Preventing real-world relay attacks on contactless devices

This paper is focused on preventing relay attacks on contactless devices, such as contactless smart cards or Near-Field Communication (NFC) devices. Relay attacks can be prevented by the so called distance bounding protocols, which are based on restricting the round trip time to some limit. Distance bounding protocols protect against all theoretical attacks, because the time limit is calculated from the maximal allowed distance and from the speed of light. Real-world attacks are not perfect and induce additional delay to the delay caused by the signal travelling longer distance. This delay is caused by hardware components processing the signal and sending it to a different location. If the communication is relayed over a distance exceeding the range of one transmitter, it is likely that some buffering will be used. If the data are sent over network using TCP/IP, the induced delay will be significant. The attacker can reduce the response time in the relay attack by overclocking the forged reader in order to get the response from the smart card faster than the legitimate reader would get it. This would give the attacker a chance to reduce the roundtrip time and not exceed the time limit defined in the distance bounding protocol. We propose a method to prevent real-world attacks that induce delays significantly longer than the delay caused by the time travelling longer distance. We also show a countermeasure to the oveclocking attacks.