ⇒R:u1+... +un;
where
L
is the label naming the model transition,
guard
is set of prerequisites to trigger the command (e.g., variables
values),
R
is the rate of the command if the
guard
’s conditions
are met, and
ui
is an update executed by the command. We
express our properties in the PRISM model checker using
the
P=?[F ϕ]
, which gives a numerical estimation of the
probability that the model satisfies ϕ.
A. PRISM Model of NFC
We model a relay attack against passive mode NFC operating
at
212kbps
, as defined in [
17
], [
18
]. Our CTMC model is
minimal in the sense that the NFC protocol is modeled with
enough detail to demonstrate the attack. Transition rate matrix of
the CTMC model is composed based on the selected parameters
of Table II related to the NFC specifications according to [
17
].
Meanwhile, our model is highly configurable and thus may be
used to verify resilience of other NFC protocol types and modes
(e.g., active mode NFC) against relay attacks. Our PRISM model
comprises four modules, one for each of the devices involved
in the attack:
•VR:
The Victim Reader (
V R
) is the verifier during
the NFC transaction. Therefore, it is the victim of the
NFC relay attack since the adversary tries to maliciously
authenticate a Target to the V R
Table II. M O D E L CHECKING PA R A M E T E R S
Parameter Description
MAX_RW T Timeout during data transport protocol
P KT E R Packet error rate of relay channel
DR_RCH Relay channel data rate
DR_N F C NFC data rate of 212 kbps
N F CER Packet error rate of NFC
del Time delays
•AT:
The Adversarial Target (
AT
) is used by the adversary
to communicate with
V R
over NFC, and with
AR
through
the fast relay channel
•AR:
The Adversarial Reader (
AR
) is the Reader operated
by the adversary that initiates the NFC transaction with
the Victim Target.
AR
communicates over NFC with
V T
and through the fast relay channel with the AT
•VT:
The Victim Target (
V T
) communicates over NFC
with
AR
, and has a virtual NFC connection with
V R
as
a result of the relay attack
We focus our analysis on those properties that affect the
probability of a successful attack, namely the (i) timeouts during
the transport protocol (ii) adversarial strength in terms of relay
channel data rate in
kbps
, (iii) adversarial channel quality, and
(iv) size of data transmitted. Those properties will form the CSL
formulas necessary to model check our NFC model. Channel
quality is modeled as the probability to successfully transmit a
packet without communication errors. For our results, we focus
on the adversarial channel quality and we keep the probability of
error during NFC communications very low (
e.g., 10−8
), which
is a best case scenario for the adversary. We define
DR_RCH
as the data rate speed of the adversarial relay channel in
kbps
,
and
DR_N F C
the data rate of the NFC channel. We use
DR_RCH
as an indicator of adversarial strength. Moreover,
we define
MAX_RW T
as the timeout during the transport
protocol. The size of message of the NFC protocol is modeled
as a constant, according the NFC standards [
17
], [
18
]. We
particularly focus on the size of packets exchanged during
the data transport protocol, which can vary depending on the
application. Section VI describes two experimental setups used
to define two different cases of transport protocol packet sizes.
Finally, we model the time required to complete a packet
transmission based on the size of the transmitted packet and
the data rate transmission speed of the communication channel
in
msec
. As an example, the time needed to transmit an NFC
message of
n
bits using an NFC channel of
DR_N F C kbps
can be modeled as
n/DR_N F C
. The above is modeled in
PRISM as a rate to complete a model transition, as described in
Sec. V. Furthermore, in order to evaluate all possible protocol
delays and not restrict our model to transmission only delays,
we have defined the global
del
parameter.
del
corresponds to all
other types of delays that can occur during the attack, such as
packet receiving delays, packet preparation delays etc. However,
it can be adjusted according to the type of NFC application
and hardware used. This makes our PRISM model configurable
and realistic. For our results, we set
del
to a low value, namely
100
msec, in order to verify the best case scenario for the
adversary where delay is negligible. Finally, NFC handshakes
between the aforementioned entities will be executed using
labeling functions for the modules’ synchronization within
527
Figure 2. Relay Channel Rate vs Probability of Successful attack vs Timeout;
low-data volume
Figure 3. Relay Channel Rate vs Probability of Successful attack vs Timeout;
high-data volume
PRISM, between messages’ transmission or reception.
