243 points by byry 8 days ago | 12 comments
  • niemandhier 8 days ago
    That man is doing nfc spectrum analysis during an air raid.

    I hope to someday acquire this amount of focus and dedication.

  • spongebobstoes 8 days ago
    This is surprising and cool. What's the explanation for why there are NFC transmissions on unlock or wake?
    • roboror 8 days ago
      To look for NFC stuff like payment or tickets etc.
    • lxgr 8 days ago
      iOS is constantly scanning for NFC tags containing URLs etc., which requires emitting enough field power to allow the tag to indicate its presence.

      Apple Pay itself uses card emulation mode, and as such the phone only needs to (passively) listen for a payment terminal's field; that should itself not be detectable without emitting such a field.

      • bestham 8 days ago
        Is it really true that the phone must be passively listening? The field of the payment terminal will induce current in the NFC-coil and that should be able to wake the phone as necessary.
        • lxgr 8 days ago
          That's a common way of doing it, but Apple devices actively amplify the signal in card emulation mode as well, which gives them longer range than physical cards or "purely passive" devices.

          But it also means they can't do the neat trick of paying with a completely dead (i.e. not even reserve battery power) phone that some early Android and Windows Phone devices could do.

          • wrboyce 7 days ago
            Maybe I’m not understanding properly, but iPhones absolutely can do NFC payments when the phone is dead. Your nominated “express” card will work for transit payments, and I believe car and house keys continue to work too.
            • lxgr 7 days ago
              No, that still requires some battery on iOS, i.e. it's only possible in the same "power reserve" mode that still sends the occasional "Find my iPhone" Bluetooth beacon.

              Field-powered mode is possible in at least some NFC chipsets, but I suspect that Apple either values a consistent NFC range more than usability even with a completely dead battery (the amplifier that grants a significantly higher NFC range to Apple Pay obviously needs power), they see it as a security feature (reserve mode is capped to a few hours, I believe), or their NFC controller simply doesn't support it.

            • Tokumei-no-hito 7 days ago
              that seems like an obvious security vulnerability. if the phone has no power then how does it authenticate the payment request?
              • wrboyce 7 days ago
                It only works with approved transit providers and you have to explicitly enable it so the exposure is fairly limited.

                https://www.apple.com/uk/apple-pay/transport/

              • lxgr 4 days ago
                If you think about it, it's still more secure than a physical card – that also doesn't have any authentication method at transit terminals, but unlike the "Express Transit" option on iOS, you can't turn that functionality off at all.
  • boznz 8 days ago
    Bluetooth already broadcasts and has a UID. I have used this a few times in books as a plot outline to identify an antagonist, and I now wonder if NFC has a similar UID. It would be interesting to decode the data and see.
    • capitainenemo 8 days ago
      Article notes this impacts soldiers (or I suppose others trying to be stealthy) who would have turned off bluetooth and wifi.
      • pajko 8 days ago
        If the transmission contains some identifying information and can be used for coarse triangulation to decide if a specific phone is in a specific building - well, that's pretty bad.

        Can be harmful even without identifying information in situations where it's enough to decide if some building is occupied or not.

      • ghostly_s 8 days ago
        They mention android for this risk factor specifically - does android not have an "airplane mode" equivalent? I would assume it disables NFC also on iOS, but I guess I don't know —no mention of NFC on Apple's support page.
        • c10ned 7 days ago
          I’m the author. Let me clarify, as that was indeed worded rather vaguely in my post—I forgot to mention why exactly Android is at risk.

          On the Pixel 7, Airplane mode absolutely did not disable those frequency spikes upon screen unlock. Only disabling NFC through the dedicated setting in the phone’s parameters did (Settings > Connected devices > Connection Preferences > NFC). This theoretically puts Android users at greater risk, since on iOS, Airplane mode does disable those polling signals.

          It’s easy to see how an average user might assume they’ve gone completely dark by enabling Airplane mode on an Android device—when in fact, they haven’t.

          I’ll update the original post with this information, and thank you for pointing it out.

        • schaum 8 days ago
          Android has an airplane mode. Once airplane mode is enabled you can enable Bluetooth again and airplane mode stays on, so just no mobile data. The same is true for WiFi.

