From 23823a7b67a56f8c1062e3185045bb443e7a3b54 Mon Sep 17 00:00:00 2001 From: Muhammad Nauman Raza Date: Fri, 29 Mar 2024 22:46:18 +0000 Subject: [PATCH] docs: new document nfc-misconceptions.typ --- blog/nfc-misconceptions.typ | 84 +++++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 blog/nfc-misconceptions.typ diff --git a/blog/nfc-misconceptions.typ b/blog/nfc-misconceptions.typ new file mode 100644 index 0000000..1c7a603 --- /dev/null +++ b/blog/nfc-misconceptions.typ @@ -0,0 +1,84 @@ +#set page( + paper: "a4", + margin: 1cm, +) + +#align(left, text(10pt)[*I made a mistake while writing this blog +post - somehow forgetting that security isn’t unambiguous. You can +actually skim NFC chips from a certain distance \(having a limited +distance is still an important factor though!), and though I think some +of what I said below still applies you’re better off ignoring it all.* +There are, of course, a whole range of problems with skimming NFC chips +from a distance so my point - don’t be so worried - would still stand. +Either way, I recommend you take this with a grain of salt. +]) + += Introduction +NFC \(short for Near-Field Communication) is the set of communication +protocols which allow for #emph[near-field communication] between two +electronic devices. One of the most prominent uses of this technology +are contactless transactions - this includes services like Google and +Apple Pay as well as all of your contactless-enabled cards. + +It’s been a while since my last blog past, but this one will be brief +too - I’m writing here for the sake of clearing up some misconceptions +people have about NFC. + += The Misconceptions +== Inspiration +While talking with a friend on a WhatsApp group chat a few days ago +about a program I found on my jailbroken iOS device - +#link("https://github.com/Aemulo")[Aemulo] - I was informed of 'subway +skimmers'; devices that could #emph[supposedly] read data from +contactless-enabled devices \(via NFC) and would be able to emulate +them. + +The idea behind the above example was that someone with malicious intent +could place such a device in a public location and take their +contactless devices for their malicious purposes. When I heard of this, +my first thought was: +#link("https://devraza.duckdns.org/blog/hoaxes-overview/")[hoax];, and I +think that it was rightfully so. + +== What exactly is wrong with this? + +Several things. I’m no expert in cybersecurity - everyone’s a student in +some way, but I was sure that NFC was, as it’s name implies, for +#strong[near-field communication];. I’m repeating myself here, but +that’s kind of the point. Various reliable resources, including +Wikipedia, show that NFC has a maximum range of only a few centimetres - +which makes sense, no? + +And yet, whatever source my friend had for 'subway skimmers' gave the +impression, or otherwise stated, that it would work within a radius of a +few feet, which is just impossible. Upon voicing my doubts, I was then +told that 'with a powerful enough antenna, it’s possible'. Hoaxes sure +are convincing, aren’t they? Unfortunately, I am not able to find the +source of my friend’s misinformation. + +See, NFC only works within a few centimetres anyways. Even if it could +#emph[magically] work within a radius of a few feet, you’ve got to take +in the electromagnetic interference that the clothes and wallets people +have would bring to any malicious device. The point of electromagnetic +interference is especially true over a #emph[huge] area of a few feet +\(relatively), where you’ve got several NFC-enabled devices. + +== Where it’s actually an issue +Of course, that isn’t to say there aren’t any issues with NFC and +malicious readers - I’m just saying that the word getting around is +horribly unrealistic. For example, a #emph[realistic] example of a +malicious NFC reader would be one placed on the card slots in cash +machines - you get: + +- The short range (~20 cm) +- Only one device +- Lots of devices to read! + +And so, you’ve got someone so much more realistic that poses an actual +threat! + += Conclusion + +The information above, which I deem accurate, is there. What I suggest +be taken away from this is pretty much the same as what is was for +#link("https://devraza.duckdns.org/blog/hoaxes-overview/")[my blog post on hoaxes] - #strong[do some fact-checking!]