Information Security Vulnerabilities of NFC Technology and Improvement Programs

Zining Wang
Beijing-Dublin International College at BJUT, Beijing University of Technology, Beijing, China
jasmine_wzn@163.com
ABSTRACT
NFC is a recent development of Radio-Frequency Identification (RFID) technology. In recent years it has spread extremely fast because of its portability and practicality. At the same time, however, criminals have begun to look for the security weaknesses of this new technology. To avoid attacks, one should understand the mechanism of each threat and base the protection work on that understanding. This paper presents some common threats to the NFC transmission process, namely eavesdropping, transmission interference and data distortion. Because the underlying problems are shared with other information technologies, it is practical to reuse techniques and applications that have already been developed elsewhere to solve NFC information security problems. Hence encryption is proposed against illegal access to private information, and the feasibility of applying Quality-of-Service-based transmit beamforming and the Faraday cage against signal disturbance is discussed. The discussion shows that, depending on the mechanism of the different transmission stages, these methods can play different roles in solving specific problems.

CCS Concepts
• Security and privacy ➝ Cryptanalysis and other attacks.

Keywords
NFC; Information Security; Encryption; Signal Transmission.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Permissions@acm.org.
ICISS '18, April 27–29, 2018, Jeju, Republic of Korea
© 2018 Association for Computing Machinery. ACM ISBN 978-1-4503-6421-8/18/04…$15.00
https://doi.org/10.1145/3209914.3226165

1. INTRODUCTION
Near field communication (NFC) is a short-distance wireless communication technology that can be implemented on mobile devices (ISO/IEC 18092, 2004). It is a development of RFID (Radio-Frequency Identification) technology: information is transmitted by holding a device near an NFC sensor device instead of physically connecting the two. NFC transmission relies on the magnetic field produced by the NFC devices; a device can either generate a field or be influenced by another device's field. There are therefore two operating modes, active and passive, which differ in whether a device generates the radio-frequency field itself or not (Haselsteiner and Breitfuß, 2006). In the active mode the device behaves like a contactless smart card reader: it can receive data transmitted by other devices or perform peer-to-peer communication. In the passive mode the device is treated as a contactless smart card (Francis, Hancke, Mayes and Markantonakis, 2010). Additionally, all NFC devices follow a message-and-reply principle: the passive device cannot reply to the device that started the exchange before it has received a message from it (Haselsteiner and Breitfuß, 2006).

The main part of an NFC device is the RFID microchip used for data transmission, usually called an RFID tag (Juels, 2006). The tag works like a label attached to goods or people, and NFC devices recognise each other by their tags. A device with NFC switched on acts as an interrogator that generates a signal. If another device is close enough to the interrogator, its tag is powered by that signal, so an NFC tag can be activated without a power supply of its own. The two devices then establish a high-frequency NFC field through which information is transmitted between the initiator device and the NFC tag. NFC tags come in four types, numbered 1 to 4, whose capabilities differ between standards and systems. The communication type of a tag must therefore be identified first by a validation message; if it matches, the interrogator delivers its instruction. The tag in turn checks the validity of the instruction and executes it only if it is permitted.

NFC is a practical function that has driven a great deal of mobile phone usage (Coskun, Ozdenizci and Ok, 2013). One common use is as an entrance key: people find it lighter and quicker than traditional keys for houses and vehicles. Another is electronic payment. As e-commerce has become popular, money and goods circulate faster than before, and there is an urgent need for a quick and convenient way to manage merchandise and remote payments. NFC is an obvious candidate. In the early stages of e-commerce, scanning barcodes and QR codes was the primary method, but these cannot provide unique identification and offer less automation than RFID technology (Juels, 2006). On the one hand, barcodes can only carry basic information about a commodity, whereas RFID gives each item a unique tag, which makes store management far more efficient. On the other hand, barcodes and QR codes require line-of-sight between the devices, which costs a lot of labour; NFC does not, since the operation is completed simply by waving one device near the other.

Nevertheless, the rapid development of NFC technology demands that security technology keep up with it. Combining NFC with e-commerce means that private information has to be tied to the smart phone. For instance, people who want to pay with NFC must bind their bank cards to their phones, and when they hold the phone in front of an NFC terminal a link is created between their cards and the payment network. That means card information is exposed in a big
network and it is more likely to face high risk. Although NFC is an information technology with a high security level, there are still many threats during data transmission: both an unstable network environment and malicious devices with illegitimate authority can cause information leakage. More broadly, it is not only private information that faces this challenge; official secrets may also be attacked, since NFC technology is likely to be applied in high-security settings as well (Zhang and King, 2005). Hence the security of radio technology and of the information network deserves close attention.

This article focuses only on the security problems of NFC technology in daily life. The next section describes the main security problems of NFC in detail, and Section 3 sets out some methods for improving them on the basis of NFC's features. The common NFC attacks and their potential countermeasures are then discussed in Section 4, and the last section gives a brief conclusion of the whole paper and suggests some directions for future work.

2. THREATS
The applications of NFC in daily life certainly bring people a lot of convenience. However, it cannot be denied that attacks on information security have appeared along with NFC's popularity. Based on the characteristics of NFC, attackers have found flaws and worked out many attack plans against its vulnerabilities. This section introduces some common information security issues together with the way they are carried out.

2.1 Eavesdropping
Eavesdropping is the most common attack on an information signal, since NFC is a form of contactless communication: it is easy for a malicious device to overhear private information during a transaction.

When two NFC devices communicate with each other they rely on a radio-frequency field, and this gives attackers the chance to listen to the content with a receiver such as an antenna. The attacker does not even need to search for the right local-oscillator frequency, because NFC uses a fixed 13.56 MHz carrier (ISO/IEC 18092, 2004); a receiver tuned to that frequency can demodulate the captured signal directly. What limits the attacker is signal strength: a passive device replies by load-modulating the reader's field, which is far weaker than the field generated by an active device, so the two directions of a transaction can be overheard from very different distances (Haselsteiner and Breitfuß, 2006). Alternatively, the attacker may analyse the characteristics of the magnetic field between the two NFC devices to recover the tag data and the transmitted information.

The result that people worry about most is bank card information leakage. In June 2013 a credit card fraud case was reported in Britain (MANA, 2013): the criminals only had to hold their phones near the victims' cards, and within a few minutes they had obtained card details that could be used for online shopping or for answering security questions.

There is indeed a limit on the distance between two NFC devices, typically not more than 10 cm. However, an attacking device does not need to capture the whole exchange to retrieve useful signal, and there is as yet no clear upper bound on the distance from which criminals can recover usable RF signals (Burke, McDonald and Austin, 2000).

2.2 Transmission Interference
While information signals are being conveyed, the data may be intercepted or corrupted, and its value is lost. The attacker's usual aim is to confuse the reader about the information.

The easiest way to disturb the original signal is to send noise into the broadcast channel. Unwanted frequencies added to the information signal at the right moment produce harmonic components in the spectrum of the receiver's input signal. Choosing the right moment, however, requires a correct analysis of the modulation scheme used in the transmission.

Useless signals can also result from channel blockage, and an abnormal network environment may cause a service exception on the end devices.

2.3 Data Distortion
Data distortion is also called data modification: the transmitted data is illegally changed, but the receiver can still interpret it. The main difference between data distortion and data corruption is that after distortion the information is still usable at the receiver.

This is a less common threat because of the complexity of carrying it out. Criminals use specific software to scan NFC tags and readers and learn the security protocol between the two end devices; by responding to the reader they can then break the encoding scheme and modify the transmitted signal, so that the information is tampered with. For example, a few years ago the AVL mobile security team found that some people had tried to change the balance of public transport cards with a malicious NFC attack app (AVLTeam, 2014). They only needed to hold a smart phone close to a card and the balance information was changed. If the same technique is used to steal information from other cards, the consequences can be worse.

As explained in the last section, once a tag is powered it receives the instruction and checks its validity. When the tag responds to the reader's signal, it can also offer a content-editing function: the tag supports write operations, including writing text records, URL and URI records, and formatting the tag. An attacker can therefore write malicious content into the signal, the tag stores it, and the tag's content is changed. As a result, the next time NFC is triggered a dangerous URL may be opened in the browser by the tampered tag, and a Trojan may be downloaded automatically.

3. STRATEGIES
Countermeasures to these serious threats to NFC transmission emerge as the need arises.

NFC is a new technology developed from older ones, so a number of protection methods for RFID or for encrypted transmission can be adapted to NFC. Based on the NFC transaction mechanism, the adapted methods can be applied to protecting signal integrity, data transmission and device tags. This section discusses how those protection methods work and how to implement them for NFC security.

3.1 Encryption
Encryption is the most common and the most secure choice for securing data transmission. It protects information privacy and, combined with an integrity check, data completeness. There are many ways to realise encryption; this section describes two frequently used methods and how to combine them with NFC devices.
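What the tag-rewriting attack of Section 2.3 looks like at the byte level, as an added example in Go that is not from the paper: it encodes and parses the NFC Forum URI record that an NDEF tag carries, shows that a rewritten record is indistinguishable from a genuine one because the record format itself carries no integrity protection, and adds the reader-side check a phone app should perform before following a URI from a tag. The hosts www.example.com and malware.example.net and the paths are constructed for the demonstration, and the prefix-code table covers only codes 0x00 to 0x06 of the full table.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// uriPrefixes holds the NFC Forum URI record prefix codes 0x00..0x06
// (0x00 = no abbreviation); the full table has more entries.
var uriPrefixes = []string{"", "http://www.", "https://www.", "http://", "https://", "tel:", "mailto:"}

// EncodeURIRecord builds one short NDEF record: header 0xD1 = MB|ME|SR with
// TNF=1 (well-known type), type "U", payload = prefix code byte + remainder.
func EncodeURIRecord(uri string) ([]byte, error) {
	code := 0
	for i := 1; i < len(uriPrefixes); i++ { // longest matching prefix wins
		if strings.HasPrefix(uri, uriPrefixes[i]) && len(uriPrefixes[i]) > len(uriPrefixes[code]) {
			code = i
		}
	}
	payload := append([]byte{byte(code)}, uri[len(uriPrefixes[code]):]...)
	if len(payload) > 255 {
		return nil, errors.New("payload too long for a short record")
	}
	return append([]byte{0xD1, 0x01, byte(len(payload)), 'U'}, payload...), nil
}

// DecodeURIRecord parses a short NDEF URI record back into the full URI.
// Nothing in the format lets the reader tell who wrote the record.
func DecodeURIRecord(rec []byte) (string, error) {
	if len(rec) < 5 {
		return "", errors.New("record too short")
	}
	flags := rec[0]
	if flags&0x10 == 0 || flags&0x08 != 0 || flags&0x07 != 1 {
		return "", errors.New("unsupported record header (need SR=1, IL=0, TNF=1)")
	}
	typeLen, payloadLen := int(rec[1]), int(rec[2])
	if typeLen != 1 || rec[3] != 'U' || len(rec) != 4+payloadLen {
		return "", errors.New("not a well-formed URI record")
	}
	payload := rec[4:]
	if payloadLen < 1 || int(payload[0]) >= len(uriPrefixes) {
		return "", errors.New("unknown prefix code")
	}
	return uriPrefixes[payload[0]] + string(payload[1:]), nil
}

// SafeToOpen is the reader-side policy a phone app should apply before
// following a URI read from a tag: parse it, insist on https, and insist
// on a host the app expects, instead of opening whatever the tag says.
func SafeToOpen(uri, expectedHost string) bool {
	u, err := url.Parse(uri)
	if err != nil {
		return false
	}
	return u.Scheme == "https" && strings.EqualFold(u.Hostname(), expectedHost)
}

func main() {
	// Constructed sample: the operator's tag points at the operator's site.
	genuine, _ := EncodeURIRecord("https://www.example.com/bike/1234")
	// A writable tag (Section 2.3) can simply be overwritten with a new record;
	// the result parses exactly as cleanly as the genuine one.
	rewritten, _ := EncodeURIRecord("http://malware.example.net/update.apk")
	for _, rec := range [][]byte{genuine, rewritten} {
		uri, err := DecodeURIRecord(rec)
		fmt.Printf("% x\n  -> %q (err=%v) safe=%v\n", rec, uri, err, SafeToOpen(uri, "www.example.com"))
	}
}
```

The parser accepts the rewritten record without complaint; only the policy in SafeToOpen, which knows what the application expects, tells the two apart. That is the point of the encryption and signature methods that follow: they give the reader something to verify that the record format itself does not provide.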
3.1.1 Symmetric-Key
A symmetric-key cipher is one of the simplest encryption methods. The sender uses a secret key to transform the information into ciphertext, and the receiving device uses the same key to translate the ciphertext back (Burke, McDonald and Austin, 2000).

First, a cryptographic hash function is used to calculate a hash value of the original message; the message cannot be recovered from the hash value alone (Juels, 2006), so the hash lets the receiver detect modification of the message. Only a holder of the secret key can decrypt the ciphertext.

However, if somebody else learns the key, every message from this sender can be decrypted easily. Hence two keys can be used for encryption and decryption (Haselsteiner and Breitfuß, 2006): a public key used for encryption, which everyone may know, and a private key known only to the receiving device, which recovers the plaintext.

This technique can be applied to a pair of NFC parties: one uses the public key to encode the information and the other decodes it with the private key. Since only the receiver knows the decryption key, criminals who listen to the signal can never decipher the true information. The technique may suit some 1-to-N systems, such as one of the most popular applications of recent years, bicycle sharing. Every bike has its own NFC tag; people download the sharing system's app, and every time they want to ride they only need to hold their smart phone close to the tag and the lock opens automatically. The tag on the bike stores all the information, encrypted under a fixed public key. After the NFC phone actively generates a magnetic field and powers the tag, it receives the information signal and decodes it with the private key, which the app delivers. In this way the phone obtains the right to use the bicycle and the system starts. One caveat applies: a private key delivered to every installed app is no longer secret, and an attacker with a rooted phone or a disassembled app obtains it as easily as a legitimate user. A more robust arrangement for a 1-to-N fleet keeps the secret on the operator's side: the operator signs the tag content or the unlock authorisation with its private key, and the locks and phones hold only the corresponding public key, with which they verify but cannot forge.

3.1.2 Re-encryption
Re-encryption means that the information is encrypted repeatedly, so that it is harder for criminals to break the code.

Re-encryption was first applied to RFID (Juels and Pappu, 2003). To trace banknotes, RFID chips were embedded in them, and re-encryption protected the privacy of the banknotes' owners. The method takes the banknote's serial number, encrypts it under a public key and stores the ciphertext on the chip.

Avoine later identified shortcomings of this scheme, and it was superseded by universal re-encryption (Golle, Jakobsson, Juels and Syverson, 2004). Universal re-encryption involves a chain of servers, one public key and the private key material held at the receiving side. The message is first encrypted under the public key, and the ciphertext then becomes the input of the chain of servers, each of which re-encrypts it in turn. The distinctive property is that re-encryption needs no key at all: any party can re-randomise the ciphertext without knowing even the public key under which it was produced, and only the holder of the private key can decrypt the final output, which a second set of mix servers does. To defend against attacks on the public key, insubvertible encryption was introduced (Ateniese, Camenisch and de Medeiros, 2005). It requires the public key to be generated together with an authority's certificate and stored in the tag; only issuers can mark the key, and only a certified public key is accepted by the reader and receiver devices.

Those strategies can be implemented for NFC as well: the certified public key is stored in the NFC tag and used to encrypt the message, and the online servers re-encrypt the ciphertext again and again, so that even if criminals capture the information they cannot break the code. Only the designated mix servers at the receiving side can recover the plaintext. Strictly speaking, repeated re-encryption does not make the ciphertext harder to break than a single encryption under the same public key; what it adds is unlinkability, since two readings of the same tag yield unrelated ciphertexts and the tag cannot be tracked between readings (Juels, 2006).

Sony Corporation has long used NFC to protect game copyright: designers embed an NFC tag in the game disc, and only specific game consoles can read the tag and activate the game, so that unauthorised copying is prevented. Re-encryption can be used to realise this measure: the game codes in the tag are encrypted by several servers and the certified public key is added to the tag, and the disc reader can check the certificate and holds the set of decryption servers for translating the NFC tag.

3.2 QoS-Based Transmit Beamforming
Beamforming is a general signal-processing technique that controls the direction of transmission and reception of a radio-frequency signal. Quality-of-Service (QoS)-based transmit beamforming is a multi-antenna transmission technique that is practical in communication scenarios (Liao, Chang, Ma and Chi, 2011).

Wei-Cheng Liao et al. proposed that this technique could be used to protect a transmission from an eavesdropper that is present, and built a formulation to test the idea (Liao, Chang, Ma and Chi, 2011). They constrained the signal-to-interference-and-noise ratio at both the eavesdropper and the intended receiver, and combined artificial noise with the transmitted signal to interfere with the eavesdropper. They showed that if the base station knows the channel state information, the eavesdropper can be crippled by transmit beamforming.

This idea could also be applied to improving NFC transmission security: an NFC transaction could use QoS-based beamforming to deliver the signal, and the transmitted signal could carry artificial noise whose function is to confuse the eavesdropping device and cripple illegal access. This beam is most likely to be useful in defending the information exchange process. One caveat: the cited results assume a far-field multi-antenna radio channel, whereas NFC uses inductive coupling at 13.56 MHz through a single loop antenna (ISO/IEC 18092, 2004); whether the approach carries over to that setting is not examined here.

3.3 Faraday Cage
A Faraday cage uses an electrically conducting material surrounding a space to exclude electromagnetic waves (French, 2011). It relies on the fact that a conductor connected to ground is an equipotential body, so the potential inside the cage is zero and the items inside are protected from an external electric field. As shown in Figure 1, the green cage is an example of a Faraday cage connected to ground and surrounding a spherical item; the red arrows are the external fields, which are shielded by the cage, so the ball is never touched by those signals.

Figure 1: Faraday Cage
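The symmetric-key and public-key protection described in Section 3.1.1, as an added example in Go that is not part of the paper; the key, tag identifier and payload strings are constructed for the demonstration. AES-256-GCM seals the tag payload under a key shared by the issuer and the reader, and because GCM authenticates the ciphertext it plays the role of the keyed hash of Section 3.1.1, so the reader rejects a payload modified as in Section 2.3 as well as hiding it from the eavesdropper of Section 2.1. For the 1-to-N bicycle case, the operator signs the tag content with an ECDSA private key that never leaves its server, and every lock or phone verifies with the public key only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SealPayload encrypts a tag payload under a 32-byte shared key with
// AES-256-GCM. The tag's own identifier is bound as associated data, so a
// ciphertext copied from one tag onto another fails to open.
// Output layout: nonce || ciphertext || 16-byte authentication tag.
func SealPayload(key, plaintext, tagID []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per write
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, tagID)...), nil
}

// OpenPayload is the reader side; it fails on any modified bit of the
// ciphertext, the authentication tag, or the bound tag identifier.
func OpenPayload(key, sealed, tagID []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed payload too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, tagID)
}

// SignTagContent runs once, at issuance, on the operator's server, the only
// place the private key exists. Locks and phones get the public key only.
func SignTagContent(priv *ecdsa.PrivateKey, content []byte) ([]byte, error) {
	digest := sha256.Sum256(content)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyTagContent is what a lock or the app runs after reading a tag.
func VerifyTagContent(pub *ecdsa.PublicKey, content, sig []byte) bool {
	digest := sha256.Sum256(content)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	key := make([]byte, 32) // constructed: key shared by issuer and reader
	rand.Read(key)
	tagID := []byte("bike-0001")
	sealed, _ := SealPayload(key, []byte("balance=12.50;expires=2018-12-31"), tagID)
	if _, err := OpenPayload(key, sealed, tagID); err == nil {
		fmt.Println("reader: payload authentic")
	}
	sealed[len(sealed)-20] ^= 0x01 // attacker flips one ciphertext bit (Section 2.3)
	_, err := OpenPayload(key, sealed, tagID)
	fmt.Println("reader after tampering:", err)

	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // operator key pair
	content := []byte("bike-0001;lock=7;zone=A")
	sig, _ := SignTagContent(priv, content)
	fmt.Println("lock accepts genuine tag:", VerifyTagContent(&priv.PublicKey, content, sig))
	fmt.Println("lock accepts rewritten tag:", VerifyTagContent(&priv.PublicKey, []byte("bike-0001;lock=7;zone=B"), sig))
}
```

The sealed form covers the two-party case of Section 3.1.1, where issuer and reader share a key; the signed form covers the 1-to-N case, where nothing secret is distributed. A signature does not hide the content, so a fleet that needs both confidentiality and public verifiability seals the payload and signs the sealed bytes.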
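Universal re-encryption from Section 3.1.2, as an added example in Go that is neither from the paper nor from Golle et al.: ElGamal over a safe-prime group that the program generates at run time at a demonstration size of 256 bits (a deployment would use a standard 2048-bit group or an elliptic curve), with a constructed banknote serial number as the message. It shows the property the text relies on: re-encryption needs no key, so any reader can re-randomise what a tag carries, the issuer's private key still decrypts the result, and decryption under a different key is rejected.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Group is the order-q subgroup of Z_p^* for a safe prime p = 2q+1.
type Group struct{ P, Q, G *big.Int }

// UCipher is a universal re-encryption ciphertext: (A0, B0) is an ElGamal
// encryption of the message and (A1, B1) an ElGamal encryption of 1 under
// the same key; the second pair lets anyone re-randomise the first.
type UCipher struct{ A0, B0, A1, B1 *big.Int }

var one = big.NewInt(1)

// NewGroup generates a demo-sized safe-prime group (bits=256 keeps it fast).
func NewGroup(bits int) (*Group, error) {
	for {
		q, err := rand.Prime(rand.Reader, bits-1)
		if err != nil {
			return nil, err
		}
		p := new(big.Int).Lsh(q, 1)
		p.Add(p, one)
		if !p.ProbablyPrime(20) {
			continue
		}
		// g = h^2 for h in [2, p-2] generates the subgroup of order q.
		h, _ := rand.Int(rand.Reader, new(big.Int).Sub(p, big.NewInt(3)))
		h.Add(h, big.NewInt(2))
		return &Group{P: p, Q: q, G: new(big.Int).Exp(h, big.NewInt(2), p)}, nil
	}
}

func (gr *Group) randExp() *big.Int { // uniform in [1, q-1]
	k, _ := rand.Int(rand.Reader, new(big.Int).Sub(gr.Q, one))
	return k.Add(k, one)
}

// KeyGen returns the issuer's private key x and public key y = g^x.
func (gr *Group) KeyGen() (x, y *big.Int) {
	x = gr.randExp()
	return x, new(big.Int).Exp(gr.G, x, gr.P)
}

// Encrypt needs the public key; m must be an integer in [1, p-1].
func (gr *Group) Encrypt(y, m *big.Int) *UCipher {
	k0, k1 := gr.randExp(), gr.randExp()
	return &UCipher{
		A0: mulMod(m, new(big.Int).Exp(y, k0, gr.P), gr.P),
		B0: new(big.Int).Exp(gr.G, k0, gr.P),
		A1: new(big.Int).Exp(y, k1, gr.P),
		B1: new(big.Int).Exp(gr.G, k1, gr.P),
	}
}

// ReEncrypt is keyless: a mix server or an NFC reader re-randomises the
// ciphertext so that successive readings of the same tag look unrelated.
func (gr *Group) ReEncrypt(c *UCipher) *UCipher {
	r0, r1 := gr.randExp(), gr.randExp()
	return &UCipher{
		A0: mulMod(c.A0, new(big.Int).Exp(c.A1, r0, gr.P), gr.P),
		B0: mulMod(c.B0, new(big.Int).Exp(c.B1, r0, gr.P), gr.P),
		A1: new(big.Int).Exp(c.A1, r1, gr.P),
		B1: new(big.Int).Exp(c.B1, r1, gr.P),
	}
}

// Decrypt recovers m with the private key x, after checking that the second
// pair still decrypts to 1; a ciphertext under another key fails that check.
func (gr *Group) Decrypt(x *big.Int, c *UCipher) (*big.Int, bool) {
	if divMod(c.A1, new(big.Int).Exp(c.B1, x, gr.P), gr.P).Cmp(one) != 0 {
		return nil, false
	}
	return divMod(c.A0, new(big.Int).Exp(c.B0, x, gr.P), gr.P), true
}

func mulMod(a, b, p *big.Int) *big.Int { return new(big.Int).Mod(new(big.Int).Mul(a, b), p) }
func divMod(a, b, p *big.Int) *big.Int { return mulMod(a, new(big.Int).ModInverse(b, p), p) }

func main() {
	gr, err := NewGroup(256)
	if err != nil {
		panic(err)
	}
	x, y := gr.KeyGen()                                      // issuer (bank or fleet operator)
	serial := new(big.Int).SetBytes([]byte("SN-0007-2018")) // constructed serial number
	c := gr.Encrypt(y, serial)
	c2 := gr.ReEncrypt(c) // a reader re-randomises the tag content on each read
	fmt.Println("ciphertexts differ:", c.A0.Cmp(c2.A0) != 0)
	m, ok := gr.Decrypt(x, c2)
	fmt.Println("issuer decrypts:", ok, string(m.Bytes()))
	_, ok = gr.Decrypt(gr.randExp(), c2)
	fmt.Println("foreign key accepted:", ok)
}
```

Nothing in ReEncrypt refers to y, which is why a reader can re-randomise a tag it cannot decrypt; the text's description of each mix server using its own private key is therefore not needed. The tracking protection follows from the re-randomisation alone, not from the number of passes, which is the point made at the end of Section 3.1.2.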
This shielding principle is normally applied to things that must be kept away from electromagnetic signals, such as RFID tags, and it can obviously be used to protect NFC tags as well. However, producing a Faraday cage requires another device next to the protected items, and then no signal can reach the device at all. It may therefore be useful only for protecting static NFC devices that store permanent information or messages needing few modifications.

It is useful for ensuring that devices are not damaged by other malicious tags, but the method is less practical and has a higher cost.

4. Discussion
The previous sections have described the common threats that currently appear in NFC systems and listed some feasible countermeasures.

Encryption is one of the most common protection methods and can be widely applied in NFC systems, for example to guard against malicious cracking of the information. Even in the worst case, where the information is captured by criminals, only the people who hold the correct private keys can decipher the ciphertext.

Of course, people would rather the signals were not eavesdropped at all. That requires a clean network environment and protection of the transmission channels, for which QoS-based transmit beamforming is a suitable choice: it uses artificial noise to interfere with the eavesdropper so that malicious detection of the transmitted signal cannot reach the wiretap target cleanly. In that way the information is protected from both eavesdroppers and malicious interference signals.

Compared with the above methods, the Faraday cage is better regarded as a safeguard for important items. A government may consider using it to store confidential documents and vital information, since the cage prevents frequencies from passing through its conducting walls. Nevertheless, realising this technique requires an extra device to produce the Faraday cage, and how to protect that new device from being controlled by others will be another potential issue.

5. Conclusions
Returning to the questions posed at the beginning of the paper: because NFC technology has spread deeply into daily life, information security attacks can pose threats from many directions. NFC is highly convenient and easy to embed, which has won it much favour among engineers; people have applied it in many fields, such as commerce, transport and even copyright protection, and keep exploring new industries. Hence the aim of this article has been to summarise the common attacks and give an account of effective countermeasures.

NFC shares characteristics with other information technologies, so it is likewise attacked by thieves of private information; leakage, interference and distortion can all cause fatal problems. Based on this similarity, however, it can be assumed that the methods used to handle security problems in related fields are also useful here, and the explanations in the third part of the paper support this hypothesis.

However, we readily recognise that the current protection measures still have problems. NFC aims at high-speed signal transmission, which means the cipher mechanism cannot be too complex; yet in most cases it is then perhaps much easier for criminals to break the ciphertext than it was to produce it. For wider adoption, the cost of the NFC device must also be considered when building a system, and the security protocol should not be too elaborate, since elaborate protocols may open new breakthroughs for criminals. In future, people hope to find a way to encode information quickly and at the same time raise the protocol level. NFC system administrators must keep a wary eye on information threats that may arise at any moment.

6. References
[1] ISO/IEC 18092, 2004. Near Field Communication - Interface and Protocol (NFCIP-1). International Organization for Standardization.
[2] Haselsteiner, E., Breitfuß, K., 2006. Security in Near Field Communication (NFC). In Printed handout of Workshop on RFID Security, RFIDSec 06.
[3] Francis, L., Hancke, G., Mayes, K., Markantonakis, K., 2010. Practical NFC Peer-to-Peer Relay Attack using Mobile Phones. In Proceedings of the 6th International Conference on Radio Frequency Identification: Security and Privacy Issues, pp. 35-49.
[4] Juels, A., 2006. RFID Security and Privacy: A Research Survey. IEEE Journal on Selected Areas in Communications (J-SAC), vol. 24, no. 2, pp. 381-394.
[5] Coskun, V., Ozdenizci, B., Ok, K., 2013. A survey on Near Field Communication (NFC) technology. Wireless Personal Communications, 71(3), pp. 2259-2294.
[6] Zhang, X., King, B., 2005. Modeling RFID Security. Information Security and Cryptology, 1st SKLOIS Conference, CISC 2005, Beijing, China, December 15-17, 2005. Lecture Notes in Computer Science 3822, Springer 2005, pp. 75-90.
[7] Burke, J., McDonald, J., Austin, T., 2000. Architectural Support for Fast Symmetric-Key Cryptography. In Proceedings of the International Conference on ASPLOS, pp. 178-189.
[8] Juels, A., Pappu, R., 2003. Squealing Euros: Privacy Protection in RFID-enabled Banknotes. In R. Wright, editor, Financial Cryptography, volume 2742 of Lecture Notes in Computer Science, pp. 103-121.
[9] Golle, P., Jakobsson, M., Juels, A., Syverson, P. F., 2004. Universal Re-encryption for Mixnets. In Proceedings of CT-RSA '04, volume 2964 of LNCS, pp. 163-178.
[10] Ateniese, G., Camenisch, J., de Medeiros, B., 2005. Untraceable RFID Tags via Insubvertible Encryption. In 12th ACM Conference on Computer and Communications Security. To appear.
[11] Liao, W.-C., Chang, T.-H., Ma, W.-K., Chi, C.-Y., 2011. QoS-Based Transmit Beamforming in the Presence of Eavesdroppers: An Optimized Artificial-Noise-Aided Approach. IEEE Trans. Signal Process., vol. 59, no. 3, pp. 1202-1216.
[12] French, M. M. J., 2011. Mobile Phone Faraday Cage. Physics Education, vol. 46, no. 3, pp. 290-293.
[13] MANA, 2013. Exposure the Security Vulnerabilities about NFC Payment? Analyze the Cracking and Fraud Issues of NFC. Retrieved from http://blog.atmbox.com/5462.html and http://www.freebuf.com/articles/wireless/51070.html.