Comment by vel0city
2 years ago
You keep suggesting NFC has a lot of security concepts baked in, but it's not really true. The base standards of NFC provide no encryption concepts. It provides no protection against sniffing. It provides no authentication. It provides no relay protection. The only "security" you get is it's designed for near communication, but you can absolutely read and write NFC tags from a distance with the right hardware.
Base NFC has almost no security and relies on protocols on top to be secure. For example, Amiibos use NFC and are trivially duplicated with cheap writable NFC tags. Contactless credit cards aren't secure because they do NFC; they're secure because NFC allows for an EMV transaction, and it's the EMV handshake that handles all the security.
Once again, suggesting NFC just has a lot of security by default is acting like WiFi is always secure. But even worse, because at least WiFi standards have encryption and whatnot built in and optional, NFC doesn't even provide that.
And then you point out passive tags as if that's a thing that makes RFID less secure (ignoring NFC used for identification is RFID) but then I guess don't realize NFC allows for passive tags as well. I don't need to change batteries on my Amiibos or the NFC stickers I put on the Wi-Fi info around the house.
You could build a key card system with NFC that has the same or worse system as older key card platforms. It being NFC gives you absolutely no additional benefit.
I think both our views are valid within their contexts, with the key difference being the distinction between NFC's base capabilities and the security measures actually implemented in NFC applications (where often upper-layer protocols, like in credit cards, are doing the heavy lifting for security). Since this discussion centers around real-world incidents, you're right to point out that NFC does not inherently mean the application will be secure.
I actually will also correct myself about saying that NFC is shorter range than RFID. Both HF and LF have about the same range. UHF has a range on the order of 10m but is almost never, if at all, used for high-volume applications like hotel door locks. I do however disagree with your rejection of the colloquial usage of RFID to exclude NFC. In everyday conversation, I believe it is understood that NFC is a subset.
The main point I'm trying to make is essentially targeted at this line of logic:
> NFC's design principles inherently prioritize secure exchanges
NFC's design principles inherently have absolutely zero security. It doesn't prioritize secure exchanges, at all. The fact secure exchanges can happen over NFC is incidental to NFC existing. Any secure exchange that happens over NFC happens because the higher-level application brought its own security.
It's like UDP. Sure, you can do a secure exchange of data using it like QUIC or encrypted RTP, but UDP doesn't give you anything other than a way to send that data along.
Which then compared to just an overall massively wide topic like "RFID", which encompasses dozens (hundreds?) of other technologies, some of which do actually prioritize secure (or at least attempted to secure) handshakes throughout the entire stack.
And range of an RF thing is largely just based around typical hardware. If you wanted to you could build an antenna array to pick up an NFC tag from dozens of meters away. WiFi might only be designed to work around the house, but with a clear line of sight, decent RF conditions, and the right antennas you can send it miles.
Generally speaking, you shouldn't expect any kind of security doing things with NFC, because NFC has no security inherent to the protocol.
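The point argued in this thread, that any security over NFC comes from the protocol layered on top, shown as an added example that is not part of the original comments. It models the link as a plain byte carrier and compares a reader that trusts a static identifier with one that runs an HMAC challenge-response over the same link; all class names, the UID and the key are constructed for illustration, and the sketch covers cloned or replayed responses only, not relaying.

```python
import hashlib
import hmac
import os

class Link:
    """Stand-in for the NFC link: moves bytes, with no encryption or
    authentication, and anything sent over it can be recorded."""
    def __init__(self):
        self.recorded = []
    def send(self, data: bytes) -> bytes:
        self.recorded.append(data)
        return data

class StaticTag:
    """Answers every read with the same identifier."""
    def __init__(self, uid: bytes):
        self.uid = uid
    def respond(self, challenge: bytes) -> bytes:
        return self.uid

class HmacTag:
    """Upper-layer protocol: proves knowledge of a key for a fresh challenge."""
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self.key = uid, key
    def respond(self, challenge: bytes) -> bytes:
        return self.uid + hmac.new(self.key, challenge, hashlib.sha256).digest()

class CopiedTag:
    """Writable tag loaded with a response recorded earlier."""
    def __init__(self, recorded: bytes):
        self.recorded = recorded
    def respond(self, challenge: bytes) -> bytes:
        return self.recorded

def static_reader(tag, link: Link, allowed_uid: bytes) -> bool:
    return link.send(tag.respond(b"")) == allowed_uid

def hmac_reader(tag, link: Link, allowed_uid: bytes, key: bytes) -> bool:
    challenge = link.send(os.urandom(16))      # fresh nonce per attempt
    reply = link.send(tag.respond(challenge))
    expected = allowed_uid + hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(reply, expected)

def demo() -> dict:
    uid, key = bytes.fromhex("04a1b2c3d4e5f6"), os.urandom(32)  # constructed values
    link, out = Link(), {}
    out["static_genuine"] = static_reader(StaticTag(uid), link, uid)
    out["static_copy"] = static_reader(CopiedTag(link.recorded[-1]), link, uid)
    out["hmac_genuine"] = hmac_reader(HmacTag(uid, key), link, uid, key)
    out["hmac_copy"] = hmac_reader(CopiedTag(link.recorded[-1]), link, uid, key)
    return out
```

The link is identical in all four runs; only the protocol carried over it decides whether a copied response is accepted.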