Handling the NDEF signature record type in a secure manner

Abstract

Today's society is used to get information of different types of items in a fast and convenient way using e.g., a camera or a barcode scanner in combination with the Internet. Using near-field communication (NFC) this information procurement can be further simplified. The desired information is obtained by just touching a so-called NFC tag with an NFC-capable device (e.g. smartphone). Of course also new opportunities for attackers rise with this technology, the content of the tags can be changed in order to provide wrong information. The NFC Forum has addressed this issue by introducing digital signatures on the NFC tags. In this work we have used a state-of-the-art smartphone with NFC functionality and Android operating system in order to point out different security vulnerabilities which rise even with signed tags. Using a self-developed Android application that handles the digital signatures on NFC tags, we could show these security vulnerabilities in real-world examples. Our achieved results show that the integration of a digital signature on NFC tags is not enough to provide integrity and authenticity of the data. Also the handling of data has to be done with great care. Suggestions for creating signed tags in a secure way are also given in the result section.