Keep Your Enemies Close: Distance Bounding Against

Keep Your Enemies Close:Distance Bounding Against Smartcard Relay Attacks

Saar Drimer and Steven J. MurdochComputer Laboratory, University of Cambridge

http://www.cl.cam.ac.uk/users/sd410, sjm217

Abstract

Modern smartcards, capable of sophisticated cryptogra-phy, provide a high assurance of tamper resistance andare thus commonly used in payment applications. Al-though extracting secrets out of smartcards requires re-sources beyond the means of many would-be thieves,the manner in which they are used can be exploited forfraud. Cardholders authorize financial transactions bypresenting the card and disclosing a PIN to a terminalwithout any assurance as to the amount being chargedor who is to be paid, and have no means of discerningwhether the terminal is authentic or not. Even the mostadvanced smartcards cannot protect customers from be-ing defrauded by the simple relaying of data from onelocation to another. We describe the development ofsuch an attack, and show results from live experimentson the UK’s EMV implementation, Chip & PIN. We dis-cuss previously proposed defences, and show that thesecannot provide the required security assurances. A newdefence based on a distance bounding protocol is de-scribed and implemented, which requires only modestalterations to current hardware and software. As far aswe are aware, this is the first complete design and imple-mentation of a secure distance bounding protocol. Fu-ture smartcard generations could use this design to pro-vide cost-effective resistance to relay attacks, which are agenuine threat to deployed applications. We also discussthe security-economics impact to customers of enhancedauthentication mechanisms.

1 Introduction

Authentication provides identity assurance for, and of,communicating parties. Relay, or wormhole attacks al-low an adversary to impersonate a participant during anauthentication protocol by effectively extending the in-tended transmission range for which the system was de-signed. Relay attacks have been described since at least

1976 [13, p75] and are simple to execute as the adver-sary does not need to know the details of the protocolor break the underlying cryptography. A good exampleis a relay attack on proximity door-access cards demon-strated by Hancke [16]. To gain access to a locked door,the adversary simply relays the challenges from the doorto an authorized card, possibly some distance away, andsends the responses back. The only restriction on the at-tacker is that the signals arrive at the door and remotecard within the allotted time, which Hancke showed tobe sufficiently liberal. Another example is wormhole at-tacks on wireless networks by Hu et al. [18]. Despite theexistence of such attacks, systems susceptible to them areregularly being deployed. One significant reason is thatdesigners consider relay attacks to be too difficult andcostly for attackers to deploy. Section 3 aims to showthat relay attacks are indeed practical, using as an exam-ple the UK’s EMV payment system, Chip & PIN. Theseflaws are demonstrated by an implementation of the relayattack that has been tested on live systems.

Once designers appreciate the risk, the next step inbuilding a secure system is to develop defences. Sec-tion 4 describes potential countermeasures to the relayattack and compares their cost and effectiveness. Whilesome, which depend on procedural changes, could be de-ployed quickly and act as an interim measure, none of theconventional technologies meet our requirements of ade-quate security at low cost. We thus propose an extensionto the smartcard standard, based on a distance boundingprotocol, which provides adequate resistance to the relayattack and requires minimal changes to smartcards.

Section 5 describes this countermeasure and its rela-tionship with prior work, describes a circuit design, andevaluates its performance and security properties. Wehave implemented the protocol on an FPGA and shownit to be an effective defence against very capable ad-versaries. In addition, the experience of both users andmerchants is unchanged, a significant advantage over theother proposals we discuss. The impact of this protocol

16th USENIX Security SymposiumUSENIX Association 87

on the fraud liability landscape is discussed in Section 6.Our contributions include the description of the prac-

ticalities of relay attacks and our confirmation that de-ployed systems are vulnerable to them. By designing andtesting a prototype system for demonstrating this vulner-ability, we show that the attack is feasible and an eco-nomically viable threat. Also, we detail the design of adistance bounding protocol for smartcards, discuss im-plementation issues and present results from both nor-mal operation and under simulated attacks. While papershave previously discussed distance bounding protocols,to the best of our knowledge, this is the first time it hasbeen implemented in practice.

2 Background

Contact smartcards, also known as integrated circuitcards (ICC), as discussed in this paper, are defined byISO 7816 [19] (for brevity, our description of the spec-ification will be only to the detail sufficient to illustrateour implementation). The smartcard consists of a sheetof plastic with an integrated circuit, normally a special-ized microcontroller, mounted on the reverse of a groupof eight contact pads. Current smartcards use only fiveof these: ground, power, reset, clock are inputs suppliedby the card reader, and an additional bi-directional asyn-chronous serial I/O signal over which the card receivescommands and returns its response. Smartcards are de-signed to operate at clock frequencies between 1 and5 MHz, with the data rate, unless specified otherwise, of1/372 of that frequency.

Upon insertion of a smartcard, the terminal first sup-plies the power and clock followed by de-assertion of re-set. The card responds with an Answer-to-Reset (ATR),selecting which protocol options it supports, includingendianness and polarity, flow control, error correctionand data rate. All subsequent communications are ini-tiated by the terminal and consist of a four byte headercommand with an optional variable-length payload.

2.1 Payment environmentThere are four parties in the basic payment model: thecardholder purchasing the goods or service; the mer-chant supplying the goods or service and who controlsthe payment terminal; the issuer bank is in a contractualrelationship with the cardholder and issues their card,and; the acquirer bank that is in a contractual relation-ship with the merchant.

To initiate a transaction, the cardholder presents themerchant with his card and agrees to make the paymentin exchange for goods or services. The merchant vali-dates that the card is authentic and that the cardholder isauthorized to use it, and sends the transaction details to

the acquirer. The acquirer requests transaction authoriza-tion from the issuer over a payment system network (e.g.Mastercard or Visa). If the issuer accepts the transaction,this response is sent back to the merchant via the acquirerand the cardholder is given the good or service. Later, thepayment is transferred from the cardholder’s account atthe issuer to the merchant’s account at the acquirer.

In reality, payment systems slightly differ from thissimplified description. For this paper’s purpose, one no-table difference is that the merchant may skip the stepof contacting the acquirer to verify the transaction. Forsmaller retailers, this communication is ordinarily donevia a telephone connection, so each authorization requestincurs a cost. Thus, for low-risk transactions it may notbe necessary to go online. Also, if the merchant’s ter-minal cannot make contact with the acquirer, due to thephone line being busy or other technical failure, the mer-chant may still decide to avoid losing the sale and never-theless accept the transaction.

2.2 Smartcard applicationsState-of-the-art smartcards are capable of both symmet-ric and asymmetric cryptography, have several hundredsof KB of non-volatile tamper-resistant memory, andthrough secure operating systems may support multiple,mutually un-trusting, applications [3]. Although the po-tential applications are many, they are most commonlyused for authentication of the holder, and more specifi-cally for debit and credit card payment systems, whereless sophisticated smartcards are used.

Smartcards have advantages in all three authorizationprocesses discussed above, namely:

Card authentication: the card was issued by an accept-able bank, is still valid and the account details havenot been modified.

Cardholder verification: the customer presenting thecard is authorized to use it.

Transaction authorization: the customer’s account hasadequate funds for the transaction.

EMV [15], named after its creators, Europay, Master-card and Visa, is the primary protocol for debit and creditcard payments in Europe, and is known by a variety ofdifferent names in the countries where it is deployed (e.g.“Chip & PIN” in the UK). While the following sectionwill introduce the EMV protocol, other payment systemsare similar.

In its non-volatile memory, the smartcard may hold ac-count details, cryptographic keys, a personal identifica-tion number (PIN) and a count of how many consecutivetimes the PIN has been incorrectly entered.

