Projects - User contributions [en]

Projects:2016s1-160c Cyber Security - Personal Networks and Devices

2016-10-20T13:35:45Z

A1645999:

Group Members: Michael Hua, Olga Rodionova, Petko Stefanov

== NFC Security ==

Michael Hua

----

== Introduction ==

Near Field Communication (NFC) is a form of wireless communication over a very short range in the order of centimeters [1]. NFC technology differentiates from other forms of wireless communication with its speed and efficiency. The communication between two devices is able to occur in just seconds with minimal overhead setup costs that is associated with Bluetooth and QR Codes. Communication can happen in various modes: Active – Active, Active – Passive, Passive – Active; where active devices have their own power supply and passive devices are powered from active devices via induction [1, 2]. An example of an active device may be a smart phone and a passive device may be an NFC Tag. NFC tags are a common technology where a tag is able to store data (a simple message or data structure) and is able to be read by an NFC capable device, such as a smart phone [1].

== The Security Issue ==

In a society where technology is advancing at an astonishing rate, technology such as NFC seems very promising. NFC technology markets itself as quick and easy, however, the compromise or trade off would be security [1]. NFC is able to enhance the quality of our current technology and opens up more possibilities. Thus the motivation behind this research project is to strengthen NFC security in attempt to promote further development and utilisation of NFC-Tag based applications and NFC based technology.

Because the NFC scanning process is so quick and easy, there are major security issues involving confidentiality, authentication, integrity and access/availability. Upon further investigation, there are have been multiple studies and analyses which delve into this issue further. However, by breaking down the entire end-to-end NFC scanning process, it is evident the current investigations and research targets the middle stages of the process, mainly considering the stored data itself.
[[File:NFC Chip.jpg|350px|thumb|right|NFC chip implanted in hand]]
A recent security exploit in NFC revealed that a hacker was able to implant an NFC-capable chip in his hand (refer to right image) and able to exploit members of the public by infecting their device with malware [3]. Although, the malware is quite simplistic and limited with numerous drawbacks, the fact that these devices could be easy compromised is an issue of concern [3].

A breakdown of the NFC scanning process into four steps:

1. Scanning of the NFC capable devices (devices or tags);

2. Notification;

3. Authentication, encryption and integrity check;

4. Network and content integrity.

== Proposed Solution ==

To directly combat this issue, a solution has been proposed making the first step of the NFC scanning process more deliberate by incorporating numerous conditions. If and only if these conditions are met, will the NFC scanning process be allowed to proceed. Previously, if an unlocked NFC device and NFC tag were brought into very close proximity of each other, the device would successfully scan without permission from the user; this was the fundamental problem with the security breach where the hacker implanted a chip into his hand.

The underlying principle behind the proposed solution is to make the process of NFC require active input but still remain as quick and as convenient as it were before. Basically, the NFC capabilities will indefinitely remain disabled until certain conditions are met. Once these conditions are met, the NFC capabilities will be enables for a short period of time where the user is then able to scan and utilise the NFC functions. After this brief period, the NFC capabilities will then again be disabled indefinitely.

To test the feasibility and demonstrate this, a simple android application was developed. The application disables the phones NFC capabilities and only enables it only for a short period of time if the proximity sensor is not obstructed and the phone detects a shaking motion.

As the reputation and major selling point of NFC technology is that is quick, easy and convenient, the conditions to enable NFC communication must align with this very idea. The conditions required deliberate human action but must remain quick and convenient because if it becomes too complex, there would be nothing deterring developers and users towards Bluetooth or QR Code technology – other forms of short range wireless communication.

The first condition which must be met is proximity. Under normal circumstances when a user decides to scan another device or an NFC Tag, the proximity sensor is unobstructed – it is counter intuitive and very unlikely a user will purposely scan their device with the proximity sensor obstructed. The idea behind this condition is to prevent a device being unknowingly scanned by a hacker if it is faced down, in the user’s pocket or bag, etc. This is just one of the two conditions proposed in attempt to improve the security of NFC technology.

