Movatterモバイル変換


[0]ホーム

URL:


Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

Sign up
Appearance settings

An NFC research toolkit application for Android

License

NotificationsYou must be signed in to change notification settings

nfcgate/nfcgate

Repository files navigation

NFCGate is an Android application meant to capture, analyze, or modify NFC traffic. It can be usedas a researching tool to reverse engineer protocols or assess the security of protocols againsttraffic modifications.

Get it on F-Droid

Notice

This application was developed for security research purposes by students oftheSecure Mobile Networking LabatTU Darmstadt. Please do not use this application for maliciouspurposes.

Features

  • On-device capture: Captures NFC traffic sent and received by other applications running on thedevice.
  • Relay: Relays NFC traffic between two devicesusinga server. One device operates as a "reader" reading anNFC tag, the other device emulates an NFC tag using the Host Card Emulation (HCE).
  • Replay: Replays previously captured NFC traffic in either "reader" or "tag" mode.
  • Clone: Clones the initial tag information (e.g. ID).
  • pcapng export of captured NFC traffic, readable by Wireshark.

Requirements for specific modes

  • NFC support
  • Android 5+ (API level 21+)
  • Xposed-compatible hookingframework (EdXposed,LSPosedwith Zygisk or Riru): On-device capture, relay tag mode, replay tag mode, clone mode.
  • ARMv8-A, ARMv7: Relay tag mode, replay tag mode, clone mode.
  • HCE: Relay tag mode, replay tagmode, clone mode.

Usage

Building

  1. Initialize submodules:git submodule update --init
  2. Build using Android Studio or Gradle

Operating Modes

As instructions differ per mode, each mode is described in detail in its own documentindoc/mode/:

Pcapng Export

Captured traffic can be exported in or imported from thepcapngfile format. For example, Wireshark can be used to further analyze NFC traffic. A detaileddescription of the import and export functionality is documented indoc/pcapng.md.

Compatibility

NFCGate provides an in-app status check. For further notes on compatibility seethecompatibility document.

Known Issues and Caveats

Please consider the following issues and caveats before using the application (and especially beforefiling a bug report).

NFC Stack

When using modes, that utilize HCE, the phone has to implementtheNFC Controller Interface (NCI)specification. Most of the phones should implement this specification when offering HCE support.

Confidentiality of Data Channel (relay)

To ensure confidentiality and integrity, use Transport Layer Security (TLS), which can be enabled inNFCGate settings. You need a CA-issued or self-signed certificate. Certificates from system-trustedCAs are trusted automatically. Self-signed certificates can be trusted by the user on first use (TOFU).

Compatibility with Cards (relay, replay, clone)

We can only proxy tags supported by Android. For example, Android no longer offers support forMiFare classic chips, so these cards are not supported. When in doubt, use an application like NFCTag info to find out if your tag is compatible. Also, at the moment, every tag technology supportedby Android's HCE is supported (A, B, F), however NFC-B and NFC-F remain untested. NFC-A tags are themost common tags (for example, both the MiFare DESFire and specialized chips like the ones inelectronic passports use NFC-A), but you may experience problems if you use other tags.

Compatibility with readers (relay)

This application only works with readers which do not implement additional security measures. Onesecurity measure which will prevent our application from working in relay mode is when the readerchecks the time it takes the card to respond (or, to use the more general case, if the readerimplements "distance bounding"). The network transmission adds a noticeable delay to anytransaction, so any secure reader will not accept our proxied replies.
This does not affect other operating modes.

Android NFC limitations (relay, replay)

Some features of NFC are not supported by Android and thus cannot be used with our application. Wehave experienced cases where the NFC field generated by the phone was not strong enough to properlypower more advanced features of some NFC chips (e.g. cryptographic operations). Keep this in mind ifyou are testing chips we have not experimented with.

Publications and Media

This applicationwaspresented at the 14th USENIX Workshop on Offensive Technologies (WOOT '20).AnarXiv preprint can be found here.

An early version of this application was presented at WiSec 2015.Theextended Abstractandposter can be foundon thewebsite of one of the authors. It was alsopresented in abriefLightning Talkat theChaos Communication Camp 2015.

Reference our Project

Any use of this project which results in an academic publication or other publication which includesa bibliography should include a citation to NFCGate:

@inproceedings {Klee2020Nfcgate,    author = {Steffen Klee and Alexandros Roussos and Max Maass and Matthias Hollick},    title = {NFCGate: Opening the Door for {NFC} Security Research with a Smartphone-Based Toolkit},    booktitle = {14th {USENIX} Workshop on Offensive Technologies ({WOOT} 20)},    year = {2020},    url = {https://www.usenix.org/conference/woot20/presentation/klee},    publisher = {{USENIX} Association},    month = aug,}

The initial NFCGate paper describing the first version of NFCGate can be cited as follows:

@inproceedings{Maass2015Nfcgate,  title={DEMO: NFCGate: an NFC relay application for Android},  author={Max Maass and Uwe M{\"u}ller and Tom Schons and Daniel Wegemer and Matthias Schulz},  booktitle={Proceedings of the 8th ACM Conference on Security \& Privacy in Wireless and Mobile Networks},  year={2015}}

License

   Copyright 2015-2025 NFCGate Team   Licensed under the Apache License, Version 2.0 (the "License");   you may not use this file except in compliance with the License.   You may obtain a copy of the License at       http://www.apache.org/licenses/LICENSE-2.0   Unless required by applicable law or agreed to in writing, software   distributed under the License is distributed on an "AS IS" BASIS,   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   See the License for the specific language governing permissions and   limitations under the License.

Contact

Used Libraries

Credits

  • ADBI: ARM and THUMB inline hooking

[8]ページ先頭

©2009-2026 Movatter.jp