16th USENIX Security Symposium USENIX Association88

Cards capable of asymmetric cryptography can cryp-tographically sign account details under the card’s pri-vate key to perform card authentication. The merchant’sterminal can verify the signature with a public key whichis stored on the card along with a certificate signed bythe issuer whose key is, in turn, signed by the operator ofthe payment system network. This method is known asdynamic data authentication (DDA) or the variant, com-bined data authentication (CDA).

As the merchants are not trusted with the symmetrickeys held by the card, which would enable them to pro-duce forgeries, cards that are only capable of symmet-ric cryptography cannot be reliably authenticated offline.However, the card can still hold a static signature of ac-count details and corresponding certificate chain. Theterminal can authenticate the card by checking this sig-nature, known as static data authentication (SDA), butthe lack of freshness allows replay attacks to occur.

Cardholder verification is commonly performed by re-quiring that the cardholder enter their PIN into the mer-chant’s terminal. The PIN is sent to the card which thenchecks if there have been too many consecutive incor-rect guessing attempts; if not, it checks if the PIN wasentered correctly. If the terminal or card does not sup-port PIN verification, or the cardholder declines to enterit, the merchant may allow signature verification, or inunattended terminal scenarios, no authentication at all.

The card may hold a history of transactions since it haslast communicated with the issuer, and evaluate the riskof authorizing further transactions offline; otherwise, thecard can request online authorization. In both cases, thecard’s symmetric keys are used to produce a transactioncertificate that is verified by the issuer. Merchants mayalso force a transaction to be online.

2.3 Security goals and threat model

The full threat model of EMV incorporates risk man-agement protocols where the card and terminal negotiatedifferent methods of authenticating cardholders and theconditions for online or offline verification. This decisionis reached by considering the transaction value and type(cash-back or goods), the card’s record of recent offlinetransactions and both the card issuer’s and merchant’srisk perception. This complexity and other features ofEMV exist to manage the reality of all parties mistrust-ing all others (to varying extents). These details are out-side the scope of the paper and are further discussed inthe EMV specification [15, book 2].

Instead, we assume that the merchant, the banks andcustomers are honest. We also exclude physical attacks,exploits of software vulnerabilities on both the smart-card and terminal, as well as attacks on the underlyingcryptography. Other weaknesses of the EMV system are

known, such as replay attacks on SDA cards as discussedabove, and fallback attacks which force use of the mag-netic stripe, still present on smartcards for backwardscompatibility. These weaknesses have been covered else-where [1, 4] and are anticipated to be resolved by even-tually disabling these legacy features.

In our scenario, the goal of the attacker is to obtaingoods or services by charging an unwitting victim whothinks she is paying for something different, at an at-tacker controlled terminal.

3 Relay attacks

Relay attacks were first described by Conway [13, p75],explaining how someone who does not know the rules ofchess could beat a Grandmaster. This is possible by chal-lenging two Grandmasters at postal chess and relayingmoves between them. While appearing to play a goodgame, the attacker will either win against one, or drawagainst both. Desmedt et al. [14] showed how such re-lay attacks could be applied against a challenge-responsepayment protocol, in the so called “mafia fraud”.

We use the mafia-fraud scenario, illustrated in Fig-ure 1, where an unsuspecting restaurant patron, Alice,inserts her smartcard into a terminal in order to pay a$20 charge, which is presented to her on the display.The terminal looks just like any one of the numeroustypes of terminals she has used in the past. This par-ticular terminal, however, has had its original circuitryreplaced by the waiter, Bob, and instead of being con-nected to the bank, it is connected to a laptop placed be-hind the counter. As Alice inserts her card into the coun-terfeit terminal, Bob sends a message to his accomplice,Carol, who is about to pay $2 000 for a diamond ringat Dave’s jewellery shop. Carol inserts a counterfeit cardinto Dave’s terminal, which looks legitimate to Dave, butconceals a wire connected to a laptop in her backpack.

Bob and Carol’s laptops are communicating wirelesslyusing mobile-phones or some other network. The data toand from Dave’s terminal is relayed to the restaurant’scounterfeit terminal such that the diamond purchasingtransaction is placed on Alice’s card. The PIN enteredby Alice is recorded by the counterfeit terminal and issent, via a laptop and wireless headset, to Carol who en-ters it into the genuine terminal when asked. When thetransaction is over, the crooks have paid for a diamondring using Alice’s money, who got her meal for free, butwill be surprised when her bank statement arrives.

Despite the theoretical risk being documented, EMVis vulnerable to the relay attack, as suggested by Ander-son et al. [4]. Some believed that engineering difficultiesin deployment would make the attack too expensive, oreven impossible. The following section will show that


Bob

CarolAlice

Dave

£

$2,000

PIN

PIN

$20

Attacker controlled

Attacker controlled

Figure 1: The EMV relay attack. Innocent customer, Alice, pays for lunch by entering her smartcard and PIN into amodified terminal operated by Bob. At approximately the same time, Carol enters her fake card into honest Dave’sterminal to purchase a diamond. The transaction from Dave’s terminal is relayed wirelessly to Alice’s card with theresult of Alice unknowingly paying for Carol’s diamond.

equipment to implement the attack is readily available,and costs are within the expected returns of fraud.

3.1 Implementation

This section describes the equipment we used for imple-menting the relay attack. We chose off-the-shelf com-ponents that allowed for fast development rather thanminiaturisation or cost-effectiveness. The performancerequirements were modest, with the only strict restrictionbeing that our circuit hardware fit within the terminal.

3.1.1 Counterfeit terminal

Chip & PIN terminals are readily available for purchaseonline and their sale is not restricted. While some areas cheap as $10, our terminal was obtained for $50 fromeBay and was ideal for our purposes due to its copious in-ternal space. Even if second hand terminals were not soreadily available, a plausible counterfeit could be madefrom scratch as it is only necessary that it appears legiti-mate to untrained customers.

Instead of reverse engineering the existing circuit, westripped all internal hardware except for the keypad andLCD screen, and replaced it with a $200 Xilinx Spartan-3 small factor, USB-controlled, development board. Wealso kept the original smartcard reader slot, but wired itsconnections to a $40 USB GemPC Twin reader so wecould connect it to the laptop. The result is a terminalwith which we can record keypad strokes, display con-tent on the screen and interact with the inserted smart-card. The terminal appears and behaves just like a gen-

uine one to the customer even though it lacks the abilityto communicate with the bank.

3.1.2 Counterfeit card

At the jeweller’s, Carol needs to insert a counterfeit cardconnected to her laptop, into Dave’s terminal. We tooka genuine Chip & PIN card and ground down the resin-covered wire bonds that connect the chip to the back ofthe card’s pads. With the reverse of the pads exposed,using a soldering iron, we pressed into the plastic thin,flat wires to the edge of the card. This resulted in a cardthat looked authentic from on the top side, but was actu-ally wired on the back side, as shown in Figure 2. Thecounterfeit card was then connected through a 1.5 m ca-ble to a $150 Xilinx Spartan-3E FPGA Starter Kit boardto buffer the communications and translate them betweenthe ISO 7816 and RS-232 protocols. Since the FPGA isnot 5V tolerant, we use 390 Ω resistors on the channelsthat receive data from the card. For the bi-directionalI/O channel, we use the Maxim 1740/1 level translator,which costs less than $2.

3.1.3 Controlling software

The counterfeit terminal and card are controlled by sepa-rate laptops via USB and RS-232 interfaces, respectively,using custom software written in Python. The laptopscommunicate via TCP over 802.11b wireless, althoughin principle this could be GSM or other wireless pro-tocol. This introduces significant latency, but far lessthan would be a problem as the timing critical operations


(a) With the exterior intact, the terminal’s original internal circuitry was replaced bya small factor FPGA board (left); FPGA based smartcard emulator (right) connectedto counterfeit card (front).

(b) Customer’s view of terminal. Here, it isplaying Tetris, to demonstrate that we have fullcontrol of the display and keypad.