          NFC however isn't touched by the airplane mode

          ...At least it was like that on the android phones I owned

          • eichin 8 days ago
            Samsung Note (9 and 24 at least) has an "NFC and contactless payments" toggle (and a UWB one) on the page with wifi and bluetooth (Settings → Connections) but I don't know if it's "doesn't emit" or just "doesn't interact"...
    • lxgr 8 days ago
      "Classic" Bluetooth does not broadcast a detectable ID except if the device is explicitly in "pairing mode". It can be inferred when observing a connection establishment between two paired devices, or probed for if known (i.e. you can confirm that one of a few candidate devices is nearby, if you know their addresses), but not passively sniffed, as far as I know.

      Bluetooth LE does explicitly broadcast its MAC address in some modes, but offers various forms of private or random address modes to mitigate the problem.

      • autoexec 8 days ago
        • lxgr 8 days ago
          The second attack you linked is yet another completely different threat model. It requires running malicious software on the device to be tracked. From the paper:

              The Trojan code runs on the computer to be tracked.
              It retrieves the advertising address, acquires the matching
              public key from our server, and then advertises lost messages
          
          That's about as active as it gets!

          The first one describes radio fingerprinting, which is relatively new, concerning, and might be tricky to address.

    • jsheard 8 days ago
      Don't they randomize their broadcast ID? I know both Android and iOS scramble the WiFi MAC address by default, it would be odd if they didn't take the same precaution with Bluetooth.
      • csdvrx 8 days ago
        The randomization doesn't matter: you can very easily link the addresses if you have a few datapoints, even if it's just the time you observed the addresses: the basic method is discussed in https://inria.hal.science/hal-03045555/document

        See https://inria.hal.science/hal-02394629v1 for the theoretical bases then hop to https://samteplov.com/uploads/shmoocon20/slides.pdf for an example applying to Apple devices

        Those who said the randomization and other techniques were sufficient were wrong: https://petsymposium.org/popets/2020/popets-2020-0003.pdf will show you how they changed their mind :)

        It's not just apple: google nearby has also been reversed: https://publications.cispa.saarland/2748/ and https://www.ndss-symposium.org/wp-content/uploads/2019/02/nd... talks about attacks, but there's no need for that: just find identifiers that let you link the addresses

        Even if you don't have any identifiers, the Bluetooth address randomization happens only about every 15 minutes: the manufacturer specific data in the public advertisement (or even the frequency and the length of these advertisements) during these 15-minute periods can be used for linking the randomized addresses

        • lxgr 8 days ago
          That attack requires continuously monitoring a given device or area though, right?

          In other words, you could possibly track a given device through an area with enough sensors, e.g. a store, but not across visits.

          • csdvrx 5 days ago
            > That attack requires continuously monitoring a given device or area though, right?

            The "randomization" seems to be a pseudo-randomization: with the seed and the timestamp, you should be able to deduce the future "randomized" addresses.

            • lxgr 5 days ago
              Not with a cryptographically secure pseudorandom number generator, and constructing one doesn't seem hard to do, given that LE devices will need to support AES anyway.
      • AStonesThrow 8 days ago
        Google has lately been far overstepping their utility with “security measures” which I definitely don’t need and often make everything more annoying and difficult.

        Ex: blocking 3rd party cookies always now. Breaks countless websites which I need to work reliably. “Manage unused website/app’s permissions” even after I specifically granted them! Randomized virtual credit card numbers in Wallet: for no good reason, you thoroughly fucked up a refund attempt for me, >$500! And randomized MAC addresses by default for EVERY. SINGLE. SSID. It’s unhinged. It’s fake protection.

        As a matter of fact, I do not enjoy my devices lying to my ISP, or to my college campus, my medical clinic, or to my employers. Device, please identify yourself without wearing a fuckin’ Groucho mask on top, and put on your big boy pants.

        • HeatrayEnjoyer 8 days ago
          Never thought I'd hear someone complain Google takes privacy too seriously.
          • AStonesThrow 6 days ago
            Google is extremely conscious of the privacy of the data which they’re collecting from you.

