"Internet of Smart Cards": A pocket attacks scenario

Smart cards are secure devices used to store people sensitive data and to regulate important operations like identity proofs and payment transactions. For years people have been used to contact smart cards but in the last decade we have seen the massive introduction of contactless smart cards. At the same time we have seen a growing number of mobile phones equipped with a NFC interface in circulation, which are capable of interacting with contactless smart cards. Under different circumstances the user's contactless cards and mobile phone are kept close together at a distance that should enable them to interact each other, for instance in pockets and bags. We describe an architecture to attack the contactless cards of a user through his NFC-equipped mobile phone. The user's mobile phone, here defined as smart-mole, is infected and connected to the NFC-equipped one of the attacker, the proxy. The victim's phone capabilities are exploited to run local attacks against a contactless card in its range, for instance to recover the card PIN that is then sent back to the attacker. Subsequently the attacker remotely uses the victim's card through a relay attack putting his phone in front of a reader and providing the PIN of the victim card when needed, basically impersonating the cardholder. Infecting several phones an attacker could have under his control a large set of cards, a sort of "Internet of Smart Cards". We show that surveying a decade of research and development in the contactless cards field such attacks look feasible according the current social context and the level of technology. We also discuss how they could be methodologically applied by an attacker to defeat the different measures currently adopted to secure contactless cards. (C) 2019 The Author. Published by Elsevier B.V.