NFCGate: Opening the Door for NFC Security Research with a Smartphone-Based Toolkit

TL;DR

NFCGate is an open-source toolkit that transforms smartphones into powerful NFC analysis tools, enabling security research and vulnerability discovery in NFC systems without specialized hardware.

Contribution

The paper presents an extended NFC toolkit based on open-source code, with new features like traffic analysis, modification, relay, and replay, facilitating NFC security research on smartphones.

Findings

Discovered security issues in an enterprise NFC lock

Demonstrated NFCGate's effectiveness in analyzing real-world NFC devices

Enabled NFC protocol analysis without dedicated hardware

Abstract

Near-Field Communication (NFC) is being used in a variety of security-critical applications, from access control to payment systems. However, NFC protocol analysis typically requires expensive or conspicuous dedicated hardware, or is severely limited on smartphones. In 2015, the NFCGate proof of concept aimed at solving this issue by providing capabilities for NFC analysis employing off-the-shelf Android smartphones. In this paper, we present an extended and improved NFC toolkit based on the functionally limited original open-source codebase. With in-flight traffic analysis and modification, relay, and replay features this toolkit turns an off-the-shelf smartphone into a powerful NFC research tool. To support the development of countermeasures against relay attacks, we investigate the latency incurred by NFCGate in different configurations. Our newly implemented features and improvements enable the case study of an award-winning, enterprise-level NFC lock from a well-known European lock vendor, which would otherwise require dedicated hardware. The analysis of the lock reveals several security issues, which were disclosed to the vendor.