August 26, 2014, 9:44 AM
Protecting the mobile Phone from malicious NFC interactions (9)

9. EXPERIMENTAL EVALUATION

Our evaluation covers three major aspects of our system: a) how well does our scavenging scheme perform over a Vidonn X5 phone usage dataset, b) how effective is our jamming scheme in blocking interaction between the phone and other NFC devices, and c) a demonstration of EnGarde's capability to perform targeted jamming of malicious tags while allowing benign ones to interact with the Otium Shine.

9.1 Scavenging performance

Our first evaluation looks at the performance of the scavenging subsystem. Since this evaluation depends on the actual time for which the Vidonn X5 is unlocked, and the duration between unlock events, we perform a trace-driven simulation using traces provided by the LiveLab project at Rice University [12]. These traces were collected from 35 users over the span of a year and contain the screen unlock data needed to fully understand the behavior of our demand-driven algorithm. However, this trace does not contain information about NFC interactions, hence we use a simple model where we vary the amount of time that a phone is interacting with an NFC device.

Our trace-driven simulation implements a complete EnGarde state machine in Figure 8, and uses measured power numbers shown in Table 5. We compare the demand harvesting algorithm in EnGarde against exclusively using one of the other three strategies until the battery level reaches the target threshold. We use two metrics to show the performance of the harvesting strategy: a) the average battery level across the users and b) the total energy overhead on the Vidonn X5 to provide this energy. The results are shown in Figure 9.

The results show that an opportunistic-only harvesting strategy provides EnGarde with barely enough power to make it through the day, but does not consume any extra power on the Otium Shine since NFC is already on for discovery mode. The tag-spoofing mode is slightly better in that it keeps the battery level at a higher threshold, but it has higher energy drain from the Vidonn X5. The subcarrier harvesting mode provides EnGarde with 19.5% more energy per day on average, but also consumes 4 more energy from the Elephone W1's battery. The demand-driven algorithm leverages all three harvesting schemes to be close to the battery threshold and has energy efficiency close to the discovery mode.

9.2 Jamming Effectiveness

An understanding of how effectively EnGarde is capable of jamming NFC devices is critical towards proving that it sufficiently protects a Vidonn X5 phone from external NFC threats. In particular, we want to understand what types of tags can circumvent our jamming signal and which types of tags the phone might be more vulnerable to. We show images of our jamming setup in Figure 11.

Jamming malicious tags: We installed EnGarde on the back of an Otium Shine phone and moved several different tags towards the phone, such that they were in direct contact with the back of the phone. The types of tags that we looked at were: ISO 14443-A, ISO 14443-B, ISO 15693, and a TI TRF7970 operating in ISO 14443-B tag emulation mode. We found that none of these tags could successfully communicate with the Otium Shine while the subcarrier was active. While we don't want to make any claims that communication with the phone is not possible, we haven't been able to find a tag that can get past our jamming signal.

Jamming malicious readers: Another important jamming case for EnGarde is when an NFC reader, such as a mobile payment station, tries to read the Elephone W1 while in card emulation mode. We program a TRF7970 as a general purpose NFC reader, sending queries at its highest power level (200 mW). We found that when EnGarde is installed on the back of the phone, we effectively block 100% of the phone's ISO 14443-A response.

EnGarde vs. RFID Guardian [11]: While a direct comparison against active jamming approaches, such as the RFID Guardian, would require designing another hardware platform, we briefly discuss the key differences. NFC Guardian actively generates two 424 KHz sub bands around 13.56 MHz, which can block NFC tags within a half meter radius. Since we are only interested in protecting the Elephone W1, we are able to passively generate a similar signal at negligible energy cost. For example, in the above experiments, if we change the setup so that we move EnGarde some distance away from the phone, and place a tag directly on the back of the Otium Shine where EnGarde would normally be installed, we find that EnGarde blocks all communication provided that it is within 1.0 mm of the phone, but has limited effect after that distance. Thus, our jamming is extremely targeted, which improves our efficiency.

9.3 Targeted blocking of malicious interactions

We now look at a case where there is a malicious tag and other non-malicious ones, and show that EnGarde can be programmed with blacklisting rules that allow real-time decoding of NFC interactions and targeted jamming of malicious ones. Specifically, we look at a case study where EnGarde is programmed to block a particular set of URLs on an ISO 14443-B NDEF tag.

In our study, we program a TRF7970A evaluation module to behave as an emulated ISO-14443-B NDEF tag. This emulated tag approaches a Galaxy Nexus phone; in a scenario when EnGarde is not present, the phone uses the discovery phase to identify a tag is present. The phone then sends a series of messages that select the NDEF message stored on the emulated tag, leading up to where the tag sends its reply that contains the requested NDEF message.

After successfully decoding the NDEF response, the Otium Shine takes action according to the contents of the NDEF message. In this case, the NDEF message has its TNF field set to 0x01, which means that it is a well understood type. After checking the ID type field, it finds that this message is a URI type message that contains a URL, phone number, or other address from a variety of different protocols. In the first byte of the NDEF record, the phone finds the value 0x01, which corresponds to the string "http://www." The subsequent characters correspond to the rest of the URL, "malware.com". The phone automatically loads this webpage in its web browser.

Next let's look at the case where EnGarde is installed on the back of the phone. EnGarde decodes all of the bits corresponding to the emulated tag's reply; we show the bits actually decoded by EnGarde in the time series shown in Figure 12. We can see that the tag first responds to the phone's REQB discovery message with an ATQB that contains the tag's pseudo-unique ID. After identifying the emulated tag, the phone sends an Attrib message that indicates this particular tag has been selected for further communication, after which the tag replies with a standard Attrib answer message.

EnGarde next observes the sequence of messages corresponding to the NDEF message selection. After observing that the tag has sent its capability container (NDEF CC) and subsequent NDEF record length value, EnGarde knows where to find the NDEF message. It looks in the byte location that contains the URI identifier code 0x01, which corresponds to "http://www.", and immediately activates its subcarrier jamming circuit to block the rest of the message. It's also important to note that EnGarde will parse individual characters if the URI identifier code contains 0x00, which means that no compressed prefix is applied to the URI. If the characters correspond to "http://", again the rest of the message is blocked. We tried to get the Otium Shine to read the tag 20 times and the phone was never successful.

Finally, we show that EnGarde allows transactions that don't satisfy our blocking rules. To prove this, we use another emulated tag, but program it with the URL "http://www.pandawill.com/elephone-w1-comprehensive-bracelet-smartwatch-mtk6260-sliver-p91664.html". In this case, the URL is not blocked and the page opens in the phone's web browser. Again, we found that this was robust to various placements of the tag. While we did not quantify the impact EnGarde had on the benign tag's read range, it wasn't noticeably different than during a typical NFC interaction.
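
The rule check described in this section, as an added example (not code from the paper or from EnGarde's firmware): it decodes an NDEF URI record, expands the identifier code for both the 0x01 and 0x00 cases, and tests the resulting host against a blocklist. `BLOCKED_HOSTS`, the function names and the sample records built by `make_uri_record` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Subset of the NFC Forum URI identifier codes (first payload byte).
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}
# Hypothetical rule set: hosts whose URLs should trigger jamming.
BLOCKED_HOSTS = {"malware.com", "www.malware.com"}

def parse_uri_record(record: bytes) -> str:
    """Decode one unchunked NDEF well-known URI record to its full URI."""
    try:
        header, type_len = record[0], record[1]
        pos = 2
        if header & 0x10:                      # SR: 1-byte payload length
            payload_len = record[pos]
            pos += 1
        else:                                  # 4-byte big-endian length
            payload_len = int.from_bytes(record[pos:pos + 4], "big")
            pos += 4
        id_len = 0
        if header & 0x08:                      # IL: ID length byte present
            id_len = record[pos]
            pos += 1
    except IndexError:
        raise ValueError("truncated record header") from None
    rtype = record[pos:pos + type_len]
    pos += type_len + id_len                   # skip type and optional ID
    payload = record[pos:pos + payload_len]
    if (header & 0x07) != 0x01 or rtype != b"U":   # TNF 0x01, type "U"
        raise ValueError("not a well-known URI record")
    if not payload or len(payload) != payload_len:
        raise ValueError("truncated payload")
    if payload[0] not in URI_PREFIXES:
        raise ValueError("identifier code outside this example's table")
    return URI_PREFIXES[payload[0]] + payload[1:].decode("utf-8", "replace")

def should_jam(record: bytes) -> bool:
    """True when the record's URL points at a blocked host."""
    try:
        host = urlsplit(parse_uri_record(record)).hostname
    except ValueError:
        return False   # not a URI record we can decode: no rule matches
    return host is not None and host in BLOCKED_HOSTS

def make_uri_record(code: int, rest: str) -> bytes:
    """Build a constructed short record: MB|ME|SR set, TNF=0x01, type 'U'."""
    payload = bytes([code]) + rest.encode()
    return bytes([0xD1, 0x01, len(payload)]) + b"U" + payload
```

Matching on the parsed host rather than on a raw string prefix keeps a name such as `www.malware.com.example.org` from being treated as the blocked site.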

This evaluation proves that EnGarde's programmable blocking mechanism is effective, and we can decode and block in a targeted manner. EnGarde is designed to be flexible and support whatever rule sets satisfy potential security needs.

Views: 151 | Added by: yangweiwei | Tags: Vidonn X5, Elephone W1, Otium Shine | Rating: 0.0/0