Due to space limitations, an in depth description of model
size and structure is omitted. As an example, for model checking
MAX_RW T = 500
,
DR_RCH = 8
and
P KT E R = 0
,
PRISM model checker reported back a total states of
72840
with
182263
transitions. Our model has a single initial state,
which is the transmission of the polling request message
by the Reader. Table II summarizes the set of configurable
parameters that greatly affect the success fulness of the attack.
Through the produced results, we argue that a close to
0
probability of a successful attack will pinpoint the optimal
range of the model parameters. Thus, the concrete values of
the parameters under the aforementioned constraint, will form
verifiable countermeasures for the defense of NFC.
V I . M O D E L CHECKING RE S U LT S
Our probabilistic model checking results show that the
successfulness of an NFC relay attack relies on four parameters:
(i) the NFC protocol parameters, (ii) the strength of the
adversary, (iii) the quality of the adversarial channel, and
(iv) the NFC application type. Timing constraints, namely
the
MAX_RW T
timeout, as defined for the NFC transport
protocol, play an important role in thwarting the attack. We
use the data rate speed of the relay channel
DR_RCH
as a
measure of strength for the adversary, since adversaries with
high
DR_RCH
can relay bits of information through the relay
channel faster. Finally, we measure reliability of the adversarial
channel using
P KT E R
and show that the probability of a
successful attack depends on the NFC application, thus the
number of bytes exchanged between the victim devices.
We perform our analysis using two experimental setups
that correspond to two different types of NFC applications.
The first setup models the case of
280
bits and
160
bits of
data transmitted by
V T
to
V R
, and
V R
to
V T
respectively,
during the data transport protocol. The second setup models
transport protocol messages of
80
bits both for
V T
and
V R
.
We name them as the low-data volume and the high-data
volume respectively. Let us note here that our probabilistic
model is highly configurable and can thus support a variety
of experimental setups regarding the data volumes transmitted.
It is also worth to be mentioned that NFC is a low data rate
communication technology that is targeting applications where
the volume of data exchanged between the devices is normally
low. Therefore our setups demonstrate a realistic scenario and
also, serve to demonstrate the impact of two different types of
applications on the relay attack.
Fig. 2 shows the probability of a successful relay attack for
the low-data volume, using a range of
MAX_RW T
timeouts
and significantly low packet error probability (
P KT E R =
10−8
).
DR_RCH
illustrates the adversarial strength based on
the transfer speed of the adversarial relay channel in Mbps. We
observe that strong adversaries with
DR_RCH > 3
Mbps have
a significantly higher probability of performing a successful
relay attack, which is above
60%
for
MAX_RW T > 4.5
sec. However, we observe that even weaker adversaries with
slower relay channels (
DR_RCH = 0.7,1
Mbps) exhibit
a very high probability of successfully launching the relay
attack when
MAX_RW T
is high. Moreover, we observe a
stip increase in the probability for higher
DR_RCH
and a
slower increase for less powerful adversaries, which is expected
since powerful adversaries can take advantage of slight increases
in
MAX_RW T
values, while weaker adversaries are restricted
by their modest relaying capabilities. However, the adversarial
successfulness decreases rapidly when
MAX_RW T
is very
low. For
MAX_RW T < 1.5
sec the probability of a successful
attack for all adversarial strengths we tested is less than
10%
,
and negligible for DR_RCH = 0.7and 1Mbps.
Fig. 3 follows the analysis of Fig. 2 for the high-data volume.
