Friday, December 30, 2016

Convenience is More Important than Security with NFC

Welcome to the wonderful world of NFC or Near Field Communications as this is what lets you wave your credit card or your iPhone, etc and that's sufficient for recognition, making a payment, or whatever other demented application you have for it.

Ostensibly, NFC will only work within a range of about ten cm or four inches.

As with proximity card technology, near-field communication uses magnetic induction between two loop antennas located within each other's near field, effectively forming an air-core transformer.  It operates within the globally available and unlicensed radio frequency ISM band of 13.56 MHz.  Most of the RF energy is concentrated in the allowed ±7 kHz bandwidth range, but the full spectral envelope may be as wide as 1.8 MHz when using ASK modulation.

Theoretical working distance with compact standard antennas: up to 20 cm (practical working distance of about 10 cm).




You know that limit is crap but you do it anyway, don't you.

The RF signal for the wireless data transfer can be picked up with antennas.  The distance from which an attacker is able to eavesdrop the RF signal depends on multiple parameters, but is typically less than 10 meters.  Also, eavesdropping is highly affected by the communication mode.  A passive device that doesn't generate its own RF field is much harder to eavesdrop on than an active device.  An attacker can typically eavesdrop within 10 m and 1 m for active devices and passive devices, respectively.

Because NFC devices usually include ISO/IEC 14443 protocols, relay attacks are feasible.  For this attack the adversary forwards the request of the reader to the victim and relays its answer to the reader in real time, pretending to be the owner of the victim's smart card.  This is similar to a man-in-the-middle attack.  One libnfc code example demonstrates a relay attack using two stock commercial NFC devices. This attack can be implemented using only two NFC-enabled mobile phones.


- WIKI

Yah, that's within thirty feet for the metrically-challenged.  Tell me again how it's no problem with commercially-available Stingray devices and analogous devices which harvest data from cellphones at will.  I so love that fairy tale.   Noooo possible problem there because if good guys have malevolent hardware like that then bad guys never will ... or some type of twisted logic of that nature which makes no sense whatsoever.

Note:  you may have noticed some vendors offering shielded wallets to prevent reading your cards this way.  Unknown efficacy but I know they're available.


Here's a bit more on the matter from Random Oracle:  What is wrong with Apple Pay? NFC and cross-channel fraud (1/2)


The hacker view of NFC is why any talk of security gets my jiggy all wiggy because of buggy Thuggee pols who go flipshit over Russian hackers jerking an election which was already jerked.

You're telling me you believe Russian hackers, assuming they even exist, mean anything whatsoever when this NFC rubbish happens millions of times per day and who knows how much of it gets hacked.  You're seriously telling me security matters to you?

Excuse me but I don't fookin' believe you.

No comments: