I am sure that everyone has seen the commercial where users of a specific brand of smartphone are passing a video back and forth by simply touching the devices together. It is a very slick feature that obviously makes moving files between mobile devices an easy task to accomplish.
The technology being used to provide this feature is known as Near Field Communication (NFC). This same technology, which is an extension of older Radio Frequency Identification (RFID) technology, is also being integrated into other facets of our lives under the banner of convenience. Unfortunately, as with anything where convenience is the priority, there are some potential security issues that the security community has been pointing out for years. In this case we are talking about “Tap to Pay” credit cards, transit cards, and other cards that use NFC to broadcast payment information to payment terminals.
As previously mentioned, NFC is an extension of RFID technology. RFID technology, typically used to track inventory, is (I am oversimplifying here) essentially a small radio transmitter that requires little to no power. The main difference, which according to many NFC vendors is a security feature, is that RFID allows for longer-range transmission than NFC. Essentially, NFC will work when the devices are inches apart, while RFID can work when they are meters apart. If you want the real geeky details on exactly how NFC works, I suggest that you give the ISO standard (ISO 18092) a read.
To read an NFC transmission, or even an RFID one for that matter, one simply needs a receiver that is within range of the transmitting device. I would like to tell you that this transmission is performed over cryptographically secured channels, or that only an authorized receiver may pick up the transmission, but unfortunately this is not always the case.
This week we had an opportunity to talk with KOMO TV News reporter Matt Markovich about NFC technology and some of the risks it presents when used as a payment mechanism. I would say that my impression of Matt was that he is more technical than most reporters I have worked with in the past, as when he approached Leviathan for assistance on his story he already had a working test case that helps prove the threat.
What Matt was proving (video below) was that this technology of convenience is not secure against eavesdropping or interception. Essentially, a “bad guy” can build his own receiver and, as long as he is within the necessary range, read the transmission coming from the NFC-enabled card. In Matt’s test case he uses Visa credit cards; however, with a bit of customization work this can be extended to read other types of NFC-enabled cards, such as transit passes and door locks.
When watching the video, remember that no vulnerability is being exploited; this is simply leveraging a feature of the technology, not a bug. NFC is, after all, simply a radio transmitter, and there is no access control or authorization required to accept that radio transmission.
It is also important to understand that this is different from some of the ways we have seen RFID technology leveraged by attackers. In the past, attackers have built low-cost devices like this Proxmark one pictured below to read RFID-enabled devices;