Relay attacks generally occur between two entities that communicate with each other through wireless means. When a relay attack between an honest prover and an honest verifier occurs, an adversary tricks the prover and verifier into believing that they are indeed communicating with each other. Such attacks are rather difficult to identify and prevent since a passive adversary does not modify any of the messages communicated between prover and verifier. RFID/NFC-based applications are particularly vulnerable to such attacks. We provide an overview of RFID-based relay attacks and evaluate various streams of research that have attempted to address these attacks. Specifically, we consider distance-bounding techniques and the use of artificial or natural ambient conditions, with specific emphasis on the latter.
• Relay attacks are difficult to identify when they occur.
• We provide an overview of existing means to address relay attacks.
• Specifically, we consider distance- and ambient-conditions-based approaches.
• We discuss issues with these approaches and possible future research directions.
Remote keyless entry systems have penetrated the vehicular market due to their convenience. However, their vulnerability to relay attacks exploiting the wireless channel is a serious threat. One of the prominent countermeasures is radio ranging between the key fob and the vehicle. Taking into account radio regulations, usability and power consumption among other things, a suitable approach must be devised. This article proposes sub-GHz two-way ranging based on phase detection, which offers high tolerance against reference clock offset between a pair of transceiver devices and a novel compensation scheme against multipath effects. We present the operation principle and theoretical performance under a two-path model of radio propagation and additive white Gaussian noise. In field experiments with prototype devices, the ranging accuracy is validated. We show that the proposed ranging produces sufficient performance for remote keyless entry systems, confirming whether the key fob is within a few meters of the vehicle.
A passive keyless entry and start (PKES) system is an electronic lock for an automobile that provides the great convenience of opening the door when the user is in proximity. However, the system suffers from relay attacks. Recent studies revealed that relayed signals result in valid packets that are sufficient to unlock doors. In particular, the adversary causes proximity errors by injecting a certain time delay before relaying to manipulate the phase rotation in the response signal. To this end, we present a novel relay-resilient proximity detection solution,
, which uses pseudo-random frequency hopping with the assistance of a reference backscattering device. Since the relay adversary transmits the relayed signals from the key fob at long distances, the signals should propagate over longer distances, resulting in inevitable significant phase rotation with different frequencies. Inspired by this finding,
uses an additional backscattering device to ensure the proximity of the key fob using the invariant characteristics of radio frequency signals in the physical layer (i.e., phase rotation). Our evaluation demonstrates the effectiveness of
in resisting three types of relay attacks. The results show that it achieved a 98% true positive rate at close range and a 0.3% false positive rate at long range.
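The phase-based proximity idea shared by the sub-GHz ranging abstract and the frequency-hopping abstract above, as an added simulation that is not code from either paper: a single-carrier phase check is wavelength-ambiguous, so an inserted delay can make a far echo look near, while the phase slope across hops yields a time of flight that a delay can only lengthen. The 915 MHz carrier, 1 MHz hop spacing, 16-channel hop set, 1 m reference tag and 3 m unlock radius are assumed values, not figures from the papers.

```python
import math

C = 299_792_458.0           # speed of light, m/s
F0 = 915e6                  # assumed carrier of a sub-GHz fob link (Hz)
HOP_STEP = 1e6              # assumed hop spacing; unambiguous range C/(2*HOP_STEP) = 150 m
HOPS = [F0 + i * HOP_STEP for i in range(16)]   # assumed 16-channel hop set

def echo_phase(freq_hz, dist_m, extra_delay_s=0.0):
    """Phase (mod 2*pi) of an echo after a round trip over dist_m, plus any
    delay a relay inserts before forwarding the fob's reply."""
    tof = 2.0 * dist_m / C + extra_delay_s
    return (2.0 * math.pi * freq_hz * tof) % (2.0 * math.pi)

def single_freq_accept(dist_m, extra_delay_s=0.0, ref_dist_m=1.0, tol_rad=0.2):
    """Naive check at one carrier: the fob's phase must match a reference tag
    at ref_dist_m. Phase wraps every lambda/2 (~16 cm), so this cannot
    distinguish 1 m from 1 m + k*lambda/2."""
    diff = echo_phase(F0, dist_m, extra_delay_s) - echo_phase(F0, ref_dist_m)
    diff = (diff + math.pi) % (2.0 * math.pi) - math.pi     # wrap to [-pi, pi)
    return abs(diff) < tol_rad

def mimic_delay(d_actual_m, d_target_m, freq_hz=F0):
    """Model of the manipulation the abstract describes: the (non-negative)
    delay that makes a far echo carry a near echo's phase at one frequency."""
    cycles = 2.0 * (d_target_m - d_actual_m) / C * freq_hz
    return (cycles % 1.0) / freq_hz

def hopping_distance(dist_m, extra_delay_s=0.0):
    """Distance from the phase slope across hops: d(phase)/d(f) = 2*pi*tof.
    A delay can only lengthen tof, so it cannot make a far fob look near."""
    phases = [echo_phase(f, dist_m, extra_delay_s) for f in HOPS]
    tof_sum = 0.0
    for p0, p1 in zip(phases, phases[1:]):
        dphi = (p1 - p0) % (2.0 * math.pi)
        tof_sum += dphi / (2.0 * math.pi * HOP_STEP)
    return tof_sum / (len(HOPS) - 1) * C / 2.0

def hopping_accept(dist_m, extra_delay_s=0.0, max_dist_m=3.0):
    """Accept only if the hop-derived distance is within the unlock radius."""
    return hopping_distance(dist_m, extra_delay_s) <= max_dist_m

if __name__ == "__main__":
    far, near = 40.0, 1.0
    tau = mimic_delay(far, near)
    print("single-carrier check accepts relayed fob:", single_freq_accept(far, tau))
    print("hop-derived distance of relayed fob: %.2f m" % hopping_distance(far, tau))
    print("hopping check accepts relayed fob:", hopping_accept(far, tau))
```

The hop-derived estimate comes out at about 40.15 m, the true distance plus the small extra path the inserted delay represents, so the multi-frequency check rejects what the single-carrier check accepts.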
In this paper, we present a systematic survey on contextual-information-based proximity detection techniques. These techniques are heavily used for improving security and usability in Zero-Interaction based Co-presence Detection and Authentication (ZICDA) systems. In particular, this survey includes a discussion on the possible adversary and communication models along with the existing security attacks on ZICDA systems. It also reviews the state-of-the-art proximity detection techniques that make use of contextual information. The proximity detection techniques are commonly referred to as Contextual Co-presence (COCO) protocols. The COCO protocols dynamically collect and use contextual information to improve the security of ZICDA systems during the proximity verification process. Finally, we summarize the significant challenges and suggest possible innovative and efficient future solutions for securely detecting co-presence between devices in the presence of adversaries. The proximity verification techniques presented in the literature usually involve several trade-offs between metrics such as efficiency, security, deployment cost, and usability. At present, there is no ideal solution which adequately addresses the trade-off between these metrics. Therefore, we trust that this review gives an insight into the strengths and shortcomings of the known research methodologies and paves the way for the design of future practical, secure, and efficient solutions.
Distance-bounding (DB) protocols are used to verify the physical proximity of two devices. DB can be used to establish trusted ad-hoc connections in the industrial Internet-of-Things, e.g., nodes can verify they are deployed in the same location and monitoring the same piece of equipment. Thresholds and error correction codes (ECCs) are two methods to provide error-resilience for DB protocols working in noisy environments. However, the threshold method adds overheads and the ECC method increases the adversary success probability, compared to threshold, when implemented in precommitment DB protocols. In this article, we investigate the ECC method and demonstrate that designers can mitigate the increased adversary success probability by using nonsystematic codes. To demonstrate this idea, we compare a prominent precommitment protocol by Brands and Chaum (BC) integrated with different types of ECCs against two existing error-resilience methods, showing how nonsystematic codes provide improved protocol security. Moreover, we further evaluate the BC protocol with nonsystematic ECCs and discuss how to configure protocols to minimize the protocol failure rate while maintaining adequate attack success probability.
Contactless and contact smart card systems use the physical constraints of the communication channel to implicitly prove the proximity of a token. These systems, however, are potentially vulnerable to an attack where the attacker relays communication between the reader and a token. Relay attacks are not new but are often not considered a major threat, unlike eavesdropping or skimming attacks, even though they arguably pose an equivalent security risk. In this paper we discuss the feasibility of implementing passive and active relay attacks against smart tokens and the possible security implications if an attacker succeeds. Finally, we evaluate the effectiveness of time-out constraints, distance bounding and the use of additional verification techniques for making systems relay-resistant and explain the challenges still facing these mechanisms.
The Mafia fraud consists in an adversary transparently relaying the physical layer signal during an authentication process between a verifier and a remote legitimate prover. This attack is a major concern for certain RFID systems, especially for payment related applications.
Previously proposed protocols that thwart the Mafia fraud treat relaying and non-relaying types of attacks equally: whether or not signal relaying is performed, the same probability of false-acceptance is achieved. Naturally, one would expect that non-relay type of attacks achieve a lower probability of false-acceptance.
We propose a low complexity authentication protocol that achieves a probability of false-acceptance essentially equal to the best possible false-acceptance probability in the presence of Mafia frauds. This performance is achieved without degrading the performance of the protocol in the non-relay setting. As an additional feature, the verifier can make a rational decision to accept or to reject a proof of identity even if the protocol gets unexpectedly interrupted.
• Physical context enables proximity verification and key establishment.
• We classify and survey the main approaches to security with physical context.
• We survey practical, experimentally verified work.
Edge computing is the concept of moving computation back to the endpoints of a network, as an alternative to, or in combination with, centralized, cloud-based architectures. It is especially of interest for Internet-of-Things and Cyber-Physical Systems where embedded endpoints make up the edge of the network, and where these devices need to make localised, time-critical decisions. In these environments secure, ad-hoc device-to-device interaction is important, but offers a challenge because devices might belong to different systems, or security domains, which complicates trusted communication and key establishment. There has been a growing interest in complementing conventional cryptography with physical context. This allows for services that are difficult to achieve with existing cryptographic mechanisms: device pairing (initial key establishment) and proof-of-proximity (ensuring devices are physically present). Numerous methods, the majority of which are based on the physical context of device characteristics, behavior or environment, have been proposed to supplement cryptography in achieving these services. This paper provides an overview of this area of research, first discussing the nature and importance of the two specified security services in ad-hoc communication settings and then providing an introduction to prominent physical context security approaches in the literature.
Distinguishable physical layer features of radio frequency have the potential to serve as new fingerprints for authentication in backscatter networks. They have a definite advantage in that backscatter tags do not have to run resource-intensive operations that commodity tags rarely implement. However, current physical layer authentication schemes impose substantial burdens on both service providers and users. Since physical layer features are highly susceptible to environmental factors, labor-intensive and time-consuming fingerprint library establishment is indispensable to gather sufficient statistics for authentication. In this paper, we propose TagDuet, a collision-assisted authentication scheme that adds an auxiliary tag to RFID systems, a typical type of backscatter network, without the requirement of fingerprint library establishment. TagDuet places an independent backscatter tag in the proximity of a reader and utilizes the features in intended tag collisions to improve wireless security. Our phase cancellation decoding algorithm accurately decodes the collisions, which makes TagDuet fully compatible with commodity RFID tags. TagDuet provides freshness, the paramount property for resisting replay attacks, and robustness to relay attacks under FCC regulations for frequency hopping. We implement a prototype of TagDuet with commodity tags, evaluate the performance in channels randomized by the auxiliary tag, and demonstrate the resilience against replay and relay attacks.
Near field communication (NFC) has been a widely used radiofrequency identification (RFID) technology, credited to its convenience and security features. However, the transmitted signals can be easily eavesdropped on or relayed in an open wireless channel. One of the challenges is the relay attack, where an attacker simply relays the signal and bypasses encryption or other means in the application layer. Prior work on relay attack countermeasures has focused on distance-bounding protocols or ambient-based solutions. This paper focuses on ISO/IEC 14443-A and proposes an NFC relay detection method based on RF fingerprinting of transmitted wireless signals in the physical layer. To this end, we first designed and implemented two realizations of NFC relay attacks, wired and wireless relays, and built an SDR-based testbed. We collected the normal and relayed signals of four NFC tags, and the answer to request type A (ATQA) segments were selected for RF fingerprinting. The created dataset comprised 66,366 samples, with the four tags' normal and wired relayed signals and the wireless relayed signals. The dataset was then fed into a deep CNN for training. Finally, our experimental results showed that the method effectively distinguished normal and relayed signals with a high accuracy of 99%, confirming that RF fingerprinting can be a promising countermeasure to NFC relay attacks.