Researchers at the University of Surrey have shown that the much-vaunted near-field communications systems being rolled out for contactless card transactions could possibly be 'hacked' at the point-of-sale using inexpensive, rudimentary technology.
You stop off at a supermarket on your way home from work to buy some food for the evening meal. The store is packed with other customers, as is usual for a weekday evening. You fill your basket and join the queue at the checkout.
Behind you is a man wearing thick glasses and dressed in a worn jacket, pushing his trolley containing a six-pack of cola, some chocolate bars and a couple of pre-packed chicken sandwiches; you might wonder why he needs a trolley when he is buying so few items. Perhaps to provide enough space for his rucksack that has been plonked in the trolley alongside them.
As you finally approach the checkout, you contently pull your brand new contactless card out of your wallet, happily thinking that with the whizzy near-field communications (NFC) technology your purchase will be completed effortlessly and quickly.
Little do you know that inside the aforementioned rucksack is a simple radio receiver, half the size of a shoe box, secretly connected with a piece of wire to the trolley that serves as an improvised, though highly-efficient, antenna, capable of intercepting the exchange of data between your bank card and the payment terminal. As you are waving your card around the reader, the owner of the laptop-concealing rucksack is smiling - in a couple of minutes he will see displayed on his own screen all the data your contactless card has sent to the terminal.
An eavesdropping technique similar to that described above, targeting devices using the NFC standard, has recently been tested, providing rather disconcerting results. A team of researchers from the Department of Computing at the University of Surrey have shown NFC data transmission between a card and a reader can be intercepted at a distance of up to 60cm – with almost 100 per cent accuracy, it claims.
More worrying from the research is that to achieve such results, all a local hacker would need is a loop of wire, a cheap off-the-shelf radio receiver, and a laptop equipped with a digital acquisition card. Their findings – 'Eavesdropping near-field contactless payments: a quantitative analysis', by Johann Briffa, Thomas Diakos, Tim Brown, and Stephan Wesemeyer – published in the latest issue of The IET's The Journal of Engineering, present an assessment of how successful an eavesdropping attack on a contactless payment transaction can be in terms of bit and frame error rates, using an easily concealable antenna and low-cost electronics.
"In this study, we have proved what researchers have been talking about for some time – that contactless design in itself is by no means a security feature," warns Briffa. "Despite the fact that the NFC standard officially requires about 5cm, we have managed to receive the same information as the terminal at the distance of 50 to 60cm."
Although the reliability of the interception decreases with the distance, in the 50-60cm range almost 100 per cent of the eavesdropping attempts performed by the researchers were successful.
The team believes there is reason to worry. Since 2011, when Mastercard certified its PayPass technology, integrating unpowered NFC chips, or tags, into its first credit and debit cards, millions of NFC-enabled cards have been issued worldwide, some 23 million in the UK alone.
Checking out new ways to pay
The UK payment industry is certainly heading towards a future of cashless purchasing, but the contactless payment technology is surrounded with concerns and reservations.
Also dubbed 'wave and pay' or 'tap and go', contactless payment offers consumers a different method of paying for lower-valued goods, priced at £20 and under. Ironically, though, 'contactless' does not always mean contactless. Transactions require close and sometimes physical contact using a contactless-enabled card or NFC-enabled smartphone over a contactless reader.
In the UK many fast-food and beverage chains, such as McDonald's, Starbucks and Nando's, have installed contactless readers in the last two years. Other retailers already accepting contactless payment include Ikea, Boots, the Post Office and WH Smith, and even the M6 motorway toll.
Credit card companies have issued their own contactless offerings including Mastercard's PayPass and Visa's PayWave, while Barclaycard has taken things a step further and released PayTag – an NFC-equipped sticker that can turn any mobile phone into a contactless payment device. Mobile phone vendors such as HTC, Samsung, Google and LG have manufactured NFC-enabled handsets as an alternative method of payment.
Smartphones, tablets and other mobile devices equipped with the NFC technology account for 13.32 per cent of worldwide Web traffic; and smartphone-based digital wallets linked to users' bank accounts relying on NFC data transmission are largely considered to be the next trend in finance (see E&T Vol 8 Issue 7).
"We are integrating NFC and other such similar technologies into more and more aspects of our everyday lives," says James Lyne, global head of security research at Sophos. "The drive for convenience has produced a myriad of use cases to connect the physical and digital world. While some of these cases are fantastic and innovative, they do put more of our data at risk and increasingly give attackers more control over physical systems."
Scoping the method
In the past, various teams have proven that listening-in on NFC data transmission is possible from a distance of up to six metres; however, these teams have mostly used expensive and voluminous equipment. Clearly, a one-metre thick antenna would be quite difficult to conceal in even a large rucksack. The simplicity of the technology used by the University of Surrey team and the rigorous reliability testing is what makes their results all the more significant, according to Briffa.
"The novelty of our work was that we have focused on equipment that is portable and inexpensive, and also that we systematically analysed the reliability," he explains. "We did not just check that we can receive the data, we checked how reliably we can receive it; in other words, how often would we receive the correct data without any errors."
