How to prevent NFC tag cloning?

by

That depends on what type of tag you use and what level of protection against cloning you want.

  1. NFC tags (as defined by the NFC Forum) have no protection against cloning. Such tags are intended as containers for freely readable data (so called NDEF messages). Anyone could read an NDEF message from one tag and duplicate it to another tag.

  2. Many NFC tags also contain a unique identifier that is pre-programmed by the tag manufacturer and cannot be modified on normal tags. You could use this unique identifier to determine if a tag was issued by you (i.e. you know its id) or forged (i.e. you don’t know its id). Instead of using a list of genuine ids, you could also create a digital signature over the tag’s id and its data. THat way, you could find out if data and signature are used on a tag with a different unique identifier. However, all data can still be extracted from your tag. Therefore, you should be aware of the fact, that specialized hardware (e.g. Proxmark, etc) and ready-made tags are available where an attacker can change the unique identifier to the value of your tag’s id. So this is certainly not perfect cloning protection.

  3. You could use a contactless smartcard/tag that provides communication encryption and shared-key based access control (e.g. MIFARE DESFire). With this approach, you could store data that you do not want an attacker to be able to clone in a key-protected memory area. However, if you want to be able to read that data from within your app (i.e. without having an online backend that directly communicates with the card), you would need to store the key to access the memory area within your app. Consequently, in an offline scenario (i.e. key stored in app), an attacker might be able to extract that key and use it to clone the tag.

  4. You could use a tag/smartcard that contains a secret asymmetric key and provides a command to sign a cryptographic challenge with that key. In that case, in order to verify if the tag is genuine, you could request such a signature from the tag for a random challenge and verify the signature against the tags corresponding public key. This would certainly be the most secure solution as you do not need to store any shared secret within your app. The only ready-made NFC tag solution (that I’m currently aware of) that provides such functionality seems to be Inside Secure’s VaultIC. Though you could create one yourself based on the asymmetric crypto functionality of a contactless smartcard (e.g. a Java Card).

Note that for all of the above cloning-protection scenarios you would have to create an app that checks if a tag is genuine or cloned. By default NFC phones only use the information in (1) and therefore do not perform any such checks.

More Related Contents:

  1. How to avoid reverse engineering of an APK file
  2. How do I prevent Android taking a screenshot when my app goes to the background?
  3. How to prevent Screen Capture in Android
  4. How to encrypt and decrypt file in Android?
  5. Emulate Mifare card with Android 4.4
  6. How permission can be checked at runtime without throwing SecurityException?
  7. Android SharedPreference security
  8. Restrict API requests to only my own mobile app
  9. How to securely store credentials (password) in Android application?
  10. Host-based Card Emulation with Fixed Card ID
  11. android: Determine security type of wifi networks in range (without connecting to them)
  12. How to securely store access token and secret in Android?
  13. How to Secure Android Shared Preferences?
  14. Editing Functionality of Host Card Emulation in Android
  15. How do I clone a View?
  16. Android app enable NFC only for one Activity
  17. Bluetooth pairing without user confirmation
  18. Best way to secure Android app sensitive Data?
  19. Getting started with Open NFC emulator
  20. Get NFC tag with NDEF Android Application Record (AAR)
  21. How to keep the OAuth consumer secret safe, and how to react when it’s compromised?
  22. Android: Changing NFC settings (on/off) programmatically
  23. How to secure my app against piracy
  24. How to enable AutoStart option for my App in Xiaomi phone Security App programmatically in android
  25. Google Play security alert for insecure TrustManager
  26. Secure element Access Control on ICS 4.0.4
  27. Get Static NFC Tag Id with HCE mode
  28. How to use an API from my mobile app without someone stealing the token
  29. How to manage installation from Unknown Sources in Android Oreo?
  30. Changing size of seekbar thumb

Leave a Comment