Figure 2: Photographs of tampered terminal and counterfeit card.

on the counterfeit card are performed by the FPGA withreal-time guarantees.

One complication of selecting an off-the-shelf USBsmartcard reader for the counterfeit terminal is that it op-erates at the application protocol data unit (APDU) leveland buffers an entire command or response before send-ing it to the smartcard or the PC. This increases the timebetween when the genuine terminal sends a commandand when the response can be sent; but, as previouslymentioned, this is well within tolerances.

This paper only deals with the “T=0” ISO 7816 sub-protocol, as used by all EMV smartcards we have exam-ined. Here, commands are uni-directional, i.e. either thecommand or response contains a payload but not both.Upon receiving a command code from the genuine ter-minal, any associated payload will not be sent by the ter-minal until the card acknowledges the command. Thecounterfeit card thus cannot tell whether to request a pay-load (for terminal → card commands) or send the com-mand code to the genuine card immediately (for card →terminal commands).

Were the counterfeit terminal to incorporate a charac-ter level card reader, the partial command code couldbe sent to the genuine card and the result examined todetermine the direction, but this is not permissible forAPDU level transactions. Hence, the controlling soft-ware must be told the direction for each of the 14 com-mand codes. Other than this detail, the relay attackis protocol-agnostic and could be deployed against anyISO 7816 based system.

3.2 Procedure and timingEMV offers a large variety of options, but the generalityof the relay attack allows our implementation to accountfor them all; for simplicity, we will describe the proce-dure for the common case in the UK. That is, SDA cardauthentication (only the static cryptographic signature ofthe card details is checked), online transaction autho-rization (the merchant will connect to the issuer to ver-ify that adequate funds are available) and offline plaintextPIN cardholder verification (the PIN entered by the card-holder is sent to the card, unencrypted, and the card willcheck its correctness).

Transaction authorization is accomplished by the cardgenerating an application cryptogram (AC), which is au-thenticated by the card’s symmetric key and incorpo-rates transaction details from the terminal, a card transac-tion counter, and whether the PIN was entered correctly.Thus, the issuing bank can confirm that the genuine cardwas available and the correct PIN was used. Note thatthis only requires symmetric cryptography, and so willwork even with SDA-only cards, as issued in the UK.

The protocol can be described in six steps:

Initialization: The card is powered up and returns theATR. Then the terminal selects one of the possiblepayment applications offered by the card.

Read application data The terminal requests card de-tails (account number, name, expiration date etc.)and verifies the static signature.


Cardholder verification: The cardholder enters theirPIN into the merchant’s terminal and this is sent tothe card for verification. If correct, the card returnsa success code, otherwise the cardholder may tryagain until the maximum number of PIN attemptshave been exceeded.

Generate AC 1: The terminal requests an authorizationrequest cryptogram (ARQC) from the card, whichis sent to the issuing bank for verification, whichthen responds with the issuer authentication data.

External authenticate: The terminal sends the issuerauthentication data to the card.

Generate AC 2: The terminal asks the card for a trans-action certificate (TC) which the card returns to theterminal if, based on the issuer authentication dataand other internal state, the transaction is approved.Otherwise, it returns an application authenticationcryptogram (AAC), signifying the transaction wasdenied. The TC is recorded by the merchant todemonstrate that it should receive the funds.

This flow imposes some constraints on the relay at-tack. Firstly, Alice must insert her card before Carol in-serts her counterfeit card in order for initialization andread application data to be performed. Secondly, Al-ice must enter her PIN before Carol is required to en-ter it into the genuine terminal. Thirdly, Alice must notremove her card until the Generate AC 2 stage has oc-curred. Thus, the two sides of the radio link must besynchronised, but there is significant leeway as Carol canstall until she receives the signal to insert her card.

After that point, the counterfeit card can request extratime from the terminal, before sending the first response,by sending a null procedure byte (0x60). The counter-feit terminal can also delay Alice by pretending to dial-up the bank and waiting for authorization until Carol’stransaction is complete.

All timing critical sections, such as sending the ATRin response to de-assertion of reset and the encod-ing/decoding of bytes sent on the I/O, are implementedon the FPGA to ensure a fast enough response. Thereare wide timing margins between the command and re-sponse, so this is managed in software.

3.3 Results

We tested our relay setup with a number of differentsmartcard readers in order to test its robustness. Firstly,we used a VASCO Chip Authentication Program (CAP)reader (a similar device, but manufactured by Gemalto, ismarketed by the UK bank Barclays as PINsentry). This

is a handheld one-time-password generator for use in on-line banking, and implements a subset of the EMV pro-tocol. Specifically, it performs cardholder verificationby checking the PIN and requests an application cryp-togram, which may be validated online. Our relay setupwas able to reliably complete transactions, even whenwe introduced an extra three seconds of latency betweencommand and response. While the attack we describein most detail uses the counterfeit card in a retail out-let, a fraudster could equally use a CAP reader to accessthe victim’s online banking. This assumes that the PINused for CAP is the same as for retail transactions andthe criminal knows all other login credentials.

The CAP reader uses a 1 MHz clock to decrease powerconsumption, but at the cost of slower transactions. Wealso tested our relay setup with a GemPC Twin reader,which operates at a 4 MHz frequency. The card readerwas controlled by our own software, which simulatesa Chip & PIN transaction. Here, the relay device alsoworked without any problems and results were identicalto when the card was connected directly to the reader.

Finally, we developed a portable version of the equip-ment, and took this to a merchant with a live Chip & PINterminal. With the consent of the merchant and card-holder, we placed a transaction with our counterfeit cardin the genuine terminal, and the cardholder’s card in thecounterfeit terminal. In addition to the commands and re-sponses being relayed, the counterfeit terminal was con-nected to a laptop which, through voice-synthesis soft-ware, read out the PIN to our “Carol”. The transactionwas completed successfully. One such demonstration ofour equipment was shown on the UK consumer rightsprogramme BBC Watchdog on 6th February 2007.

3.4 Further applications and feasibility

The relay attack is also applicable where “Alice” is notthe legitimate card holder, but a thief who has stolen thecard and observed the PIN. To frustrate legal investiga-tion and fraud detection measures, criminals commonlyuse cards in a different country from where they werestolen. Magnetic stripe cards are convenient to use inthis way, as the data can be read and sent overseas, tobe written on to counterfeit cards. However, chip cardscannot be fully duplicated, so the physical card wouldneed to be mailed, introducing a time window where thecardholder may report the card stolen or lost.

The relay attack can allow fraudsters to avoid this de-lay by making the card available online using a cardreader and a computer connected to the Internet. Thefraudster’s accomplice in another country could connectto the card remotely and place transactions with a coun-terfeit one locally. The timing constraints in this sce-nario are more relaxed as there is no customer expecting


to remove their genuine card. Finally, in certain typesof transactions, primarily with unattended terminals, thePIN may not be required, making this attack easier still.

APACS, the UK payment association, say they are un-aware of any cases of relay attacks being used againstChip & PIN in the UK [5]. The reason, we believe, isthat even though the cost and the technical expertise thatare required for implementing the attack are relativelylow, there are easier ways to defeat the system. Methodssuch as card counterfeiting/theft, mail interception, andcardholder impersonation are routinely reported and aremore flexible in deployment.

These security holes are gradually being closed, butcard fraud remains a lucrative industry – in 2006 £428m(≈ $850m) of fraud was suffered by UK banks [6]. Crim-inals will adapt to the new environment and, to maintaintheir income, will likely resort to more technically de-manding methods, so now is the time to consider how toprevent relay attacks for when that time arrives.

4 Defences

The previous section described how feasible it is to de-ploy relay attacks against Chip & PIN and other smart-card based authorization systems in practice. Thus, sys-tem designers must develop mitigation techniques while,for economic consideration, staying within the deployedEMV framework as much as possible.

