NFCGate: Setup and Execution of a Relay Attack
Summary
We used NFCGate to do a relay attack. In this attack, the data from a real card is sent to a phone and then to the card reader. The card doesn’t need to be close to the reader. This can be used to trick the system, for example in contactless payments or door access.
Architecture
The following diagram illustrates the architecture we used to implement our relay attack. One smartphone functions as the Tag, while the other acts as the Reader. Communication between the two devices is routed through a server, which for the purpose of this project, was hosted on a laptop.
Requirements
smartphones used
- Samsung Galaxy A40
- LG nexus 5G
smartphone Applications
- Magisk v26.0 [1]
- LineagesOS v18.1 [2]
- NFC Gate install NFC Gate
Laptop Applications
- NFC Gate Server install NFC Server
Installation
Smartphones
Download NFC Gate
Download the APK v2.4.4.apk: Download NFCGate
Install NFC Gate
Install via ADB:
adb install Downloads/NFCGate.2.4.4.apk
Ubuntu
Download NFC Server
Create a folder:
mkdir nfcGate cd nfcGate
Install NFC Server
Clone the repository:
sudo git clone https://github.com/nfcgate/server.git
Attack
Hotspot
Enable hotspot from smartphone and connect the server (Ubuntu)
Run server
go to the folder:
cd nfcGate/server
run the server:
python3 server.py
Ip server
Check the IP address (from hotspot)
ip a
NFC Gate settings
Open the NFCGate app and go to settings:
Go to "Hostname and Port":
The hostname is the same IP address as the server:
Port number is always 5566:
In the NFCGate app, go to Relay mode. Use the Tag option for the card and the Reader option for the NFC terminal.
Now you have a connection through the server:
Relay Attack
Hold the smartphone with the Tag side near the card:
Hold the smartphone with the Reader side near the terminal:
Used Hardware
- 2 Smarthones with root and [Compatibility]
- Laptop as Server [Ubuntu]