6.8 Secure Log Retrieval
6.9.2 Symbolic Verification
As we introduced in Chapter 4, Scyther is a protocol verification tool presented by Cremers [29] for assuring correctness using symbolic analysis. This was re-employed to verify the protocols proposed in this chapter; we refer the reader back to Section 4.5.4 of Chapter 4 for a description of Scyther. We analyse all protocols using the default Dolev-Yao adversarial model, between TA1, TA2 and the TSM for migration; TA, TSM and BA for backup; TA, TSM and RA for revocation lookup, and MA and RA for revocation reporting; TA, MA, RA and TSM for updates; and re-verifying the modified BTP with AEAD between TA1 and TA2. The protocols are modelled under the multi-protocol setting offered by Scyther for evaluating procedures comprising sub-protocols. We see, for instance, that BP-BTP (Protocol 2) contains BTPs executed between (TSM, BA), (TSM, TA) and (TA, BA). Multi-protocol analysis in Scyther accounts for attacks that, for example, replay messages between (TSM, BA) to (TA, BA) and vice-versa, across all sub-protocols of a given procedure.
To be clear, we assume a uniform threat model between entities in the sub-protocols, i.e. the interactions between (TA1, TA2) for credential migration are analysed under the same adversarial model as, for example, (TSM, BA) in the backup procedure. In other words, the same Dolev-Yao adversarial model is used to analyse all sub-protocols; however, in reality, the roles of BA, RA, TSM and MA are likely to be served by one or more trusted organisations over a network subjected to more rigorous security controls, such as enterprise firewalls and frequent inspection. This is opposed to two devices communicating in the field over a more uncontrolled network topology, as we assume with (TA1, TA2). In short, we assume the worst case that the network between all communicating parties is untrusted.
As in Chapter 4, we used Scyther to test the secrecy of transmitted quotes from each party in each procedure and corresponding sub-protocols, e.g. (Secret, qta1) and credentials (Secret, c); aliveness (Alive); replay protection, i.e. non-injective agreement (Niagree) and non-injective synchronisation (Nisynch), as defined in [29]; session key secrecy (SKR, K); and the reachability of all entities, e.g. (Reachable, TA). Scyther found no attacks on any procedure under a Dolev-Yao adversary. However, we urge the reader to be mindful of the limitations of verification tools, as set out in Section 4.5.4 of Chapter 4.
The Scyther specifications for each protocol are also released for further scrutiny¹. Note that the entities tested in our procedures are considered to be trusted, i.e. not compromised. TEEs are inherently designed against complex, potentially kernel-level adversaries – for a detailed review of the threats that a TEE defends against, the reader is referred back to Section 2.4.7 in Chapter 2 – which also includes the TEEs we assume to be in operation by the backup, revocation and maintenance authorities, and the TSM.
6.10 Conclusion
In this chapter, we presented the first investigation into secure and trusted remote TEE credential management on constrained devices using mutual attestation.
This resulted in the proposal of a suite of protocols for supporting secure remote migration, revocation, backups, and credential updates. This work is a development of the ideas and challenges of mutual attestation (Chapter 4), and we demonstrated in Section 6.8 how it can be applied to secure and mutually trusted log retrieval from work in Chapter 5. After summarising TEE credential deployment in Section 6.2, we formalised the threat model, security goals and assumptions for a typical centralised IoT TEE credential deployment in Section 6.3. For each management challenge, we reviewed the state-of-the-art before proposing procedures and protocols for securely realising these notions using mutual attestation. The protocols were subjected to formal symbolic verification using Scyther, which found no attacks under the Dolev-Yao adversarial model. We publicly release the verification scripts for further research and scrutiny (see Section 6.1.2).
6.10.1 Future Work
While we evaluated the performance of the core protocol in Chapter 4 for bootstrapping a secure and mutually trusted channel for underpinning the remaining proposed procedures, it would be worthwhile to implement and evaluate the procedures in this chapter in an emulated IoT environment with multiple devices.
¹ Protocol specifications available online at: https://www.dropbox.com/s/uq0hftj6b6c1zux/remote-credential-scyther-scripts.zip
A particularly useful endeavour in future research would be to evaluate each protocol on a range of platforms, from MCUs to higher-end SBCs, using heterogeneous TEEs. A related task would be to implement and evaluate alternative wireless mediums common in IoT deployments, such as ZigBee, LoRa, Bluetooth and 802.11 Wi-Fi, for identifying any potential latency challenges.
Chapter 7
On the Effectiveness of Sensor-based Proximity and Relay Attack Detection Mechanisms for NFC Transactions
The previous chapters principally considered applications of TEEs and proposed a number of protocols, procedures and systems that support those applications.
In this chapter, we explore the application of TEEs in protecting the credentials used in NFC-based contactless transactions and their vulnerability to relay attacks. Relay attacks stem from the absence of proximity assurances in the NFC specifications, i.e. whether two devices really are within the intended operating distance (less than 5 cm). We examine the current state-of-the-art of relay attacks and re-evaluate the efficacy of proposed sensor-based mechanisms for detecting them under the conditions actually stipulated by industry.
7.1 Introduction
Near-Field Communication (NFC) [270] and Host Card Emulation (HCE) [111] – discussed in Section 2.2.5 in Chapter 2 – have opened mobile platforms to application domains that were previously instantiated using smart cards. This has led to the use of smartphones in a range of services, such as payments, transportation and access control – exemplified by Google Pay¹, Apple Pay² and Samsung Pay³ as three widely-deployed systems. Deloitte estimated that 5% of the 600-650 million NFC-enabled mobile phones were used at least once a month to make a contactless payment globally in 2015 [271]. In the same year, 12.7% of smartphone users in the USA were actively using contactless mobile payments according to Statista, while the value of such transactions is projected to grow by two-thirds in the next three years alone: from $114 billion (USD) in 2018 to $190 billion (USD) in 2021 [272]. It is projected that 2018 will see approximately 166 million NFC mobile payment users worldwide, corresponding to an approximately 200% increase from previous estimations made in 2015 (53.9m) [273]. Similar trends are expected to follow in transportation and access control, where mobiles are used to deliver smart card-type services [274]. This is before considering alternative devices besides smartphones, such as smartwatches, that may participate in such transactions.
¹ Google Pay: https://pay.google.com/
² Apple Pay: https://www.apple.com/uk/apple-pay/
³ Samsung Pay: https://www.samsung.com/uk/samsung-pay/
One of the use cases for TEEs on modern mobile devices is the storage of payment credentials used to authenticate users during NFC-based contactless transactions. TEEs and SEs form the cornerstone for protecting the integrity of such credentials against software adversaries from untrusted world components and a selection of hardware-based adversaries (see Section 2.4.7 of Chapter 2).
TEEs and SEs may be used to store credentials directly, such as certified device-specific key-pairs used for device authentication. TEEs and SEs are also used to store limited use tokens via the process of tokenisation, described further in Section 7.2.1, particularly in the context of payment transactions. The repercussions of unauthorised credential use are somewhat obvious, such as illicit payments billed to the victim’s account, or using physical access control credentials to enter a restricted area. Relay attacks are a method by which even TEE- and SE-bound credentials can be abused by exploiting an inherent weakness in the NFC specifications over which a TEE or SE communicates. In this chapter, the focus is on the challenge of proximity and relay attack detection (PRAD) in contactless transactions between a mobile handset and a terminal or Point of Sale (PoS) within restricted time-frames.
7.1.1 Motivation
In a relay attack [275], [276], the aim of the adversary is to extend the physical distance of the communication channel between the victim’s mobile phone and the transaction terminal, where each message is relayed across this extended distance. A multitude of Proximity/Relay Attack Detection (PRAD) mechanisms have been proposed that rely on collecting measurements of the ambient environment surrounding the transaction instrument and terminal. These proposals collect measurements from mobile sensors, such as temperature, location and motion sensors, which subsequently undergo a similarity comparison to assure that the transaction devices are genuinely in proximity, and not subject to a potential relay attack.
However, the proposals presented in existing literature are not compliant with industry-imposed constraints that stipulate maximum transaction times.
Mobile payments and transportation are two major domains expected to benefit from NFC contactless transactions where controls exist regarding the maximum transaction times. These are governed by the EMV specifications and ITSO respectively. In this chapter, we question whether ambient sensing on mobile devices is an effective PRAD method under the time conditions stipulated by industry, and present an empirical evaluation to this end. In the first part of this chapter, we consider the notion of proximity detection, in which we attempt to determine whether two co-located legitimate devices (at NFC distance) can be detected from sensor information alone. This is extended in the second part of the chapter to cover relay attack detection, where we use data collected from an emulated relay attack setup from a device that streams sensor data 1.5 m away; this represents a ‘worst case’ close-quarters relay attack.
Generally, this study aims at evaluating the following null and alternative hypotheses. Null hypothesis: short transaction durations (under 500 ms) have no effect on the error rates of ambient sensing-based proximity and relay attack detection mechanisms. Alternative hypothesis: short transaction durations capture insufficient information to provide acceptable error rates for ambient sensing-based proximity and relay attack detection mechanisms.
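The similarity comparison and the role of transaction duration described above can be made concrete with an added example, which is not code from the thesis. It assumes mean absolute error as the similarity measure, a fixed threshold of 0.5 and constructed traces sampled every 100 ms, so the rates it prints illustrate the mechanism and are not the study's results.

```python
# Added example (not from the thesis): threshold-based ambient-sensing PRAD check.
# All traces are constructed; MAE and the 0.5 threshold are assumptions.

def make_trace(start, slope, jitter, period_ms=100, total_ms=3000):
    """Constructed sensor trace: list of (t_ms, value) samples."""
    return [(t, start + slope * t / 1000 + jitter * ((t // period_ms) % 3 - 1))
            for t in range(0, total_ms, period_ms)]

def mean_abs_error(device, terminal, window_ms):
    """MAE over samples inside the transaction window; None if either side is empty."""
    a = [v for t, v in device if t < window_ms]
    b = [v for t, v in terminal if t < window_ms]
    n = min(len(a), len(b))
    if n == 0:
        return None  # a sensor delivered nothing before the transaction ended
    return sum(abs(x - y) for x, y in zip(a, b)) / n

def accepts(device, terminal, window_ms, threshold=0.5):
    """True only if both sides produced data and it is similar enough."""
    mae = mean_abs_error(device, terminal, window_ms)
    return mae is not None and mae <= threshold

def error_rates(genuine, relayed, window_ms):
    """Return (FRR, FAR): rejected genuine pairs, accepted relayed pairs."""
    frr = sum(not accepts(d, t, window_ms) for d, t in genuine) / len(genuine)
    far = sum(accepts(d, t, window_ms) for d, t in relayed) / len(relayed)
    return frr, far

# Co-located pairs: same environment, independent sensor noise of varying size.
GENUINE = [(make_trace(20, 0, j), make_trace(20, 0, -j)) for j in (0.05, 0.2, 0.5)]
# Relayed pairs: environments start alike, then drift apart at different rates.
RELAYED = [(make_trace(20, 0, 0.2), make_trace(20, s, 0.2)) for s in (0.5, 1.0, 4.0)]

if __name__ == "__main__":
    for window_ms in (500, 3000):
        frr, far = error_rates(GENUINE, RELAYED, window_ms)
        print(f"window={window_ms} ms  FRR={frr:.2f}  FAR={far:.2f}")
```

With these constructed traces, the 500 ms window accepts two of the three relayed pairs because only five samples per side are compared, while the 3000 ms window rejects all three; the noisiest genuine pair is rejected in both cases, so loosening the threshold is not a free fix.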
7.1.2 Contributions
This chapter presents the following contributions:
• We present a two-fold evaluation, employing both similarity- and machine learning-based analyses, demonstrating that ambient sensing-based PRAD mechanisms perform poorly under the transaction duration requirements stipulated by EMV and ITSO.
• We evaluate the effectiveness of 17 widely-deployed ambient sensors available through the Android SDK as a PRAD method for time-restricted contactless transactions. The evaluation was conducted using data collected from a mock relay attack set-up with consumer mobile devices.
• This two-part study presents results for both proximity and relay attack detection, and questions the applicability of proposed methods in related work to time-critical transactions.
• A data-set and test-bed environment⁴ for reproducing the results of this work and facilitating future research.
The contributions in this chapter are based on our following publications:
• C. Shepherd, I. Gurulian, E. Frank, K. Markantonakis, R. N. Akram, K. Mayes, and E. Panaousis. “The Applicability of Ambient Sensors as Proximity Evidence for NFC Transactions”, in Mobile Security Technologies, ser. IEEE Security & Privacy Workshops, IEEE, 2017.
• I. Gurulian, C. Shepherd, E. Frank, K. Markantonakis, R. N. Akram, and K. Mayes. “On the Effectiveness of Ambient Sensing for NFC-based Proximity Detection by Applying Relay Attack Data”, in Proceedings of the 16th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, ser. IEEE TrustCom ’17, IEEE, 2017.
• (Invited Paper) I. Gurulian, K. Markantonakis, C. Shepherd, E. Frank, and R. N. Akram. “Proximity Assurances Based on Natural and Artificial Ambient Environments”, in Proceedings of the 10th International Conference on Innovative Security Solutions for Information Technology and Communications, ser. SECITC ’17, Springer, 2017.
⁴ Available at: https://github.com/AmbientSensorsEvaluation/