Written by
The attacks demonstrated are trivial due to the manufacturer time to market (TTM) obsession, thereby shipping devices with trivial vulnerabilities, in Mulliner’s research they orbit around passive tags which are mostly abused as vectors for the any of the attacks demonstrated.
[From Attacks on NFC mobile phones demonstrated | Zero Day | ZDNet.com]
The attacks fall, broadly, into two categories. There are attacks on the implementation of the NFC tag standard in a current handset — these remind us of a useful lesson about implementing new standards, but are not that significant in the long run — and attacks on the way that tags work in the current NFC standards. The problem that Colin has focussed on here is that there is no way of knowing whether a tag is "real" or not: you wave your phone at a Royal Bank of Scotland advert at the train station, but the tag has been tampered with (shielded by a bogus tag, for example) so that your phone is redirected to a web site in the Ukraine which looks like RBS but is just going to use your entered username/password to log in to your account for nefarious purposes. Unfortunately, that’s the way tags work: there is no way of preventing this and Colin is right to highlight both modifying original tags and replacing them with malicious tags as interesting security questions.
These questions relate to the better understood issue of product vs. provenance in the RFID world and, as we know, one way to solve that problem is by using digital identity: it’s just that it’s the identity of stuff in question, not the identity of people.
I did have a good idea for exploiting this vulnerability about a year ago, but I didn’t think any of our customers would be interested (!). I was thinking about selling NFC tags to plumbers so that they can add them to the postcards that they decorate London phone boxes with: this way, when a customer has finished surveying the range of services on offer, he can simply wave his phone over the chosen card and get connected directly to the plumber in question. If you’ve walked past a phone box in London recently, you’ll know how big this market is! The plumbers would pay extra for postcards with tags in because they would attract a better class of early adopter but also because they would know precisely which phone boxes were generating the traffic and could then target future advertising campaigns. Once I’d got all of the plumbers using postcards with tags in, I would then sell them redirection tags to stick on the postcards of rivals. The redirection tags have a ferrite shield to block the signal from the real tag (or I imagine you could make a handheld device to kill the existing tags — I’ll ask the CHYPlab guys about this on Monday). Colin points out a simpler version of this attack on the SMS vending machines in Austria: just go to machines B, C, D and stick on a tag that codes for machine A: Then just wait at machine A and pick up the free drinks! I dread to think of the chaos in London phone boxes!
So what’s to be done? I may well be guilty of generalising all problems, but the problem of determining whether tags are real and whether the handset is being directed to the correct phone number, web site or text message is a problem that needs to be solved using digital identity infrastructure to the long-term not one of sector-specific solutions to react to a particular threat.
To understand what’s to be done, you need to understand what happens when you touch a tag with your phone. The tag sends data in NFC Data Exchange Format (NDEF). An NDEF block is made up from a number of records. Each record can contain arbitrary data, but there are some specific data formats defined of which the most important is URI (the URI can be for the web, phone call, text message etc). There’s a smart poster format as well: this contains a URI plus an action (ie, go to this URI, save this URI etc).
I think it’s reasonably well-understood how should things work. Putting cheap, read-only tags inside magazine covers or on the back of business cards is really no big deal and in fact leaving them, in a sense, open so that people can play around with them is probably a good thing. The ones that we’ve been playing with are, generally, the MiFare 1K tags that have a few hundred bytes available for the NDEF. When I walk into a mobile phone shop in a year’s time, I fully expect to see "open" NFC tags like these on sale so that people can stick them on whatever they want (their phones, for one thing, so that you can enable non-NFC phones to interact with NFC phones). Of course the big market will be selling tags in bulk for advertising campaigns, direct mail that sort of thing.
For serious business however, this kind of tagging is not good enough: if I were a bank I would not put these tags in adverts in my branch, as an example, because the reputation damage that might result from customers who think they are registering for a good loan deal being sent to a porn site instead. What might a viable alternative architecture look like them? Well, consider the poster at my local bus stop. In the UK most of these sites are owned by a few large companies so you might imagine these companies installing tags in the in the frame of (or behind) the poster. Then when the installers come along and put up the new poster for, let’s say, a new credit card, at that point they either use some form of handheld device (let’s call it for sake of argument a phone) to update the tag in the frame with the new details or alternatively if the sites are connected in some way then the tag could be updated from a central location. In either case the tag must be secure, so that nobody else can over-write it with bogus data.
Whether the bus-stop poster contains a smart tag like this or a simple tag we still need to solve the problem of authenticity. How does my phone know it’s reading a legitimate tag and not a bogus tag stuck on the post by a hacker? Step forward digital signatures. Colin asks if this means a special PKI for NFC (slide 62) but I think we should approach the problem the other way around: Extend general-purpose digital identity PKI into NFC implementations.
When I’m idling about waiting for the bus, I wave my phone over the poster and the poster sends a digitally signed chunk of data to the phone. Because my mobile operator has a deal with the poster site operator, my mobile phone has the relevant digital certificate in the SIM and can therefore verify the signature when it arrives. The phone now knows that the signature was correct and can go ahead and process the data that was signed. The data might contain a web link which the phone can now confidently load and, better still, can load using encryption and authentication (since the phone can provide a digital certificate for its owner) that mean that both the bank and the phone can be confident that they are talking to each other. Now, it’s true that it will take some effort and thought to create an architecture for the tags, certificates and so on, since there a few different ways that we can choose to go, but these are essentially well-defined and "known" paths (at least they are in Consult Hyperion).
The implication of this more sophisticated architecture is clearly that a new version of the relevant standard needs to be introduced and that mobile operators will need to gear up to treat really smart poster and tagging applications to the same degree of security and attendant key management that they are currently developing for payment and transit applications. This is not a negative at all. In fact, the ability to manage the channel securely will increase its value to the advertisers, their customers, the mobile operators and ultimately the consumers. I know from my own recent conversations with an advertising agency in connection with a project that we are working on, that the ability to know which posters are generating calls to the call centre or "clicks" is very very valuable.
What we are talking about here, then, is bringing together some of the "identity of stuff" ideas that have been circulating in the digital identity world for some time with some of the concepts that are being delivered in the NFC world at present. This is fun!
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]
It’s unfortunate that Mr. Birch feels the need to use prostitutes in his example of “how things work”. I’m offended that he needs to trash women as part of his analysis of NFC. Come on… you can do better than this, Dave. Be a grown-up!
[Dave Birch] Apologies, no offence was intended, the example has been changed.
Hi Dave, thank you for your analysis. I think this is a very relevant topic. Regarding the bus-stop example, a better way would be for the URLs stored on the tags to point to a campaign management platform owned by the poster site operator. The URL would containt an unique identifier that could be mapped to the tag location and the campaign management platform would serve the updated content. This way updates would be made server-side only, there is no need to reprogram the tags.
Having the certificate of the poster site operator on the SIM might not be an option since SIM real-estate is a scarce resource and you would have a potentially large number of operators and other service providers.
Alternatively you could store the public certificate of the poster operator on the tag itself and use the certification path to confirm it’s authenticity but you would need bigger and more expensive tags.
A third option would be to include a second URL on a “secure smart poster” standard that would point to the provider’s public certificate.
“SIM real-estate is a scarce resource”
is it really that scarce any more? The SIM would only needs half a dozen or so certificates wouldn’t it?
Remember that mobile operators will rent SIM space for NFC applications such as payment, transport, loyalty, etc. SIM space will be core for the business model.
The thing is you don’t need to store the certificates of all service providers on the SIM because they are public and don’t require a secure storage. Only the certificates of the certification authorities, the ones you have to trust, should be on the SIM.