Long Distance Relay Attack - Semantic Scholar
Long Distance Relay Attack
Luigi Sportiello, Joint Research Centre, Institute for the Protection and the Security of the Citizen, European Commission
Smart Cards
• "Something you have"
• Secure data storage
• Qualify the holder for operations
• Two possible communication technologies
• Contact
• Contactless
Contactless Smart Cards
• Some characteristics:
  • quick interactions
  • working distance: typically a few cm
Diagram: the contactless card reader (master) sends commands to the contactless card (slave), which returns responses.
Reader-Card Communication Protocol
• ISO/IEC 14443 (with ISO/IEC 7816-4 on top) is the common stack for many contactless smart cards
• The protocol imposes some time constraints on the communication
Diagram (protocol stack): ISO/IEC 14443 handles anticollision/initialization and carries each command and response in an ISO 14443 frame; ISO/IEC 7816-4 defines the APDUs inside those frames (read, write, ...). The card's response must arrive within the frame waiting time, which at the largest allowed setting (FWI = 14) is at most about 5 s.
Relay Attack Against a Contactless Smart Card
• Two devices are needed:
• Proxy: emulates a contactless smart card
• Mole: acts as reader nearby the victim card
• Communication channel between Proxy and Mole
Diagram: commands travel reader → Proxy → Mole → card, and responses travel back along the same path; to the reader the Proxy looks like the card, to the card the Mole looks like the reader.
Relay Attack: Our Aim
• Relay attacks against contactless smart cards are not new
  • Earlier experiments used purpose-built hardware modules
  • Lab conditions, short distances
• Our proof of concept:
  • Long-distance attack (>10 km)
  • In dynamic conditions (no constraints on device positions)
Relay Attack on a Mobile Phone Network
• Off-the-shelf equipment
• Mobile phones with NFC (ISO 14443 compliant) as Proxy and Mole
• Mobile phone network for Proxy-Mole communication
• Data connectivity is provided by essentially all mobile network operators
Diagram: Proxy App (NFC card emulation; opens the connection; forwards commands/responses) and Mole App (NFC card reader; accepts connections; forwards commands/responses) talking over the Internet, Proxy at IP X.X.X.X and Mole at IP Y.Y.Y.Y. Both phones get restricted/private IP addresses from the operator, so neither can receive an incoming connection: a direct phone-to-phone connection is not possible.
Our Relay Attack Architecture
Diagram: a server with a reachable address accepts connections from both phones and forwards commands and responses between them. Proxy and Mole each open a socket to the server, so neither phone has to accept an incoming connection; every Cmd goes Proxy → server → Mole and every Rsp goes Mole → server → Proxy.
Our Relay Attack Architecture: More Details
Diagram: ISO 14443 communication at both ends (reader ↔ Proxy and Mole ↔ card); in between, commands and responses travel as ordinary data over the phones' Internet connections via the server.
Relay Attack on a Geographical Scale
• We successfully relayed a reader-to-ePassport communication over several kilometres (15 km and 42 km in our tests)
• Authentication protocols are useless against relay attacks: the genuine card answers every challenge, so the reader sees a valid card
• It is no longer possible to assume that a card is physically near the reader it is talking to
No Timing Issues
On average, the reader waited ≈ 800 ms for each response over the relay, well within the ~5 s maximum allowed by ISO 14443, so the relay triggers no protocol timeouts.
Diagram: each Cmd/Rsp pair crosses the mobile network twice while the reader ↔ Proxy and Mole ↔ card legs remain plain ISO 14443 communication.
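The following added example (not code from the original talk) puts the architecture of the previous slides and the timing budget of the ISO 14443 slide into runnable form. It computes the frame waiting time from FWI, then runs Proxy, rendezvous server and Mole as three threads: both phone sides dial in to the server (here `socket.socketpair()` stands in for the two outbound TCP connections, since the phones' private addresses cannot accept connections), the server shuttles frames, and the Proxy measures the round trip of every APDU. The 2-byte length-prefix framing, the simulated card, the sample APDUs and the modelled network latency are all constructed assumptions, not the author's implementation.

```python
import socket
import struct
import threading
import time

FC_HZ = 13.56e6  # ISO/IEC 14443 carrier frequency


def fwt_seconds(fwi: int) -> float:
    """Frame Waiting Time (ISO/IEC 14443-4): FWT = (256 * 16 / fc) * 2**FWI.

    The card announces FWI (0..14) in its ATS; at FWI = 14 the reader waits
    up to ~4.95 s for a response, the "~5 s" on the slide. S(WTX) requests
    can stretch individual waits further and are not modelled here.
    """
    if not 0 <= fwi <= 14:
        raise ValueError("FWI must be in 0..14")
    return (256 * 16 / FC_HZ) * 2 ** fwi


def relay_fits(rtt_s: float, fwi: int) -> bool:
    """Does a relayed round trip of rtt_s seconds stay inside the reader's FWT?"""
    return rtt_s < fwt_seconds(fwi)


# --- framing on the Proxy <-> server <-> Mole channel (assumed 2-byte big-endian length prefix) ---

def send_frame(sock: socket.socket, payload: bytes) -> None:
    sock.sendall(struct.pack(">H", len(payload)) + payload)


def recv_frame(sock: socket.socket) -> bytes:
    (n,) = struct.unpack(">H", _recv_exact(sock, 2))
    return _recv_exact(sock, n)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed channel")
        buf += chunk
    return bytes(buf)


# --- the three parties ---

def relay_server(to_proxy: socket.socket, to_mole: socket.socket, n_apdus: int) -> None:
    """Rendezvous server: both phones dialled in; forward frames between the two sockets."""
    for _ in range(n_apdus):
        cmd = recv_frame(to_proxy)   # reader -> Proxy -> server
        send_frame(to_mole, cmd)     # server -> Mole
        rsp = recv_frame(to_mole)    # card -> Mole -> server
        send_frame(to_proxy, rsp)    # server -> Proxy -> reader


def simulated_card(cmd: bytes) -> bytes:
    """Constructed stand-in for the victim card: SELECT (INS A4) -> SW 90 00, anything else -> 6D 00."""
    if len(cmd) < 4:
        return b"\x67\x00"  # wrong length
    return b"\x90\x00" if cmd[1] == 0xA4 else b"\x6D\x00"


def mole(to_server: socket.socket, n_apdus: int, one_way_delay_s: float) -> None:
    """Mole phone: NFC reader held against the victim card, connected outward to the server."""
    for _ in range(n_apdus):
        cmd = recv_frame(to_server)
        time.sleep(one_way_delay_s)  # constructed: mobile-network latency, inbound leg
        rsp = simulated_card(cmd)    # the genuine card answers the genuine command
        time.sleep(one_way_delay_s)  # constructed: mobile-network latency, outbound leg
        send_frame(to_server, rsp)


def proxy(to_server: socket.socket, apdus: list, results: list) -> None:
    """Proxy phone: card emulation in front of the real reader; times each command/response."""
    for cmd in apdus:
        t0 = time.monotonic()
        send_frame(to_server, cmd)
        rsp = recv_frame(to_server)
        results.append((rsp, time.monotonic() - t0))


def run_relay(apdus: list, one_way_delay_s: float) -> list:
    """Wire up Proxy, server and Mole over two in-process channels and run the exchange.

    Returns [(response_bytes, round_trip_seconds), ...] as observed by the Proxy.
    """
    proxy_end, server_proxy_end = socket.socketpair()  # stands in for Proxy's TCP connection
    mole_end, server_mole_end = socket.socketpair()    # stands in for Mole's TCP connection
    results: list = []
    threads = [
        threading.Thread(target=relay_server, args=(server_proxy_end, server_mole_end, len(apdus))),
        threading.Thread(target=mole, args=(mole_end, len(apdus), one_way_delay_s)),
        threading.Thread(target=proxy, args=(proxy_end, apdus, results)),
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    for s in (proxy_end, server_proxy_end, mole_end, server_mole_end):
        s.close()
    return results


if __name__ == "__main__":
    # Constructed APDUs: SELECT by AID (CLA 00 INS A4 P1 04 P2 0C Lc 02 + 2 data bytes) and an
    # unsupported instruction, relayed with 0.4 s per leg, i.e. the ~800 ms round trip on the slide.
    sample = [b"\x00\xA4\x04\x0C\x02\x01\x02", b"\x00\xFF\x00\x00"]
    for rsp, rtt in run_relay(sample, one_way_delay_s=0.4):
        print(f"SW {rsp.hex()}  RTT {rtt:.3f} s  fits FWI=14: {relay_fits(rtt, 14)}  fits FWI=11: {relay_fits(rtt, 11)}")
```

The point the numbers make: an 800 ms round trip fits comfortably under the 4.95 s budget of FWI = 14 and still under FWI = 12 (about 1.24 s); only a reader that refused to wait beyond FWI = 11 (about 0.62 s) would time out this relay, and even then a faster network or a patient attacker closes the gap, which is why the talk does not count timing as a countermeasure.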
Live Experiment: Italy-Austria Relay Attack?
• Let’s try!
• (you know, things never go well in these cases... we apologize in advance…)
Distance: 541 km
Contactless Smart Card Applications
• Government (e.g., identification)
• Banking (e.g., electronic payments)
• Transport (e.g., tickets)
• Access control
• Loyalty programs
• ...
Market Figures
Conclusions
• Long-distance relay attack in dynamic conditions against contactless smart cards demonstrated
• A "botnet of smart cards" (many victim cards reachable on demand through many Mole devices) is possible
• Practical countermeasures:
  • Access codes (e.g., MRZ, PIN): the chip releases nothing until the reader proves knowledge of a secret that is not available over the contactless interface
  • Shielding: a card kept in a shielded sleeve cannot be powered or read, so there is nothing to relay
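Why an access code works against the Mole, shown with the ePassport case from the talk: a passport that enforces Basic Access Control (ICAO Doc 9303) derives its session keys from the MRZ printed on the data page, so a reader that has never seen the open booklet cannot complete EXTERNAL AUTHENTICATE and gets no data groups to relay. The following added example (not the author's code) implements the ICAO check-digit and key-derivation steps; the MRZ values are the sample data from the ICAO worked example, not a real passport, and the function names are this example's own.

```python
import hashlib

# ICAO Doc 9303 check-digit weights, applied cyclically over a field
_WEIGHTS = (7, 3, 1)


def mrz_char_value(c: str) -> int:
    """Character values for the MRZ check digit: '0'-'9' -> 0-9, 'A'-'Z' -> 10-35, filler '<' -> 0."""
    if "0" <= c <= "9":
        return ord(c) - ord("0")
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(field: str) -> str:
    """Weighted (7, 3, 1) sum modulo 10, the digit printed after each MRZ field."""
    total = sum(mrz_char_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def mrz_information(document_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> str:
    """The 24-character string hashed for BAC: document number padded to 9 with '<' plus its
    check digit, date of birth (YYMMDD) plus check digit, date of expiry (YYMMDD) plus check digit."""
    doc = document_number.ljust(9, "<")
    if len(doc) != 9 or len(birth_yymmdd) != 6 or len(expiry_yymmdd) != 6:
        raise ValueError("bad MRZ field lengths")
    return (doc + check_digit(doc)
            + birth_yymmdd + check_digit(birth_yymmdd)
            + expiry_yymmdd + check_digit(expiry_yymmdd))


def _adjust_des_parity(key: bytes) -> bytes:
    """Set the least significant bit of each byte so the byte has odd parity (DES key convention)."""
    out = bytearray()
    for b in key:
        upper = b & 0xFE
        odd = bin(upper).count("1") % 2 == 1
        out.append(upper if odd else upper | 1)
    return bytes(out)


def derive_3des_key(k_seed: bytes, counter: int) -> bytes:
    """ICAO 9303 key derivation: SHA-1(Kseed || counter as 4-byte big-endian), first 16 bytes,
    parity-adjusted. Counter 1 gives the encryption key Kenc, counter 2 the MAC key Kmac."""
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return _adjust_des_parity(digest[:16])


def bac_keys(document_number: str, birth_yymmdd: str, expiry_yymmdd: str):
    """Return (Kseed, Kenc, Kmac) for a passport's MRZ. Kseed is the first 16 bytes of
    SHA-1 over MRZ_information; a Mole without the printed MRZ cannot compute any of these."""
    info = mrz_information(document_number, birth_yymmdd, expiry_yymmdd)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    return k_seed, derive_3des_key(k_seed, 1), derive_3des_key(k_seed, 2)


if __name__ == "__main__":
    # Sample MRZ data from the ICAO Doc 9303 worked example (document L898902C,
    # born 1969-08-06, expires 1994-06-23); constructed input, not a real document.
    k_seed, k_enc, k_mac = bac_keys("L898902C", "690806", "940623")
    print("MRZ_information:", mrz_information("L898902C", "690806", "940623"))
    print("Kseed:", k_seed.hex().upper())
    print("Kenc: ", k_enc.hex().upper())
    print("Kmac: ", k_mac.hex().upper())
```

A PIN-protected card plays the same role for the other application areas listed earlier: the secret travels from the holder to the reader outside the contactless channel, so a Mole brought near the card in a pocket has nothing it can forward. Note that this defends against an attacker who lacks the secret; a relay run by someone who has also obtained the MRZ or PIN is not stopped, which is why the talk pairs access codes with shielding.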
Thank you for your attention!