1 / 46

Nitesh Saxena Computer and Information Sciences University of Alabama at Birmingham

Nitesh Saxena Computer and Information Sciences University of Alabama at Birmingham Security and Privacy In Emerging Systems (SPIES) group http://spies.cis.uab.edu Center for Information Assurance and Joint Forensics Research (CIA|JFR) http://thecenter.uab.edu/. Outline. Background

estefani-perez
Download Presentation

Nitesh Saxena Computer and Information Sciences University of Alabama at Birmingham

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Nitesh Saxena Computer and Information Sciences University of Alabama at Birmingham Security and Privacy In Emerging Systems (SPIES) group http://spies.cis.uab.edu Center for Information Assurance and Joint Forensics Research (CIA|JFR) http://thecenter.uab.edu/

  2. Outline • Background • What NFC is • NFC Applications • What all one could do with it • NFC Attacks/Fraud • What all can go wrong • NFC Defenses • How things could be fixed

  3. Outline • Background • What NFC is • NFC Applications • What all one could do with it • NFC Attacks/Fraud • What all can go wrong • NFC Defenses • How things could be fixed

  4. RFID System Overview An RFID system usually consists of RFID tags and readers and a back-end server. Tags are miniaturized wireless radio devices that store information about their corresponding subject, such as a unique identification number. Readers broadcast queries to tags in their radio transmission ranges for information contained in tags and tags reply with such information. reading signal back-end database ID Reader Tag

  5. (Some) RFID Applications

  6. Near Field Communication (NFC) • NFC technology enables smart phones to have RFID tag and RFID reader functionality • Phones can be used as payment tokens • Next generation of payment system • For example, Google Wallet App uses this function • Already deployed in many places • Just like RFID, it uses wireless radio communication

  7. Outline • Background • What NFC is • NFC Applications • What all one could do with it • NFC Attacks/Fraud • What all can go wrong • NFC Defenses • How things could be fixed

  8. NFC Applications Google Wallet ISIS

  9. Google Wallet Vision

  10. NFC Applications Patient Id+ Mobile Ticket Purchase – Austrian Federal Railways

  11. NFC Applications NFC Tags Sharing

  12. Other Applications Interactive Experience NFC at Museum of London Posters / Replacement to QR Codes Productivity (Phone Use Cases) Automatic Pairing with Bluetooth Connect to Wifi Make a Call/Text to a number Change settings automatically Check ins / Locations / Other social activity Open Apps SleepTrak (health monitoring) …many manymore

  13. Outline • Background • What NFC is • NFC Applications • What all one could do with it • NFC Attacks/Fraud • What all can go wrong • NFC Defenses • How things could be fixed

  14. Wig model #4456 (cheap polyester) Viagra medical drug #459382 Das Kapitaland Communist-party handbook 500 Euros in wallet Serial numbers: 597387,389473… 30 items of lingerie The RFID Privacy Problem Good tags, Bad readers

  15. NFC Privacy Problem • Should you worry? • NFC is near field (one has to tap to read!) • Yes, unfortunately • Researchers have shown that it is possible to eavesdrop NFC signals from a distance larger than its typical communication range • [Kortvedt-Mjølsnes; 2009]

  16. Chase Bank ATM Card US Bank Credit Card • Porn Movie Ticket • UAB Office Building Access Card Doctor’s Prescription The NFC Privacy Problem Good tags, Bad readers

  17. Wig model #4456 (cheap polyester) Viagra medical drug #459382 Das Kapitaland Communist-party handbook 500 Euros in wallet Serial numbers: 597387,389473… 30 items of lingerie The RFID Cloning Problem Good readers, Bad tags Counterfeit!!

  18. Chase Bank ATM Card US Bank Credit Card • Porn Movie Ticket • UAB Office Building Access Card Doctor’s Prescription The NFC Cloning Problem Good readers, Bad tags

  19. Relay Attack I: Ghost-and-Leech response query query query response response

  20. Relay Attack II: Ghost-and-Reader Server Variant of a Man-in-the-Middle attack [Drimer et al., 2007]; demonstrated live on Chip-and-PIN cards Malicious Reader Authentic Reader Ghost

  21. Reader and Ghost Relay Attack • Fake reader relays information from legitimate NFC tag to “Ghost” • relays information from the legitimate tag to fake tag • “Ghost” relays received information to a corresponding legitimate reader • Happens simultaneously while user performs transaction with legitimate NFC tag • But for a higher amount • Impersonating a legitimate NFC tag without actually possessing the device. • While at a different physical location

  22. NFC Malware Problem Youtube video: http://www.youtube.com/watch?feature=player_detailpage&v=eEcz0XszEic

  23. Outline • Background • What NFC is • NFC Applications • What all one could do with it • NFC Attacks/Fraud • What all can go wrong • NFC Defenses • How things could be fixed

  24. Chase Bank ATM Card US Bank Credit Card • Porn Movie Ticket • UAB Office Building Access Card Doctor’s Prescription The NFC Privacy Problem Good tags, Bad readers