Our model checking results are similar with those for Fig. 2 but
as expected, the increased volume of data that should be relayed
poses an additional challenge for all adversarial strengths. In this
scenario, it is only the most powerful of the adversaries (e.g.,
DR_RCH = 9,12
Mbps) that have a comparable success
probability with Fig. 2. For
MAX_RW T > 4.5
sec the
probability of attack for
DR_RCH = 9
and
12
Mbps is larger
than
50%
, which is approximately
10%
lower when compared
to Fig. 2. Furthermore we observe that performance of weaker
adversaries is even worse;
25%
for
DR_RCH = 1
Mbps, and
DR_RCH = 0.7
Mbps for
MAX_RW T > 4.5
sec. In any
case, the experimental setups show that stricter timeout values
for
MAX_RW T
reduce the probability of an adversary to
successfully launch a relay attack. This result can be used as a
countermeasure against the attack, which has been proposed in
the literature but never proven rigorously.
Figures 4 and 5 show the probability of a successful relay
attack for both experimental setups and strict
MAX_RW T
timeouts. Therefore, following our previous results we now
test the worst case scenario for the adversaries; that is low
timeout values for
MAX_RW T
. We observe that in both
setups the probability of attack decreases dramatically, even if
the adversary uses a fast relay channel of
58
Mbps. In detail,
for the low-data case scenario the probability of a successful
attack does not exceed
2.3%
when
MAX_RW T = 1000
, and
is less than
0.0025%
when
MAX_RW T = 500
msec. In
both figures it is obvious that keeping
MAX_RW T
low can
528
Figure 4. Probability of Successful attack vs Adversarial Power in worst case
scenario; low-data volume
Figure 5. Probability of Successful attack vs Adversarial Power in worst case
scenario; high-data volume
Figure 6. Probability of Successful attack vs
P KT E R
; low-data volume,
MAX_RW T = 3,6secs
eventually thwart the attack, even if the adversary uses a fast
relay channel without transmission errors (
P KT E R = 10−8
).
Finally, we test the probability of a successful attack under
the existence of transmission errors. Transmission errors may
occur when the adversary relays packets over longer distances,
where interference is expected. We studied the impact of a
P KT E R
on the low-data case, which is the worst case attack
scenario for the NFC protocol. We set
MAX_RW T = 3.6
sec in order to evaluate the impact of
P KT E R
when no strict
timeouts are used. Fig. 6 shows that the probability of the attack
becomes negligible when the probability to drop a packet due
to transmission errors is greater than 40%.
VII. OV E RV I E W
In this paper we have presented a probabilistic model
checking approach to evaluate resiliency of NFC protocol
against relay attacks. Our automated analysis can verify the
probability of a successful relay attack against NFC handshakes,
based on a defined set of characteristics that affect the attack.
By capturing system-level NFC characteristics in a formal
model within the PRISM model checker, and modeling intrusion
tactics such as a relay attack activity, we have been able
to determine the actual probability and measure the security
resiliency of NFC related to physical environment specifications
(e.g. distance between NFC Reader and Target). On top of our
probabilistic model checking approach, we have also discussed
possible countermeasures against the attack and a methodology
to configure those according to the type of the NFC application.
For our future work, we plan to extend our analysis to cover
a larger family of short range communication protocols and
explore new methods to deploy efficient countermeasures.
REFERENCES
[1]
G. Madlmayr, J. Langer, C. Kantner, and J. Scharinger, “Nfc devices: Se-
curity and privacy,” in Proc. 3rd International Conference on Availability,
Reliability and Security (ARES’08), pp. 642–647, 2008.
[2] Google Wallet, “https://wallet.google.com,” Oct. 2013.
[3] Isis Mobile Wallet, “https://www.paywithisis.com/,” Oct. 2013.
