NFCdrip Attack Proves Long-Range Data Exfiltration via NFC
19.10.2018 securityweek
Attack

Researchers have demonstrated that the near-field communication (NFC) protocol can be used to exfiltrate small amounts of data, such as passwords and encryption keys, over relatively long distances.

NFC enables two devices to communicate over distances of up to 10 cm (4 in). The system, present in most modern smartphones, is often used for making payments, sharing files, and authentication.

Pedro Umbelino, senior researcher at application security firm Checkmarx has demonstrated that NFC can actually work over much longer distances and it can be highly efficient for stealthily exfiltrating data from air-gapped devices that have other communication systems – such as Wi-Fi, Bluetooth and GSM – disabled.

The attack, dubbed NFCdrip, involves changing NFC operating modes to modulate data. In the case of Android, changing NFC operating modes does not require any special permissions, making the attack even easier to launch.NFCdrip

NFCdrip uses on-off keying (OOK), the simplest form of amplitude-shift keying (ASK) modulation, in which the presence of a carrier wave signals a “1” bit and the absence of a wave a “0” bit. The exfiltration of 8 bits is required to send out one character, but researchers typically also suggest the use of additional bits for error detection.

In his experiments, Umbelino showed how a piece of malware installed on an Android smartphone can be used to transmit a password over tens of meters to another Android phone that is connected to a simple AM radio.

The researcher showed that data can be transmitted over a distance of 2.5 m (8 ft) without any errors at a rate of 10-12 bits per second. The transfer rate is maintained on a distance of 10 m (32 ft), but some errors appear, although they are corrected. As the distance increases, the signal fades and the number of errors increases, but Umbelino did manage to transfer some data over a distance of more than 60 m (nearly 200 ft). He also managed to exfiltrate data through walls over a distance of 10 m.

The range can be extended significantly if an AM antenna and a software defined radio (SDR) dongle are used, the expert said.

Umbelino noted that the attack may even work on some devices when airplane mode is activated, and highlighted that this is not an Android-specific issue – NFCgrip attacks can be conducted on laptops and other types of devices as well.

Checkmarx plans on making the NFCgrip PoC application open source. In the meantime, several videos showing the experiments conducted by Umbelino and a Hack.lu talk discussing the findings have been made available.