4.1 Non-solutions

In this section we describe a number of solutions that arepossible, or have been proposed, against our attack andassess their overall effectiveness.

Tamper-resistant terminals A pre-requisite of our re-lay attack is that Alice will insert her card and enter herPIN into a terminal that relays these details to the re-mote attacker. The terminal, therefore, must either betampered with or be completely counterfeit, but still ac-ceptable to cardholders. This implies a potential solution– allow the cardholder to detect malicious terminals sothey will refuse to use them. Unfortunately, this cannotbe reliably done in practice.

Although terminals do implement internal tamper-responsive measures, when triggered, they only deletekeys and other data without leaving visible evidence tothe cardholder. Tamper-resistant seals could be inspectedby customers, but Johnston et al. [21] have shown thatmany types of seals can be trivially bypassed. It wouldalso be infeasible to give all customers adequate trainingto detect tampering or counterfeiting of seals. By induc-ing time-pressure and an awkward physical placement of

the terminal, the attacker can make it extremely difficultfor even a diligent customer to check for tampering.

Even if it was possible to produce an effective seal,there are, as of May 2007, 304 VISA approved terminaldesigns from 88 vendors [24], so cardholders cannot beexpected to identify them all. Were there only one termi-nal design, the use of counterfeit terminals would have tobe prevented, which raises the same problems as tamper-resistant seals. Finally, with the large sums of moneynetted by criminals from card fraud, fabricating plasticparts is well within their budget.

Imposing additional timing constraints While relayattacks will induce extra delays between commands be-ing sent by the terminal and responses being received,existing smartcard systems are tolerant to very high la-tencies. We have successfully tested our relay deviceafter introducing a three second delay into transactions,in addition to the inherent delay of our design. Thisextra round-trip time could be exploited by an attacker450 000 km away, assuming that signals propagate at thespeed of light. Perhaps, then, attacks could be preventedby requiring that cards reply to commands precisely af-ter a fixed delay. Terminals could then confirm that acard responds to commands promptly and will otherwisereject a transaction.

Other than the generate AC command, which includesa terminal nonce, the terminal’s behaviour is very pre-dictable. So an attacker could preemptively request thesedetails from the genuine card then send them to the coun-terfeit card where they are buffered for quick response.Thus, the value of latency as a distance measure can onlybe exploited at the generate AC stages. Furthermore,Clulow et al. [12] show how wireless distance boundingprotocols, based on channels which were not designedfor the purpose, can be circumvented. Their commentsapply equally well to wired protocols such as ISO 7816.

To hide the latency introduced by mounting the re-lay attack, the attacker aims to sample signals early andsend signals late, while still maintaining their accuracy.In ISO 7816, cards and terminals are required to samplethe signal between the 20% and 80% portion of the bit-time and aim to sample at the 50% point. However, anattacker with sensitive equipment could sample near thebeginning, and send their bit late. The attacker then gains50% of a bit-width in both directions, which at a 5 MHzclock is 37 µs, or 11 km.

The attacker could also over-clock the genuine card sothe responses are returned more quickly. A DES calcu-lation could take around 100 ms so only a 1% increasewould give a 300 km distance advantage. Even if thecalculation time was fixed, and only receiving the re-sponse from the card could be accelerated, the counter-feit card could preemptively reply with the predictable


11 bytes (2 byte response code, 5 byte read more com-mand, 2 byte header and 2 byte counter) each taking 12bit-widths (start, 8 data bits, stop and 2 bits guard time).At 5 MHz + 1% this gives the attacker 98 µs, i.e. 29 km.

One EMV-specific problem is that the contents of thepayload in the generate AC command are specified bythe card in the card risk management data object list(CDOL). Although the terminal nonce should be at theend of the message in order to achieve maximum resis-tance to relay attacks, if the CDOL is not signed, the at-tacker could substitute the CDOL for one requesting thechallenge near the beginning. Upon receiving the chal-lenge from the terminal, the attacker can then send thisto the genuine card. Other than the nonce, the rest of thegenerate AC payload is predictable, so the counterfeitterminal can restore the challenge to the correct place,fill in the other fields and send it to the genuine card.Thus, the genuine card will send the correct response,even before the terminal thinks it has finished sending thecommand. A payload will be roughly 30 bytes, which at5 MHz gives 27 ms and a 8 035 km distance advantage.

Nevertheless, eliminating needless tolerance to re-sponse latency would decrease the options available tothe attacker. If it were possible to roll out this modifica-tion to terminals as a software upgrade, it might be ex-pedient to plan for this alteration to be quickly deployedin reaction to actual use of the relay attack. While wehave described how this countermeasure could be cir-cumvented, attackers who build and test their systemwith high latency would be forced to re-architect it if theacceptable latency of deployed terminals were decreasedwithout warning.

4.2 Procedural improvements

Today, merchants and till operators are accustomed tolooking away while customers enter their PIN and sel-dom handle the card at all, while customers are often rec-ommended not to allow anyone but themselves to handlethe card because of card skimming. In the case of relayattacks, this assists the criminal, not the honest customeror merchant. If the merchant examined the card, evensuperficially, he would detect the relay attack, as we im-plemented it, by spotting the wires. That said, it is not in-feasible that an RFID proximity card could be modifiedto relay data wirelessly to a local receiver and thereforeappear to be a genuine one.

A stronger level of protection can be achieved if, af-ter the transaction is complete, the merchant checks notonly that the card presented is legitimate, but also that theembossed card number matches the one on the receipt.In the case of the relay attack, the receipt will show thevictim’s card number, whereas the counterfeit card willshow the original number of the card from before it was

tampered. For these to match, the fraudster must haveappropriate blank cards and an embossing machine, inaddition to knowing the victim’s card number in advance.

Alternatively, a close to real-time attack could still beexecuted with a portable embossing machine. Existingdevices take only a few seconds to print a card and itis feasible that fraudsters can make them portable. Thequality of counterfeit cards and embossing need not behigh, just sufficient to pass a cursory inspection. Morerecent smartcards are being issued without embossing,as the carbon-paper payment method is no longer used,making counterfeits even easier to produce. If none ofthese possibilities are open to the fraudster, repeat cus-tomers could be targeted and so creating a wide windowof opportunity. In some scenarios, such as unattendedChip & PIN terminals, ATMs, or where the terminal ison the opposite side of a glass barrier, physical card in-spections would not be possible; but even where it is, themerchant must be diligent.

Varian [23] argues that if the party who is in the bestposition to prevent fraud does not have adequate incen-tives to do so, security suffers. If customers must de-pend on merchants, who they have no relationship with,for their protection, then there are mismatched incen-tives. Merchants selling low-marginal-cost products orservices (e.g. software or multimedia content), have littledesire to carefully check for relay attacks. This is be-cause, in the case of fraud, costs will likely be borne bythe customer. Even if the transaction is subsequently re-versed when fraud is detected, the merchant has lost onlythe low marginal cost and the chargeback overhead, buthas saved the effort of checking cards.

4.3 Hardware alterations

The electronic attorney is a trusted device that is broughtinto the transaction by the customer so that the mer-chant’s terminal does not need to be trusted; this is calledthe “man-in-the-middle defence”, as suggested by An-derson and Bond [2]; trusted devices to protect customersare also discussed by Asokan et al. [7]. The device is in-serted into the terminal’s card slot while the customerinserts their card into the device. The device can displaythe transaction value as it is parsed from the data sentfrom the terminal, allowing the customer to verify thatshe is charged the expected amount. If the customer ap-proves the transaction, she presses a button on the elec-tronic attorney itself, which allows the protocol to pro-ceed. This trusted user interface is necessary, since if aPIN was used as normal, a fraudster could place a legiti-mate transaction first, which is accepted by the customer,but with knowledge of the PIN a subsequent fraudulentone can be placed. Alternatively, one-time-PINs couldbe used, but at a cost in usability.


