Near-field communication (NFC) is a set of protocols that enables two electronic devices to establish communication by bringing them very close together. Usually the devices must be within less than 4cm. Contactless payment systems use NFC devices, including smartphones, and are similar to those used in credit cards and electronic ticket smartcards. Social networking and sharing contacts, photos, videos or files also uses NFC. Many secure environments use NFC technology for authentication, allowing users to log in into computers, printers and for physical access to the building, to name a few examples. But can an attacker use the NFC signal for data exfiltration?
Abusing NFC Radio Configurations
By abusing the way the NFC radio can be configured in an NFC-enabled device, such as a smartphone or USB reader, our research shows that it is possible to induce controllable changes in the NFC radio emission behaviour and to remotely detect those changes to decode information. A malicious application can take advantage of these radio emissions to exfiltrate data via the NFC frequency in a stealthy way. We were able to transmit the NFC signal at a distance much bigger than anyone previously thought possible, even with off the shelf components. In fact, even a simple AM radio with short-wave support is enough to receive the signal.
Read the complete research at https://www.nfcdrip.com.
Implementing the Data Exfiltration Methods
Our security research team developed both an Android application and a Linux application to implement this data exfiltration method using the native Android API and libnfc, for Android and Linux, respectively. The research demonstrates successful data exfiltration at 20 meters and signal detection at over 35 meters using the NFC radio of a Samsung S8 Android device. Using a NFC USB dongle, a Linux laptop and libnfc, the research showed successful data exfiltration at over 60 meters and signal detection at over 75 meters, over 1000 times the usual effective working distance. All tests use a cheap, standard radio as a receiver, connected via the mic jack to a smartphone that decodes the data.
The Real NFC Range
As NFC is assumed to only work usefully at very short ranges, it is disregarded as a potential channel for data exfiltration. This research shows that NFC enabled devices can be abused to bridge an air-gap, so they should definitely be on the data-egress point list and should be taken into account when it comes to threat analysis, policies to prevent data exfiltration and air-gap design and implementation.
The detection of this new exfiltration technique will most likely need dedicated equipment and needs further research. At the moment, there is no known way or tool to detect this kind of attack.