NFC relay attacks with Android mobile devices


15 oct 2014


NFC (Near Field Communication) refers to the set of standards for establishing wireless point-to-point communication between two devices in close proximity, typically a few centimeters. Those standards cover different communication and data exchange protocols, and are in turn based on other RFID standards such as ISO/IEC 14443 or FeliCa.


More and more services use payment cards or contactless devices based on NFC technology, from public transport to car parks, fast teller machines in supermarkets, vending machines, etc. The main reason? The strong commitment of banks to this technology.


There are many types of NFC cards, security mechanisms and attacks against them. Relay attacks are a man-in-the-middle variant in which the attacker is able to retransmit a message from a sender to a remote receiver in real time, exploiting the assumption that communicating with an NFC card entails physical proximity. Unfortunately, the vast majority of cards do not have any countermeasure against this attack vector, probably because the need for specialized hardware made a practical attack unrealistic. However, with the advent of mobile devices carrying NFC chips, this scenario has changed radically.


This paper aims to study the NFC architecture in a mobile environment and develop an application that allows a relay attack with Android devices on NFC credit card transactions.



In this talk we present the results of our study of the NFC architecture in a mobile environment, a discussion of the NFC capabilities and limitations of an actual off-the-shelf Android device, and how it can be used for relay attacks.

Moreover, an Android application capable of performing a relay attack on a scenario with contactless credit card transactions has been developed.

Finally, we describe some fraud-related scenarios and how the malware industry can take advantage of NFC mobile devices and relay attacks.



Android 4.4 implements HCE (Host Card Emulation), which allows a device to emulate any contactless card. Thanks to this, it is no longer necessary to use ad-hoc hardware or modified software to perform a relay attack with Android devices. However, it must be taken into account that there are some restrictions:

In this paper we also present possible ways to work around these issues, and therefore the future steps needed to turn an Android device into a really powerful NFC tool, able to compete with specialized hardware.

The full paper (for now only in Spanish) can be found HERE (or MIRROR) as part of my final degree project at the University of Zaragoza. Special thanks to my advisor Ricardo J. Rodríguez for all the help and support.



This video has been edited to avoid the leakage of sensitive credit card information.

Source code references



pepe - pvtolkien at gmail dot com

ricardo - rj.rodriguez at unileon dot es