Because the cardholder controls the electronic attor-ney, and it protects the cardholder’s interests, the incen-tives are properly aligned. Market forces in the businessof producing and selling these devices should encouragesecurity improvements. However, this extra device willincrease costs, increase complexity and may not be ap-proved of by banking organizations. Additionally, fraud-sters may attempt to discourage their use, either explic-itly or by arranging the card slot so the use of a electronicattorney is difficult. A variant of the trusted user interfaceis to integrate a display into the card itself [8].

Another realization of the trusted user interface forpayment applications is to integrate the functionality ofa smartcard into the customer’s mobile phone. This canallow communication with the merchant’s terminal usingnear field communications (NFC) [20]. This approachis already under development and has the advantage ofbeing a customer-controlled device with a large screenand convenient keypad, allowing the merchant’s nameand transaction value to be shown and once authorizedby the user, entry of the PIN. Wireless communicationsalso ease the risk of a malicious merchant arranging theterminal so that the trusted display device is not visible.Although mobile phones are affordable and ubiquitous,they may still not be secure enough for payment applica-tions as they can be, for example, targeted by malware.

5 Distance bounding

None of the techniques detailed in Section 4.1 are ad-equate to completely defeat relay attacks. They are ei-ther impractical (tamper-resistant terminals), expensive(adding extra hardware) or circumventable (introduc-ing tighter timing constraints and requiring merchants tocheck card numbers). Due to the lack of a customer-trusted user interface on the card, there is no way to de-tect a mismatch between the data displayed on the termi-nal and the data authorized by the card. However, relayattacks can be foiled if either party can securely establishthe position of the card which is authorizing the transac-tion, relative to the terminal processing it.

Absolute positioning is infeasible due to the cost andform factor requirements of smartcards being incompat-ible with GPS, and also because the civilian version isnot resistant to spoofing [22]. However, it is possiblefor the terminal to securely establish a maximum dis-tance bound, by measuring the round-trip-time betweenit and the smartcard; if this time is too long, an alarmwould be triggered and the transaction refused. De-spite the check being performed at the merchant end,the incentive-compatibility problem is lessened becausethe distance verification is performed by the terminal anddoes not depend on the sales assistant being diligent.

The approach of preventing relay attacks by mea-suring round-trip-time was first proposed by Beth andDesmedt [9] but Brands and Chaum [11] described thefirst concrete protocol. The cryptographic exchange inour proposal is based on the Hancke-Kuhn protocol [17],because it requires fewer steps, and it is more efficientif there are transmission bit errors compared to Brands-Chaum. However, the Hancke-Kuhn protocol is pro-posed for ultra-wideband radio (UWB), whereas we re-quire synchronous half-duplex wired transmission.

One characteristic of distance-bounding protocols, un-like most others, is that the physical transmission layeris security-critical and tightly bound to the other layers,so care must be taken when changing the transmissionmedium. Wired transmission introduces some differ-ences, which must be taken into consideration. Firstly,to avoid circuitry damage or signal corruption, in a wiredhalf duplex transmission, contention (both sides drivingthe I/O at the same time) must be avoided. Secondly,whereas UWB only permits the transmission of a pulse,wired allows a signal level to be maintained for an ex-tended period of time. Hence, we may skip the initialdistance-estimation stage of the Hancke-Kuhn setup andsimplify our implementation.

While in this section we will describe our implemen-tation in terms of EMV, implemented to be compatiblewith ISO 7816, it should be applicable to any wired, half-duplex synchronous serial communication line.

5.1 ProtocolIn EMV, authentication is only card to terminal so wefollow this practise. Following the Hancke-Kuhn termi-nology, the smartcard is the prover, P , and terminal is theverifier, V . This is also appropriate because the Hancke-Kuhn protocol puts more complexity in the verifier thanthe prover, and terminals are several orders of magnitudemore expensive and capable than the cards. The protocolis described as follows:

Initialization :V → P : NV ∈ 0, 1a

P → V : NP ∈ 0, 1a

P : (R0i ||R1

i ) = HK(NV , NP ) ∈ 0, 1b

Rapid bit-exchange :V → P : Ci ∈ 0, 1P → V : RCi

i ∈ 0, 1

At the start of the initialization phase, nonces and pa-rameters are exchanged over a reliable data channel, withtiming not being critical. NV and NP provide fresh-ness to the transaction in order to prevent replay attacks,with the latter preventing a middle-man from running thecomplete protocol twice between the two phases usingthe same NV and complementary Ci and thus, obtain


A 3 8 F 6 D 7 5Ci : 1010 0011 1000 1111 0110 1101 0111 0101R0

i : x0x0 11xx x011 xxxx 0xx1 xx1x 1xxx 1x0xR1

i : 1x0x xx10 1xxx 0001 x10x 01x0 x111 x1x0

RCii : 1000 1110 1011 0001 0101 0110 1111 1100

8 E B 1 5 6 F C

Table 1: Example of the rapid bit-exchange phase of thedistance bounding protocol. For clarity, x is shown in-stead of the response bits not sent by the prover. The leftmost bit is sent first.

both R0i and R1

i . The prover produces a MAC under itskey, K, using a keyed pseudo-random function, the resultof which is split into two shift registers, R0

i and R1i .

In the timing-critical rapid bit-exchange phase, themaximum distance between the two participants is deter-mined. V sends a cryptographically secure pseudoran-dom single-bit challenge Ci to P , which in turn imme-diately responds with RCi

i , the next single-bit response,from the corresponding shift register. A transaction of a32 bit exchange is shown in Table 1.

If a symmetric key is used, this will require an on-linetransaction to verify the result because the terminal doesnot store K. If the card has a private/public key pair, asession key can be established and the final challenge-response can also be verified offline. The values a and b,the nonce and shift register bit lengths, respectively, aresecurity parameters that are set according to the applica-tion and are further discussed in Section 5.5.

This exchange succeeds in measuring distance be-cause it necessitates that a response bit arrive at a certaintime after the challenge has been sent. When the proto-col execution is complete, V ’s response register, RCi

i , isverified by the terminal or bank to determine if the proveris within the allowed distance for the transaction.

5.2 ImplementationISO 7816, our target application, dictates that the smart-card (prover) is a low resource device, and therefore,should have minimal additions in order to keep costsdown; this was our prime constraint. The terminal (ver-ifier), on the other hand, is a capable, expensive de-vice that can accommodate moderate changes and addi-tions without adversely affecting its cost. Of course, thescheme must be secure to all attacks devised by a highlycapable adversary that can relay signals at the speed oflight, is able to ensure perfect signal integrity, and canclock the smartcard at higher frequencies than it was de-signed for. We assume, however, that this attacker doesnot have access to the internal operation of the terminal

SMPLC

tn

tm

tp

delay

Ci

Ci Ri

RiI/OV

I/OP

td

fV

CLKV P

DRVR

tq

DRVC

SMPLR

tdverifierprover

Figure 3: Waveforms of a single bit-exchange of thedistance bounding protocol. fV is the verifier’s clock;DRVC drives the challenge on to I/O; SMPLR samplesthe response; CLKV →P is the prover’s clock; I/OV andI/OP are versions of the I/O on each side accounting forthe propagation delay td; SMPLC is the received clockthat is used to sample the challenge; and DRVR drivesthe response on to the I/O.

and that extracting secret material out of the smartcard,or interfering with its security critical functionality, is noteconomical considering the returns from the fraud.

5.3 Circuit elements and signalsFor this section refer to Table 2 for signal names and theirfunction, Figure 4 for the circuit diagram and Figure 3 forthe signal waveforms.

Clocks and frequencies As opposed to the prover, theverifier may operate at high frequencies. We have im-plemented the protocol such that one clock cycle of theverifier’s operating frequency, fV , determines the dis-tance resolution. Since signals cannot travel faster thanthe speed of light, c, the upper-bound distance resolutionis therefore, c/fV . Thus, fV , should be chosen to be ashigh as possible. We selected 200 MHz which allowsus a 1.5 m resolution under ideal conditions for the at-tacker. We have made the prover’s operating frequency,fP , compatible with any frequencies having a high-timegreater than tq + fV

−1 + td, where tq defines the timebetween when the challenge is being driven onto the I/Oand when the response is sampled by the verifier; td isthe delay between V and P . ISO 7816 specifies thatthe smartcard/prover needs to operate at 1–5 MHz andin order to be compatible, we chose fP = fV /128 ≈1.56 MHz for our implementation.

Shift registers The design has four 64 bit shift regis-ters (SR): the verifier’s challenge and received responseSR’s and the prover’s two response SR’s. The challenge


Signals & timingparameters

Description

CLKV , fV Verifier’s clock and frequency; determines the distance resolutionCLKV →P , fP Prover’s clock and frequency; received from verifierDRVC While asserted the challenge is transmittedtn Length of time verifier drives the challenge on to the I/OSMPLC Prover samples challenge on rising edgetm Length of time between assertion of DRVC to assertion of CLKV →P

DRVR Prover transmits responsetp Amount of delay applied to SMPLC

SMPLR Verifier samples response on rising edgetq Time from assertion of CLKV →P to rising edge of SMPLR; determines

upper bound of prover’s distancetd Propagation delay through distance d

Table 2: Signals and their associated timing parameters.

verifier prover

SMPLC

DRVR

delay

R0

R1

response SR

challenge SR

SMPLR

DRVC

divideCLKV

d

response SR’s

challengeCECE

0

1

CLKV P

R

Figure 4: Simplified diagram of the distance bounding circuit. DRVC controls when the challenge is put on the I/Oline. CLKV controls the verifier’s circuit; it is divided and is received as SMPLC at the prover where it is used tosample the challenge. A delay element produces DRVR, which controls when the response is put the I/O, while at theverifier SMPLR samples it. The pull-up resistor R is present to pull the I/O line to a stable state when it is not activelydriven by either side.

SR is clocked by CLKV and is shifted one clock cyclebefore it is driven on to the I/O line by DRVC . The veri-fier’s response SR is also clocked by CLKV and is shiftedon the rising edge of SMPLR. On the prover side, theSR’s are clocked and shifted by SMPLC .

Bi-directional I/O The verifier and prover communi-cate using a bi-directional I/O with tri-state buffers ateach end. These buffers are controlled by the signalsDRVC and DRVR and are implemented such that onlyone side drives the I/O line at any given time in order toprevent contention. This is a consequence of adaptingthe Hancke-Kuhn protocol to a wired medium, and im-plies that the duration of the challenge must be no longerthan necessary, so as to obtain the most accurate distancebound. A pull-up is also present, as with the ISO 7816specification, to maintain a high state when the line is

not driven by either side. As a side note, if the con-straints imposed by ISO 7816 are not to be adhered to,two uni-directional wires for the challenge and responsecould have been used for easier implementation.

5.4 Timing

A timing diagram of a single challenge-response ex-change is shown in Figure 3. The circuit shown in Fig-ure 4 was implemented on an FPGA using Verilog (notall peripheral control signals are shown for the sake ofclarity). Since we used a single chip, the I/O and clocklines were “looped-back” using various length transmis-sion wires to simulate the distance between the verifierand prover as shown in Figure 5.

The first operation is clocking the challenge shift reg-ister (not shown), which is driven on to the I/O line by


Figure 5: The Xilinx XUP board with a VirtexII-PRO 30FPGA on which the distance bounding design was imple-mented. Both verifier and prover reside on the same chipconnected only by two same-length tranmission lines forI/O and clock (1 m shielded cables are shown).

DRVC on the following fV clock cycle for a tn period.tn should be made long enough to ensure that the provercan adequately and reliably sample the challenge, andas short as possible to allow the response to be rapidlysent while not causing contention. The clock sent to P ,CLKV →P , is asserted tm after the rising edge of DRVC .Both CLKV →P and the I/O line have the same propa-gation delay, td, and when the clock edge arrives (nowcalled SMPLC), it samples the challenge. The sameclock edge also shifts the two response registers, one ofwhich is chosen by a 2:1 multiplexer that is controlledby the sampled challenge. DRVR is a delayed replica ofSMPLC , which is created using a delay element.

The delay, tp, allows the response SR signals to shiftand propagate through the multiplexer, preventing the in-termediate state of the multiplexer from being leaked.Otherwise, the attacker could discover both responses tothe previous challenge in the case where Ci $= Ci−1.tp may be very short but should be at least as long asthe period from the rising edge of SMPLC to when theresponse emerges from the multiplexer’s output; in ourimplementation, we used deliberately placed routing de-lays to adjust tp, which can be as short as 500 ps. WhenDRVR is asserted, the response is being driven on to theI/O line until the falling edge.

At the verifier, the response is sampled by SMPLR

after tq from the assertion of CLKV →P . The value oftq determines the distance measured and should be longenough to account for the propagation delay that the sys-tem was designed for (including on-chip and package de-lays), and short enough to not allow an attacker to be fur-ther away than desired, with the minimum value being

tp + 2td. As an improvement, tq can be dynamically ad-justed between invocations of the protocol allowing theverifier to make decisions based on the measured dis-tance, for example, determine the maximum transactionamount allowed. With a single iteration, the verifier candiscover the prover’s maximum distance away, but withmultiple iterations, the exact distance can be found witha margin of error equal to the signal propagation timeduring a single clock cycle of the verifier. SMPLR maybe made to sample on both rising and falling edges offV , effectively doubling the distance resolution withoutincreasing the frequency of operation (other signals mayoperate this way for tighter timing margins).

If we assume that an attacker can transmit signals atthe speed of light and ignore the real-life implications ofsending them over long distances, we can determine thetheoretical maximum distance between the verifier andprover. A more realistic attacker will need to overcomesignal integrity issues that are inherent to any system.We should not, therefore, make it easy for the attackerby designing with liberal timing constraints, and choosethe distance between the verifier and prover, d, to be asshort as possible. More importantly, we should carefullydesign the system to work for that particular distancewith very tight margins. For example, the various termi-nals we have tested were able to transmit/drive a signalthrough a two meter cable, although the card should atmost be a few centimeters away. Weak I/O drivers couldbe used to degrade the signal when an extention is ap-plied. The value of d also determines most of the timingparameters of the design, and as we shall see next, thesmaller these are, the harder it will be for the attacker togain an advantage.

5.5 Possible attacks on distance bounding

Although, following from our previous assumptions, theattacker cannot get access to any more than half the re-sponse bits, there are ways he may extend the distancelimit before a terminal will detect the relay attack. Thissection discusses which options are available, and theireffectiveness in evading defences.

Guessing attack Following the initialization phase,the attacker can initiate the bit-exchange phase beforethe genuine terminal has done so. As the attacker doesnot know the challenge at this stage, he will, on average,guess 50% of the challenge bits correctly and so receivethe correct response for those. For the ones where thechallenge was guessed incorrectly, the response is effec-tively random, so there is still a 50% chance that the re-sponse will be correct. Therefore the expected successrate of this technique is 75%.


Since our tests show a negligible error rate, the termi-nal may reject any response with a single bit that is incor-rect. In our prototype, where the response registers are64 bits each, the attacker will succeed with probability( 34 )64 ≈ 1 in 226. The size of the registers is a security

parameter that can be increased according to the applica-tion, while the nonces assure that the attacker can onlyguess once.

