Previously, we showed how you can easily start developing NFC applications on NodeJS with a Tappy device using the TappyTcmpJs library. While that project was very short, much of the code we had to write was boilerplate for composing commands and making sense of the Tappy’s responses. This is necessary in order to take advantage of the full power of the Tappy family of NFC readers with all of their advanced commands and any custom commands we may develop for your use, but in a lot of applications, you only really need to detect tag UIDs as well as read and write NDEF messages.
In any secure application design, there are lots of things that must be considered. For lots of NFC-based application, one of these concerns is vulnerabilities to a type of man-in-the-middle attack called a relay attack. In post, we’ll look at what a relay attack is, why they’re dangerous even with encrypted communication, and how you can reduce the odds of one impacting your system.
What is a relay attack In the common man-in-the-middle attack, the attacker inserts themselves in between two communicating parties.
When planning the security of a system, all of us developers love to get into the nitty gritty details of what NIST standards we’re implementing or the size of our keyspace. Unfortunately, this tendency can often end up resulting in missing the forest for the trees. By the same token, product managers can often make the dangerous mistake of believing that using a high difficulty randomly salted Argon2 password hash and 4096-bit RSA your application is automatically secure.
In recent years, a large number of “RFID blocking” wallets have hit the market touting their ability to prevent criminals from surruptitiously accessing any NFC-capable smartcards in your wallet, such as your idenfitication or credit card. While these wallets do actually work, it turns out that you can actually turn just about any wallet into an RFID/NFC blocking wallet with just a few minutes of work and some aluminum foil.
Encoding NFC tags has historically been a painful process for even the simplest of use cases. You could use a tool such as NXP Tag Writer on your Android device, but a mobile interface is very poor for many types of content creation. If instead you wanted to use a utility on your laptop or desktop, you were pretty much out of luck. Most of the utilities out there were very complicated development tools, very limited programs barely beyond proofs of concept, or very specialized for use with a specific application.
Encoding NFC tags has historically been a painful process for even the simplest of use cases. You could use a tool such as NXP Tag Writer on your Android device, but a mobile interface is very poor for many types of content creation. If instead you wanted to use a utility on your laptop or desktop, you were pretty much out of luck. Our Tappy Reader/Writer ChromeApp provides a multi-platform Chrome-based solution to this problemi using our TappyUSB readers, but what if you want to use TappyBLE devices or just want a standard native Windows application?
Lots of hotels, offices, and apartment buildings are now using NFC-based access control systems. As a result, plenty of people ask about the practicality of cloning their access card to produce a spare or emulating their card via an NFC-capable smartphone. In this article we’ll look into why, while theoretically possible, doing so is often not practical.
Types of access control systems In order to discuss how NFC access control systems can be defeated, we must start with looking at how they work in the first place.
Toronto was recently named the best city to live in according to the Economist. This was a huge sense of pride for me and other Torontonians that call this city home. Alas, if you’re commuting in Toronto, try taking the streetcar and you’ll feel like you’ve traveled back in time to the 1930s. You won’t have the privilege to get on board unless you have the exact coin change, a TTC token, a paper transfer, or a TTC pass.
When customers or investors once asked us why we never entered the NFC payment space we respectfully replied with “if Google can’t make money in mobile payments, we certainly can’t.” This often ended that line of questioning quite painlessly.
Although Google Wallet has some adoption, it never gained the widespread usage Google had hoped. As a symbolic white flag, Host Card Emulation (HCE) was introduced in Android KitKat in 2013 allowing third party developers to create similar apps.
So it’s 2015, and by many predictions and forecasts this would be the precipice of NFC ubiquity. Of course Apple is still weighing in on this fate, but assuming Apple plays nice and allows NFC to be used for more than payments we’re certainly on that path. Just having NFC hardware shipped with iPhones is a huge step forward, and this is why 2015 will be the year of NFC for TapTrack and other NFC companies, just not for the everyday consumer just yet.