Paper 2011/618

Practical Relay Attack on Contactless Transactions by Using NFC Mobile Phones

Lishoy Francis, Gerhard Hancke, Keith Mayes, and Konstantinos Markantonakis

Abstract

Contactless technology is widely used in security sensitive applications, including identification, payment and access-control systems. Near Field Communication (NFC) is a short-range contactless technology allowing mobile devices to act primarily as either a reader or a token. Relay attacks exploit the assumption that a contactless token within communication range is in close proximity, by placing a proxy-token in range of a contactless reader and relaying communication over a greater distance to a proxy-reader communicating with the authentic token. It has been theorised that NFC-enabled mobile phones could be used as a generic relay attack platform without any additional hardware, but this has not been successfully demonstrated in practice. We present a practical implementation of an NFC-enabled relay attack, requiring only suitable mobile software applications. This implementation reduces the complexity of relay attacks and therefore has potential security implications for current contactless systems. We also discuss countermeasures to mitigate the attack.

Note: An improved version.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published elsewhere. in submission
Keywords
relaypractical relayRFIDNear Field Communication (NFC)mobile phonecontactlesssmart cardISO 14443paymentsidentificationaccess controltransactionsproximitypractical implementationsecurity attackcountermeasure.
Contact author(s)
lishoy @ gmail com
History
2012-02-24: revised
2011-11-21: received
See all versions
Short URL
https://ia.cr/2011/618
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2011/618,
      author = {Lishoy Francis and Gerhard Hancke and Keith Mayes and Konstantinos Markantonakis},
      title = {Practical Relay Attack on Contactless Transactions by Using {NFC} Mobile Phones},
      howpublished = {Cryptology {ePrint} Archive, Paper 2011/618},
      year = {2011},
      url = {https://eprint.iacr.org/2011/618}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.