Replay If the attacker can force the card to performtwo protocol runs, with the same nonces used for both,then all bits of the response can be extracted by sendingall 1’s on the first iteration and all 0’s on the second. Weresist this attack by selecting the protocol variant men-tioned by Hancke and Kuhn [17], where the card addsits own nonce. This is cheap to do within EMV sincea transaction counter is already required by the rest ofthe protocol. If this is not desired then provided the cardcannot be clocked at twice its intended frequency, the at-tacker will not be able to extract all bits in time. This as-sumes that the time between starting the distance bound-ing protocol, and the earliest time the high-speed stagecan start, is greater than the latter’s duration.

Early bit detection and deferred bit signalling Thecard will not sample the terminal’s challenge until tm+d

after the challenge is placed on the I/O line. This is to al-low an inexpensive card to reliably detect the signal but,as Clulow et al. [12] suggest, an attacker who is willingto invest in expensive equipment could, in theory, detectthe signal immediately. By manipulating the clock pro-vided to the genuine card, and using high-quality signaldrivers, the challenge could be sent to the card with lessof a delay.

Similarly, the terminal will wait tq between sendingthe challenge and sampling the response, to allow for theround trip signal propagation time, and wait until the re-sponse signal has stabilized. Again, with superior equip-ment the response could be sent from the card just beforethe terminal samples. The attacker, however, cannot doso any earlier than tp after the card has sampled the chal-lenge, and the response appears on the I/O.

Delay-line manipulation The card may include thevalue of tp in its signed data, so the attacker cannot makethe terminal believe that the value is larger than the card’sspecification. However, the attacker might be able to re-duce the delay, for example by cooling the card. If it canbe reduced to the point that the multiplexer or latch hasnot settled, then both potential responses may be placedon to the I/O line, violating our assumptions.

However, if the circuit is arranged so that the delaywill be reduced only if the reaction of the challenge latch

and multiplexer is improved accordingly, the responsewill still be sent out prematurely. This gives the attackerextra time, so should be prevented. If temperature com-pensated delay lines are not economic, then they shouldbe as short as possible to reduce this effect.

In fact, tp may be so small, even less than 1 ns, that theterminal could just assume it would be zero. This willmean that the terminal will believe all cards are slightlyfurther away than they really are, but will avoid the valueof tp having to be included in the signed data.

Combined attacks For an attacker to gain a better than1 in 226 probability of succeeding in the challenge re-sponse protocol, the relay attack must take less thantm+q time. In practice, an attacker will not be ableto sample or drive the I/O line instantaneously and theradio-link transceiver or long wires will introduce la-tency, so the attacker would need to be much closer thanthis limit. A production implementation on an ASICwould be able to give better security guarantees and bedesigned to tighter specifications than were available onthe FPGA for our prototype.

5.6 ResultsWe have developed a versatile implementation that re-quires only modest modification to currently deployeddesigns. Our distance bounding scheme was success-fully implemented and tested on an FPGA for 2.0, 1.0,and 0.3 meter transmission lengths, although it can bemodified to work for any distance and tailored to any endapplication. Oscilloscope traces of a single bit challenge-response exchange over a 50 Ω, 30 cm printed circuitboard transmission line are shown in Figure 6. In thiscase, the challenge is 1 and the response is 0 with indica-tors where SMPLR has sampled the response. The first,after tqfail = 15 ns has sampled too early while the sec-ond, tqpass = 20 ns, which is a single period of fV later,has correctly sampled the 0 as the response. The delaytd = 2.16 ns, can also be seen and is, of course, due tothe length of the transmission line. If the attacker ex-ploited all possible attacks previously discussed and wasable to transmit signals at c, he would need to be withinapproximately 6 m, although the actual distance wouldbe shorter for a realistic attacker.

5.7 CostsThe FPGA design of both the verifier and prover asshown in Figure 5 consumes 37 flip-flops and 93 look-up tables: 64 for logic, 13 route-throughs, and 16 asshift registers (4 cascaded 16-bit LUTs for each), whichis extremely compact, and consumes well under 0.5%of the resources available on our FPGA. However, it is


vo

lta

ge

(V)

time since start of exchange (µµs)

0 10 20 30 40 50

0

1

2

3

!!

(a) I/OV trace of a 64-bit exchange with position of (b) indicated by • on the x axis.

!10 0 10 20 30 40

0.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

voltage

(V)

time since challenge sent by verifier (ns)

CLKp

!

!

!! !! !!Prover samples Verifier samples

t d

t n

tm ++ t d

t p ++ t d

tqfail !! t d

t qpass !! t d

!

I Ov

I Op

Challenge sent Response received

0 5 10

distance at speed of light in vacuum (m)

(b) Single bit exchange, challenge is 1 and response is 0.

Figure 6: Oscilloscope trace from the bit-exchange phase of the distance bounding protocol. Delay is introduced by a30 cm transmission line between the verifier and prover. Timing parameters are tn = 10 ns, tm = 5 ns, tp = 8 ns. Twovalues of tq are shown, one where the bit was correctly received tqpass = 20 ns and one where it was not, tqfail = 15 ns.td was measured to be 2.16 ns which over a 30 cm wire corresponds to propagation velocity of 1.4 × 108 m/s. Notethat before the challenge is sent, the trace is slowly rising above ground level; this is the effect of the pull-up resistoras also seen in (a) after the protocol completes. The shown signals were probed at the FPGA I/Os and do not preciselyrepresent when they actually appear inside of it. For example, the FPGA I/O introduces 3–5 ns delay to the signal soin actuality the FPGA will “see” the falling edge shown in (b) slightly after what is represented in the figure. On-chipdelay also affects the design and is not shown, but must be accounted for.


difficult to estimate the cost of an ASIC implementationwith these figures as there is no reliable conversion tech-nique between FPGA resource utilization and ASIC tran-sistor count, especially since the above numbers are forthe core functions, without the supporting circuitry. It isalso hard to estimate the cost in currency because thatchanges rapidly with time, production volume, fabrica-tion process, and many other factors, so we will describeit relative to the resources currently used.

As mentioned, we have made every effort to minimizethe circuitry that needs to be added to the smartcard whilebeing more liberal with the terminal, although for boththe additions can be considered minor. For the smartcard,new commands for initiating the initialization phase needto be added as well as two shift registers and a state ma-chine for operating the rapid bit-exchange. Consider-ing that smartcards already have a few thousand memorycells, this can be considered a minor addition, especiallygiven that they need to operate at the existing low fre-quencies of 1–5 MHz. For the initialization phase, exist-ing circuits can be used such as the DES engine for pro-ducing the content of the response registers. The card’stransaction counter may be used for the nonce, Np.

As for the terminals, their internal operating frequencyis unknown to us, but it is unlikely that it is high enoughto achieve good distance resolution. Therefore, a capableprocessor and some additional components are required,such as a high quality oscillator. As an alternative to highfrequencies, or when designing for very short distances,delay lines could be used instead of operating on clockedges. The distance bounding circuitry would need to beadded to the terminal’s main processor, which consistsof two shift registers and slightly more involved controlcode than the smartcard’s.

We have described the added cost in terms of hard-ware but the added time per transaction and the need tocommunicate with the bank, refused transactions due tofailure, re-issuing cards, and so on, may amount to sub-stantial costs. Only the banks involved have access to allthe necessary information needed to make a reasonableestimate of these overheads.

6 Discussion

The distance bounding protocol we have proposed willdetect attempted relay attacks but requires the banks toproduce cards and terminals that support the protocol.However, the person being defrauded is the cardholder,Alice, who must use the cards and terminals she is given,so has no trusted user interface and no way to protectherself. As mentioned in Section 4.2, this incentivemismatch may be detrimental to the cardholder’s secu-rity. For instance, until all terminals support the distancebounding protocol, the issuer can select whether to fall-

back to the current protocol that is vulnerable to relay-attacks. Under existing UK practice, the customer is li-able for PIN-verified fraudulent transactions [10], so theissuer may elect to accept fallback transactions knowingthat the cardholder is carrying the risk.

