Near Field Communication (NFC) Technology Security Vulnerabilities and Countermeasures

 
 
 
  • Abstract
  • Keywords
  • References
  • PDF
  • Abstract


    Nowadays; the adoption of Internet of things (IoT) technologies and applications in everyday is rising. IoT technology such as Near Field Communication (NFC) is vastly adopted due to its short range frequencies, making it a good candidate for token based security access control applications such as door systems and attendance systems. However, due to the miniature size of NFC tags; its clear text contents and unprotected communication channel between tag-reader-database; NFC technology is prone to security attacks such as the man in the middle; denial of services (DOS) and etc. These attacks lead to leakage of user critical data which could impact any organization adopting NFC applications and technologies. In this paper; NFC vulnerability, causing both security and privacy attacks studies in depth. By focusing on attacks such as DOS and data corruptions; existing risk assessment models are evaluated using Analytical Hierarchy Process (AHP) approach. Best practice in mitigating these attacks is presented as well. A case study on an existing NFC access control application is then used to demonstrate the effectiveness of best practice solutions proposed.

     

     

     


  • Keywords


    Analytical Hierarchy Process (AHP); Attendance System; Near Field Communication (NFC); NFC Security Taxonomy; Risk Assessment; Security

  • References


      [1] Madlmayr G., Langer J., Kantner C. & Scharinger J. (2008), NFC Devices: Security and Privacy. Proc. Proceedings of the 2008 Third International Conference on Availability, Reliability and Security2008, 642-647.

      [2] NFC Forum. Home. http://nfc-forum.org/. Accessed September 3, 2015.

      [3] Coskun V., Ozdenizci B. & Ok K (2015), The survey on near field communication. Sensors, 2015, 15, (6), 13348-13405.

      [4] Want. R (2011), Near field communication. IEEE Pervasive Computing, 10, 3, 4-7.

      [5] Hoepman J.-H. & Siljee J. (2007), Beyond RFID: the NFC Security Landscape. Delft: TNO.

      [6] Google, Google Wallet. https://www.google.com/wallet. Accessed February 23 2016.

      [7] VISA Inc, Visa payWave - Consumer. https://usa.visa.com/pay-with-visa/featured-technologies/visa-paywave.html. Accessed February23 2016.

      [8] Finkenzeller K. (2010), RFID handbook: fundamentals and applications in contactless smart cards. Radio frequency identification and near-field communication, John Wiley & Sons.

      [9] Emms M., Arief B., Little N. & Van Moorsel A. (2013), Risks of offline verify PIN on contactless cards. International Conference on Financial Cryptography and Data Security, Springer, 313-321.

      [10] Dawidowsky F., NFC, Bluetooth and RFID: Unraveling the Wireless Connections. https://nfc-forum.org/nfc-bluetooth-and-rfid-unraveling-the-wireless-connections/. Accessed 27 August 2015.

      [11] Chattha N.A. (2014), NFC—Vulnerabilities and defense. Conference on Information Assurance and Cyber Security (CIACS), IEEE, 35-38.

      [12] Chen C.H., Lin I.C. & Yang C.C. (2014), NFC Attacks Analysis and Survey. 2014 Eigth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, 458-462.

      [13] Ceipidor U.B., Medaglia C., Marino A., Morena M., Sposato S., Moroni A., Di Rollo P. & La Morgia M. (2013), Mobile ticketing with NFC management for transport companies. Problems and solutions. 2013 5th International Workshop on Near Field Communication (NFC), IEEE, 1-6.

      [14] Mulliner C. (2009), Vulnerability analysis and attacks on NFC-enabled mobile phones. International Conference on Availability, Reliability and Security (ARES'09), IEEE, 695-700.

      [15] International Organization for Standardization (2011), Identification cards - Contactless integrated circuit cards - Proximity cards - Part 1 to 4. ISO/IEC 14443-3:2011,2, April 2011.

      [16] International Organization for Standardization (2013), Information technology -- Telecommunications and information exchange between systems -- Near Field Communication -- Interface and Protocol (NFCIP-1). ISO/IEC 18092:2013,2, 1-44.