  25. Chase Bank ATM Card US Bank Credit Card • Porn Movie Ticket • UAB Office Building Access Card Doctor’s Prescription The NFC Cloning Problem Good readers, Bad tags

  26. Relay Attack I: Ghost-and-Leech response query query query response response

  27. Selective Unlocking • Promiscuous reading is to blame • Currently, NFC supports selective unlocking via PIN/passwords • Works in practice but passwords are known to have problems especially in terms of usability • Our approach – gesture-enabled unlocking

  28. Relay Attack II: Ghost-and-Reader Server Variant of a Man-in-the-Middle attack [Drimer et al., 2007] Malicious Reader Authentic Reader Ghost

  29. Authentication is not Enough • Alice’s device must authenticate the whole transaction • So Alice’s phone knows that the reader charges $250 • But Alice doesn’t • The big screen on the malicious reader says $5 • Even if phone displays the correct amount, Alice may not look at it • Or make a mistake due to rushing

  30. Our Approach: Proximity Detection • A second line of defense • rather than relying upon the user • Verify phone and reader are in same location • Each device measures local data with sensor • We use ambient audio • Send authenticated data to server • Server checks that the data is the same in both measurements • Or at least similar enough • Then approves the transaction

  31. Advantages of our Approach • Does not require explicit user action • Does not change traditional NFC usage model • Extremelydifficult for attacker to change environnemental attributes • Geographical location not sent to server • users’ location privacy is protected (unlike the use of GPS coordinates) • Compatible with current payment infrastructure

  32. Implementation and Evaluation • Sensor data collected by two devices in close proximity • Capture audio from cell phone’s built-in microphone (two Nokia N97 phones) • Recorded 20 consecutive segments from two sensors simultaneously at different pairs of locations • At 5 different locations

  33. Detection Techniques • Techniques based on time, frequency or both: • In both domains tested: • Euclidean distance between signals • Correlation between signals • Combined method: frequency distance and time-correlation • Best results achieved for combined time-frequency based method

  34. Time-Frequency Distance Technique • Our new Time-Frequency-based technique • Calculating distance between two signals: • Calculate Euclidean distance between frequency feature vectors • Calculate Time-based correlation between signals • Distance defined as DC = 1 - Correlation • Both distances combined for classification • Combined as a 2-D point in space

  35. Test Results • Time-Frequency distance measure: Numbers are distance measured squared

  36. Detection Techniques • Used simple classifier to detect samples taken at the same locations • Simple-Logistics classifier from Weka • 10-Fold classification: • Data divided into 10 groups, 9 used for training, one for testing • Input to the classifier: Time-Frequency distance measure squared

  37. Results • Our tests showed perfect classification: • False Accept Rate = 0% and False Reject Rate = 0% • High level of security and usability

  38. Conclusions from Proximity Detection • Designed a defense for the Reader-and-Ghost attack • Promising defense • without changes to the traditional RFID usage model • without location privacy leakage • also applicable to sensor-equipped RFID cards • Audio is a stronger signal compared to light • More experiments are planned in the future • Paper: ESORICS [Halevi et al.; 2012] • Media Coverage: Bloomberg, ZDNet, NFCNews, UAB News, etc…

  39. NFC Malware Problem Youtube video: http://www.youtube.com/watch?feature=player_detailpage&v=eEcz0XszEic

  40. Malware Protection via Gestures • Malware actions are software-generated • Legitimate actions, on the other hand, are human-generated • Human gestures will tell the OS whether an access request is benign or malicious • Luckily, for NFC, a gesture that can work is “tapping” • An explicit gesture could also be employed

  41. Tap-Wave-Rub (TWR) Gestures • Phone Tapping • accelerometer • Waving/Rubbing/Tapping • proximity sensor • Waving • light sensor

  42. TWR Enhanced Android Permissions

  43. Initial Results Phone Tapping (accelerometer) Tap/wave/rub (proximity sensor)

  44. Conclusions from TWR • Initial results are promising • The approach is applicable for protecting any other critical mobile device service • SMS, phone call, camera access, etc. • TWR gestures are also ideal for selective unlocking

  45. Take Away from the Talk • NFC is a promising new platform with immense possibilities • However, a full deployment requires careful assessment of security vulnerabilities and potential fraudulent activities • Many vulnerabilities similar to RFID • Except Malware – a burgeoning threat to NFC • Other attacks possible – such as phishing via malicious NFC tag • Security solutions need to be developed and integrated with NFC from scratch • Research shows promise • Phone is almost a computer; so lot could be done (unlike RFID) • User convenience or usability is an important design metric when developing security solutions

  46. Acknowledgments • Students – the SPIES • Jaret Langston, Babins Shrestha, Tzipora Halevi, Jonathan Voris, Sai Teja Peddinti, Justin Lin, BorhanUddin, AmbarishKarole, Arun Kumar, Ramnath Prasad, Alexander Gallego • Other Collaborators More info: http://spies.cis.uab.edu http://spies.cis.uab.edu/research/rfid-security-and-privacy/ Thanks!

More Related