NFC: A Convenient Mobile Payment Platform, or Fraudsters’ Playground?
Nitesh Saxena
Computer and Information Sciences
University of Alabama at Birmingham
Security and Privacy In Emerging Systems (SPIES) group http://spies.cis.uab.edu
Center for Information Assurance and Joint Forensics Research (CIA|JFR)
http://thecenter.uab.edu/
Outline
Background: What NFC is
NFC Applications: What all one could do with it
NFC Attacks/Fraud: What all can go wrong
NFC Defenses: How things could be fixed
RFID System Overview
[Diagram labels: reading signal, ID, back-end database, Reader, Tag]
An RFID system usually consists of RFID tags and readers and a back-end server. Tags are miniaturized wireless radio devices that store information about their corresponding subject, such as a unique identification number. Readers broadcast queries to tags in their radio transmission ranges for information contained in tags and tags reply with such information.
(Some) RFID Applications
Near Field Communication (NFC)
NFC technology enables smart phones to have RFID tag and RFID reader functionality
Phones can be used as payment tokens
Next generation of payment system
For example, Google Wallet App uses this function
Already deployed in many places
Just like RFID, it uses wireless radio communication
Outline
Background: What NFC is
NFC Applications: What all one could do with it
NFC Attacks/Fraud: What all can go wrong
NFC Defenses: How things could be fixed
NFC Applications
Google Wallet ISIS
Google Wallet Vision
NFC Applications
Patient Id+Mobile Ticket Purchase – Austrian Federal Railways
NFC Applications
NFC Tags Sharing
Other Applications
Interactive Experience
NFC at Museum of London
Posters / Replacement to QR Codes
Productivity (Phone Use Cases)
Automatic Pairing with Bluetooth
Connect to Wifi
Make a Call/Text to a number
Change settings automatically
Check ins / Locations / Other social activity
Open Apps
SleepTrak (health monitoring)
…MANY MANY more
Outline
Background: What NFC is
NFC Applications: What all one could do with it
NFC Attacks/Fraud: What all can go wrong
NFC Defenses: How things could be fixed
The RFID Privacy Problem
Good tags, Bad readers
500 Euros in wallet
Serial numbers: 597387, 389473, …
Wig model #4456 (cheap polyester)
30 items of lingerie
Das Kapital and Communist-party handbook
Viagra medical drug #459382
NFC Privacy Problem
Should you worry?
NFC is near field (one has to tap to read!)
Yes, unfortunately
Researchers have shown that it is possible to eavesdrop on NFC signals from a distance larger than its typical communication range [Kortvedt-Mjølsnes; 2009]
The NFC Privacy Problem
Good tags, Bad readers
UAB Office Building Access Card
Chase Bank ATM Card
Doctor’s Prescription
Porn Movie Ticket
US Bank Credit Card
The RFID Cloning Problem
Good readers, Bad tags
500 Euros in wallet
Serial numbers: 597387, 389473, …
Wig model #4456 (cheap polyester)
30 items of lingerie
Das Kapital and Communist-party handbook
Viagra medical drug #459382
Counterfeit!!
The NFC Cloning Problem
Good readers, Bad tags
UAB Office Building Access Card
Chase Bank ATM Card
Doctor’s Prescription
Porn Movie Ticket
US Bank Credit Card
Relay Attack I: Ghost-and-Leech
[Diagram labels: query (×3), response (×3)]
Relay Attack II: Ghost-and-Reader
Malicious Reader
Ghost
Authentic Reader
Server
Variant of a Man-in-the-Middle attack [Drimer et al., 2007]; demonstrated live on Chip-and-PIN cards
Reader and Ghost Relay Attack
Fake reader relays information from legitimate NFC tag to “Ghost”
relays information from the legitimate tag to fake tag
“Ghost” relays received information to a corresponding legitimate reader
Happens simultaneously while user performs transaction with legitimate NFC tag
But for a higher amount
Impersonating a legitimate NFC tag without actually possessing the device
While at a different physical location
NFC Malware Problem
Youtube video: http://www.youtube.com/watch?feature=player_detailpage&v=eEcz0XszEic
Outline
Background: What NFC is
NFC Applications: What all one could do with it
NFC Attacks/Fraud: What all can go wrong
NFC Defenses: How things could be fixed
The NFC Privacy Problem
Good tags, Bad readers
UAB Office Building Access Card
Chase Bank ATM Card
Doctor’s Prescription
Porn Movie Ticket
US Bank Credit Card
The NFC Cloning Problem
Good readers, Bad tags
UAB Office Building Access Card
Chase Bank ATM Card
Doctor’s Prescription
Porn Movie Ticket
US Bank Credit Card
Relay Attack I: Ghost-and-Leech
[Diagram labels: query (×3), response (×3)]
Selective Unlocking
Promiscuous reading is to blame
Currently, NFC supports selective unlocking via PIN/passwords
Works in practice but passwords are known to have problems especially in terms of usability
Our approach – gesture-enabled unlocking
Relay Attack II: Ghost-and-Reader
Malicious Reader
Ghost
Authentic Reader
Server
Variant of a Man-in-the-Middle attack [Drimer et al., 2007]
Authentication is not Enough
Alice’s device must authenticate the whole transaction
So Alice’s phone knows that the reader charges $250
But Alice doesn’t
The big screen on the malicious reader says $5
Even if phone displays the correct amount, Alice may not look at it
Or make a mistake due to rushing
Our Approach: Proximity Detection
A second line of defense rather than relying upon the user
Verify phone and reader are in same location
Each device measures local data with sensor
We use ambient audio
Send authenticated data to server
Server checks that the data is the same in both measurements
Or at least similar enough
Then approves the transaction
Advantages of our Approach
Does not require explicit user action
Does not change traditional NFC usage model
Extremely difficult for attacker to change environmental attributes
Geographical location not sent to server
users’ location privacy is protected (unlike the use of GPS coordinates)
Compatible with current payment infrastructure
Implementation and Evaluation
Sensor data collected by two devices in close proximity
Capture audio from cell phone’s built-in microphone (two Nokia N97 phones)
Recorded 20 consecutive segments from two sensors simultaneously at different pairs of locations
At 5 different locations
Detection Techniques
Techniques based on time, frequency or both:
In both domains tested:
Euclidean distance between signals
Correlation between signals
Combined method: frequency distance and time-correlation
Best results achieved for combined time-frequency based method
Time-Frequency Distance Technique
Our new Time-Frequency-based technique
Calculating distance between two signals:
Calculate Euclidean distance between frequency feature vectors
Calculate Time-based correlation between signals
Distance defined as DC = 1 - Correlation
Both distances combined for classification
Combined as a 2-D point in space
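An added example, not code from the talk or the ESORICS paper, of the time-frequency distance outlined on this slide: a Euclidean distance between frequency feature vectors and DC = 1 - Correlation, combined as a 2-D point. The DFT band, the lag window, the fixed threshold standing in for the trained classifier, and the synthetic "ambient audio" recordings are all assumptions constructed for illustration.

```python
import cmath, math, random

def spectrum(x, bins=32):
    """Unit-norm magnitudes of DFT bins 1..bins (the frequency feature vector)."""
    n = len(x)
    mags = [abs(sum(v * cmath.exp(-2j * math.pi * k * t / n)
                    for t, v in enumerate(x))) for k in range(1, bins + 1)]
    norm = math.sqrt(sum(m * m for m in mags)) or 1.0
    return [m / norm for m in mags]

def pearson(x, y):
    """Pearson correlation coefficient of two equal-length sample lists."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    num = sum((a - mx) * (b - my) for a, b in zip(x, y))
    den = math.sqrt(sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y))
    return num / den if den else 0.0

def tf_distance(x, y, max_lag=8):
    """Return the 2-D point (D_F, D_C) for two recordings of equal length."""
    fx, fy = spectrum(x), spectrum(y)
    d_f = math.sqrt(sum((a - b) ** 2 for a, b in zip(fx, fy)))
    # Assumption: take the correlation peak over small lags, because the two
    # devices do not start recording on exactly the same sample.
    n = len(x)
    peak = max(pearson(x[max(l, 0):n + min(l, 0)], y[max(-l, 0):n - max(l, 0)])
               for l in range(-max_lag, max_lag + 1))
    return d_f, 1.0 - peak

def same_location(x, y, threshold=0.25):
    """Threshold on the squared distance; a constructed stand-in for the
    trained classifier, with an illustrative threshold value."""
    d_f, d_c = tf_distance(x, y)
    return d_f ** 2 + d_c ** 2 < threshold

def record(tones, rng, n=256, noise=0.1, shift=0):
    """Constructed capture: ambient tones (bin, amplitude) plus device noise."""
    return [sum(a * math.sin(2 * math.pi * f * (t + shift) / n) for f, a in tones)
            + rng.gauss(0, noise) for t in range(n)]

rng = random.Random(7)                       # fixed seed: reproducible samples
CAFE, STREET = [(5, 1.0), (12, 0.5)], [(9, 1.0), (20, 0.5)]
phone = record(CAFE, rng)                    # victim's phone
reader_near = record(CAFE, rng, shift=3)     # reader beside the phone
reader_far = record(STREET, rng)             # reader at a relayed, remote site

if __name__ == "__main__":
    print(same_location(phone, reader_near), same_location(phone, reader_far))
```

With real microphone captures the threshold would be replaced by a classifier trained on labelled same-location and different-location pairs, as the later slides describe.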
Test Results
Time-Frequency distance measure:
Numbers are distance measured squared
Detection Techniques
Used simple classifier to detect samples taken at the same locations
Simple-Logistics classifier from Weka
10-Fold classification:
Data divided into 10 groups, 9 used for training, one for testing
Input to the classifier: Time-Frequency distance measure squared
Results
Our tests showed perfect classification:
False Accept Rate = 0% and False Reject Rate = 0%
High level of security and usability
Conclusions from Proximity Detection
Designed a defense for the Reader-and-Ghost attack
Promising defense
without changes to the traditional RFID usage model
without location privacy leakage
also applicable to sensor-equipped RFID cards
Audio is a stronger signal compared to light
More experiments are planned in the future
Paper: ESORICS [Halevi et al.; 2012]
Media Coverage: Bloomberg, ZDNet, NFCNews, UAB News, etc…
NFC Malware Problem
Youtube video: http://www.youtube.com/watch?feature=player_detailpage&v=eEcz0XszEic
Malware Protection via Gestures
Malware actions are software-generated
Legitimate actions, on the other hand, are human-generated
Human gestures will tell the OS whether an access request is benign or malicious
Luckily, for NFC, a gesture that can work is “tapping”
An explicit gesture could also be employed
Tap-Wave-Rub (TWR) Gestures
Phone Tapping: accelerometer
Waving/Rubbing/Tapping: proximity sensor
Waving: light sensor
TWR Enhanced Android Permissions
Initial Results
Phone Tapping (accelerometer)
Tap/wave/rub (proximity sensor)
Conclusions from TWR
Initial results are promising
The approach is applicable for protecting any other critical mobile device service
SMS, phone call, camera access, etc.
TWR gestures are also ideal for selective unlocking
Take Away from the Talk
NFC is a promising new platform with immense possibilities
However, a full deployment requires careful assessment of security vulnerabilities and potential fraudulent activities
Many vulnerabilities similar to RFID
Except Malware – a burgeoning threat to NFC
Other attacks possible – such as phishing via malicious NFC tag
Security solutions need to be developed and integrated with NFC from scratch
Research shows promise
Phone is almost a computer; so lot could be done (unlike RFID)
User convenience or usability is an important design metric when developing security solutions
Acknowledgments
Students – the SPIES
Jaret Langston, Babins Shrestha, Tzipora Halevi, Jonathan Voris, Sai Teja Peddinti, Justin Lin, Borhan Uddin, Ambarish Karole, Arun Kumar, Ramnath Prasad, Alexander Gallego
Other Collaborators
More info: http://spies.cis.uab.edu
http://spies.cis.uab.edu/research/rfid-security-and-privacy/
Thanks!