      [17] Kfir Z. & Wool A. (2005), Picking virtual pockets using relay attacks on contactless smartcard. First International Conference on Security and Privacy for Emerging Areas in Communications Network (SecureComm 2005), IEEE, 47-58.

      [18] Haselsteiner E. & Breitfuß K. (2006), Security in near field communication (NFC). Workshop on RFID security, 12-14.

      [19] NIST Special Publications (2002), Guide for Conducting Risk Assessments (800-30). National Institute of Standards and Technology, U.S. Department of Commerce, 1-95.

      [20] Mell P., Scarfone K. & Romanosky S. (2006), Common vulnerability scoring system. IEEE Security & Privacy, 2006, 4, 6.

      [21] FIRST (2016), CVSS. https://www.first.org/cvss/v2/faq. Accessed February 23 2016.

      [22] OWASP (2015), Threat Risk Modeling. https://www.owasp.org/index. php/Threat_Risk_Modeling. Accessed 20 September 2015.

      [23] Caralli R.A., Stevens J.F., Young L.R. & Wilson W.R. (2007), Introducing octave allegro: Improving the information security risk assessment process. Carnegie-Mellon Univ Pittsburgh PA Software Engineering Inst.

      [24] Saitta P., Larcom B. & Eddington M., Trike v. 1 methodology document [draft]. http://dymaxion.org/trike/Trike_v1_Methodology_ Documentdraft. pdf, 2005.

      [25] Shostack A. (2014), Threat modeling: Designing for security, John Wiley & Sons.

      [26] Rosenquist M. (2009), Prioritizing information security risks with threat agent risk assessment. Intel Corporation White Paper.

      [27] Velasquez M. & Hester P.T. (2013), An analysis of multi-criteria decision making methods. International Journal of Operations Research, 2013, 10, 2, 56-66.

      [28] Syamsuddin I., & Hwang J. (2010), The Use of AHP in Security Policy Decision Making: An Open Office Calc Application. JSW, 5, 10, 1162-1169.

      [29] Lahdelma R. & Salminen P. (2010), Stochastic multicriteria acceptability analysis (SMAA): Trends in multiple criteria decision analysis. Springer, 285-315.

      [30] Vermaas R., Tervonen T., Zhang Y. & Siljee J. (2013), The security risks of mobile payment applications using Near Field Communication. Rotterdam: Erasmus University Rotterdam, 2013.

      [31] Houmb S.H. & Franqueira V.N. (2009), Estimating ToE risk level using CVSS. International Conference on Availability, Reliability and Security, 718-725.

      [32] Houmb S.H., Franqueira V.N. & Engum E.A. (2010), Quantifying security risk level from CVSS estimates of frequency and impact. Journal of Systems and Software, 83, 9, 1622-1634.

      [33] Chan C.W. & Mahinderjit Singh M. (2015), Standardized security metrics with CVSS framework for BYOD higher education. BSc. Thesis, Universiti Sains Malaysia.

      [34] Coskun V., Ozdenizci B. & Ok K. (2013), A survey on near field communication (NFC) technology. Wireless personal communications, 71,3, 2259-2294.

      [35] Kunz J. (2010). The Analytic Hierarchy Process (AHP). https://www.slideshare.net/lakshanasuresh/ahp-calculations?t=123. Accessed October 24 2016.

      [36] ECMA International (2015). 385–nfc-sec: Nfcip-1 security services and protocol. ECMA International (European Association for Standardizing Information and Communication Systems), Geneva, Switzerland.

      [37] Ong D.D.W. & Mahinderjit Singh M. (2016). A secure near field communication (NFC)-enabled attendance on android mobile for higher education. Knowledge Management International Conference (KMICe) 2016 , 111-115.


 

View

Download

Article ID: 23385
 
DOI: 10.14419/ijet.v7i4.31.23385




Copyright © 2012-2015 Science Publishing Corporation Inc. All rights reserved.