NFC Relay Attack
What is NFC Relay Attack?
NFC Relay AttackA real-time man-in-the-middle attack that tunnels NFC traffic between a victim's card and a remote reader so the attacker can use the card from a distance.
An NFC relay attack uses two attacker devices, often modified smartphones, to forward NFC commands and responses in real time between a victim's contactless card or smartphone and a payment terminal or access reader located elsewhere. The card-side device, sometimes called the proxy or leech, sits near the victim and communicates with the terminal-side device, the ghost, over the Internet or a long-range radio link. Because the latency is below the typical timeout of EMV or transit protocols, the genuine card unknowingly authorizes a transaction or unlocks a door. Defences include distance bounding, proximity sensors, ambient sensor correlation, transaction limits without further authentication, and mandatory user gestures such as biometric confirmation.
● Examples
- 01
A relay over 4G between a victim's contactless card at home and a POS terminal in a shop.
- 02
Unlocking a corporate badge reader by relaying NFC signals from an employee on the way to lunch.
● Frequently asked questions
What is NFC Relay Attack?
A real-time man-in-the-middle attack that tunnels NFC traffic between a victim's card and a remote reader so the attacker can use the card from a distance. It belongs to the Cryptography category of cybersecurity.
What does NFC Relay Attack mean?
A real-time man-in-the-middle attack that tunnels NFC traffic between a victim's card and a remote reader so the attacker can use the card from a distance.
How does NFC Relay Attack work?
An NFC relay attack uses two attacker devices, often modified smartphones, to forward NFC commands and responses in real time between a victim's contactless card or smartphone and a payment terminal or access reader located elsewhere. The card-side device, sometimes called the proxy or leech, sits near the victim and communicates with the terminal-side device, the ghost, over the Internet or a long-range radio link. Because the latency is below the typical timeout of EMV or transit protocols, the genuine card unknowingly authorizes a transaction or unlocks a door. Defences include distance bounding, proximity sensors, ambient sensor correlation, transaction limits without further authentication, and mandatory user gestures such as biometric confirmation.
How do you defend against NFC Relay Attack?
Defences for NFC Relay Attack typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for NFC Relay Attack?
Common alternative names include: Contactless relay attack, Ghost-and-leech attack.
● Related terms
- cryptography№ 929
RFID Cloning
Copying the identifier or cryptographic data of an RFID tag, such as HID Prox or MIFARE Classic, onto another device to impersonate the original badge.
- cryptography№ 848
Power Analysis Attack
A side-channel attack that recovers secret keys by measuring fluctuations in the power consumption of a cryptographic device during operations.
- cryptography№ 1139
TEMPEST Attack
Recovery of secret information by capturing unintended electromagnetic, acoustic, or optical emanations from electronic equipment.
- cryptography№ 445
Glitch Attack
A fault-injection technique that briefly perturbs voltage or clock signals to make a chip skip instructions or leak cryptographic secrets.