            Google calls it “my privacy” but it’s not their business model to keep my stuff private to me but to Google and their partners.

            https://m.xkcd.com/1150/

            Google is trying to keep their own secrets like what their hardware MAC address really is, (because Google themselves are tracking everyone’s radio-enabled devices in every public space with far more sophisticated methods)

            or hide/virtualize my credit card details, and protecting the card from crackers who wear hoodies, build EBM playlists, and use Firefox? that is a side-effect at best, especially considering how they are already a crazy non-bank middleman 3rd party with a miasma of shifting TOS and hundreds of advertising partners salivating to know what you paid for 3 milliseconds ago. Sheesh.

      • boznz 8 days ago
        Sci-Fi books and it was a sentient AI, I can do anything I want in that situation :-)
    • jillyboel 8 days ago
      NFC uid is also randomized
  • dzhiurgis 8 days ago
    Does it do it lockdown mode too?
    • c10ned 7 days ago
      Yes. I've just tested that. Lockdown mode doesn't disable NFC polling.
  • nubinetwork 8 days ago
    Last time I checked, NFC has a range of 3 centimeters...

    Edit: can't reproduce this with my android phone, sitting 6ft away from my SDR.

    • c10ned 7 days ago
      Check your software SDR gain, use higher sampling rates and make sure NFC is enabled.

      Otherwise, there might be some other nuances I'm not yet aware of, such as some phones not polling on unlock. I did test iPhone 15 Pro and Pixel 7 for initial POC. Others tested modern Samsungs/Xiaomis - worked as a charm.

  • babuloseo 8 days ago
    Can we use this to find people stuck in Earthquake rubble?
    • ghostly_s 8 days ago
      Are they checking their phones?
    • areyourllySorry 8 days ago
      the n in nfc stands for near. won't help under layers of concrete
      • voidUpdate 8 days ago
        TFA talks about detecting phones through load-bearing walls over 15-20 meters, and how the lower frequency penetrates surprisingly well. You can't necessarily pull the actual data off it, but you can see that there is a signal
  • drag0s 8 days ago
    one of the things I miss in iOS coming from Android is being able to easily disable NFC or location :/
  • byry 8 days ago
    From article: "Then, when the screen turns off again (either manually or via timeout), another signal is sent, just 1 ping this time."

    Nice.

  • yapyap 8 days ago
    Very interesting!
  • sparker72678 8 days ago
    > tracking occupancy patterns, correlating signal presence with known devices, identifying sleep cycles

    Wait til you find out about Wifi and GSM!

    • capitainenemo 8 days ago
      From the article. "A great part of discussion in comments on the original thread I've made was about soldiers on the battlefield and a heavy usage of devices close to the line of contact. Android users might turn off Wi-Fi and Bluetooth and even remove their SIM card, thinking they’ve minimized their radio footprint. But NFC often remains active by default — and since most people assume it only matters within arm’s reach, they don’t bother disabling it."
      • 1659447091 8 days ago
        > soldiers on the battlefield and a heavy usage of devices close to the line of contact. Android users might turn off Wi-Fi and Bluetooth and even remove their SIM card

        I would think a faraday bag would be far more efficient for this - should take care of the NFC issue too

        • reginald78 8 days ago
          I'm assuming they're still using the phone in some capacity in (what they thought) was offline mode. What they really need are phones with hardware switches for all radios, which of course almost don't even exist as a product. If a faraday bag worked for them they'd probably be better off just removing the battery altogether when they don't need the phone (removable batteries also aren't that common anymore).

          It speaks to how terribly fit for purpose mobile devices are for soldiers in an active modern battlefield. Not only do they require discipline and technology training to prevent leaking positions, but most of them actually lack the capability to prevent leaking altogether no matter how trained you are.

  • xyst 8 days ago
    Time to start lining the walls with lead to block signal leak. New building code, when?
  • babuloseo 8 days ago
    You know it's interesting to know that the people that are in ICE are not smart/competent enough to make use of these things to detect people and I don't think anything is going to change in the next 3-4 years, it's actually bizarre.
    • reaperman 8 days ago
      TSA (more accurately - CBP, more generally - DHS) contract out the hard engineering to Cellebrite and NSO Group. Those companies develop a dumb-proof box. The CBP agents at the border take the phones, plug them into the box, press a few buttons, and that’s it.

      No one in the TSA/CBP/ICE/DHS needs to be smart for this, that’s the job of private engineering firms/contractors.