Today, we rely on contactless smart cards to perform several critical operations (e.g., payments and accessing buildings). Attacking smart cards can have severe consequences, such as losing money or leaking sensitive information. Although the security protections embedded in smart cards have evolved over the years, those with weak security properties are still commonly used. Among the different solutions, blocking cards are affordable devices to protect smart cards. These devices are placed close to the smart cards, generating a noisy jamming signal or shielding them. Whereas vendors claim the reliability of their blocking cards, no previous study has ever focused on evaluating their effectiveness. In this paper, we shed light on the security threats on smart cards in the presence of blocking cards, showing the possibility of being bypassed by an attacker. We analyze blocking cards by inspecting their emitted signal and assessing a vulnerability in their internal design. We propose a novel attack that bypasses the jamming signal emitted by a blocking card and reads the content of the smart card. We evaluate the effectiveness of 11 blocking cards when protecting a MIFARE Ultralight smart card and a MIFARE Classic card. Of these 11 cards, we managed to bypass 8 of them and successfully dump the content of a smart card despite the presence of the blocking card. Our findings highlight that the noise type implemented by the blocking cards highly affects the protection level achieved by them. Based on this observation, we propose a countermeasure that may lead to the design of effective blocking cards. To further improve security, we released the tool we developed to inspect the spectrum emitted by blocking cards and set up our attack.
Disciplines:
Computer science
Author, co-author:
ALECCI, Marco ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
Attanasio, Luca ; Department of Mathematics, University of Padova, Padua, Italy
Brighente, Alessandro ; Department of Mathematics, University of Padova, Padua, Italy
Conti, Mauro ; Department of Mathematics, University of Padova, Padua, Italy
Losiouk, Eleonora ; Department of Mathematics, University of Padova, Padua, Italy
Ochiai, Hideki ; Department of Electrical and Computer Engineering, Yokohama National University, Yokohama, Japan
Turrin, Federico ; Department of Mathematics, University of Padova, Padua, Italy
External co-authors:
yes
Document language:
English
Title:
Beware of Pickpockets: A Practical Attack against Blocking Cards
Publication date:
16 October 2023
Event name:
Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses
Event organizer:
Hong Kong Polytechnic University
Event location:
Hong Kong, Hong-Kong
Event date:
16-10-2023 => 18-10-2023
Event scope:
International
Title of the main work:
Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023