Technical blog
RFID Relay Attack
SEAL Team
AMOSSYS is one of the few ITSEFs (IT Security Evaluation Facilities) in France licensed by the [ANSSI](https://cyber.gouv.fr/) and accredited by [COFRAC](https://www.cofrac.fr/). We evaluate security products with a rigorous methodology, which can result in a [security Visa](https://cyber.gouv.fr/en/security-visa) issued by the ANSSI.
“The security Visa issued by ANSSI makes it possible to easily identify the most reliable solutions that are recognized as such following an evaluation performed by laboratories licensed in accordance with rigorous and tried methods. In particular, this evaluation involves extensive penetration testing and in-depth analysis to make sure that the solutions are compliant with the corresponding standards. It is only on completion of this process that ANSSI decides whether or not to issue the Visa for the product or service provider evaluated. Depending on the context and need, this Visa takes the form of a certification or qualification, valued in France and internationally.”
Our license does not cover every technology, only software and network equipment, i.e.:
- Intrusion detection
- Antivirus
- Firewall
- Data erasure
- Identification, authentication and access control
- Secured communications
- Secured messaging
- Secure storage
- Cryptography
Such a license does not cover hardware domains. However, AMOSSYS has a hardware lab, where we open hardware products to analyze them and sharpen our skills. Examples include:
- Dumping and analyzing switch firmware
- Reverse engineering an embedded camera
- Reading eMMC data from smartphones
- Analyzing smart bulbs
- Building an STM32 glitcher
- TPM LPC sniffing
As part of this activity, we developed a tool able to perform RFID relay attacks on access control systems. The aim of this tool is to check whether RFID-based applications implement state-of-the-art protection against relay attacks. This article describes how the attack is implemented and how we proceed.
Relay attack principle
A relay attack consists of picking up the signal from an authentication smart card and relaying it to a legitimate reader. RFID protocols are designed to resist a man in the middle: the smart card and the reader use a cryptographic challenge so that an attacker cannot replay an authentication. In such a system, the attacker therefore has to forward the exchange in real time, which extends the distance between the smart card and the reader and authenticates the attacker while the user is not in front of the reader. This is why the attacker does not need to understand the exchanged data.
Imagine someone who wants to enter a restricted room protected by a card-based access control system: this person has to authenticate near the reader using their smart card. If the card has sufficient privileges, access is granted; otherwise, access is denied. The principle of a relay attack is as follows:
- An attacker locates someone carrying a valid authentication card, gets close to this person and initiates communication with the card.
- The attacker then relays the communication directly to the reader, or to another attacker standing near the reader.
- The access control reader detects the RFID signal emitted by a device emulating a smart card and grants access to the room under the victim's identity.

Countermeasure to relay attacks
The state-of-the-art approach to mitigating such attacks relies on time measurement. Because of the technological design, this timing is derived from measuring the arrival of data between the smart card and the reader. Based on the signal frequency, the signal's propagation speed in air and the RFID chip's response time, a reader can estimate a sound time window between itself and the smart card. If data arrive far outside this window, it is highly probable that an attacker is trying to authenticate, or that the chip is not being used as intended (too far from the reader, for instance).
This article presents how to use relay attacks to measure this time window from an attacker's perspective. While the window only gives a glimpse of the attacker's means, it provides a metric to validate a design. As an example, ISO 14443 proposes a default value of 5 ms [1].
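A reader-side version of the timing check described above, as an added example that is not part of the original article or of the AMOSSYS tool: it computes the ISO/IEC 14443-4 Frame Waiting Time from the FWI (the default FWI of 4 gives the roughly 5 ms mentioned) and flags card answers that arrive outside that window. The command names and latencies are constructed for illustration.

```python
"""Reader-side timing check against relay attacks (added example)."""
from dataclasses import dataclass

# ISO/IEC 14443-4 carrier frequency; the Frame Waiting Time is
#   FWT = (256 * 16 / fc) * 2**FWI   with FWI in 0..14 (default 4)
FC_HZ = 13.56e6


def fwt_ms(fwi: int) -> float:
    """Frame Waiting Time in ms: how long the reader waits for the card answer."""
    if not 0 <= fwi <= 14:
        raise ValueError("FWI must be in 0..14")
    return (256 * 16 / FC_HZ) * (2 ** fwi) * 1000.0


@dataclass
class Exchange:
    command: str
    latency_ms: float  # end of reader command -> start of card answer


def check_exchanges(exchanges, fwi=4, margin_ms=0.0):
    """Split exchanges into (accepted, rejected) against FWT + margin.

    A reader enforcing this window rejects answers arriving too late,
    which is exactly what a relay adds to every round trip.
    """
    limit = fwt_ms(fwi) + margin_ms
    accepted, rejected = [], []
    for ex in exchanges:
        (accepted if ex.latency_ms <= limit else rejected).append(ex)
    return accepted, rejected


# Constructed samples (not measured on the article's setup): a card in the
# field answers within about a millisecond, while the relay described in
# the article adds about 50 ms to the first command and 25 ms to the next.
DIRECT = [Exchange("AUTH_STEP1", 0.8), Exchange("AUTH_STEP2", 1.1),
          Exchange("READ_FILE_01", 0.6)]
RELAYED = [Exchange("AUTH_STEP1", 50.8), Exchange("AUTH_STEP2", 26.1),
           Exchange("READ_FILE_01", 25.6)]

if __name__ == "__main__":
    print(f"default FWT (FWI=4): {fwt_ms(4):.3f} ms")
    for name, sample in (("direct", DIRECT), ("relayed", RELAYED)):
        ok, late = check_exchanges(sample)
        print(f"{name}: {len(ok)} accepted, {len(late)} rejected")
```

Raising the FWI (as a lenient reader might, up to the maximum of 14) widens the window until even relayed answers pass, which is the tolerance the measurements later in the article probe.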
In our case, the purpose of such an attack is to test RFID access control systems in order to check:
- whether a relay attack is feasible, meaning that the time between two requests is long enough to perform the attack,
- whether there is a time threshold beyond which authentication is no longer accepted.
This way, it is possible to estimate the conditions beyond which this type of attack is no longer possible.
The mandatory prerequisites are the following:
- Being physically located between a smart card and a reader
- Relaying packets with the lowest possible latency
- To go further, modifying payloads
The theoretical approach is the following.

In practice
In practice, here is the result.

The platform is composed of:
- A legitimate access control system to test
- A PN532 module offering SPI and UART interfaces
- A Proxmark3 platform
- A UART to USB adaptor
- A DESFire EV1 badge

To emulate a legitimate access control system, a Proxmark3 and a DESFire EV1 badge were used, with the following information.

The access control system performs a check before reading the content of “file 01” and verifies that the data equals 0xDEAD00C0DE00CAFE. Such a platform is able to emulate a real access control system. The Proxmark3 client was used to drive the access control side and to obtain additional measurements of the relay delay.
The relay uses two programs and an additional overlay to simplify high-level operations:
- Proxmark3 standalone firmware: answers automatically during anti-collision and optimizes predictable packets when possible. Other packets are requested from the libnfc program through serial messages.
- libnfc additional command: based on the libnfc example tools, a program was implemented that relays commands and opens serial communications with the PM3 and the PN532. It takes the delay to add as a parameter and communicates with the different devices.
- Python overlay: to simplify use and add functionality to the relay, a Python script was developed that automatically starts the PM3 in standalone mode and simplifies filling in the PICC parameters. This script also generates traces of the packet exchanges in different formats.
This platform was successfully tested, after which delays were introduced and measured.
Introduced delays
First of all, we compared the delays introduced by our relay with those of other relays found on the Internet:
- Weaknesses of ISO/IEC 14443 Relay Attacks
- On the Power of Active Relay Attacks using Custom-Made Proxies
- Implementation of a Countermeasure to Relay Attacks for Contactless HF Systems*
- A Practical Relay Attack on ISO 14443 Proximity Cards*
* High-performance relays
In the papers, the methodology varies, so they can only give a rough estimate in our context. On the first command, our platform shows a relatively high added delay of 50 ms. For the following commands, the added delay is approximately 25 ms. This particularity is due to the PM3 memory area initialization. This long delay can be significantly reduced when the authentication procedure is launched again after an unsuccessful attempt; in that case, the mean delay is 15 ms.
Our measurements were taken from the PM3 playing the access control role, using the “hf mfdes list” command. Different packets are used as checkpoints during an exchange. The time is measured from the sending of a packet that expects an answer until that answer is received. Ten samples were used for our tests, which is sufficient for our platform because the variation is small.
Despite everything, many factors can alter the delays, and the delays considered acceptable for a target are not always accurate. Taking several measurements while increasing the added delay allows estimating the limits of a target. Here is an example.

In this picture, it is possible to observe that an added delay higher than 400 ms produces a failure.
To conclude
We managed to build an RFID relay attack tool that allows testing access control systems and their authentication failure threshold. This tool requires a computer to be launched, and this way of proceeding subjects our relay to the vagaries of an operating system in terms of time measurement. On the other hand, this architecture simplifies setting up the relay. Replacing the computer with an STM32, for example, would help achieve shorter delays.