Much has been written about Near-Field Communications (NFC) for consumer transactions; however, NFC is still so new that I want to address it in a broader security context and, hopefully, stimulate some creative thinking. In my opinion, multiple security applications are waiting to be developed.
NFC is an RFID standards-based wireless technology, operating at 13.56 MHz over extremely short distances (less than 2 inches). When designed into a smartphone, it is capable of enabling data transfer between the phone and a companion device. The Nokia model 6131 was the first NFC phone, introduced in 2006. The predominant application driving this technology has been electronic payment as a follow-on to contactless smart cards, and manufacturer interest has been significant, as witnessed by the growth of the NFC Forum (www.nfc-forum.org) — founded in 2004 by Nokia, Philips and Sony — to more than 135 members today.
Like RFID, data transfer is based on inductive coupling in an unlicensed ISM band. Devices can function as readers or writers and be active or passive, as long as one device is active. Energy from an active device will couple to and power the passive device. In peer-to-peer mode, devices may actively exchange data and set up Bluetooth or Wi-Fi sessions; and, in card emulation mode, the NFC phone may mimic a traditional smart card, because the RFID infrastructure is essentially the same.
Communication modes are established when communication is initiated. An active device is normally a reader, receiving information from the passive device (normally a tag, sticker, key fob or card). There are four tag types, with properties as shown below:
Tag Type | Read/Write (R/W) | Memory, Basic (bytes) | Memory, Expanded (bytes) | Max Data Rate (Kbps)
1        | R/W              | 96                    | 2 K                      | 106
2        | R/W or R         | 48                    | 2 K                      | 106
3        | R                | 2 K                   | -                        | 212
4        | R                | 32 K                  | -                        | 424
Read-only tags are pre-configured with limited data, such as an ID number or a URL, where the smart device can access more detailed information.
Given its roots in RFID technology, access control was a natural first application for NFC in the security space. HID Global and Assa Abloy have taken a strong proactive approach in the implementation of NFC technology (Editor’s Note: see page 29 of this issue for a report on HID’s NFC pilot at Arizona State).
Other, less obvious applications will undoubtedly emerge. For some, it is simply a matter of answering questions like: “Is there information I would like to access,” or “Do I need to control or activate something,” or “Do I want to authorize someone or some action,” or “How can existing RFID function be enhanced through the use of a highly intelligent smartphone reader device?”
Here are a few application ideas, but I’m sure creative minds in our industry will conjure up others:
Read a device MAC address from a device tag and initiate diagnostics;
Access product information from a URL, whose link is on the tag;
View stored or live video from a camera, based on a URL provided by the tag;
Activate lights; and
Initiate a duress signal.
NFC Security Flaws
If you ask most CSOs, IT managers and related parties about the information and network security concerns created by smartphones, you will get an earful. These devices are intelligent, largely uncontrolled, and hackable.
On one hand, the close proximity requirement of NFC devices enhances security a bit, but the sheer number of NFC devices and their potential applications make them an attractive target. Several types of attacks are theoretically or practically possible:
An attack on data confidentiality may take the form of eavesdropping. Although NFC distance is extremely short range, eavesdropping may be attempted with larger antennas and open-source devices over distances of up to several meters.
A man-in-the-middle attack may be used to either obtain or modify data in order to get the receiving device to accept altered data, compromising data integrity.
While smartphones normally use two-factor authentication (something you have — phone; something you know — PIN), the loss or theft of the phone reduces this to one factor. Critical applications may require the use of additional factors, such as a biometric.
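Added example (not from the original article): the application ideas above have the phone follow a URL stored on a tag, and the integrity concern is that the phone accepts altered data. This Python sketch decodes a short NFC Forum NDEF URI record and accepts the link only if it is HTTPS and points at an approved host. The host names, the sample records and the helper build_uri_record are constructed for illustration.

```python
from urllib.parse import urlsplit

# URI identifier codes from the NFC Forum URI record definition (subset).
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}
# Assumption: hosts this deployment trusts for camera and product links.
ALLOWED_HOSTS = {"cameras.example.com", "docs.example.com"}

def parse_uri_record(data: bytes) -> str:
    """Decode one short, unchunked NDEF URI record; raise ValueError otherwise."""
    if len(data) < 3:
        raise ValueError("record too short")
    header, type_len, payload_len = data[0], data[1], data[2]
    if not header & 0x10 or header & 0x20:     # need SR=1 (short), CF=0 (no chunks)
        raise ValueError("only short, unchunked records are handled")
    pos, id_len = 3, 0
    if header & 0x08:                          # IL flag: an ID length byte follows
        if len(data) < 4:
            raise ValueError("record too short")
        id_len, pos = data[3], 4
    rec_type = data[pos:pos + type_len]
    pos += type_len + id_len                   # skip the type and optional ID fields
    payload = data[pos:pos + payload_len]
    if (header & 0x07) != 0x01 or rec_type != b"U":
        raise ValueError("not a well-known URI record")
    if payload_len == 0 or len(payload) != payload_len:
        raise ValueError("truncated payload")
    if payload[0] not in URI_PREFIXES:
        raise ValueError("unsupported URI prefix code")
    return URI_PREFIXES[payload[0]] + payload[1:].decode("utf-8")

def is_trusted(url: str) -> bool:
    """Accept only HTTPS links whose exact host is on the allowlist."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS

def build_uri_record(code: int, rest: str) -> bytes:
    """Hypothetical helper that builds the constructed sample records below."""
    payload = bytes([code]) + rest.encode("utf-8")
    return bytes([0xD1, 0x01, len(payload)]) + b"U" + payload

# Constructed samples: a genuine tag and one rewritten to a lookalike host.
GENUINE = build_uri_record(0x04, "cameras.example.com/lobby/live")
ALTERED = build_uri_record(0x04, "cameras.example.com.lookalike.example/lobby/live")

if __name__ == "__main__":
    for name, record in (("genuine", GENUINE), ("altered", ALTERED)):
        url = parse_uri_record(record)
        print(name, url, "trusted" if is_trusted(url) else "rejected")
```

The allowlist only limits where a rewritten tag can send the phone; it does not authenticate the tag itself.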