[4]
G. P. Hancke and M. G. Kuhn, “An rfid distance bounding protocol,” in
Proceedings of the First International Conference on Security and Pri-
vacy for Emerging Areas in Communications Networks, SECURECOMM
’05, (Washington, DC, USA), pp. 67–73, IEEE Computer Society, 2005.
[5]
S. Drimer and S. J. Murdoch, “Keep your enemies close: distance
bounding against smartcard relay attacks,” in Proceedings of 16th
USENIX Security Symposium on USENIX Security Symposium, SS’07,
pp. 7:1–7:16, 2007.
[6]
S. Basagiannis, P. Katsaros, and A. Pombortsis, “Synthesis of attack
actions using model checking for the verification of security protocols,”
Security and Communication Networks, vol. 4, no. 2, pp. 147–161, 2011.
[7]
I. Paparrizos, S. Basagiannis, and S. Petridou, “Quantitative analysis
for authentication of low-cost rfid tags,” in Local Computer Networks
(LCN), 2011 IEEE 36th Conference on, pp. 295–298, IEEE, 2011.
[8]
M. Kwiatkowska, G. Norman, and D. Parker, “PRISM 4.0: Verification of
probabilistic real-time systems,” in Proc. 23rd International Conference
on Computer Aided Verification (CAV’11) (G. Gopalakrishnan and
S. Qadeer, eds.), vol. 6806 of LNCS, pp. 585–591, Springer, 2011.
[9]
Marketsandmarkets.com, “Near Field Communication (NFC) Market:
Global Forecast & Analysis (2011 - 2016) - Products (NFC Chip,
Micro SD Card, Integrated SIM, Reader & Middleware), Applications
(Mobile Payment, Ticketing, Booking, Data Sharing, Access Control,
Non-Payment, Infotainment, Advertisement),” June 2013.
[10]
Jagdish Rebello, “Press Release: US Wireless Carriers Partner with Big
Credit Card Companies, Boosting Cell Phone NFC Market,” May 2011.
[11]
Z. Kfir and A. Wool, “Picking virtual pockets using relay attacks on
contactless smartcard,” in Security and Privacy for Emerging Areas in
Communications Networks, 2005. SecureComm 2005. First International
Conference on, pp. 47–58, 2005.
[12]
W. Issovits and M. Hutter, “Weaknesses of the iso/iec 14443 protocol
regarding relay attacks,” in RFID-TA, pp. 335–342, 2011.
[13]
A. Mitrokotsa, C. Onete, and S. Vaudenay, “Mafia fraud attack against
the rc distance-bounding protocol,” in Proceedings of the 2012 IEEE
RFID Technology and Applications (IEEE RFID T-A), (Nice, France),
pp. 74–79, IEEE Press, November 2012.
[14]
G. P. Hancke and M. G. Kuhn, “Attacks on time-of-flight distance
bounding channels,” in Proceedings of the First ACM Conference on
Wireless Network Security, WiSec ’08, (New York, NY, USA), pp. 194–
202, ACM, 2008.
[15]
C. J. F. Cremers, K. B. Rasmussen, B. Schmidt, and S. Capkun, “Distance
hijacking attacks on distance bounding protocols.,” in IEEE Symposium
on Security and Privacy, pp. 113–127, IEEE Computer Society, 2012.
[16]
ISO/IEC FCD 14443, “Identification Cards — Contactless Integrated
Circuit(s) Cards — Proximity Cards,” Oct. 2007.
[17]
ECMA-340, “Near Field Communication Interface and Protocol (nfcip-1),
second edition,” June 2013.
[18]
ISO/IEC 18092:2013, “Telecommunications and Information Exchange
between Systems – Near Field Communication – Interface and Protocol
(NFCIP-1),” 2013.
[19]
M. Kwiatkowska, G. Norman,and D. Parker, “Stochastic model checking,”
in Formal Methods for the Design of Computer, Communication and
Software Systems: Performance Evaluation (SFM’07), LNCS (Tutorial
Volume), pp. 220–270, Springer, 2007.
529
