Software Card Emulation in NFC-enabled Mobile Phones: Great Advantage or Security Nightmare?

Similar documents
Software Card Emulation in NFC-enabled Mobile Phones: Great Advantage or Security Nightmare?

An NFC Ticketing System with a new approach of an Inverse Reader Mode

An NFC Ticketing System with a new approach of an Inverse Reader Mode

Mobile Near-Field Communications (NFC) Payments

NFC Hacking: The Easy Way

Smart Ride: European transit systems move to contactless mobile payments Trends and Developments, May 05, 2015

Applying the NFC Secure Element in Mobile Identity Apps. RANDY VANDERHOOF Executive Director Smart Card Alliance

Applying recent secure element relay attack scenarios to the real world: Google Wallet Relay Attack

Information Security Group (ISG) Core Research Areas. The ISG Smart Card Centre. From Smart Cards to NFC Smart Phone Security

Significance of Tokenization in Promoting Cloud Based Secure Elements

NFC. Technical Overview. Release r05

NFC Tags & Solutions. Understanding Near Field Communication (NFC) Technology. Executive Summary

NFC Hacking: The Easy Way

Mobile NFC 101. Presenter: Nick von Dadelszen Date: 31st August 2012 Company: Lateral Security (IT) Services Limited

Mobile Electronic Payments

Frequently Asked Questions

Loyalty Systems over Near Field Communication (NFC)

NFC Test Challenges for Mobile Device Developers Presented by: Miguel Angel Guijarro

NFC: Enabler for Innovative Mobility and Payment NFC: MOBILIDADE E MEIOS DE PAGAMENTO

EMV-TT. Now available on Android. White Paper by

Mobile Applications and OpenTravel Specifications

Secure Element Deployment & Host Card Emulation v1.0

Training. MIFARE4Mobile. Public. MobileKnowledge April 2015

BGS MOBILE PLATFORM HCE AND CLOUD BASED PAYMENTS

DEVELOPING NFC APPS for BLACKBERRY

Bank. CA$H 2.0 Contactless payment cards

Mobile Financial Services Business Ecosystem Scenarios & Consequences. Summary Document. Edited By. Juha Risikko & Bishwajit Choudhary

Technical Article. NFiC: a new, economical way to make a device NFC-compliant. Prashant Dekate

Using an NFC-equipped mobile phone as a token in physical access control

Relay Attacks in EMV Contactless Cards with Android OTS Devices

Mobile Cloud & Mobile Ticketing

Store Logistics and Payment with Near Field Communication

Documentation of Use Cases for NFC Mobile Devices in Public Transport

Whitepaper on identity solutions for mobile devices

Latest and Future development of Mobile Payment in Hong Kong

HCE, Apple Pay The shock of simplifying the NFC? paper

DESIGN SCIENCE IN NFC RESEARCH

Mobile MasterCard PayPass Testing and Approval Guide. December Version 2.0

EESTEL. Association of European Experts in E-Transactions Systems. Apple iphone 6, Apple Pay, What else? EESTEL White Paper.

Mobile Payment: The next step of secure payment VDI / VDE-Colloquium. Hans-Jörg Frey Senior Product Manager May 16th, 2013

Securing the future of mobile services. SIMalliance Open Mobile API. An Introduction v2.0. Security, Identity, Mobility

Using RFID Techniques for a Universal Identification Device

1. Fault Attacks for Virtual Machines in Embedded Platforms. Supervisor: Dr Konstantinos Markantonakis,

Mobile Payment Security discussion paper

Secure your Privacy. jrsys, Inc. All rights reserved.

HCE and SIM Secure Element:

Achieving Universal Secure Identity Verification with Convenience and Personal Privacy A PRIVARIS BUSINESS WHITE PAPER

NFC Testing. Near Field Communication Research Lab Hagenberg. Gerald Madlmayr. NFC Research Lab, Hagenberg. E-Smart 2008, Sophia Antipolis

Stronger(Security(and( Mobile'Payments'! Dramatically*Faster!and$ Cheaper'to'Implement"

Training. NFC in Android. Public. MobileKnowledge October 2015

Common requirements and recommendations on interoperable media and multi-application management

GLOBAL MOBILE PAYMENT TRANSACTION VALUE IS PREDICTED TO REACH USD 721 BILLION BY MasterCard M/Chip Mobile Solution