Potential success of an eavesdropping attack largely depends on the correct recovery of the data frames used in the ISO 14443 standard (now the most common mode for contactless payments). An NFC inductive loop antenna was used to emulate an ISO 14443 transmission. For eavesdropping, an identical inductive loop antenna, as well as a shopping trolley modified to act like an antenna, were used.
As well as the trolley, the University of Surrey team also worked with various basic antenna designs – a 10cm-long wire-wrapped plastic cylinder and a simple loop of wire. In a laboratory, the researchers set up NFC data transmission according to the ISO 14443 standard – now the most common mode for contactless payments – and tried to listen in on the signal with their homemade antennas.
During the one-day experiment, the receiving antennas were gradually moved further away from the transmitting antenna up to a distance of 120cm. The antenna, connected to the receiving circuit, passed the signal through a commonly available off-the-shelf receiver, amplifying and filtering the signal to make it clearer.
The researchers focused on the uplink data – those transmitted from the card to the terminal – as it is more likely to contain information that is useful for the hacker. The filtered and amplified analogue signal was captured using a desktop-based digital acquisition system. The assumption was a wireless hacker would capture a number of transmissions and decode them later.
Harvesting the hacked data
If all goes to plan, you're left with a selection of credit card data, but the question remains – what can you really do with it? Or in other words, what would the hacker from your local supermarket really get out of those hours he spends roaming the aisles and queuing at the checkout with a receiver in his rucksack?
Briffa says that he and his team do not know the answer yet, but finding out will form the next step of their research. "What we saw was an example of the eavesdropped signal," he adds. "What this signal contains would depend on the actual transaction taking place and that's something we are analysing right now."
Even at this stage, he believes there are lessons to be learned from the study that might be of interest to companies developing NFC applications and devices. "The most important message that can be taken from our study is that it is important for designers who use this technology to take into account privacy issues, to take into account security issues," he says.
"It's important for designers of NFC applications to realise that the short-range nature of it cannot be used as a security feature. One must take into account that a determined eavesdropper can receive the data, so it's important for these designers to make sure that their protocols work reliably and securely, even under these conditions."
Neil Garner, CEO of Proxama, a company developing platforms for NFC-based commercial applications such as mobile wallets, says that developers are well aware of these weaknesses and have the issue under control. "The knowledge that something like this could be technically feasible has been around for quite a while," he believes. "The community was first discussing it after biometric passports were introduced. These electronic passports rely on the same contactless technology, and many people were concerned someone could actually read data from these passports from afar and use it to create clones."
Garner acknowledges the value of the University of Surrey research, but says that NFC, although still in the early stages of development, is actually much safer than conventional cash, and the bad publicity it receives is largely unfair. "In the early days of contactless cards, some banks issued them incorrectly and placed information about the cardholder on them that might have been abused by someone but that's no longer the case," he explains. "There is barely anything useful you could do with the eavesdropped data from these transactions today, as they are encrypted and contain information related to that particular transaction."
To get anything out of his efforts, a hacker would have to be able to use the data immediately, before the bank approves the transaction, as it wouldn't accept the same cryptogram twice. Moreover, the intercepted sequence contains information about the exact amount to be paid, which, with contactless, amounts to no more than '20.
"Any hacker [interested in this particular attack vector] would be better-off moving to the US and focusing on cloning magnetic strips of cards that are still commonly in use there," Garner jokes. "Magnetic cards – far less secure than contactless or chip-and-pin – have already been largely replaced in Europe. However, there are places, such as the US, where they are still common."
Other NFC vulnerabilities
However, hackers are resourceful and have shown their ability to find flaws in the most intricate and seemingly well-safeguarded systems. At the 2012 Black Hat conference in Las Vegas, Accuvant Labs' principal research consultant Charlie Miller surprised the audience with a live demonstration of security shortcomings in the NFC technology integrated into smartphones.
By simply tapping two handsets together, he initiated a peer-to-peer NFC session, gaining unauthorised access to the targeted phone, running a code which allowed him to load a malicious webpage onto the device without having to request permission.
In another demo, Miller managed to exploit connections between NFC devices and Bluetooth components of the Nokia N9 to activate a handset, and install and execute files including a Microsoft PowerPoint presentation.
In the case of contactless cards, some have warned that as these cards respond to any device generating magnetic field capable to power them up, a random attacker can extract information from the card including the 'unique identifiers' that could be used to track the device owner.
Briffa says that there may be practically nothing that individual NFC users can do to protect themselves against eavesdropping. "When the contactless device is not in use, for example if it is an NFC-enabled mobile phone, one thing that can be done is to switch the NFC off until it is needed," he says. "In the case of cards, wallets exist that act as Faraday cages and shield the device against the radio transmission. But the problem that we have found is what happens during an actual transmission and obviously, at this point, the device has to be operative."
The full paper, 'Eavesdropping near-field contactless payments: a quantitative analysis', was published in the IET's The Journal of Engineering (www.thejournalofengineering.org). It can be downloaded for free at http://bit.ly/HwefHG
Additional reporting by James Hayes and Aasha Bodhani.