Long Distance Relay Attack - Luigi Sportiello, Joint Research Centre - PowerPoint PPT Presentation

SLIDE 1

Long Distance Relay Attack

Luigi Sportiello
Joint Research Centre
Institute for the Protection and the Security of the Citizen
European Commission

SLIDE 2

Smart Cards

  • "Something you have"
  • Secure data storage
  • Qualify the holder for operations
  • Two possible communication technologies
      • Contact
      • Contactless

SLIDE 3

Contactless Smart Cards

  • Some characteristics:
      • quick interactions
      • working distance: typically a few cm

[Figure: the Reader (Master) sends a Command to the Contactless Card (Slave), which returns a Response]

SLIDE 4

Reader-Card Communication Protocol

  • ISO 14443 (+ ISO 7816-4): a common solution for many contactless smart cards
  • Some time constraints during the communication

[Figure: reader-card Command/Response exchange. Anticollision/Initialization (ISO 14443), then APDUs (read, write, …; ISO 7816-4) carried as encoded commands and encoded responses in ISO 14443 frames. Response within max ~5s.]

SLIDE 5

Relay Attack Against a Contactless Smart Card

  • Two devices are needed:
      • Proxy: emulates a contactless smart card
      • Mole: acts as a reader near the victim card
  • Communication channel between Proxy and Mole

[Figure: Command and Response relayed between reader, Proxy, Mole and card]

SLIDE 6

Relay Attack: Our Aim

  • Relay attacks against contactless smart cards are not new
      • Some experiments featuring specific hardware modules
      • Lab conditions with short distances
  • Our proof of concept:
      • Long distance attack (>10Km)
      • In dynamic conditions (no constraints on device positions)

SLIDE 7

Relay Attack on a Mobile Phone Network

  • Off-the-shelf equipment
      • Mobile phones with NFC (ISO 14443 compliant) as Proxy and Mole
  • Mobile phone network for Proxy-Mole communication
      • Data network provided by basically all mobile phone network operators

Proxy App (NFC)

  • Card Emulation
  • Open Connection
  • Msg/Rsp Forwarding

Mole App (NFC)

  • Card Reader
  • Accept Connections
  • Msg/Rsp Forwarding

[Figure: Proxy (IP: X.X.X.X) and Mole (IP: Y.Y.Y.Y) exchange Cmd/Rsp over a connection through the Internet; both phones have a restricted/private IP, which allows no incoming connections]

SLIDE 8

Our Relay Attack Architecture

[Figure: architecture diagram. Labels: "Accept connections from phones", "Commands/Responses forwarding", "Open Socket" (one per phone), Cmd/Rsp exchanges]

SLIDE 9

Our Relay Attack Architecture: More Details

[Figure: detailed architecture diagram with two ISO 14443 communication links]

SLIDE 10

Relay Attack on a Geographical Scale

  • We successfully relayed a Reader-ePassport communication over several kilometers
  • Authentication protocols are useless against relay attacks
  • It is no longer possible to assume that a card is physically near the reader

[Figure: 15Km, 42Km]

SLIDE 11

No Timing Issues

On average, response waiting time ≈ 800ms.

[Figure: Cmd/Rsp over ISO 14443 communication]
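
The timing point of slides 4 and 11, as an added example that is not part of the presentation: ISO 14443-4 derives the reader's response timeout (frame waiting time, FWT) from the FWI value the card advertises, and its maximum is the ~5s quoted on slide 4. The sketch computes FWT and applies a reader-side latency budget to a timing log; the baseline, the slack factor and the sample round-trip times are constructed assumptions, and S(WTX) waiting-time extensions are ignored.

```python
# Added example (not from the slides): ISO 14443-4 timeout vs. relay latency.
FC_HZ = 13_560_000  # ISO 14443 carrier frequency (13.56 MHz)

def fwt_seconds(fwi: int) -> float:
    """Frame waiting time: FWT = (256 * 16 / fc) * 2**FWI, FWI in 0..14."""
    if not 0 <= fwi <= 14:
        raise ValueError("FWI must be in 0..14 (15 is reserved)")
    return (256 * 16 / FC_HZ) * (1 << fwi)

def min_fwi_accepting(delay_s: float):
    """Smallest FWI whose timeout still accepts a response after delay_s, or None."""
    for fwi in range(15):
        if fwt_seconds(fwi) >= delay_s:
            return fwi
    return None

def classify(rtt_s: float, fwi: int, baseline_s: float, slack: float = 3.0) -> str:
    """Verdict for one command/response round trip seen by the reader.

    baseline_s: RTT of the same command with the card directly on the reader
                (assumed to be measured in advance); slack is a hypothetical margin.
    """
    if rtt_s > fwt_seconds(fwi):
        return "timeout"   # the protocol itself rejects the response
    if rtt_s > baseline_s * slack:
        return "suspect"   # within the protocol limit, far slower than a local card
    return "ok"

def review(log, fwi, baseline_s):
    """Classify every (command, rtt_s) entry of a reader timing log."""
    return [(cmd, classify(rtt, fwi, baseline_s)) for cmd, rtt in log]

# Constructed sample log: command name and measured round-trip time in seconds.
SAMPLE_LOG = [
    ("SELECT", 0.020),        # card on the reader
    ("READ BINARY", 0.045),   # card on the reader
    ("READ BINARY", 0.800),   # latency of the order reported on slide 11
    ("READ BINARY", 5.200),   # beyond the largest FWT
]

if __name__ == "__main__":
    print(f"max FWT (FWI=14): {fwt_seconds(14):.3f} s")
    print("smallest FWI accepting 0.8 s:", min_fwi_accepting(0.8))
    for cmd, verdict in review(SAMPLE_LOG, fwi=14, baseline_s=0.030):
        print(f"{cmd:12s} {verdict}")
```

The latency budget is a heuristic of this example only; the countermeasures the slides themselves name are access codes and shielding.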

SLIDE 12

Live Experiment: Italy-Austria Relay Attack?

  • Let’s try!
  • (you know, things never go well in these cases... we apologize in advance…)

[Figure: 541Km]

SLIDE 13

Contactless Smart Card Applications

  • Government (e.g., identification)
  • Banking (e.g., electronic payments)
  • Transport (e.g., tickets)
  • Access control
  • Loyalty programs
  • ...
SLIDE 14

Market Figures

Source:

SLIDE 15

Conclusions

  • Long distance relay attack in dynamic conditions against contactless smart cards proved
  • A "botnet of smart cards" is possible
  • Practical countermeasures:
      • Access codes (e.g., MRZ, PIN)
      • Shielding

SLIDE 16

Thank you for your attention!