A further problem of the distance bounding protocolis the lack of non-repudiation: for a third party to ver-ify that a relay attack was not in progress, the merchant’sterminal must be trusted to correctly report the round-triplatency. Thus, if a customer claims that a transaction isfraudulent, then even if the distance bounding protocol isrecorded to have succeeded, there remains the possibil-ity that the terminal has been tampered with. It falls onthe acquirer to mandate tamper-resistant terminals, butalthough the payment network may require that all mem-bers implement appropriate protections, the customer isonly represented indirectly by the issuer.

So while inexpensive yet strong technical solutions,such as distance bounding, do exist they must be de-ployed as part of an appropriate liability framework tofully realize their benefits. The current situation, wherecustomers are liable for fraud, yet powerless to verifywhether a terminal is genuine, is clearly unfair. If thepower of banking institutions is too great to alter theentrenched notion of customer liability, then measuresthat put the cardholder in a position of control, such asthe electronic attorney [2], despite being more expen-sive, may be the most appropriate solution. However,customers should exercise caution before accepting theseoptions as the second-order effect of the customer beingable to detect attacks could be to make them reasonablyliable for any fraud which is nevertheless perpetrated.

7 Conclusion

This paper described relay attacks and how they can beapplied to exploit smartcard-based payment systems. Aprototype was built and shown to be successful againstthe Chip & PIN payment system deployed in the UK.This consisted of creating a fake terminal and customhardware to allow the relaying of information betweenthe participating parties. We suggested procedural im-provements to the acceptance of Chip & PIN transac-tions, which would provide a short-term defence, butthese could be circumvented by a plausible attacker. Wethen developed the first implementation of a distancebounding defence against these relay attacks and showedit to be the most robust solution. Our implementationwas designed to be appealing for adoption in the nextgeneration of smartcards by tailoring the design to theEMV framework.

Future work may include implementing a wirelessvariant of the protocol, mutual distance bound establish-ment and customizing the system to other applications.


Acknowledgements

Saar Drimer is funded by Xilinx, Inc. Steven J. Mur-doch is funded by the OpenNet Initiative. Markus Kuhnhas provided us with both stimulating discussions andadvice, along with hardware. Xilinx donated hardwareand development software. We also thank Ross An-derson, Mike Bond, Richard Clayton, Frank Stajano,Robert Watson, Ford-Long Wong, anonymous reviewersfor their valuable suggestions, and the merchants who al-lowed us to test and demonstrate our attack.

References[1] ADIDA, B., BOND, M., CLULOW, J., LIN, A., MURDOCH,

S. J., ANDERSON, R. J., AND RIVEST, R. L. Phish andchips (traditional and new recipes for attacking EMV). In Se-curity Protocols Workshop (Cambridge, England, March 2006),LNCS, Springer (to appear). http://www.cl.cam.ac.uk/˜rja14/Papers/Phish-and-Chips.pdf.

[2] ANDERSON, R., AND BOND, M. The man in the mid-dle defence. In Security Protocols Workshop (Cam-bridge, England, March 2006), Springer (to appear).http://www.cl.cam.ac.uk/˜rja14/Papers/Man-in-the-Middle-Defence.pdf.

[3] ANDERSON, R., BOND, M., CLULOW, J., AND SKOROBOGA-TOV, S. Cryptographic processors—a survey. Proceedings of theIEEE 94, 2 (February 2006), 357–369.

[4] ANDERSON, R., BOND, M., AND MURDOCH, S. J. Chip andspin, March 2005. http://www.chipandspin.co.uk/spin.pdf.

[5] APACS. APACS response to BBC Watchdog and chip and PIN.Press release, February 2007. http://www.apacs.org.uk/media_centre/press/07_06_02.html.

[6] APACS. Card fraud losses continue to fall. Press release, March2007. http://www.apacs.org.uk/media_centre/press/07_14_03.html.

[7] ASOKAN, N., DEBAR, H., STEINER, M., AND WAIDNER,M. Authenticating public terminals. Computer Networks 31, 9(1999), 861–870.

[8] AVESO. Display enabled smart cards. http://www.avesodisplays.com/.

[9] BETH, T., AND DESMEDT, Y. Identification tokens – or: Solvingthe chess grandmaster problem. In CRYPTO (1990), vol. 537 ofLNCS, Springer, pp. 169–177.

[10] BOHM, N., BROWN, I., AND GLADMAN, B. Elec-tronic commerce: Who carries the risk of fraud? TheJournal of Information, Law and Technology, 3 (October2000). http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2000_3/bohm/.

[11] BRANDS, S., AND CHAUM, D. Distance-bounding protocols.In EUROCRYPT ’93: Workshop on the theory and application ofcryptographic techniques on Advances in cryptology (May 1993),T. Helleseth, Ed., vol. 765 of LNCS, Springer, pp. 344–359.

[12] CLULOW, J., HANCKE, G. P., KUHN, M. G., AND MOORE, T.So near and yet so far: Distance-bounding attacks in wireless net-works. In Security and Privacy in Ad-hoc and Sensor Networks(Hamburg, Germany, September 2006), L. Buttyan, V. Gligor,and D. Westhoff, Eds., vol. 4357 of LNCS, Springer.

[13] CONWAY, J. H. On Numbers and Games. Academic Press, 1976.

[14] DESMEDT, Y., GOUTIER, C., AND BENGIO, S. Special usesand abuses of the Fiat-Shamir passport protocol. In Advancesin Cryptology – CRYPTO ’87: Proceedings (1987), vol. 293 ofLNCS, Springer, p. 21.

[15] EMVCO, LLC. EMV 4.1, June 2004. http://www.emvco.com/.

[16] HANCKE, G. A practical relay attack on ISO 14443 proxim-ity cards, 2005. http://www.cl.cam.ac.uk/˜gh275/relay.pdf.

[17] HANCKE, G. P., AND KUHN, M. G. An RFID distance boundingprotocol. In SECURECOMM ’05: Proceedings of the First Inter-national Conference on Security and Privacy for Emerging Ar-eas in Communications Networks (Washington, DC, USA, 2005),IEEE Computer Society, pp. 67–73.

[18] HU, Y.-C., PERRIG, A., AND JOHNSON, D. Wormhole attacksin wireless networks. IEEE Journal on Selected Areas in Com-munications (JSAC) 24, 2 (February 2006).

[19] INTERNATIONAL ORGANIZATION FOR STANDARDIZATION.ISO/IEC 7816-3:2006 Identification cards – Integrated circuitcards – Part 3: Cards with contacts – Electrical interface andtransmission protocols, 3 ed., October 2006.

[20] INTERNATIONAL ORGANIZATION FOR STANDARDIZATION.ISO/IEC 18092:2004 Information technology – Telecommunica-tions and information exchange between systems – Near FieldCommunication – Interface and Protocol (NFCIP-1), 1 ed., Jan-uary 2007.

[21] JOHNSTON, R. G., GARCIA, A. R., AND PACHECO, A. N. Effi-cacy of tamper-indicating devices. Journal of Homeland Security(April 2002).

[22] KUHN, M. G. An asymmetric security mechanism for navigationsignals. In Information Hiding (Toronto, Canada, May 2004),J. Fridrich, Ed., no. 3200 in LNCS, Springer, pp. 239–252.

[23] VARIAN, H. R. Managing online security risks. New YorkTimes. 1 June, 2000. http://www.ischool.berkeley.edu/˜hal/people/hal/NYTimes/2000-06-01.html.

[24] VISA INTERNATIONAL SERVICE ASSOCIATION. ApprovedPIN entry devices, May 2007. http://partnernetwork.visa.com/dv/pin/pedapprovallist.jsp.


Documents

Keep Your Enemies Close: Distance Bounding Against