Radio Frequency Identification from System to Applications

A relay attack is thoroughly transparent for current contactless systems and cryptographic protocols. A possible countermeasure is the distance bounding protocol, which can add an upper bound for the distance between the two communicating devices.

In this chapter, we will first assess the potential of relay attacks by implementing them, keeping in mind the concern of introducing a delay as low as possible. Indeed, this time remains the only detectable feature of such an attack, and the existing countermeasures rely on its accurate assessment.

The delay constraint guides us towards the development of three kinds of relay: a wired passive relay, a relay based on a wireless super-heterodyne system and a wireless relay with a complete demodulation of the signal. Our experimental results show that these cheap devices introduce really low delays, from 300 ns to 2 µs, jeopardizing the use of current distance bounding protocols. A more adapted solution will then be implemented and addressed in the second part of the document. It modifies the stage of the distance bounding protocol which uses the physical layer to carry out a delay assessment with a correlation in the reader between the received signal and the expected one. Finally, a security analysis will be performed and improvements will be discussed.

**2. Relay attacks**

#### **2.1. Related work**

The relay attack is based on the Grand Master Chess problem described by Conway in 1976. The latter shows how a person who does not know the rules of the game could win against one of two grand masters by challenging them both in the same play. The relay attack is just an extension of this problem applied to the security field. By relaying information between a reader and a card outside the reader field, an attacker can circumvent the authentication protocol. This attack needs two devices: a mole and a proxy. The mole pretends to be the true reader and exchanges data with the proxy, which pretends to be the true card.

The larger the distance between the different elements, the more efficient the relay. Typical maximum distances between the reader and the proxy, or between the mole and the card, are roughly 50 cm. The distance between the mole and the proxy is not limited; it just depends on the chosen technology [5].

By using a relay, an attacker can transmit requests and answers between an honest reader and an honest card separated by 50 metres [6]. Many communication channels can be used to link the mole and the proxy, like GSM, WIFI or Ethernet [8]. The delay introduced by such a relay is more than 15 µs. At the physical layer, this attack is the most dangerous for many reasons:

**•** The card is activated and transmits information when it is powered, without the agreement of the victim. Anyone can be a victim because the attacker just has to be close enough to control your card, like in a crowd.

#### **2.2. Presentation of relay attacks**

The delay in current relays is mainly due to the use of components such as microcontrollers or RFID chips. These components are used to reconstruct the decoded signals, so that the original signal becomes compatible with the other protocols, like WiFi or GSM, used in the wireless communication between the mole and the proxy. All this signal processing adds delay to the relay. It can be considerably lowered by using only analog components. Attack scenarios with wired relays must then be considered because they can induce very low delays. Moreover, this kind of relay is simple to realize, with a few cheap components. Even if they seem unlikely, they can be effective in a queue, for example, or if they are hidden in the environment.

#### *2.2.1. Passive wired relay*

Fig. 2 depicts a simple relay design which introduces a very low delay, close to one period of the 13.56 MHz carrier. This relay does not require an amplifier or other active components. The coaxial cable between the two antennas can be longer than 20 m. Such a system is very low cost: the attacker needs a piece of PCB, a few matching components and a coaxial cable. The overall cost is a few dollars at most. We claim that wired relays are the simplest and fastest relays by design; as a consequence, they should challenge countermeasure approaches which only parry the largest delays.

**Figure 2.** Potential use of a wired relay

Implementation of a Countermeasure to Relay Attacks for Contactless HF Systems

http://dx.doi.org/10.5772/53393

#### *2.2.2. Relay based on a wireless super heterodyne system*

This relay, shown in Fig. 3, is quite similar to the relay attack developed by Hancke because it is not restricted by a wired link. Contrary to Hancke's relay, our wireless relay does not use digital components like microcontrollers or RFID chips to process the signal, so the delay induced by this relay should be shorter. To do so, the reader signal of frequency fc is mixed with another signal of frequency F, generated by a local oscillator. The result is a signal of frequency fc+F, easier to amplify and to send further. A PLL is used as the local oscillator to have the same frequency in the modulation and demodulation circuits.

**Figure 3.** Forward wireless relay

#### *2.2.3. Relay with demodulation of the signal*

We have developed a more advanced relay (Fig. 4) close to those realized by Hancke or Kasper. Realizing a relay which demodulates the signal is more complex for an attacker, because it requires a perfect knowledge of the contactless standards. Our system is compliant with the ISO14443-A standard so that it can be compared with the relays of the literature. However, it can be adapted to a different contactless standard such as ISO15693 or ISO14443-B.

The proxy is mainly based on the one developed by Carluccio et al. [7]. This electronic card can be divided into two subsystems: one for the demodulation and decoding of the reader signal and one for the load modulation of the card.

The mole is based on a reader developed in our laboratory. This device has an RF front-end which allows amplitude modulation and demodulation. The heart of the mole is an FPGA which separates the emission phase from the reception phase. The proxy signal is processed by the FPGA of the mole; it is coded in modified Miller and modulated in OOK. The HF signal is then amplified and injected into the antenna. The victim's card understands the request of our mole as a frame from a standard reader and answers by modulating its load. This signal is first processed by an analog system and then sampled, demodulated and decoded by the FPGA.

The proxy and the mole communicate through a wireless system. We have used chips from video/audio wireless transmission systems since they allow a sufficient bit rate of 212 kbit/s.

The datasheet of video transmission systems gives a theoretical operating distance of 100 metres. In practice, propagation problems inside a building must be taken into account, but this distance is sufficient to realize the attack in a shop. Based on experiments realized with the relay, we have obtained a maximum distance of 10 cm between the card and the mole, and also between the proxy and the reader.

**Figure 4.** Relay with demodulation of the signal

#### **2.3. Experiments on introduced delay**

This experiment is performed to measure the delays introduced by the different relays. To do so, a reader sends a fixed sequence through a relay. With an oscilloscope, this sequence is recorded directly on two calibration coils located close to the two relay antennas. The sequence is an amplitude-modulated signal with a subcarrier at 848 kHz. The cross-correlation of the two recorded signals gives the temporal shift between them. In this experiment, we assume that the delay is the same for the forward and the backward channel, so the round-trip delay introduced by the relay is twice the computed value.
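To make the measurement procedure concrete, here is an added example (not code from the chapter, and not the authors' oscilloscope setup) that applies the same cross-correlation idea to two constructed captures: an OOK-switched 848 kHz subcarrier sampled at an assumed 100 MSa/s, and an attenuated, delayed copy of it standing in for the signal on the second calibration coil. The sampling rate, the 944-sample symbol length, the bit pattern, the pseudo-noise term and all function names are assumptions; the doubling of the one-way estimate follows the symmetric-channel assumption stated above.

```python
"""Delay estimation by cross-correlation of two captured coil signals.

Added example; it is not code from the chapter and models no real
oscilloscope capture. All signals below are constructed in software.
"""
import math

FS = 100e6       # assumed oscilloscope sampling rate, samples per second
F_SUB = 848e3    # ISO14443 subcarrier frequency, Hz (from the chapter)


def subcarrier_burst(pattern, samples_per_bit):
    """Constructed reference capture: an 848 kHz subcarrier switched on (bit 1)
    and off (bit 0) following `pattern`, one symbol per `samples_per_bit`."""
    out = []
    for i in range(len(pattern) * samples_per_bit):
        bit = pattern[i // samples_per_bit]
        out.append(bit * math.sin(2 * math.pi * F_SUB * i / FS))
    return out


def delayed_copy(signal, delay_samples, gain=0.5, noise_amp=0.05):
    """Constructed second capture: the same burst attenuated, shifted later by
    `delay_samples` and disturbed by a small deterministic pseudo-noise term."""
    out = []
    for i in range(len(signal)):
        src = signal[i - delay_samples] if i >= delay_samples else 0.0
        noise = noise_amp * math.sin(0.37 * i) * math.cos(1.3 * i)
        out.append(gain * src + noise)
    return out


def estimate_delay_samples(ref, obs, max_lag):
    """Lag (in samples) that maximises the cross-correlation of `obs` against
    `ref`, searched over 0..max_lag. A positive lag means `obs` is late."""
    best_lag, best_val = 0, -math.inf
    n = len(ref)
    for lag in range(max_lag + 1):
        acc = 0.0
        for i in range(lag, n):
            acc += ref[i - lag] * obs[i]
        if acc > best_val:
            best_lag, best_val = lag, acc
    return best_lag


def round_trip_delay_seconds(ref, obs, max_lag=250):
    """One-way delay from the correlation peak, doubled under the chapter's
    assumption that forward and backward channels add the same delay."""
    one_way = estimate_delay_samples(ref, obs, max_lag) / FS
    return 2.0 * one_way


if __name__ == "__main__":
    # 944 samples per symbol is about one 106 kbit/s bit at the assumed rate
    ref = subcarrier_burst([1, 0, 1, 1, 0, 0], samples_per_bit=944)
    for name, delay in (("wired relay", 30), ("demodulating relay", 200)):
        obs = delayed_copy(ref, delay)
        print(name, round_trip_delay_seconds(ref, obs) * 1e9, "ns round trip")
```

The resolution of this estimate is one sample period (10 ns at the assumed rate), so a 300 ns delay shows up as a 30-sample shift; sub-sample delays would need interpolation around the correlation peak or a faster sampling rate.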

Fig. 5 gives an overview of the computed delays. Each type of relay is characterized by a temporal distribution. The delay introduced by the relay can be used to detect its presence. Wireless relays and wired relays have roughly the same delays because the mixing of the signals is very fast in the case of the wireless relay. The relay with demodulation introduces a delay 7 times smaller than Hancke's relay.

**Figure 5.** Measured delays

Distance bounding protocols are used to detect additional delays introduced by a relay during a transaction between two devices. This kind of protocol is often divided into three stages. In such a protocol, the card, named the prover, must convince the reader, named the verifier, that they are close to each other. During the first stage, the verifier and the prover exchange encrypted sequences, which are used during the second stage. The second stage consists of a timed exchange between the prover and the verifier, in order to verify the card's location. This analysis is made by measuring the time between the request of the verifier and the response of the prover. The last stage is authentication and verification: the verifier computes and checks the measured times to define the location of the prover and analyses the prover's answers to verify its honesty.

The reliability of such protocols depends mainly on the physical layer; the communication channel during the exchange stage affects the accuracy of the propagation time measurements. However, Hancke et al. and recently Rasmussen et al. are the only authors who gave a number of indications related to the protocol implementation at the physical layer level [13]. Other authors claim the merits of their distance bounding protocols, such as cost, complexity and reliability, but none of them has treated the problem of the protocol implementation for a contactless system. Even when they have been designed to use the physical layer of the system, they have never been implemented and tested in the HF band. Such discussions and analysis may be proposed before further work on these protocols.

Distance measurements based on the use of electromagnetic and acoustic waves are used in many applications such as radars. The distance resolution is inversely proportional to the bandwidth; this relation shows one of the weaknesses of distance bounding protocols implemented on a contactless or UWB communication channel:

**•** HF communication channel: For a contactless system with a bandwidth of 848 kHz, the spatial resolution is around 350 m. Such resolution is too weak to measure the distance between two communicating entities. Moreover, the settling time of HF antennas and the processing time for modulation and demodulation are too long to measure small delays.

**•** UWB communication channel: The bandwidth of a UWB system is equal to 20-25% of its central frequency. The spatial resolution is then close to 1.6 m for a 1 GHz UWB system. Such resolution is suitable to detect any kind of relay. However, UWB implementation on an HF contactless system is complex. Hardware constraints are required, such as the modification of the whole RF front-end: addition of electrical antennas and specific modulation and demodulation systems.

These two communication channels use electromagnetic waves, whose celerity is close to the speed of light. In a contactless system, the distance between the verifier and the prover is smaller than 10 cm. The propagation time is then smaller than 300 ps. The first assumption of distance bounding protocols is that the processing time of the signal is much smaller than the propagation time of the signal transmitted between the two parties, so smaller than 300 ps.
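The three stages described above, together with the bandwidth-versus-resolution argument, can be exercised in a small simulation. The following is an added example and not the chapter's protocol or code: a toy verifier/prover pair where stage 1 derives two response registers from a shared key and nonces (HMAC-SHA256 stands in for the "encrypted sequences"), stage 2 runs timed single-bit rounds over a channel model, and stage 3 checks both the answers and the round-trip time against a bound. The shared key, nonces, the 1 µs per-round processing budget, the channel model and the "10 ns clock" comparison case are all constructed assumptions; the relay delays used (300 ns, 2 µs, 15 µs) and the 848 kHz subcarrier are the figures given on this page.

```python
"""Three-stage distance bounding check with timing resolution, added example.

Not the chapter's protocol or code: a toy verifier/prover pair built to show
how the stages described above fit together and why the coarse timing of an
HF channel lets a fast relay through. Key, nonces, processing budget and
clock ticks are all constructed assumptions.
"""
import hashlib
import hmac
import math

C = 299_792_458.0          # speed of light, m/s
D_MAX = 0.10               # accepted verifier-prover distance, m (chapter: < 10 cm)
T_PROC_MAX = 1e-6          # ASSUMED prover processing budget per round, s
HF_TICK = 1 / 848e3        # one period of the 848 kHz subcarrier, s
KEY = b"constructed shared key, not a real secret"


def spatial_resolution_m(bandwidth_hz):
    """Range resolution c/B behind the chapter's bullet points."""
    return C / bandwidth_hz


def derive_registers(key, nonce_v, nonce_p, n_rounds):
    """Stage 1: both parties derive the response registers R0 and R1 from the
    shared key and the exchanged nonces."""
    digest = hmac.new(key, nonce_v + nonce_p, hashlib.sha256).digest()
    bits = [(byte >> k) & 1 for byte in digest for k in range(8)]
    if 2 * n_rounds > len(bits):
        raise ValueError("too many rounds for one digest")
    return bits[:n_rounds], bits[n_rounds:2 * n_rounds]


def measured_ticks(distance_m, relay_delay_s, tick_s):
    """Channel model for one timed round, as seen by the verifier's clock:
    propagation both ways, prover processing and any relay delay, quantised
    to whole clock ticks."""
    t = 2 * distance_m / C + T_PROC_MAX + relay_delay_s
    return round(t / tick_s)


def run_session(distance_m, relay_delay_s, tick_s, n_rounds=32, seed=b"\x01"):
    """Run all three stages. Returns (accepted, bits_ok, timing_ok).
    The prover is honest; a relay only forwards its bits and adds delay."""
    nonce_v = hashlib.sha256(b"verifier" + seed).digest()[:16]   # constructed nonce
    nonce_p = hashlib.sha256(b"prover" + seed).digest()[:16]     # constructed nonce
    regs_verifier = derive_registers(KEY, nonce_v, nonce_p, n_rounds)
    regs_prover = derive_registers(KEY, nonce_v, nonce_p, n_rounds)
    challenges = [(b >> k) & 1
                  for b in hashlib.sha256(b"challenge" + seed).digest()
                  for k in range(8)][:n_rounds]

    # Stage 3 bound: largest tick count consistent with D_MAX and T_PROC_MAX.
    max_ticks = math.ceil((2 * D_MAX / C + T_PROC_MAX) / tick_s)

    bits_ok = timing_ok = True
    for i, c in enumerate(challenges):          # Stage 2: timed single-bit rounds
        response = regs_prover[c][i]            # prover answers from R0 or R1
        ticks = measured_ticks(distance_m, relay_delay_s, tick_s)
        if response != regs_verifier[c][i]:     # Stage 3: check the answer...
            bits_ok = False
        if ticks > max_ticks:                   # ...and the round-trip time
            timing_ok = False
    return bits_ok and timing_ok, bits_ok, timing_ok


if __name__ == "__main__":
    print("HF range resolution: %.0f m" % spatial_resolution_m(848e3))
    for label, delay in (("honest", 0.0), ("wired relay", 300e-9),
                         ("demodulating relay", 2e-6), ("GSM relay", 15e-6)):
        print(label, run_session(D_MAX, delay, HF_TICK))
    print("wired relay, assumed 10 ns clock", run_session(D_MAX, 300e-9, 10e-9))
```

With the subcarrier period as the clock tick, a 300 ns relay is indistinguishable from an honest card (both round to one tick), while the 2 µs and 15 µs relays are rejected; the same 300 ns relay is rejected as soon as the verifier times the exchange with a 10 ns tick. Every relayed session passes the bit check, which is the point made earlier: the delay is the only observable left to the verifier.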