Mobile Payment Transactions: BLE and/or NFC? White paper by Swen van Klaarbergen, consultant for UL Transaction Security s Mobile Competence Center

C23: NFC Mobile Payment Ecosystem & Business Model. Jane Cloninger Director

Application of Near Field Communication Technology for Mobile Airline Ticketing

PN532 NFC RFID Module User Guide

The Survey on Near Field Communication

Exercise 1: Set up the Environment

NFC technology user guide. Contactless payment by mobile

Mobile Cloud Computing

THE APPEAL FOR CONTACTLESS PAYMENT 3 AVAILABLE CONTACTLESS TECHNOLOGIES 3 USING ISO BASED TECHNOLOGY FOR PAYMENT 4

CASQUE SNR Presentation 16 th April 2015

BT LE RFID Reader v1.0

Mobile Commerce. Deepankar Roy, Ph.D. National Institute of Bank Management, Pune, India

Threat Modeling for offline NFC Payments

NFC technology user guide. Contactless payment by mobile

What is a Smart Card?

MOBILE PAYMENT IN THE EU: ROLE OF NFC. Gerd Thys Product Manager Clear2Pay Open Test Solutions (OTS)

PUF Physical Unclonable Functions

Cloning Credit Cards: A combined pre-play and downgrade attack on EMV Contactless

}w!"#$%&'()+,-./012345<ya

Overview of Contactless Payment Cards. Peter Fillmore. July 20, 2015

Security Analysis of Mobile Payment Systems

Near Field Communication in Cell Phones

OVERVIEW OF MOBILE PAYMENT LANDSCAPE

OVERVIEW OF MOBILE PAYMENT LANDSCAPE Marianne Crowe Federal Reserve Bank of Boston NEACH September 10, 2014

permitting close proximity communication between devices in this case a phone and a terminal.

SECURITY IMPLICATIONS OF NFC IN AUTHENTICATION AND IDENTITY MANAGEMENT

Bringing Security & Interoperability to Mobile Transactions. Critical Considerations

Making Cloud-Based Mobile Payments a Reality with Digital Issuance, Tokenization, and HCE WHITE PAPER

NFC technology user guide. Contactless payment by mobile

RFID Penetration Tests when the truth is stranger than fiction

Android pay. Frequently asked questions

Chytré karty opět o rok dál...

Touch & Travel a SIM-based eticketing System

Security on NFC-Enabled Platforms

Transcription:

Software Card Emulation in NFC-enabled Mobile Phones: Great Advantage or Security Nightmare? Michael Roland University of Applied Sciences Upper Austria,, Austria IWSSISPMU2012 International Workshop on Security and Privacy in Spontaneous Interaction and Mobile Phone Use 18 June 2012, Newcastle, UK www.nfc-research.at This work is part of the project 4EMOBILITY within the EU program Regionale Wettbewerbsfähigkeit OÖ 2007 2013 (Regio 13) funded by the European regional development fund (ERDF) and the Province of Upper Austria (Land Oberösterreich).

This document has been downloaded from http://www.mroland.at/

Outline Introduction Near Field Communication Secure Element-based Card Emulation Software Card Emulation Software Card Emulation Advantages Disadvantages Conclusion 2 www.nfc-research.at Software Card Emulation in NFC-enabled Mobile Phones: Great Advantage or Security Nightmare?

Near Field Communication Advancement of proximity RFID and smartcard technology Idea: Touch an object to trigger an action 3 operating modes Peer-to-peer mode Reader/writer mode Card emulation mode 3 www.nfc-research.at Software Card Emulation in NFC-enabled Mobile Phones: Great Advantage or Security Nightmare?

NFC in a Mobile Phone Application processor NFC interface Application processor Secure element (via NFC controller) Peer-to-peer mode, Reader/writer mode, Software card emulation (1) (3) Secure card emulation (internal access to secure element) Secure element NFC interface Secure card emulation (2) (4) Application processor Secure element (direct) Secure card emulation (internal access to secure element) 4 www.nfc-research.at Software Card Emulation in NFC-enabled Mobile Phones: Great Advantage or Security Nightmare?

