Nitesh Saxena Computer and Information Sciences University of Alabama at Birmingham Security and Privacy In Emerging Systems (SPIES) group http://spies.cis.uab.edu Center for Information Assurance and Joint Forensics Research (CIA|JFR) http://thecenter.uab.edu/
Outline
• Background
  • What NFC is
• NFC Applications
  • What all one could do with it
• NFC Attacks/Fraud
  • What all can go wrong
• NFC Defenses
  • How things could be fixed
RFID System Overview
An RFID system usually consists of RFID tags, readers and a back-end server. Tags are miniaturized wireless radio devices that store information about their corresponding subject, such as a unique identification number. Readers broadcast queries to tags within their radio transmission range for the information contained in the tags, and the tags reply with that information.
[Figure: the Reader sends a reading signal to the Tag; the Tag replies with its ID; the Reader looks the ID up in the back-end database]
Near Field Communication (NFC)
• NFC technology enables smart phones to have RFID tag and RFID reader functionality
• Phones can be used as payment tokens
  • Next generation of payment system
  • For example, the Google Wallet app uses this function
  • Already deployed in many places
• Just like RFID, it uses wireless radio communication
NFC Applications: Google Wallet, ISIS
NFC Applications: Patient Id+; Mobile Ticket Purchase (Austrian Federal Railways)
NFC Applications: NFC Tags Sharing
Other Applications
• Interactive Experience
  • NFC at Museum of London
• Posters / Replacement to QR Codes
• Productivity (Phone Use Cases)
  • Automatic Pairing with Bluetooth
  • Connect to Wifi
  • Make a Call/Text to a number
  • Change settings automatically
  • Check ins / Locations / Other social activity
  • Open Apps
• SleepTrak (health monitoring)
• …many, many more
The RFID Privacy Problem: Good tags, Bad readers
[Figure: items a person carries whose tags a rogue reader could scan]
• Wig model #4456 (cheap polyester)
• Viagra medical drug #459382
• Das Kapital and Communist-party handbook
• 500 Euros in wallet
  • Serial numbers: 597387, 389473…
• 30 items of lingerie
NFC Privacy Problem
• Should you worry?
  • NFC is near field (one has to tap to read!)
• Yes, unfortunately
  • Researchers have shown that it is possible to eavesdrop on NFC signals from a distance larger than its typical communication range [Kortvedt-Mjølsnes; 2009]
The NFC Privacy Problem: Good tags, Bad readers
[Figure: NFC credentials a person carries that a rogue reader could read]
• Chase Bank ATM Card
• US Bank Credit Card
• Porn Movie Ticket
• UAB Office Building Access Card
• Doctor's Prescription
The RFID Cloning Problem: Good readers, Bad tags
[Figure: the same tagged items, now counterfeit]
• Wig model #4456 (cheap polyester)
• Viagra medical drug #459382
• Das Kapital and Communist-party handbook
• 500 Euros in wallet
  • Serial numbers: 597387, 389473…
• 30 items of lingerie
Counterfeit!!
The NFC Cloning Problem: Good readers, Bad tags
[Figure: NFC credentials that a bad tag could impersonate to a good reader]
• Chase Bank ATM Card
• US Bank Credit Card
• Porn Movie Ticket
• UAB Office Building Access Card
• Doctor's Prescription
Relay Attack I: Ghost-and-Leech
[Figure: the reader's query and the tag's response are relayed hop by hop through the Leech and the Ghost between a legitimate reader and a legitimate tag]
Relay Attack II: Ghost-and-Reader
• Variant of a Man-in-the-Middle attack [Drimer et al., 2007]; demonstrated live on Chip-and-PIN cards
[Figure: Server, Authentic Reader, Ghost, Malicious Reader]
Reader and Ghost Relay Attack
• The fake reader relays information from the legitimate NFC tag to the "Ghost"
  • i.e., relays information from the legitimate tag to a fake tag
• The "Ghost" relays the received information to a corresponding legitimate reader
  • Happens simultaneously while the user performs a transaction with the legitimate NFC tag
  • But for a higher amount
• Impersonates a legitimate NFC tag without actually possessing the device
  • While at a different physical location
NFC Malware Problem
Youtube video: http://www.youtube.com/watch?feature=player_detailpage&v=eEcz0XszEic
Selective Unlocking
• Promiscuous reading is to blame
• Currently, NFC supports selective unlocking via PIN/passwords
  • Works in practice, but passwords are known to have problems, especially in terms of usability
• Our approach: gesture-enabled unlocking
Authentication is not Enough
• Alice's device must authenticate the whole transaction
  • So Alice's phone knows that the reader charges $250
• But Alice doesn't
  • The big screen on the malicious reader says $5
  • Even if the phone displays the correct amount, Alice may not look at it
  • Or may make a mistake due to rushing
Our Approach: Proximity Detection
• A second line of defense
  • rather than relying upon the user
• Verify that the phone and the reader are in the same location
  • Each device measures local data with a sensor
  • We use ambient audio
  • Send the authenticated data to the server
  • The server checks that the data is the same in both measurements
    • Or at least similar enough
  • Then approves the transaction
Advantages of our Approach
• Does not require explicit user action
• Does not change the traditional NFC usage model
• Extremely difficult for an attacker to change environmental attributes
• Geographical location is not sent to the server
  • Users' location privacy is protected (unlike the use of GPS coordinates)
• Compatible with the current payment infrastructure
Implementation and Evaluation
• Sensor data collected by two devices in close proximity
  • Capture audio from the cell phone's built-in microphone (two Nokia N97 phones)
• Recorded 20 consecutive segments from the two sensors simultaneously at different pairs of locations
  • At 5 different locations
Detection Techniques
• Techniques based on time, frequency or both:
  • In both domains tested:
    • Euclidean distance between signals
    • Correlation between signals
  • Combined method: frequency distance and time correlation
• Best results achieved for the combined time-frequency based method
Time-Frequency Distance Technique
• Our new Time-Frequency-based technique
• Calculating the distance between two signals:
  • Calculate the Euclidean distance between the frequency feature vectors
  • Calculate the time-based correlation between the signals
    • Distance defined as DC = 1 - Correlation
  • Both distances combined for classification
    • Combined as a 2-D point in space
Test Results
• Time-Frequency distance measure
[Table: time-frequency distance between recordings at each pair of locations; numbers are the squared distance]
Detection Techniques
• Used a simple classifier to detect samples taken at the same locations
  • Simple-Logistics classifier from Weka
• 10-Fold classification:
  • Data divided into 10 groups, 9 used for training, one for testing
• Input to the classifier: Time-Frequency distance measure squared
Results
• Our tests showed perfect classification:
  • False Accept Rate = 0% and False Reject Rate = 0%
• High level of security and usability
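The time-frequency distance and the classification step described on the two preceding slides, as an added worked example (not the SPIES group's code): two short "ambient audio" frames are constructed inline, the frequency-vector distance and DC = 1 - correlation are computed, and a hypothetical fixed threshold stands in for the Weka Simple-Logistic classifier. The tone frequencies, noise level and thresholds are assumptions, not values from the talk.

```python
import math
import random

def magnitude_spectrum(signal):
    """Unit-normalised |X[k]| for k = 0..N/2 via a naive DFT (fine for short frames)."""
    n = len(signal)
    mags = []
    for k in range(n // 2 + 1):
        re = sum(x * math.cos(2 * math.pi * k * t / n) for t, x in enumerate(signal))
        im = sum(x * math.sin(2 * math.pi * k * t / n) for t, x in enumerate(signal))
        mags.append(math.hypot(re, im))
    norm = math.sqrt(sum(m * m for m in mags)) or 1.0
    return [m / norm for m in mags]  # normalise so microphone gain does not dominate

def frequency_distance(a, b):
    """Euclidean distance between the two frequency feature vectors."""
    fa, fb = magnitude_spectrum(a), magnitude_spectrum(b)
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(fa, fb)))

def time_correlation(a, b):
    """Pearson correlation of the two time-domain recordings."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    num = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    den = math.sqrt(sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b))
    return num / den if den else 0.0

def time_frequency_point(a, b):
    """The slide's 2-D feature: (frequency distance, DC = 1 - correlation)."""
    return frequency_distance(a, b), 1.0 - time_correlation(a, b)

def same_location(a, b, df_max=0.5, dc_max=0.5):
    """Hypothetical threshold rule standing in for the trained Weka classifier."""
    df, dc = time_frequency_point(a, b)
    return df <= df_max and dc <= dc_max

def ambient(freqs, n=128, seed=0, noise=0.05):
    """Constructed 'ambient audio': a few tones plus independent microphone noise."""
    rng = random.Random(seed)
    return [sum(math.sin(2 * math.pi * f * t / n) for f in freqs) + rng.gauss(0, noise)
            for t in range(n)]

READER_AUDIO = ambient([3, 7], seed=1)   # reader's microphone
PHONE_AUDIO = ambient([3, 7], seed=2)    # phone in the same room: same sound, own noise
REMOTE_AUDIO = ambient([5, 11], seed=3)  # phone relayed from elsewhere: different sound

if __name__ == "__main__":
    print("honest tap :", time_frequency_point(READER_AUDIO, PHONE_AUDIO))
    print("relayed tap:", time_frequency_point(READER_AUDIO, REMOTE_AUDIO))
```

The honest pair lands near the origin of the 2-D space and the relayed pair far from it, which is what lets a simple classifier separate them; real recordings are noisier than these constructed tones, so the thresholds would be learned from data as on the slides.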
Conclusions from Proximity Detection
• Designed a defense for the Reader-and-Ghost attack
• Promising defense
  • without changes to the traditional RFID usage model
  • without location privacy leakage
  • also applicable to sensor-equipped RFID cards
• Audio is a stronger signal compared to light
• More experiments are planned in the future
• Paper: ESORICS [Halevi et al.; 2012]
• Media Coverage: Bloomberg, ZDNet, NFCNews, UAB News, etc.
Malware Protection via Gestures
• Malware actions are software-generated
• Legitimate actions, on the other hand, are human-generated
• Human gestures will tell the OS whether an access request is benign or malicious
• Luckily, for NFC, a gesture that can work is "tapping"
• An explicit gesture could also be employed
Tap-Wave-Rub (TWR) Gestures
• Phone Tapping
  • accelerometer
• Waving/Rubbing/Tapping
  • proximity sensor
• Waving
  • light sensor
Initial Results
[Figures: Phone Tapping (accelerometer); Tap/wave/rub (proximity sensor)]
Conclusions from TWR
• Initial results are promising
• The approach is applicable for protecting any other critical mobile device service
  • SMS, phone call, camera access, etc.
• TWR gestures are also ideal for selective unlocking
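The accelerometer half of the TWR idea on the slides above, as an added illustration rather than the group's implementation: a phone tap shows up as a short, sharp spike in acceleration magnitude, and an NFC access request is granted only if such a human tap preceded it within a short window, so a software-generated request from malware (no tap) is refused. The trace, sampling rate, spike threshold and window are constructed assumptions.

```python
import math

G = 9.81  # m/s^2; subtracted so a phone at rest has magnitude ~0

def tap_times(samples, rate_hz=100, spike_thresh=6.0, max_width=5):
    """Times (s) of sharp, short spikes in |a| - g: the slide's 'phone tapping'.
    A spike must fall back below spike_thresh within max_width samples; a slow
    shake or tilt that stays elevated longer is not counted as a tap."""
    mag = [abs(math.sqrt(x * x + y * y + z * z) - G) for x, y, z in samples]
    taps, i = [], 0
    while i < len(mag):
        if mag[i] > spike_thresh:
            j = i
            while j < len(mag) and mag[j] > spike_thresh:
                j += 1
            if j - i <= max_width:
                taps.append(i / rate_hz)
            i = j
        else:
            i += 1
    return taps

def allow_nfc_request(request_time, taps, window_s=1.0):
    """TWR policy: the OS grants the NFC access only if a human tap came just before it."""
    return any(0.0 <= request_time - t <= window_s for t in taps)

def constructed_trace():
    """Constructed 100 Hz accelerometer trace: rest, a 2-sample tap at t = 0.5 s,
    rest, then a 20-sample shake at t = 1.02 s that is too wide to be a tap."""
    rest = [(0.0, 0.0, G)] * 50
    tap = [(0.0, 0.0, 30.0)] * 2
    shake = [(0.0, 0.0, 17.0)] * 20
    return rest + tap + rest + shake + rest

if __name__ == "__main__":
    taps = tap_times(constructed_trace())
    print("taps at", taps)
    print("request at 0.9 s allowed:", allow_nfc_request(0.9, taps))
    print("request at 2.0 s allowed:", allow_nfc_request(2.0, taps))
```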
Take Away from the Talk
• NFC is a promising new platform with immense possibilities
• However, a full deployment requires careful assessment of security vulnerabilities and potential fraudulent activities
  • Many vulnerabilities are similar to RFID
  • Except malware, a burgeoning threat to NFC
  • Other attacks are possible, such as phishing via a malicious NFC tag
• Security solutions need to be developed and integrated with NFC from scratch
  • Research shows promise
  • The phone is almost a computer, so a lot can be done (unlike RFID)
• User convenience or usability is an important design metric when developing security solutions
Acknowledgments
• Students – the SPIES
  • Jaret Langston, Babins Shrestha, Tzipora Halevi, Jonathan Voris, Sai Teja Peddinti, Justin Lin, Borhan Uddin, Ambarish Karole, Arun Kumar, Ramnath Prasad, Alexander Gallego
• Other Collaborators
More info: http://spies.cis.uab.edu
http://spies.cis.uab.edu/research/rfid-security-and-privacy/
Thanks!