NFC Tags and Security

Roger Hornstra, Identiv

© 2014. Smart Card Alliance. All Rights Reserved.



What is NFC?

• Near Field Communications
• Short Range Wireless using ISO 14443
  • (1-4 cm typical, 10 cm max)
• Low Speed Communications (106-414 kbps)
• Passive Targets (look, no batteries!)
  • Random devices that are not powered: stickers
• Low Friction Setup (No Discovery, No Pairing)
  • Two devices automatically start communicating when they are close to each other


NFC Tag Types

• Tag 1 Type
  • Based on the ISO14443A standard. Tags are read and re-write capable, and users can configure the tag to become read-only. Memory available today is up to 512 bytes, expandable up to 2 Kbytes. The communication speed of this NFC tag is 106 Kbit/s. As a result of its simplicity, this tag type is cost effective and ideal for many NFC applications.

• Tag 2 Type
  • Also based on ISO14443A. Tags are read and re-write capable, and users can configure the tag to become read-only. The basic memory size of this tag type is only 48 bytes to 888 bytes, expandable to 2 Kbytes. Communication speed is 106 Kbit/s.

• Tag 3 Type
  • Based on the Sony FeliCa system. Currently has a 2 Kbyte memory capacity, and the data communication speed is 212 Kbit/s. Accordingly, this NFC tag type is better suited to more complex applications. Please note: higher cost per tag.

• Tag 4 Type
  • Defined to be compatible with the ISO14443A and B standards. The tag must be formatted/pre-configured prior to personalization. Read/re-writable, or read-only. The memory capacity can be up to 32 Kbytes, and the communication speed is between 106 Kbit/s and 424 Kbit/s. Highest cost per tag.


IC Manufacturers & NFC Types

| NFC Forum Platform | Type 1 Tag | Type 2 Tag | Type 3 Tag | Type 4 Tag |
|---|---|---|---|---|
| Compatible Products | Broadcom Topaz | NXP Mifare Ultralight, NXP Mifare Ultralight C, NXP NTAG203, 210, 213, 216 | Sony FeliCa | NXP DESFire / NXP SmartMX-JCOP |
| Memory Size | Original 96, now 512 Bytes | 48 Bytes / 888 Bytes | 1, 4, 9 KB | 4 KB / 32 KB |
| Unit Price | Low | Low | High | Medium / High |
| Data Access | Read/Write or Read-Only | Read/Write or Read-Only | Read/Write or Read-Only | Read/Write or Read-Only |


New chips

• NXP Ultralight C (192 bytes)
  • Key additional features:
    • Enhanced security including anti-cloning protection; first IC to increase UID to 7 bytes
    • 3DES encryption authentication support
    • OTP area

• NXP NTAG 210 (80 bytes), 212 (164 bytes), 213 (144 bytes), 215 (504 bytes) and 216 (888 bytes)
  • Key additional features:
    • 32-bit password used to lock memory
    • Field-programmable read-only locking feature
    • No DES encryption


NFC Tag 1-4 Antenna Sizes and Shapes

| Antenna Size | Tape pitch (mm) | Tape width (mm) | Antenna Material |
|---|---|---|---|
| 45 x 76 mm | 80 | 48 | Al |
| 45 x 42 mm | 48 | 48 | Al |
| 60 x 25 mm | 32 | 64 | Al |
| 60 x 10 mm | 25.4 | 65 | Cu |
| 38 x 22.5 mm | 35 | 48 | Al |
| 15 x 32 mm | 48 | 35 | Al |
| 32 x 15 mm | 25 | 48 | Al |
| 20 x 10 mm | 25.3 | 48 | Cu |
| 14,4 x 14.5 mm | 22 | 25 | Cu |
| 14 x 31 mm | 48 | 48 | Cu |
| 3,5 x 45 mm | 50.8 | 35 | Cu |
| Ø8.7 mm | 14.25 | 35 | Cu |
| Ø12 mm | 25.4 | 35 | Cu |
| Ø15 mm | 25.4 | 35 | Cu |
| Ø20 mm | 30 | 35 | Cu |
| Ø25 mm | 32 | 35 | Cu |
| Ø34 mm | 48 | 48 | Al |
| Ø107 mm | 127 | 119 | Al |


NFC & Global Applications: DISCOVERY, TRANSACTIONS, EXCHANGE

NFC is “Near Field Communication”
• Close proximity wireless technology
• Fully standardized
• Compatible with existing smart card infrastructure
• 2013 phone penetration: 300 million +
• Intuitive, super easy to use

“CHECK IN & PICK UP”

DISCOVERY

TRANSACTIONS
• Social media location updates
• On the spot reviews
• Offers / coupons / directions
• On the spot services, e.g., movie trailers

PEER TO PEER EXCHANGES

Person to Person
• Sharing (contact, vcard, photos, songs…)
• Social networking, gaming …

Machine to Machine
• Pairing wireless protocols (e.g. easy log-on to WiFi)
• Sharing between phone and PC, TV & other devices

• Speed, Convenience & Ease of use
• Existing infrastructure
• Multitasking
• Mobile computing power
• Rich user interface


The Market has Evolved Where Today we Find:

NFC -- a short-range, wireless communication standard -- can be summed up in three primary purposes: Sharing, Pairing and Transactions.


Original Applications Ideas

• Transportation
• Food ordering
• Information on demand
• Loyalty point collection / redemption
• Smart poster
• Device Setting at cinema
• Phone2Phone Payment
• Coupon download - “down road” (KOREA)


Recent Applications Ideas

• At home: Put an NFC tag near your door and set it to do things like: enable Wi-Fi, decrease brightness, disable Bluetooth, and auto-sync. Using NFC Task Launcher, you can program the tag to "switch," so that when you exit your house and tap the tag for the second time, it changes those settings (like disabling Wi-Fi).

• Driving in the car: Stick an NFC tag somewhere near your dashboard or middle console and have it disable Wi-Fi, increase volume, and enable Bluetooth (for a headset). If you have your phone hooked up to the car's speakers, program the tag to fire up an app like Pandora.


More

• Getting to work: Place the NFC tag on a phone dock or your desk's surface and program it to decrease brightness, disable sounds, enable Wi-Fi, and enable auto-sync. Depending on your habits, you might also have it launch a music app, open your daily to-do list, and even check you into Foursquare.

• If you use the Switch option, you can tap the tag again on your way out and have it disable the previously enabled features. And, if you're an extra attentive husband or wife, the tag can also be programmed to send your loved one a text message alerting them that you've left the office and are on the way home.

• On the bedside table: If you have a phone dock by your bed, place a tag near the dock and program it to disable sounds, enable any alarms, disable auto-sync, disable the notification LED, and decrease the brightness.

• Working out: The fitness types might benefit from an NFC tag on their workout armband or gym bag. For zero distractions, program the tag to enable airplane mode. Or, use the tag to fire up your favorite fitness app and playlist or streaming music app.


Little Known Uses and Unique Ideas

• Give access to your Wi-Fi network: If you'd like to give guests at home (or at an office) access to your Wi-Fi network without giving up your password, check out InstaWifi. The free Android app lets you program an NFC tag that, when tapped with an NFC-enabled device, gives the phone or tablet instant access to the associated Wi-Fi network. Download the app from the Google Play store to get started (link).

• Auto-start timers: How many times have you loaded the washing machine, walked away, and completely forgot you were doing your laundry? Put an NFC tag next to your washing machine and dryer that, when tapped, fires up a timer.

• Get shortcuts to specific Evernote notes: With Touchanote, a free app that won the Evernote Developers Competition, tags can be programmed to link directly to specific notes. Their examples include a tag on your desk that opens a to-do list, or placing a tag near a product that links to a note with instructions on how to use it. For more examples and the full walkthrough, check out the video on YouTube. You can download Touchanote from the Google Play Store now (link).


MANY MORE NFC APPLICATIONS

• Touch2Call
• NFC Photo Frame
• Touch n Check: Price/Product info
• NFCTicket: Buy 1 or Many then transfer!
• iLifeStory: Read someone’s life story
• Touch2Go: NFC door reader
• Touch2View: Movie purchase
• Touch 2 Set Mode: Device Setting


NFC is EVERYWHERE!


Security


NFC NDEF Basics

• The concept of NFC NDEF is to send data of any format over the interface while still retaining the air interface data format.

• An NDEF message is composed of one or more NDEF records.

• The limit on the number of records that can be encapsulated in an NFC NDEF message depends upon the application in use and the tag type used.

• So that the system knows where messages begin and end, the first record in a message has the MB (Message Begin) flag set and the last record has the ME (Message End) flag set. The minimum message length is one record, which is achieved by setting both the MB and the ME flag in the same record.


NFC NDEF Basics

• To ensure that the data capability is used efficiently, NFC NDEF records do not incorporate an index number - the index number within the message is implicitly assigned by the order in which the records occur.
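
The framing rules from the NDEF slides above, as an added Python example that is not part of the original presentation: a parser that walks the record headers, enforces the MB/ME rules, and returns records in their implicit index order. The header layout (flag bits, SR/IL length fields) follows the NFC Forum NDEF specification; the names `parse_ndef` and `NdefError` and the sample messages are constructed for illustration.

```python
import struct

# NDEF record header flag bits (first byte of every record)
MB, ME, CF, SR, IL, TNF_MASK = 0x80, 0x40, 0x20, 0x10, 0x08, 0x07

class NdefError(ValueError):
    """Raised when a buffer is not a well-framed NDEF message."""

def parse_ndef(data: bytes) -> list:
    """Parse one NDEF message; the list index is the implicit record index."""
    records, pos = [], 0
    while pos < len(data):
        try:
            hdr, type_len = data[pos], data[pos + 1]
            pos += 2
            if hdr & SR:                  # short record: 1-byte payload length
                payload_len = data[pos]
                pos += 1
            else:                         # normal record: 4-byte big-endian length
                (payload_len,) = struct.unpack_from(">I", data, pos)
                pos += 4
            id_len = 0
            if hdr & IL:                  # optional ID length field
                id_len = data[pos]
                pos += 1
        except (IndexError, struct.error):
            raise NdefError("truncated record header") from None
        if hdr & CF:
            raise NdefError("chunked records are not handled in this example")
        end = pos + type_len + id_len + payload_len
        if end > len(data):               # never trust tag-supplied lengths
            raise NdefError("record lengths run past the end of the buffer")
        if bool(hdr & MB) != (not records):
            raise NdefError("MB must be set on the first record and only there")
        records.append({
            "tnf": hdr & TNF_MASK,
            "type": data[pos:pos + type_len],
            "id": data[pos + type_len:pos + type_len + id_len],
            "payload": data[pos + type_len + id_len:end],
            "mb": bool(hdr & MB), "me": bool(hdr & ME),
        })
        pos = end
        if hdr & ME:                      # ME closes the message
            break
    if not records or not records[-1]["me"]:
        raise NdefError("no record carries the ME flag")
    if pos != len(data):
        raise NdefError("unexpected bytes after the ME record")
    return records

# Constructed sample messages (not captured from a real tag).
URI, TEXT = b"\x04example.com", b"\x02enhi"   # 0x04 = "https://" prefix code
SINGLE = bytes([MB | ME | SR | 0x01, 1, len(URI)]) + b"U" + URI
FIRST = bytes([MB | SR | 0x01, 1, len(TEXT)]) + b"T" + TEXT
TWO = FIRST + bytes([ME | SR | 0x01, 1, len(URI)]) + b"U" + URI
NO_END = FIRST + bytes([SR | 0x01, 1, len(URI)]) + b"U" + URI  # ME never set
```

`SINGLE` is the one-record minimum with both flags set in the same header byte; `NO_END` is rejected because no record closes the message.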


What is the Device Technology?

• The standard calls for two types of device
  • These are known as the Initiator and the Target of the communication. As the names imply, the Initiator is the device that initiates the communication, and it controls the data exchanges. The Target is the device that responds to requests from the Initiator.

• The standard defines two different modes of operation
  • Active mode of communication: both devices generate an RF signal on which the data is carried.
  • Passive mode of communication: only one NFC device generates an RF field. The second, passive device, which is the Target, uses a technique called load modulation to transfer data back to the primary device, or Initiator.


NFC Security Basic Threats

• There are several important areas for near field communications security. Each possible vulnerability must be addressed and resolved. Some of the major NFC security areas are listed below:
  • Eavesdropping
  • Data corruption
  • Data modification
  • Man-in-the-middle attack

• The above are the most common ways to breach NFC security. The communication standard defines a very close read range, which significantly reduces the probability of a threat. However, this does not mean you are totally safe when deploying NFC tags. Any tag can be breached with time and knowhow!


NFC Security Basics Eavesdropping

• Radio Wave Attack Threat:
  • NFC radio waves propagate in the vicinity of the transmitter and are available to be received. It is possible for unwanted users to pick up the signals. The technology to receive these signals is not difficult to create.

• Reception Range:
  • Typical NFC passive read range is just a few centimeters. Known attackers have read usable signals up to 1 meter.
  • Active mode distances of up to 10 meters may be at risk.


NFC Security – Data Corruption

• Essentially a form of denial of service attack
• Attacker may try to disturb the communications by sending data that may or may not be valid
• Possible threat to block the channel, therefore corrupting legitimate data
• Attacker does not need to be able to decipher the valid data being sent
• Power required to successfully attack a system is significantly higher than that which can be detected by the NFC device transmitting the data. Therefore proper monitoring of the data channel can detect the spike in power profile.


NFC Security – Data Modification

• Involves the attacker aiming to arrange for the receiving device to receive data that has been manipulated
• Complication is that data must be in the correct format for it to be accepted
• Possible for some bits but not all to be modified, due to the high baud rate of data transfer
• Example is 106 Baud data rate in active mode. Very difficult to intercept in both directions simultaneously


NFC Security- Man-in-the-Middle

• This form of threat involves a two-party communication being intercepted by a third party.

• The third party acts as a relay; by listening to the data and manipulating it if required, the attacker is able to collect data.

• Police probe 'skimming' card reader at Citizens ATM
  • January 15, 2013
  • Gloucester police are advising residents to check bank statements after learning today that an illegal device used to read debit card information was attached to the Citizen’s Bank ATM at the bank’s Main Street location.


Consider Before Launching

• Design your Tag to meet environmental challenges
• Always Lock the Tag
• Consider offering visual authenticity techniques to prove your brand
• If sensitive information exists, consider using encryption
• Networks monitoring active tags to create a trusted connection help to protect against fraud
• At the application level, always allow the user the opportunity to confirm a request
• Take into account all aspects of a new product launch to ensure your product offers widespread trust


For more information, go to: www.nfc-forum.org, www.identiv.com


1900 B Carnegie Ave. Santa Ana CA, 92705 (404) 531 9604

www.identiv.com

Roger Hornstra

VP Strategic Accounts

Identiv