The other condition which must be met is a deliberate action. This deliberate action takes advantage of the phones accelerometer. This is a personalised action set by the user and could be a swish, a shake or any personalised action which can be recreated by the user. This deliberate action condition in most cases completely removes the possibility accidental and unwarranted scanning of devices. Furthermore, it idea of a simple physical action as one of the conditions to enable NFC capabilities still align with the fundamental idea and selling point of NFC technology. Although it does require an additional active input to enable the function it is still very quick, easy and convenient.
[[File:Process1.PNG|750px|thumb|centre|Flow Diagram of the NFC Enabling Process with Added Conditions]]

== Conclusion ==

The application was successfully implemented with all the designed features. It was then able to be tested with NFC Tags. The overall conclusion is that this idea is feasible although there is a slight delay in the NFC being toggled on/off. Furthermore, the shaking motion is quite generic so this method will only be able to prevent some forms of unwarranted scanning. Where the original idea was to make this shake any form of custom motion, the next logical step would be to implement this and further build on the application. This next step should be able to have a “capture mode” where for a short period of time, records and stores a personalised motion through manipulation of the accelerometer. This can then replace the shake detector module; so if the phone is unlocked, the proximity sensor if not obstructed and the personalised motion is recreated, the phones NFC capabilities will be enabled for a short period of time.

Though the application is not the main purpose or goal of this research, it is just a simple and easy method to practically demonstrate and test the feasibility of the idea. If it is determined this method is feasible and practical, phone developers may consider incorporating this additional security measure into their phones; this could be achieved much more easily without all the limitations encountered as an amateur application developer. Furthermore, it wouldn’t be in the form of an application, it would have to be implemented into the phones operating system and always running as a background operation.Although the protocol has been proposed for the use with NFC Tags, if technology is further developed, the same concept should be able to be utilised in all modes of NFC communication (active-active, active-passive, etc).

== Future Works ==

As the NFC scanning process has been broken down, it is evident another aspect of security in the NFC process which has yet to be considered is security from the back end. This is at the final stages of the process where the user has intentionally communicated with another device where the stored information has passed all checks for authenticity and integrity. Some ideas which can be further research would be along the lines of some network based security solutions. This may entail checking the software against a known blacklist/whitelist etc. Another alternative can be the use of an antivirus; this could potentially extend to an online antivirus of some sort as the device may be limited in size. Furthermore, a sandbox environment could also be utilised where the program is executed in an environment which is isolated and not able to interact with other elements of the system.

These are just some aspects of NFC security that can be further investigated. Overall, the future of NFC is promising; it is a quick, easy and convenient method of wireless communication with much potential. However, further research and development is required to strengthen and improve its security before it is utilised more widely in a commercial sense.

----

Petko Stefanov:
An analysis of security flaws in the NFC functionality of modern mobile devices

This project aims to investigate into the prevention of network infection by securing them from a local mobile device level. Specifically, the aim is to investigate the Near Field Communication protocol used in modern mobile devices (with minor insight into similar utilizations in Bluetooth and Wi-fi) which can be exploited to transmit malware from device to device or device to associated network. The investigation covers an analysis on NFC as a protocol and what security risks are associated with it, ways to utilise NFC devices or NFC compatible objects to transmit malware, past cases of such attacks and past attempts to solve such attacks from happening. From the investigation, the desired outcome is to design a countermeasure against whatever exploits that are identified.

----

Olga Rodionova:
Medical Data Security in wearable fitness devices

In the recent years, wearable fitness devices have been blurring the line between medical and personal Internet
of Things (IoT) devices. This project aims to explore security aspects of data storage on fitness devices by
building on existing research into smart band networks and data collection. The integration of wearable fitness
devices into the medical industry will be considered and possible avenues for obtaining unauthorised access to
private medical information will be outlined.

----

== References ==

[1] M. Mareli, S. Rimer, B. S. Paul, K. Ouahada, and A. Pitsillides, "Experimental evaluation of NFC reliability between an RFID tag and a smartphone," in AFRICON, 2013, 2013, pp. 1-5.

[2] M. Roland, Security Issues in Mobile NFC Devices: Springer International Publishing, ISBN 978-3-319-15487-9, 2015.

