Near Field Communication: the cyber threat we carry in our pockets

(By Orazio Danilo Russo)
29/11/21

As part of the activities to prevent attacks on industrial information assets carried out during a recent international fair, a lack of awareness became apparent regarding the risks associated with the rampant use of electronic business cards, commonly known as smart digital business cards.

Instead of the traditional exchange of refined paper business cards, there is in fact an increasing preference for elegant plastic magnetic cards (credit card type) that carry a chip with our contact details inside.

By bringing this token close to our interlocutor's smartphone, we automatically transmit the digital version of our business card, saving paper, time and space.

The functionality is based on the proximity transmission standard called NFC - Near Field Communication: to be clear, the same technology that nowadays allows payments at the supermarket by mobile phone or the automatic reading of a passport at border controls.

Ceremony and romance aside, there is no doubt that the fashion for smart business cards satisfies the need for speed, economy and respect for the environment, eliminating the use of paper; but, at the same time, it hides new cyber threats that need to be known and mitigated so that malicious actors - especially on tempting occasions such as fairs, seminars and conferences - cannot carry out cyber attacks, steal personal data, make network services unavailable, falsify documents or sabotage electronic devices.

The threat also benefits from some predisposing conditions, due to the lack of knowledge of the technologies that “you carry in your pocket” and the inadequate attention that is generally paid to security and privacy issues. It is wrongly imagined, for example, that the simple reading of an electronic tag through the proximity network of our telephone cannot initiate any automatism; moreover, many are convinced - and are mistaken - that the limited bandwidth capacity of these technologies, combined with the need for communicating devices to be at a distance of less than 10 cm, does not allow for significant computer penetrations.

These myths must be dispelled. First of all, as a general principle, it must be considered that every time a port of an electronic device is opened - it does not matter whether it is wired or radio - the possibility of remote exploitation is offered to anyone. And, with regard to NFC technologies, there are studies that show how the attack surface exposed by the use of proximity transmissions is actually quite large. The code responsible for analyzing NFC transmissions, in fact, begins in the kernel drivers - the core of a device's operating system, the most critical element from a security point of view - proceeds through services intended to manage NFC data and ends with applications that act on that data.

Basically, it is possible through the NFC interface to access a mobile phone and, without the user's consent, to open Web pages, analyze image files, office documents, videos, run applications, etc. And it is also possible to implement “relay” type cyber attacks, typical “Man-in-the-Middle” tactics with which the data traffic of others is illegally intercepted.

Therefore the security and privacy risk exists and is not negligible.

There are basically three electrical and electronic security countermeasures. The first is to use devices and applications with "Preview & Authorize" functionality, which always require the user's prior authorization before redirecting to a web page or executing potentially harmful instructions on the device. The second precaution is to disable NFC features when they are not needed. Finally, the last precaution, which drastically reduces the risk, is to protect the smartphone with an NFC-blocking case: a shielding housing able to protect against electromagnetic radiation in the RFID and NFC frequency ranges.
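The "Preview & Authorize" idea applied to the NDEF data that an NFC business card carries, as an added example that is not part of the original article: the tag's records are decoded and described, and nothing is opened or executed. The policy (a vCard is what a business card should contain, anything else needs explicit consent), the function names and the sample tag bytes are assumptions made for illustration.

```python
import struct

# Subset of the NDEF URI record prefix codes (NFC Forum URI record type).
URI_PREFIX = {0: "", 1: "http://www.", 2: "https://www.", 3: "http://",
              4: "https://", 5: "tel:", 6: "mailto:"}

def parse_ndef(data: bytes):
    """Yield (tnf, type, payload) per record; raise ValueError on bad lengths."""
    pos = 0
    while pos < len(data):
        try:
            flags, type_len = data[pos], data[pos + 1]
            pos += 2
            if flags & 0x10:                      # SR: 1-byte payload length
                pay_len = data[pos]; pos += 1
            else:                                 # otherwise 4 bytes, big-endian
                pay_len = struct.unpack_from(">I", data, pos)[0]; pos += 4
            id_len = 0
            if flags & 0x08:                      # IL: an ID length byte follows
                id_len = data[pos]; pos += 1
        except (IndexError, struct.error):
            raise ValueError("truncated NDEF header") from None
        end = pos + type_len + id_len + pay_len
        if end > len(data):                       # never trust declared lengths
            raise ValueError("record length exceeds tag data")
        rtype = data[pos:pos + type_len]
        payload = data[pos + type_len + id_len:end]
        yield flags & 0x07, rtype, payload        # low 3 bits: Type Name Format
        pos = end
        if flags & 0x40:                          # ME: last record of the message
            break

def preview(data: bytes):
    """Return [(description, needs_authorization)] without acting on anything."""
    out = []
    for tnf, rtype, payload in parse_ndef(data):
        if tnf == 1 and rtype == b"U" and payload:      # well-known URI record
            prefix = URI_PREFIX.get(payload[0], f"<prefix 0x{payload[0]:02x}>")
            out.append(("URI " + prefix + payload[1:].decode("utf-8", "replace"), True))
        elif tnf == 2 and rtype.lower() in (b"text/vcard", b"text/x-vcard"):
            out.append(("vCard contact, %d bytes" % len(payload), False))
        else:                                           # unexpected on a business card
            out.append((f"TNF {tnf} type {rtype!r}, {len(payload)} bytes", True))
    return out

# Constructed sample tag: one vCard record followed by one URI record.
VCARD = b"BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Jane Doe\r\nEND:VCARD\r\n"
SAMPLE = (bytes([0x92, 10, len(VCARD)]) + b"text/vcard" + VCARD +
          bytes([0x51, 1, 13]) + b"U" + b"\x04example.test")
```

Calling `preview(SAMPLE)` flags the URI record as needing authorization while the vCard is only described; a tag whose declared lengths run past the data is rejected rather than partially processed.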

There is also an organizational countermeasure: it is good practice, when going abroad, to use "spare" devices that do not contain personal or work information, thus reducing the risk of data theft or compromise.

To learn more:

https://csrc.nist.gov/publications/detail/sp/800-98/final

https://ieeexplore.ieee.org/abstract/document/6428872

https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-13.html#fn:33

https://www.welivesecurity.com/2012/04/23/qr-codes-and-nfc-chips-preview-and-authorize-should-be-default/