Publication


Featured research published by Lishoy Francis.


International Conference for Internet Technology and Secured Transactions | 2009

Potential misuse of NFC enabled mobile phones with embedded security elements as contactless attack platforms

Lishoy Francis; Gerhard P. Hancke; Keith Mayes; Konstantinos Markantonakis

In this paper we investigate the possibility that a Near Field Communication (NFC) enabled mobile phone, with an embedded Secure Element (SE), could be used as a mobile token cloning and skimming platform. We show how an attacker could use an NFC mobile phone as such an attack platform by exploiting the existing security controls of the embedded SE and the available contactless APIs. To illustrate the feasibility of these actions we also show how to practically skim and emulate certain tokens typically used in payment and access control applications with an NFC mobile phone. Although such attacks can also be implemented on other contactless platforms, such as custom-built card emulators and modified readers, the NFC-enabled mobile phone has a legitimate form factor, which would be accepted by merchants and arouse less suspicion in public. Finally, we propose several security countermeasures for NFC phones that could prevent such misuse.


International Journal of Internet Technology and Secured Transactions | 2010

On the security issues of NFC enabled mobile phones

Lishoy Francis; Gerhard P. Hancke; Keith Mayes; Konstantinos Markantonakis

In this paper, we investigate the possibility that a Near Field Communication (NFC) enabled mobile phone, with an embedded secure element (SE), could be used as a mobile token cloning and skimming platform. We show how an attacker could use an NFC mobile phone as such an attack platform by exploiting the existing security controls of the embedded SE and the available contactless APIs. To illustrate the feasibility of these actions, we also show how to practically skim and emulate certain tokens typically used in payment and access control applications with an NFC mobile phone. We also discuss how to capture and analyse legitimate transaction information from contactless systems. Although such attacks can also be implemented on other contactless platforms, such as custom-built card emulators and modified readers, the NFC enabled mobile phone has a legitimate form factor, which would be accepted by merchants and arouse less suspicion in public. Finally, we propose several security countermeasures for NFC phones that could prevent such misuse.


International Conference on Telecommunications | 2010

A Security Framework Model with Communication Protocol Translator Interface for Enhancing NFC Transactions

Lishoy Francis; Gerhard P. Hancke; Keith Mayes; Konstantinos Markantonakis

With the recent technological advances of Near Field Communication (NFC) enabled mobile phones it is now possible to introduce additional transactions of value, including those originating from contact-based security tokens within the existing infrastructure. We propose a low cost security framework including a PKI based security protocol, which can be used to integrate transactions involving external contact-based smart cards, for the purposes of e-identification, e-payment, e-ticketing, and communication services. We then designed and implemented a secure Communications Protocol Translator Interface (CPTI), which allows an NFC enabled mobile phone to access and use, over a contactless interface, any additional smart cards (or secure elements (SE)) which are externally available on a contact based interface and vice-versa. By using CPTI, it is now possible to have communication and interaction between passive security tokens as well as to use external contact based security tokens in the NFC environment, such as a contact based payment smart card.


International Conference on Hybrid Information Technology | 2008

An Architecture to Support Multiple Subscriber Identity Applications Accessing Multiple Mobile Telecommunication Access Network Systems

Lishoy Francis; Keith Mayes; Konstantinos Markantonakis

With the advances in smart card technology it is quite possible to support more than one type of subscriber identity applications on the same smart card. We propose an architecture capable of hosting multi faceted subscriber identity applications which exploits common functions and data in a secure partitioned manner. The associated security mechanisms are also defined in order to realise its implementation on a single smart card. Our proposed architecture provides a harmonised secure authentication environment. The architecture is extensible to platforms on mobile devices and secure tokens operating across diverse access interfaces. Furthermore, we propose a set of protocols for secure communications between terminal, control module and hosted subscriber identity applications.


Ubiquitous Intelligence and Computing | 2013

Enhancing the Security of Mobile Applications by Using TEE and (U)SIM

Zaheer Ahmad; Lishoy Francis; Tansir Ahmed; Christopher Lobodzinski; Dev Pramil Audsin; Peng Jiang

Mobile phone platforms are increasingly becoming vulnerable to security attacks and are untrusted to host security sensitive applications, content, and services. Open source mobile ecosystems such as Android allow increased flexibility for developing and deploying applications. However, there are industry-led initiatives to increase the security of mobile phone platforms by using virtualisation and hardware abstraction techniques. In this paper, we explore the potential of the recently introduced Trusted Execution Environment (TEE) ecosystem for mobile phones in order to complement the security-proven (U)SIM based security functions. We present a security architecture and a novel mobile payment and multimedia content playback solution leveraging on the existing post-paid billing method. We integrate TEE with (U)SIM based security techniques to provide enhanced security for user authentication, content purchase, protected storage and secure content viewing.


Secure Smart Embedded Devices, Platforms and Applications | 2014

A Practical Example of Mobile Phone Application Using SATSA (JSR 177) API

Lishoy Francis

SIM as a security token is increasingly being used to secure mobile phone applications. Sensitive information such as PIN, security keys, etc., is stored on the SIM card. To utilise the SIM functionalities, it is imperative that mobile phone applications interact with applets available on the SIM. The security features for mobile applications operating within the J2ME ecosystem are provisioned by SATSA API Framework. It allows support for cryptography, digital signatures, user credential management, communication with a smart card, and remote method invocation. The SATSA APDU Communication API provides support for mobile phone applications to interact with Java Card applets residing on a smart card, over the ISO7816 interface. This chapter provides a practical example of a mobile phone application implementing SATSA API. A MIDP 2.0 application or MIDlet that utilises the APDU package within SATSA API and a Java Card applet were developed. The MIDlet and applet were tested to work with each other on a PC-based development environment. The MIDlet was tested on Wireless Toolkit Emulator and the Java Card applet was tested on Java Card Platform Simulator. Freely available tools were used to create the above mentioned practical demonstrators.


Radio Frequency Identification Security and Privacy Issues | 2010

Practical NFC peer-to-peer relay attack using mobile phones

Lishoy Francis; Gerhard P. Hancke; Keith Mayes; Konstantinos Markantonakis


IACR Cryptology ePrint Archive | 2011

Practical Relay Attack on Contactless Transactions by Using NFC Mobile Phones.

Lishoy Francis; Gerhard P. Hancke; Keith Mayes; Konstantinos Markantonakis


Grid Computing | 2005

Countermeasures for attacks on satellite TV cards using open receivers

Lishoy Francis; William G. Sirett; Keith Mayes; Konstantinos Markantonakis


International Journal of RFID Security and Cryptography | 2013

A Practical Generic Relay Attack on Contactless Transactions by Using NFC Mobile Phones

Lishoy Francis; Gerhard P. Hancke; Keith Mayes

Collaboration


Dive into Lishoy Francis's collaboration.

Top Co-Authors

Gerhard P. Hancke

City University of Hong Kong