[3] M. R. (2014, 2 April 2016). Taking “being connected” to the next level: Man implants NFC chip into his hand. Available: http://www.phonearena.com/news/Taking-being-connected-to-the-next-level-Man-implants-NFC-chip-into-his-hand_id62057

Projects:2016s1-160c Cyber Security - Personal Networks and Devices

2016-10-20T13:31:44Z

A1645999: /* The Security Issue */

Group Members: Michael Hua, Olga Rodionova, Petko Stefanov

== NFC Security ==

Michael Hua

----

== Introduction ==

Near Field Communication (NFC) is a form of wireless communication over a very short range in the order of centimeters [1]. NFC technology differentiates from other forms of wireless communication with its speed and efficiency. The communication between two devices is able to occur in just seconds with minimal overhead setup costs that is associated with Bluetooth and QR Codes. Communication can happen in various modes: Active – Active, Active – Passive, Passive – Active; where active devices have their own power supply and passive devices are powered from active devices via induction [1, 2]. An example of an active device may be a smart phone and a passive device may be an NFC Tag. NFC tags are a common technology where a tag is able to store data (a simple message or data structure) and is able to be read by an NFC capable device, such as a smart phone [1].

== The Security Issue ==

In a society where technology is advancing at an astonishing rate, technology such as NFC seems very promising. NFC technology markets itself as quick and easy, however, the compromise or trade off would be security [1]. NFC is able to enhance the quality of our current technology and opens up more possibilities. Thus the motivation behind this research project is to strengthen NFC security in attempt to promote further development and utilisation of NFC-Tag based applications and NFC based technology.

Because the NFC scanning process is so quick and easy, there are major security issues involving confidentiality, authentication, integrity and access/availability. Upon further investigation, there are have been multiple studies and analyses which delve into this issue further. However, by breaking down the entire end-to-end NFC scanning process, it is evident the current investigations and research targets the middle stages of the process, mainly considering the stored data itself.

A recent security exploit in NFC revealed that a hacker was able to implant an NFC-capable chip in his hand (refer to image below) and able to exploit members of the public by infecting their device with malware [3]. Although, the malware is quite simplistic and limited with numerous drawbacks, the fact that these devices could be easy compromised is an issue of concern [3].

[[File:NFC Chip.jpg]]
A breakdown of the NFC scanning process into four steps:

1. Scanning of the NFC capable devices (devices or tags);

2. Notification;

3. Authentication, encryption and integrity check;

4. Network and content integrity.

== Proposed Solution ==

To directly combat this issue, a solution has been proposed making the first step of the NFC scanning process more deliberate by incorporating numerous conditions. If and only if these conditions are met, will the NFC scanning process be allowed to proceed. Previously, if an unlocked NFC device and NFC tag were brought into very close proximity of each other, the device would successfully scan without permission from the user; this was the fundamental problem with the security breach where the hacker implanted a chip into his hand.

The underlying principle behind the proposed solution is to make the process of NFC require active input but still remain as quick and as convenient as it were before. Basically, the NFC capabilities will indefinitely remain disabled until certain conditions are met. Once these conditions are met, the NFC capabilities will be enables for a short period of time where the user is then able to scan and utilise the NFC functions. After this brief period, the NFC capabilities will then again be disabled indefinitely.

To test the feasibility and demonstrate this, a simple android application was developed. The application disables the phones NFC capabilities and only enables it only for a short period of time if the proximity sensor is not obstructed and the phone detects a shaking motion.

As the reputation and major selling point of NFC technology is that is quick, easy and convenient, the conditions to enable NFC communication must align with this very idea. The conditions required deliberate human action but must remain quick and convenient because if it becomes too complex, there would be nothing deterring developers and users towards Bluetooth or QR Code technology – other forms of short range wireless communication.

The first condition which must be met is proximity. Under normal circumstances when a user decides to scan another device or an NFC Tag, the proximity sensor is unobstructed – it is counter intuitive and very unlikely a user will purposely scan their device with the proximity sensor obstructed. The idea behind this condition is to prevent a device being unknowingly scanned by a hacker if it is faced down, in the user’s pocket or bag, etc. This is just one of the two conditions proposed in attempt to improve the security of NFC technology.

The other condition which must be met is a deliberate action. This deliberate action takes advantage of the phones accelerometer. This is a personalised action set by the user and could be a swish, a shake or any personalised action which can be recreated by the user. This deliberate action condition in most cases completely removes the possibility accidental and unwarranted scanning of devices. Furthermore, it idea of a simple physical action as one of the conditions to enable NFC capabilities still align with the fundamental idea and selling point of NFC technology. Although it does require an additional active input to enable the function it is still very quick, easy and convenient.

A flow diagram is shown in the figure below:

[[File:Process1.PNG]]

== Conclusion ==

The application was successfully implemented with all the designed features. It was then able to be tested with NFC Tags. The overall conclusion is that this idea is feasible although there is a slight delay in the NFC being toggled on/off. Furthermore, the shaking motion is quite generic so this method will only be able to prevent some forms of unwarranted scanning. Where the original idea was to make this shake any form of custom motion, the next logical step would be to implement this and further build on the application. This next step should be able to have a “capture mode” where for a short period of time, records and stores a personalised motion through manipulation of the accelerometer. This can then replace the shake detector module; so if the phone is unlocked, the proximity sensor if not obstructed and the personalised motion is recreated, the phones NFC capabilities will be enabled for a short period of time.

Though the application is not the main purpose or goal of this research, it is just a simple and easy method to practically demonstrate and test the feasibility of the idea. If it is determined this method is feasible and practical, phone developers may consider incorporating this additional security measure into their phones; this could be achieved much more easily without all the limitations encountered as an amateur application developer. Furthermore, it wouldn’t be in the form of an application, it would have to be implemented into the phones operating system and always running as a background operation.Although the protocol has been proposed for the use with NFC Tags, if technology is further developed, the same concept should be able to be utilised in all modes of NFC communication (active-active, active-passive, etc).

== Future Works ==

As the NFC scanning process has been broken down, it is evident another aspect of security in the NFC process which has yet to be considered is security from the back end. This is at the final stages of the process where the user has intentionally communicated with another device where the stored information has passed all checks for authenticity and integrity. Some ideas which can be further research would be along the lines of some network based security solutions. This may entail checking the software against a known blacklist/whitelist etc. Another alternative can be the use of an antivirus; this could potentially extend to an online antivirus of some sort as the device may be limited in size. Furthermore, a sandbox environment could also be utilised where the program is executed in an environment which is isolated and not able to interact with other elements of the system.

These are just some aspects of NFC security that can be further investigated. Overall, the future of NFC is promising; it is a quick, easy and convenient method of wireless communication with much potential. However, further research and development is required to strengthen and improve its security before it is utilised more widely in a commercial sense.

----

Petko Stefanov:
An analysis of security flaws in the NFC functionality of modern mobile devices

This project aims to investigate into the prevention of network infection by securing them from a local mobile device level. Specifically, the aim is to investigate the Near Field Communication protocol used in modern mobile devices (with minor insight into similar utilizations in Bluetooth and Wi-fi) which can be exploited to transmit malware from device to device or device to associated network. The investigation covers an analysis on NFC as a protocol and what security risks are associated with it, ways to utilise NFC devices or NFC compatible objects to transmit malware, past cases of such attacks and past attempts to solve such attacks from happening. From the investigation, the desired outcome is to design a countermeasure against whatever exploits that are identified.

----

Olga Rodionova:
Medical Data Security in wearable fitness devices

In the recent years, wearable fitness devices have been blurring the line between medical and personal Internet
of Things (IoT) devices. This project aims to explore security aspects of data storage on fitness devices by
building on existing research into smart band networks and data collection. The integration of wearable fitness
devices into the medical industry will be considered and possible avenues for obtaining unauthorised access to
private medical information will be outlined.

----

== References ==

[1] M. Mareli, S. Rimer, B. S. Paul, K. Ouahada, and A. Pitsillides, "Experimental evaluation of NFC reliability between an RFID tag and a smartphone," in AFRICON, 2013, 2013, pp. 1-5.

[2] M. Roland, Security Issues in Mobile NFC Devices: Springer International Publishing, ISBN 978-3-319-15487-9, 2015.

[3] M. R. (2014, 2 April 2016). Taking “being connected” to the next level: Man implants NFC chip into his hand. Available: http://www.phonearena.com/news/Taking-being-connected-to-the-next-level-Man-implants-NFC-chip-into-his-hand_id62057

File:NFC Chip.jpg

2016-10-20T13:30:45Z

A1645999:

Projects:2016s1-160c Cyber Security - Personal Networks and Devices

2016-10-20T13:29:09Z

A1645999:

Group Members: Michael Hua, Olga Rodionova, Petko Stefanov

== NFC Security ==

Michael Hua

----

== Introduction ==

Near Field Communication (NFC) is a form of wireless communication over a very short range in the order of centimeters [1]. NFC technology differentiates from other forms of wireless communication with its speed and efficiency. The communication between two devices is able to occur in just seconds with minimal overhead setup costs that is associated with Bluetooth and QR Codes. Communication can happen in various modes: Active – Active, Active – Passive, Passive – Active; where active devices have their own power supply and passive devices are powered from active devices via induction [1, 2]. An example of an active device may be a smart phone and a passive device may be an NFC Tag. NFC tags are a common technology where a tag is able to store data (a simple message or data structure) and is able to be read by an NFC capable device, such as a smart phone [1].

== The Security Issue ==

In a society where technology is advancing at an astonishing rate, technology such as NFC seems very promising. NFC technology markets itself as quick and easy, however, the compromise or trade off would be security [1]. NFC is able to enhance the quality of our current technology and opens up more possibilities. Thus the motivation behind this research project is to strengthen NFC security in attempt to promote further development and utilisation of NFC-Tag based applications and NFC based technology.

Because the NFC scanning process is so quick and easy, there are major security issues involving confidentiality, authentication, integrity and access/availability. Upon further investigation, there are have been multiple studies and analyses which delve into this issue further. However, by breaking down the entire end-to-end NFC scanning process, it is evident the current investigations and research targets the middle stages of the process, mainly considering the stored data itself.

A recent security exploit in NFC revealed that a hacker was able to implant an NFC-capable chip in his hand and able to exploit members of the public by infecting their device with malware [3]. Although, the malware is quite simplistic and limited with numerous drawbacks, the fact that these devices could be easy compromised is an issue of concern [3].

A breakdown of the NFC scanning process into four steps:

1. Scanning of the NFC capable devices (devices or tags);

2. Notification;

3. Authentication, encryption and integrity check;

4. Network and content integrity.

== Proposed Solution ==

To directly combat this issue, a solution has been proposed making the first step of the NFC scanning process more deliberate by incorporating numerous conditions. If and only if these conditions are met, will the NFC scanning process be allowed to proceed. Previously, if an unlocked NFC device and NFC tag were brought into very close proximity of each other, the device would successfully scan without permission from the user; this was the fundamental problem with the security breach where the hacker implanted a chip into his hand.

The underlying principle behind the proposed solution is to make the process of NFC require active input but still remain as quick and as convenient as it were before. Basically, the NFC capabilities will indefinitely remain disabled until certain conditions are met. Once these conditions are met, the NFC capabilities will be enables for a short period of time where the user is then able to scan and utilise the NFC functions. After this brief period, the NFC capabilities will then again be disabled indefinitely.

To test the feasibility and demonstrate this, a simple android application was developed. The application disables the phones NFC capabilities and only enables it only for a short period of time if the proximity sensor is not obstructed and the phone detects a shaking motion.

As the reputation and major selling point of NFC technology is that is quick, easy and convenient, the conditions to enable NFC communication must align with this very idea. The conditions required deliberate human action but must remain quick and convenient because if it becomes too complex, there would be nothing deterring developers and users towards Bluetooth or QR Code technology – other forms of short range wireless communication.

The first condition which must be met is proximity. Under normal circumstances when a user decides to scan another device or an NFC Tag, the proximity sensor is unobstructed – it is counter intuitive and very unlikely a user will purposely scan their device with the proximity sensor obstructed. The idea behind this condition is to prevent a device being unknowingly scanned by a hacker if it is faced down, in the user’s pocket or bag, etc. This is just one of the two conditions proposed in attempt to improve the security of NFC technology.

