Abstract
In certain applications, it is important for a remote server to securely determine whether or not two mobile devices are in close physical proximity. In particular, in the context of an NFC transaction, the bank server can validate the transaction if both the NFC phone and reader are at precisely the same location, thereby preventing a devastating form of relay attack against such systems.
In this paper, we develop secure proximity detection techniques based on the information collected by ambient sensors available on NFC mobile phones, such as audio and light data. These techniques can work under the current payment infrastructure, and offer many advantages. First, they do not require the users to perform explicit actions, or make security decisions, during the transaction – just bringing the devices close to each other is sufficient. Second, being based on environmental attributes, they make it very hard, if not impossible, for the adversary to undermine the security of the system. Third, they provide a natural protection to users’ location privacy as the explicit location information is never transmitted to the server. Our experiments with the proposed techniques developed on off-the-shelf mobile phones indicate them to be quite effective in significantly raising the bar against known attacks, without affecting the NFC usage model. Although the focus of this work is on NFC phones, our approach will also be broadly applicable to RFID tags or related payment cards equipped with on-board audio or light sensors.
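The server-side check described in the abstract can be sketched as follows. This is an added example, not code from the paper: the similarity measure (peak normalized cross-correlation), the 0.6 threshold, the function names and the synthetic "ambient audio" are all assumptions made for illustration, since the abstract does not specify them.

```python
import math
import random

def normalize(x):
    """Zero-mean, unit-energy copy of a sample window."""
    mean = sum(x) / len(x)
    centered = [v - mean for v in x]
    energy = math.sqrt(sum(v * v for v in centered)) or 1.0
    return [v / energy for v in centered]

def max_xcorr(a, b, max_lag):
    """Peak normalized cross-correlation over lags in [-max_lag, max_lag].

    Searching over lags tolerates small clock offsets between the devices.
    """
    a, b = normalize(a), normalize(b)
    best = -1.0
    for lag in range(-max_lag, max_lag + 1):
        s = sum(a[i] * b[i + lag] for i in range(len(a)) if 0 <= i + lag < len(b))
        best = max(best, s)
    return best

def co_located(phone, reader, threshold=0.6, max_lag=20):
    """Server decision: accept only if the two ambient captures match.

    The server sees sensor samples only, never explicit coordinates.
    threshold and max_lag are assumed values, not taken from the paper.
    """
    return max_xcorr(phone, reader, max_lag) >= threshold

def capture(ambient, offset, n, noise, rng):
    """Constructed sensor reading: a window of ambient signal plus device noise."""
    return [ambient[offset + i] + rng.gauss(0, noise) for i in range(n)]

def demo():
    rng = random.Random(1)
    # Constructed ambient signals: one at the reader, one at a distant phone
    # whose NFC traffic is being relayed to that reader.
    shop = [rng.gauss(0, 1) for _ in range(600)]
    elsewhere = [rng.gauss(0, 1) for _ in range(600)]
    reader = capture(shop, 100, 400, 0.3, rng)
    phone_near = capture(shop, 107, 400, 0.3, rng)   # same room, 7 samples of skew
    phone_far = capture(elsewhere, 100, 400, 0.3, rng)
    return co_located(phone_near, reader), co_located(phone_far, reader)

if __name__ == "__main__":
    print(demo())
```

A relayed transaction fails the check because the distant phone's capture is uncorrelated with the reader's environment, while a genuinely co-located phone passes despite sensor noise and clock skew.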
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Halevi, T., Ma, D., Saxena, N., Xiang, T. (2012). Secure Proximity Detection for NFC Devices Based on Ambient Sensor Data. In: Foresti, S., Yung, M., Martinelli, F. (eds) Computer Security – ESORICS 2012. ESORICS 2012. Lecture Notes in Computer Science, vol 7459. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33167-1_22
DOI: https://doi.org/10.1007/978-3-642-33167-1_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-33166-4
Online ISBN: 978-3-642-33167-1
eBook Packages: Computer Science, Computer Science (R0)