From NFC Tools

Active demonstration of a relay attack using a genuine OMNIKEY 5121 RFID reader and ISO14443-A tag.



A relay attack is a kind of man-in-the-middle attack in which the attacker only forwards data. It does not have to trick any of the involved parties; it impersonates the genuine device simply by relaying the communication between the originator and that device. The genuine device is replaced by a device emulator. The emulator gathers the originator's instructions and forwards them to the genuine device, then gathers the responses from the genuine device and transmits them back to the originator.

Essentially, a relay attack on wireless protocols is very easy to perform. It only requires some hardware to redirect the transmitted signals over the air, and the attacker does not need to understand any higher-level protocol than the modulation itself. Most modulation techniques are publicly known, which often makes a relay attack possible with off-the-shelf hardware. For example, the modulation techniques used by NFC tags are specified by the ISO14443/ISO18092 standards.

A major difficulty during such an attack is the timing delay added by the relay. To prevent relay attacks it can therefore be useful to enforce strict timing constraints and to make use of distance-bounding protocols.

Access control

[Figure: relay attack on an access control system]
Modern access control systems often make use of wireless access cards based on RFID protocols. Authorization requires more protection than simple, low-cost RFID systems (e.g. animal identification) provide. To achieve this, new protection layers were added to RFID/NFC tags; one of these mechanisms is strong encryption. Besides the number of encryption schemes that have been proven insecure, almost all of them are vulnerable to a well-timed and well-performed relay attack. The picture on the left shows a simple example of how a relay attack works. Both red devices are controlled by the attacker, who uses some wireless link (GSM, WiFi) to relay the data from a genuine tag in someone's pocket to the access control reader hanging next to the door.

Example tool

This tool requires two compatible NFC devices. One will emulate an ISO14443-A tag, while the second device will act like an access control reader. The genuine tag is placed on the second device and the emulator is placed on top of the original reader. All communication is now relayed and logged to the screen.

Relaying frames over USB can be time-consuming because of the overhead created by the operating system, and not all readers accept the slow responses from the emulator. Luckily, desktop RFID readers like the "Omnikey 5121" tolerate slow timing, so it is recommended to use one of these devices to explore this advanced feature.
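The timing argument made above (the relay adds delay, and a tolerant reader such as the Omnikey 5121 still accepts the slow answers where a stricter reader would not) can be made concrete with a small simulation. This is an added example, not part of the original page or of the relay tool it describes; the tag and relay latencies are constructed values, and the reader is modelled as enforcing only the ISO14443-4 Frame Waiting Time.

```python
"""Simulated ISO14443-A exchange timing: genuine tag vs. relayed tag.
ISO14443-4 lets a reader wait at most the Frame Waiting Time
FWT = (256 * 16 / fc) * 2**FWI, fc = 13.56 MHz, FWI in 0..14 (default 4).
Latencies below are constructed sample values, not measurements."""
from dataclasses import dataclass

FC_HZ = 13.56e6
FWT_BASE_US = 256 * 16 / FC_HZ * 1e6  # ~302 us at FWI = 0

def fwt_us(fwi: int) -> float:
    """Frame Waiting Time in microseconds for a given FWI (0..14)."""
    if not 0 <= fwi <= 14:
        raise ValueError("FWI must be in 0..14")
    return FWT_BASE_US * 2 ** fwi

@dataclass
class Tag:
    """Genuine tag: answers after a fixed processing time (constructed)."""
    processing_us: float = 200.0

    def respond(self, apdu: bytes) -> tuple[bytes, float]:
        return b"\x90\x00", self.processing_us

@dataclass
class Relay:
    """Emulator plus second reader forwarding frames to a remote genuine tag.
    Each direction adds hop_latency_us (USB polling, OS scheduling, link)."""
    genuine: Tag
    hop_latency_us: float  # constructed per-direction latency

    def respond(self, apdu: bytes) -> tuple[bytes, float]:
        resp, delay = self.genuine.respond(apdu)
        return resp, delay + 2 * self.hop_latency_us  # forward + return path

def reader_exchange(device, apdu: bytes, fwi: int) -> tuple[bool, float]:
    """Send apdu; accept the answer only if it arrives within FWT(fwi).
    Returns (accepted, observed_delay_us) so late answers can be logged."""
    resp, delay = device.respond(apdu)
    return (resp == b"\x90\x00" and delay <= fwt_us(fwi)), delay

if __name__ == "__main__":
    select = bytes.fromhex("00a40400")  # constructed APDU header
    for name, dev in (("tag", Tag()), ("relay", Relay(Tag(), 4000.0))):
        for fwi in (4, 14):  # strict default vs. most lenient reader
            ok, d = reader_exchange(dev, select, fwi)
            print(f"{name:5} FWI={fwi:2} delay={d:9.1f} us -> {'ok' if ok else 'REJECTED'}")
```

With the default FWI of 4 (about 4.8 ms) the relayed answer is rejected, while a reader that only enforces the maximal FWT (about 4.9 s) accepts it. Real distance bounding needs a far tighter budget than FWT, since the relay here adds milliseconds while radio propagation over a few metres takes nanoseconds.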


[Figures: relay attack with USB readers; two screenshots of the example relay tool]