The other condition which must be met is a deliberate action. This deliberate action takes advantage of the phones accelerometer. This is a personalised action set by the user and could be a swish, a shake or any personalised action which can be recreated by the user. This deliberate action condition in most cases completely removes the possibility accidental and unwarranted scanning of devices. Furthermore, it idea of a simple physical action as one of the conditions to enable NFC capabilities still align with the fundamental idea and selling point of NFC technology. Although it does require an additional active input to enable the function it is still very quick, easy and convenient.

A flow diagram is shown in the figure below:

[[File:Process1.PNG]]

== Conclusion ==

The application was successfully implemented with all the designed features. It was then able to be tested with NFC Tags. The overall conclusion is that this idea is feasible although there is a slight delay in the NFC being toggled on/off. Furthermore, the shaking motion is quite generic so this method will only be able to prevent some forms of unwarranted scanning. Where the original idea was to make this shake any form of custom motion, the next logical step would be to implement this and further build on the application. This next step should be able to have a “capture mode” where for a short period of time, records and stores a personalised motion through manipulation of the accelerometer. This can then replace the shake detector module; so if the phone is unlocked, the proximity sensor if not obstructed and the personalised motion is recreated, the phones NFC capabilities will be enabled for a short period of time.

Though the application is not the main purpose or goal of this research, it is just a simple and easy method to practically demonstrate and test the feasibility of the idea. If it is determined this method is feasible and practical, phone developers may consider incorporating this additional security measure into their phones; this could be achieved much more easily without all the limitations encountered as an amateur application developer. Furthermore, it wouldn’t be in the form of an application, it would have to be implemented into the phones operating system and always running as a background operation.Although the protocol has been proposed for the use with NFC Tags, if technology is further developed, the same concept should be able to be utilised in all modes of NFC communication (active-active, active-passive, etc).

== Future Works ==

As the NFC scanning process has been broken down, it is evident another aspect of security in the NFC process which has yet to be considered is security from the back end. This is at the final stages of the process where the user has intentionally communicated with another device where the stored information has passed all checks for authenticity and integrity. Some ideas which can be further research would be along the lines of some network based security solutions. This may entail checking the software against a known blacklist/whitelist etc. Another alternative can be the use of an antivirus; this could potentially extend to an online antivirus of some sort as the device may be limited in size. Furthermore, a sandbox environment could also be utilised where the program is executed in an environment which is isolated and not able to interact with other elements of the system.

These are just some aspects of NFC security that can be further investigated. Overall, the future of NFC is promising; it is a quick, easy and convenient method of wireless communication with much potential. However, further research and development is required to strengthen and improve its security before it is utilised more widely in a commercial sense.

----

Petko Stefanov:
An analysis of security flaws in the NFC functionality of modern mobile devices

This project aims to investigate into the prevention of network infection by securing them from a local mobile device level. Specifically, the aim is to investigate the Near Field Communication protocol used in modern mobile devices (with minor insight into similar utilizations in Bluetooth and Wi-fi) which can be exploited to transmit malware from device to device or device to associated network. The investigation covers an analysis on NFC as a protocol and what security risks are associated with it, ways to utilise NFC devices or NFC compatible objects to transmit malware, past cases of such attacks and past attempts to solve such attacks from happening. From the investigation, the desired outcome is to design a countermeasure against whatever exploits that are identified.

----

Olga Rodionova:
Medical Data Security in wearable fitness devices

In the recent years, wearable fitness devices have been blurring the line between medical and personal Internet
of Things (IoT) devices. This project aims to explore security aspects of data storage on fitness devices by
building on existing research into smart band networks and data collection. The integration of wearable fitness
devices into the medical industry will be considered and possible avenues for obtaining unauthorised access to
private medical information will be outlined.

----

== References ==

[1] M. Mareli, S. Rimer, B. S. Paul, K. Ouahada, and A. Pitsillides, "Experimental evaluation of NFC reliability between an RFID tag and a smartphone," in AFRICON, 2013, 2013, pp. 1-5.

[2] M. Roland, Security Issues in Mobile NFC Devices: Springer International Publishing, ISBN 978-3-319-15487-9, 2015.

