Comment by datameta
2 years ago
In my opinion it's clear that NFC is indeed designed with a higher focus on security than general RFID applications. In fact it emphasizes secure data exchange by design. Yes it is a subset of RFID technology operating at 13.56 MHz. Because NFC enables encrypted communication over very short distances (typically less than 4 cm), it is more challenging for unauthorized interception to happen. Also NFC supports two-way communication, which allows for more dynamic and secure interactions between devices, such as payment systems or secure access controls.
RFID, while versatile and utilized across a range of applications from inventory management to access control, does not inherently prioritize security to the same extent. Its broader application spectrum means that specific security measures can vary significantly based on the use case and the design of the RFID system. For example, passive RFID tags, which are widely used due to their cost-effectiveness and simplicity, can be read from distances up to several meters, potentially exposing them to unauthorized scans. Active RFID tags offer longer read ranges and can incorporate additional security features, but their cost and complexity limit their use to specific applications.
Therefore, when comparing the security aspects directly, NFC's design principles inherently prioritize secure exchanges, leveraging close proximity communication and encryption standards that are well-suited for transactions and sensitive data exchanges. This focus on security, combined with the technology's adaptability for consumer use (e.g., smartphones for payments), underscores NFC's advantage in scenarios where security is paramount.
Most hotels use non-NFC RFID and on top of that most use passive tags. So it is certainly an inherent security flaw of hotel door locks. Unfortunately non-meatspace security is also drastically in need of choosing more effective already existing measures.
You keep suggesting NFC has a lot of security concepts baked in, but it's not really true. The base standards of NFC provide no encryption concepts. It provides no protection against sniffing. It provides no authentication. It provides no relay protection. The only "security" you get is it's designed for near communication, but you can absolutely read and write NFC tags from a distance with the right hardware.
Base NFC has almost no security and relies on protocols on top to be secure. For example, Amiibos use NFC and are trivially duplicated with cheap writable NFC tags. Contactless credit cards aren't secure because they do NFC, they're secure because NFC allows for an EMV transaction; it's the EMV handshake that handles all the security.
Once again, suggesting NFC just has a lot of security by default is acting like WiFi is always secure. But even worse, because at least WiFi standards have encryption and whatnot built in and optional, NFC doesn't even provide that.
And then you point out passive tags as if that's a thing that makes RFID less secure (ignoring NFC used for identification is RFID) but then I guess don't realize NFC allows for passive tags as well. I don't need to change batteries on my Amiibos or the NFC stickers I put on the Wi-Fi info around the house.
You could build a key card system with NFC that has the same or worse system as older key card platforms. It being NFC gives you absolutely no additional benefit.
I think both our views are valid within their contexts, with the key difference being the distinction between NFC's base capabilities and the security measures actually implemented in NFC applications (where often upper-layer protocols, like in credit cards, are doing the heavy lifting for security). Since this discussion centers around real world incidence, you're right to point out that NFC does not inherently mean the application will be secure.
I actually will also correct myself about saying that NFC is shorter range than RFID. Both HF and LF have about the same range. UHF has a range on the order of 10m but is almost never if at all used for high volume applications like hotel door locks. I do however disagree with your rejection of the colloquial usage of RFID to exclude NFC. In everyday conversation, I believe it is understood that NFC is a subset.
The main point I'm trying to make is essentially targeted at this line of logic:
> NFC's design principles inherently prioritize secure exchanges
NFC's design principles inherently have absolutely zero security. It doesn't prioritize secure exchanges, at all. The fact secure exchanges can happen over NFC is incidental to NFC existing. Any secure exchange that happens over NFC happens because the higher-level application brought its own security.
It's like UDP. Sure, you can do a secure exchange of data using it like QUIC or encrypted RTP, but UDP doesn't give you anything other than a way to send that data along.
Which then compared to just an overall massively wide topic like "RFID", which encompasses dozens (hundreds?) of other technologies, some of which do actually prioritize secure (or at least attempted to secure) handshakes throughout the entire stack.
And range of an RF thing is largely just based around typical hardware. If you wanted to you could build an antenna array to pick up an NFC tag from dozens of meters away. WiFi might only be designed to work around the house, but with a clear line of sight, decent RF conditions, and the right antennas you can send it miles.
Generally speaking, you shouldn't expect any kind of security doing things with NFC, because NFC has no security inherent to the protocol.
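
An added example, not part of either commenter's post: a Python simulation of the point argued in the thread, that the radio link contributes nothing and any security comes from the protocol layered on top of it. The classes, the HMAC-SHA256 challenge-response scheme and the sample UID are constructed for illustration; they do not model EMV or any specific card or lock product.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, uid: bytes, challenge: bytes) -> bytes:
    return hmac.new(key, uid + challenge, hashlib.sha256).digest()

class KeyedTag:
    """Credential holding a secret key that never crosses the air interface."""
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self._key = uid, key
    def respond(self, challenge: bytes) -> bytes:
        return mac(self._key, self.uid, challenge)

class CopiedTag:
    """Copy built only from bytes visible on the link: the UID and one old response."""
    def __init__(self, uid: bytes, recorded_response: bytes):
        self.uid, self._recorded = uid, recorded_response
    def respond(self, challenge: bytes) -> bytes:
        return self._recorded  # without the key it can only repeat old data

class Reader:
    def __init__(self, enrolled: dict):
        self.enrolled = enrolled  # uid -> key
    def accept_uid_only(self, tag) -> bool:
        # The transport delivered an identifier; nothing proves who sent it.
        return tag.uid in self.enrolled
    def accept_challenge_response(self, tag) -> bool:
        key = self.enrolled.get(tag.uid)
        if key is None:
            return False
        challenge = secrets.token_bytes(16)  # fresh per attempt, defeats replay
        expected = mac(key, tag.uid, challenge)
        return hmac.compare_digest(expected, tag.respond(challenge))

def demo() -> dict:
    uid = bytes.fromhex("04a1b2c3d4e5f6")  # constructed sample UID
    key = secrets.token_bytes(32)
    reader = Reader({uid: key})
    genuine = KeyedTag(uid, key)
    copied = CopiedTag(uid, genuine.respond(secrets.token_bytes(16)))
    return {
        "genuine_uid_only": reader.accept_uid_only(genuine),
        "copy_uid_only": reader.accept_uid_only(copied),
        "genuine_challenge": reader.accept_challenge_response(genuine),
        "copy_challenge": reader.accept_challenge_response(copied),
    }

if __name__ == "__main__":
    print(demo())
```

The fresh challenge stops copies and replays only; it does not address relaying, which the thread also lists as something the base standard leaves unhandled.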