7.2 The Experiment
7.2.3 Second Phase
This phase verifies whether the NFC controller and the application processor are enabled only while the device screen is on. The result for Android 4.4.2 (build number: KOT49H.I9505XXUGNG8) shows that the NFC controller and application processor are enabled even when the device screen is off, so no further verification is needed for that version. In the second phase, Android 5.1.1 is tested.
There are two modifications to the overall setup compared to phase one: a wireless charger is used in addition to the other components, and instead of the Samsung Galaxy S4, a Google Nexus 5 with Android 5.1.1 is used.
Wireless Charger The wireless charger uses an electromagnetic field to transfer energy between two objects. Energy is sent through an inductive coupling to an electrical device, which can then use that energy to charge batteries or run the device[1]. The reason for using a wireless charger in the attack scenario is to enable the display screen of the device. When a mobile device is placed on the wireless charger, the device screen turns on and shows a notification that the device is charging. In addition, when the wireless charger is removed, the device screen is switched on again and shows a notification that the device has stopped charging.
Google Nexus 5 The Nexus 5[2] has NFC as well as in-built support for wireless charging. The Android version used in the experiment is 5.1.1. Figure 7.10 shows the phone used. Figure 7.11 shows the initial experiment setup for the second phase.
7.2.4 The Experiment Setup
In this setup, the Nexus 5 is kept on the NFC antenna of the shield. On the left side, the device screen is turned on and on the right side, the serial output shows that it is able to receive the messages.
[1] http://goo.gl/1OnZc1
Figure 7.10: Google Nexus 5 with Android 5.1.1
In the next step, the wireless charger is powered on, the antenna of the NFC shield is placed on the surface of the wireless charger and the Nexus 5 is placed on top of the NFC antenna. This way, the Nexus 5 is in contact with both the wireless charger and the NFC antenna. Figure 7.12 shows this setup.
7.2.4.1 Result
The result of this experiment is that when the Nexus 5 is placed on the wireless charger, the device screen is turned on. The serial output shows that messages are transferred between the Nexus 5 and the NFC antenna. Therefore, once the device display is active, the NFC controller and application processor get enabled (if the device screen is manually disabled while communication is already happening, the communication is dropped after a short delay because the NFC controller gets disabled). Unfortunately, the communication between the Nexus 5 and the NFC antenna is not stable. This might be because of interference between the electromagnetic induction generated by the wireless charger and the NFC antenna. There are multiple commercial products available which have NFC and a wireless charger embedded in one device, like the Asus NFC EXPRESS 2 and Wireless Charger[1].
Figure 7.11: Initial setup with Google Nexus 5 and Wireless Charger
This unstable behaviour can be resolved by powering off the wireless charger. The device display screen becomes active not only when the wireless charger is powered on, but also when the wireless charger is powered off. In the latter case, no electromagnetic interference is caused, so the device display screen becomes active and the message transfer between the Nexus 5 and the NFC antenna starts without any problem. Figure 7.13 shows the results. On the left, the wireless charger is powered off, which turns the device display screen on. On the right side, the serial monitor shows that messages are being transferred without any interference. However, the message transfer is limited to the time frame for which the device screen is active. This time frame is configurable in the Settings user interface. By default, the screen timeout is set to 30 seconds in Android 5.1.1[1], which means the device screen is turned off automatically when there is no interaction between the device and the user for 30 seconds.
Figure 7.12: Google Nexus 5 is kept on the Wireless Charger along with the NFC antenna
The time frame of 30 seconds is enough for performing an NFC transaction. In the case of NFC-based payment in Transport for London[2], the transaction time is close to 500 milliseconds, while in the case of Google Wallet and Apple Pay it is between 1 and 2 seconds[3]. Even if the delay caused by relaying the APDUs between Mole and Proxy is included, 30 seconds is still enough to perform the transaction.
[1] http://www.androidcentral.com/android-101-how-change-screen-time-out-length
[2] http://www.eetimes.com/author.asp?doc_id=1322320
Figure 7.13: Google Nexus 5 kept on the Wireless Charger(powered OFF) along with NFC antenna
A limitation of this approach is that Android provides a functionality which forces the user to unlock the device before a transaction can be initiated. This functionality is configured by setting the attribute android:requireDeviceUnlock to true in the apduservice.xml file. By default, the attribute is set to false. Therefore, whether the protection applies depends on the implementation of the application. As a survey conducted by Consumer Reports in 2014 states, 34 percent of US smartphone users do not enable a device screen lock[1]. Apart from this, even if the attribute android:requireDeviceUnlock is set to true, there is still a chance that users keep their phones on the wireless charger while the device is unlocked.
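The two configurations discussed above, written out as an added example that is not taken from the thesis or from any application it tested. Both files follow the Android host-based card emulation (HCE) service descriptor format; the service description strings, the AID group and the AID value F0010203040506 are constructed placeholders, and the first file is the weak form an application ships with when the attribute is left at its default.

```xml
<!-- res/xml/apduservice.xml, WEAK form (constructed example).
     android:requireDeviceUnlock is omitted, so it takes its default value
     of false: the HCE service answers APDUs as soon as the NFC controller
     is active, i.e. as soon as the screen is on, even with the phone still
     locked on a wireless charger. -->
<host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:description="@string/hce_service_description">
    <aid-group
        android:description="@string/hce_aid_group_description"
        android:category="payment">
        <!-- Constructed placeholder AID in the proprietary 'F' range. -->
        <aid-filter android:name="F0010203040506" />
    </aid-group>
</host-apdu-service>

<!-- res/xml/apduservice.xml, HARDENED form (constructed example).
     Setting android:requireDeviceUnlock="true" makes Android withhold the
     service until the user has unlocked the device, so a screen that merely
     woke up for a charging notification is no longer sufficient to start a
     transaction. The residual risk noted in the text remains: a phone left
     unlocked on the charger is still reachable. -->
<host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:description="@string/hce_service_description"
    android:requireDeviceUnlock="true">
    <aid-group
        android:description="@string/hce_aid_group_description"
        android:category="payment">
        <aid-filter android:name="F0010203040506" />
    </aid-group>
</host-apdu-service>
```

The descriptor only takes effect when the HostApduService is declared in AndroidManifest.xml with the android.permission.BIND_NFC_SERVICE permission and referenced through the android.nfc.cardemulation.host_apdu_service meta-data entry, which is standard HCE registration and not specific to this attack. Reviewing an application's apduservice.xml for the presence and value of android:requireDeviceUnlock is therefore a quick check for whether the wireless-charger screen wake-up described in this section is sufficient to reach its payment AID.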