[3] M. R. (2014, 2 April 2016). Taking “being connected” to the next level: Man implants NFC chip into his hand. Available: http://www.phonearena.com/news/Taking-being-connected-to-the-next-level-Man-implants-NFC-chip-into-his-hand_id62057

Projects:2016s1-160c Cyber Security - Personal Networks and Devices

2016-10-20T13:28:44Z

A1645999:

Group Members: Michael Hua, Olga Rodionova, Petko Stefanov

== NFC Security ==

Michael Hua

----

== Introduction ==

Near Field Communication (NFC) is a form of wireless communication over a very short range in the order of centimeters [1]. NFC technology differentiates from other forms of wireless communication with its speed and efficiency. The communication between two devices is able to occur in just seconds with minimal overhead setup costs that is associated with Bluetooth and QR Codes. Communication can happen in various modes: Active – Active, Active – Passive, Passive – Active; where active devices have their own power supply and passive devices are powered from active devices via induction [1, 2]. An example of an active device may be a smart phone and a passive device may be an NFC Tag. NFC tags are a common technology where a tag is able to store data (a simple message or data structure) and is able to be read by an NFC capable device, such as a smart phone [1].

== The Security Issue ==

In a society where technology is advancing at an astonishing rate, technology such as NFC seems very promising. NFC technology markets itself as quick and easy, however, the compromise or trade off would be security [1]. NFC is able to enhance the quality of our current technology and opens up more possibilities. Thus the motivation behind this research project is to strengthen NFC security in attempt to promote further development and utilisation of NFC-Tag based applications and NFC based technology.

Because the NFC scanning process is so quick and easy, there are major security issues involving confidentiality, authentication, integrity and access/availability. Upon further investigation, there are have been multiple studies and analyses which delve into this issue further. However, by breaking down the entire end-to-end NFC scanning process, it is evident the current investigations and research targets the middle stages of the process, mainly considering the stored data itself.

A recent security exploit in NFC revealed that a hacker was able to implant an NFC-capable chip in his hand and able to exploit members of the public by infecting their device with malware [3]. Although, the malware is quite simplistic and limited with numerous drawbacks, the fact that these devices could be easy compromised is an issue of concern [3].

A breakdown of the NFC scanning process into four steps:

1. Scanning of the NFC capable devices (devices or tags);

2. Notification;

3. Authentication, encryption and integrity check;

4. Network and content integrity.

== Proposed Solution ==

To directly combat this issue, a solution has been proposed making the first step of the NFC scanning process more deliberate by incorporating numerous conditions. If and only if these conditions are met, will the NFC scanning process be allowed to proceed. Previously, if an unlocked NFC device and NFC tag were brought into very close proximity of each other, the device would successfully scan without permission from the user; this was the fundamental problem with the security breach where the hacker implanted a chip into his hand.

The underlying principle behind the proposed solution is to make the process of NFC require active input but still remain as quick and as convenient as it were before. Basically, the NFC capabilities will indefinitely remain disabled until certain conditions are met. Once these conditions are met, the NFC capabilities will be enables for a short period of time where the user is then able to scan and utilise the NFC functions. After this brief period, the NFC capabilities will then again be disabled indefinitely.

To test the feasibility and demonstrate this, a simple android application was developed. The application disables the phones NFC capabilities and only enables it only for a short period of time if the proximity sensor is not obstructed and the phone detects a shaking motion.

As the reputation and major selling point of NFC technology is that is quick, easy and convenient, the conditions to enable NFC communication must align with this very idea. The conditions required deliberate human action but must remain quick and convenient because if it becomes too complex, there would be nothing deterring developers and users towards Bluetooth or QR Code technology – other forms of short range wireless communication.

The first condition which must be met is proximity. Under normal circumstances when a user decides to scan another device or an NFC Tag, the proximity sensor is unobstructed – it is counter intuitive and very unlikely a user will purposely scan their device with the proximity sensor obstructed. The idea behind this condition is to prevent a device being unknowingly scanned by a hacker if it is faced down, in the user’s pocket or bag, etc. This is just one of the two conditions proposed in attempt to improve the security of NFC technology.

The other condition which must be met is a deliberate action. This deliberate action takes advantage of the phones accelerometer. This is a personalised action set by the user and could be a swish, a shake or any personalised action which can be recreated by the user. This deliberate action condition in most cases completely removes the possibility accidental and unwarranted scanning of devices. Furthermore, it idea of a simple physical action as one of the conditions to enable NFC capabilities still align with the fundamental idea and selling point of NFC technology. Although it does require an additional active input to enable the function it is still very quick, easy and convenient.