Card Emulation NFC device emulates a contactless smartcard Access control token Credit card Compatibility to existing proximity smartcard infrastructure Emulation by Smartcard chip (secure element) Software on application processor 5 www.nfc-research.at Software Card Emulation in NFC-enabled Mobile Phones: Great Advantage or Security Nightmare?

Secure Element-based Card Emulation Secure Element Dedicated secure element chip UICC ( SIM card ) SD memory card Same high security level as other smartcards Secure storage Secure execution environment Hardware-based cryptographic operations 6 www.nfc-research.at Software Card Emulation in NFC-enabled Mobile Phones: Great Advantage or Security Nightmare?

Attacks on Card Emulation and Smartcards Example: Relay Attack Communication between smartcard and reader can be relayed over longer distances Proxy reader in proximity of the smartcard Proxy card emulator in proximity of the actual reader Proxy card emulator and proxy reader communicate over an alternative channel (e.g. Bluetooth) 7 www.nfc-research.at Software Card Emulation in NFC-enabled Mobile Phones: Great Advantage or Security Nightmare?

Software card emulation No secure element Smartcard commands handled by software on the application processor 8 www.nfc-research.at Software Card Emulation in NFC-enabled Mobile Phones: Great Advantage or Security Nightmare?

Availability of Software Card Emulation All BlackBerry NFC mobile phones CyanogenMod 9 after-market firmware for Android devices Dedicated NFC reader devices (e.g. ACR 122U) Dedicated card emulators (Proxmark, ) 9 www.nfc-research.at Software Card Emulation in NFC-enabled Mobile Phones: Great Advantage or Security Nightmare?

Advantages of Software Card Emulation Card emulation is often associated with high revenue applications (payment, ticketing, access control) Everyone wants to develop these applications BUT: Secure element is under tight control of handset manufacturer/trusted service manager/mobile network operator Competing applications not likely to be allowed to coexist on one secure element High cost to get applications onto a secure element (due to limited space and expensive certification) 10 www.nfc-research.at Software Card Emulation in NFC-enabled Mobile Phones: Great Advantage or Security Nightmare?

Advantages of Software Card Emulation Software card emulation opens card emulation applications to average developers Complex secure element is not needed Anybody can develop applications based on existing reader infrastructure Software card emulation can be used as an alternative to peer-topeer mode Peer-to-peer mode is still not (fully) supported by many NFC devices Many smartcard readers for PCs do not support peer-to-peer mode Reader/writer mode is well supported on the PC platform through PC/SC (peer-to-peer mode is not!) Software stack for reader/writer mode is less complex than that of peer-topeer mode Great chance for others than the big players to create innovative NFC applications 11 www.nfc-research.at Software Card Emulation in NFC-enabled Mobile Phones: Great Advantage or Security Nightmare?

Disadvantages of Software Card Emulation Application processor is less secure than secure element (no secure storage, no trusted execution environment) Difficult to store sensitive data Possible interference by other applications Maybe okay for some applications (e.g. ticketing) Problematic with other applications (e.g. payment, access control) Software card emulation devices as attack platform Card emulator for relay attacks Mobile phones have form factor expected for NFC/contactless transactions Mobile phones have network connectivity for the relay channel 12 www.nfc-research.at Software Card Emulation in NFC-enabled Mobile Phones: Great Advantage or Security Nightmare?

Cloud-based Secure Element 13 www.nfc-research.at Software Card Emulation in NFC-enabled Mobile Phones: Great Advantage or Security Nightmare?

Conclusion Software card emulation is a great opportunity for developers Breaks the barrier of secure element-based solutions Easy integration into existing contactless smartcard systems Easier to use than peer-to-peer mode Significant risk Developers may be lazy with securing their applications and data Devices may be used as platform for relay attacks 14 www.nfc-research.at Software Card Emulation in NFC-enabled Mobile Phones: Great Advantage or Security Nightmare?

September 11th 12th, 2012, Austria Thank You! http://congress.nfc-research.at/ Michael Roland Research Associate, NFC University of Applied Sciences Upper Austria,, Austria michael.roland (at) fh-hagenberg.at www.nfc-research.at This work is part of the project 4EMOBILITY within the EU program Regionale Wettbewerbsfähigkeit OÖ 2007 2013 (Regio 13) funded by the European regional development fund (ERDF) and the Province of Upper Austria (Land Oberösterreich).

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information