A flow diagram is shown in the figure below:

[[File:Process1.PNG]]

== Conclusion ==

The application was successfully implemented with all the designed features. It was then able to be tested with NFC Tags. The overall conclusion is that this idea is feasible although there is a slight delay in the NFC being toggled on/off. Furthermore, the shaking motion is quite generic so this method will only be able to prevent some forms of unwarranted scanning. Where the original idea was to make this shake any form of custom motion, the next logical step would be to implement this and further build on the application. This next step should be able to have a “capture mode” where for a short period of time, records and stores a personalised motion through manipulation of the accelerometer. This can then replace the shake detector module; so if the phone is unlocked, the proximity sensor if not obstructed and the personalised motion is recreated, the phones NFC capabilities will be enabled for a short period of time.

Though the application is not the main purpose or goal of this research, it is just a simple and easy method to practically demonstrate and test the feasibility of the idea. If it is determined this method is feasible and practical, phone developers may consider incorporating this additional security measure into their phones; this could be achieved much more easily without all the limitations encountered as an amateur application developer. Furthermore, it wouldn’t be in the form of an application, it would have to be implemented into the phones operating system and always running as a background operation.Although the protocol has been proposed for the use with NFC Tags, if technology is further developed, the same concept should be able to be utilised in all modes of NFC communication (active-active, active-passive, etc).

== Future Works ==

As the NFC scanning process has been broken down, it is evident another aspect of security in the NFC process which has yet to be considered is security from the back end. This is at the final stages of the process where the user has intentionally communicated with another device where the stored information has passed all checks for authenticity and integrity. Some ideas which can be further research would be along the lines of some network based security solutions. This may entail checking the software against a known blacklist/whitelist etc. Another alternative can be the use of an antivirus; this could potentially extend to an online antivirus of some sort as the device may be limited in size. Furthermore, a sandbox environment could also be utilised where the program is executed in an environment which is isolated and not able to interact with other elements of the system.

These are just some aspects of NFC security that can be further investigated. Overall, the future of NFC is promising; it is a quick, easy and convenient method of wireless communication with much potential. However, further research and development is required to strengthen and improve its security before it is utilised more widely in a commercial sense.

----

Petko Stefanov:
An analysis of security flaws in the NFC functionality of modern mobile devices

This project aims to investigate into the prevention of network infection by securing them from a local mobile device level. Specifically, the aim is to investigate the Near Field Communication protocol used in modern mobile devices (with minor insight into similar utilizations in Bluetooth and Wi-fi) which can be exploited to transmit malware from device to device or device to associated network. The investigation covers an analysis on NFC as a protocol and what security risks are associated with it, ways to utilise NFC devices or NFC compatible objects to transmit malware, past cases of such attacks and past attempts to solve such attacks from happening. From the investigation, the desired outcome is to design a countermeasure against whatever exploits that are identified.

----

Olga Rodionova:
Medical Data Security in wearable fitness devices

In the recent years, wearable fitness devices have been blurring the line between medical and personal Internet
of Things (IoT) devices. This project aims to explore security aspects of data storage on fitness devices by
building on existing research into smart band networks and data collection. The integration of wearable fitness
devices into the medical industry will be considered and possible avenues for obtaining unauthorised access to
private medical information will be outlined.

----

== References ==

[1] M. Mareli, S. Rimer, B. S. Paul, K. Ouahada, and A. Pitsillides, "Experimental evaluation of NFC reliability between an RFID tag and a smartphone," in AFRICON, 2013, 2013, pp. 1-5.

[2] M. Roland, Security Issues in Mobile NFC Devices: Springer International Publishing, ISBN 978-3-319-15487-9, 2015.

[3] M. R. (2014, 2 April 2016). Taking “being connected” to the next level: Man implants NFC chip into his hand. Available: http://www.phonearena.com/news/Taking-being-connected-to-the-next-level-Man-implants-NFC-chip-into-his-hand_id62057

Projects:2016s1-160c Cyber Security - Personal Networks and Devices

2016-10-20T13:28:09Z